AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 76-150

1738 questions total · 24 pages · All types, answers revealed

Page 2 of 24
76
Multi-Select (easy)

Which TWO methods can be used to encrypt data at rest in Amazon S3? (Choose 2.)

Select 2 answers
A.Set a bucket policy that denies uploads without encryption.
B.Use SSE-S3 to have Amazon S3 manage the encryption keys.
C.Enable encryption in transit using HTTPS.
D.Enable MFA Delete on the S3 bucket.
E.Encrypt the objects client-side before uploading to S3.
Answers: B, E

SSE-S3 encrypts data at rest; client-side encryption encrypts it before it ever reaches S3.

Why this answer

Options B and E are correct. B: server-side encryption with S3-managed keys (SSE-S3) encrypts each object at rest with AES-256, and S3 generates and manages the keys. E: client-side encryption (for example with the AWS Encryption SDK or the S3 Encryption Client) encrypts the object before upload, so S3 only ever stores ciphertext.

Option A is wrong because a bucket policy that denies unencrypted uploads enforces that some encryption method is used; it does not itself encrypt anything. Option C is wrong because HTTPS protects data in transit, not at rest. Option D is wrong because MFA Delete protects versioned objects against deletion; it has nothing to do with encryption.

77
Multi-Select (medium)

A company is using AWS KMS to encrypt data in Amazon S3. They need to ensure that the KMS key can only be used from within a specific VPC. Which TWO actions should be taken?

Select 2 answers
A.Create a VPC endpoint for AWS KMS.
B.Attach an IAM policy to the role that denies kms:Decrypt unless the request comes from the VPC.
C.Create a VPC endpoint for Amazon S3.
D.Add a bucket policy condition to restrict access to the VPC.
E.Modify the KMS key policy to include a condition on kms:SourceVpc.
Answers: A, E

A KMS VPC endpoint provides private connectivity, and a key policy condition on the source VPC restricts where the key may be used from.

Why this answer

Option A is correct because a VPC interface endpoint for KMS lets the VPC reach KMS privately and, just as importantly, is what stamps the request with the source VPC information that the condition in option E relies on. Option E is correct because a condition in the key policy on the source VPC (the global condition keys are aws:SourceVpc and aws:SourceVpce, which are present only on requests that arrive through a VPC endpoint) denies use of the key from anywhere else; the check belongs in the key policy because that is where KMS authorization is ultimately decided. Before enforcing such a Deny, test it against the real data path: a call that an AWS service such as S3 makes to KMS on the caller's behalf for SSE-KMS does not necessarily carry the caller's VPC endpoint context and may need an exemption.

Option B is wrong because an IAM policy on a single role only constrains that role; any other principal the key policy allows is unaffected, so the restriction must live in the key policy. Option C is wrong because an S3 VPC endpoint governs the path to S3, not KMS calls. Option D is wrong because a bucket policy controls access to the bucket; it cannot restrict use of the KMS key.

78
MCQ (easy)

A company wants to use AWS WAF to protect its web application from common web exploits. Which AWS service must be integrated with AWS WAF to provide this protection?

A.Security Groups
B.Application Load Balancer or Amazon CloudFront
C.Amazon Route 53
D.Network ACLs
Answer: B

An AWS WAF web ACL is associated with a resource that terminates HTTP(S), such as an Application Load Balancer or a CloudFront distribution.

Why this answer

Option B is correct because AWS WAF inspects HTTP(S) requests only when its web ACL is associated with a resource that receives those requests, such as a CloudFront distribution or an Application Load Balancer (API Gateway REST APIs and AWS AppSync are also supported). Option A is wrong because security groups are stateful, instance-level packet filters with no application-layer visibility. Option D is wrong because network ACLs are stateless subnet-level filters and likewise cannot inspect HTTP.

Option C is wrong because Route 53 is DNS; it does not terminate web traffic.

79
Multi-Select (easy)

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a security incident, the security team needs to quickly patch a critical vulnerability across all Windows instances in a specific AWS region. Which steps should the team take? (Choose TWO.)

Select 2 answers
A.Assign the patch baseline to the instances by specifying a patch group.
B.Tag all instances with 'PatchGroup=Critical' to include them in the patching.
C.Create a custom patch baseline that includes the required patch.
D.Use the AWS-provided default patch baseline for Windows.
E.Use SSM Run Command to execute a script that downloads and installs the patch.
Answers: A, C

A custom baseline guarantees the specific patch is approved, and a patch group ties that baseline to the target instances.

Why this answer

Option C is correct because the predefined default baselines approve patches by classification and severity with an auto-approval delay, so the one patch the team needs may not yet be approved; a custom baseline that explicitly approves it (for example through its approved-patches list) removes that uncertainty. Option A is correct because Patch Manager selects a baseline per instance through its patch group: registering the custom baseline with a patch group and making sure the Windows instances carry that group means only those instances receive it when AWS-RunPatchBaseline is run. Together the two give the team precise control over which patch reaches which instances during the incident. Option E would install the patch, but an ad hoc script bypasses the baseline and the patch compliance reporting the question is built around.

Exam trap

The trap here is that candidates often confuse tagging instances with a patch group (which is necessary for association) with the actual patching action, or they assume the default patch baseline will automatically include all critical patches, when in fact custom baselines are required for targeted incident response.

80
Multi-Select (easy)

A company wants to monitor AWS account activity and receive real-time notifications for specific API calls. Which TWO services should the company use together? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Logs
B.Amazon CloudWatch Events (Amazon EventBridge)
C.AWS Config
D.Amazon Simple Notification Service (SNS)
E.AWS CloudTrail
Answers: B, E

EventBridge (the successor to CloudWatch Events) matches CloudTrail API events as they occur and can target SNS.

Why this answer

Options B and E are correct. CloudTrail records the API calls, and EventBridge receives them as "AWS API Call via CloudTrail" events that a rule can match on eventName or eventSource and forward to a target such as an SNS topic, giving near real-time notification. Option A is wrong because CloudWatch Logs alone only stores the logs; it needs a metric filter and an alarm on top before anything is notified, which is the longer route.

Option C is wrong because AWS Config tracks resource configuration, not API calls. Option D is wrong because SNS only delivers a notification; something else has to detect the call and produce the event.

81
MCQ (easy)

A security engineer receives an alert that an EC2 instance is generating outbound traffic to a known malicious IP address. What is the FIRST step the engineer should take as part of the incident response process?

A.Analyze the network traffic logs to understand the scope.
B.Apply the latest security patches to the EC2 instance.
C.Isolate the EC2 instance by modifying the security group to deny all traffic.
D.Terminate the EC2 instance immediately.
Answer: C

Isolation contains the threat while preserving evidence.

Why this answer

Option C is correct because the first step in incident response for a compromised EC2 instance is containment. Replacing the instance's security groups with a dedicated isolation group that has no inbound or outbound rules immediately stops communication with the malicious IP and prevents further data exfiltration or lateral movement, while preserving the instance, its volumes and its memory for forensic analysis; in practice the engineer would also snapshot the EBS volumes and, if the instance sits behind an Auto Scaling group or load balancer, detach it so it is neither replaced nor kept in service. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often confuse the urgency of containment with the desire to gather evidence first, leading them to choose log analysis (Option A) instead of immediate isolation, but the exam emphasizes that containment is the priority to limit damage.

How to eliminate wrong answers

Option A is wrong because analyzing network traffic logs is a step in the identification and scoping phase, but it should not delay immediate containment; the engineer must first isolate the instance to stop active malicious traffic. Option B is wrong because applying security patches is part of the eradication and recovery phase, which occurs after containment; patching a currently compromised instance does not stop ongoing outbound traffic and may alert the attacker. Option D is wrong because terminating the EC2 instance destroys volatile data (e.g., memory, running processes, temporary files) that is critical for forensic investigation and root cause analysis; isolation preserves evidence.

82
MCQ (medium)

A company uses AWS Organizations with multiple accounts. The security team needs to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which configuration ensures that only the management account can delete the log files?

A.Enable S3 Object Lock on the bucket with governance mode.
B.Use an S3 bucket policy that denies s3:DeleteObject for all principals.
C.Enable MFA Delete on the S3 bucket.
D.Configure CloudTrail to automatically delete logs older than 90 days.
E.Use an S3 bucket policy that denies s3:DeleteObject unless the principal is the management account.
Answer: E

A Deny on s3:DeleteObject with an exception for the management account's principals leaves only that account able to delete log files.

Why this answer

Option E is correct because a bucket policy statement that denies s3:DeleteObject (and, for a versioned bucket, s3:DeleteObjectVersion) unless the calling principal belongs to the management account enforces the rule at the bucket itself, whatever the member accounts' IAM policies allow; an explicit Deny in the bucket policy cannot be overridden by permissions granted in another account. Option A is wrong because Object Lock in governance mode protects objects from everyone except principals holding s3:BypassGovernanceRetention, which is not tied to a particular account and does not express "only the management account". Option B is wrong because denying s3:DeleteObject for all principals locks out the management account too.

Option C is wrong because MFA Delete only requires the bucket owner's root credentials plus an MFA code for permanently deleting object versions; it is not an account-level access rule. Option D is wrong because CloudTrail does not delete its own log files (expiry would be an S3 lifecycle rule), and it does nothing to restrict who can delete.

83
Multi-Select (easy)

A security engineer needs to capture network traffic between EC2 instances in a VPC for analysis. Which TWO services can provide this capability? (Choose TWO.)

Select 2 answers
A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.VPC Flow Logs
D.AWS Config
E.Amazon GuardDuty
Answers: B, C

VPC Flow Logs record per-flow metadata; CloudWatch Logs is a destination where those records (and host-level logs) are stored and queried.

Why this answer

VPC Flow Logs capture metadata about IP traffic to and from elastic network interfaces in the VPC: source and destination addresses and ports, protocol, packet and byte counts, timestamps and the ACCEPT/REJECT action. They do not include packet payloads. Amazon CloudWatch Logs is one of the delivery destinations for flow logs (S3 is the other) and is where the records can be searched with Logs Insights and turned into metric filters and alarms; the unified CloudWatch agent can also ship host-level logs from the instances themselves (firewall or proxy logs, for example) to the same place. Between them, the two options cover collecting the network-level flow records and storing and analyzing them.

Exam trap

The trap here is assuming VPC Flow Logs capture full packet contents. They record only Layer 3/4 header-level metadata. Full packet capture of inter-instance traffic is a separate capability, VPC Traffic Mirroring, which is not among the options; CloudWatch Logs likewise does not capture packets, it stores and analyzes whatever log records are delivered to it.
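The flow-log fields just described are easiest to understand with a record in hand. The following is an added example, not code from the question bank: it parses default-format VPC Flow Log records and pulls out the outbound flows to a watch-listed address, which is the triage step behind question 81's alert. The log lines, the account ID, the ENI ID and the addresses are all constructed for illustration.

```python
"""Parse default-format VPC Flow Log records and find egress to a watch-listed IP.

Added example; not part of the question bank. Sample records are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Field order of the default (version 2) VPC Flow Log format.
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA lines (their fields are '-')."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS) or parts[0] != "2":
        raise ValueError(f"not a default-format v2 flow log record: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface-id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        packets=int(rec["packets"]), byte_count=int(rec["bytes"]),
        action=rec["action"],
    )


def egress_to_watchlist(lines: Iterable[str], watchlist: Iterable[str], vpc_cidr: str) -> List[FlowRecord]:
    """Flows whose source is inside the VPC and whose destination is watch-listed.

    Flow logs are recorded per ENI in both directions, so one connection appears
    once with the instance as srcaddr and once as dstaddr; filtering on srcaddr
    within the VPC CIDR keeps only the outbound half.
    """
    bad = {ip_address(a) for a in watchlist}
    vpc = ip_network(vpc_cidr)
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if ip_address(rec.srcaddr) in vpc and ip_address(rec.dstaddr) in bad:
            hits.append(rec)
    return hits


# Constructed sample: two outbound flows to 203.0.113.10 (one accepted, one rejected),
# the return half of the first, unrelated internal traffic, and a NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 49152 443 6 12 3488 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 443 49152 6 10 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 49153 4444 6 1 60 1700000061 1700000121 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 49154 5432 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - NODATA
"""


def find_hits() -> List[FlowRecord]:
    return egress_to_watchlist(SAMPLE_LOG.splitlines(), ["203.0.113.10"], "10.0.0.0/16")


if __name__ == "__main__":
    for h in find_hits():
        print(f"{h.srcaddr}:{h.srcport} -> {h.dstaddr}:{h.dstport} "
              f"proto={h.protocol} {h.action} bytes={h.byte_count}")
```

Note that the REJECT line is still evidence: a security group or NACL blocked the connection attempt, but the process on 10.0.1.25 that tried to reach port 4444 is what the responder needs to find. With a custom flow log format the field order differs, so the parser's field list would have to be taken from the flow log's configuration rather than from DEFAULT_FIELDS.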

84
MCQ (hard)

A security engineer must ensure that cross-account access to an S3 bucket is restricted to only accounts that are part of a specific AWS organization. Which IAM policy condition key should be used in the bucket policy?

A.aws:SourceIp
B.aws:MultiFactorAuthPresent
C.aws:PrincipalOrgID
D.aws:SourceVpce
Answer: C

aws:PrincipalOrgID matches the organization ID of the account the calling principal belongs to.

Why this answer

Option C is correct because aws:PrincipalOrgID compares the organization of the principal making the request with the organization ID named in the condition, so every account in that organization, present and future, is covered without listing account IDs; the key is typically used with StringEquals in an Allow or StringNotEquals in a Deny, and because the condition does the restricting it is safe to pair with a Principal of "*". Option A is wrong because aws:SourceIp matches the caller's IP address. Option B is wrong because aws:MultiFactorAuthPresent only tells you whether MFA was used.

Option D is wrong because aws:SourceVpce matches the VPC endpoint a request arrived through.

85
MCQ (medium)

Refer to the exhibit. A developer is trying to list objects in a Google Cloud Storage bucket from an AWS environment. What is the most likely cause of the error?

A.The bucket name is incorrect.
B.The developer is using the wrong command (gsutil instead of aws s3).
C.The IAM role does not have S3 permissions.
D.The S3 bucket policy does not allow the user.
Answer: B

gsutil is the Google Cloud Storage client; an S3 bucket is listed with 'aws s3 ls s3://bucket-name'.

Why this answer

Option B is correct because the exhibit shows the developer running gsutil, which talks to Google Cloud Storage, so the failure is a tool mismatch rather than an AWS authorization problem. Option A is wrong because the bucket name is not what is failing; the wrong service is being queried. Option C is wrong because no AWS IAM role is involved in a gsutil call, so S3 permissions never come into play.

Option D is wrong for the same reason: an S3 bucket policy is never evaluated because the request never reaches S3.

86
Multi-Select (easy)

A company wants to protect data at rest for an Amazon S3 bucket that contains sensitive data. Which combination of actions provides the MOST comprehensive protection? (Choose two.)

Select 2 answers
A.Enable versioning on the bucket
B.Enable default encryption on the bucket with SSE-S3
C.Configure a bucket policy to deny requests over HTTP
D.Enable MFA Delete on the bucket
E.Configure a lifecycle policy to transition objects to Glacier
Answers: B, C

Ensures encryption at rest.

Why this answer

Option B is correct because enabling default encryption with SSE-S3 ensures that all objects uploaded to the bucket are automatically encrypted at rest using server-side encryption with Amazon S3-managed keys (AES-256). Option C is correct because configuring a bucket policy to deny requests over HTTP enforces HTTPS for all data in transit, preventing exposure of sensitive data during transmission. Together, they protect data both at rest and in transit, providing comprehensive coverage.

Exam trap

The trap here is that candidates often confuse versioning or MFA Delete with data protection, but these features address data durability and deletion prevention, not encryption or transport security, which are required for comprehensive data protection.

87
MCQ (hard)

A company runs a multi-account AWS environment using AWS Organizations. The security team uses AWS Config to monitor compliance. Recently, they noticed that a developer in the 'development' account created an S3 bucket that is publicly accessible. The security team wants to prevent this in the future by automatically remediating any public S3 bucket. They have an SCP that denies s3:PutBucketPublicAccessBlock, but developers are still making buckets public by using bucket ACLs. The security team wants to implement a solution that automatically fixes any bucket that becomes public. Which solution should they choose?

A.Use CloudTrail to detect PutBucketAcl events and send to SNS for manual remediation
B.Use AWS Config with the s3-bucket-public-read-prohibited managed rule and an automatic remediation action using AWS Systems Manager Automation
C.Update the SCP to deny s3:PutBucketAcl with a condition for public access
D.Attach an IAM policy to all users that denies s3:PutBucketAcl
Answer: B

Detects and automatically fixes public buckets.

Why this answer

Option B is correct because the AWS Config managed rule s3-bucket-public-read-prohibited evaluates each bucket's Block Public Access settings, ACL and bucket policy for public read access. When a bucket is evaluated as NON_COMPLIANT, an automatic remediation action can run a Systems Manager Automation runbook against it: the AWS-owned runbook AWS-DisableS3BucketPublicReadWrite replaces the public ACL grants, or a custom runbook could enable Block Public Access on the bucket instead. Because the rule re-evaluates on every configuration change, this is event-driven remediation that depends neither on manual intervention nor on an SCP that developers have already worked around.

Exam trap

The trap here is that candidates often assume an SCP or IAM policy that denies the specific API call (s3:PutBucketAcl) is the best solution, but the question requires automatic remediation of already-public buckets, not prevention—and SCPs cannot remediate existing noncompliant resources, only block future actions.

How to eliminate wrong answers

Option A is wrong because using CloudTrail to detect PutBucketAcl events and sending to SNS for manual remediation does not automatically fix the bucket; it requires human action, which is slow and error-prone, and does not meet the requirement for automatic remediation. Option C is wrong because updating the SCP to deny s3:PutBucketAcl with a condition for public access would prevent developers from setting public ACLs in the first place, but the question states that developers are already bypassing the existing SCP (which denies s3:PutBucketPublicAccessBlock) by using ACLs; an SCP that denies s3:PutBucketAcl could be effective, but the question explicitly asks for a solution that automatically fixes any bucket that becomes public, not one that prevents the action—furthermore, SCPs cannot retroactively remediate already-public buckets. Option D is wrong because attaching an IAM policy to all users that denies s3:PutBucketAcl is not scalable in a multi-account environment (IAM policies are account-specific and cannot be applied across all accounts via AWS Organizations), and it also does not provide automatic remediation for buckets that are already public.

88
MCQ (easy)

A company wants to encrypt data at rest in Amazon S3 using server-side encryption with Amazon S3-managed keys (SSE-S3). What is the minimum permission required for an IAM user to upload an object that will be encrypted with SSE-S3?

A.s3:PutObjectAcl
B.kms:Decrypt
C.s3:PutObject
D.kms:GenerateDataKey
Answer: C

SSE-S3 is transparent to the caller; s3:PutObject is all that is needed.

Why this answer

Option C is correct because with SSE-S3 the service generates, uses and manages the key itself, so the uploader needs nothing beyond s3:PutObject; S3 encrypts the object automatically. Option D is wrong because kms:GenerateDataKey is needed only for SSE-KMS, where S3 asks KMS for a data key under the caller's identity. Option A is wrong because s3:PutObjectAcl governs setting object ACLs.

Option B is wrong because kms:Decrypt is likewise an SSE-KMS requirement (on read), not an SSE-S3 one.

89
Multi-Select (medium)

A security engineer is designing a data encryption strategy for an S3 bucket that contains sensitive information. Which TWO of the following are valid options for enforcing encryption at rest?

Select 2 answers
A.Use an AWS KMS key with automatic key rotation.
B.Enable S3 default encryption on the bucket.
C.Enable AWS CloudTrail to log all object uploads.
D.Attach an IAM policy to users to require encryption.
E.Use a bucket policy to deny PutObject requests without the x-amz-server-side-encryption header.
Answers: B, E

Default encryption encrypts every new object automatically; a bucket policy rejects uploads that do not request encryption.

Why this answer

Options B and E are correct. S3 default encryption applies SSE-S3 or SSE-KMS to every object written without an explicit encryption header, and a bucket policy that denies s3:PutObject when the x-amz-server-side-encryption header is absent or has the wrong value rejects uploads that try to opt out. Since S3 now encrypts all new objects with SSE-S3 by default, the bucket policy's main use is mandating a specific method, for example SSE-KMS with a particular key. Option C is wrong because CloudTrail records API calls; it does not encrypt anything.

Option D is wrong because an IAM policy attached to users only governs those users and cannot enforce a bucket-wide invariant; the bucket policy applies to every principal. Option A is wrong because a KMS key with rotation is the key material that encryption uses, not a mechanism that enforces that encryption happens.

90
MCQ (hard)

A company has a requirement to encrypt all data in an S3 bucket using keys that are stored in an on-premises HSM. Which S3 encryption option should be used?

A.SSE-S3
B.Client-side encryption
C.SSE-KMS
D.SSE-C
Answer: D

SSE-C lets the customer supply the encryption key with each request; S3 uses it and discards it.

Why this answer

Option D is correct because with SSE-C the caller sends the key in the request headers over HTTPS, S3 encrypts or decrypts the object with that key and then discards it, keeping only a randomly salted HMAC of the key to validate later requests. The key material itself can therefore live in the on-premises HSM and is never retained by AWS. The caveat is that the key does transit to S3 on every request and must be supplied again on every GET, so the application needs a way to obtain it from the HSM for each call.

Option A is incorrect because SSE-S3 uses keys that S3 manages. Option C is incorrect because SSE-KMS uses keys held in AWS KMS. Option B is incorrect because client-side encryption is performed in the application before upload rather than being an S3 server-side encryption option; it would keep the key on premises entirely, but it is not what the question asks for.

91
Multi-Select (hard)

A company is using AWS CloudTrail and wants to detect when an IAM user performs a specific action, such as stopping an EC2 instance. The security engineer needs to set up a real-time notification. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Create a metric filter in CloudWatch Logs to match the StopInstances event
B.Create a CloudTrail trail that delivers logs to CloudWatch Logs
C.Use Amazon QuickSight to visualize CloudTrail logs
D.Create a CloudWatch alarm on the metric and configure it to send an SNS notification
E.Use Amazon Athena to query CloudTrail logs in S3
Answers: A, B, D

A CloudTrail trail feeds CloudWatch Logs, a metric filter turns the event into a metric, and an alarm on that metric notifies through SNS.

Why this answer

Options A, B and D are correct. Create a trail that delivers to a CloudWatch Logs log group (B), add a metric filter that matches the StopInstances event, for example { $.eventName = "StopInstances" } (A), and create a CloudWatch alarm on the resulting metric with an SNS topic as its action (D). Option E is wrong because Amazon Athena queries the trail's S3 logs after the fact; it is not a real-time alerting path.

Option C is wrong because Amazon QuickSight is for visualization, not alerting.

92
Multi-Select (hard)

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer needs to ensure that all findings from member accounts are visible in the administrator account. Additionally, the engineer wants to receive real-time notifications for high-severity findings. Which TWO actions should the engineer take? (Choose TWO.)

Select 2 answers
A.Enable Amazon Detective to analyze GuardDuty findings.
B.Designate an administrator account in GuardDuty to manage the multi-account environment.
C.Create an Amazon EventBridge rule that triggers an SNS notification for high-severity GuardDuty findings.
D.Enable AWS CloudTrail in all member accounts to log GuardDuty API calls.
E.Use AWS Config to monitor GuardDuty configuration.
Answers: B, C

The GuardDuty administrator account sees findings from every member account.

Why this answer

Option B is correct because designating a GuardDuty administrator account for the organization (done from the management account through the delegated administrator feature) lets it enable GuardDuty in member accounts, including new accounts automatically, and view all their findings in one place. Option C is correct because GuardDuty publishes findings to EventBridge, so a rule matching the GuardDuty Finding detail type with a severity filter (7.0 or higher for high severity) can target an SNS topic for real-time notification; in a multi-account setup the rule belongs in the administrator account, which receives the members' findings. Option D is wrong because CloudTrail records GuardDuty API calls; it does not aggregate findings.

Option A is wrong because Amazon Detective is for investigating findings in depth, not for notifications. Option E is wrong because AWS Config evaluates configuration; it does not deliver findings.

93
Multi-Select (medium)

A company is using AWS CloudTrail to monitor API activity in its AWS account. The security team needs to be alerted when unauthorized API calls are made to delete Amazon S3 buckets. Which TWO steps should the security team take to meet this requirement? (Choose TWO.)

Select 2 answers
A.Enable Amazon VPC Flow Logs to capture API calls and use Amazon Athena to query for DeleteBucket events.
B.Create an AWS CloudTrail trail that monitors Amazon CloudWatch Logs for DeleteBucket API calls.
C.Create an AWS Config rule to detect DeleteBucket API calls and send an SNS notification.
D.Configure CloudTrail to deliver logs to Amazon CloudWatch Logs and create a metric filter for the DeleteBucket API call.
E.Create an Amazon CloudWatch Events rule that matches the DeleteBucket API call and triggers an Amazon SNS notification.
Answers: D, E

CloudTrail can deliver to CloudWatch Logs, and a metric filter can trigger an alarm.

Why this answer

Option D is correct because CloudTrail can be configured to deliver logs to Amazon CloudWatch Logs, and a metric filter can be created to match the `DeleteBucket` API call. This metric can then trigger an alarm that sends an SNS notification, alerting the security team to unauthorized API calls. Option E is correct because Amazon CloudWatch Events (now Amazon EventBridge) can directly match the `DeleteBucket` API call from CloudTrail and trigger an SNS notification without needing a metric filter or alarm.

Exam trap

The trap here is that candidates may confuse AWS Config (which evaluates resource configurations) with CloudTrail (which records API activity), or think VPC Flow Logs can capture API-level events instead of network flows.
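Questions 80, 91 and 93 all come down to matching a CloudTrail event against a rule. The following added example (not code from the question bank) shows what an EventBridge rule pattern for those questions looks like and implements the subset of EventBridge matching semantics it relies on: a pattern is a nested object whose leaves are lists of acceptable values, and an event matches when every leaf matches. The CloudTrail events, user names and account ID are constructed samples.

```python
"""Match constructed CloudTrail events against an EventBridge-style event pattern.

Added example; not the question bank's own code. Implements exact-value list
matching with nested keys, which is the part of EventBridge patterns these
questions use.
"""
import json
from typing import Any, Dict, List

# EventBridge wraps the CloudTrail record in "detail", which is why rules match on
# detail.eventName rather than the top level. This pattern matches the two calls
# from questions 91 and 93.
RULE_PATTERN: Dict[str, Any] = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com", "s3.amazonaws.com"],
        "eventName": ["StopInstances", "DeleteBucket"],
    },
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when every key in `pattern` exists in `event` and matches.

    Leaves are lists of allowed values (exact match, as in EventBridge); nested
    dicts recurse. Keys absent from the pattern are unconstrained.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list")
    return True


def cloudtrail_envelope(event_source: str, event_name: str, user: str,
                        params: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed EventBridge envelope around a minimal CloudTrail record."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws." + event_source.split(".")[0],
        "account": "123456789012",  # made-up account ID
        "region": "us-east-1",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params,
        },
    }


SAMPLE_EVENTS: List[Dict[str, Any]] = [
    cloudtrail_envelope("ec2.amazonaws.com", "StopInstances", "alice",
                        {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}),
    cloudtrail_envelope("s3.amazonaws.com", "DeleteBucket", "bob", {"bucketName": "example-logs"}),
    cloudtrail_envelope("s3.amazonaws.com", "PutObject", "bob", {"bucketName": "example-logs"}),
    cloudtrail_envelope("ec2.amazonaws.com", "DescribeInstances", "alice", {}),
]


def alert_messages(events: List[Dict[str, Any]]) -> List[str]:
    """What the SNS notification would carry: one line per matching event."""
    out = []
    for ev in events:
        if matches(RULE_PATTERN, ev):
            d = ev["detail"]
            out.append(f"{d['userIdentity']['userName']} called {d['eventName']} "
                       f"({d['eventSource']}) with {json.dumps(d['requestParameters'])}")
    return out


if __name__ == "__main__":
    print("\n".join(alert_messages(SAMPLE_EVENTS)))
```

Two things worth knowing when turning this into a real rule: EventBridge does not deliver read-only API calls (Describe*, List*, Get*) as "AWS API Call via CloudTrail" events, so the DescribeInstances sample would never reach the rule in practice, and a CloudTrail trail must be logging management events in the region for any of these events to be delivered at all.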

94
MCQ (medium)

During an incident response, a security engineer needs to collect memory forensics from a running EC2 instance without shutting it down. The instance is running Amazon Linux 2. Which tool is MOST appropriate?

A.tcpdump
B.Volatility
C.LiME (Linux Memory Extractor)
D.dd command to capture /dev/mem
Answer: C

LiME captures memory.

Why this answer

LiME (Linux Memory Extractor) is the most appropriate tool for capturing volatile memory from a running Amazon Linux 2 EC2 instance without shutting it down. It is a loadable kernel module that dumps physical RAM to a file or over a TCP socket with a small footprint on the target. Two practical points follow from that: the module must be built against the exact running kernel version (ideally on a separate build host rather than on the compromised instance), and the dump should go to a freshly attached volume or over the network rather than onto the instance's own root volume, so that evidence on disk is not overwritten.

Exam trap

The trap here is that candidates confuse memory acquisition tools (LiME) with memory analysis frameworks (Volatility), or mistakenly believe that dd /dev/mem still works on modern Linux kernels for full memory capture.

How to eliminate wrong answers

Option A is wrong because tcpdump is a network packet capture tool, not a memory forensics tool; it captures network traffic, not RAM contents. Option B is wrong because Volatility is a memory analysis framework used to examine memory dumps, not a tool to acquire memory from a live system. Option D is wrong because the dd command to capture /dev/mem is deprecated and restricted in modern Linux kernels (including Amazon Linux 2) due to security hardening; /dev/mem provides access to physical memory but is typically limited to the first 1 MB, making it unsuitable for full RAM acquisition.

95
MCQ (medium)

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance encrypted at rest with AWS KMS is failing to launch. The error message indicates a KMS access issue. Which IAM role or policy is most likely missing?

A.The RDS subnet group is in a private subnet without a NAT gateway
B.The DB instance's security group does not allow outbound traffic to KMS
C.The KMS key policy does not grant access to the root account
D.The AWSServiceRoleForRDS service-linked role is missing
Answer: D

Required for RDS to access KMS keys.

Why this answer

The AWSServiceRoleForRDS service-linked role is required for RDS to call AWS KMS on your behalf to manage encryption keys for encrypted DB instances. If this role is missing, RDS cannot obtain the necessary permissions to decrypt the KMS key during instance launch, resulting in a KMS access error. This role is automatically created the first time you create an RDS resource, but if it was deleted or not present, you must recreate it to resolve the issue.

Exam trap

The trap here is that candidates often focus on KMS key policies or network configurations, but the real issue is the missing service-linked role that grants RDS the service-level permissions to interact with KMS, which is a common oversight in encrypted RDS troubleshooting scenarios.

How to eliminate wrong answers

Option A is wrong because the subnet group configuration (private subnet without NAT gateway) affects network connectivity, not KMS permissions; RDS can launch in a private subnet without a NAT gateway as long as it has a VPC endpoint or proper routing to KMS. Option B is wrong because security groups control network traffic at the instance level, but KMS access is managed via IAM policies and key policies, not outbound traffic rules; RDS uses AWS KMS over HTTPS, which does not require a specific security group rule for outbound traffic to KMS. Option C is wrong because the KMS key policy granting access to the root account is a default best practice, but the missing element is the service-linked role that allows RDS to assume the necessary permissions; the root account already has full access by default.

96
MCQ (hard)

A company has a security rule that all S3 buckets must have server access logging enabled. A security engineer uses AWS Config to evaluate compliance. The engineer configures a managed rule but notices that the rule does not evaluate all buckets. What is the most likely reason?

A.The rule only evaluates buckets in the us-east-1 region.
B.The rule only evaluates buckets that have a specific tag.
C.The rule excludes buckets that have a bucket policy denying access to AWS Config.
D.The rule requires the logging target bucket to be in the same account.
Answer: B

The managed rule evaluates only the buckets within the rule's scope, and that scope can be narrowed to resources carrying a specific tag.

Why this answer

Option B is correct because the AWS Config managed rule s3-bucket-logging-enabled (whose optional parameters, targetBucket and targetPrefix, constrain where the logs must go) evaluates every S3 bucket in the region by default, but a rule's scope can be restricted to resources with a given tag key and value. If the rule was created with such a scope, buckets that do not carry the tag are never evaluated and simply do not appear in the results, which is exactly the symptom described.

Exam trap

The trap here is that candidates often assume AWS Config managed rules evaluate all resources of a given type by default, overlooking the fact that many rules support optional tag-based filtering that can silently limit the scope of evaluation.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are regional: s3-bucket-logging-enabled evaluates every bucket in the region it is deployed in and has to be deployed in each region (for example through a conformance pack) to cover all of them; it is not tied to us-east-1. Option C is wrong because a bucket policy that blocks access would produce an evaluation error or a NON_COMPLIANT result rather than silently dropping the bucket from the evaluation. Option D is wrong because the rule checks the bucket's own logging configuration; the target bucket can be in another account as long as the delivery permissions are in place, and the rule does not require it to be in the same account.

97
MCQ (easy)

A company wants to ensure that data stored in Amazon EBS volumes is encrypted at rest. What is the easiest way to achieve this?

A.Use AWS KMS to rotate the EBS encryption key
B.Use a script to encrypt each volume after creation
C.Enable EBS encryption by default in the AWS Region
D.Use application-level encryption
Answer: C

EBS encryption by default makes every new volume and snapshot copy in the Region encrypted without per-volume action.

Why this answer

Option C is correct because enabling encryption by default is a one-time, per-Region account setting after which every newly created EBS volume and every snapshot copy is encrypted with the default KMS key (the AWS managed aws/ebs key unless a customer managed key is chosen); existing unencrypted volumes are not retroactively encrypted and must be migrated through an encrypted snapshot copy. Option B is wrong because scripting per-volume encryption is more work and easy to miss, and an existing unencrypted volume cannot be encrypted in place anyway. Option D is wrong because application-level encryption is not needed to meet an encryption-at-rest requirement for the volumes themselves.

Option A is wrong because KMS key rotation rotates the key material of a key; it does not turn on encryption for volumes.

98
MCQ (easy)

A security engineer needs to detect unauthorized API calls in an AWS account. Which AWS service should be used to record and monitor API activity for auditing?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.Amazon GuardDuty
Answer: A

CloudTrail records API activity for auditing.

Why this answer

AWS CloudTrail is the correct service because it is specifically designed to record API activity across AWS services, capturing details such as the identity of the caller, the time of the call, the source IP address, and the request parameters. This audit log is essential for detecting unauthorized API calls, as it provides a complete history of all management and data plane operations for security analysis and compliance.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs (which stores logs) with CloudTrail (which records API activity), or they assume GuardDuty's threat detection capability includes native API logging, when in fact GuardDuty consumes CloudTrail logs rather than generating them.

How to eliminate wrong answers

Option B (Amazon CloudWatch Logs) is wrong because it is a service for monitoring, storing, and accessing log files from various sources (e.g., applications, EC2 instances), but it does not natively record AWS API calls; it can only ingest CloudTrail logs if configured as a destination. Option C (AWS Config) is wrong because it evaluates and records resource configuration changes and compliance rules, not API activity; it focuses on the state of resources rather than the actions that modify them. Option D (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for malicious activity, but it does not itself record or store API call history for auditing purposes.

99
MCQ (medium)

A company is using AWS Organizations and wants to delegate administrative tasks for a specific OU to another account. Which feature should be used?

A.AWS Resource Access Manager
B.AWS CloudTrail
C.AWS SSO
D.Delegated administrator for AWS Organizations
Answer: D

A delegated administrator is a member account permitted to administer a service, or Organizations itself, on behalf of the organization.

Why this answer

Option D is correct: the management account can register a member account as a delegated administrator for a supported service (GuardDuty, Security Hub, AWS Config and IAM Identity Center among them) and, through a delegated administrator policy, for AWS Organizations itself, so that account can manage the accounts in scope without anyone working from the management account. Option A is wrong because AWS Resource Access Manager shares resources such as subnets across accounts. Option C is wrong because AWS SSO (now IAM Identity Center) provides workforce sign-in and permission sets, not delegation of Organizations administration.

Option B is wrong because CloudTrail is for logging.

100
MCQ (medium)

Refer to the exhibit. A security engineer attaches this S3 bucket policy to an S3 bucket. What is the effect of this policy?

A.Requests over HTTP are denied, but HTTPS requests are allowed.
B.The policy has no effect because there is no Allow statement.
C.All requests over HTTPS are allowed.
D.All requests to the bucket are denied.
AnswerA

The policy denies when SecureTransport is false, i.e., HTTP.

Why this answer

Option A is correct because the policy denies every S3 action whenever aws:SecureTransport is false, i.e. the request arrived over plain HTTP. Option B is wrong because a Deny-only policy still takes effect: an explicit deny is evaluated even when the policy contains no Allow. Option C is wrong because the policy does not allow anything; HTTPS requests merely escape the deny and are then permitted only if an identity policy in the same account or another bucket policy statement grants them. Option D is wrong because the deny is conditional on the transport, not unconditional.

101
MCQmedium

A company uses AWS KMS to encrypt data in S3 buckets. The security team needs to ensure that KMS keys can only be used by specific IAM roles within the same account. Which key policy should be applied?

A."Principal": {"AWS": "arn:aws:iam::123456789012:*"}
B."Principal": {"AWS": "*"}
C."Principal": {"AWS": "arn:aws:iam::123456789012:root"}
D."Principal": {"AWS": "arn:aws:iam::123456789012:role/AllowedRole"}
AnswerD

This restricts the key usage to the specified IAM role.

Why this answer

Option D is correct because naming the role's ARN as the principal limits key usage to that role. Option A is wrong because `arn:aws:iam::123456789012:*` is not a valid principal; wildcards are not supported inside a principal ARN. Option B is wrong because `"AWS": "*"` lets any principal in any AWS account use the key, subject only to conditions. Option C is wrong because the account root principal delegates key usage to every IAM principal in the account whose identity policy allows the KMS actions, which is broader than the requirement.

In practice keep a separate statement granting the root principal the administrative actions, so the key cannot become unmanageable, and put the role restriction in the statement that grants kms:Encrypt, kms:Decrypt and kms:GenerateDataKey*.

102
MCQhard

A financial services company has a production AWS account with hundreds of EC2 instances running a mix of Linux and Windows workloads. The security team is responsible for detecting and responding to security incidents. They have enabled CloudTrail, VPC Flow Logs, and GuardDuty. Recently, GuardDuty generated a finding indicating that an EC2 instance is communicating with a known malicious IP address. The security engineer needs to investigate the incident. The engineer examines the GuardDuty finding and sees the affected resource is an EC2 instance ID. The engineer wants to identify which user or role launched the instance and what security groups were associated with it at launch time. Which approach should the engineer take to gather this information?

A.Log in to the EC2 console and view the instance details under the 'Security' tab.
B.Use AWS Systems Manager Inventory to collect metadata about the instance.
C.Search CloudTrail logs for the RunInstances event that created the instance, using the instance ID to filter.
D.Use AWS Config to view the configuration history of the EC2 instance and check the security group changes.
AnswerC

CloudTrail captures the API call with user identity and parameters.

Why this answer

Option C is correct because CloudTrail records the RunInstances call, including the caller identity (userIdentity), the instance IDs in responseElements, and the security group IDs in requestParameters. Option A is wrong because the EC2 console shows the current security groups, not who launched the instance or what was attached at launch. Option B is wrong because Systems Manager Inventory collects software and OS metadata from inside the instance, not the launching identity. Option D is wrong because AWS Config records configuration history and relationships but not the identity that made the change.

In practice, query the trail's S3 logs with Athena, or for the last 90 days of management events in the region use `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<instance-id>`.

103
Multi-Selectmedium

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

Select 2 answers
A.Use the root user for everyday administrative tasks.
B.Create access keys for the root user.
C.Delete the root user to prevent unauthorized access.
D.Create an IAM user with administrative privileges and use it instead of the root user.
E.Enable MFA on the root user.
AnswersD, E

Reduces exposure of root user credentials.

Why this answer

Options D and E are correct. Enabling MFA on the root user adds a second factor to the most powerful credential in the account, and creating an IAM administrator (or, in a multi-account setup, an IAM Identity Center user) for daily work keeps root usage to the few tasks that require it.

Option A is wrong because the root user should not be used for everyday tasks. Option B is wrong because root access keys are long-term credentials with unrestricted permissions; none should exist, and any that do should be deleted. Option C is wrong because the root user cannot be deleted.

104
MCQmedium

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all Amazon S3 buckets created by CloudFormation are encrypted by default. Which approach should be taken?

A.Configure an IAM policy that requires all S3 operations to use encryption.
B.Set a bucket policy in the CloudFormation template that denies all actions unless encryption is enabled.
C.Enable AWS Config rule s3-bucket-server-side-encryption-enabled to enforce encryption.
D.Use a bucket policy with a condition that denies s3:PutObject if the x-amz-server-side-encryption header is not present.
AnswerD

This policy enforces encryption on object uploads.

Why this answer

Option D is correct because a bucket policy that denies s3:PutObject when the x-amz-server-side-encryption header is absent rejects unencrypted uploads at the object level, whichever client uploads. Option A is wrong because an IAM policy applies only to the principals it is attached to, not to every uploader. Option B is wrong because denying all actions unless encryption is enabled would also block reads, listing and bucket management. Option C is wrong because the AWS Config rule only reports non-compliant buckets; it blocks nothing unless paired with a remediation action.

Two caveats: in CloudFormation the `BucketEncryption` property of `AWS::S3::Bucket` sets default encryption directly, and since S3 began encrypting new objects with SSE-S3 by default, a header-based deny mainly matters when SSE-KMS specifically is required; it also breaks clients that omit the header and rely on the bucket default.

105
Multi-Selectmedium

A security engineer is tasked with securing an Amazon RDS for MySQL database. The database must be accessible only from a specific set of EC2 instances. Which THREE steps should the engineer take?

Select 3 answers
A.Disable encryption at rest to improve performance.
B.Enable encryption at rest for the RDS instance.
C.Launch the RDS instance in a private subnet.
D.Create a security group that allows inbound traffic on port 3306 from the EC2 instances' security group.
E.Associate the RDS instance with a public subnet for easier access.
AnswersB, C, D

Encryption at rest protects data on disk.

Why this answer

Option B is correct because encryption at rest protects the storage volume, automated backups and snapshots. Option C is correct because a private subnet keeps the DB instance off the internet. Option D is correct because referencing the EC2 instances' security group as the source restricts port 3306 to those instances only, without hard-coding IP addresses.

Option A is wrong because disabling encryption is not a security measure. Option E is wrong because a public subnet would expose the database to the internet. Also leave the instance's "publicly accessible" setting disabled so it receives no public address.

106
MCQhard

A security team has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The team has also enabled S3 server access logging for the CloudTrail bucket. The team needs to detect any unauthorized access to the CloudTrail logs. Which combination of services should the team use to achieve near-real-time detection?

A.AWS CloudTrail Insights and Amazon CloudWatch
B.Amazon GuardDuty and Amazon CloudWatch Events
C.Amazon Athena and Amazon QuickSight
D.AWS Config and Amazon SNS
AnswerB

GuardDuty S3 Protection analyzes CloudTrail S3 data events for the bucket and generates findings that an EventBridge (formerly CloudWatch Events) rule can forward to SNS or Lambda.

Why this answer

Option B is correct because Amazon GuardDuty's S3 Protection monitors S3 data events for anomalous access (for example reads from an unusual principal or location), and CloudWatch Events, now Amazon EventBridge, matches the GuardDuty finding and sends the notification. Option A is wrong because CloudTrail Insights detects unusual volumes of management API calls, not object-level access to the log bucket. Option C is wrong because Athena and QuickSight are for batch querying and dashboards, not near-real-time alerting. Option D is wrong because AWS Config evaluates configuration state, not access events.

Note that S3 server access logging is delivered on a best-effort basis with delay, so for detection of reads on the CloudTrail bucket enable S3 data events on the trail and GuardDuty S3 Protection rather than relying on server access logs.

107
MCQmedium

A company uses AWS CloudTrail and wants to ensure that logs are encrypted at rest using a customer-managed KMS key. The CloudTrail trail is configured to deliver logs to an S3 bucket. After enabling SSE-KMS on the S3 bucket, the logs are not being delivered. What is the most likely cause?

A.CloudTrail does not support SSE-KMS.
B.The KMS key is in a different AWS account.
C.The S3 bucket policy does not allow CloudTrail to write logs.
D.The KMS key policy does not grant CloudTrail permission to use the key.
AnswerD

The key policy must allow the CloudTrail service principal kms:GenerateDataKey* (and kms:DescribeKey); the principals that read the logs need kms:Decrypt.

Why this answer

Option D is correct because CloudTrail needs an explicit key-policy statement for the `cloudtrail.amazonaws.com` service principal (kms:GenerateDataKey* for encryption, ideally conditioned on the trail's `aws:SourceArn`) before it can write SSE-KMS objects; without it, delivery silently fails. Option A is wrong because CloudTrail supports SSE-KMS. Option B is wrong because CloudTrail can use a key in another account as long as that key's policy grants the permission. Option C is wrong because delivery worked until SSE-KMS was enabled, so the bucket policy's `s3:PutObject` grant to CloudTrail is already in place.

108
MCQeasy

A company has an AWS Direct Connect connection to its on-premises data center. The company wants to ensure that all traffic between the data center and AWS is encrypted. Which solution meets this requirement?

A.Use a Site-to-Site VPN connection over the internet.
B.Use a Direct Connect gateway with a public virtual interface and an IPsec VPN.
C.Use AWS PrivateLink with TLS termination.
D.Use Direct Connect as is because it is already encrypted.
AnswerB

This encrypts traffic over the Direct Connect connection.

Why this answer

Option B is correct because an IPsec VPN built over a public virtual interface encrypts the traffic while it still traverses the Direct Connect link. Option A is wrong because a Site-to-Site VPN over the internet bypasses Direct Connect. Option C is wrong because PrivateLink and TLS operate at the service and application layer, not on the network path between the data center and AWS. Option D is wrong because Direct Connect is a private circuit but carries traffic in cleartext.

Throughput caveat: each VPN tunnel is limited to about 1.25 Gbps; for higher bandwidth on dedicated connections, MACsec link-layer encryption is the alternative.

109
MCQeasy

A company wants to receive an alert when an IAM user creates a new access key. Which AWS service should be used to trigger the alert?

A.Amazon CloudWatch Logs
B.Amazon GuardDuty
C.AWS CloudTrail and Amazon CloudWatch Events
D.AWS Config
AnswerC

CloudTrail logs the event, CloudWatch Events can trigger an alert.

Why this answer

Option C is correct because CloudTrail records the IAM CreateAccessKey call and an EventBridge (formerly CloudWatch Events) rule can match that event and publish to SNS. Option A is wrong because CloudWatch Logs only holds what is sent to it; CloudTrail is the source of the event. Option B is wrong because GuardDuty detects threats from behavior, not specific API calls. Option D is wrong because AWS Config evaluates resource compliance, not API events.

Because IAM is a global service, its CloudTrail events are delivered to EventBridge in us-east-1, so the rule must be created in that region.

110
Multi-Selecthard

A company has a requirement that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should the company take to enforce this?

Select 2 answers
A.Enable MFA devices for each IAM user.
B.Use a service control policy (SCP) to require MFA for all users.
C.Attach an IAM policy that denies all actions unless the request includes MFA (condition aws:MultiFactorAuthPresent).
D.Enable MFA for the root user only.
E.Configure an IAM password policy that requires MFA.
AnswersA, C

Users must have MFA devices assigned.

Why this answer

Options A and C are correct. Option A: each user needs a registered MFA device, otherwise the condition can never be satisfied. Option C: an identity policy that denies actions unless aws:MultiFactorAuthPresent is true enforces MFA at authorization time. Option B is wrong because SCPs are account-level guardrails, not a per-user MFA mechanism (an SCP can carry the same condition, but it cannot enroll devices). Option D is wrong because MFA on the root user does nothing for IAM users. Option E is wrong because the password policy governs password complexity and rotation, not MFA.

Write the deny with `BoolIfExists` rather than `Bool`: for requests signed with long-term access keys the aws:MultiFactorAuthPresent key is absent from the request context, and a plain `Bool` condition would not match them. Use `NotAction` to exempt the actions a user needs to enroll a device and change their password.

111
MCQhard

A company uses AWS Organizations with many accounts. The security team wants to ensure that no account can disable AWS CloudTrail or stop logging. Which configuration should be used?

A.Enable CloudTrail log file validation.
B.Attach an IAM policy to the root user in each account.
C.Use AWS Config rules to detect and alert when CloudTrail is modified.
D.Apply an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
AnswerD

SCPs can deny actions across all accounts.

Why this answer

Option D is correct because an SCP attached to the root or an OU denies cloudtrail:StopLogging and cloudtrail:DeleteTrail for every principal in the member accounts, including their administrators. Option A is wrong because log file validation detects tampering with delivered files; it does not stop logging from being disabled. Option B is wrong because IAM policies in one account do not affect other accounts, and policies cannot be attached to a root user anyway. Option C is wrong because AWS Config rules detect and alert but do not prevent.

SCPs do not apply to the management account, so pair the SCP with an organization trail owned by the management account, and consider also denying cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors so that trails cannot be quietly narrowed.

112
MCQeasy

A company wants to block traffic from a specific IP address range from accessing an Application Load Balancer (ALB). Which AWS feature should be used?

A.Network ACL
B.Security Group for the ALB
C.Route53
D.AWS WAF
AnswerD

Web application firewall that can filter by IP.

Why this answer

Option D is correct because a web ACL with an IP set match rule can be associated with the ALB and block the address range. Option A is wrong for this requirement: a network ACL can deny a CIDR, but only at the subnet level, so it affects everything in the subnet, not just the ALB. Option B is wrong because security groups (which ALBs do have) contain only allow rules; they cannot deny a specific range unless every permitted source is enumerated instead. Option C is wrong because Route 53 resolves names and does not filter traffic.

113
MCQmedium

A company uses Amazon RDS for MySQL with automated backups enabled. The security team suspects that a database administrator (DBA) with full RDS access has exfiltrated data by creating a snapshot of the database and sharing it with an external AWS account. The team wants to detect such exfiltration in the future. Which step should the team take to detect and alert on snapshot sharing?

A.Use AWS Config to detect changes to RDS snapshot attributes.
B.Enable Amazon GuardDuty with RDS Protection.
C.Create an Amazon EventBridge rule that triggers on the `ModifyDBSnapshotAttribute` API call and sends an alert via Amazon SNS.
D.Enable AWS CloudTrail and review logs manually.
AnswerC

Automated detection and alerting.

Why this answer

Option C is correct because the `ModifyDBSnapshotAttribute` API call is the specific action used to share an RDS snapshot with an external AWS account. By creating an Amazon EventBridge rule that triggers on this API call, the team can immediately send an alert via Amazon SNS, enabling real-time detection and response to unauthorized snapshot sharing. This approach is automated, event-driven, and directly targets the exfiltration vector.

Exam trap

The trap here is that candidates often confuse AWS Config (which is configuration-aware but not real-time) with EventBridge (which is event-driven and real-time), or they mistakenly think GuardDuty RDS Protection covers all RDS-related threats, including data exfiltration via snapshot sharing, when it actually focuses on database-level threats like brute-force attacks or anomalous queries.

How to eliminate wrong answers

Option A is wrong because AWS Config is compliance-oriented: it records configuration changes with a delivery delay and evaluates rules either on change or on a schedule, so it is not a real-time alerting mechanism for an API call; it would also need a custom rule and lacks the immediate notification the team needs. Option B is wrong because GuardDuty RDS Protection focuses on anomalous login activity against the database engine, not on control-plane actions such as snapshot sharing. Option D is wrong because manually reviewing CloudTrail logs is reactive and provides no automated alert. In the rule, match `ModifyDBSnapshotAttribute` (and `ModifyDBClusterSnapshotAttribute` for Aurora) and inspect `requestParameters.attributeName` equal to `restore`; a value of `all` in `valuesToAdd` means the snapshot was made public.

114
MCQmedium

A company uses S3 to store sensitive customer data. The security team requires that all objects uploaded to S3 be encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). A developer reports that some objects are being stored unencrypted. What is the MOST effective way to enforce this requirement?

A.Enable default encryption on the bucket using SSE-S3
B.Use a bucket policy to deny s3:PutObject if encryption is not set to aws:kms
C.Use an SCP to deny s3:PutObject without encryption
D.Set a bucket policy to require the x-amz-server-side-encryption header
AnswerB

Policy condition can enforce SSE-KMS.

Why this answer

Option B is correct because a bucket policy that denies s3:PutObject unless the s3:x-amz-server-side-encryption condition key equals aws:kms rejects uploads that are unencrypted or use SSE-S3, whatever the client. Option A is wrong because SSE-S3 default encryption uses S3-managed keys, not KMS, and a request header can override it. Option C is wrong because an SCP is an organization-wide guardrail; a bucket policy is the direct control for one bucket. Option D is wrong because merely requiring the header to be present also accepts AES256 (SSE-S3).

The robust pattern combines two Deny statements: `StringNotEquals` on `s3:x-amz-server-side-encryption` against `aws:kms`, and a `Null` check on the same key, so that both a wrong value and a missing value are rejected. Set the bucket's default encryption to SSE-KMS as well so objects written by services that do not send the header are still encrypted with the intended key.

115
MCQhard

A developer needs to access an S3 bucket from an EC2 instance. The developer creates an IAM role with the necessary S3 permissions and attaches it to the instance profile. However, applications running on the instance can still not access the bucket. What is the most likely cause?

A.The IAM role cannot be attached after the EC2 instance is launched.
B.The IAM role is not attached to the EC2 instance's instance profile.
C.The instance metadata service is disabled on the EC2 instance.
D.The S3 bucket policy does not explicitly grant access to the IAM role.
AnswerB

The role must be associated with the instance profile to be used by the instance.

Why this answer

Option B is correct: the application can only obtain the role's credentials if the instance profile containing the role is associated with the instance, so verify the association (`aws ec2 describe-iam-instance-profile-associations`) and that the profile actually contains the role. Option A is wrong because an instance profile can be attached to a running instance. Option C is wrong for the intended answer, although a disabled IMDS would also stop the SDK from retrieving credentials; run `aws sts get-caller-identity` on the instance to see which identity, if any, the credential chain resolves to. Option D is wrong because in the same account an identity policy is sufficient; no bucket policy statement naming the role is required unless the bucket policy contains a deny.

116
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to centrally manage IAM policies across all accounts. Which AWS feature should the team use to enforce permissions across member accounts?

A.IAM roles with cross-account access
B.Service Control Policies (SCPs)
C.AWS Config rules
D.AWS CloudTrail trails
AnswerB

SCPs centrally manage permissions across accounts.

Why this answer

Option B is correct because SCPs are attached at the root, OU or account level and set the maximum permissions for every principal in the affected accounts. Option A is wrong because cross-account roles delegate access between accounts; they do not centrally restrict what each account may do. Option C is wrong because AWS Config evaluates compliance; it does not enforce. Option D is wrong because CloudTrail audits.

Remember that SCPs never grant permissions, do not affect the management account, and do not apply to service-linked roles.

117
Multi-Selectmedium

Which TWO statements are true about IAM roles? (Choose two.)

Select 2 answers
A.IAM roles can be used by federated users.
B.IAM roles are specific to an AWS region.
C.IAM roles cannot be attached to an EC2 instance.
D.IAM roles have permanent access keys.
E.IAM roles can be assumed by AWS services like EC2.
AnswersA, E

Federated users can assume roles to access AWS.

Why this answer

Options A and E are correct: federated users (SAML, OIDC or IAM Identity Center) obtain temporary credentials by assuming a role (A), and services such as EC2 assume a role on your behalf through an instance profile (E). Option B is false; IAM roles are global, not regional. Option C is false; roles are attached to EC2 instances through instance profiles. Option D is false; roles issue temporary credentials through STS and have no long-term access keys.

118
MCQhard

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be used?

A.Enable encryption on the Direct Connect virtual interface
B.Use VPC Peering with encryption
C.Set up an IPsec VPN over the Direct Connect connection
D.Configure TLS on all applications
AnswerC

IPsec VPN provides encryption over Direct Connect.

Why this answer

Option C is correct because an IPsec VPN tunnel established across the Direct Connect connection (over a public virtual interface, or as a private IP VPN through a transit gateway) encrypts the traffic. Option A is wrong because a virtual interface has no encryption setting; the only link-layer option is MACsec on dedicated connections. Option B is wrong because VPC peering connects VPCs to each other, not to on-premises. Option D is wrong because TLS protects individual application sessions, not all traffic on the connection.

119
MCQmedium

A company has multiple AWS accounts and wants to centralize VPC flow log analysis. Flow logs are enabled for all VPCs and are published to Amazon S3 buckets in each account. A security engineer needs to aggregate these logs into a single S3 bucket in the centralized logging account. What should the security engineer do?

A.Create an S3 bucket policy on the centralized bucket that allows the source accounts to write objects.
B.Set up VPC peering between each account and the centralized logging account, then configure flow logs to write directly to the centralized bucket.
C.Configure S3 Replication between each account's flow log bucket and the centralized bucket.
D.Use Amazon CloudWatch Logs to stream flow logs to the centralized S3 bucket.
AnswerA

A bucket policy with cross-account permissions allows direct writes from source accounts to the centralized bucket.

Why this answer

Option A is correct because VPC Flow Logs can publish directly to an S3 bucket in another account when the bucket policy grants `s3:PutObject` and `s3:GetBucketAcl` to the `delivery.logs.amazonaws.com` service principal, scoped with `aws:SourceAccount` conditions to the source accounts. Option B is wrong because VPC peering carries network traffic between VPCs and has nothing to do with S3 delivery. Option C is wrong because replication would keep a second copy in every account and needs a replication role and configuration per source bucket. Option D is wrong because routing through CloudWatch Logs adds a subscription or export step and cost for no benefit when direct S3 delivery exists.

120
MCQeasy

A security engineer needs to ensure that an EC2 instance can only be accessed using SSH key pairs, not passwords. Which configuration is required?

A.Use EC2 Instance Connect instead of SSH
B.Set 'PasswordAuthentication no' in /etc/ssh/sshd_config on the EC2 instance
C.Attach an IAM role to the instance that denies password-based access
D.Configure the security group to allow SSH only from specific IP addresses
AnswerB

This disables password-based SSH login, enforcing key-based authentication.

Why this answer

Option B is correct because `PasswordAuthentication no` in sshd_config makes the daemon reject password logins, leaving public-key authentication. Option A is wrong because EC2 Instance Connect pushes a short-lived key; it does not stop password logins on its own. Option C is wrong because IAM roles govern AWS API access, not SSH authentication. Option D is wrong because the security group controls which sources can reach port 22, not how they authenticate.

After editing, also set `KbdInteractiveAuthentication no` (older releases: `ChallengeResponseAuthentication no`), confirm the effective values with `sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractive'`, and reload sshd. Amazon Linux AMIs ship with password authentication already disabled.

121
MCQeasy

A company wants to securely store and manage SSL/TLS certificates for use with CloudFront. Which AWS service should be used?

A.AWS Identity and Access Management (IAM)
B.AWS Key Management Service (AWS KMS)
C.AWS Certificate Manager (ACM)
D.AWS CloudHSM
AnswerC

ACM provisions and manages SSL/TLS certificates.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it is specifically designed to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services like CloudFront. ACM integrates directly with CloudFront to automatically renew certificates before expiration, eliminating manual renewal overhead. It also handles the complex certificate chain and private key management securely, ensuring HTTPS termination at CloudFront edge locations.

Exam trap

The trap here is that candidates sometimes treat AWS KMS or the IAM server certificate store as equivalent options. IAM-stored certificates do still work with CloudFront, but they are a legacy path with no automatic renewal, and an ACM certificate used by CloudFront must be issued or imported in us-east-1.

How to eliminate wrong answers

Option A is wrong because AWS Identity and Access Management (IAM) is an identity and access-control service, not a certificate manager; its server certificate store is a legacy location that CloudFront and load balancers can still reference, but it provides no issuance or automatic renewal. Option B is wrong because AWS Key Management Service (AWS KMS) manages encryption keys for data at rest and does not issue, renew, or bind SSL/TLS certificates to CloudFront. Option D is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for key storage and cryptographic operations, not certificate lifecycle management; using it for CloudFront certificates would require custom tooling and manual renewal, and there is no native integration.

122
MCQmedium

A company's AWS Lambda function that processes sensitive data is triggering unexpectedly. The security team wants to investigate using AWS CloudTrail. What should they look for?

A.`UpdateFunctionConfiguration` events in CloudTrail from the Lambda service.
B.`CreateFunction` events in CloudTrail from the Lambda service.
C.`Invoke` events in CloudTrail from the Lambda service.
D.`PutSubscriptionFilter` events in CloudTrail from CloudWatch Logs.
AnswerC

Each invocation generates an `Invoke` event.

Why this answer

Option C is correct because `Invoke` events in CloudTrail record each invocation of a Lambda function, including the identity that called it and its source address, so the team can spot unexpected callers or invocation patterns. Lambda invocations are data events, which a trail does not record by default: the trail must have Lambda data events enabled for the function before these records exist, and enabling them on a busy function adds log volume and cost.

Exam trap

The trap here is that candidates may confuse configuration or creation events with invocation events, mistakenly thinking that `UpdateFunctionConfiguration` or `CreateFunction` would show who triggered the function, when in fact only `Invoke` events capture the actual execution requests.

How to eliminate wrong answers

Option A is wrong because `UpdateFunctionConfiguration` events record changes to the function's configuration (e.g., memory, timeout, environment variables), not the actual invocations that would reveal unexpected triggers. Option B is wrong because `CreateFunction` events record the creation of new Lambda functions, not the triggering of an existing function. Option D is wrong because `PutSubscriptionFilter` events from CloudWatch Logs are used to configure log subscription filters for streaming log data, not to capture Lambda invocation events.

123
MCQeasy

Refer to the exhibit. An IAM user has this policy attached. Can the user create a new IAM user in the us-east-1 region?

A.Yes, because the Allow statement explicitly permits CreateUser.
B.No, because IAM is a global service and region conditions do not apply.
C.Yes, because the Deny only applies to us-east-1.
D.No, because the Deny statement blocks all IAM actions in us-east-1.
AnswerD

The Deny is explicit and overrides the Allow.

Why this answer

Option D is correct. The Deny statement applies to all IAM actions when the request is made in us-east-1, and an explicit deny always overrides an allow, so CreateUser is blocked even though it is explicitly allowed. Because IAM is a global service whose endpoint is treated as us-east-1 for the aws:RequestedRegion condition key, the deny applies to every IAM call regardless of the client's configured region.

The request fails.

124
MCQmedium

A company has an S3 bucket with a bucket policy that grants access to an IAM role used by an application running on EC2. The application is unable to read objects from the bucket, even though the IAM role has the necessary permissions. What is the most likely cause?

A.The bucket is in a different AWS account.
B.The bucket policy denies access to the IAM role.
C.The bucket policy does not explicitly allow the IAM role.
D.The IAM role has an explicit deny statement.
AnswerB

A deny in bucket policy overrides any allow.

Why this answer

Option B is correct because an explicit Deny in the bucket policy overrides any Allow, including the role's identity policy. Option A is wrong because cross-account access needs both the bucket policy and the identity policy to allow, and the question states the bucket policy grants the role access. Option C is wrong because in the same account an identity-policy Allow is sufficient; the bucket policy does not need to name the role. Option D is wrong because the question states the role has the necessary permissions, so its own policy is not the blocker.

When this happens in practice, use the IAM policy simulator or check the `errorCode` in the CloudTrail GetObject event (`AccessDenied`), and also confirm that the objects are not encrypted with a KMS key the role cannot decrypt.
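The deny-overrides-allow logic behind questions 100, 104, 110, 114, 123 and 124 is easier to trust once it is run. The block below is an added example, not code from the page or from AWS: a toy evaluator that models only Effect, Action, Resource and the Bool, BoolIfExists, StringEquals, StringNotEquals and Null operators, with principals and cross-account rules left out. The bucket name, role permissions and request contexts are constructed. One simplification is labelled in the code: a key absent from the request context fails every operator except Null and the IfExists variants, which is why the two-statement encryption policy and the BoolIfExists form of the MFA deny are the shapes shown.

```python
from fnmatch import fnmatchcase

# Added example: a toy evaluator for IAM/S3 Deny-overrides-Allow.  Not AWS code.
# Simplification: a missing condition key fails every operator except Null and
# the ...IfExists variants; real IAM semantics differ by operator.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, fold_case):
    if fold_case:                       # action names are case-insensitive
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """All operator blocks must hold (AND); the values listed for one key are ORed."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = {str(w).lower() for w in _as_list(wanted)}
            have = ctx.get(key)
            if op == "Null":                         # "true" means the key must be absent
                if (have is None) != ("true" in wanted):
                    return False
            elif have is None:
                if op != "BoolIfExists":             # IfExists passes on a missing key
                    return False
            elif op in ("Bool", "BoolIfExists", "StringEquals"):
                if str(have).lower() not in wanted:
                    return False
            elif op == "StringNotEquals":
                if str(have).lower() in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def _statement_applies(stmt, action, resource, ctx):
    return (_glob_match(stmt["Action"], action, fold_case=True)
            and _glob_match(stmt.get("Resource", "*"), resource, fold_case=False)
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    `policies` holds every policy that applies to the principal (identity policies
    plus a same-account bucket or key policy); one matching Deny ends evaluation."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


BUCKET = "arn:aws:s3:::payroll-data"     # constructed bucket name
OBJECTS = BUCKET + "/*"

# Constructed identity policy on the application role.
ROLE_ALLOW_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, OBJECTS]}]}

# Q100: deny every S3 action that does not arrive over TLS.
DENY_PLAINTEXT = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
                                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Q104/Q114: two statements, so a wrong header AND a missing header are both rejected.
REQUIRE_SSE_KMS = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Q110: with long-term access keys aws:MultiFactorAuthPresent is absent, so the Bool
# form never matches; BoolIfExists is the form that actually denies those requests.
DENY_NO_MFA_WEAK = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
DENY_NO_MFA = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                              "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

# Q123: an Allow for iam:CreateUser loses to an explicit Deny on iam:* in us-east-1.
IAM_ALLOW_THEN_DENY = {"Statement": [
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
```

Calling `evaluate([ROLE_ALLOW_S3, REQUIRE_SSE_KMS], "s3:PutObject", BUCKET + "/report.csv", {})` returns `ExplicitDeny`, and the same call with `{"s3:x-amz-server-side-encryption": "aws:kms"}` returns `Allow`; `evaluate([DENY_PLAINTEXT], ...)` over HTTPS returns `ImplicitDeny`, which is the point behind option C of question 100.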

125
MCQhard

A company has a requirement to retain CloudTrail logs for 7 years to meet regulatory compliance. They want to minimize storage costs while ensuring logs are immutable and cannot be deleted by anyone, including the root user. What should they do?

A.Configure the S3 bucket with MFA Delete enabled.
B.Use CloudTrail log file validation and enable AWS CloudTrail Insights.
C.Store the logs in Amazon S3 Glacier Deep Archive with a vault lock policy.
D.Enable S3 Object Lock in Compliance mode on the destination bucket.
AnswerD

Compliance mode prevents any user from deleting objects until the retention period expires.

Why this answer

Option D is correct because S3 Object Lock in Compliance mode prevents any user, including the root user, from deleting or overwriting a locked object version until its retention period expires; Governance mode can be bypassed by principals holding s3:BypassGovernanceRetention. Option A is wrong because MFA Delete can be turned off by the root user, so it does not guarantee immutability. Option B is wrong because log file validation detects tampering after the fact and CloudTrail Insights is unrelated to retention. Option C is wrong because S3 Glacier Deep Archive is a storage class, not an immutability control, and Vault Lock applies to S3 Glacier vaults, which CloudTrail cannot deliver to.

Object Lock requires versioning and must be enabled on the bucket; set a default retention of 7 years in Compliance mode and add a lifecycle rule that transitions the locked objects to Deep Archive to minimize storage cost.

126
MCQmedium

Refer to the exhibit. A security engineer reviews the key policy of an AWS KMS customer managed key. The AppRole role is used by an application to encrypt and decrypt data. However, the application is unable to decrypt data. What is the MOST likely cause?

A.The root user does not have permission to use the key.
B.The KMS key is disabled.
C.The key administrator has not granted the AppRole permission to use the key.
D.The kms:Decrypt permission is not granted to the AppRole.
AnswerB

If the key is disabled, decryption will fail despite the permissions.

Why this answer

Option B is correct. The exhibit's 'Allow use of the key' statement already grants AppRole kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey, so permissions are not the problem; a key whose state is Disabled (or PendingDeletion) rejects cryptographic operations regardless of policy. Check `aws kms describe-key --key-id <key-id>` for KeyState, and confirm the ciphertext was produced with this key rather than another.

Option A is wrong because the root principal is granted full access in the first statement. Option C is wrong because the administrator statement covers key management and has no bearing on AppRole's usage rights. Option D is wrong because kms:Decrypt is explicitly listed in the usage statement.

127
MCQhard

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to implement centralized logging for all AWS CloudTrail events across all accounts. They create a new trail in the management account with the following configuration: trail name 'central-trail', apply to all accounts in the organization, enable data events for all S3 buckets, and store logs in a centralized S3 bucket. After one week, they notice that some accounts are not delivering CloudTrail logs to the central bucket. The security engineer verifies that the trail is still configured to apply to all accounts and that the S3 bucket policy allows cross-account access. What is the MOST likely reason for the missing logs?

A.The member accounts have not enabled CloudTrail Insights
B.The S3 bucket policy does not grant the correct permissions to the member accounts
C.The trail is not configured as a multi-region trail
D.Some accounts were added to the organization after the trail was created, and the trail was not updated to include them
AnswerD

When new accounts join, the trail must be updated or they need to enable the trail manually.

Why this answer

The answer key treats D as the cause: the trail's account coverage is assumed to be fixed at creation, so accounts that joined later were never covered until the trail was updated.

Note, however, that AWS documents organization trails as applying automatically to accounts that join the organization later, so in practice this explanation rarely holds. When logs from a member account stop, run `aws cloudtrail describe-trails --include-shadow-trails` and `aws cloudtrail get-trail-status` in that account to confirm the organization trail is present and logging, look at `LatestDeliveryError`, and verify that the bucket policy's `aws:SourceArn` and account conditions still cover the trail and every member.

Exam trap

The trap here is that the question models 'apply to all accounts' as evaluated once at creation time, and the intended answer follows that model; current AWS documentation states the opposite (new member accounts are added automatically), so verify the actual trail status rather than assuming either behavior.

How to eliminate wrong answers

Option A is wrong because CloudTrail Insights is an optional feature that analyzes management events for unusual activity; it is not required for log delivery and its absence does not prevent logs from being delivered. Option B is wrong because the security engineer already verified that the S3 bucket policy allows cross-account access, so the policy is not the issue. Option C is wrong because the missing logs are from specific accounts, not from specific regions; a single-region organization trail would still deliver each member account's events from the trail's region, so whole accounts would not be absent.

128
MCQeasy

A company wants to receive real-time notifications for every root user login to the AWS Management Console. Which service should be used?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon CloudWatch Events
D.AWS Config
AnswerC

CloudWatch Events can create a rule that matches the root login event from CloudTrail and sends to SNS.

Why this answer

Option C is correct because CloudWatch Events can match the RootLogin event from CloudTrail and trigger an SNS notification. Option B is incorrect because CloudTrail itself does not send notifications. Option A is incorrect because GuardDuty may detect unusual root activity but is not designed for real-time notifications of all root logins.

Option D is incorrect because AWS Config does not monitor root logins.

129
Multi-Selecthard

A company is implementing AWS Organizations with multiple accounts. Which THREE are benefits of using service control policies (SCPs)? (Choose three.)

Select 3 answers
A.Grant cross-account access
B.Prevent users from disabling CloudTrail
C.Enforce compliance requirements
D.Manage consolidated billing
E.Centrally restrict permissions across accounts
AnswersB, C, E

SCPs can deny actions that disable logging.

Why this answer

Options B, C, and E are correct. D is wrong because SCPs are not used for billing. A is wrong because SCPs do not grant cross-account access.

130
MCQmedium

A company is using AWS Organizations to manage multiple accounts. The security team needs to enforce that all newly created S3 buckets across the organization have server-side encryption (SSE-S3) enabled by default. Which solution is MOST operationally efficient?

A.Create an AWS Lambda function that is triggered by S3 event notifications to enable encryption on any new bucket.
B.Set a default bucket encryption policy in each account’s S3 console.
C.Apply an SCP to the root organizational unit that denies s3:CreateBucket if the bucket lacks encryption settings.
D.Use AWS Config with a managed rule s3-bucket-server-side-encryption-enabled to trigger remediation.
AnswerC

SCPs can deny actions with conditions, preventing noncompliant bucket creation across all accounts.

Why this answer

Using an SCP to deny creation of buckets without encryption is the most efficient because it prevents noncompliant buckets from being created at the root level. Option A (Lambda triggered by S3 event notifications) is reactive and less efficient. Option D (AWS Config rule) only detects noncompliant buckets after creation.

Option B (default encryption set per account) does not block at the organization level.

131
MCQmedium

A security engineer needs to ensure that all EC2 instances launched in a development account are tagged with a cost center. What is the most effective way to enforce this?

A.Use AWS Config to detect untagged instances and send alerts
B.Use AWS Systems Manager to tag instances after launch
C.Create a tag policy in AWS Organizations requiring the cost center tag
D.Use an IAM policy that denies ec2:RunInstances unless the request includes the cost center tag
AnswerD

This prevents launching instances without the required tag.

Why this answer

Option D is correct because using an IAM policy with a condition key (e.g., `aws:RequestTag`) that denies `ec2:RunInstances` unless the `cost center` tag is specified in the API call enforces tagging at launch time. This prevents any untagged instance from being created, providing proactive enforcement rather than reactive detection or remediation.

Exam trap

The trap here is that candidates often choose AWS Config (Option A) because it is a common governance tool, but they miss that Config only detects non-compliance after the fact, whereas IAM policies provide preventive enforcement at the API level.

How to eliminate wrong answers

Option A is wrong because AWS Config can only detect and alert on untagged instances after they are launched, not prevent their creation, leaving a window of non-compliance. Option B is wrong because AWS Systems Manager can tag instances after launch, but this is a reactive measure that does not enforce tagging at creation time and may miss instances that are not managed by Systems Manager. Option C is wrong because tag policies in AWS Organizations are used to enforce consistent tagging across accounts but do not prevent the launch of untagged resources; they only provide a compliance check and can mark non-compliant resources, not block the action.

132
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all CloudTrail trails be encrypted with a customer-managed KMS key. Which CloudFormation template snippet correctly enforces this requirement?

A.Trail with KMSKeyId set to 'aws/cloudtrail'
B.Trail with KMSKeyId set to 'arn:aws:kms:us-east-1:123456789012:key/abcd1234-...'
C.Trail with KMSKeyId set to 'alias/my-cloudtrail-key'
D.Trail without KMSKeyId specified
AnswerB

This specifies a customer-managed KMS key.

Why this answer

Option B sets KMSKeyId to a customer-managed key ARN, ensuring encryption. Option A uses the AWS managed key (default). Option D does not encrypt with a customer-managed key.

Option C uses an alias, which could resolve to an AWS managed key; the KMSKeyId must be a customer-managed key ARN.

133
MCQeasy

A company wants to automatically isolate an EC2 instance that is suspected to be compromised. What is the MOST effective AWS-native approach?

A.Terminate the instance immediately
B.Use Amazon GuardDuty to detect the compromise and automatically modify the instance's security group to deny all traffic
C.Use AWS Config to change the instance's IAM role
D.Use AWS Systems Manager to run a script that stops the instance
AnswerB

GuardDuty can trigger a Lambda to modify security group, isolating the instance.

Why this answer

Amazon GuardDuty can detect suspicious activity on an EC2 instance (e.g., cryptocurrency mining, unusual outbound traffic) and, when integrated with Amazon EventBridge and AWS Lambda, automatically modify the instance's security group to deny all traffic. This approach isolates the instance without terminating it, preserving forensic evidence and allowing further investigation. It is the most effective AWS-native approach because it combines threat detection with automated, least-privilege response actions.

Exam trap

The trap here is that candidates often choose termination (Option A) thinking it is the fastest way to stop the threat, but the exam emphasizes preserving forensic evidence and using automated, reversible isolation mechanisms like security group modification.

How to eliminate wrong answers

Option A is wrong because terminating the instance destroys volatile forensic data (memory, disk) and prevents post-incident analysis, which is contrary to incident response best practices. Option C is wrong because changing the instance's IAM role does not affect network traffic; the instance remains accessible over the network, so it does not isolate the compromised instance. Option D is wrong because using AWS Systems Manager to run a script that stops the instance still leaves the instance accessible until the stop completes, and stopping does not block network access immediately; additionally, Systems Manager requires the instance to have network connectivity to receive the command, which may not be reliable if the instance is already compromised.

134
MCQmedium

A company wants to detect and alert on suspicious IAM role usage, such as a role being assumed from an unusual geographic location. Which AWS service should be used to generate the alerts?

A.AWS IAM Access Analyzer
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon CloudWatch
AnswerB

GuardDuty uses anomaly detection on CloudTrail events to alert on unusual activity.

Why this answer

Amazon GuardDuty is the correct choice because it is a threat detection service that continuously monitors for suspicious activity, including unusual IAM role usage such as a role being assumed from an anomalous geographic location. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze CloudTrail management events and VPC flow logs, generating alerts (findings) for deviations from baseline behavior. This directly meets the requirement to detect and alert on suspicious role assumptions without needing to write custom rules.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with detection, assuming that because CloudTrail records the AssumeRole event, it can also alert on it, but CloudTrail requires an additional service like GuardDuty or CloudWatch with custom rules to generate alerts, whereas GuardDuty provides built-in, automated anomaly detection for this exact scenario.

How to eliminate wrong answers

Option A is wrong because AWS IAM Access Analyzer is designed to identify resources shared with external entities by analyzing resource-based policies, not to detect anomalous IAM role usage or generate real-time alerts based on geographic location. Option C is wrong because AWS CloudTrail is a logging service that records API activity but does not natively analyze logs for suspicious patterns or generate alerts; it requires additional services like CloudWatch Logs or GuardDuty to process and alert on the data. Option D is wrong because Amazon CloudWatch is a monitoring and observability service that can trigger alarms based on metrics or log patterns, but it lacks built-in anomaly detection for IAM role usage from unusual locations and would require custom metric filters and manual threshold configuration, making it less effective and more complex than GuardDuty's purpose-built capabilities.

135
Multi-Selecteasy

Which TWO of the following are AWS best practices for managing access keys? (Choose 2.)

Select 2 answers
A.Use the same access key for multiple users.
B.Share access keys via email.
C.Delete unused access keys.
D.Rotate access keys regularly.
E.Embed access keys directly in application code.
AnswersC, D

Reduces attack surface.

Why this answer

Deleting unused access keys and rotating keys regularly are standard security practices; sharing keys, reusing them across users, or embedding them in application code are not.

136
MCQmedium

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted with server-side encryption using customer-provided encryption keys (SSE-C). A developer uploads objects using the AWS SDK but forgets to include the encryption key in the request. What happens to the upload?

A.The upload succeeds and the object is encrypted with the default S3 managed key
B.The upload succeeds and the object is encrypted with the bucket's default encryption settings
C.The upload succeeds but the object is stored without server-side encryption
D.The upload fails with a 400 Bad Request error
AnswerC

SSE-C only encrypts if key provided.

Why this answer

With SSE-C, the request must include the encryption key. If not provided, the upload succeeds but the object is stored without server-side encryption (i.e., as plaintext). Option C is correct.

Option D is wrong because S3 does not reject the request with an error; Options A and B are wrong because default encryption is not applied in this case.

137
MCQeasy

A security engineer is investigating a potential data breach and finds this CloudTrail log entry. What does this entry indicate?

A.A user encrypted data using a KMS key
B.A user decrypted data using a KMS key
C.An anonymous user accessed the KMS key
D.The KMS key was deleted
AnswerB

The event name is Decrypt.

Why this answer

Option B is correct because the event shows a user calling Decrypt on a KMS key. Option A is wrong because it's a Decrypt, not an Encrypt. Option D is wrong because the key is specified in the request, not deleted.

Option C is wrong because the user is identified.

138
MCQeasy

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. Which configuration should be used?

A.Manually update the secret in Secrets Manager every 30 days.
B.Use Amazon Macie to detect when secrets are stale.
C.Set an expiration date on the secret and recreate it.
D.Enable automatic rotation using an AWS Lambda function.
AnswerD

Secrets Manager natively supports rotation with Lambda.

Why this answer

Option D is correct because AWS Secrets Manager provides a built-in mechanism to automatically rotate secrets using an AWS Lambda function. By configuring a rotation schedule (e.g., every 30 days), Secrets Manager invokes the Lambda function to create a new version of the secret and update the database credentials, ensuring compliance without manual intervention.

Exam trap

The trap here is that candidates may confuse setting an expiration date (Option C) with automatic rotation, but expiration only triggers deletion or recreation, not the seamless, scheduled credential update that a Lambda-based rotation provides.

How to eliminate wrong answers

Option A is wrong because manually updating the secret every 30 days is not automated and violates the requirement for automatic rotation; it also introduces human error risk and operational overhead. Option B is wrong because Amazon Macie is a data discovery and classification service that identifies sensitive data in S3, not a tool for detecting stale secrets or managing rotation schedules in Secrets Manager. Option C is wrong because setting an expiration date on a secret only marks it for deletion or forces recreation, but does not automatically rotate the secret; the secret must be manually recreated, and the rotation process is not triggered by expiration alone.

139
MCQmedium

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

A.The AMI ID ami-0abcdef1234567890 is not a standard Amazon-provided AMI.
B.The source IP address 203.0.113.50 is from an unexpected geographic location not associated with the company.
C.The instance type m5.xlarge is unusually large compared to previous launches.
D.The security group sg-0123456789abcdef0 allows inbound SSH from 0.0.0.0/0.
AnswerB

Anomalous source IP is a common indicator of compromise.

Why this answer

The source IP address 203.0.113.50 is from an unexpected geographic location not associated with the company. In CloudTrail, the `sourceIPAddress` field records the originating IP of the API call. If an AdminRole is used from an IP outside the company's known CIDR ranges or geographic regions, it strongly indicates a potential compromise—such as stolen credentials or an attacker using the role from an unauthorized network.

This is a key indicator of anomalous behavior in threat detection.

Exam trap

The trap here is that candidates focus on technical misconfigurations (like open security groups or unusual AMIs) rather than the behavioral anomaly of an administrative action originating from an unexpected IP, which is the most direct indicator of a potential compromise in CloudTrail logs.

How to eliminate wrong answers

Option A is wrong because an AMI ID that is not a standard Amazon-provided AMI could be a custom or marketplace AMI, which is common in legitimate environments; it does not alone indicate compromise. Option B is correct as explained. Option C is wrong because an instance type like m5.xlarge may be larger than usual but could be legitimate for a specific workload; size alone is not a reliable indicator of compromise without context like cost anomalies or unusual launch patterns.

Option D is wrong because a security group allowing inbound SSH from 0.0.0.0/0 is a misconfiguration that increases risk, but it does not directly indicate that the launch action itself was unauthorized or compromised—it is a separate security issue.

140
Multi-Selectmedium

A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive documents. The security team requires that all data be encrypted in transit and at rest, and that any accidental deletion of objects can be reversed within 30 days. Additionally, the company must be able to audit all access attempts to the bucket, including failed attempts. Which TWO actions should the company take to meet these requirements? (Choose two.)

Select 2 answers
A.Enable default encryption on the bucket using SSE-S3.
B.Enable AWS CloudTrail with data events for S3.
C.Enable S3 Versioning on the bucket.
D.Enable S3 server access logs and send them to a separate bucket.
E.Enable MFA Delete on the bucket.
AnswersB, C

CloudTrail logs all API calls, including failed ones, for auditing.

Why this answer

AWS CloudTrail with data events for S3 is correct because it captures all S3 API calls, including GetObject, PutObject, and DeleteObject, and records both successful and failed access attempts. This meets the auditing requirement for all access attempts, including failed ones, as CloudTrail logs the request details, error codes, and source IP addresses.

Exam trap

The trap here is that candidates often confuse S3 server access logs (which log successful requests only) with CloudTrail data events (which log all API calls, including failures), leading them to select Option D instead of Option B.

141
MCQhard

A company is using AWS Config to evaluate resource compliance. They need to ensure that all EC2 instances have a specific tag key 'Environment' with a value of 'Production' or 'Development'. Which type of AWS Config rule should be used?

A.Custom AWS Config rule written in Python
B.Custom AWS Config rule using AWS Lambda
C.AWS Config managed rule 'ec2-instance-tags'
D.AWS Config managed rule 'required-tags'
AnswerB

A custom rule can check for both tag key and value.

Why this answer

Option B is correct because a custom AWS Config rule (Lambda function) can evaluate the required tags. Option C is wrong because managed rules may not have the exact logic. Option D is wrong because AWS Config does not have a built-in 'required-tags' rule with custom values.

Option A is wrong because AWS Config rules cannot be written in Python directly; they use Lambda.

142
Multi-Selecteasy

Which TWO AWS services can be used to detect and alert on suspicious activity in near real-time?

Select 2 answers
A.Amazon CloudWatch Events
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS CloudTrail
E.AWS Config
AnswersA, C

CloudWatch Events can trigger on suspicious patterns.

Why this answer

Options A and C are correct. Amazon GuardDuty provides near real-time threat detection, and Amazon CloudWatch Events can trigger alerts based on patterns. Option E (Config) is for compliance, not threat detection.

Option D (CloudTrail) is for logging, not real-time alerting. Option B (Inspector) is for vulnerability scanning.

143
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization block public access. Which policy should be attached to the root organizational unit to achieve this?

A.Enable AWS CloudTrail to log public access attempts and alert the security team.
B.Use AWS Config rules to remediate non-compliant buckets automatically.
C.Attach a service control policy (SCP) that denies s3:PutBucketPublicAccessBlock.
D.Create an IAM role with a bucket policy that blocks public access.
AnswerC

SCPs can be attached to OUs to centrally restrict permissions.

Why this answer

Option C is correct because a service control policy (SCP) can be applied at the root OU to deny actions that allow public access. Option D is wrong because IAM roles are account-specific. Option A is wrong because CloudTrail is for logging.

Option B is wrong because AWS Config rules evaluate compliance but do not enforce.

144
MCQeasy

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the organization have multi-factor authentication (MFA) enabled. Which combination of actions should be taken to enforce this requirement?

A.Create an SCP that denies IAM actions without MFA and attach it to the IAM group that contains all users.
B.Create an SCP that denies IAM actions without MFA and attach it to the root organizational unit (OU).
C.Create an SCP that denies IAM actions without MFA and attach it to each IAM user.
D.Create an SCP that denies IAM actions without MFA and attach it to the management account.
AnswerB

Attaching the SCP to the root OU applies it to all accounts in the organization, enforcing MFA for all IAM users.

Why this answer

Option B is correct because Service Control Policies (SCPs) in AWS Organizations can be attached to the root organizational unit (OU) to apply a blanket denial of IAM actions when MFA is not present, affecting all accounts and users within the organization. This leverages the `aws:MultiFactorAuthPresent` condition key in an SCP to enforce MFA at the organization level, ensuring that even if IAM users are created in member accounts, they cannot perform IAM actions without MFA. Attaching the SCP to the root OU ensures the policy cascades down to all child OUs and accounts, providing centralized enforcement.

Exam trap

The trap here is that candidates mistakenly think SCPs can be attached to IAM users or groups, but SCPs are organization-level policies that only apply to OUs, accounts, or the root, not to individual IAM entities.

How to eliminate wrong answers

Option A is wrong because SCPs cannot be attached to IAM groups; SCPs are applied to OUs, accounts, or the root of the organization, not to IAM entities like groups, users, or roles. Option C is wrong because SCPs cannot be attached directly to IAM users; they are only applicable to AWS Organizations entities (OUs, accounts, or the root). Option D is wrong because attaching the SCP to the management account would only affect that single account, not the member accounts; SCPs must be attached to the root OU or relevant OUs to enforce policies across the entire organization.

145
MCQhard

Refer to the exhibit. A security engineer configured the above bucket policy for CloudTrail log delivery. However, logs are not being delivered. What is the most likely cause?

A.The Action should be 's3:PutObjectAcl' instead of 's3:PutObject'.
B.The Principal is incorrect; it should be the CloudTrail service principal for the region.
C.The condition requires 'bucket-owner-full-control' ACL, but CloudTrail does not set this ACL when delivering to the same account.
D.The Resource ARN is missing the account ID in the path.
AnswerC

CloudTrail sets the ACL only for cross-account delivery; for same account, the ACL is not set, causing the condition to fail.

Why this answer

The bucket policy requires the 'bucket-owner-full-control' canned ACL, but CloudTrail by default uses 'bucket-owner-full-control' only when delivering to a different account. For same-account delivery, the ACL is not set, causing a mismatch. Option B is wrong because the principal is correct.

Option D is wrong because the resource ARN is correct. Option A is wrong because the action is correct.

146
MCQeasy

A security engineer receives an AWS GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a public IP and is in a public subnet. What is the IMMEDIATE step to contain the threat?

A.Stop the EC2 instance to stop the brute force attempts.
B.Change the security group name to 'Quarantine' and remove all rules.
C.Modify the network ACL to deny all inbound traffic from the attacker's IP address range.
D.Update the security group to deny inbound SSH from the attacker's IP address.
AnswerD

Immediately blocks the attacker while allowing other traffic.

Why this answer

Option D is correct because updating the security group to deny inbound SSH from the attacker's IP address immediately blocks the brute force attempts at the instance level without disrupting legitimate traffic from other sources. Security groups are stateful and act as a virtual firewall for EC2 instances, so denying the specific attacker IP for port 22 (SSH) stops the attack while preserving the instance's availability and other services.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and choose option C, thinking a subnet-wide block is more effective, but it is slower and impacts all instances in the subnet, whereas a security group update is immediate and targeted.

How to eliminate wrong answers

Option A is wrong because stopping the EC2 instance halts all services and may cause data loss or downtime, which is not the immediate containment step—it is a last resort. Option B is wrong because changing the security group name to 'Quarantine' and removing all rules would block all inbound and outbound traffic, effectively isolating the instance and breaking legitimate connectivity, which is too aggressive for immediate containment. Option C is wrong because modifying the network ACL to deny all inbound traffic from the attacker's IP address range is a subnet-level control that is stateless, meaning it would require also allowing return traffic explicitly; additionally, it affects all instances in the subnet, not just the targeted one, and is slower to implement than a security group update.

147
MCQhard

A security engineer is configuring a VPC endpoint for Amazon S3 and wants to ensure that only traffic from specific IAM roles can access the S3 bucket through the endpoint. Which policy element should the engineer use?

A.aws:SourceVpc
B.aws:PrincipalArn
C.aws:username
D.aws:SourceVpce
AnswerB

This condition key allows restricting access to specific IAM roles.

Why this answer

Option B is correct because VPC endpoint policies can use the 'aws:PrincipalArn' condition key to restrict access to specific IAM roles. Option A is wrong because 'aws:SourceVpc' restricts to a specific VPC, not an IAM role. Option D is wrong because 'aws:SourceVpce' restricts to a specific endpoint, not a role.

Option C is wrong because 'aws:username' is for IAM users, not roles.

148
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). They have an Application Load Balancer in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access the internet for updates. The security engineer has set up a NAT gateway in each public subnet. The route table for the private subnets has a default route pointing to the NAT gateway in the same Availability Zone. However, the EC2 instances are unable to reach the internet. What is the most likely cause?

A.The route tables for the public subnets do not have a default route (0.0.0.0/0) to the Internet Gateway.
B.The security groups for the EC2 instances do not allow outbound traffic.
C.The NAT gateways do not have route propagation enabled.
D.The NAT gateways are in the same Availability Zone.
AnswerA

NAT gateways need a route to IGW to reach the internet.

Why this answer

Option A is correct. Each NAT gateway must be in a public subnet with a route to the Internet Gateway. If the route table for the public subnet where the NAT gateway resides does not have a default route to the IGW, the NAT gateway cannot forward traffic.

Option D is incorrect because each NAT gateway can be in a different AZ. Option C is incorrect because route propagation is for VPN. Option B is incorrect because security groups allow outbound by default.

149
MCQeasy

A company wants to centrally manage access keys for IAM users. Which AWS service can generate and rotate access keys automatically?

A.AWS CloudHSM
B.AWS KMS
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
AnswerD

Secrets Manager can rotate IAM access keys automatically.

Why this answer

AWS Secrets Manager is the correct service because it natively supports automatic rotation of secrets, including IAM user access keys. You can configure a rotation schedule (e.g., every 30 days) and Secrets Manager will generate a new access key pair, update the IAM user, and optionally disable or delete the old key. This provides a fully managed, centralized solution for rotating access keys without custom scripting.

Exam trap

The trap here is that candidates often confuse AWS KMS (which handles encryption keys) with Secrets Manager (which handles secrets like passwords and access keys), or they assume Parameter Store can rotate secrets automatically, but only Secrets Manager provides built-in, configurable rotation for IAM access keys.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides hardware security modules for cryptographic key storage and operations, but it does not generate or rotate IAM access keys. Option B is wrong because AWS KMS manages encryption keys (symmetric and asymmetric) and performs cryptographic operations, but it cannot create or rotate IAM user access keys. Option C is wrong because AWS Systems Manager Parameter Store can store secrets as parameters, but it lacks built-in rotation capabilities; you would need to implement custom rotation logic using Lambda, whereas Secrets Manager provides native rotation.

150
MCQhard

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes financial transactions and must store transaction logs in an Amazon S3 bucket. The security team requires that all API calls to AWS services are logged and that the logs are stored in a secure, tamper-proof manner. The team enables AWS CloudTrail to log management events and Amazon S3 server access logs for the S3 bucket. They also enable AWS Config to track resource changes. The compliance team wants to ensure that no one can disable CloudTrail logging or delete the CloudTrail log files. The security engineer proposes a solution using an SCP in AWS Organizations to deny actions that would disable CloudTrail or delete log files. However, the engineer is concerned that the SCP might be applied too broadly and affect legitimate administrative actions. The engineer wants to ensure that only the security team’s IAM role (SecurityAdminRole) can perform these restricted actions, while all other principals (including IAM users, roles, and the root user) are denied. The engineer creates an SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, and s3:DeleteObject on the CloudTrail S3 bucket. The SCP includes a condition that allows the action if the principal is SecurityAdminRole. However, after applying the SCP, the security team finds that even SecurityAdminRole is unable to stop CloudTrail logging. What is the most likely cause of this issue?

A.The condition in the SCP is incorrectly scoped, causing the deny to apply to all principals including SecurityAdminRole.
B.The SCP is applied to the root organizational unit (OU), which includes the management account where the root user is not affected by SCPs.
C.The SecurityAdminRole does not have the necessary IAM permissions to stop CloudTrail logging.
D.The S3 bucket policy on the CloudTrail bucket denies access to the SecurityAdminRole.
AnswerA

Correct – The condition likely does not properly exclude SecurityAdminRole, so the deny applies to all.

Why this answer

A: Correct – The root user is not affected by SCPs by default, but if the condition incorrectly references the root user, it may block all principals including SecurityAdminRole. However, the more common issue is that the SCP was applied without a condition that properly excludes SecurityAdminRole, or the condition was not properly scoped. In this scenario, the most likely cause is that the condition in the SCP is not correctly scoped to exempt SecurityAdminRole.

The SCP should use a condition like "StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"} to deny only when the principal is not that role. If the condition is incorrectly written, it may deny all principals. Alternatively, the SCP might be applied to the management account where root user cannot be denied, but the issue is that SecurityAdminRole is denied.

The typical mistake is using "Deny" without a proper condition that excludes the allowed role. B: Incorrect – If the SCP is applied to the root OU, it applies to all member accounts including the security team's account. D: Incorrect – S3 bucket policies can grant access, but if the SCP denies, the deny overrides.

C: Incorrect – The correct answer is that the SCP is too restrictive; the condition is flawed, not the role's IAM permissions.
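The following is an added example (not from the exam page and not AWS code) that illustrates the two deny-with-condition patterns discussed in questions 131 and 150: an IAM Deny on `ec2:RunInstances` that fires when the `aws:RequestTag/CostCenter` key is absent, and an SCP Deny on `cloudtrail:StopLogging` that is meant to exempt `SecurityAdminRole`. It is a toy evaluator that models only the handful of condition operators used here, with policies, account ID `111122223333`, the tag key `CostCenter` and the role names all constructed for the illustration. One caveat it makes visible: the `StringEquals`/`StringNotEquals` operators match exactly and never treat `*` as a wildcard, so an ARN pattern with `*` in the account field has to use `ArnNotLike` or `StringNotLike`; with `StringNotEquals` the condition always holds and the deny hits every principal, including the role it was supposed to exempt.

```python
"""Toy evaluator for IAM/SCP Deny statements with conditions.

Added example, not from the exam page or from AWS. It models only the
operators needed here (StringEquals, StringNotEquals, StringLike,
StringNotLike, ArnLike, ArnNotLike, Null). Real IAM evaluation has far
more rules; ArnLike here is approximated with shell-style matching.
"""
from fnmatch import fnmatchcase

# Constructed placeholder principals (not real accounts).
SEC_ADMIN = "arn:aws:iam::111122223333:role/SecurityAdminRole"
DEVELOPER = "arn:aws:iam::111122223333:role/DeveloperRole"

# Question 150 pattern, written the way that does NOT work: StringNotEquals
# compares exactly, so '*' never equals a real account ID.
FLAWED_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {
        "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"}},
}]}

# Same intent with a wildcard-aware operator, so the role is exempted.
FIXED_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {
        "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"}},
}]}

# Question 131 pattern: deny RunInstances when the CostCenter tag is absent
# from the request ("Null" is true when the key is missing).
TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
}]}


def _values(v):
    return v if isinstance(v, list) else [v]


def condition_holds(condition, ctx):
    """True when every operator/key pair in the condition block matches ctx.

    Negated operators (StringNotEquals, ArnNotLike, ...) evaluate to true
    when the key is missing from the request context, as in IAM.
    """
    for operator, entries in condition.items():
        for key, expected in entries.items():
            actual = ctx.get(key)
            expected = _values(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected
            elif operator in ("StringLike", "ArnLike"):
                ok = actual is not None and any(fnmatchcase(actual, p) for p in expected)
            elif operator in ("StringNotLike", "ArnNotLike"):
                ok = actual is None or not any(fnmatchcase(actual, p) for p in expected)
            elif operator == "Null":
                want_missing = str(expected[0]).lower() == "true"
                ok = (actual is None) == want_missing
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def explicitly_denied(policy, action, ctx):
    """True if any Deny statement covers the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _values(stmt["Action"])):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


def scp_results(policy):
    """Who is denied cloudtrail:StopLogging under the given SCP."""
    return {
        "SecurityAdminRole": explicitly_denied(policy, "cloudtrail:StopLogging",
                                               {"aws:PrincipalArn": SEC_ADMIN}),
        "DeveloperRole": explicitly_denied(policy, "cloudtrail:StopLogging",
                                           {"aws:PrincipalArn": DEVELOPER}),
    }


def run_instances_denied(request_tags):
    """Is ec2:RunInstances denied for a request carrying these tags?"""
    ctx = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    return explicitly_denied(TAG_POLICY, "ec2:RunInstances", ctx)


if __name__ == "__main__":
    print("flawed SCP:", scp_results(FLAWED_SCP))   # both roles denied
    print("fixed SCP: ", scp_results(FIXED_SCP))    # only DeveloperRole denied
    print("untagged launch denied:", run_instances_denied({}))
    print("tagged launch denied:  ", run_instances_denied({"CostCenter": "CC-1234"}))
```

Running the script shows the symptom from question 150 (the flawed SCP denies `SecurityAdminRole` as well as everyone else) next to the corrected condition, and the preventive tag check from question 131 blocking the untagged launch while allowing the tagged one.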
