AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 1426-1500

1738 questions total · 24 pages · All types, answers revealed


Page 20 of 24

1426
Multi-Select · medium

Which THREE steps should a security engineer take to ensure that an incident response plan for an AWS environment is effective? (Choose three.)

Select 3 answers
A.Regularly test the incident response plan through tabletop exercises and simulations.
B.Document and maintain an up-to-date list of incident response team members and their contact information.
C.Use the AWS account root user for incident response actions to ensure full permissions.
D.Store all evidence in an S3 bucket with public read access for easy sharing.
E.Automate containment actions using AWS Lambda and AWS Systems Manager.
Answers: A, B, E

Testing validates the plan's effectiveness.

Why this answer

Options A, B, and E are correct. Testing the plan through tabletop exercises and simulations (A) validates its effectiveness. Documenting procedures and keeping team contact information current (B) ensures clarity during an incident. Automating containment actions (E) reduces response time.

Option C is wrong because using the root user for incident response is a security risk. Option D is wrong because storing evidence in a public S3 bucket is insecure.

1427
MCQ · easy

A company wants to automate the response to a specific GuardDuty finding. When GuardDuty detects a finding of type `UnauthorizedAccess:EC2/SSHBruteForce`, they want to automatically block the offending IP address using a network ACL. Which AWS service can they use to orchestrate this response?

A.AWS Lambda
B.AWS Systems Manager Automation
C.AWS Config
D.AWS CloudFormation
Answer: B

Systems Manager Automation can execute runbooks to modify network ACLs in response to GuardDuty findings.

Why this answer

AWS Systems Manager Automation can be used to run predefined runbooks that modify network ACLs. AWS Config is for compliance, not automation. AWS CloudFormation is for infrastructure as code.

AWS Lambda can be used but requires custom code; Systems Manager Automation provides a managed solution.

1428
MCQ · hard

Refer to the exhibit. A security engineer applies this S3 bucket policy to an S3 bucket. The bucket contains sensitive data. What is the effect of this policy?

A.It allows anonymous users to upload objects.
B.It denies PutObject requests that are not using HTTPS.
C.It denies all PutObject requests to the bucket.
D.It enforces that all objects must be encrypted at rest.
Answer: B

The condition checks for SecureTransport false, so only non-HTTPS requests are denied.

Why this answer

The policy denies PutObject requests that are not made over HTTPS (aws:SecureTransport is false), so it enforces HTTPS for uploads. Option B is correct.

Option A is incorrect because the policy does not allow anonymous uploads. Option C is incorrect because it does not deny all PutObject requests, only those made without HTTPS. Option D is incorrect because it does not enforce encryption at rest.
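As an added example that is not part of the question bank (the exhibit itself is not reproduced here), a bucket policy with the effect the explanation describes; `example-bucket` is a placeholder name. Because the only statement is a Deny keyed on `aws:SecureTransport`, it rejects plain-HTTP uploads and nothing else: it neither opens the bucket to anonymous principals nor requires encryption at rest, which is why only option B fits.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectOverPlainHttp",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

A Deny statement never grants anything, so principals still need an Allow (in their IAM policy or another bucket policy statement) before any upload succeeds; this statement only removes the non-TLS path.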

1429
MCQ · easy

A company is required to retain CloudTrail logs for 7 years for compliance. Which solution meets this requirement with the LEAST operational overhead?

A.Store logs in CloudWatch Logs with a retention period of 7 years.
B.Configure CloudTrail to automatically delete logs older than 7 years.
C.Use an AWS Lambda function to delete logs older than 7 years.
D.Configure an S3 Lifecycle policy to transition logs to S3 Glacier Deep Archive after 90 days and expire after 7 years.
E.Export logs to AWS Snowball for offline archival.
Answer: D

Lifecycle policies automate retention and minimize costs.

Why this answer

Option D is correct because it uses an S3 Lifecycle policy to automatically transition CloudTrail logs to S3 Glacier Deep Archive after 90 days (reducing storage costs) and then expire (delete) the objects after 7 years, meeting the retention requirement with zero ongoing operational effort. This is the least operational overhead solution as it is fully automated within S3, requiring no custom code, manual intervention, or additional services.

Exam trap

The trap here is that candidates may think CloudTrail itself manages log retention (Option B) or that CloudWatch Logs is the simplest option (Option A), but AWS explicitly requires you to manage retention at the destination, and S3 Lifecycle policies are the native, automated, and lowest-overhead solution for long-term archival and deletion.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs has a maximum retention period of 10 years, but storing 7 years of CloudTrail logs in CloudWatch Logs incurs high ingestion and storage costs compared to S3, and requires manual or automated export for long-term archival, increasing operational overhead. Option B is wrong because CloudTrail does not have a built-in feature to automatically delete logs older than a specified period; log retention and deletion must be managed at the destination (e.g., S3 Lifecycle policies). Option C is wrong because using a Lambda function to delete logs older than 7 years introduces custom code, potential execution failures, and ongoing maintenance, which is higher operational overhead than a native S3 Lifecycle policy.

Option E is wrong because exporting logs to AWS Snowball for offline archival is designed for large-scale data transfer and physical shipping, not for routine 7-year retention, and it adds significant operational overhead and latency.
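An added example, not from the page, of the S3 Lifecycle configuration option D describes, in the JSON shape accepted by `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lifecycle.json`. It assumes the trail writes under the default `AWSLogs/` prefix; 2555 days is 7 × 365 and ignores leap days, so add a few days if the retention period is counted strictly.

```json
{
  "Rules": [
    {
      "ID": "cloudtrail-7-year-retention",
      "Status": "Enabled",
      "Filter": {
        "Prefix": "AWSLogs/"
      },
      "Transitions": [
        {
          "Days": 90,
          "StorageClass": "DEEP_ARCHIVE"
        }
      ],
      "Expiration": {
        "Days": 2555
      }
    }
  ]
}
```

Once applied, S3 moves each log object to Glacier Deep Archive 90 days after it was written and deletes it after 2555 days with no code or scheduled job involved, which is the "least operational overhead" property the question is testing.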

1430
MCQ · medium

A security engineer is investigating a potential compromise of an IAM user. The engineer sees that the user's access keys were used from an IP address outside the company's allowed geography. Which AWS service can provide the most immediate notification of such anomalous API calls?

A.AWS Trusted Advisor
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon CloudWatch
Answer: B

GuardDuty detects anomalous API calls and generates findings.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including anomalous API calls from unusual geographies. It uses machine learning and integrated threat intelligence to analyze CloudTrail events, VPC flow logs, and DNS logs in near real-time, enabling immediate notification of suspicious activity such as access key usage from an unexpected IP address.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, forgetting that CloudTrail only records events and requires an additional service like GuardDuty or a custom CloudWatch alarm to provide immediate notification of anomalous activity.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice recommendations for cost, performance, security, and fault tolerance, but it does not monitor or alert on anomalous API calls in real-time; it is a reactive advisory tool, not a threat detection service. Option C is wrong because AWS CloudTrail is a logging service that records API activity, but it does not analyze or alert on anomalous behavior; it requires an additional service like GuardDuty or a custom CloudWatch rule to generate notifications. Option D is wrong because Amazon CloudWatch can monitor metrics and logs and trigger alarms, but it lacks built-in threat detection intelligence; to detect anomalous geolocation-based API calls, you would need to manually create custom metrics and alarms from CloudTrail logs, which is not immediate or automated compared to GuardDuty's out-of-the-box anomaly detection.

1431
MCQ · hard

Refer to the exhibit. A security engineer configures the above KMS key policy. The DataAccess role is used by an application that runs on EC2 instances in the us-east-1 region. The application needs to read encrypted objects from an S3 bucket in the same region. Which of the following is true about this configuration?

A.The role can use the key for any S3 operation in any region.
B.The role cannot use the key for any operation because the condition is invalid.
C.The role can only encrypt data, not decrypt it.
D.The role can decrypt objects in S3, but cannot use the key outside of S3.
Answer: D

The condition restricts use to the S3 service in us-east-1.

Why this answer

Option D is correct. The 'kms:ViaService' condition restricts use of the key to requests that originate from S3 in us-east-1, so the role can only use the key when the request comes through S3 (e.g., S3 GetObject on an SSE-KMS object).

Option A is wrong because the condition limits key use to S3 in us-east-1, not to any service in any region. Option B is wrong because the condition is valid and allows usage via S3. Option C is wrong because the role can both decrypt via S3 GetObject and encrypt via S3 PutObject: the policy grants kms:GenerateDataKey rather than kms:Encrypt, and GenerateDataKey is what S3 needs for SSE-KMS uploads.
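An added example of a KMS key policy using the `kms:ViaService` condition the explanation refers to; it is not the exhibit from the question. The account ID `111122223333` and the role ARN are placeholders. The first statement is the usual administrative statement for the key's own account; the second grants the DataAccess role only Decrypt and GenerateDataKey, and only when the request is made through S3 in us-east-1, so a direct `kms:Decrypt` call from the instance, or S3 access to the key from another region, is refused.

```json
{
  "Version": "2012-10-17",
  "Id": "data-access-key-policy",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowDataAccessRoleViaS3InUsEast1Only",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/DataAccess"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

When reviewing a key policy like this, check the `kms:ViaService` value against the region the bucket actually lives in: the condition is an exact string match, so a bucket in us-west-2 would fail with AccessDenied even though the role appears in the policy.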

1432
MCQ · hard

This SCP is attached to an organizational unit (OU). A developer in an account within the OU tries to launch a t2.small instance. What is the outcome?

A.The launch fails because the SCP denies all RunInstances actions.
B.The launch succeeds because the SCP allows t2.micro only.
C.The launch fails because the SCP denies non-t2.micro instances.
D.The launch succeeds because SCPs do not apply to developers.
Answer: C

Correct: t2.small is denied.

Why this answer

Option C is correct because the SCP denies ec2:RunInstances when the requested instance type is not t2.micro. Since t2.small is not t2.micro, the condition matches and the action is denied.

Option A is wrong because the deny is conditional on the instance type and applies to the instance resource, not to every RunInstances call. Option B is wrong because the condition is met, so the launch is denied rather than allowed. Option D is wrong because SCPs apply to all principals in the affected accounts.
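An added example of an SCP with the effect described, not the exhibit from the question. Because SCPs only ever restrict, the statement denies `ec2:RunInstances` on the instance resource whenever the requested `ec2:InstanceType` is anything other than t2.micro; a t2.small launch matches the condition and fails, while a t2.micro launch falls through to whatever the account's own IAM policies allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesOtherThanT2Micro",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
```

The resource is scoped to `instance/*` on purpose: RunInstances is authorized against several resource types (instance, image, subnet, security group, volume), and the `ec2:InstanceType` key is only present for the instance resource, so scoping the Deny that way keeps the condition meaningful.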

1433
MCQ · hard

An IAM user reports that they are unable to launch an EC2 instance in a specific VPC. The user has an IAM policy that allows ec2:RunInstances for all resources. The VPC has a network ACL that allows all inbound and outbound traffic. What is the most likely cause of the failure?

A.The IAM policy does not grant permission to use the VPC.
B.The security group associated with the instance is blocking the launch.
C.The IAM policy does not grant permission to use the subnet.
D.The network ACL is blocking the launch request.
Answer: C

Launching an instance requires permission for the subnet resource, and the policy may not include it.

Why this answer

Option C is correct because the user must specify a subnet when launching an instance, and ec2:RunInstances is authorized against the subnet resource as well; if the policy carries a condition that excludes that subnet, the launch fails. The most likely cause is therefore that the user lacks permission to use the subnet resource. Option A is wrong because the VPC itself is not a resource that requires IAM permission for the launch; the instance is launched into a subnet.

Option B is wrong because security groups do not affect the ability to launch instances. Option D is wrong because network ACLs do not affect the ability to launch instances.

1434
Multi-Select · medium

A company wants to ensure that all Amazon S3 buckets are encrypted at rest. Which THREE services can be used together to automatically remediate unencrypted S3 buckets?

Select 3 answers
A.Amazon S3 default encryption
B.AWS CloudTrail
C.Amazon EventBridge
D.AWS Config
E.AWS Lambda
Answers: C, D, E

EventBridge can route Config compliance changes to trigger remediation.

Why this answer

Options C, D, and E are correct. AWS Config can detect unencrypted buckets (D), Amazon EventBridge can route the compliance change to a remediation action (C), and AWS Lambda can execute the remediation (E). Option A is wrong because S3 default encryption is a per-bucket setting and does not by itself remediate other buckets.

Option B is wrong because CloudTrail is for auditing, not remediation.

1435
Multi-Select · hard

A security engineer is designing a VPC with public and private subnets. The application must be able to send outbound traffic to the internet, but inbound traffic from the internet must be blocked except for a single HTTP load balancer. The application also needs to access an S3 bucket in the same AWS region. Which combination of VPC components meets these requirements? (Choose two.)

Select 2 answers
A.S3 Interface Endpoint in the VPC
B.VPC Peering to a shared services VPC
C.NAT Gateway in a public subnet
D.Internet Gateway attached to the VPC
E.S3 Gateway Endpoint in the VPC
Answers: C, E

Allows outbound internet access for EC2 instances in private subnets.

Why this answer

Option C (NAT Gateway in a public subnet) allows outbound internet access from the private subnets. Option E (S3 Gateway Endpoint) provides private access to S3. Option D is wrong because an Internet Gateway alone would allow inbound traffic.

Option B is wrong because VPC Peering is not needed. Option A is wrong because a VPC Endpoint (Interface) for S3 is not supported; S3 uses a Gateway Endpoint.

1436
MCQ · hard

Refer to the exhibit. A security engineer runs the command above. Which of the following is true about the role MyRole?

A.The role has a resource-based policy attached
B.The role can be assumed by any IAM user in account 123456789012
C.The role can be assumed by any AWS service
D.The role can be assumed by EC2 instances
Answer: D

The trust policy grants sts:AssumeRole to the EC2 service.

Why this answer

The command `aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=MyRole` attaches an IAM instance profile to an EC2 instance. An instance profile is a container for an IAM role that enables EC2 instances to assume that role and obtain temporary credentials via the EC2 metadata service. Therefore, the role MyRole can be assumed by EC2 instances when associated through an instance profile.

Exam trap

The exam often tests the distinction between an IAM role's trust policy (who can assume it) and the instance profile (the mechanism for EC2 to use the role), leading candidates to incorrectly assume that any AWS service can assume the role or that the role has a resource-based policy attached.

How to eliminate wrong answers

Option A is wrong because a resource-based policy is attached to a resource (e.g., an S3 bucket or KMS key), not to an IAM role; IAM roles use trust policies (a type of resource-based policy for the role entity itself) but the exhibit shows an EC2 instance profile association, not a resource-based policy attachment. Option B is wrong because the trust policy of the role must explicitly grant the `sts:AssumeRole` action to the IAM user or account; the exhibit does not show any such trust policy, and simply having an instance profile does not allow any IAM user to assume the role. Option C is wrong because AWS services assume roles via service-linked roles or trust policies that specify the service principal; the exhibit only shows an EC2 instance profile association, which is specific to EC2, and does not grant assumption by any arbitrary AWS service.

1437
MCQ · hard

A security engineer notices that an IAM user has permissions to create new IAM users and attach policies. What is the most effective way to detect if this user created a backdoor user?

A.Review S3 access logs for any PutObject calls from the IAM user.
B.Use IAM Access Analyzer to review all IAM policies for potential backdoor access.
C.Configure an AWS Config rule to check for IAM users with administrative policies.
D.Enable AWS CloudTrail and monitor IAM events using Amazon CloudWatch Logs and create a metric filter for CreateUser and AttachUserPolicy events.
Answer: D

CloudTrail records all IAM API calls, allowing detection of unauthorized actions.

Why this answer

Option D is correct because AWS CloudTrail logs all IAM API calls, and a CloudWatch Logs metric filter on CreateUser and AttachUserPolicy events enables detection of user creation and policy attachment. Option B is wrong because IAM Access Analyzer focuses on resource policies, not user actions. Option C is wrong because AWS Config rules evaluate resource configurations, not API calls.

Option A is wrong because S3 server access logs track object-level access, not IAM actions.

1438
MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team notices that some PutObject API calls are not appearing in the CloudTrail logs. The S3 bucket in question has server access logging enabled. What is the MOST likely reason for the missing CloudTrail events?

A.CloudTrail was not configured to log data events for S3.
B.Server access logs are interfering with CloudTrail.
C.The PutObject calls were made via the AWS Management Console.
D.The S3 bucket policy denies CloudTrail from logging.
Answer: A

Data events (like PutObject) are not logged by default; they require explicit configuration in the trail.

Why this answer

Option A is correct because CloudTrail data events for S3 must be explicitly enabled; by default, only management events are logged. Option B is wrong because server access logs are separate from CloudTrail. Option C is wrong because S3 events are logged regardless of whether the request is from the console or CLI.

Option D is wrong because the bucket policy does not affect CloudTrail logging; CloudTrail logs all API calls that it is configured to log.

1439
MCQ · medium

A security analyst needs to review all failed SSH login attempts to an EC2 instance. Which combination will provide this information?

A.Use AWS Config to record EC2 instance configuration and check for security group changes.
B.Install the CloudWatch agent on the EC2 instance to collect /var/log/secure and stream to CloudWatch Logs.
C.Enable AWS CloudTrail and search for EC2-related events.
D.Enable VPC Flow Logs for the subnet and query the logs in CloudWatch Logs Insights for rejected traffic on port 22.
Answer: D

VPC Flow Logs capture metadata of network traffic, including rejected connections; SSH login failures typically show as rejected TCP connections on port 22.

Why this answer

Option D is correct because VPC Flow Logs capture network traffic metadata, including destination port and action (accept/reject), and CloudWatch Logs Insights can query for SSH traffic (port 22) that was rejected. Option C is incorrect because CloudTrail logs API calls, not OS-level login attempts. Option B is incorrect because the CloudWatch agent can collect OS logs but is not the simplest way; VPC Flow Logs are more straightforward.

Option A is incorrect because Config does not monitor OS logs.

1440
MCQ · medium

A security engineer needs to monitor for AWS account root user login events and automatically send a notification to the security team. The engineer has enabled CloudTrail and is sending logs to CloudWatch Logs. What is the least effort way to achieve this?

A.Enable Amazon GuardDuty and use its finding for root user activity.
B.Create a metric filter on the CloudWatch Logs group and a CloudWatch alarm.
C.Create a CloudWatch Events rule that matches the event and triggers an SNS topic.
D.Use AWS Config managed rule to detect root user activity.
Answer: C

EventBridge can directly match events and send to SNS.

Why this answer

Option C is correct because CloudWatch Events (now EventBridge) can match root user login events (userIdentity.type = Root) and trigger an SNS topic for notification. Option B is wrong because a metric filter and alarm would require additional steps. Option D is wrong because Config is for resource configuration, not API call monitoring.

Option A is wrong because GuardDuty does not alert on root user login by default.

1441
MCQ · hard

A security engineer reviews the above IAM policy attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' when connected from the office network (IP range 10.0.0.0/16). What is the most likely cause?

A.The bucket policy overrides the IAM policy
B.The policy does not allow the s3:GetObject action
C.The source IP condition does not match the user's actual IP address
D.The user is not assuming the correct IAM role
Answer: C

The condition requires the request to come from 10.0.0.0/16, but the user's IP might be different.

Why this answer

Option C is correct because the policy grants access based on the source IP of the request. The IAM user's credentials are valid, but the actual source IP of the request must match the condition. Option B is wrong because the policy allows s3:GetObject.

Option D is wrong because the policy does not require a specific IAM role. Option A is wrong because no bucket policy is shown; the IAM policy is the issue.
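An added example, not the exhibit, of an IAM policy shaped like the one the question describes; `example-bucket` comes from the question and the Sid is a placeholder. A caveat worth knowing when reading this condition: `aws:SourceIp` is the address AWS sees at its public S3 endpoint, so 10.0.0.0/16, a private RFC 1918 range, will not match a request that leaves the office through a NAT with a public address, and for requests that reach S3 through a VPC endpoint the key is absent and `aws:VpcSourceIp` is the one to use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObjectFromOfficeRangeOnly",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

When a user reports this kind of failure, the quickest confirmation is the `sourceIPAddress` field of the denied GetObject event in CloudTrail (a data event, so the trail must log S3 data events) compared against the CIDR in the condition.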

1442
MCQ · medium

A security engineer is tasked with ensuring that all data stored in an RDS DB instance is encrypted at rest. The database is already running and contains data. What should the engineer do?

A.Change the KMS key associated with the DB instance
B.Modify the DB instance to use an encrypted storage type
C.Create a snapshot of the DB instance, copy it with encryption, and restore the encrypted snapshot
D.Enable encryption at rest in the RDS console for the existing DB instance
Answer: C

This is the recommended method to enable encryption on an existing DB instance.

Why this answer

RDS does not support enabling encryption at rest on an existing DB instance. The correct approach is to create a snapshot, copy it with encryption, and restore the encrypted snapshot. Option C is correct.

Option D is incorrect because encryption cannot be enabled directly on the existing instance. Option B is incorrect because modifying the DB instance's storage type does not add encryption. Option A is incorrect because changing the KMS key does not enable encryption.

1443
MCQ · medium

A company needs to centralize security logs from multiple AWS accounts and on-premises servers. The logs must be encrypted at rest and stored in a cost-effective manner. Which solution meets these requirements?

A.Use Amazon S3 Glacier with Vault Lock
B.Use Amazon S3 with server-side encryption (SSE-S3)
C.Use Amazon Kinesis Data Firehose to deliver logs to Amazon Redshift
D.Use Amazon CloudWatch Logs with KMS encryption
Answer: B

S3 provides cost-effective encrypted storage.

Why this answer

Amazon S3 with SSE-S3 provides cost-effective encrypted storage. CloudWatch Logs is more expensive. Kinesis Firehose can deliver to S3 but adds cost.

Glacier is for archival, not active logging.

1444
MCQ · easy

A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

A.Use Route 53 Resolver DNS Firewall with query logging
B.Use Amazon GuardDuty
C.Enable VPC Flow Logs
D.Enable AWS CloudTrail
Answer: A

DNS Firewall can log DNS queries for VPCs.

Why this answer

Route 53 Resolver DNS Firewall with query logging is the correct choice because it is specifically designed to log all DNS queries made by EC2 instances that use the Route 53 Resolver. This service captures the domain names being queried, the source IP, and the response, enabling detection of DNS-based data exfiltration (e.g., DNS tunneling). It integrates directly with the VPC's DNS resolver, ensuring all outbound DNS traffic from EC2 instances is logged without additional agents.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which show IP-level metadata) with DNS query logs, not realizing that DNS exfiltration requires the actual domain names being queried, which only DNS-specific logging provides.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs from Route 53 Resolver DNS Firewall or other sources, but it does not itself capture or log raw DNS queries; it relies on existing logs. Option C is wrong because VPC Flow Logs capture metadata about IP traffic (source/destination IP, ports, protocol) but do not log the actual DNS query names or payloads, making them insufficient for detecting DNS exfiltration. Option D is wrong because AWS CloudTrail logs API calls to AWS services (e.g., Route 53 API calls) but does not capture the DNS queries made by EC2 instances to external domains.

1445
MCQ · medium

A company wants to enforce that all IAM users in an AWS account must have multi-factor authentication (MFA) enabled. Which AWS service can be used to automatically detect and remediate non-compliant users?

A.AWS Trusted Advisor
B.AWS IAM Access Analyzer
C.AWS CloudTrail
D.AWS Config
Answer: D

Config provides managed rules for IAM user MFA and can trigger automatic remediation.

Why this answer

AWS Config can evaluate IAM user MFA status using a managed rule (iam-user-mfa-enabled) and trigger automatic remediation via Systems Manager Automation or Lambda.

1446
MCQ · medium

A company needs to encrypt data at rest in Amazon Redshift. They want to use an AWS KMS customer managed key. What is the correct procedure to enable encryption for an existing Redshift cluster?

A.Enable encryption using the Redshift console by selecting the KMS key.
B.Use the AWS CLI command 'aws redshift modify-cluster' with --encrypted flag.
C.Modify the cluster and enable encryption with the KMS key.
D.Take a snapshot of the cluster, restore it to a new cluster with encryption enabled, and point applications to the new cluster.
Answer: D

Snapshots can be restored to encrypted clusters.

Why this answer

Amazon Redshift does not support enabling encryption on an existing cluster directly. The only way to transition an unencrypted cluster to an encrypted one is to take a snapshot of the cluster, restore it to a new cluster with encryption enabled using a KMS customer managed key, and then redirect applications to the new cluster. This is because encryption settings are immutable after cluster creation.

Exam trap

The trap here is that candidates assume encryption can be toggled on an existing cluster via console or CLI commands, similar to services like RDS or EBS, but Redshift enforces encryption as a cluster-level immutable property.

How to eliminate wrong answers

Option A is wrong because the Redshift console does not allow enabling encryption on an existing cluster; encryption can only be specified at cluster creation or during a restore from snapshot. Option B is wrong because the 'aws redshift modify-cluster' command does not support the --encrypted flag; encryption cannot be modified on a running cluster. Option C is wrong because modifying the cluster to enable encryption with a KMS key is not a supported operation; encryption settings are immutable after creation.

1447
MCQ · medium

A security engineer is investigating a potential compromise. An EC2 instance running Amazon Linux 2 is sending outbound traffic to a known malicious IP address. The engineer needs to capture the network traffic for analysis without alerting the attacker. Which solution meets these requirements?

A.Enable VPC Flow Logs on the ENI and stream to Amazon S3 for analysis.
B.Attach a security group to the instance that logs all traffic to CloudWatch Logs.
C.Use VPC Traffic Mirroring to mirror the EC2 instance's ENI traffic to a monitoring appliance in a separate VPC.
D.Enable AWS Network Firewall on the VPC and configure a rule to log all traffic to the malicious IP.
Answer: C

VPC Traffic Mirroring copies traffic at the ENI level without inline inspection, enabling passive capture for analysis without alerting the attacker.

Why this answer

Option C is correct because VPC Traffic Mirroring captures all network traffic at the packet level from the EC2 instance's Elastic Network Interface (ENI) and forwards it to a monitoring appliance without any inline processing or modification of the traffic. This allows the security engineer to perform deep packet analysis while remaining completely transparent to the attacker, as the mirrored traffic is a copy and does not affect the original flow. Unlike other options, Traffic Mirroring provides full packet capture (including headers and payloads) for forensic analysis, which is essential for investigating a compromise.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which only provide metadata) with full packet capture, or assume that security groups or Network Firewall can log traffic passively, when in fact they are active security controls that could interfere with the attacker's activities.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture only metadata (source/destination IP, ports, protocol, packet/byte counts) and not the actual packet payloads, so they cannot provide the deep packet analysis needed for investigating a compromise. Option B is wrong because security groups are stateful firewalls that filter traffic at the instance level and do not have a logging capability to CloudWatch Logs; they only allow or deny traffic based on rules, and any logging would require additional agent-based solutions. Option D is wrong because AWS Network Firewall is a managed firewall service that inspects and potentially modifies traffic inline, which could alert the attacker by dropping or altering packets, and it does not provide passive packet capture for analysis.

1448
Multi-Select · easy

A security engineer is designing a data protection strategy for an S3 bucket that contains sensitive data. The data must be encrypted at rest and the key material must be stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 validated. Which TWO services can be used to meet these requirements?

Select 2 answers
A.S3 server-side encryption with customer-provided keys (SSE-C)
B.S3 server-side encryption with S3 managed keys (SSE-S3)
C.AWS CloudHSM
D.AWS KMS with custom key store backed by CloudHSM
E.AWS KMS with default key store
Answers: C, D

CloudHSM provides dedicated HSMs that are FIPS 140-2 Level 3 validated.

Why this answer

Options C and D are correct. AWS CloudHSM provides dedicated HSMs with FIPS 140-2 Level 3 validation. AWS KMS with a custom key store backed by CloudHSM allows KMS to use keys held in those CloudHSM instances.

Option E is incorrect because default KMS keys are not backed by dedicated HSMs with Level 3. Option B is incorrect because SSE-S3 uses S3-managed keys, not an HSM. Option A is incorrect because SSE-C uses customer-provided keys, not an HSM.

1449
MCQ · hard

A security team needs to enforce that all EC2 instances launched in a specific AWS account use only approved AMIs. Which combination of services can enforce this requirement?

A.Use IAM policies to restrict ec2:RunInstances to only approved AMIs
B.Use AWS Service Catalog with a product that launches approved AMIs
C.Use an AWS Config rule to check AMI compliance and a service control policy (SCP) to deny noncompliant launches
D.Use AWS CloudTrail to log all EC2 launches and alert on noncompliant AMIs
Answer: C

Config evaluates, SCP denies the action.

Why this answer

AWS Config rules can evaluate launched instances, and SCPs can deny noncompliant launches. Option C is correct. Option B (Service Catalog) is wrong because it only governs launches made through its products and enforces nothing for direct EC2 RunInstances calls.

Option D (CloudTrail) only logs launches. Option A (IAM) cannot restrict based on AMI ID directly.

1450
Multi-Select · hard

A company is using AWS Key Management Service (KMS) with a customer managed key. The security team needs to ensure that the key can be rotated automatically every year. Which TWO steps are required?

Select 2 answers
A.Enable AWS CloudTrail for the KMS key.
B.Enable automatic key rotation in the KMS console or API.
C.Ensure the key material is generated by AWS KMS, not imported.
D.Grant the KMS service principal permission to rotate the key.
E.Create the key as a customer managed key (CMK).
Answers: B, E

This enables yearly rotation.

Why this answer

The correct answers are B and E. Option B: automatic key rotation is enabled on the KMS key through the console or API. Option E: the key must be a customer managed key because automatic rotation is not available for AWS managed keys.

Option D: IAM permissions are not required for rotation. Option C: imported key material cannot be automatically rotated. Option A: CloudTrail logging is not a prerequisite for rotation.

1451
MCQ · medium

Refer to the exhibit. An administrator applies this bucket policy to an S3 bucket. Which of the following statements describes the effect of this policy?

A.The policy denies all PutObject requests that do not specify SSE-KMS.
B.The policy allows uploads without encryption but denies uploads with SSE-KMS.
C.The policy allows unencrypted uploads but denies uploads with SSE-KMS.
D.The policy allows uploads with SSE-S3 but denies uploads with SSE-KMS.
AnswerA

Both statements ensure that only SSE-KMS uploads succeed.

Why this answer

Option A is correct. The first statement denies PutObject if the encryption header is not 'aws:kms'. The second statement denies PutObject if the encryption header is null (absent).

Together, they enforce that all uploads must use SSE-KMS. Option B is wrong because the policy does not allow unencrypted uploads. Option D is wrong because the policy does not allow SSE-S3.

Option C is wrong because the policy does not allow uploads with no encryption.

1452
MCQ (hard)

A company's security team needs to enforce encryption at rest for all RDS instances in the production account. They have enabled mandatory encryption using a service control policy. What else must be done to ensure existing unencrypted RDS instances are encrypted?

A.Attach a new KMS key policy to the RDS instance.
B.Create a snapshot of the unencrypted instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
C.Enable encryption on the DB subnet group and reboot the instance.
D.Modify the RDS instance to enable encryption using the AWS Console.
AnswerB

This is the standard procedure to migrate to encrypted RDS.

Why this answer

Option B is correct because RDS does not support encrypting an existing unencrypted instance in place; you must create a snapshot, copy it with encryption enabled, and restore it. Option D is incorrect because you cannot enable encryption on an existing instance. Option C is incorrect because enabling encryption on the DB subnet group does not affect existing instances.

Option A is incorrect because you must use a snapshot copy.

1453
MCQ (hard)

A healthcare company runs a HIPAA-compliant application on AWS. The application uses Amazon S3 to store Protected Health Information (PHI). The company has implemented the following controls: (1) All S3 buckets are configured with default encryption using SSE-S3. (2) Bucket policies restrict access to only authorized IAM roles. (3) S3 access logs are enabled and sent to a centralized logging account. (4) MFA Delete is enabled on all buckets. (5) Object lock is not enabled. Recently, an internal auditor discovered that when an authorized user deletes an object, the object is permanently deleted and cannot be recovered. The company's data retention policy requires that deleted PHI be recoverable for at least 30 days after deletion. A review of the IAM policies shows that users have s3:DeleteObject permission. The auditor also notes that the bucket versioning is not enabled. The security team needs to implement a solution that allows authorized users to delete objects but ensures that deleted objects can be recovered within 30 days. Which of the following is the MOST effective course of action?

A.Enable S3 Object Lock in Governance mode with a retention period of 30 days.
B.Enable S3 Versioning on the buckets and ensure that the IAM policies include s3:DeleteObjectVersion where appropriate.
C.Remove the s3:DeleteObject permission from all IAM policies and use S3 Lifecycle policies to expire objects after 30 days.
D.Change the default encryption from SSE-S3 to SSE-C and use a separate key for each object.
AnswerB

Versioning allows recovery of deleted objects via delete markers or version restoration.

Why this answer

Enabling S3 Versioning is the most effective solution because it preserves all object versions, including deleted objects (which become delete markers). With versioning enabled, authorized users can still use s3:DeleteObject to delete the current version, but the previous versions remain recoverable. Since the requirement is to recover deleted PHI within 30 days, versioning combined with a lifecycle policy to permanently delete old versions after 30 days would meet the retention policy without blocking immediate deletion.

Exam trap

The trap here is that candidates may think S3 Object Lock (Option A) is the only way to prevent deletion, but they overlook that versioning allows deletion with recoverability, which directly satisfies the requirement for authorized users to delete objects while retaining the ability to recover them within 30 days.

How to eliminate wrong answers

Option A is wrong because S3 Object Lock in Governance mode prevents any deletion (including overwrites) until the retention period expires, which conflicts with the requirement that authorized users can delete objects immediately. Option C is wrong because removing s3:DeleteObject permission and relying solely on lifecycle policies would prevent users from deleting objects on demand, violating the requirement that authorized users can delete objects. Option D is wrong because changing encryption to SSE-C has no effect on object deletion or recovery; encryption protects data at rest but does not provide versioning or retention capabilities.

1454
MCQ (medium)

Refer to the exhibit. A security engineer applies this S3 bucket policy to enforce server-side encryption. However, users report that they can still upload objects without encryption. What is the most likely reason the policy is not working as intended?

A.The bucket policy does not apply to objects uploaded by the bucket owner when using the AWS Management Console.
B.The bucket policy uses 'Deny' instead of 'Allow', which is incorrect for enforcing encryption.
C.The policy does not include 's3:PutObjectAcl' action, so users can bypass encryption via ACLs.
D.The 's3:x-amz-server-side-encryption' condition key is misspelled; it should be 's3:x-amz-server-side-encryption-customer-algorithm'.
AnswerA

Bucket policies do not apply to the bucket owner's AWS account root user or when using the console if the user has full S3 permissions; the policy is overridden by IAM permissions.

Why this answer

S3 bucket policies are not evaluated for requests made by the AWS account root user or by IAM users with full S3 access when using the console; they rely on IAM permissions. To enforce encryption, use an IAM policy or S3 default encryption.

1455
MCQ (medium)

A security engineer notices that an Amazon EC2 instance is sending suspicious outbound traffic to an unknown IP address. The instance is part of an Auto Scaling group. The engineer needs to immediately stop the traffic without affecting the availability of the application. What should the engineer do?

A.Add a network ACL rule to deny outbound traffic to the suspicious IP address.
B.Terminate the instance immediately.
C.Update the security group attached to the instance to deny outbound traffic to the suspicious IP address.
D.Detach the instance from the Auto Scaling group.
AnswerC

Security group rules are stateful; adding a deny rule for the specific IP will block the traffic immediately.

Why this answer

Option C is correct because modifying the security group to deny outbound traffic to the specific IP is immediate and reversible. Option B is wrong because terminating the instance would affect availability. Option A is wrong because a NACL would affect all instances in the subnet.

Option D is wrong because detaching the instance from the ASG does not stop the traffic.

1456
Multi-Select (medium)

A security engineer is auditing IAM policies. The engineer wants to identify if any policy grants 'Effect: Allow' with 'Action: *' and 'Resource: *'. Which TWO AWS services can be used to detect such overly permissive policies?

Select 2 answers
A.AWS CloudTrail
B.AWS Trusted Advisor
C.AWS Config
D.IAM Access Analyzer
E.Amazon GuardDuty
AnswersC, D

Config can use custom rules to evaluate IAM policies.

Why this answer

IAM Access Analyzer (Option D) can analyze policies for broad permissions. AWS Config (Option C) can evaluate custom rules to check for such policies. Option A (CloudTrail) logs usage, not policy content.

Option E (GuardDuty) does not analyze IAM policies. Option B (Trusted Advisor) checks some but not all policies.

1457
Multi-Select (medium)

A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)

Select 2 answers
A.Apply a restrictive security group that blocks all outbound traffic.
B.Modify the network ACL for the subnet to deny all outbound traffic.
C.Create a snapshot of the EBS volumes attached to the EC2 instance.
D.Detach the instance from the Auto Scaling group.
E.Terminate the EC2 instance immediately.
AnswersA, C

This isolates the instance by preventing outbound connections while allowing forensic access via inbound rules if needed.

Why this answer

Option A is correct because applying a restrictive security group that blocks all outbound traffic immediately stops the EC2 instance from sending any network packets, including DDoS traffic, without terminating the instance. This preserves the running state and allows forensic data collection from the instance's memory and disk. Security groups act as a stateful virtual firewall at the instance level, so blocking outbound traffic effectively isolates the instance from the network.

Exam trap

The trap here is that candidates often confuse network ACLs with security groups, thinking a subnet-level NACL change is equivalent to instance-level isolation, but NACLs affect all instances in the subnet and are stateless, making them unsuitable for targeted incident response.

1458
Multi-Select (easy)

A company wants to allow only specific IP addresses to access an S3 bucket. Which two methods can achieve this? (Choose TWO.)

Select 2 answers
A.Use an IAM policy with a condition that limits access to specific IP addresses.
B.Configure a network ACL on the subnet that blocks traffic from all but specific IPs.
C.Enable VPC Flow Logs to filter traffic from specific IPs.
D.Attach a security group to the S3 bucket that allows traffic only from specific IPs.
E.Use an S3 bucket policy with a condition that limits access to specific IP addresses.
AnswersA, E

IAM policies can also use aws:SourceIp condition.

Why this answer

Options A and E are correct. S3 bucket policies support the aws:SourceIp condition to restrict access based on IP addresses. Bucket policies can also be combined with IAM policies.

Option D is wrong because security groups cannot be attached to S3. Option B is wrong because network ACLs cannot be attached to S3. Option C is wrong because VPC Flow Logs only monitor traffic.

1459
MCQ (medium)

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy configuration should be used?

A.Use an S3 access point policy to restrict access
B.Attach an IAM policy to the role that allows kms:Decrypt with a condition on the source IP
C.Create a KMS grant for the IAM role with Decrypt permission
D.Add a bucket policy with a condition that the kms:ViaService is s3.amazonaws.com
AnswerD

This condition ensures decryption requests go through S3, and the IAM role can be the principal.

Why this answer

Option D (S3 bucket policy with a condition that requires the kms:ViaService condition key) is correct because it restricts decryption to requests coming through S3. Option C is wrong because a KMS grant is not the best practice for this scenario. Option B is wrong because a KMS key policy alone cannot restrict based on the IAM role's source IP.

Option A is wrong because S3 bucket policies themselves can include conditions referencing KMS keys.

1460
MCQ (easy)

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

A.The instance is participating in a DDoS attack against the external IP.
B.An EC2 instance is attempting to connect to an external host on port 3389 (RDP).
C.An external host is scanning the internal network on port 443.
D.The security group allows inbound RDP from 0.0.0.0/0.
AnswerB

Outbound RDP traffic from an internal instance is suspicious and may indicate data exfiltration or a compromised machine.

Why this answer

The VPC Flow Logs entry shows outbound traffic from an internal IP to an external IP on destination port 3389, which is the default port for Remote Desktop Protocol (RDP). RDP outbound from an EC2 instance to an external host is a security concern because it could indicate an attacker using the instance as a pivot point to connect to an external command-and-control server or to exfiltrate data via an RDP tunnel. The log direction (src internal, dst external) and port 3389 specifically point to an outbound RDP attempt, not inbound scanning or DDoS.

Exam trap

The trap here is that candidates focus on the port number (3389) and assume it is about inbound RDP from the internet, but the flow direction (src internal, dst external) indicates outbound traffic, which is a different security concern related to egress filtering and potential command-and-control activity.

How to eliminate wrong answers

Option A is wrong because a single outbound RDP connection to an external IP does not indicate participation in a DDoS attack; DDoS attacks typically involve high-volume traffic (e.g., SYN floods, UDP floods) to many targets, not a single TCP connection on port 3389. Option C is wrong because the log shows traffic from an internal IP to an external IP (src internal, dst external), not an external host scanning the internal network; scanning would have the external IP as the source. Option D is wrong because the VPC Flow Logs entry does not contain any information about security group rules; it only shows the traffic flow, and the concern is the outbound RDP attempt, not inbound rules.

1461
MCQ (easy)

A company wants to ensure that all IAM users in an account have multi-factor authentication (MFA) enabled. A security administrator needs to identify users who do not have MFA. Which AWS service should the administrator use?

A.AWS CloudTrail
B.IAM Access Analyzer
C.IAM Credential Report
D.AWS Config
AnswerC

The credential report includes MFA status for all users.

Why this answer

The IAM credential report lists all IAM users and their MFA status, providing a quick way to identify users without MFA. Option B (IAM Access Analyzer) focuses on resource policies. Option A (CloudTrail) logs events.

Option D (AWS Config) can check compliance but requires a rule; the credential report is more direct.

1462
MCQ (hard)

A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

A.Create a custom AWS Config rule using a Lambda function that evaluates IAM groups
B.Use IAM Access Analyzer to identify policies that grant broad access
C.Use AWS CloudTrail Insights to detect CreateUser events
D.Enable AWS Config advanced query and run a query on IAM groups
AnswerA

Lambda-backed Config rules can evaluate unsupported resource types via API calls.

Why this answer

AWS Config managed rules do not support the AWS::IAM::Group resource type, so you cannot use a managed rule to evaluate inline policies on IAM groups. The best approach is to create a custom AWS Config rule backed by a Lambda function that can evaluate the IAM group's inline policies and trigger a compliance check when the group configuration changes. This allows you to detect any inline policy that contains the 'iam:CreateUser' action.

Exam trap

The trap here is that candidates assume AWS Config advanced queries can evaluate any resource type, but AWS Config only supports querying resource types that it records, and IAM groups are not recorded, making Option D ineffective.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is designed to identify resources shared with external entities, not to evaluate inline policies on IAM groups for specific actions like 'iam:CreateUser'. Option C is wrong because AWS CloudTrail Insights detects unusual API activity patterns, not the static configuration of IAM group policies; it would only alert after a CreateUser event occurs, not proactively detect the policy. Option D is wrong because AWS Config advanced queries can query resource configuration data, but they cannot evaluate inline policies on IAM groups since AWS Config does not support the AWS::IAM::Group resource type for configuration recording or querying.

1463
MCQ (easy)

A company is designing a new AWS account structure using AWS Organizations. The security team wants to restrict the use of specific AWS services across all member accounts. Which feature should they use?

A.AWS Single Sign-On (SSO)
B.AWS CloudTrail
C.AWS Identity and Access Management (IAM) cross-account roles
D.Service control policies (SCPs)
AnswerD

SCPs can restrict which AWS services can be used in member accounts.

Why this answer

Service control policies (SCPs) are the correct feature because they allow you to centrally restrict which AWS services and actions are permitted across all member accounts in an AWS Organization. SCPs act as a permission guardrail that applies to all IAM users, roles, and root users within the affected accounts, enabling the security team to enforce service restrictions without modifying individual account configurations.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM cross-account roles can enforce service restrictions, but SCPs are the only mechanism that applies globally across all users and roles in an AWS Organization.

How to eliminate wrong answers

Option A is wrong because AWS Single Sign-On (SSO) is a service for managing user access and authentication across multiple AWS accounts and applications, not for restricting service usage. Option B is wrong because AWS CloudTrail is a logging and monitoring service that records API activity, but it does not enforce or restrict which services can be used. Option C is wrong because IAM cross-account roles allow users in one account to assume roles in another account for access, but they do not provide a centralized mechanism to deny specific services across all accounts.

1464
MCQ (easy)

A company stores sensitive documents in an S3 bucket. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted using server-side encryption with AWS KMS. Which S3 bucket feature should be configured?

A.Default encryption
B.Versioning
C.Bucket policy
D.Lifecycle policy
AnswerA

Default encryption applies server-side encryption to all objects uploaded.

Why this answer

Option A is correct because the default encryption setting on an S3 bucket can enforce SSE-KMS. Option C is incorrect because bucket policies enforce access, not encryption. Option D is incorrect because lifecycle policies manage object lifecycle.

Option B is incorrect because versioning does not enforce encryption.

1465
MCQ (easy)

A security engineer is responsible for monitoring AWS account activity. The engineer needs to receive real-time notifications when specific API calls are made, such as 'DeleteTrail' or 'UpdateTrail'. The engineer wants to use AWS services to achieve this with minimal latency. Which combination of services should the engineer use?

A.CloudTrail -> Amazon EventBridge -> Amazon SNS
B.CloudTrail -> Amazon S3 -> S3 event notification -> AWS Lambda -> Amazon SNS
C.CloudTrail -> CloudWatch Logs -> CloudWatch Logs subscription filter -> AWS Lambda -> Amazon SNS
D.CloudTrail -> CloudWatch Logs -> CloudWatch metric filter -> CloudWatch alarm -> Amazon SNS
AnswerD

This architecture provides near real-time alerting based on API calls.

Why this answer

CloudTrail delivers events to CloudWatch Logs in near real-time. You can then create a CloudWatch Logs metric filter to match specific API calls and set up a CloudWatch alarm that triggers an SNS notification. This provides real-time alerts.

Option D is correct. Option A is wrong because EventBridge can directly receive CloudTrail events, but CloudTrail logs are not automatically sent to EventBridge; you need to set up a rule. Option C is wrong because CloudWatch Logs subscription filters are for streaming to other services, not for real-time alarms.

Option B is wrong because S3 event notifications are not real-time and are for object-level events.

1466
MCQ (medium)

An organization is using IAM roles for EC2 instances. The security team needs to ensure that each EC2 instance can only assume a specific role based on tags. Which feature should be used?

A.Service Control Policy (SCP)
B.IAM policy with 'aws:SourceIp' condition
C.IAM permissions boundary
D.Role trust policy with 'aws:ResourceTag' condition
AnswerD

The trust policy can use tags to restrict which EC2 instances can assume the role.

Why this answer

Option D is correct because the role trust policy can use the 'aws:ResourceTag' condition key to restrict which EC2 instances can assume the role based on the instance's tags. This ensures that only instances with specific tags (e.g., 'Environment=Production') are allowed to assume the IAM role, meeting the security team's requirement for tag-based role assumption.

Exam trap

The trap here is that candidates often confuse IAM permissions boundaries (which limit permissions) with trust policies (which control who can assume a role), leading them to select Option C instead of the correct trust policy condition.

How to eliminate wrong answers

Option A is wrong because Service Control Policies (SCPs) are used to set permission boundaries across accounts in an AWS Organization, not to control role assumption based on EC2 instance tags. Option B is wrong because 'aws:SourceIp' condition restricts access based on the source IP address, not on EC2 instance tags, and is irrelevant for instance-based role assumption. Option C is wrong because IAM permissions boundaries define the maximum permissions a role or user can have, but they do not control which EC2 instances can assume a role based on tags.

1467
MCQ (easy)

A company wants to host a static website in an Amazon S3 bucket. The bucket must be private and accessible only through an Amazon CloudFront distribution. Which configuration ensures that CloudFront can access the S3 bucket while blocking direct access via S3 URL?

A.Use CloudFront signed URLs and configure the bucket policy to allow access from CloudFront IP ranges
B.Enable S3 Block Public Access and configure CloudFront to use the bucket as an origin
C.Configure the bucket policy to allow s3:GetObject from the CloudFront service principal
D.Create an Origin Access Control (OAC) and update the bucket policy to allow access only to the CloudFront distribution
AnswerD

OAC ensures only CloudFront can access the bucket via a special principal.

Why this answer

Option D is correct because an Origin Access Control (OAC) allows CloudFront to access the bucket while blocking direct S3 access. Option C is wrong because a bucket policy allowing s3:GetObject from CloudFront's service principal is the older method (OAI), but OAC is the recommended approach. Option B is wrong because S3 Block Public Access would also block CloudFront if not properly configured.

Option A is wrong because CloudFront signed URLs are for end users, not for origin access.

1468
Multi-Select (medium)

A company wants to protect sensitive data in Amazon S3 from unauthorized access. Which TWO AWS services can be used to detect and alert on suspicious access patterns?

Select 2 answers
A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon GuardDuty
E.Amazon Macie
AnswersA, E

Logs S3 API calls for analysis.

Why this answer

Options A and E are correct. Amazon Macie uses machine learning to discover and protect sensitive data, and AWS CloudTrail logs API calls for monitoring. Option D is wrong because GuardDuty is for threat detection across accounts, not specifically for S3 data access.

Option B is wrong because Config is for compliance. Option C is wrong because CloudWatch Logs can store logs but cannot analyze access patterns without additional services.

1469
MCQ (easy)

A company is using Amazon S3 to store sensitive customer data. They need to ensure that data is encrypted at rest and that the encryption keys are managed by the company, not AWS. Which S3 encryption option should they use?

A.SSE-C
B.Client-side encryption
C.SSE-KMS
D.SSE-S3
AnswerA

SSE-C allows the customer to provide their own encryption keys, which are managed by the customer.

Why this answer

Option A is correct because SSE-C allows the customer to provide their own encryption keys and manage them. Option D is wrong because SSE-S3 uses AWS-managed keys. Option C is wrong because SSE-KMS uses AWS-managed KMS keys.

Option B is wrong because client-side encryption is not an S3 server-side encryption option.

1470
MCQ (medium)

A company uses AWS Organizations and wants to enforce that all S3 buckets created in any account within the organization have default encryption enabled. Which policy should be used?

A.Use a bucket policy on each bucket to enforce encryption
B.Use a service control policy (SCP) to deny creation of buckets without default encryption
C.Use an IAM policy to require encryption on all bucket creation actions
D.Use AWS Config rules to automatically enable encryption on new buckets
AnswerB

SCPs can enforce rules across all accounts in the organization.

Why this answer

Option B (SCP) is correct because it can be applied to all accounts to enforce the requirement. Option C is wrong because IAM policies are account-specific. Option D is wrong because service control policies do not configure resources.

Option A is wrong because a bucket policy is per bucket, not preventive.

1471
MCQ (medium)

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team requires that all encryption keys be automatically rotated every year. However, the current KMS key policy does not allow rotation. Which action should the security team take to meet the requirement?

A.Manually rotate the key by creating a new key and updating the S3 bucket policy.
B.Use an AWS managed key instead of a customer managed key.
C.Create a new customer managed key with imported key material and enable automatic rotation.
D.Enable automatic rotation on the existing customer managed key.
AnswerB

AWS managed keys are automatically rotated annually.

Why this answer

Option B is correct because AWS managed keys are automatically rotated annually; this does not apply to customer managed keys. Option C is wrong because customer managed keys do not support automatic rotation for imported key material; they require manual rotation. Option D is wrong because it suggests enabling automatic rotation for a customer managed key, but the key policy may still prevent it; also the question states the key policy does not allow rotation, so the correct approach is to use an AWS managed key or modify the policy.

Option A is wrong because KMS does not support automatic rotation for keys with imported key material.

1472
Multi-Select (medium)

A security engineer is configuring a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which TWO security group configurations should be used? (Choose TWO.)

Select 2 answers
A.Allow inbound SSH from 0.0.0.0/0 on the web tier security group.
B.Allow inbound HTTP/HTTPS from 0.0.0.0/0 on the web tier security group.
C.Allow inbound HTTP/HTTPS from the web tier security group on the database tier security group.
D.Allow inbound HTTP/HTTPS from the web tier security group on the application tier security group.
E.Allow inbound HTTP/HTTPS from the internet on the database tier security group.
AnswersB, D

Web tier needs to be publicly accessible.

Why this answer

Option B is correct because the web tier security group should allow HTTP/HTTPS from the internet. Option D is correct because the application tier security group should allow traffic from the web tier security group. Option C is wrong because the database tier should not allow traffic from the web tier.

Option A is wrong because the web tier should not allow SSH from the internet. Option E is wrong because the database tier should not allow traffic from the internet.

1473
MCQ (hard)

A company's Security team is using AWS Organizations with a consolidated billing account. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. Which combination of actions should the security team take? (Choose the best answer.)

A.Use AWS Config rules to detect when CloudTrail is disabled.
B.Create a new IAM policy that requires each account owner to enable CloudTrail.
C.Enable CloudTrail in the management account only and use cross-account logging.
D.Use an SCP to deny disabling CloudTrail and use CloudFormation StackSets to deploy CloudTrail in all accounts.
AnswerD

SCP prevents disabling, StackSets deploy automatically.

Why this answer

Option D is correct because using an SCP to deny disabling CloudTrail and a CloudFormation StackSet to deploy CloudTrail in each account ensures both enforcement and deployment. Option B is wrong because relying on individual account owners is not automated. Option C is wrong because enabling CloudTrail only in the management account does not cover member accounts.

Option A is wrong because Config rules do not prevent disabling of CloudTrail.

1474
Multi-Select (medium)

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

Select 2 answers
A.Configure the private subnet's security group to allow inbound traffic from 0.0.0.0/0.
B.Add a route in the private subnet's route table pointing to the NAT gateway.
C.Attach an internet gateway to the private subnet's route table.
D.Create a VPC gateway endpoint for Amazon S3.
E.Deploy a NAT gateway in a public subnet.
AnswersB, E

This routes outbound internet traffic through the NAT gateway.

Why this answer

Option B is correct because a NAT gateway, when deployed in a public subnet with an associated Elastic IP and a route to an internet gateway, allows instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. The private subnet's route table must include a default route (0.0.0.0/0) pointing to the NAT gateway's private IP address to forward outbound traffic through it.

Exam trap

The trap here is that candidates often confuse a NAT gateway with an internet gateway, mistakenly thinking that adding an internet gateway to a private subnet's route table provides outbound-only access, when in fact it enables bidirectional internet connectivity and requires public IPs on the instances.

1475
MCQ (hard)

During a security incident, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group and may be terminated. What is the MOST efficient way to capture the traffic without affecting the instance's performance?

A.Use VPC Traffic Mirroring to mirror the instance's network traffic.
B.Enable VPC Flow Logs for the subnet.
C.SSH into the instance and run tcpdump to capture packets.
D.Attach a Network Load Balancer in front of the instance.
AnswerA

Traffic Mirroring is agentless and does not affect the instance.

Why this answer

VPC Traffic Mirroring allows you to copy network traffic from an EC2 instance to a monitoring appliance without impacting the instance. Option C (tcpdump) is intrusive. Option B (VPC Flow Logs) captures metadata, not full packets.

Option D (Network Load Balancer) forwards traffic but is not designed for forensic capture.

1476
MCQeasy

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

A.Amazon CloudWatch Logs.
B.AWS CloudTrail.
C.VPC Flow Logs.
D.AWS Config.
AnswerB

CloudTrail records API calls for auditing.

Why this answer

Option B is correct because AWS CloudTrail records API calls, including changes to security group rules. Option A is wrong because CloudWatch Logs stores log data but does not record API calls. Option D is wrong because AWS Config records resource configuration changes but is not primarily for auditing API calls; CloudTrail is the correct service for API auditing.

Option C is wrong because VPC Flow Logs capture network traffic, not configuration changes.

1477
MCQmedium

A company has a requirement to log all network traffic flowing through a VPC, including traffic between EC2 instances within the same subnet. Which AWS service should be used?

A.VPC Flow Logs
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudTrail
AnswerA

VPC Flow Logs capture IP traffic information.

Why this answer

Option A is correct because VPC Flow Logs capture network traffic information at the VPC, subnet, or ENI level. Option D is wrong because CloudTrail logs API calls, not network traffic. Option C is wrong because AWS Config records resource configuration changes.

Option B is wrong because GuardDuty is a threat detection service that uses flow logs but does not log traffic itself.

1478
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

A.Apply a bucket policy on each bucket denying PutObject without encryption
B.Create an SCP at the root OU that denies s3:PutBucketAction without encryption
C.Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule
D.Attach an IAM policy to each account's admin user requiring encryption
AnswerB

SCPs can deny actions across all accounts in the organization.

Why this answer

Option B is correct because Service Control Policies (SCPs) at the root OU can deny the s3:PutBucketAction (which includes s3:PutBucketEncryption) unless the request includes encryption settings that use AWS KMS. This enforces encryption at the organizational level, overriding any account-level permissions, and ensures that all S3 buckets across all accounts are encrypted with KMS.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that bucket policies or IAM policies can enforce organization-wide encryption when they lack the scope or precedence to do so.

How to eliminate wrong answers

Option A is wrong because bucket policies are applied per bucket and cannot enforce encryption on buckets that already exist without encryption; they also require manual application to each bucket and do not prevent creation of unencrypted buckets. Option C is wrong because AWS Config rules are detective, not preventive—they can detect non-compliant buckets but cannot block the creation of unencrypted buckets. Option D is wrong because IAM policies attached to admin users can be overridden or bypassed by other users or roles with different permissions, and they do not apply to service-linked roles or cross-account access.

1479
MCQeasy

A security engineer needs to ensure that all data in transit between an Application Load Balancer and EC2 instances is encrypted using TLS. Which configuration is required?

A.Configure the ALB with an HTTPS listener and the target group with HTTPS protocol.
B.Configure the ALB with an HTTPS listener and the target group with HTTP protocol.
C.Configure the ALB with a TLS listener and the target group with TCP protocol.
D.Configure the ALB with a TCP listener and the target group with HTTP protocol.
AnswerA

HTTPS listener provides encryption to clients; target group HTTPS encrypts traffic to EC2 instances.

Why this answer

The ALB must have a listener with a secure listener protocol (HTTPS) and the target group must specify HTTPS as the protocol to enable encryption between the ALB and the EC2 instances. Option A is correct.

1480
MCQeasy

A company has an Amazon RDS for MySQL database in a private subnet. The security team wants to ensure that only an application server in the same VPC can connect to the database. Which security group configuration should be used?

A.Inbound rule on the RDS security group: allow MySQL on port 3306 from the VPC's CIDR.
B.Inbound rule on the RDS security group: allow MySQL on port 3306 from the subnet CIDR of the application server.
C.Inbound rule on the RDS security group: allow MySQL on port 3306 from the security group ID of the application server.
D.Inbound rule on the application server's security group: allow outbound MySQL to the RDS security group.
AnswerC

This restricts access to instances that are in the specified security group.

Why this answer

Option C is correct because referencing the application server's security group ID as the source in the inbound rule for MySQL (port 3306) on the RDS security group allows traffic only from instances that are members of that security group, regardless of their IP addresses. This is the most secure and precise method, as it automatically adapts to changes in the application server's IP (e.g., after scaling or replacement) and avoids opening the database to the entire subnet or VPC CIDR.

Exam trap

The trap here is that candidates often confuse inbound vs. outbound rules or mistakenly think that allowing a subnet CIDR is equivalent to allowing a specific instance, when in fact security group ID-based rules provide instance-level granularity and are the recommended approach for this use case.

How to eliminate wrong answers

Option A is wrong because allowing the VPC's CIDR on port 3306 would permit any resource in the VPC (including unauthorized instances, Lambda functions in the same VPC, or even compromised hosts) to connect to the database, violating the principle of least privilege. Option B is wrong because allowing the subnet CIDR of the application server still opens the database to all instances in that subnet, not just the specific application server, and does not protect against lateral movement within the subnet. Option D is wrong because it configures an outbound rule on the application server's security group, which controls traffic leaving the application server, not inbound access to the RDS instance; the RDS security group's inbound rules are what enforce which sources can connect to the database.

1481
MCQeasy

A company has an AWS account with multiple S3 buckets that contain sensitive data. The security team wants to ensure that no public access is granted to any bucket. The team has enabled AWS Config and set up a rule to detect public buckets. The rule reports that all buckets are compliant. However, during a security review, a team member finds that one bucket has a bucket policy that grants 's3:GetObject' to 'Principal': '*'. Why did the AWS Config rule not detect this?

A.AWS CloudTrail must be enabled for Config to evaluate policies.
B.The AWS Config rule only checks ACLs, not bucket policies.
C.The bucket is in a different AWS account.
D.IAM Access Analyzer must be enabled first.
AnswerB

Correct: The managed rule checks ACLs only.

Why this answer

Option B is correct. The AWS Config managed rule 's3-bucket-public-read-prohibited' checks for public read access via ACLs, not bucket policies. To detect public access via bucket policies, a custom rule is needed.

Option A is wrong because CloudTrail would log access, not detect compliance. Option C is wrong because SCPs are for Organizations. Option D is wrong because IAM Access Analyzer analyzes resource-based policies but does not enforce.

1482
MCQeasy

A company wants to ensure that all data in transit between its EC2 instances and an RDS database is encrypted. The instances and the database are in the same VPC. Which configuration step is necessary to achieve this?

A.Enable encryption at rest for the RDS instance using AWS KMS.
B.Set up a VPN connection between the EC2 instances and the RDS database.
C.Configure the security group for the RDS instance to enforce encryption.
D.Enable SSL/TLS on the RDS instance and configure the EC2 instances to connect using SSL.
AnswerD

SSL/TLS encrypts data in transit between client and database.

Why this answer

Option D is correct. To encrypt data in transit, you must enable SSL/TLS on the RDS instance and configure the client (EC2) to use SSL when connecting. Option C (enforcing encryption on the security group) is not a valid concept.

Option B (using a VPN) is unnecessary for intra-VPC traffic. Option A (enabling encryption at rest) does not cover transit encryption.

1483
Multi-Selecthard

Which THREE AWS services can be used to centrally manage security across multiple accounts? (Select THREE.)

Select 3 answers
A.AWS Config
B.AWS Shield
C.AWS CloudTrail
D.Amazon GuardDuty
E.AWS Organizations
AnswersA, C, E

Config can aggregate rules and compliance across accounts.

Why this answer

AWS Config is correct because it provides a centralized view of resource configurations and compliance across multiple accounts when integrated with AWS Organizations. By enabling Config in the management account and using aggregation authorizations, you can aggregate configuration and compliance data from all member accounts into a single administrator account, enabling centralized security governance.

Exam trap

The trap here is that candidates confuse services that aggregate findings (like GuardDuty with Organizations) with services that centrally manage security policies and configurations, leading them to select GuardDuty instead of recognizing that only AWS Config, AWS CloudTrail (for centralized logging), and AWS Organizations (for policy-based governance) provide true centralized management.

1484
Multi-Selectmedium

Which TWO actions should a security engineer take to protect root user credentials? (Select TWO.)

Select 2 answers
A.Use the root user only for billing
B.Share the root user credentials with the security team
C.Do not create access keys for the root user
D.Enable MFA on the root user account
E.Delete the root user account
AnswersC, D

Access keys increase risk.

Why this answer

Option C is correct because AWS strongly recommends that you do not create access keys for the root user. Access keys provide programmatic access to the AWS API, and if compromised, an attacker would have unrestricted access to all AWS resources and billing information. By not creating access keys, you eliminate this high-risk attack vector.

Exam trap

The trap here is that candidates often think the root user can be deleted or that using it only for billing is acceptable, but AWS explicitly prohibits deleting the root user and recommends using IAM users with billing permissions instead.

1485
MCQhard

During an incident investigation, a security analyst finds that an IAM user 'JohnDoe' has been using an access key that was last rotated over 2 years ago. The analyst needs to determine if this key has been compromised. Which approach provides the MOST definitive evidence?

A.Check the S3 access logs to see if the key was used to download sensitive data
B.Use AWS CloudTrail LookupEvents to find API calls made by the key, focusing on unusual IP addresses or times
C.Review the IAM password policy to see if the key was created before the current policy
D.Use AWS Config to see if the key's permissions have changed
AnswerB

CloudTrail logs provide detailed records of API calls, helping identify anomalous activity.

Why this answer

Option B is correct because AWS CloudTrail LookupEvents allows you to filter API calls by user identity (such as the access key ID) and examine attributes like source IP address, user agent, and timestamp. Unusual IP addresses or times of day are strong indicators of compromise, as they suggest the key is being used from locations or at hours inconsistent with the legitimate user's behavior. This provides the most definitive evidence because it directly correlates the key's usage with anomalous patterns, rather than relying on indirect indicators like data downloads or permission changes.

Exam trap

The trap here is that candidates assume S3 access logs (Option A) are the definitive source for detecting compromise, but they miss that CloudTrail provides a complete audit trail of all API calls, including those that don't involve S3 data access, making it the superior choice for identifying anomalous behavior.

How to eliminate wrong answers

Option A is wrong because S3 access logs only show object-level operations (e.g., GetObject, PutObject) and do not capture all API calls made by the key; a compromised key might be used for reconnaissance or other actions that don't involve downloading sensitive data, so absence of such logs does not rule out compromise. Option C is wrong because the IAM password policy governs user passwords, not access keys; access key rotation is managed independently via the IAM console or API, and the password policy has no bearing on whether a key is compromised. Option D is wrong because AWS Config tracks resource configuration changes over time, but a compromised key can be used without any permission changes—attackers often use existing permissions to exfiltrate data or perform actions, so unchanged permissions do not indicate the key is safe.

1486
MCQeasy

A security engineer needs to ensure that data at rest in an Amazon RDS for PostgreSQL DB instance is encrypted. Which action should the engineer take?

A.Grant the rds:ModifyDBInstance permission to allow encryption toggling.
B.Modify the existing unencrypted DB instance to enable encryption.
C.Enable encryption automatically by enabling automated backups.
D.Create a new DB instance with encryption enabled using the AWS CLI or Console.
AnswerD

RDS encryption must be enabled at creation time.

Why this answer

Option D is correct because RDS encryption at rest is enabled by specifying the --storage-encrypted flag during creation. Option B is wrong because encryption can only be enabled at creation time; existing unencrypted instances cannot be encrypted without migration. Option C is wrong because encryption at rest is not enabled by default.

Option A is wrong because encryption at rest is independent of IAM permissions on the instance.

1487
MCQeasy

An IAM user needs to rotate their own access keys. Which IAM policy action should be allowed?

A.iam:DeleteAccessKey
B.iam:UpdateAccessKey
C.iam:CreateAccessKey
D.iam:ChangePassword
AnswerB

Allows updating the status of an access key.

Why this answer

Option B is correct because iam:UpdateAccessKey is used to manage a user's own access keys. Option C is wrong because iam:CreateAccessKey creates a new key, but rotation involves updating. Option D is wrong because iam:ChangePassword is for passwords.

Option A is wrong because iam:DeleteAccessKey deletes a key.

1488
MCQeasy

A company wants to protect its Amazon EC2 instances from distributed denial-of-service (DDoS) attacks at the network layer. Which AWS service should be used?

A.Amazon CloudFront
B.Amazon GuardDuty
C.AWS Shield Advanced
D.AWS WAF
AnswerC

Provides advanced DDoS protection.

Why this answer

AWS Shield Advanced provides enhanced protections for Amazon EC2 instances against network-layer (Layer 3/4) DDoS attacks, such as SYN floods, UDP reflection attacks, and other volumetric attacks. It includes always-on traffic monitoring, automated mitigation, and access to the DDoS Response Team (DRT) for custom mitigations, making it the correct choice for network-layer DDoS protection.

Exam trap

The trap here is that candidates often confuse AWS WAF (Layer 7) with network-layer DDoS protection, or assume Amazon CloudFront's edge caching alone is sufficient for all DDoS types, but Shield Advanced is the specific service designed for comprehensive network-layer (Layer 3/4) DDoS mitigation.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that primarily protects against application-layer (Layer 7) attacks and provides edge-based DDoS mitigation, but it does not offer dedicated network-layer DDoS protection for EC2 instances directly. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, but it does not actively mitigate or block DDoS attacks at the network layer. Option D is wrong because AWS WAF is a web application firewall that operates at Layer 7 (HTTP/HTTPS) to filter malicious requests like SQL injection or cross-site scripting, and it cannot mitigate network-layer (Layer 3/4) attacks such as SYN floods or UDP amplification.

1489
MCQmedium

A company wants to automatically detect and notify about any S3 buckets that have public read access. Which combination of services should be used?

A.AWS CloudTrail and AWS Lambda
B.AWS Config and Amazon EventBridge
C.AWS IAM Access Analyzer and Amazon CloudWatch
D.AWS Trusted Advisor and Amazon SES
AnswerB

Config evaluates and sends events to EventBridge, which can trigger SNS.

Why this answer

AWS Config can evaluate S3 bucket public access using managed rules, and Amazon EventBridge can trigger notifications via SNS.

1490
MCQhard

A company manages a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all Amazon S3 buckets in the organization are encrypted with AWS KMS customer managed keys (CMKs) and that no unencrypted buckets can be created. They also want to ensure that the encryption settings cannot be changed by account administrators. The team uses AWS CloudTrail to log all S3 API calls and wants to detect any attempts to create unencrypted buckets. The security team creates a service control policy (SCP) that denies s3:PutBucketEncryption and s3:PutBucketPolicy unless the request includes a specific encryption setting. However, they find that a developer in a member account was able to create an unencrypted bucket using the AWS Management Console. The CloudTrail logs show that the bucket was created with the s3:CreateBucket API call without specifying any encryption parameters. What should the security team do to prevent this from happening?

A.Modify the SCP to deny s3:CreateBucket unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header.
B.Enable CloudTrail Insights to detect unusual S3 activity and create a CloudWatch alarm.
C.Attach an IAM permissions boundary to all IAM roles used by developers that denies s3:CreateBucket.
D.Enable S3 Block Public Access at the account level to prevent unencrypted bucket creation.
AnswerA

Correct – Denies creation of unencrypted buckets via SCP.

Why this answer

A: Correct – The SCP should deny s3:CreateBucket if the request does not include the x-amz-server-side-encryption-aws-kms-key-id header. This prevents creation of unencrypted buckets. B: Incorrect – CloudTrail is already logging; additional logging does not prevent the action.

C: Incorrect – An IAM permissions boundary does not override an SCP; the SCP should already prevent the action, but it was not effective because the SCP did not deny s3:CreateBucket without encryption. D: Incorrect – S3 Block Public Access does not enforce encryption.

1491
MCQhard

A company is migrating its on-premises log aggregation system to AWS. They have multiple applications running on EC2 instances that generate logs in JSON format. The security team needs a centralized logging solution that can ingest logs from all instances, store them durably, and allow real-time searching and alerting. The team also needs to retain logs for at least one year for compliance. The current plan is to use Amazon CloudWatch Logs for ingestion and search, but the team is concerned about the cost of long-term storage and the need for ad-hoc querying. Which solution meets the requirements with the LEAST operational overhead?

A.Send all logs to CloudWatch Logs and set a retention policy of one year.
B.Send logs directly to an S3 bucket and use Amazon Athena to query logs in real time.
C.Use the CloudWatch agent to send logs to CloudWatch Logs for real-time monitoring, then export logs to Amazon S3 daily, and use S3 lifecycle policies to expire logs after one year.
D.Send logs to Amazon OpenSearch Service (formerly Elasticsearch) with a one-year retention policy.
AnswerC

This provides real-time monitoring via CloudWatch Logs and cost-effective long-term storage in S3.

Why this answer

The correct answer is C. Sending logs to CloudWatch Logs for real-time monitoring and then exporting them to S3 for long-term, low-cost storage is a common pattern. S3 lifecycle policies can manage retention.

Option A is incorrect because CloudWatch Logs alone for one year would be expensive. Option B is incorrect because S3 alone does not provide real-time search capabilities. Option D is incorrect because Amazon OpenSearch Service could work but adds operational overhead for cluster management, and the requirement is least overhead.

1492
Multi-Selecteasy

A company wants to monitor unauthorized API calls in their AWS account. Which TWO AWS services can provide real-time alerting on such events?

Select 2 answers
A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
E.Amazon Inspector
AnswersB, C

CloudTrail logs all API calls, including those that return AccessDenied errors.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to the AWS environment, including unauthorized ones (e.g., AccessDenied errors). By configuring CloudTrail to deliver logs to Amazon CloudWatch Logs and setting up a metric filter with an alarm, you can receive real-time alerts when unauthorized API calls occur. This directly meets the requirement for monitoring and alerting on such events.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance alerts (which are not real-time and focus on resource drift) with CloudTrail's API-level event monitoring, or they mistakenly think GuardDuty is the only service for security alerts, but GuardDuty uses anomaly detection and threat intelligence rather than direct API call logging.
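Detection logic for the two CloudTrail-based answers above (the per-key usage profile of 1485 and the unauthorized-call metric filter of 1492), as an added example that is not part of the question bank: the sample log, account id, access key ids and IP addresses are constructed placeholders, and the functions are my own code, not an AWS API.

```python
"""Offline detection over CloudTrail records (added example, not from the
question bank). Identifiers below are constructed placeholders."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed records in the shape of a CloudTrail log file ({"Records": [...]}).
# 203.0.113.x / 198.51.100.x are documentation ranges, not real hosts.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "JohnDoe",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2024-05-01T11:05:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "JohnDoe",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2024-05-02T03:12:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "JohnDoe",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2024-05-02T03:15:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "198.51.100.77",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "JohnDoe",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2024-05-02T03:20:31Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "JohnDoe",
                      "accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2024-05-02T14:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "Deployer",
                      "accessKeyId": "AKIAEXAMPLEKEY0002"}},
]})


def load_records(log_text):
    """Parse a CloudTrail log file body into a list of event dicts."""
    return json.loads(log_text)["Records"]


def is_unauthorized(record):
    """Python equivalent of the CloudWatch Logs metric filter pattern
    { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    (the CIS AWS Foundations Benchmark 'unauthorized API calls' filter)."""
    code = record.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def unauthorized_calls(records):
    """Return the events that filter would count toward the alarm metric."""
    return [r for r in records if is_unauthorized(r)]


def _event_hour_utc(record):
    ts = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc).hour


def key_usage_profile(records, access_key_id):
    """Count source IPs and UTC hours of use for one access key, the summary
    an analyst builds from LookupEvents output when a key is suspected."""
    ips, hours = Counter(), Counter()
    for r in records:
        if r.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        ips[r["sourceIPAddress"]] += 1
        hours[_event_hour_utc(r)] += 1
    return ips, hours


def anomalous_events(records, access_key_id, known_ips, work_hours=range(8, 18)):
    """Flag uses of the key from an IP outside the known set or outside the
    user's normal working hours (UTC), the two indicators the answer cites."""
    flagged = []
    for r in records:
        if r.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        reasons = []
        if r["sourceIPAddress"] not in known_ips:
            reasons.append("unknown source IP")
        if _event_hour_utc(r) not in work_hours:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((r["eventTime"], r["eventName"],
                            r["sourceIPAddress"], reasons))
    return flagged


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(f"{len(unauthorized_calls(recs))} unauthorized calls")
    for event in anomalous_events(recs, "AKIAEXAMPLEKEY0001", {"203.0.113.10"}):
        print("anomalous:", event)
```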

1493
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must have a password policy that requires a minimum length of 14 characters. How can this be achieved centrally?

A.Use a service control policy (SCP) to enforce the password policy across all accounts.
B.Use IAM permission boundaries to restrict password policy changes to specific Regions.
C.Use AWS Config rules to automatically remediate non-compliant password policies.
D.Use an SCP that denies the UpdateAccountPasswordPolicy action unless the policy has MinimumPasswordLength >= 14.
AnswerD

SCPs can deny API calls that don't meet conditions.

Why this answer

Option D is correct because a service control policy (SCP) can deny changes to the password policy that don't meet the requirement. Option A is wrong because SCPs cannot set password policies; they can only deny actions. Option C is wrong because AWS Config can detect non-compliance but cannot enforce.

Option B is wrong because IAM is a global service and cannot be restricted to a specific Region.

1494
MCQmedium

A company uses AWS Lambda functions to process data from an S3 bucket. The security team wants to detect any unauthorized attempts to invoke the Lambda function from outside the company's VPC. The Lambda function is configured to be VPC-enabled and is attached to a VPC with a security group. The team has enabled CloudTrail and VPC Flow Logs. However, they are not seeing any logs for the Lambda invocations in CloudTrail. The team has checked that CloudTrail is logging management events and that the Lambda function is being invoked. What is the most likely reason for the missing CloudTrail logs?

A.CloudTrail is not logging Lambda Invoke API calls because they are data events, not management events.
B.The Lambda function is not configured to send logs to CloudTrail.
C.The CloudTrail trail is not configured to log data events for Lambda.
D.VPC Flow Logs are not enabled for the Lambda function's VPC.
AnswerA

Invoke calls are data events and require enabling data events in CloudTrail.

Why this answer

Option A is correct because CloudTrail management events do not include Lambda Invoke API calls unless data events are enabled. Option D is wrong because VPC Flow Logs capture network traffic, not Lambda invocations. Option B is wrong because the Lambda function's VPC configuration does not affect CloudTrail logging.

Option C is wrong because CloudTrail is not limited by VPC endpoints.

1495
MCQhard

A company's security team wants to detect and block malicious SQL injection attempts against an Application Load Balancer. Which AWS service should be used?

A.AWS WAF
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS Shield Advanced
AnswerA

WAF can use rules to block SQL injection patterns.

Why this answer

AWS WAF is a web application firewall that can be associated with an Application Load Balancer to inspect HTTP/HTTPS requests for malicious patterns, such as SQL injection attempts. It uses managed rule sets (e.g., AWS Managed Rules for SQL injection) to detect and block these attacks in real time, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse GuardDuty's threat detection (which covers network and account-level anomalies) with application-layer attack detection, or assume Shield Advanced's DDoS protection includes web application firewall capabilities.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for anomalous behavior, but it does not inspect or block application-layer requests like SQL injection at the ALB level. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure, not for detecting or blocking live web application attacks. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks, but it does not include application-layer inspection for SQL injection payloads.

1496
Multi-Selectmedium

Which TWO of the following are valid methods to protect sensitive data in transit between an on-premises data center and AWS? (Select TWO.)

Select 2 answers
A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.Internet Gateway
D.VPC Peering
E.AWS Direct Connect with IPSec VPN
AnswersB, E

Site-to-Site VPN encrypts traffic between on-premises and AWS.

Why this answer

AWS Site-to-Site VPN (Option B) creates an encrypted tunnel between an on-premises VPN device and a Virtual Private Gateway in AWS, using IPSec to protect data in transit. This ensures confidentiality and integrity of data crossing the public internet, making it a valid method for securing sensitive data between an on-premises data center and AWS.

Exam trap

The trap here is that candidates often assume AWS Transit Gateway or VPC Peering inherently encrypt traffic, but they do not; encryption must be explicitly added via VPN or Direct Connect with IPSec, and the exam tests this distinction between connectivity and encryption.

1497
MCQeasy

Refer to the exhibit. This trust policy is attached to an IAM role. What does it allow?

A.All IAM users in account 123456789012 to assume the role with MFA.
B.The root user of account 123456789012 to assume the role without MFA.
C.The root user of account 123456789012 to assume the role only if MFA is present.
D.Any user in account 123456789012 to assume the role without MFA.
AnswerC

The principal is the root user, and the condition requires MFA.

Why this answer

Option C is correct because the trust policy allows the root user of account 123456789012 to assume the role only if MFA is present. Option A is wrong because the policy allows the root user, not all users. Option B is wrong because the policy requires MFA.

Option D is wrong because the policy allows the root user, not any user in the account.

1498
Multi-Selectmedium

A security team needs to monitor for unauthorized API calls in their AWS account. Which TWO services can provide real-time alerts for such events?

Select 2 answers
A.Amazon CloudWatch Logs Insights
B.AWS CloudTrail with Amazon CloudWatch Events
C.Amazon VPC Flow Logs
D.AWS Config
E.Amazon GuardDuty
AnswersB, E

CloudTrail logs API calls, and CloudWatch Events can trigger alerts in real-time.

Why this answer

Options B and E are correct. CloudTrail logs API calls, and when combined with CloudWatch Events, can trigger real-time alerts. GuardDuty also detects suspicious API activity and can generate findings in real time.

Option D is incorrect because AWS Config evaluates resource configurations, not API calls. Option C is incorrect because VPC Flow Logs capture network traffic, not API calls. Option A is incorrect because CloudWatch Logs Insights is a query tool, not a real-time alerting service.

1499
Matchingmedium

Match each AWS IAM policy type to its description.


Attached to a user, group, or role

Attached to a resource like S3 bucket

Maximum permissions for an identity

Used in AWS Organizations to restrict permissions

Why these pairings

Different types of policies control access in AWS.

1500
Multi-Selecteasy

Which TWO are valid IAM identity-based policies? (Choose 2.)

Select 2 answers
A.Trust policy
B.Inline policy
C.S3 bucket policy
D.Service control policy (SCP)
E.AWS managed policy
AnswersB, E

Inline policies are identity-based policies directly attached to an entity.

Why this answer

Options B and E are correct. B: An inline policy is embedded directly in a user, group, or role. E: An AWS managed policy is a standalone policy that can be attached to IAM identities.

Option C is wrong because a bucket policy is a resource-based policy, not identity-based. Option D is wrong because an SCP is a policy used in AWS Organizations, not an identity-based policy. Option A is wrong because a trust policy is attached to a role to define who can assume it, not an identity-based policy.
