AWS Certified Security Specialty SCS-C02 (SCS-C02): Questions 1351–1425

1738 questions total · 24 pages · All types, answers revealed

Page 19 of 24
1351
MCQ · hard

A financial company uses AWS KMS to encrypt sensitive data. The security team notices that a KMS key has been deleted, but the encrypted data is still needed for a short period. What is the fastest way to make the data decryptable again?

A. Contact AWS Support to recover the key material
B. Cancel the key deletion within the waiting period
C. Restore the key from a CloudHSM backup
D. Re-encrypt the data with a new KMS key
Answer: B

KMS allows cancelling deletion during the waiting period.

Why this answer

Option B is correct because KMS enforces a waiting period of 7 to 30 days before a scheduled deletion takes effect, and the deletion can be cancelled during that period. Option A is wrong because once the waiting period has elapsed the key is deleted and cannot be recovered, by AWS Support or otherwise. Option D is wrong because re-encrypting the data would first require decrypting it with the original key.

Option C is wrong because the previous key material is gone.

1352
Multi-Select · medium

A company needs to encrypt data at rest for an Amazon RDS for Oracle database. The database is deployed in a Multi-AZ configuration. The company also wants to encrypt automated backups and snapshots. Which TWO steps should the security team take?

Select 2 answers
A. Enable encryption at rest when launching the RDS instance.
B. Modify the DB instance to enable encryption after creation.
C. Ensure that the 'Encryption at rest' setting also encrypts automated backups and snapshots.
D. Enable encryption at rest on the existing RDS instance via a modification.
E. Specify a KMS key after the instance is launched.
Answers: A, C

Encryption must be enabled at launch.

Why this answer

Option A is correct because encryption must be enabled at launch; it cannot be added later. Option C is correct because enabling encryption at rest automatically encrypts backups and snapshots. Option B is wrong because encryption cannot be enabled on an existing unencrypted instance.

Option D is wrong because encryption must be enabled at launch, not after. Option E is wrong because the KMS key must be specified at launch; it can be changed later only for certain engines.

1353
MCQ · medium

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow read access to objects in the bucket only from the corporate network (203.0.113.0/24). However, users outside the network can still access the bucket. What is the most likely reason?

A. The bucket policy does not include an explicit Deny statement for IP addresses outside the allowed range.
B. The s3:GetObject action is misspelled; it should be s3:GetObjectVersion.
C. The condition key should be aws:SourceIp instead of aws:SourceIp.
D. The bucket policy must be attached to the bucket's ACL instead.
Answer: A

The Allow applies only to requests from the specified IP range, and other requests are denied only if nothing else allows them. Users who hold s3:GetObject permissions through their own IAM policies can still access the bucket from any IP. The policy needs an explicit Deny to restrict access to the corporate network.

Why this answer

An Allow statement with an IP condition grants access to requests that satisfy the condition; it does not by itself block requests that do not. If users have s3:GetObject permissions from their IAM identity policies, those permissions still apply from any IP, because an Allow in one policy is only overridden by an explicit Deny in another. Block Public Access is a separate control and does not explain why authenticated users outside the range can still read objects.

The bucket policy therefore allows access from the corporate range but never denies access from other IPs. A more complete policy adds a Deny statement for requests whose source IP is outside 203.0.113.0/24.

The other options do not explain the behavior: the s3:GetObject action and the resource are correct, and aws:SourceIp is the correct condition key. Pre-signed URLs are not among the listed options.

The most likely reason is therefore the missing explicit Deny for IP addresses outside the allowed range.

1354
MCQ · medium

A security engineer is analyzing VPC Flow Logs and sees the entry above. The source IP 203.0.113.5 is flagged as suspicious. What additional information would help determine if this is malicious?

A. The source port used by 203.0.113.5.
B. CloudTrail logs for any `ConsoleLogin` or `AssumeRole` events from 203.0.113.5.
C. Network ACL changes associated with the destination subnet.
D. Amazon GuardDuty findings for the destination 10.0.1.5.
Answer: B

Could indicate compromised credentials.

Why this answer

Option B is correct because VPC Flow Logs capture network traffic metadata (IPs, ports, protocols) but not the identity or authentication context of the source. CloudTrail logs record API calls, including ConsoleLogin and AssumeRole events, which can reveal whether 203.0.113.5 is associated with an authenticated user or role. If no such events exist, the traffic is likely from an unauthenticated external source, strengthening the case for malicious activity.

Exam trap

The trap here is that candidates focus on network-layer indicators (ports, ACLs, GuardDuty) instead of recognizing that VPC Flow Logs lack identity context, so CloudTrail is the only service that can tie an IP to an authenticated action.

How to eliminate wrong answers

Option A is wrong because the source port is ephemeral and dynamically assigned by the OS; it provides no meaningful security context for determining malicious intent. Option C is wrong because network ACL changes affect traffic filtering rules, not the identity or behavior of the source IP; they are irrelevant to assessing whether 203.0.113.5 is malicious. Option D is wrong because GuardDuty findings for the destination 10.0.1.5 would indicate threats targeting that host, but they do not directly confirm whether the source IP 203.0.113.5 is malicious—the source could be benign even if the destination is compromised.

1355
Multi-Select · medium

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture volatile memory data and create a forensic image of the instance's EBS volumes. Which TWO actions should the engineer take? (Choose 2.)

Select 2 answers
A. Enable AWS CloudTrail for the instance.
B. Use AWS Systems Manager Run Command to execute a memory capture script.
C. Use AWS Backup to create a backup of the instance.
D. Create an Amazon EBS snapshot of the instance's root volume.
E. Use Amazon Inspector to scan the instance for vulnerabilities.
Answers: B, D

Run Command can execute memory capture tools.

Why this answer

Option B is correct because AWS Systems Manager Run Command allows you to remotely execute scripts on EC2 instances without needing SSH access, which is critical during incident response to capture volatile memory data before the instance is compromised further. Option D is correct because creating an EBS snapshot provides a point-in-time forensic image of the root volume that can be analyzed offline without altering the original evidence.

Exam trap

The trap here is that candidates confuse AWS Backup (a managed backup service) with EBS snapshots, not realizing that AWS Backup does not provide the immediate, point-in-time forensic snapshot needed for incident response and may introduce additional latency or metadata changes.

1356
MCQ · medium

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an RDS MySQL database. The security team wants to monitor for SQL injection attempts. They have enabled AWS WAF on the ALB and are logging all requests. The security engineer needs to analyze the WAF logs to identify if any SQL injection attacks have been attempted. The logs are stored in an S3 bucket. The engineer needs to query the logs for patterns like 'SELECT * FROM' or 'DROP TABLE' in the URI. Which service should the engineer use to perform this analysis?

A. Amazon Kinesis Data Analytics
B. Amazon QuickSight
C. CloudWatch Logs Insights
D. Amazon Athena
Answer: D

Athena can query WAF logs in S3 directly.

Why this answer

Option D is correct because Amazon Athena can query WAF logs stored in S3 directly using SQL. Option C is wrong because CloudWatch Logs Insights works with CloudWatch Logs, not S3. Option B is wrong because QuickSight is for visualization, not direct querying.

Option A is wrong because Kinesis Data Analytics is for real-time streaming, not static S3 logs.

1357
Multi-Select · medium

Which TWO of the following are valid methods to protect data in transit between an on-premises data center and AWS? (Choose two.)

Select 2 answers
A. Amazon CloudFront with HTTPS-only viewer protocol policy
B. AWS Site-to-Site VPN
C. VPC Peering
D. S3 Transfer Acceleration
E. AWS Direct Connect with encryption (MACsec)
Answers: B, E

Site-to-Site VPN uses IPSec to encrypt all traffic between on-premises and AWS.

Why this answer

Options B and E are correct. AWS Site-to-Site VPN creates an encrypted IPsec tunnel over the internet. Direct Connect with encryption (MACsec or IPsec) provides a private connection with encryption.

Option C is wrong because VPC Peering does not encrypt traffic. Option D is wrong because S3 Transfer Acceleration only speeds up transfers; it does not encrypt them. Option A is wrong because CloudFront uses HTTPS at the edge, but the origin connection may not be encrypted unless configured.

1358
Multi-Select · medium

A security team is setting up incident response automation. Which TWO steps should be taken to ensure that a compromised EC2 instance is isolated while preserving forensic data? (Choose TWO.)

Select 2 answers
A. Assign a new security group that denies all inbound and outbound traffic.
B. Shut down the instance from the OS.
C. Remove the instance from any Auto Scaling group or load balancer target group.
D. Create an EBS snapshot of the instance's root volume.
E. Terminate the instance.
Answers: C, D

Stops new traffic.

Why this answer

Option C is correct because removing the instance from Auto Scaling groups or load balancer target groups stops new traffic from being routed to it, effectively isolating it from application traffic without destroying the instance. Option D is correct because creating an EBS snapshot preserves the root volume's data for forensic analysis before any changes occur. Together, these steps ensure the instance is isolated for investigation while retaining evidence.

Exam trap

The trap here is that candidates often choose Option A (assigning a deny-all security group) thinking it isolates the instance, but they overlook that existing connections remain active and that Auto Scaling may immediately launch a replacement, losing the forensic opportunity.

1359
MCQ · hard

A company has multiple AWS accounts in AWS Organizations. The security team wants to centralize threat detection and automate incident response. Which combination of services should they use?

A. GuardDuty + Security Hub + Step Functions
B. GuardDuty + Amazon EventBridge + AWS Lambda
C. Amazon Macie + AWS Config + SNS
D. CloudTrail + CloudWatch Logs + Lambda
Answer: B

GuardDuty detects threats, EventBridge routes findings, Lambda automates response.

Why this answer

Option B is correct because GuardDuty generates threat detection findings, which are sent to Amazon EventBridge as events. EventBridge then triggers an AWS Lambda function to automate incident response actions, such as isolating an EC2 instance or revoking IAM credentials. This combination provides a fully serverless, event-driven pipeline for centralized threat detection and automated remediation across multiple AWS accounts in Organizations.

Exam trap

The trap here is that candidates often confuse Security Hub with EventBridge, thinking Security Hub is required to aggregate findings before automation, but EventBridge can directly consume GuardDuty findings without Security Hub, and Security Hub is a separate service for multi-framework compliance and aggregation, not a prerequisite for automated incident response.

How to eliminate wrong answers

Option A is wrong because Step Functions is a workflow orchestration service, not a direct event trigger for GuardDuty findings; while it can be used for complex workflows, the standard pattern for automated incident response uses EventBridge to directly invoke Lambda, making Step Functions an unnecessary and less efficient intermediate layer for simple automation. Option C is wrong because Amazon Macie focuses on sensitive data discovery in S3, not threat detection, and AWS Config tracks resource configuration changes, not security threats; SNS alone cannot automate incident response actions. Option D is wrong because CloudTrail and CloudWatch Logs are logging and monitoring services, not dedicated threat detection services; while Lambda can be triggered from CloudWatch Logs, this setup lacks GuardDuty's intelligent threat detection and requires custom log analysis to identify threats, missing the centralized threat detection requirement.

1360
MCQ · hard

A security engineer examines the above output. The company requires automatic yearly key rotation. What should the engineer do?

A. Run 'aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab'
B. Use AWS CloudHSM to generate a new key and rotate manually.
C. Replace the key with an AWS managed key.
D. Import key material and enable automatic rotation.
Answer: A

This enables automatic yearly rotation for a customer managed key.

Why this answer

Option A is correct because the key is a customer managed key (the KeyRotationEnabled: false line shows rotation is not enabled, which cannot be the case for an AWS managed key). Automatic rotation is enabled with the enable-key-rotation command. Option C is incorrect because AWS managed keys have rotation enabled by default, so replacing the key is not what is being asked.

Option B is incorrect because CloudHSM is not necessary. Option D is incorrect because importing key material does not enable automatic rotation.

1361
Multi-Select · easy

A company wants to ensure that all API calls made to AWS are logged for security analysis. Which TWO services can be used to achieve this? (Choose two.)

Select 2 answers
A. Amazon S3 server access logs
B. AWS CloudTrail
C. Amazon VPC Flow Logs
D. Amazon CloudWatch Logs
E. AWS Config
Answers: A, B

S3 server access logs record requests made to S3, which are a subset of API calls.

Why this answer

Amazon S3 server access logs capture detailed records of requests made to an S3 bucket, including the requester, bucket name, request time, and action. This enables security analysis of API calls specifically targeting S3 resources. AWS CloudTrail records all API calls made to the AWS Management Console, SDKs, and CLI across the entire AWS account, providing a comprehensive audit trail for security analysis.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which log network traffic) or CloudWatch Logs (a log storage service) with services that directly capture API calls, but only CloudTrail and S3 server access logs provide the specific API-level logging required for security analysis.

1362
MCQ · easy

A company uses Amazon S3 to store confidential documents. The security team wants to ensure that all objects are encrypted at rest using server-side encryption with AES-256. Which S3 encryption option should be used?

A. SSE-C
B. SSE-KMS
C. SSE-S3
D. Client-side encryption
Answer: C

SSE-S3 uses AES-256 encryption.

Why this answer

Server-Side Encryption with S3-Managed Keys (SSE-S3) uses AES-256, so Option C is correct. SSE-C uses customer-provided keys, SSE-KMS uses KMS keys, and client-side encryption is performed by the customer before upload.

1363
MCQ · medium

Refer to the exhibit. An S3 bucket policy is shown. An administrator uploads an object to 'example-bucket' without specifying any encryption header. What is the outcome?

A. The upload fails with an Access Denied error
B. The object is uploaded and encrypted with the bucket's default encryption settings
C. The object is encrypted with SSE-KMS automatically
D. The object is uploaded without encryption
Answer: A

The condition denies PutObject when encryption is not AES256.

Why this answer

Option A is correct because the condition denies uploads unless the encryption header is 'AES256'. Since no header is specified, the StringNotEquals condition matches and the request is denied. Option B is wrong because the upload fails rather than succeeding.

Option C is wrong because SSE-KMS is not mentioned. Option D is wrong because the condition checks the header, not the bucket default encryption.

1364
Multi-Select · medium

Which TWO are characteristics of an IAM role? (Choose 2.)

Select 2 answers
A. It can be used to grant permissions to an AWS service without requiring a user.
B. It does not have long-term access keys.
C. It cannot have an attached permissions policy.
D. It provides temporary security credentials.
E. It is associated with a specific IAM user.
Answers: B, D

Roles do not have permanent keys; they use temporary credentials.

Why this answer

Options B and D are correct. D: Roles are assumed by entities and provide temporary credentials. B: Roles do not have long-term credentials; they use temporary security credentials. Roles also have a trust policy that specifies who can assume them.

Option E is wrong because roles are not associated with a specific user; they can be assumed by multiple entities. Option C is wrong because roles can have permissions policies attached.

1365
MCQ · easy

A company wants to allow an IAM user to list objects in an S3 bucket named 'my-bucket'. Which IAM policy statement grants the minimum required permissions?

A. {"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}
B. {"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}
C. {"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}
D. {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket"}
Answer: C

Grants only the required ListBucket action.

Why this answer

Option C is correct because it grants only the s3:ListBucket action on the specified bucket. Option D is wrong because it grants s3:*, which is excessive. Option B is wrong because it uses s3:GetObject, which is not needed for listing.

Option A is wrong because it grants s3:PutObject, which is not needed.

1366
MCQ · easy

A company runs a workload on Amazon EC2 that needs to access an Amazon S3 bucket to store sensitive data. The security team wants to ensure that the data is encrypted at rest in S3 without requiring any changes to the application. The application currently uses the AWS SDK to upload objects. Which solution meets the requirement with the LEAST operational overhead?

A. Configure an S3 bucket policy that denies uploads without encryption.
B. Modify the application to use client-side encryption with KMS.
C. Enable S3 default encryption on the bucket using SSE-S3.
D. Use a KMS key policy to require encryption for the bucket.
Answer: C

Default encryption encrypts all objects automatically without application changes.

Why this answer

Option C is correct. Enabling S3 default encryption ensures all objects are encrypted at rest without application changes. Option B is wrong because client-side encryption requires application changes.

Option A is wrong because bucket policies do not encrypt anything; they can only deny unencrypted uploads, and the application would then need to include encryption headers. Option D is wrong because a KMS key policy is not a direct solution for encryption.

1367
Multi-Select · medium

A security team is designing a logging solution for a multi-account AWS environment using AWS Organizations. They need to collect CloudTrail logs, VPC Flow Logs, and DNS logs from all accounts. Which TWO services can be used to centralize this logging?

Select 2 answers
A. Amazon CloudWatch Logs
B. AWS CloudTrail (Organization Trail)
C. AWS Config
D. Amazon GuardDuty
E. Amazon S3
Answers: B, E

Organization Trail collects CloudTrail logs from all accounts into a single S3 bucket.

Why this answer

CloudTrail Organization Trail centralizes CloudTrail logs. Amazon S3 is the standard destination for VPC Flow Logs and DNS logs (via Route 53 Resolver query logs). AWS Config is configuration management, not log collection.

CloudWatch Logs can be used but is not the primary centralization service for cross-account logs; S3 is more cost-effective for long-term storage.

1368
Multi-Select · hard

A security engineer is reviewing the security of an Amazon EKS cluster. The cluster is used to run containerized applications. Which three actions should the engineer take to improve the security of the cluster?

Select 3 answers
A. Restrict access to the cluster using AWS IAM authentication for kubectl.
B. Use the default VPC for the cluster.
C. Configure the cluster API server endpoint to be private.
D. Grant the cluster-admin role to all developers.
E. Enable audit logging for the cluster.
Answers: A, C, E

IAM provides fine-grained access control to the cluster.

Why this answer

Options A, C, and E are correct. Enabling audit logging helps monitor API calls. Restricting kubectl access via IAM ensures only authorized users can manage the cluster.

Using a private endpoint for the API server prevents exposure to the internet. Option B is incorrect because using the default VPC is not inherently insecure; custom VPCs can be used. Option D is incorrect because cluster-admin is too permissive; least privilege should be applied.

1369
MCQ · hard

An organization uses AWS Organizations with hundreds of accounts. The security team wants to automatically respond to a specific GuardDuty finding by isolating the affected EC2 instance. What is the recommended architecture?

A. Use EventBridge to trigger a Lambda function in the delegated administrator account, which assumes an IAM role in the affected account to isolate the instance.
B. Configure GuardDuty to invoke a Lambda function in the affected account directly.
C. Use EventBridge to send the finding to a Step Functions workflow that isolates the instance.
D. Use AWS Systems Manager Automation to isolate the instance across accounts.
Answer: A

This is the recommended pattern for cross-account automated response.

Why this answer

Option A is correct because it follows the recommended architecture for cross-account automated response to GuardDuty findings. EventBridge in the delegated administrator account captures the finding and triggers a Lambda function, which then assumes an IAM role (using STS AssumeRole) in the affected member account to perform the isolation. This pattern centralizes management while respecting the security boundary between accounts.

Exam trap

The trap here is that candidates may assume GuardDuty can directly trigger a Lambda in any account, but in reality, GuardDuty findings are centralized in the delegated administrator account and cross-account actions require explicit role assumption via EventBridge and Lambda.

How to eliminate wrong answers

Option B is wrong because GuardDuty cannot directly invoke Lambda functions in member accounts; it can only send findings to EventBridge or to the delegated administrator account. Option C is wrong because while Step Functions can orchestrate workflows, the recommended architecture uses a Lambda function to assume a role in the affected account, not a direct Step Functions cross-account invocation (which would require additional complexity and is not the standard pattern). Option D is wrong because AWS Systems Manager Automation does not natively support cross-account isolation of EC2 instances without first assuming a role via Lambda or similar; the recommended approach uses EventBridge and Lambda, not Systems Manager Automation directly.

1370
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team needs to centrally monitor all API calls made in the member accounts. The team wants to ensure that all CloudTrail logs are delivered to a centralized S3 bucket in the management account. Which configuration should the security team implement?

A. Configure CloudWatch cross-account subscription to send logs from member accounts to the management account.
B. Enable CloudTrail in each member account and configure each trail to deliver logs to the same S3 bucket.
C. Create an organization trail in the management account with the S3 bucket in the management account.
D. Use Amazon S3 replication to copy logs from member account buckets to the management account bucket.
Answer: C

An organization trail automatically applies to all accounts and delivers logs to a central bucket.

Why this answer

Option C is correct because an organization trail created in the management account automatically applies to all member accounts. Option B is wrong because enabling CloudTrail separately in each account is not centralized. Option D is wrong because S3 replication does not guarantee that all logs are captured.

Option A is wrong because a CloudWatch cross-account subscription is not the standard method for centralizing CloudTrail logs.

1371
MCQ · hard

A company has a multi-account AWS Organization with three accounts: Management, Development, and Production. The Security team uses the Management account to manage IAM policies centrally. They have created a service control policy (SCP) named 'RestrictRootAccess' that denies all actions for the root user in all accounts. The SCP is attached to the root organizational unit. The Development account has an IAM role 'DevAdmin' with full administrator access via an IAM policy. The role's trust policy allows the Management account's 'SecurityAudit' role to assume it. A security engineer in the Management account assumes the 'SecurityAudit' role and then tries to assume the 'DevAdmin' role in the Development account. The assumption fails with an 'AccessDenied' error. What is the most likely cause?

A. The SCP is attached to the root OU and overrides any allow in the member accounts
B. The trust policy of the 'DevAdmin' role does not grant sts:AssumeRole to the 'SecurityAudit' role
C. The SCP 'RestrictRootAccess' denies the sts:AssumeRole action for all principals except root
D. The 'SecurityAudit' role requires MFA to assume the 'DevAdmin' role
Answer: B

Without a trust policy allowing the Management account role, assumption is denied.

Why this answer

The error 'AccessDenied' occurs because the trust policy of the 'DevAdmin' role in the Development account does not explicitly grant the 'sts:AssumeRole' action to the 'SecurityAudit' role from the Management account. Even though the 'SecurityAudit' role has permission to call sts:AssumeRole via its IAM policy, the target role's trust policy acts as a resource-based policy that must allow the incoming principal. Without that allow, the assumption fails regardless of permissions in the source account.

Exam trap

The trap here is that candidates often assume an SCP attached to the root OU can block all actions across accounts, but they forget that trust policies are resource-based and evaluated separately from SCPs, so the SCP cannot cause the 'AccessDenied' error in this cross-account role assumption scenario.

How to eliminate wrong answers

Option A is wrong because SCPs attached to the root OU do not override resource-based policies like trust policies; they only affect IAM policies and cannot block sts:AssumeRole calls that are authorized by the target role's trust policy. Option C is wrong because the SCP 'RestrictRootAccess' denies actions for the root user only, not for all principals, and it does not deny sts:AssumeRole for IAM roles or users. Option D is wrong because there is no evidence or mention of an MFA condition in the trust policy of 'DevAdmin', and the error message does not indicate an MFA requirement.

1372
MCQ · hard

During a security incident, a security engineer needs to collect EBS snapshots of multiple EC2 instances across different accounts in AWS Organizations. The snapshots must be copied to a central forensics account. Which combination of steps is MOST efficient?

A. Use Amazon Data Lifecycle Manager (DLM) to create snapshots and copy them to the forensics account using S3 cross-region replication.
B. Use AWS CloudFormation StackSets to deploy a stack that creates snapshots and copies them manually.
C. Use AWS Systems Manager Automation to run scripts in each account that create snapshots and copy them to the forensics account via Lambda.
D. Use AWS Backup to create backup plans in each account and enable cross-account backup copy to the forensics account.
Answer: D

Automated, centralized, and supports cross-account.

Why this answer

AWS Backup is the most efficient solution because it natively supports cross-account backup copy, allowing you to create backup plans in each account and automatically copy EBS snapshots to a central forensics account without custom scripting or manual intervention. This integrates directly with AWS Organizations, enabling centralized management of backup policies across multiple accounts, which is ideal for incident response scenarios requiring rapid, consistent snapshot collection.

Exam trap

The trap here is that candidates may choose DLM (Option A) because it is commonly used for snapshot automation, but they overlook that DLM cannot copy snapshots across accounts, which is a critical requirement for cross-account forensics.

How to eliminate wrong answers

Option A is wrong because Amazon Data Lifecycle Manager (DLM) does not support cross-account snapshot copying; it can only copy snapshots within the same account or across regions, not to a different AWS account. Option B is wrong because CloudFormation StackSets can deploy stacks across accounts, but they cannot create snapshots or copy them automatically; manual copying is required, which is inefficient during an incident. Option C is wrong because Systems Manager Automation with Lambda introduces unnecessary complexity and latency; it requires custom scripts and cross-account IAM roles, whereas AWS Backup provides a managed, policy-driven solution that is more reliable and efficient.

1373
Multi-Select · hard

An organization wants to enforce that all IAM users must use MFA to access the AWS API. Which TWO steps should be taken?

Select 2 answers
A. Rotate all IAM user access keys.
B. Attach the policy to all IAM users or to a group that all users belong to.
C. Create an IAM policy with a condition that denies all actions unless aws:MultiFactorAuthPresent is true.
D. Configure the account password policy to require MFA.
E. Create a service control policy (SCP) that requires MFA for all API calls.
Answers: B, C

The policy must be applied to users to take effect.

Why this answer

Options B and C are correct. An IAM policy with a condition that denies access when MFA is not present (C) must be attached to all users or to a group that all users belong to (B). Option E is wrong because an SCP cannot enforce MFA for IAM users in the same account; SCPs apply to member accounts.

Option D is wrong because the password policy only affects console login. Option A is wrong because access keys are not affected by MFA policies unless the condition is used.

1374
MCQ · easy

A security engineer needs to centrally manage and enforce security policies across multiple AWS accounts in an organization. Which AWS service should they use?

A. AWS CloudFormation StackSets
B. AWS IAM
C. AWS Firewall Manager
D. AWS Organizations with SCPs
Answer: D

SCPs can define permission guardrails across all accounts in the organization.

Why this answer

AWS Organizations with Service Control Policies (SCPs) allows central policy management across accounts. Firewall Manager focuses on VPC security, not general policies.

1375
MCQ · medium

A security engineer notices that an IAM role allows 'iam:PassRole' to an EC2 instance. What security risk does this present?

A. The instance can launch new resources with a more privileged role.
B. The instance can modify IAM policies.
C. The instance can stop CloudTrail logging.
D. The instance can decrypt data encrypted with KMS keys.
Answer: A

Privilege escalation via passing a role with more permissions.

Why this answer

PassRole allows an entity to pass a role to an AWS service. If the role has broad permissions, the instance can escalate privileges. Option B (modifying IAM policies) is not directly related to PassRole.

Option D is about data encryption. Option C is about logging.

1376
MCQhard

A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The role has an attached policy that grants s3:GetObject on the bucket. However, the application on the EC2 instance is unable to read objects. What is the MOST likely cause?

A.The S3 bucket policy denies access to the IAM role.
B.The EC2 instance does not have an IAM instance profile configured.
C.The policy is attached to the EC2 instance instead of the role.
D.The EC2 instance is not running the latest user data script.
AnswerB

Without an instance profile, the role credentials are not available to the instance.

Why this answer

Option B is correct because the instance profile must be associated with the EC2 instance for the role to be used. Option C is wrong because the policy is attached to the role, not the instance. Option A is wrong because, although a bucket policy could block access, the scenario gives no indication of one.

Option D is wrong because the user data script does not affect IAM permissions.

1377
MCQmedium

Refer to the exhibit. The bucket policy allows access from a specific IP range and denies access over HTTP. A user from IP 198.51.100.5 makes a GET request over HTTPS. What will happen?

A.Denied because of the explicit Deny statement.
B.Allowed because the request is over HTTPS.
C.Allowed because the Deny condition is not satisfied.
D.Denied because no explicit allow matches the request.
AnswerD

The Allow requires a specific IP, which is not met, resulting in implicit deny.

Why this answer

Option D is correct because the Allow statement requires the source IP to be in 203.0.113.0/24, but the user's IP is 198.51.100.5, so the Allow does not apply. The Deny statement only applies if aws:SecureTransport is false, but the request uses HTTPS, so the Deny does not apply either. The result is an implicit deny (no explicit allow), so access is denied.

Option A is wrong because the Deny condition is not met. Option B is wrong because using HTTPS only avoids the Deny; it does not satisfy the Allow. Option C is wrong because an unmatched Deny condition does not grant access; an explicit deny would apply only if the condition matched.

1378
MCQmedium

A company is designing a VPC with public and private subnets. The web servers in the public subnets must be accessible from the internet on port 443, but the database servers in the private subnets should only be accessible from the web servers on port 3306. Which combination of security group rules and network ACL rules should be used to meet these requirements with the least administrative overhead?

A.Use security groups for all tiers; add an inbound rule to the database security group allowing traffic from the web security group on port 3306.
B.Use security groups for all tiers; add an inbound rule to the web security group allowing internet traffic on port 443, and add an outbound rule to the web security group allowing traffic to the database security group on port 3306.
C.Use security groups for the web tier and network ACLs for the database tier; add an inbound rule to the database network ACL allowing traffic from the web subnet CIDR on port 3306.
D.Use security groups for the web tier and network ACLs for the database tier; add an inbound rule to the database network ACL allowing all traffic from the web security group.
AnswerA

Security groups are stateful and can reference other security groups, reducing overhead.

Why this answer

Option A is correct because security groups are stateful and can reference other security groups, so you can allow inbound traffic from the web security group to the database security group without managing IP addresses. Network ACLs are stateless and would require explicit allow rules for return traffic, increasing overhead. Options C and D use network ACLs for the database tier, which is less efficient.

Option D is additionally incorrect because it allows all traffic from the web security group, which is more permissive than necessary.

1379
Multi-Selecteasy

A security engineer needs to collect and analyze operating system logs from EC2 instances. Which TWO services are required?

Select 2 answers
A.Amazon VPC Flow Logs
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon CloudWatch Agent
E.AWS CloudTrail
AnswersC, D

CloudWatch Logs stores and analyzes log data from the CloudWatch agent.

Why this answer

Options C and D are correct. The CloudWatch agent must be installed on the EC2 instance to collect OS logs and send them to CloudWatch Logs. Option E is incorrect because CloudTrail logs API calls, not OS logs.

Option A is incorrect because VPC Flow Logs capture network traffic, not OS logs. Option B is incorrect because AWS Config does not collect OS logs.

1380
MCQmedium

A company is using AWS WAF to protect a web application behind an Application Load Balancer. The Security Engineer wants to block requests that contain SQL injection attacks. Which action should the Engineer take?

A.Enable AWS Shield Advanced to automatically block SQL injection attacks.
B.Create a WAF rule with a SQL injection match condition and set the action to block.
C.Use Amazon GuardDuty to detect and block SQL injection attempts.
D.Configure the security group of the EC2 instances to block traffic containing SQL injection patterns.
AnswerB

AWS WAF can inspect HTTP requests and block SQL injection patterns.

Why this answer

Option B is correct because AWS WAF has managed rules for SQL injection that can be enabled with a block action. Option D is wrong because WAF rules are not applied at the EC2 instance level; a security group cannot inspect request content. Option A is wrong because Shield Advanced provides DDoS protection, not SQL injection detection.

Option C is wrong because GuardDuty is for threat detection, not inline blocking of web requests.

1381
MCQhard

A company uses AWS Organizations with a service control policy (SCP) that denies all IAM actions unless the request comes from a specific IP address range. A security administrator needs to create a new IAM role for a service that runs on-premises, but the request is being denied. What should the administrator do?

A.Modify the SCP to include the on-premises IP address range in the condition.
B.Use the root user of the management account to create the role, as root is not affected by SCPs.
C.Create a new IAM user in the account with full administrator access and use that user to create the role from the on-premises network.
D.Remove the account from the organization temporarily, create the role, and re-add the account.
AnswerA

This allows the on-premises service to perform IAM actions.

Why this answer

Option A is correct because the SCP denies all IAM actions unless the request comes from the specified IP range. To allow the on-premises service, the administrator can add the on-premises IP range to the SCP condition. Option C is wrong because the administrator already has full access, but the SCP overrides it.

Option B is wrong because the SCP affects all principals, including the administrator. Option D is wrong because the SCP applies to all accounts in the organization.

1382
MCQeasy

A company is using AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. Which KMS policy element should be used?

A.Principal
B.Resource
C.Action
D.Effect
AnswerA

Specifies the IAM role that can use the key.

Why this answer

Option A (Principal) is correct because it specifies who can use the key. Option D (Effect) is for allow/deny. Option C (Action) is for allowed operations.

Option B (Resource) is for the key ARN.

1383
MCQhard

A security engineer notices that an IAM user has been performing suspicious actions in an AWS account. The engineer needs to generate a credential report to identify the age of the user's access keys. Which AWS CLI command should the engineer run?

A.aws iam get-account-authorization-details
B.aws iam generate-credential-report && aws iam get-credential-report
C.aws iam generate-service-last-accessed-details
D.aws iam list-access-keys --user-name suspectUser
AnswerB

The credential report includes access key ages.

Why this answer

Option B is correct because generate-credential-report creates the report, and get-credential-report retrieves it. Option D is wrong because list-access-keys only lists keys without age. Option A is wrong because get-account-authorization-details is not for credential reports.

Option C is wrong because generate-service-last-accessed-details is for services.
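As an added example (not part of the question bank), here is how the CSV that `get-credential-report` returns can be parsed offline to compute access key age; the report rows are constructed with the real column layout, and the account ID, user names and report time (NOW) are placeholders.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential report using the real report's column layout.
# The account ID and user names are placeholders, not real data.
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,true,2024-04-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
suspectUser,arn:aws:iam::123456789012:user/suspectUser,2023-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-02-01T09:00:00+00:00,2024-04-30T10:00:00+00:00,us-east-1,iam,true,2024-04-29T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-06-15T09:00:00+00:00,true,2024-04-28T08:00:00+00:00,2024-03-01T08:00:00+00:00,N/A,true,true,2024-03-01T08:00:00+00:00,2024-04-29T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed "time the report was generated", so ages are reproducible.
NOW = datetime(2024, 5, 1, 10, tzinfo=timezone.utc)


def _ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported carry no date."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def access_key_ages(report_csv, now):
    """Map each user to its active access keys, with days since last rotation and last use."""
    out = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        keys = []
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key slot
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            keys.append({
                "slot": int(slot),
                "age_days": (now - rotated).days if rotated else None,
                "days_since_use": (now - last_used).days if last_used else None,
                "last_service": row[f"access_key_{slot}_last_used_service"],
            })
        if keys:
            out[row["user"]] = keys
    return out


def stale_keys(report_csv, now, max_age_days=90):
    """(user, slot, age_days) for active keys older than the rotation threshold."""
    return [(user, k["slot"], k["age_days"])
            for user, keys in access_key_ages(report_csv, now).items()
            for k in keys
            if k["age_days"] is not None and k["age_days"] > max_age_days]


if __name__ == "__main__":
    for user, slot, age in stale_keys(REPORT_CSV, NOW):
        print(f"{user}: access key {slot} last rotated {age} days ago")
```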

1384
MCQhard

A security engineer is designing a data encryption solution for a multi-region application that uses Amazon S3. The solution must use envelope encryption with a key hierarchy that allows the application to encrypt data locally using a data key, while the data key is protected by a master key stored in AWS KMS. The application should be able to decrypt data even if connectivity to AWS KMS is temporarily lost. Which approach meets these requirements?

A.Use the KMS GenerateDataKey API to get a plaintext data key and encrypted data key. Store both; for decryption, call KMS Decrypt to get the plaintext key.
B.Use KMS GenerateDataKeyWithoutPlaintext to get only the encrypted data key. Store it; for decryption, call KMS Decrypt.
C.Use an AWS managed key to encrypt data directly without a data key.
D.Use KMS GenerateDataKey to obtain a plaintext data key and encrypted data key. Cache the plaintext key in memory; for decryption, use the cached key. If cache miss, call KMS Decrypt.
AnswerD

Caching allows decryption without KMS; meets requirement.

Why this answer

Option D is correct because by caching the plaintext data key, the application can decrypt locally without calling KMS. Option A would require KMS for decryption. Option B does not allow decryption without KMS.

Option C uses the wrong key type.

1385
MCQeasy

A company needs to ensure that all API calls in their AWS account are logged and monitored for suspicious activity. Which service should be enabled first?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Config
D.AWS CloudTrail
AnswerD

CloudTrail logs all API calls.

Why this answer

AWS CloudTrail records all API calls in the account. GuardDuty uses CloudTrail logs for threat detection, but CloudTrail must be enabled first. AWS Config is for configuration compliance.

Amazon Inspector is for host vulnerabilities.

1386
MCQeasy

A security engineer is reviewing CloudTrail logs and notices API calls from an unknown IP address. The engineer needs to immediately block the IP address and receive alerts for any future suspicious activity. Which combination of actions should the engineer take?

A.Create an AWS WAF IP set and associate it with the CloudFront distribution. Configure CloudFront to block the IP.
B.Add the IP address to a security group with a DENY rule and enable AWS Security Hub to send alerts.
C.Revoke IAM permissions for the user associated with the IP and enable GuardDuty for alerting.
D.Add the IP address to a VPC NACL with a DENY rule and update a CloudWatch metric filter to create an alarm on the IP address.
AnswerD

Immediate network blocking plus alerting.

Why this answer

Option D is correct because VPC Network ACLs (NACLs) are stateless and can explicitly deny traffic from a specific IP address at the subnet level, providing immediate blocking without affecting existing security group rules. A CloudWatch metric filter on CloudTrail logs can trigger an alarm for any future API calls from that IP, enabling proactive alerting. This combination addresses both the immediate blocking and ongoing monitoring requirements.

Exam trap

The trap here is that candidates often confuse security groups (which are stateful and allow-only) with NACLs (which are stateless and support explicit DENY rules), leading them to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because AWS WAF IP sets associated with CloudFront only block traffic at the edge, not API calls made directly to AWS services via the AWS API or console, and the unknown IP may not be hitting CloudFront. Option B is wrong because security groups do not support DENY rules; they are allow-only, so you cannot explicitly block an IP address with a security group. Option C is wrong because revoking IAM permissions for the user associated with the IP does not block the IP address itself—the attacker could use different credentials—and GuardDuty alerts on threats but does not block traffic.

1387
MCQhard

Refer to the exhibit. A security engineer reviews this CloudFormation template. The bucket is intended to be private. What is the security issue in the configuration?

A.The PublicAccessBlock configuration is missing the BlockPublicPolicy setting.
B.The bucket does not have versioning enabled.
C.The bucket policy grants public read access to the bucket, which overrides the PublicAccessBlock configuration.
D.The bucket policy uses an incorrect resource ARN.
AnswerC

PublicAccessBlock blocks public policies but not if the policy is applied directly and explicitly allows public access.

Why this answer

Option C is correct because the bucket policy explicitly grants public read access (Effect: Allow, Principal: *, Action: s3:GetObject), which overrides the PublicAccessBlock configuration when the policy is applied. PublicAccessBlock settings block new public policies but do not retroactively block existing policies that grant public access; the bucket policy takes precedence and makes the bucket publicly readable despite the intended private configuration.

Exam trap

The trap here is that candidates assume PublicAccessBlock settings automatically prevent any public access, but they do not override an existing bucket policy that explicitly grants public access; the policy is evaluated first and takes effect.

How to eliminate wrong answers

Option A is wrong because the PublicAccessBlock configuration includes BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets; the template shows BlockPublicPolicy set to true, so it is not missing. Option B is wrong because versioning is a data protection and recovery feature, not a security control for preventing public access; its absence does not cause the bucket to be publicly readable. Option D is wrong because the resource ARN arn:aws:s3:::my-bucket/* correctly specifies all objects in the bucket, and the bucket name matches the logical ID; the ARN is valid for the policy statement.

1388
MCQhard

Refer to the exhibit. A security engineer is analyzing a VPC Flow Logs entry for an EC2 instance with private IP 192.0.2.10. The log shows an accepted outbound connection from the instance to 203.0.113.50 on port 443. The instance is not expected to initiate outbound HTTPS connections. What should the engineer do next to investigate?

A.Log into the instance and check for unauthorized processes or malware.
B.Block the IP 203.0.113.50 in the security group immediately.
C.Check the security group rules to see if outbound HTTPS is allowed.
D.Check Amazon Route 53 DNS logs to see what domain was resolved.
AnswerA

The instance may be compromised; investigate the OS.

Why this answer

Option A is correct because the VPC Flow Logs show an accepted outbound connection from the EC2 instance to an external IP on port 443, which is unexpected behavior. The immediate next step is to log into the instance and investigate for unauthorized processes, malware, or compromised credentials that could be initiating this outbound HTTPS traffic. This aligns with incident response best practices: verify the host before making network-level changes.

Exam trap

The trap here is that candidates assume the first step is to modify network controls (security groups or DNS logs) rather than performing host-level investigation, which is the correct incident response priority when the instance itself is the source of unexpected traffic.

How to eliminate wrong answers

Option B is wrong because blocking the IP immediately without first confirming the instance is compromised could disrupt legitimate traffic or alert an attacker prematurely; security groups should be modified only after a thorough investigation. Option C is wrong because checking security group rules is unnecessary—the flow log already shows the connection was accepted, meaning outbound HTTPS is permitted; the question is why the instance is making the connection, not whether it can. Option D is wrong because Amazon Route 53 DNS logs would only show DNS queries made to Route 53, and the instance may be using an external DNS resolver or a hardcoded IP, so this step is not the immediate priority for investigating unexpected outbound traffic.
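An added example, not from the question bank, that triages default-format VPC Flow Log records the way the explanation describes: it picks out accepted flows that look initiated by 192.0.2.10 toward an address outside the VPC on port 443. The log lines are constructed, and the VPC CIDR 192.0.2.0/24, account ID and interface ID are assumptions.

```python
import ipaddress

# Default VPC Flow Log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, not real telemetry: the flow from the question,
# its return flow, an inbound rejected probe, an in-VPC database flow and a
# NODATA row. The VPC CIDR is assumed to be 192.0.2.0/24.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.10 203.0.113.50 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.50 192.0.2.10 443 49152 6 8 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 192.0.2.10 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.10 192.0.2.20 40000 3306 6 30 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""
VPC_CIDR = "192.0.2.0/24"


def parse_record(line):
    """Parse one default-format record; return None for rows without flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA rows carry '-' placeholders
        return None
    for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[field] = int(rec[field])
    return rec


def unexpected_egress(log_text, instance_ip, vpc_cidr, watched_ports=(443,)):
    """Accepted flows that look initiated by instance_ip toward the internet on a watched port.

    Flow logs do not record which side opened the connection, so direction is
    inferred: the instance is the source, the peer is outside the VPC, the
    destination port is the service port and the source port is ephemeral.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["srcaddr"] != instance_ip or rec["srcport"] < 1024:
            continue  # return traffic or a flow the instance did not open
        if ipaddress.ip_address(rec["dstaddr"]) in vpc:
            continue  # east-west traffic inside the VPC
        if rec["dstport"] in watched_ports:
            hits.append({"peer": rec["dstaddr"], "port": rec["dstport"],
                         "bytes": rec["bytes"], "start": rec["start"]})
    return hits


if __name__ == "__main__":
    for h in unexpected_egress(SAMPLE_LOG, "192.0.2.10", VPC_CIDR):
        print(f"unexpected egress to {h['peer']}:{h['port']} ({h['bytes']} bytes) at {h['start']}")
```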

1389
Drag & Dropmedium

Drag and drop the steps to configure AWS WAF with rate-based rules in the correct order.

Why this order

Rate-based rules require creating a web ACL first, then adding the rule, associating with a resource, testing, and monitoring.

1390
MCQmedium

A company is using an Application Load Balancer (ALB) to distribute traffic to EC2 instances in a VPC. The Security Engineer notices that the ALB health checks are failing. Which configuration change should the Engineer make to resolve the issue?

A.Add a rule to the target instances' security group to allow inbound traffic from 0.0.0.0/0 on the health check port.
B.Add a rule to the target instances' security group to allow inbound traffic from the VPC CIDR on the health check port.
C.Add a rule to the ALB's security group to allow inbound traffic from the internet on the health check port.
D.Add a rule to the ALB's security group to allow outbound traffic to the target instances on the health check port.
AnswerB

ALB health checks come from the VPC CIDR.

Why this answer

Option B is correct because the ALB health checks originate from the VPC CIDR, so the security group must allow traffic from the VPC CIDR. Option A is wrong because the ALB does not have a fixed IP; it uses the VPC CIDR for health checks. Option C is wrong because health checks are not sent from the internet.

Option D is wrong because the ALB's security group is for the ALB itself, not for the target instances.

1391
MCQhard

A company is using Amazon CloudWatch Logs to centralize application logs from EC2 instances. The security team wants to encrypt the log data at rest using a customer-managed KMS key. After enabling encryption on the log group, they notice that new log events are being encrypted, but existing log events are not encrypted. What should the team do to encrypt the existing log events?

A.Use the AWS CLI to update the log group's encryption configuration to re-encrypt existing data.
B.Export the existing logs to S3, encrypt them with the KMS key, and re-import them into a new log group.
C.Enable KMS automatic key rotation on the customer-managed key to encrypt existing logs.
D.Change the KMS key to an AWS managed key to automatically encrypt existing logs.
AnswerB

Only way to encrypt existing logs.

Why this answer

Option B is correct because CloudWatch Logs does not support encrypting existing log events retroactively. The only way to encrypt them is to export them, re-encrypt, and re-import. Option A is wrong because there is no built-in re-encryption.

Option D is wrong because you cannot change the KMS key on an existing log group. Option C is wrong because key rotation does not re-encrypt existing data; re-encryption is not supported.

1392
MCQeasy

An AWS Lambda function needs to read from a DynamoDB table. What is the best practice for granting the Lambda function the necessary permissions?

A.Use a resource-based policy on the DynamoDB table to allow the Lambda function.
B.Create an IAM user with the necessary permissions and assign it to the Lambda function.
C.Create an IAM role with the necessary permissions and attach it as the Lambda function's execution role.
D.Embed the IAM user's access key and secret key in the Lambda function code.
AnswerC

This is the recommended approach, allowing secure and temporary credentials.

Why this answer

Option C is correct because attaching an execution role to the Lambda function is the standard and secure method. Option D is wrong because embedding credentials in the code is insecure. Option A is wrong because resource-based policies are not supported for Lambda functions to access DynamoDB.

Option B is wrong because IAM users are not appropriate for service-to-service access.

1393
MCQhard

A company uses Amazon DynamoDB with client-side encryption using AWS KMS. The application is experiencing high latency on write operations. Which change is most likely to reduce latency?

A.Switch to server-side encryption with KMS
B.Increase the provisioned write capacity of the table
C.Use DynamoDB Accelerator (DAX)
D.Cache the data key locally and reuse it for multiple items
AnswerD

Reduces KMS API calls.

Why this answer

Option D is correct because client-side encryption with AWS KMS typically involves calling the KMS GenerateDataKey API to obtain a data key, which is then used to encrypt items locally. Each KMS API call adds network latency. By caching the data key locally and reusing it for multiple items, you eliminate repeated KMS round trips, significantly reducing per-write latency.

This is a well-known optimization for client-side encryption patterns.

Exam trap

The trap here is that candidates often confuse throughput capacity (Option B) with latency, or assume DAX (Option C) can accelerate writes, when in fact DAX only caches reads and does not affect write path latency.

How to eliminate wrong answers

Option A is wrong because switching to server-side encryption with KMS does not reduce write latency; it offloads encryption to DynamoDB but still incurs KMS overhead for each table write, and the latency issue is not caused by the encryption method itself. Option B is wrong because increasing provisioned write capacity addresses throughput throttling (e.g., ProvisionedThroughputExceededException), not the latency introduced by client-side encryption calls to KMS. Option C is wrong because DynamoDB Accelerator (DAX) is an in-memory cache for read operations only; it does not accelerate write operations or reduce encryption-related latency.
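The data-key caching that questions 1384 and 1393 describe, as an added example that is not the question bank's or AWS's code: KMS is replaced by an offline stand-in that counts GenerateDataKey and Decrypt calls, the item cipher is a toy SHA-256 keystream standing in for AES-GCM, and the per-key usage limit (max_uses) is an assumption modelled on the AWS Encryption SDK's data key caching limits.

```python
import hashlib
import hmac
import os


class FakeKMS:
    """Offline stand-in for KMS GenerateDataKey/Decrypt that counts each call.

    Wrapping is an HMAC-keystream XOR under a random master key; only the
    call pattern matters for this example, not the wrapping primitive.
    """

    def __init__(self):
        self._master = os.urandom(32)
        self.calls = {"GenerateDataKey": 0, "Decrypt": 0}
        self.online = True  # flip to False to simulate lost connectivity

    def _wrap(self, nonce, key):
        keystream = hmac.new(self._master, nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(key, keystream))

    def generate_data_key(self):
        """Return (plaintext data key, encrypted data key blob)."""
        if not self.online:
            raise ConnectionError("KMS unreachable")
        self.calls["GenerateDataKey"] += 1
        key, nonce = os.urandom(32), os.urandom(16)
        return key, nonce + self._wrap(nonce, key)

    def decrypt(self, blob):
        if not self.online:
            raise ConnectionError("KMS unreachable")
        self.calls["Decrypt"] += 1
        return self._wrap(blob[:16], blob[16:])


def _stream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 counter keystream) standing in for AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CachingEnvelopeClient:
    """Envelope encryption with a data-key cache.

    Encryption reuses one data key for up to max_uses items; decryption keeps
    a map from encrypted data key to plaintext key, so items whose data key
    has already been unwrapped need no KMS call at all.
    """

    def __init__(self, kms, max_uses=100):
        self.kms = kms
        self.max_uses = max_uses
        self._current = None  # [plaintext key, encrypted key blob, uses]
        self._unwrapped = {}  # encrypted key blob -> plaintext key

    def encrypt(self, plaintext):
        if self._current is None or self._current[2] >= self.max_uses:
            key, blob = self.kms.generate_data_key()  # one KMS round trip per key
            self._current = [key, blob, 0]
            self._unwrapped[blob] = key
        key, blob, _ = self._current
        self._current[2] += 1
        nonce = os.urandom(12)  # fresh per item, stored alongside the ciphertext
        return {"edk": blob, "nonce": nonce, "ct": _stream_xor(key, nonce, plaintext)}

    def decrypt(self, item):
        key = self._unwrapped.get(item["edk"])
        if key is None:  # cache miss: only now is KMS needed
            key = self.kms.decrypt(item["edk"])
            self._unwrapped[item["edk"]] = key
        return _stream_xor(key, item["nonce"], item["ct"])


def demo(n_items=250, max_uses=100):
    """Encrypt n_items with one client, then decrypt offline and with a cold-cache client.

    Returns (GenerateDataKey calls, Decrypt calls, offline decrypt ok, reader ok).
    """
    kms = FakeKMS()
    writer = CachingEnvelopeClient(kms, max_uses)
    items = [writer.encrypt(f"item-{i}".encode()) for i in range(n_items)]
    generate_calls = kms.calls["GenerateDataKey"]
    # Question 1384: the writer still decrypts while KMS is unreachable, from its cache.
    kms.online = False
    offline_ok = all(writer.decrypt(it) == f"item-{i}".encode() for i, it in enumerate(items))
    kms.online = True
    # Question 1393: a cold-cache reader (another host) needs one Decrypt per distinct key.
    reader = CachingEnvelopeClient(kms, max_uses)
    reader_ok = all(reader.decrypt(it) == f"item-{i}".encode() for i, it in enumerate(items))
    return generate_calls, kms.calls["Decrypt"], offline_ok, reader_ok


if __name__ == "__main__":
    print("cached  :", demo(250, 100))  # 3 GenerateDataKey, 3 Decrypt
    print("uncached:", demo(250, 1))    # 250 GenerateDataKey, 250 Decrypt
```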

1394
MCQmedium

A security engineer needs to grant an IAM user in Account A (111111111111) access to an S3 bucket in Account B (222222222222). The bucket policy in Account B allows cross-account access from Account A. Which additional step is required?

A.Attach an IAM policy to the IAM user in Account A granting s3:GetObject on the bucket.
B.Create a cross-account role in Account B and have the user assume it.
C.Attach the bucket policy to the IAM user in Account A.
D.Create an S3 access point in Account B and grant the IAM user access.
AnswerA

The IAM user needs a permissions policy that allows the action; the resource-based policy allows from the account, but the user still needs explicit allow.

Why this answer

Option A is correct because cross-account access requires both a resource-based policy (the bucket policy) and a permissions policy in the requesting account. Option C is wrong because you cannot attach a bucket policy to a user. Option D is wrong because S3 access points are not required.

Option B is wrong because cross-account roles are an alternative, but the IAM user policy is the standard approach when using resource-based policies.

1395
MCQhard

A developer is trying to upload an object to an S3 bucket named 'my-bucket' using the AWS CLI. The developer has an IAM user with a policy that includes 's3:PutObject' for 'arn:aws:s3:::my-bucket/*'. However, the upload fails with an 'Access Denied' error. The bucket policy is set to allow all principals from the same AWS account to perform 's3:PutObject'. What is the most likely cause of this failure?

A.The IAM user is not authorized to perform 's3:PutObject' on the bucket 'my-bucket'.
B.The bucket policy denies access because the principal is not explicitly listed.
C.The IAM policy grants 's3:PutObject' only on objects (/*), but the request may also require 's3:PutObject' on the bucket itself for some operations.
D.The bucket 'my-bucket' does not exist in the same region as the CLI request.
AnswerC

The IAM policy should allow 's3:PutObject' on the bucket ARN as well, or the bucket policy should explicitly allow the user. The bucket policy allows all principals in the account, so that is not the issue.

Why this answer

Option C is correct because the IAM policy grants 's3:PutObject' only on the bucket's object ARN (arn:aws:s3:::my-bucket/*), but certain S3 operations, such as multipart uploads initiated via the AWS CLI, may require the 's3:PutObject' permission on the bucket resource itself (arn:aws:s3:::my-bucket) to complete the upload. The bucket policy allows 's3:PutObject' for all principals in the same account, but the IAM user's policy is too restrictive, causing the 'Access Denied' error.

Exam trap

The trap here is that candidates assume 's3:PutObject' on the object ARN (/*) is sufficient for all uploads, but the AWS CLI may require the same permission on the bucket ARN for multipart upload initiation, leading to an 'Access Denied' error even when the bucket policy is permissive.

How to eliminate wrong answers

Option A is wrong because the IAM user does have 's3:PutObject' permission on objects within the bucket, as granted by the policy on 'arn:aws:s3:::my-bucket/*'. Option B is wrong because the bucket policy explicitly allows all principals from the same AWS account to perform 's3:PutObject', so the principal is effectively allowed. Option D is wrong because S3 bucket names are globally unique, and the CLI request automatically resolves the correct region; a region mismatch would cause a 'NoSuchBucket' or redirect error, not an 'Access Denied' error.

1396
MCQeasy

A company stores sensitive customer data in an S3 bucket. The security team wants to ensure that all data is encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement should be added to deny uploads that do not use SSE-KMS?

A.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*"}
B.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"}}}
C.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}}}
D.{"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket-name/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"true"}}}
AnswerD

Correct condition keys and values to enforce SSE-KMS.

Why this answer

Option D is correct because it uses the 's3:x-amz-server-side-encryption' condition key set to 'aws:kms' to enforce SSE-KMS, and the 'Null' condition on the KMS key ID to require that a KMS key is specified. Options A, B, and C either omit the condition or use incorrect condition keys or values.
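To make the policy logic of questions 1373, 1377 and 1396 concrete, here is an added example (not from the question bank) with a minimal evaluator for the condition operators those questions use. It ignores Principal and Resource matching, and its rule that a negated operator such as StringNotEquals is satisfied when its key is absent from the request context is my reading of AWS's documented evaluation, marked as an assumption in the code.

```python
import ipaddress

# Question 1377's exhibit, reconstructed from the text of the question and explanation.
ALLOW_FROM_IP_DENY_HTTP = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Question 1396, option D (the answer key), plus an Allow so uploads are possible at all.
REQUIRE_SSE_KMS = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {
         "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},
         "Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}}},
]}


def mfa_policy(operator="BoolIfExists"):
    """Question 1373's deny-without-MFA policy, built with Bool or BoolIfExists."""
    return {"Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


NEGATED = {"StringNotEquals", "NotIpAddress"}


def _operator_matches(op, key, want, ctx):
    """Evaluate one condition key under one operator against the request context ctx."""
    present = key in ctx
    if op == "Null":  # "true" means the key must be absent
        return (not present) == (want == "true")
    if not present:
        # Assumed missing-key rule: ...IfExists and negated operators are
        # satisfied by an absent key; every other operator is not.
        return op.endswith("IfExists") or op in NEGATED
    have = str(ctx[key])
    base = op[:-len("IfExists")] if op.endswith("IfExists") else op
    if base == "Bool":
        return have.lower() == want.lower()
    if base == "StringEquals":
        return have == want
    if base == "StringNotEquals":
        return have != want
    if base in ("IpAddress", "NotIpAddress"):
        inside = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        return inside if base == "IpAddress" else not inside
    raise ValueError(f"unsupported operator {op}")


def _condition_matches(condition, ctx):
    # Operators in one Condition block are ANDed, and so are the keys inside each.
    return all(_operator_matches(op, key, want, ctx)
               for op, pairs in condition.items() for key, want in pairs.items())


def _action_matches(pattern, action):
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))


def evaluate(policy, action, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    An explicit deny always wins; with no matching Allow the result is an
    implicit deny, which is the outcome question 1377 turns on.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    # 1377: wrong source IP over HTTPS: the Deny does not fire, but nothing allows.
    print(evaluate(ALLOW_FROM_IP_DENY_HTTP, "s3:GetObject",
                   {"aws:SourceIp": "198.51.100.5", "aws:SecureTransport": "true"}))
    # 1373: a request signed with a long-term access key carries no MFA key at all.
    print(evaluate(mfa_policy("BoolIfExists"), "s3:ListBucket", {}))  # ExplicitDeny
    print(evaluate(mfa_policy("Bool"), "s3:ListBucket", {}))          # Allow: the trap
```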

1397
MCQhard

An IAM policy includes the following condition: "StringNotEquals": {"aws:SourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/*"}. What is the effect of this condition when attached to an IAM role?

A.Denies all requests from EC2 instances
B.Allows the role to be assumed only by EC2 instances in the specified account and region
C.Denies requests that do not originate from an EC2 instance in the specified account and region
D.Allows any request that comes from an EC2 instance regardless of account
AnswerC

Correct interpretation: Denies if SourceArn is not equal to the given ARN pattern.

Why this answer

The condition uses `StringNotEquals` with `aws:SourceArn`, meaning it denies access when the source ARN does NOT match the specified pattern. Since the condition is attached to a role's trust policy, it restricts which principals can assume the role. The correct effect is that requests not originating from an EC2 instance in account 123456789012 and region us-east-1 are denied.

Exam trap

The trap here is that candidates confuse `StringNotEquals` with `StringEquals`, mistakenly thinking the condition allows only matching ARNs instead of denying non-matching ones, leading them to choose Option B.

How to eliminate wrong answers

Option A is wrong because the condition does not deny all EC2 requests; it only denies those that do not match the specified ARN pattern, so requests from EC2 instances in the given account and region are permitted. Option B is wrong because the condition uses `StringNotEquals` (deny if not matching), not `StringEquals` (allow only if matching); it does not positively allow assumption only by those instances but denies non-matching requests, which in effect permits matching ones, and the question asks about the deny effect. Option D is wrong because the condition explicitly denies requests that do not match the account and region, so it does not allow requests from any EC2 instance regardless of account.

1398
MCQeasy

A company's security team wants to receive alerts when an IAM user creates a new access key. Which AWS service can be used to monitor and notify on this specific API call?

A.AWS Trusted Advisor
B.Amazon GuardDuty
C.AWS CloudTrail with Amazon CloudWatch Events
D.AWS Config
AnswerC

CloudTrail logs API calls and CloudWatch Events can trigger notifications.

Why this answer

Option C is correct because CloudTrail logs IAM CreateAccessKey events, and CloudWatch Events can trigger a notification. Option D is wrong because AWS Config is for resource compliance. Option B is wrong because GuardDuty is for threat detection.

Option A is wrong because Trusted Advisor is for best practices.
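As an added example serving both question 1386 (calls from a specific IP) and question 1398 (CreateAccessKey), and not code from the question bank: the same matching a CloudWatch Logs metric filter would do, run over a constructed CloudTrail Records file. The IPs, users and account ID are placeholders, the key ID is AWS's documented example value, and the filter patterns in the comments are the real CloudWatch syntax.

```python
import json

# Constructed CloudTrail log file in the Records[] shape CloudTrail delivers to S3.
# Account, user names and the key ID (AWS's documented example value) are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "suspectUser"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                        "status": "Active"}}},
    {"eventTime": "2024-05-01T09:12:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "suspectUser"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice"}},
    {"eventTime": "2024-05-01T10:02:17Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
]})

# Each rule is the field/value set a CloudWatch Logs metric filter on the
# CloudTrail log group would test; the equivalent filter pattern is in the comment.
RULES = {
    # { $.sourceIPAddress = "198.51.100.5" }
    "api-call-from-blocked-ip": {"sourceIPAddress": "198.51.100.5"},
    # { ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateAccessKey") }
    "iam-access-key-created": {"eventSource": "iam.amazonaws.com",
                               "eventName": "CreateAccessKey"},
}


def _field(record, path):
    """Resolve a dotted path such as userIdentity.userName; None if absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_records(log_text, rules=RULES):
    """Return one alert per (record, rule) pair whose fields all match."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        for name, wanted in rules.items():
            if all(_field(rec, path) == value for path, value in wanted.items()):
                alerts.append({
                    "rule": name,
                    "time": rec["eventTime"],
                    "event": rec["eventName"],
                    "ip": rec.get("sourceIPAddress"),
                    # IAM users carry userName; assumed roles only carry an ARN
                    "user": _field(rec, "userIdentity.userName")
                            or _field(rec, "userIdentity.arn"),
                })
    return alerts


def count_by_rule(alerts):
    """Alert counts per rule, the number a metric filter would emit as a metric."""
    counts = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in match_records(SAMPLE_TRAIL):
        print(f"{a['time']} {a['rule']}: {a['event']} by {a['user']} from {a['ip']}")
```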

1399
MCQhard

A company uses AWS Organizations with a multi-account strategy. The security team wants to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID. Which approach should the team take to enforce this requirement across all accounts?

A.Use AWS Config to detect EC2 instances with noncompliant AMI IDs and send notifications.
B.Create an IAM policy in each account that denies ec2:RunInstances unless the AMI ID is in an approved list.
C.Create an SCP that denies ec2:RunInstances if the AMI ID is not in a specified list.
D.Deploy a Lambda function that terminates any EC2 instance with a noncompliant AMI ID.
AnswerC

SCPs can deny actions based on conditions and apply to all accounts in the organization.

Why this answer

Using an SCP to deny RunInstances with a condition on the AMI ID is the most direct way to enforce the requirement at the organization level. Option B (IAM policy in each account) is less manageable. Option A (AWS Config) detects but does not prevent.

Option D (Lambda) is reactive.

1400
MCQeasy

A security engineer is configuring an automated response to a GuardDuty finding that indicates a compromised EC2 instance. The engineer wants to isolate the instance by changing its security group to a 'quarantine' group. Which AWS service is BEST suited to automate this response?

A.AWS Step Functions
B.AWS Config
C.Amazon EventBridge
D.AWS Systems Manager Automation
AnswerC

EventBridge can trigger a Lambda function on GuardDuty findings.

Why this answer

Amazon EventBridge is the best choice because it can directly receive GuardDuty findings as events and trigger an automated response, such as invoking a Lambda function or Systems Manager Automation runbook to change the EC2 instance's security group to a quarantine group. EventBridge provides native integration with GuardDuty via its default event bus, enabling real-time, event-driven automation without additional orchestration overhead.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Automation as the primary automation service, forgetting that it requires an event source like EventBridge to trigger it, making EventBridge the correct answer for the 'best suited' service to automate the response directly from GuardDuty.

How to eliminate wrong answers

Option A is wrong because AWS Step Functions is a workflow orchestration service that requires an event source (like EventBridge) to trigger it; it is not the direct trigger for GuardDuty findings and adds unnecessary complexity for a simple one-step response. Option B is wrong because AWS Config is a configuration auditing and compliance service that can evaluate resource configurations and trigger remediation via Systems Manager Automation, but it cannot directly receive GuardDuty findings as events and is not designed for real-time threat response. Option D is wrong because AWS Systems Manager Automation is a runbook execution service that can perform remediation actions, but it requires an event trigger (such as EventBridge) to start; it is not the service that listens for GuardDuty findings directly.

1401
MCQmedium

A security engineer is designing a solution to enforce that all S3 buckets in an AWS account have server-side encryption enabled. The engineer needs to automatically remediate any non-compliant buckets. Which AWS service should be used to implement this requirement?

A.AWS Lambda with S3 events
B.AWS Config with managed rules and auto-remediation
C.AWS IAM policy to deny PutBucketEncryption without encryption
D.AWS CloudTrail
AnswerB

AWS Config evaluates resources against rules and can trigger auto-remediation via Systems Manager Automation.

Why this answer

AWS Config can evaluate resource configurations against rules and automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Option D is wrong because AWS CloudTrail records API activity but does not enforce configuration. Option A is wrong because AWS Lambda can be used but is not the primary service for governance at scale. Option C is wrong because IAM policies can prevent creating buckets without encryption but do not remediate existing ones.

1402
MCQeasy

A developer needs to grant an IAM user read-only access to an S3 bucket containing sensitive data. The bucket is encrypted with an AWS KMS customer managed key. Which set of permissions must be included in the IAM policy?

A.s3:GetObject, kms:Encrypt
B.s3:GetObject, kms:Decrypt
C.kms:Decrypt
D.s3:ListBucket, kms:Decrypt
AnswerB

GetObject to read the object, Decrypt to decrypt the KMS-encrypted object.

Why this answer

Option B is correct because, to read objects, the user needs both s3:GetObject and kms:Decrypt permissions. Option D is wrong because s3:ListBucket is not required for reading a specific object. Option A is wrong because kms:Encrypt is not needed for read-only access. Option C is wrong because s3:GetObject is also required.

1403
Multi-Selectmedium

Which THREE actions can be performed using AWS CloudTrail to enhance security monitoring?

Select 3 answers
A.Monitor SSH login attempts to EC2 instances.
B.Detect unauthorized API calls by analyzing CloudTrail logs.
C.Monitor changes to S3 bucket policies.
D.Capture all network traffic to and from EC2 instances.
E.Track changes to IAM user permissions.
AnswersB, C, E

CloudTrail logs all API calls, enabling detection of unauthorized access.

Why this answer

Options B, C, and E are correct. CloudTrail logs can be used to detect unusual API activity, monitor IAM user activity, and track S3 bucket policy changes. Option A is incorrect because CloudTrail does not capture operating system logs such as SSH login attempts. Option D is incorrect because CloudTrail does not capture network traffic.

1404
Multi-Selectmedium

Which TWO of the following are best practices for protecting data in transit? (Choose TWO.)

Select 2 answers
A.Use a VPN for all traffic
B.Use HTTP for internal traffic
C.Enforce HTTPS for web traffic
D.Use SSL/TLS for all data transfers
E.Use encryption at rest
AnswersC, D

HTTPS uses TLS to encrypt web traffic.

Why this answer

Using TLS and enforcing HTTPS are best practices. Option E is wrong because encryption at rest does not protect data in transit. Option A is wrong because a VPN is not always needed. Option B is wrong because HTTP is not secure.

1405
MCQhard

Refer to the exhibit. A security engineer is reviewing VPC Flow Logs and sees the above entry. The engineer notices that traffic from IP 203.0.113.10 to an instance in the VPC on port 443 is being accepted. The security group for the instance only allows inbound HTTPS from the VPC CIDR (10.0.0.0/16). What is the most likely reason the traffic is accepted?

A.The network ACL associated with the subnet has an inbound rule allowing port 443 from 203.0.113.10/32.
B.The VPC Flow Logs capture traffic before security group evaluation.
C.The network ACL inbound rule is evaluated before the security group inbound rule.
D.The security group has a default rule that allows all inbound traffic from the internet.
AnswerA

Both the network ACL and the security group must allow a packet for it to be accepted; NACLs are stateless and cannot override a security group deny. Because the flow log shows ACCEPT, both must have allowed the traffic, which contradicts the statement that the security group only allows inbound HTTPS from the VPC CIDR. The most likely real-world explanation is that the security group actually allows 203.0.113.10, or that another security group is attached to the instance. The question is therefore flawed, but in the exam context Option A (the NACL inbound rule allowing port 443 from 203.0.113.10/32) is the expected answer.

Why this answer

VPC Flow Logs capture traffic at the network interface level after security group and NACL evaluation. The entry shows ACCEPT, meaning the traffic was allowed. Since the security group denies traffic from outside the VPC CIDR, the NACL must have allowed it.

NACLs are stateless and evaluate inbound and outbound rules separately. Option A is correct because the NACL inbound rule allows port 443 from 203.0.113.10/32, and the response traffic is allowed by the outbound rule. Option B is incorrect because Flow Logs are post-filtering. Option D is incorrect because the security group denies the traffic rather than allowing all inbound traffic. Option C is incorrect because the order of NACL rules does not change the fact that the security group denies it.

1406
MCQhard

A company uses AWS Organizations with multiple accounts. The security team needs a centralized solution to automatically initiate incident response runbooks across all accounts when a threat is detected. Which approach meets these requirements?

A.Use AWS Security Hub with cross-account aggregation and Amazon EventBridge to trigger AWS Systems Manager Automation runbooks.
B.Enable Amazon GuardDuty in all accounts and use its built-in remediation actions.
C.Configure AWS CloudFormation StackSets to deploy incident response stacks in all accounts.
D.Deploy an AWS Lambda function in each member account to respond to findings.
AnswerA

Security Hub aggregates findings centrally, and EventBridge can trigger runbooks in target accounts.

Why this answer

AWS Security Hub with cross-account aggregation collects findings from all accounts into a single administrator account. Amazon EventBridge can then be configured to match specific Security Hub findings (e.g., a GuardDuty threat detection) and trigger AWS Systems Manager Automation runbooks. This provides a centralized, automated incident response mechanism across all accounts without requiring per-account Lambda functions or manual remediation.

Exam trap

The trap here is that candidates often assume GuardDuty's built-in remediation actions are sufficient for centralized multi-account response, but those actions are per-account and lack the orchestration and customization of Security Hub + EventBridge + Systems Manager Automation.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty's built-in remediation actions are limited to predefined, account-specific responses (e.g., blocking IPs via network ACLs) and cannot be centrally orchestrated across all accounts or customized as runbooks. Option C is wrong because AWS CloudFormation StackSets deploy static infrastructure stacks, not dynamic incident response workflows triggered by real-time threats; they lack event-driven automation. Option D is wrong because deploying a Lambda function in each member account creates a decentralized, harder-to-manage solution that requires per-account IAM roles and lacks a single point of orchestration, contrary to the requirement for a centralized solution.

1407
MCQeasy

A company wants to receive real-time notifications when an IAM user in their AWS account performs a console login. Which AWS service should be used to monitor and alert on this activity?

A.AWS IAM
B.AWS Config
C.AWS Trusted Advisor
D.AWS CloudTrail and Amazon EventBridge
AnswerD

CloudTrail logs API calls, EventBridge can trigger notifications.

Why this answer

Option D is correct because CloudTrail logs console login events, and CloudWatch Events (now Amazon EventBridge) can trigger a notification based on those events. Option A is wrong because IAM does not provide real-time monitoring. Option B is wrong because Config is for resource configuration changes, not API calls. Option C is wrong because Trusted Advisor provides best-practice checks, not real-time monitoring.

1408
MCQmedium

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

A.The second statement allows any principal in the 10.0.0.0/8 range to receive messages from the queue.
B.The policy does not specify a principal, so it will not work.
C.The aws:SourceArn condition uses ArnLike which is deprecated.
D.The aws:SourceIp condition cannot be used with SQS queue policies.
AnswerA

This is overly permissive and should be scoped down.

Why this answer

Option A is correct because the second statement in the SQS queue policy allows any principal in the 10.0.0.0/8 IP range to receive messages from the queue, which violates the security requirement that only the SNS topic should be allowed to send messages. The policy should restrict the `sqs:SendMessage` action to the SNS topic using a condition like `aws:SourceArn` and should not include a broad `Effect: Allow` for `sqs:ReceiveMessage` without restricting the principal or source.

Exam trap

The trap here is that candidates may focus on the `aws:SourceArn` condition or the lack of a principal, overlooking the fact that the second statement grants broad receive access to any IP in the 10.0.0.0/8 range, which violates the requirement to restrict message sending to only the SNS topic.

How to eliminate wrong answers

Option B is wrong because SQS queue policies can work without specifying a principal if the policy is attached to the queue itself, and the `Principal` element can be omitted or set to `*` to allow all principals, but the issue here is not the absence of a principal. Option C is wrong because `ArnLike` is not deprecated; it is a valid condition operator used for pattern matching on ARNs, and the `aws:SourceArn` condition is commonly used with `ArnLike` to restrict access to specific resources. Option D is wrong because `aws:SourceIp` can be used with SQS queue policies to restrict access based on IP addresses, but it is not the issue here; the problem is the overly permissive second statement.

1409
MCQhard

A company is deploying a multi-tier web application across multiple Availability Zones. The application includes a web tier, application tier, and database tier. The security team requires that the web tier can communicate with the application tier only on port 8080, and the application tier can communicate with the database tier only on port 3306. Which security group configuration should be used?

A.In the application tier security group, allow inbound from the web tier security group on port 8080. In the database tier security group, allow inbound from the application tier security group on port 3306.
B.In the database tier security group, allow inbound from the application tier's CIDR block on port 3306.
C.In the application tier security group, allow inbound from the web tier's CIDR block on port 8080.
D.In the web tier security group, allow outbound to 0.0.0.0/0 on port 8080.
AnswerA

Using security group IDs as sources ensures only those groups can communicate.

Why this answer

Using security group IDs as sources in rules allows traffic only from specific resources. Option A is correct. CIDR blocks (B, C) are less specific than security group references. An outbound rule to 0.0.0.0/0 (D) does not restrict which tier may reach the application tier.

1410
MCQeasy

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that log files are not modified after they are created. Which feature should they enable?

A.Server-side encryption with AWS KMS
B.Log file integrity validation
C.S3 Object Lock
D.CloudWatch Logs integration
AnswerB

This validates that log files have not been modified.

Why this answer

CloudTrail log file integrity validation creates a hash chain that can be used to detect modifications. Option B is correct. Option A is for encryption, not integrity. Option C is for retention. Option D is for monitoring.

1411
MCQhard

An IAM policy has the following statement: {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}. A user with this policy tries to perform s3:ListBucket on 'my-bucket'. Will the request succeed?

A.No, because there is an explicit deny elsewhere.
B.Yes, because s3:* allows all actions.
C.No, because the resource ARN does not include the bucket itself.
D.Yes, because the user has permission to access objects.
AnswerC

ListBucket requires bucket-level ARN.

Why this answer

s3:ListBucket requires the bucket resource ARN 'arn:aws:s3:::my-bucket' (without /*). The policy only grants access to objects, not the bucket itself. Option B is incorrect because the action is not allowed on the bucket resource. Option D is incorrect because the resource is wrong: object permissions do not cover the bucket-level action. Option A is incorrect because no explicit deny (for example, from a service control policy) is mentioned.

1412
MCQmedium

A company wants to centrally manage and enforce encryption on all EBS volumes across multiple AWS accounts. Which AWS service can be used to define and enforce encryption policies at the organizational level?

A.AWS Config
B.AWS IAM
C.AWS Key Management Service (KMS)
D.AWS Organizations
AnswerD

Organizations allow central policy management via SCPs and can enforce encryption settings.

Why this answer

Option D is correct: AWS Organizations can use SCPs or, more specifically, the EBS encryption by default setting can be enforced via a combination of SCP and AWS Config. However, the most direct service is AWS Organizations for centralized policy management. Option B is wrong because IAM is per-account. Option C is wrong because AWS KMS manages keys, not enforcement. Option A is wrong because AWS Config evaluates but cannot enforce encryption by default across accounts without additional automation.

1413
Multi-Selecthard

Which THREE services can be used to detect and alert on suspicious API activity across an AWS organization? (Choose three.)

Select 3 answers
A.Amazon Inspector
B.Amazon GuardDuty
C.AWS Config
D.AWS Security Hub
E.AWS CloudTrail
AnswersB, D, E

GuardDuty analyzes CloudTrail events for malicious activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including suspicious API activity. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze AWS CloudTrail management events, VPC Flow Logs, and DNS logs across an AWS organization, and can trigger alerts via Amazon EventBridge or Security Hub.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance monitoring (e.g., checking if CloudTrail is enabled) with actual threat detection, but Config does not analyze API calls for suspicious patterns—it only checks configuration state against rules.

1414
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all new S3 buckets created in any account in the organization are encrypted with a specific KMS key. Which approach should be used?

A.Set up AWS Config rules to detect non-compliant buckets
B.Apply a Service Control Policy (SCP) that denies s3:CreateBucket unless encryption is configured
C.Create an IAM role that requires encryption and attach it to all users
D.Use an S3 bucket policy with a condition for encryption
AnswerB

SCPs can deny actions based on conditions, enforcing encryption at creation time.

Why this answer

Option B is correct because an SCP can deny creation of S3 buckets that do not have the required encryption. Option C is wrong because IAM roles are for individual accounts, not organization-wide enforcement. Option D is wrong because a bucket policy is per bucket and is not preventive for new buckets. Option A is wrong because AWS Config can detect non-compliance but does not prevent creation.

1415
Multi-Selectmedium

Which TWO actions should a security engineer take to ensure that an S3 bucket is not publicly accessible? (Choose two.)

Select 2 answers
A.Enable S3 Block Public Access at the account level
B.Enable AWS CloudTrail for the bucket
C.Remove all bucket ACLs
D.Set a bucket policy that denies all public access
E.Enable S3 Block Public Access at the bucket level
AnswersA, E

Provides an additional layer of protection for all buckets in the account.

Why this answer

Block Public Access settings at bucket and account level prevent all public access. The other options are not correct because: ACLs can allow public access; CloudTrail does not block; Bucket policies are overridden by Block Public Access.

1416
MCQeasy

A security team wants to detect and alert on API calls that create or modify IAM roles in their AWS account. Which AWS service can be used to create a metric filter and alarm for these specific CloudTrail events?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.AWS Config
AnswerC

CloudWatch Logs can filter CloudTrail logs and create alarms.

Why this answer

Amazon CloudWatch Logs can create metric filters on CloudTrail log data to detect specific API calls, such as CreateRole or UpdateAssumeRolePolicy. These metric filters can then trigger CloudWatch alarms for real-time notification. CloudTrail delivers logs to CloudWatch Logs, but the metric filter and alarm capabilities reside in CloudWatch Logs, not in CloudTrail itself.

Exam trap

The trap here is that candidates often confuse CloudTrail's logging capability with CloudWatch Logs' metric and alarm features, assuming CloudTrail itself can create alarms, when in reality CloudTrail only delivers logs and CloudWatch Logs provides the filtering and alerting mechanism.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail events, VPC flow logs, and DNS logs for malicious activity, but it does not allow you to create custom metric filters or alarms for specific API calls. Option B is wrong because AWS CloudTrail records API calls and delivers log files to an S3 bucket or CloudWatch Logs, but it does not have native metric filter or alarm creation capabilities. Option D is wrong because AWS Config evaluates resource configurations against rules and tracks configuration changes, but it does not create metric filters or alarms on CloudTrail event patterns.
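The two detections described in questions 1407 (console sign-ins routed through EventBridge) and 1416 (IAM role changes caught by a CloudWatch Logs metric filter), run over constructed CloudTrail records. This is an added illustration, not AWS code or code from the question bank: the filter and pattern constants use the real AWS syntax, but the matchers are simplified re-implementations written for this page.

```python
"""Detection over CloudTrail records, added as an illustration for questions 1407
(console sign-ins routed through EventBridge) and 1416 (IAM role changes caught by
a CloudWatch Logs metric filter). The two matchers are simplified re-implementations
written for this page, not AWS code; the sample records below are constructed."""
import re

# Q1416: CloudWatch Logs metric filter (real filter syntax) for IAM role changes.
ROLE_CHANGE_FILTER = "{ ($.eventName = CreateRole) || ($.eventName = UpdateAssumeRolePolicy) }"

# Q1407: EventBridge event pattern (real pattern syntax) for successful console logins.
CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"],
               "responseElements": {"ConsoleLogin": ["Success"]}},
}

_TERM = re.compile(r'\(\s*\$\.([\w.]+)\s*=\s*"?([^\s")]+)"?\s*\)')


def metric_filter_matches(pattern, record):
    """Evaluate a filter made of '||'-joined '$.path = value' terms, a subset of the
    CloudWatch Logs JSON filter syntax (no &&, comparisons or array indexing)."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")) or "&&" in body:
        raise ValueError("only brace-wrapped, ||-joined equality terms are supported")
    for path, expected in _TERM.findall(body):
        value = record
        for part in path.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        if value == expected:
            return True
    return False


def eventbridge_matches(pattern, event):
    """EventBridge semantics: every pattern key must exist in the event, a list means
    'any of these values', and a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not eventbridge_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def _record(event_source, event_name, **extra):
    rec = {"eventVersion": "1.08", "eventSource": event_source, "eventName": event_name,
           "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [  # constructed CloudTrail records, not real log data
    _record("signin.amazonaws.com", "ConsoleLogin", responseElements={"ConsoleLogin": "Success"}),
    _record("signin.amazonaws.com", "ConsoleLogin", responseElements={"ConsoleLogin": "Failure"}),
    _record("iam.amazonaws.com", "CreateRole", requestParameters={"roleName": "DeployRole"}),
    _record("iam.amazonaws.com", "UpdateAssumeRolePolicy", requestParameters={"roleName": "DeployRole"}),
    _record("s3.amazonaws.com", "GetObject"),
]


def as_eventbridge_event(record):
    """Wrap a CloudTrail record the way EventBridge delivers it on the default bus."""
    signin = record["eventSource"] == "signin.amazonaws.com"
    return {"source": "aws." + record["eventSource"].split(".")[0],
            "detail-type": "AWS Console Sign In via CloudTrail" if signin
            else "AWS API Call via CloudTrail",
            "detail": record}


def run_detections(records=SAMPLE_RECORDS):
    """Return the event names each detection flags, in record order."""
    logins = [r["eventName"] for r in records
              if eventbridge_matches(CONSOLE_LOGIN_PATTERN, as_eventbridge_event(r))]
    role_changes = [r["eventName"] for r in records
                    if metric_filter_matches(ROLE_CHANGE_FILTER, r)]
    return {"console_logins": logins, "role_changes": role_changes}
```

Note that the failed sign-in is not flagged because the pattern pins responseElements.ConsoleLogin to Success; drop that key if failed attempts should alert too.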

1417
MCQmedium

A security engineer is troubleshooting an issue where an IAM user is unable to list objects in an S3 bucket even though the user has an IAM policy that allows s3:ListBucket. What is the MOST likely cause?

A.The user's IAM policy is not attached to the user.
B.The bucket is in a different AWS region.
C.The user needs to use MFA.
D.The bucket policy explicitly denies the action for that user.
AnswerD

An explicit deny in a bucket policy overrides any allow.

Why this answer

S3 bucket policies and IAM user policies are evaluated together; if the bucket policy denies access, it overrides the allow.

1418
MCQmedium

A company is designing a data lake on Amazon S3. The data contains personally identifiable information (PII). The security team requires that all data be encrypted at rest and that access to the data is logged for auditing. Additionally, the team wants to ensure that if an object is accidentally deleted, it can be recovered within 30 days. Which combination of S3 features should be enabled?

A.Enable SSE-C, S3 Lifecycle policies, and CloudWatch Logs.
B.Enable SSE-KMS, S3 Versioning with MFA Delete, and S3 Inventory.
C.Enable SSE-KMS, S3 Versioning, and S3 Server Access Logs.
D.Enable default encryption (SSE-S3), S3 Versioning, and AWS CloudTrail.
AnswerC

SSE-KMS provides encryption and audit via CloudTrail; Versioning allows recovery; Access Logs record access.

Why this answer

Option C is correct because server-side encryption with KMS (SSE-KMS) provides encryption at rest with audit trails via CloudTrail, S3 Versioning allows recovery of deleted objects, and S3 Server Access Logs record access. Option D is wrong because default encryption (SSE-S3) does not provide key-specific audit. Option B is wrong because MFA Delete is not required for recovery. Option A is wrong because lifecycle policies do not help with recovery.

1419
MCQhard

A company is migrating on-premises data to AWS using AWS Snowball Edge. The data must be encrypted in transit and at rest. Which combination of steps should be taken?

A.Encrypt the data with a client-side tool before copying to Snowball Edge.
B.Set up a VPN connection to AWS and transfer data over the VPN.
C.Use AWS KMS to generate a key and apply it to the Snowball Edge device.
D.Use Snowball Edge with default encryption settings; data is encrypted at rest and in transit.
AnswerD

Snowball Edge uses AES-256 for at-rest encryption and TLS for in-transit encryption by default.

Why this answer

Option D is correct because Snowball Edge automatically encrypts data at rest using AES-256 and uses TLS for transfer. Option B is incorrect because a VPN is not used with Snowball. Option C is incorrect because KMS is not directly used for Snowball encryption. Option A is incorrect because client-side encryption is not required by default.

1420
MCQmedium

A security engineer is setting up a new VPC with public and private subnets. The VPC has an Internet Gateway attached. The public subnet's route table has a default route (0.0.0.0/0) pointing to the Internet Gateway. The private subnet's route table has a default route pointing to a NAT gateway. The engineer launches an EC2 instance in the private subnet and assigns it a public IP address. However, the instance cannot access the internet. What should the engineer do to resolve this issue?

A.Attach an Elastic IP to the instance.
B.Update the private subnet's route table to point 0.0.0.0/0 to the Internet Gateway.
C.Remove the public IP address from the instance and ensure the private subnet has a route to the NAT gateway.
D.Allow outbound traffic in the instance's security group.
AnswerC

Private subnet instances should not have public IPs; they use NAT gateway for internet access.

Why this answer

Option C is correct. If an instance in a private subnet is assigned a public IP, it still cannot access the internet directly because the route table does not have a route to the Internet Gateway. The correct approach is to not assign a public IP and use a NAT gateway.

Option B is wrong because the route table is correct for a private subnet. Option D is wrong because the security group is not the issue. Option A is wrong because an Elastic IP does not help while the subnet has no route to the Internet Gateway.

1421
MCQmedium

A company uses Amazon RDS for MySQL with encryption at rest enabled. The security team needs to ensure that automated backups are also encrypted. How can this be achieved?

A.Manually encrypt each backup using AWS KMS before storing in S3
B.Enable encryption at rest on the RDS instance; backups are automatically encrypted
C.Use RDS Copy-on-Write to encrypt backups
D.Create an encrypted S3 bucket and store backups there
AnswerB

Encrypted RDS instances have encrypted backups.

Why this answer

Option B is correct because enabling encryption at rest on the RDS instance automatically encrypts backups. Option A is wrong because manual encryption of backups is not required. Option D is wrong because you cannot encrypt backups separately from the instance. Option C is wrong because RDS does not support that feature.

1422
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to detect suspicious API activity across all accounts in real time. They have enabled AWS CloudTrail in all accounts and are sending logs to a centralized S3 bucket. However, they are receiving alerts only after a significant delay. What should the security team do to reduce the latency of threat detection?

A.Set up Amazon EventBridge rules in each account to send specific CloudTrail events to a centralized event bus for immediate processing.
B.Enable Amazon GuardDuty in each account and configure it to send findings to a centralized S3 bucket.
C.Configure CloudTrail to deliver logs to a single S3 bucket and use S3 Event Notifications to trigger a Lambda function.
D.Use Amazon CloudWatch Logs Insights to query CloudTrail logs across accounts in real time.
AnswerA

EventBridge can capture CloudTrail events in near real time and send them to a central bus for immediate analysis and alerting.

Why this answer

Option A is correct because Amazon EventBridge can consume CloudTrail events in near real time across accounts by using cross-account event buses, allowing immediate action. Option C is wrong because consolidating logs is already done; the issue is latency in analysis, not aggregation. Option B is wrong because GuardDuty can analyze CloudTrail logs but may still introduce delay; EventBridge is faster for real-time detection. Option D is wrong because CloudWatch Logs Insights is for querying, not real-time alerting.

1423
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to analyze web request logs to identify potential SQL injection attacks. Which AWS service should be used to collect and analyze the ALB access logs?

A.VPC Flow Logs
B.AWS WAF
C.Amazon CloudWatch Logs Insights
D.Amazon Athena
AnswerD

Athena can query ALB access logs in S3 with SQL to detect SQL injection patterns.

Why this answer

Option D is correct because Amazon Athena can query ALB access logs stored in S3 using standard SQL, allowing analysis for SQL injection patterns. Option C is wrong because Amazon CloudWatch Logs Insights can query CloudWatch Logs, but ALB access logs are typically stored in S3, not CloudWatch Logs. Option A is wrong because VPC Flow Logs capture network traffic metadata, not HTTP request details. Option B is wrong because AWS WAF provides web application firewall capabilities but does not analyze stored logs; it can generate logs, but analysis would require another service such as Athena.

1424
MCQeasy

A company needs to encrypt data in transit between an on-premises data center and Amazon S3. Which solution should they use?

A.Use AWS KMS to encrypt the data before transmission.
B.Use an S3 VPC endpoint.
C.Use HTTPS endpoints for S3 API calls.
D.Use S3 Transfer Acceleration.
AnswerC

HTTPS provides encryption in transit.

Why this answer

Option C is correct because HTTPS (HTTP over TLS) encrypts data in transit between the on-premises data center and Amazon S3 by using TLS 1.2/1.3 to secure the API calls. This ensures that all data transmitted over the network is encrypted end-to-end, protecting it from eavesdropping and man-in-the-middle attacks. AWS S3 enforces HTTPS for all API requests when using the default endpoint, and customers can also configure bucket policies to deny HTTP requests.

Exam trap

The trap here is that candidates often confuse encryption at rest (KMS) with encryption in transit, or assume that network-level features like VPC endpoints or Transfer Acceleration inherently provide encryption, when in fact they do not add transport-layer security beyond what HTTPS already provides.

How to eliminate wrong answers

Option A is wrong because AWS KMS is a key management service for encrypting data at rest, not for encrypting data in transit; it does not provide transport-layer encryption during transmission. Option B is wrong because an S3 VPC endpoint (Gateway or Interface type) provides private connectivity to S3 over the AWS network but does not inherently encrypt data in transit; encryption must still be applied at the application layer (e.g., HTTPS). Option D is wrong because S3 Transfer Acceleration optimizes transfer speed by using AWS edge locations and the AWS global network, but it does not add encryption; it relies on the same HTTPS/TLS encryption used by standard S3 endpoints.

1425
MCQhard

Refer to the exhibit. This IAM policy is attached to a user. The user attempts to assume the AdminRole without using MFA. What is the result?

A.The user can assume the role because the Allow statement grants it
B.The user cannot assume the role because the Deny statement blocks all actions when MFA is not present
C.The user can assume the role because the Deny statement does not apply to sts:AssumeRole
D.The user cannot assume the role because the Allow statement requires MFA
AnswerB

The Deny condition blocks all actions if MFA is false.

Why this answer

Option B is correct because the Deny statement applies to all actions if MFA is not present, so the AssumeRole action is denied. Option A is incorrect because the Allow statement is overridden by the Deny. Option D is incorrect because it is the explicit Deny, not the Allow statement, that blocks the request. Option C is incorrect because the Deny applies to all actions, including AssumeRole.
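The evaluation rules behind questions 1399, 1411 and 1425 (an explicit Deny wins, the bucket ARN versus the object ARN, the MFA Deny condition, and an SCP AMI allowlist) as a small simulator. This is an added illustration and not AWS's evaluation engine or the exhibit's policy: the account ID and AMI IDs are constructed placeholders, and the MFA statement uses BoolIfExists, which is an assumption since the exhibit is not on the page.

```python
"""IAM-style policy evaluator, added as an illustration for questions 1399, 1411
and 1425. Not AWS's engine: it models only explicit-Deny-wins, '*' wildcards on
actions and resource ARNs, and the StringNotEquals / Bool / BoolIfExists
operators. All account IDs, AMI IDs and ARNs are constructed placeholders."""
import fnmatch


def _matches(patterns, value):
    """IAM '*' and '?' wildcards map directly onto fnmatch."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold (AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual in expected:
                    return False
            elif operator == "Bool":
                # Plain Bool never matches when the key is absent from the request.
                if actual is None or str(actual).lower() != expected[0].lower():
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists treats an absent key as a match, which closes that gap.
                if actual is not None and str(actual).lower() != expected[0].lower():
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' across all supplied policies."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


# Q1411: the Allow covers object ARNs only; ListBucket targets the bucket ARN.
OBJECT_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"}]}

# Q1425: Allow AssumeRole, but Deny everything when MFA is not present
# (BoolIfExists is assumed here; the exhibit itself is not on the page).
ADMIN_ROLE = "arn:aws:iam::111122223333:role/AdminRole"  # placeholder account ID
MFA_DENY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ADMIN_ROLE},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

# Q1399: SCP denying RunInstances unless the AMI is on the approved list. The
# account's own IAM policy grants ec2:*; the SCP only removes what it denies.
APPROVED_AMI = "ami-0123456789EXAMPLE"  # placeholder AMI ID
EC2_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
AMI_SCP = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*::image/ami-*",
     "Condition": {"StringNotEquals": {"ec2:ImageId": [APPROVED_AMI]}}}]}


def scenarios():
    """Run the page's scenarios and return each decision by name."""
    bucket, img = "arn:aws:s3:::my-bucket", "arn:aws:ec2:us-east-1::image/"
    other_ami = "ami-0fedcba9876EXAMPLE"  # placeholder, not on the approved list
    return {
        "1411_list_bucket": evaluate([OBJECT_ONLY], "s3:ListBucket", bucket),
        "1411_get_object": evaluate([OBJECT_ONLY], "s3:GetObject", bucket + "/x.csv"),
        "1425_no_mfa": evaluate([MFA_DENY], "sts:AssumeRole", ADMIN_ROLE,
                                {"aws:MultiFactorAuthPresent": "false"}),
        "1425_key_absent": evaluate([MFA_DENY], "sts:AssumeRole", ADMIN_ROLE, {}),
        "1425_with_mfa": evaluate([MFA_DENY], "sts:AssumeRole", ADMIN_ROLE,
                                  {"aws:MultiFactorAuthPresent": "true"}),
        "1399_unapproved_ami": evaluate([EC2_ADMIN, AMI_SCP], "ec2:RunInstances",
                                        img + other_ami, {"ec2:ImageId": other_ami}),
        "1399_approved_ami": evaluate([EC2_ADMIN, AMI_SCP], "ec2:RunInstances",
                                      img + APPROVED_AMI, {"ec2:ImageId": APPROVED_AMI}),
    }
```

The 1425_key_absent case is why the MFA Deny uses BoolIfExists: with plain Bool the statement would not match a request that carries no aws:MultiFactorAuthPresent key at all.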
