AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 1501-1575

1738 questions total · 24 pages · All types, answers revealed


Page 21 of 24

1501
Multi-Select · medium

A security engineer is investigating a potential security incident in an AWS account. The engineer needs to determine which user or role performed a specific API call that created a new security group. Which THREE AWS tools can the engineer use to find this information? (Choose THREE.)

Select 3 answers
A. AWS CloudTrail event history
B. Amazon CloudWatch Logs
C. VPC Flow Logs
D. AWS CloudTrail
E. AWS Config
Answers: A, D, E

Event history provides a searchable view of the last 90 days of API calls.

Why this answer

Options A, D, and E are correct. CloudTrail logs all API calls, including who made the call. CloudTrail event history provides a view of the last 90 days.

AWS Config records configuration changes, including security group creation. Option B is wrong because CloudWatch Logs does not capture API calls unless specifically configured. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

1502
MCQ · hard

A company uses AWS CloudTrail and wants to ensure that log files are encrypted at rest and that access to the logs is logged. Which combination of S3 features should be enabled on the destination bucket?

A. S3 Transfer Acceleration and default encryption
B. MFA Delete and versioning
C. Default encryption and server access logging
D. S3 Object Lock and versioning
Answer: C

Default encryption provides encryption at rest; server access logs log access requests.

Why this answer

Option C is correct because enabling default encryption (SSE-S3 or SSE-KMS) encrypts logs at rest, and enabling server access logging on the bucket logs access to the bucket. Option B is wrong because MFA Delete is for deletion protection, not encryption. Option D is wrong because S3 Object Lock prevents deletion but does not encrypt.

Option A is wrong because S3 Transfer Acceleration is for faster uploads, not security.

1503
MCQ · medium

A security engineer is troubleshooting why CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured with the correct bucket name. However, no log files appear. What is the most likely cause?

A. The S3 bucket has an S3 Object Lock configuration that prevents writes.
B. The S3 bucket is in a different AWS Region from the trail.
C. CloudTrail is not enabled in the AWS Region where the S3 bucket resides.
D. The S3 bucket uses AWS KMS server-side encryption (SSE-KMS) and the KMS key policy does not grant CloudTrail permission to use the key.
Answer: D

CloudTrail must have kms:GenerateDataKey and kms:Decrypt permissions on the KMS key to encrypt/decrypt log files.

Why this answer

CloudTrail requires specific permissions to write to S3, including s3:PutObject and s3:GetBucketAcl. If the KMS key policy does not allow CloudTrail to use it, log delivery fails silently.

1504
MCQ · easy

A company wants to provide temporary security credentials to users accessing AWS resources from a mobile app. Which AWS service should they use?

A. AWS Signer
B. AWS Directory Service
C. Amazon Cognito Identity Pools (Federated Identities)
D. AWS IAM roles for cross-account access
Answer: C

Cognito Identity Pools issue temporary AWS credentials.

Why this answer

Amazon Cognito Identity Pools provide temporary credentials for authenticated users. Option C is correct. Option D is for identity federation with external providers.

Option B is for managing user directories. Option A is for signing requests.

1505
Multi-Select · hard

A security engineer is investigating a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS'. Which TWO actions should the engineer take as part of the initial response? (Choose two.)

Select 2 answers
A. Enable Amazon GuardDuty in the account if not already enabled.
B. Isolate the EC2 instance by modifying its security group to deny all traffic.
C. Immediately terminate the EC2 instance to stop the activity.
D. Take a snapshot of the instance's EBS volume for forensic analysis.
E. Disable termination protection on the instance to allow future termination.
Answers: B, D

Isolation prevents further malicious activity.

Why this answer

Option B is correct because isolating the EC2 instance by modifying its security group to deny all traffic is a critical containment step in incident response. This immediately stops the C2 (command and control) communication detected by GuardDuty's 'Backdoor:EC2/C&CActivity.B!DNS' finding, preventing further data exfiltration or lateral movement while preserving the instance for forensic analysis.

Exam trap

The trap here is that candidates may confuse incident response containment with eradication, choosing immediate termination (Option C) instead of isolation and forensic preservation (Options B and D).

1506
Multi-Select · hard

A company is designing a data protection solution for Amazon S3. They need to ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which THREE steps should they take? (Choose THREE.)

Select 2 answers
A. Enable versioning on the bucket.
B. Enable MFA Delete on the bucket.
C. Enable default encryption on the S3 bucket with SSE-S3 or SSE-KMS.
D. Add a bucket policy that denies s3:PutObject if the x-amz-server-side-encryption header is not present.
E. Enable S3 Block Public Access settings.
Answers: C, D

This automatically encrypts objects if no encryption header is provided.

Why this answer

Enabling S3 default encryption (Option C) ensures new objects are encrypted. Using a bucket policy to deny PutObject without encryption headers (Option D) enforces encryption. Enabling S3 Block Public Access (Option E) prevents public access but not unencrypted uploads.

Enabling MFA Delete (Option B) adds authentication for deletes. Enabling versioning (Option A) does not enforce encryption.

1507
MCQ · easy

A security engineer runs the command shown in the exhibit. What is the outcome?

A. The command fails because AES256 is not a valid algorithm.
B. Default encryption is enabled on the bucket using SSE-S3.
C. Default encryption is enabled on the bucket using SSE-KMS.
D. The command removes default encryption from the bucket.
Answer: B

SSEAlgorithm: AES256 means SSE-S3.

Why this answer

The command `aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'` enables default encryption on the bucket using SSE-S3, because `AES256` is the algorithm identifier for SSE-S3 (Amazon S3-managed keys). The command succeeds and sets the default encryption configuration to use server-side encryption with S3-managed keys, which is the standard SSE-S3 behavior.

Exam trap

The trap here is that candidates confuse `AES256` with an invalid algorithm or assume it refers to SSE-KMS, but AWS specifically uses `AES256` as the identifier for SSE-S3, while `aws:kms` is used for SSE-KMS.

How to eliminate wrong answers

Option A is wrong because AES256 is a valid algorithm identifier for SSE-S3; it is not invalid, and the command does not fail due to algorithm validation. Option C is wrong because the algorithm identifier for SSE-KMS is `aws:kms`, not `AES256`; using `AES256` explicitly sets SSE-S3, not SSE-KMS. Option D is wrong because the command adds or updates default encryption, it does not remove it; removing default encryption requires a different API call (e.g., `delete-bucket-encryption`).

1508
MCQ · hard

A company uses AWS Shield Advanced to protect its web application against DDoS attacks. The application is behind an Application Load Balancer (ALB) with a web application firewall (AWS WAF) in front. The security team notices that some requests are being blocked by AWS WAF, but the source IP addresses are legitimate customers. What step should the team take to minimize false positives?

A. Implement rate-based rules with a count action and use the count data to create custom rules.
B. Switch to using AWS Managed Rules for IP reputation lists.
C. Increase the WAF rate-based rule threshold to allow more requests.
D. Reconfigure the ALB idle timeout to a higher value.
Answer: A

Rate-based rules with count allow monitoring and adjusting thresholds to avoid false positives.

Why this answer

Option A is correct because rate-based rules in count mode allow legitimate traffic while limiting excessive requests. Option C is wrong because increasing the threshold may allow more attacks. Option B is wrong because using AWS Managed Rules for IP reputation could block legitimate IPs.

Option D is wrong because reconfiguring the ALB idle timeout does not affect WAF blocking.

1509
MCQ · hard

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all users must use multi-factor authentication (MFA) to access the AWS Management Console. Which combination of actions should the security team take to enforce this requirement?

A. Use AWS CloudTrail to monitor and alert on console logins without MFA
B. Enable MFA through the AWS Account Management console for each account
C. Create an IAM policy in each account that denies access without MFA
D. Apply a service control policy (SCP) at the organization root that denies actions unless MFA is present
Answer: D

An SCP can enforce that all accounts must use MFA by denying access if the condition is not met.

Why this answer

Option D is correct because a service control policy (SCP) can be applied to all accounts to deny access if MFA is not present. Option C is incorrect because IAM policies in individual accounts can be overridden by account administrators. Option B is incorrect because an SCP cannot directly enable MFA; it can only deny access.

Option A is incorrect because while AWS CloudTrail can log, it does not enforce.

1510
MCQ · hard

An IAM policy is used to grant access to an S3 bucket. The policy condition requires that objects be retrieved using AES256 encryption. However, users can still download objects without specifying encryption. What is the MOST likely reason?

A. The condition key 's3:x-amz-server-side-encryption' applies only to PUT requests, not GET requests.
B. The resource ARN should include the bucket name without the '/*' suffix.
C. The condition should use 'Null' instead of 'StringEquals'.
D. The condition should use 'aws:SecureTransport' instead.
Answer: A

For GET requests, the condition key for server-side encryption is different.

Why this answer

Option A is correct because the condition 's3:x-amz-server-side-encryption' is a request header for uploads, not downloads. For downloads, the condition should be 's3:x-amz-server-side-encryption-customer-algorithm' or similar. Option B is incorrect because the resource ARN is correct.

Option D is incorrect because S3 supports multiple encryption types. Option C is incorrect because the condition is not null.

1511
Multi-Select · medium

A security engineer is designing a VPC with public and private subnets. The private subnets must be able to download software updates from the internet. Which TWO components can provide this functionality without exposing the private instances to inbound internet traffic?

Select 2 answers
A. NAT gateway
B. Internet gateway
C. VPC endpoint
D. Egress-only internet gateway
E. NAT instance
Answers: A, E

NAT gateway enables outbound internet for private subnets.

Why this answer

Option A (NAT gateway) and Option E (NAT instance) are correct because they allow outbound traffic to the internet and block unsolicited inbound traffic. Option B is wrong because an internet gateway allows bidirectional traffic. Option D (egress-only internet gateway) is for IPv6.

Option C (VPC endpoint) is for AWS services, not general internet.

1512
MCQ · hard

A company uses AWS Organizations with all features enabled. The security team needs to ensure that no member account can disable AWS CloudTrail logging or delete CloudTrail logs stored in S3. Which combination of preventive controls should be implemented?

A. Set up CloudWatch alarms to notify when CloudTrail is modified or logs are deleted.
B. Apply a service control policy (SCP) at the root OU to deny CloudTrail and S3 delete actions, and enable CloudTrail organizational trail.
C. Use IAM policies in each member account to deny CloudTrail and S3 delete actions.
D. Apply an S3 bucket policy denying delete actions, and enable CloudTrail organizational trail.
Answer: B

SCPs prevent all users including root; organizational trail prevents disabling.

Why this answer

Option B is correct because SCPs can deny actions like cloudtrail:DeleteTrail and s3:DeleteObject, and a CloudTrail organizational trail prevents member accounts from stopping logging. Option C is wrong because IAM policies are not enforced on root users. Option D is wrong because resource-based policies alone cannot prevent root user actions.

Option A is wrong because CloudWatch alarms are detective, not preventive.

1513
MCQ · hard

A security engineer is troubleshooting an issue where an IAM policy allows access to S3 but the user is denied access to a specific bucket. The policy has the following statement: { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } What is the most likely cause of the denial?

A. The policy statement is too broad and AWS automatically denies access to specific buckets.
B. An explicit deny statement in a different policy (e.g., SCP, permissions boundary) is overriding the allow.
C. The S3 bucket has a bucket policy that denies access to the user.
D. The policy is attached to the user but the user is assuming a role that does not have S3 permissions.
Answer: B

Explicit denies take precedence over allows.

Why this answer

Option B is correct because an explicit deny in a separate policy, such as a service control policy (SCP) or a permissions boundary, overrides any allow. Option D is wrong because the user's own policy is an allow. Option C is wrong because S3 bucket policies are resource-based and can deny access.

Option A is wrong because IAM policies are evaluated as a whole; there is no implicit deny for specific buckets unless a deny exists.

1514
MCQ · easy

A security engineer is configuring a security group for a web server that should only accept HTTPS traffic from the internet. Which inbound rule should be set?

A. TCP port 3389 from 0.0.0.0/0
B. TCP port 22 from 0.0.0.0/0
C. TCP port 80 from 0.0.0.0/0
D. TCP port 443 from 0.0.0.0/0
Answer: D

Port 443 is HTTPS.

Why this answer

Option D is correct because HTTPS uses TCP port 443. Option C is wrong because port 80 is HTTP. Option B is wrong because port 22 is SSH.

Option A is wrong because port 3389 is RDP.

1515
Multi-Select · hard

A company's security team is implementing controls to meet PCI DSS compliance. The environment includes Amazon EC2, RDS, and S3. Which THREE controls should be implemented to address logging and monitoring requirements?

Select 3 answers
A. Enable AWS Config to track resource configuration changes.
B. Enable VPC Flow Logs for all VPCs.
C. Enable AWS CloudTrail across all AWS regions.
D. Deploy Amazon CloudWatch Application Insights.
E. Enable detailed billing reports.
Answers: A, B, C

Config provides configuration history and compliance.

Why this answer

AWS Config is correct because it tracks resource configuration changes and records them as configuration items, which is essential for PCI DSS Requirement 10.5.2 that mandates logging of all actions taken by any individual with root or administrative privileges. By monitoring changes to EC2, RDS, and S3 configurations, AWS Config provides an audit trail of who made changes, what changed, and when, directly supporting logging and monitoring compliance.

Exam trap

The trap here is that candidates may confuse operational monitoring tools (like CloudWatch Application Insights) or billing tools with the specific logging and monitoring controls required by PCI DSS, which focus on audit trails of configuration changes, network traffic, and API activity.

1516
MCQ · medium

A security engineer is investigating a potential data breach. AWS CloudTrail logs show that an IAM user 'svc-backup' created an S3 bucket in the us-east-1 region and then uploaded a large number of objects. The engineer suspects that the user's credentials were compromised. What is the MOST efficient way to quickly identify the source IP address and user agent of the API calls made by this user?

A. Query AWS CloudTrail logs in Amazon Athena for the user's API calls.
B. Analyze VPC Flow Logs for traffic to the S3 bucket.
C. Enable Amazon GuardDuty and review the generated findings.
D. Use AWS Config to review the configuration history of the S3 bucket.
Answer: A

CloudTrail logs include sourceIPAddress and userAgent for API calls, and Athena enables efficient querying of large log datasets.

Why this answer

Option A is correct because CloudTrail logs contain the sourceIPAddress and userAgent fields for each API call, which can be queried using CloudTrail Insights or Athena to identify the source. Option B is wrong because VPC Flow Logs capture network traffic but do not include IAM user information. Option C is wrong because GuardDuty detects threats but does not store historical API call details.

Option D is wrong because Config records resource configuration changes but not API call source details.

1517
MCQ · easy

A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?

A. AWS Config
B. Amazon GuardDuty
C. Amazon Inspector
D. AWS WAF
Answer: B

GuardDuty uses threat intelligence and machine learning to detect threats, and findings can trigger automated remediation via EventBridge and Lambda.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across AWS accounts and workloads. It can integrate with AWS Lambda functions via CloudWatch Events to automate remediation actions, such as blocking unwanted access to S3 buckets by updating bucket policies or removing public access. This makes GuardDuty the correct choice for detecting and automatically responding to security threats against S3 resources.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to auto-remediate noncompliant resources (using AWS Config rules and Lambda) with GuardDuty's threat-specific detection and response, but AWS Config does not detect security threats like unauthorized access—it only enforces configuration rules.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing and compliance service that evaluates resource configurations against rules, but it does not natively detect security threats or invoke Lambda functions for threat remediation; it can trigger Lambda for configuration drift, not for threat response. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure, not for detecting or remediating unwanted access to S3 buckets. Option D is wrong because AWS WAF is a web application firewall that protects web applications from common exploits like SQL injection and cross-site scripting, and it does not monitor or remediate S3 bucket access patterns.

1518
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to centrally monitor and analyze all CloudTrail logs from all accounts. The logs must be stored in a centralized S3 bucket with encryption and access logging enabled. Additionally, the team needs to detect anomalous API activity across accounts using machine learning. Which combination of services meets these requirements?

A. AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption; AWS Config to monitor API activity; S3 server access logs enabled.
B. AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption; Amazon Macie to detect anomalous API activity; S3 server access logs enabled.
C. AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption; Amazon Detective to analyze API activity; S3 server access logs enabled.
D. AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption and S3 server access logs; Amazon GuardDuty enabled in all accounts.
Answer: D

CloudTrail logs to S3, GuardDuty provides ML-based anomaly detection across accounts, and S3 server access logs provide request logging.

Why this answer

Option D is correct: CloudTrail delivers logs to a centralized S3 bucket, Amazon GuardDuty uses ML to detect anomalous API activity across accounts, and S3 server access logs record requests to the bucket. Option B is wrong because Amazon Macie uses ML to discover sensitive data in S3, not to detect anomalous API activity. Option A is wrong because AWS Config tracks resource configuration changes, not API activity.

Option C is wrong because Amazon Detective analyzes security data but does not provide ML-based anomaly detection for API activity like GuardDuty.

1519
MCQ · easy

A company uses S3 Server Access Logs to audit access to their S3 buckets. The security team wants to ensure that the log files themselves are encrypted at rest using SSE-KMS. Which configuration step is necessary?

A. Use an S3 bucket policy to deny unencrypted uploads to the source bucket
B. Enable default encryption on the source bucket
C. Add a bucket policy on the destination bucket that grants the S3 log delivery service permission to use the KMS key
D. Configure the destination bucket with a lifecycle policy
Answer: C

Required for SSE-KMS on log delivery.

Why this answer

To encrypt S3 access logs with SSE-KMS, the bucket policy of the destination bucket must allow the S3 log delivery service to use the KMS key. Option C is correct. Option A is about the source bucket, D is unnecessary, and B is about server-side encryption for the source bucket.

1520
MCQ · medium

A company uses Amazon S3 to store sensitive data. The security team wants to detect and alert on public read access to S3 buckets. Which combination of AWS services is MOST appropriate?

A. AWS CloudTrail and Amazon CloudWatch Logs with metric filters for `PutBucketPolicy` events.
B. Amazon Macie with automated discovery jobs and Amazon CloudWatch Events to send alerts.
C. Amazon GuardDuty and AWS Lambda.
D. AWS Config with managed rules like `s3-bucket-public-read-prohibited` and Amazon SNS.
Answer: B

Macie can evaluate bucket policies and alert on public access.

Why this answer

Amazon Macie is purpose-built for discovering and protecting sensitive data in S3, and its automated discovery jobs can detect public read access to buckets. By integrating with Amazon CloudWatch Events, Macie can trigger alerts in real-time when such access is identified, making it the most appropriate choice for this detection and alerting requirement.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which is periodic and reactive) with real-time detection and alerting, or they mistakenly believe CloudTrail captures all public access events, when in fact it only logs API calls that change permissions, not the resulting access state.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs `PutBucketPolicy` events, but this only captures policy changes, not the actual public read access state; a bucket could be publicly readable via ACLs or a pre-existing policy without triggering a new `PutBucketPolicy` event, leading to missed detections. Option C is wrong because GuardDuty focuses on threat detection (e.g., unusual API calls, credential compromise) and does not natively scan S3 bucket permissions for public read access; while Lambda could be used to write custom logic, it is not a direct or managed solution for this specific requirement. Option D is wrong because AWS Config managed rule `s3-bucket-public-read-prohibited` is a detective control that evaluates compliance but does not natively generate real-time alerts; while SNS can be configured, the rule only runs on periodic evaluations or configuration changes, not continuously, and it does not detect public read access via ACLs or bucket policies that are already in place.

1521
Multi-Select · easy

A developer wants to allow an IAM role to be assumed by an EC2 instance that is part of an Auto Scaling group. Which TWO AWS services or features are required? (Choose TWO.)

Select 2 answers
A. AWS Config
B. Instance profile
C. IAM role
D. AWS CloudFormation
E. AWS Single Sign-On (SSO)
Answers: B, C

The instance profile is the container for the role that can be attached to EC2 instances.

Why this answer

An instance profile is required to attach an IAM role to an EC2 instance. When an EC2 instance is launched with an instance profile, the AWS credentials provider on the instance can retrieve temporary security credentials from the IAM role via the instance metadata service (IMDS). This allows the instance to assume the role and perform authorized API actions without embedding long-term credentials.

Exam trap

The trap here is that candidates often confuse IAM roles with instance profiles, thinking a role can be directly attached to an EC2 instance, but the instance profile is the required intermediary container that enables the role to be assumed by the instance.

1522
MCQ · hard

Refer to the exhibit. An IAM policy attached to a user allows s3:GetObject only from a specific IP range and denies all S3 actions if not using HTTPS. What happens when the user makes a GET request from IP 10.0.0.5 using HTTP?

A. Allowed because the IP is in the range
B. Allowed because the condition does not match
C. Denied because the Deny statement matches
D. Denied because the IP is not in the range
Answer: C

Deny overrides Allow.

Why this answer

The request is denied because the Deny statement's condition (aws:SecureTransport: false) matches HTTP, and Deny overrides Allow. Option C is correct. Option A is wrong because Deny always overrides Allow.

Option B is wrong because the condition matches. Option D is wrong because the request is denied by the Deny statement, not by the IP condition.
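
The evaluation order behind question 1522 (explicit Deny beats a matching Allow) is the same rule that explains question 1513 (an SCP or permissions-boundary Deny overriding a broad identity-policy Allow). The simulator below is an added example, not part of the question bank or of any AWS tooling: it implements only the Bool and IpAddress operators and treats all supplied policies as one pool, so the constructed 1522 policy and the constructed 1513 SCP are assumptions standing in for the missing exhibit.

```python
"""Minimal IAM policy-evaluation simulator (added example, constructed policies)."""
import ipaddress
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Evaluate a Condition block against the request context.

    Only Bool and IpAddress are implemented. For these positive operators a
    key that is absent from the request context never satisfies the test.
    Every operator/key pair in the block must match for the statement to apply.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = _as_list(expected)
            if operator == "Bool":
                if str(actual).lower() not in [str(v).lower() for v in wanted]:
                    return False
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(cidr) for cidr in wanted):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for a single request.

    Mirrors the documented order: a matching Deny in ANY policy wins
    immediately; otherwise a matching Allow grants; otherwise implicit deny.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
                continue
            if not _condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed stand-in for the 1522 exhibit: GetObject allowed from one CIDR,
# every S3 action denied when the request is not made over TLS.
POLICY_1522 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed 1513 scenario: the broad identity-policy Allow from the question
# plus an explicit Deny of the kind an SCP or permissions boundary would carry.
IDENTITY_ALLOW_ALL_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
SCP_DENY_RESTRICTED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::restricted-bucket",
                                "arn:aws:s3:::restricted-bucket/*"]}],
}


def scenario_1522(source_ip, https):
    """GET of one object with the given source IP and transport."""
    ctx = {"aws:SourceIp": source_ip,
           "aws:SecureTransport": "true" if https else "false"}
    return evaluate([POLICY_1522], "s3:GetObject",
                    "arn:aws:s3:::example-bucket/report.csv", ctx)


def scenario_1513(bucket):
    """GET from a bucket with s3:* allowed but one bucket explicitly denied."""
    return evaluate([IDENTITY_ALLOW_ALL_S3, SCP_DENY_RESTRICTED], "s3:GetObject",
                    f"arn:aws:s3:::{bucket}/file.txt", {})


if __name__ == "__main__":
    print("1522 HTTP  from 10.0.0.5   :", scenario_1522("10.0.0.5", https=False))
    print("1522 HTTPS from 10.0.0.5   :", scenario_1522("10.0.0.5", https=True))
    print("1522 HTTPS from 192.0.2.10 :", scenario_1522("192.0.2.10", https=True))
    print("1513 restricted-bucket     :", scenario_1513("restricted-bucket"))
    print("1513 other-bucket          :", scenario_1513("other-bucket"))
```

Real SCPs and permissions boundaries additionally act as a filter on what identity policies may grant; the pooled evaluation here only reproduces the explicit-deny precedence the two questions test.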

1523
Multi-Select · easy

A company wants to grant a set of developers the ability to launch EC2 instances but only in a specific subnet. Which THREE steps should be taken?

Select 3 answers
A. Create a VPC endpoint for EC2.
B. Add a condition to the policy that restricts the subnet ID using ec2:Subnet.
C. Allow the developers to assume the role via an IAM policy or trust relationship.
D. Configure a security group to allow outbound traffic from the subnet.
E. Create an IAM role with a policy that allows ec2:RunInstances.
Answers: B, C, E

Conditions can enforce that instances are launched only in the specified subnet.

Why this answer

Options B, C, and E are correct. Create a role with permissions to launch instances (E), attach a policy that restricts the subnet via a condition (B), and assign the role to the developers (C). Option A is wrong because a VPC endpoint does not grant IAM permissions.

Option D is wrong because security groups control network traffic, not IAM permissions.

1524
MCQ · hard

A company's security team needs to implement a solution to detect and alert on the creation of IAM users or roles with administrative privileges. The solution must be able to analyze historical account activity and provide real-time alerts. Which combination of AWS services should be used?

A. AWS CloudTrail and Amazon CloudWatch Logs with metric filters and alarms
B. Amazon GuardDuty and AWS Lambda
C. AWS Trusted Advisor and Amazon SES
D. AWS Config with managed rules and Amazon SNS
Answer: A

CloudTrail logs API calls, CloudWatch Logs filters events, and alarms trigger notifications.

Why this answer

AWS CloudTrail logs IAM CreateUser, CreateRole, and AttachRolePolicy events. Amazon CloudWatch Logs can filter these events and trigger alerts via CloudWatch Alarms, so Option A is correct. Option D is wrong because AWS Config evaluates current configuration but does not provide real-time alerts on API calls.

Option C is wrong because AWS Trusted Advisor is for best-practice checks, not real-time monitoring. Option B is wrong because Amazon GuardDuty focuses on threat detection, not specific IAM policy changes.

1525
MCQ · hard

A company is using AWS DMS to migrate data from an on-premises Oracle database to Amazon RDS for PostgreSQL. The data must be encrypted in transit. What should the company do?

A. Use AWS Direct Connect to establish a private connection.
B. Enable SSL on the source and target endpoints in the DMS task.
C. Use AWS KMS to encrypt the data before sending.
D. Set up a VPN connection between the on-premises network and AWS VPC.
Answer: B

DMS supports SSL to encrypt data in transit between endpoints.

Why this answer

Option B is correct because DMS supports SSL/TLS for encrypting data in transit between endpoints. Option D is incorrect because a VPN is not required; DMS supports SSL directly. Option C is incorrect because KMS encrypts at rest, not in transit.

Option A is incorrect because Direct Connect provides a private network but does not inherently encrypt traffic; SSL is still needed.

1526
MCQ · easy

A company is using Amazon S3 to store sensitive data. The security team wants to ensure that all data is encrypted in transit between the company's on-premises data center and AWS. Which solution should be used?

A. Use an AWS Site-to-Site VPN with IPsec to encrypt traffic
B. Use AWS CloudHSM to encrypt the data in transit
C. Enable SSE-S3 on the S3 bucket
D. Use AWS KMS to encrypt the data before transmission
Answer: A

VPN provides encrypted transit.

Why this answer

An AWS Site-to-Site VPN with IPsec is the correct solution because it creates an encrypted tunnel between the on-premises data center and AWS, ensuring all data in transit is protected. IPsec operates at the network layer (Layer 3) and encrypts the entire IP packet, providing confidentiality and integrity for data moving over the public internet. This directly addresses the requirement to encrypt data in transit between the two environments.

Exam trap

The trap here is that candidates often confuse encryption at rest (SSE-S3, KMS) with encryption in transit, and assume that encrypting data before sending it (e.g., with KMS) automatically secures the transmission channel, when in fact a transport-layer encryption mechanism like IPsec or TLS is required to protect data during transit.

How to eliminate wrong answers

Option B is wrong because AWS CloudHSM is a hardware security module used for key storage and cryptographic operations, not for encrypting data in transit; it does not provide network-level encryption between on-premises and AWS. Option C is wrong because SSE-S3 (Server-Side Encryption with S3-Managed Keys) encrypts data at rest in S3, not data in transit; it has no effect on traffic between the on-premises data center and AWS. Option D is wrong because AWS KMS is a key management service that can be used to encrypt data before transmission, but it does not provide a secure tunnel or protocol-level encryption for the data in transit; the data would still be sent over the internet in an unencrypted form unless a transport encryption mechanism like TLS or IPsec is also applied.

1527
MCQ · hard

Refer to the exhibit. A security engineer is reviewing a CloudTrail event. What security concern does this event raise?

A. The user is revoking a security group rule.
B. The event is not being logged by CloudTrail.
C. The user is using the AWS root account.
D. The user is opening SSH access to the world.
Answer: D

0.0.0.0/0 is public access.

Why this answer

Option D is correct. The event shows an IAM user adding an inbound rule to security group sg-12345 that allows SSH (port 22) from any IP (0.0.0.0/0). This violates security best practice because it exposes the instance to the internet.

Option C is wrong because the user is an IAM user, not root. Option B is wrong because the event is logged, which is good. Option A is wrong because the API is AuthorizeSecurityGroupIngress, not Revoke.

1528
MCQeasy

A company needs to grant an IAM user permissions to start and stop specific EC2 instances. Which IAM policy element should be used to restrict actions to specific instances?

A.Resource
B.Condition
C.Principal
D.NotAction
AnswerB

Conditions like 'ec2:ResourceTag' can restrict to instances with specific tags.

Why this answer

Option B is correct because a Condition element can use 'ec2:ResourceTag' to restrict to instances with specific tags. Option D is wrong because 'NotAction' is for actions, not resources. Option A is wrong because 'Resource' can specify instance ARNs but not dynamically based on tags.

Option C is wrong because 'Principal' is for specifying who.

1529
Multi-Selectmedium

Which TWO AWS services can be used to centrally manage and audit permissions across multiple AWS accounts? (Choose two.)

Select 2 answers
A.AWS Config
B.AWS CloudTrail
C.AWS Organizations
D.AWS Single Sign-On
E.IAM Access Analyzer
AnswersC, E

Organizations centrally manages accounts and can apply SCPs to control permissions.

Why this answer

AWS Organizations provides a central view of all accounts and can apply SCPs. IAM Access Analyzer analyzes resource policies across accounts to identify public or cross-account access. AWS Config evaluates resource configurations but does not centrally manage permissions.

AWS CloudTrail logs API calls but does not manage permissions. AWS SSO manages user access but not resource permissions.

1530
MCQhard

A company has a policy that requires all IAM users to use multi-factor authentication (MFA) to access the AWS Management Console. A user reports that they are unable to sign in even after configuring MFA. What is the most likely cause?

A.The IAM policy explicitly denies console access.
B.The user is using the root account instead of an IAM user.
C.The MFA token has expired.
D.The MFA device is not properly synchronized with AWS.
AnswerD

Time sync issues can cause MFA authentication to fail.

Why this answer

If the IAM user policy denies access if MFA is not present, but the user has MFA configured, the issue could be that the policy condition key aws:MultiFactorAuthPresent is set to 'false' when the session is not using MFA. However, if the user has MFA, the condition should be true. Another common issue is that the MFA device is not assigned to the user, or the user is using a non-MFA session.

Option D is most likely because if the MFA device is not synced, authentication fails. Option A is wrong because the policy can still apply to console users. Option B is wrong because MFA can be used for the console.

Option C is wrong because MFA tokens expire, but that would only affect the session, not sign-in.

1531
MCQhard

A security engineer is designing a solution to monitor and remediate non-compliant resources across multiple AWS accounts. The company uses AWS Organizations and wants to enforce that any S3 bucket with public read access is automatically remediated. The solution must be centralized and scalable. Which approach should the engineer take?

A.Deploy an AWS Config conformance pack with a rule and an auto-remediation action using AWS Systems Manager Automation.
B.Create an AWS Config rule in each account and configure an Amazon CloudWatch Events rule to trigger an AWS Lambda function for remediation.
C.Use AWS Trusted Advisor to identify public buckets and manually remediate them.
D.Deploy an AWS Config conformance pack with a rule that checks for public buckets and reports non-compliance.
AnswerA

Conformance packs can include auto-remediation steps, enabling centralized scalable enforcement.

Why this answer

Option A is correct because AWS Config conformance packs allow you to deploy a collection of AWS Config rules and remediation actions across multiple accounts and Regions in AWS Organizations. By including an auto-remediation action using AWS Systems Manager Automation, the solution can automatically remediate S3 buckets with public read access in a centralized and scalable manner, without manual intervention or per-account configuration.

Exam trap

The trap here is that candidates may confuse conformance packs with simple AWS Config rules, forgetting that conformance packs can include automated remediation actions via Systems Manager Automation, while standalone rules only detect and report non-compliance.

How to eliminate wrong answers

Option B is wrong because creating an AWS Config rule in each account is not centralized; it requires manual setup per account and does not scale efficiently across many accounts. Option C is wrong because AWS Trusted Advisor only identifies public buckets and provides recommendations, but it does not support automated remediation; manual remediation is not scalable or centralized. Option D is wrong because while an AWS Config conformance pack with a rule can detect non-compliant public buckets, it only reports non-compliance and does not include an auto-remediation action, failing to meet the requirement for automatic remediation.

1532
MCQeasy

A security engineer is configuring a multi-account CloudTrail setup. The above bucket policy is attached to the central logging bucket. Despite the policy, CloudTrail in the member account (123456789012) cannot deliver logs. What is the MOST likely issue?

A.The Principal should be the CloudTrail service principal of the member account.
B.The condition s3:x-amz-acl is not required; CloudTrail does not set that ACL.
C.The Action should be s3:PutObjectAcl instead of s3:PutObject.
D.The resource ARN must include the source account ID in the path.
AnswerB

CloudTrail uses a different ACL; removing the condition solves the issue.

Why this answer

Option B is correct because the resource path includes the account ID, but the condition requires the ACL to be set to bucket-owner-full-control, which CloudTrail does not set by default. Option A is wrong because the principal is correct. Option D is wrong because the bucket policy does not need to specify the source account explicitly; the path includes it.

Option C is wrong because the action is correct.

1533
MCQmedium

A company wants to launch an Amazon EC2 instance that must be accessible via SSH from the company's corporate network (IP range 198.51.100.0/24). The instance should not be accessible from the internet. Which network configuration should the security engineer recommend?

A.Place the instance in a private subnet with a route to an internet gateway, and add a security group rule that allows SSH inbound from 198.51.100.0/24.
B.Place the instance in a public subnet, and add a network ACL rule that denies all inbound traffic from 0.0.0.0/0.
C.Place the instance in a private subnet, and add a security group rule that allows SSH inbound from 198.51.100.0/24.
D.Place the instance in a public subnet, and add a security group rule that allows SSH inbound from 0.0.0.0/0.
AnswerC

The instance is in a private subnet, and the security group restricts SSH to the corporate IP range.

Why this answer

The instance should be placed in a private subnet with a security group allowing SSH from the corporate IP range. A bastion host or VPN could be used, but the question asks for the instance's network configuration. Option C is correct.

Option D is incorrect because placing the instance in a public subnet with SSH open to 0.0.0.0/0 exposes it to the internet. Option B is incorrect because a public subnet with a NACL blocking all inbound traffic would also block SSH. Option A is incorrect because a subnet with a route to an internet gateway is by definition a public subnet, so the instance would not be private.

1534
MCQeasy

A company wants to allow an EC2 instance to access an S3 bucket without exposing the instance to the internet. Which AWS service should be used to achieve this?

A.NAT Gateway
B.AWS Site-to-Site VPN
C.Internet Gateway
D.VPC Endpoint (Gateway type) for S3
AnswerD

This provides private connectivity to S3.

Why this answer

Option D is correct. A VPC endpoint for S3 allows private connectivity between the VPC and S3 without internet access. Option C (Internet Gateway) would expose the instance.

Option A (NAT Gateway) is for outbound internet. Option B (VPN) is for on-premises connectivity.

1535
MCQeasy

Refer to the exhibit. A security engineer uses the AWS CLI command shown to investigate a console login event. What type of user performed the login?

A.AWS service
B.Assumed role
C.Root user
D.IAM user
AnswerD

The userIdentity type is 'IAMUser'.

Why this answer

The `userIdentity` in the CloudTrail event shows `type: IAMUser`, indicating an IAM user logged in. Option D is correct. Option C is wrong because the type is IAMUser, not Root.

Option B is wrong because the type is not AssumedRole. Option A is wrong because it is not an AWS service.

1536
MCQhard

A security auditor notices that an IAM role has a policy that grants 'iam:PassRole' to a specific EC2 instance profile. What is the security implication of this permission?

A.It could allow privilege escalation if the role passes a role with more permissions to an EC2 instance.
B.It allows the role to delete IAM roles.
C.It allows the role to create new IAM policies.
D.It allows the role to create new IAM users.
AnswerA

iam:PassRole can be misused to grant higher privileges to EC2 instances.

Why this answer

Option A is correct because iam:PassRole allows passing a role to an AWS service, which could lead to privilege escalation if the role has more permissions than intended. Option C is wrong because it's not about creating policies. Option D is wrong because it's not about creating users.

Option B is wrong because it's not about deleting roles.

1537
MCQhard

A company is using AWS KMS to encrypt data in Amazon S3. The security team discovers that an S3 bucket has a bucket policy that allows s3:PutObject without requiring encryption. What is the risk?

A.The KMS key can be used by unauthorized users
B.Data can be downloaded without authentication
C.Data in transit is not encrypted
D.Data can be uploaded without encryption at rest
AnswerD

Without requiring encryption, data may be stored unencrypted.

Why this answer

Option D is correct: data can be uploaded without encryption, potentially exposing sensitive data. Options A and B are wrong because the risk is about data being stored unencrypted at rest, not about key access or unauthenticated downloads. Option C is wrong because encryption in transit is not related.

1538
MCQmedium

A company is using AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which policy should be attached to the KMS key to enforce this restriction?

A.KMS grant that gives the IAM role decrypt permissions for the key
B.IAM policy attached to the role that allows kms:Decrypt for the key
C.S3 bucket policy that denies decrypt unless the requester is the specific IAM role
D.KMS key policy with a condition that the principal must be the specific IAM role
AnswerD

Correct: KMS key policy can restrict decryption to a specific IAM role.

Why this answer

Option D is correct because a KMS key policy can specify which IAM roles are allowed to use the Decrypt action. Option C is wrong because S3 bucket policies do not control KMS decryption permissions. Option B is wrong because IAM policies alone cannot restrict decryption if the key policy allows broader access.

Option A is wrong because KMS grants are temporary and not the best practice for permanent access control.

1539
MCQmedium

A company's security engineer is configuring a web application firewall (WAF) to protect a public-facing Application Load Balancer (ALB). The application is vulnerable to SQL injection attacks. Which AWS WAF rule should be used to mitigate this threat?

A.Add a rule to block cross-site scripting (XSS) attacks.
B.Add a rule from the AWS Managed Rules for SQL injection.
C.Add a rate-based rule to limit requests per IP.
D.Add a geographic match rule to block traffic from specific countries.
AnswerB

SQL injection rule group blocks SQLi patterns.

Why this answer

Option B is correct. AWS WAF has a managed rule group for SQL injection (SQLi) that specifically blocks SQL injection attempts. Option C (rate-based rule) is for DDoS.

Option A (cross-site scripting) is for XSS. Option D (geographic match) is for geo-blocking.

1540
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should be used?

A.Security group assigned to the S3 bucket
B.IAM policy with aws:SourceIp condition
C.S3 bucket policy with aws:SourceVpc condition
D.Network ACL attached to the S3 bucket
AnswerC

The aws:SourceVpc condition key restricts access to requests originating from the specified VPC.

Why this answer

Option C is correct because S3 bucket policies support the `aws:SourceVpc` condition key, which allows you to restrict access to requests originating from a specific VPC. This works by evaluating the VPC ID from which the request was made, using the source VPC information that AWS automatically includes in requests from VPC endpoints. No other mechanism (security groups, IAM source IP conditions, or network ACLs) can directly enforce VPC-level access control on S3.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups, NACLs) with service-level controls (bucket policies) and assume that S3 can be protected like an EC2 instance, when in fact S3 only supports bucket policies and IAM policies for access control.

How to eliminate wrong answers

Option A is wrong because security groups are network-level firewalls for EC2 instances and cannot be assigned to S3 buckets; S3 is a managed service that does not support security group attachments. Option B is wrong because `aws:SourceIp` condition in IAM policies checks the originating IP address, not the VPC, so it cannot restrict access based on VPC membership and would not work for traffic from a VPC endpoint where the source IP is internal. Option D is wrong because network ACLs are stateless firewalls attached to subnets, not to S3 buckets, and they cannot control access to S3 at the bucket level.

1541
Multi-Selecteasy

Which TWO AWS services can be used to detect unauthorized access to an S3 bucket? (Select TWO.)

Select 2 answers
A.AWS WAF
B.AWS CloudTrail
C.Amazon GuardDuty
D.Amazon Macie
E.AWS Config
AnswersC, D

GuardDuty includes S3 threat detection findings.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across AWS accounts and workloads. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze S3 data events (e.g., GetObject, PutObject) logged via CloudTrail management and data events, identifying suspicious patterns such as unusual access from a known malicious IP address or an anonymous user gaining access to an S3 bucket.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (a logging service) with a detection service, forgetting that CloudTrail only records events and does not analyze or alert on unauthorized access without additional services like GuardDuty or Amazon Detective.

1542
MCQhard

A company uses AWS CloudTrail to log all API calls. The security team notices that some expected log entries are missing for actions performed by an IAM role assumed by an EC2 instance. The instance has the required permissions. What is the MOST likely cause of the missing log entries?

A.The EC2 instance is in a VPC that has a VPC endpoint for CloudTrail, but the endpoint policy denies logging.
B.CloudTrail is not logging read-only API calls by default; the trail must be configured to log read events.
C.CloudTrail trail is not configured to log data events for EC2.
D.The IAM role used by the EC2 instance has a permissions boundary that excludes cloudtrail:PutLogEvents.
AnswerD

If a permissions boundary denies cloudtrail:PutLogEvents, CloudTrail cannot deliver log files for that role's actions, resulting in missing entries.

Why this answer

Option D is correct because CloudTrail logs are delivered to an S3 bucket, and the IAM role must have permissions to write logs via `cloudtrail:PutLogEvents`. If a permissions boundary on the role explicitly denies this action, the role cannot deliver log entries to CloudTrail, even if the role has other required permissions. This explains why expected log entries are missing despite the instance having the necessary permissions to perform the API calls.

Exam trap

The trap here is that candidates assume missing log entries are due to CloudTrail configuration (e.g., data events or read-only settings) rather than recognizing that the IAM role itself may lack the specific permission to deliver logs to CloudTrail, which is a subtle but critical requirement.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for CloudTrail is used to send log data from CloudTrail to S3, not to log API calls; the endpoint policy would affect delivery, not the logging of actions performed by the EC2 instance. Option B is wrong because CloudTrail logs all API calls (both read and write) by default when management events are enabled; read-only events are not excluded unless the trail is explicitly configured to log only write events. Option C is wrong because the missing log entries are for management API calls (e.g., EC2 actions), not data events (e.g., S3 object-level operations); data events are an additional configuration and are not required for logging standard EC2 API actions.

1543
MCQhard

A security engineer needs to monitor AWS API calls for potential unauthorized access. The engineer wants to be alerted when a specific IAM user performs a high-risk action like deleting a CloudTrail trail. What is the MOST efficient way to achieve this?

A.Configure CloudTrail to send logs to CloudWatch Logs and create a metric filter with an alarm.
B.Enable VPC Flow Logs and analyze with Elasticsearch.
C.Use Amazon Athena to query CloudTrail logs daily for the action.
D.Enable Amazon GuardDuty with a custom threat list.
E.Create a CloudWatch Events rule that matches the API call and sends an SNS notification.
AnswerE

CloudWatch Events can filter CloudTrail events in real-time.

Why this answer

Option E is correct because CloudWatch Events can filter for specific API calls and trigger an SNS notification. Option A is wrong because CloudTrail does not have built-in alerting. Option C is wrong because Athena is for querying logs, not real-time alerting.

Option D is wrong because GuardDuty does not monitor for specific API calls by a user. Option B is wrong because VPC Flow Logs are for network traffic.

1544
MCQhard

A Security Engineer is designing a network architecture for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier, and the database tier only from the application tier. All tiers are in the same VPC. Which configuration meets these requirements with minimal administrative overhead?

A.Use network ACLs with inbound rules that reference the prefix list of the previous tier's subnets.
B.Use network ACLs with inbound rules that allow traffic from the previous tier's subnet CIDR.
C.Use security groups with inbound rules that allow traffic from the previous tier's public IP addresses.
D.Use security groups with inbound rules that reference the security group of the previous tier.
AnswerD

Security groups are stateful and can reference other security groups, simplifying rule management.

Why this answer

Option D is correct because security group rules can reference other security groups by ID, allowing traffic between tiers without managing IP addresses. Option B is wrong because NACLs are stateless and require explicit allow rules for return traffic, adding complexity. Option C is wrong because using public IPs for internal communication is unnecessary and insecure.

Option A is wrong because prefix lists are used for IP address management, not for allowing traffic between security groups.

1545
MCQhard

A company uses AWS KMS to encrypt EBS volumes. They want to ensure that the key used for EBS encryption is not shared across different AWS accounts. Which feature should they use?

A.Use a CloudHSM custom key store.
B.Use the key's alias to restrict access.
C.Enable automatic key rotation.
D.Configure the key policy to deny access to any principal from another AWS account.
AnswerD

Key policy can explicitly deny cross-account access.

Why this answer

Option D is correct because AWS KMS key policies can explicitly deny access to principals from other AWS accounts by using the `aws:SourceAccount` or `aws:SourceArn` condition keys, or by specifying a `Deny` statement with a condition that checks the account ID. This ensures that the KMS key used for EBS encryption cannot be used by any IAM principal or role from a different AWS account, preventing cross-account key sharing.

Exam trap

The trap here is that candidates often confuse key rotation (Option C) or aliases (Option B) with access control, or assume that CloudHSM (Option A) inherently isolates keys across accounts, when in fact only the key policy can enforce account-level restrictions.

How to eliminate wrong answers

Option A is wrong because CloudHSM custom key stores provide a hardware security module (HSM) for key storage but do not inherently restrict cross-account access; the key policy must still be configured to deny other accounts. Option B is wrong because a key's alias is simply a friendly name for the key and does not enforce any access control; aliases are not evaluated in authorization decisions. Option C is wrong because automatic key rotation only changes the cryptographic material of the key over time (typically annually) and has no effect on cross-account access permissions.

1546
MCQmedium

A security engineer is troubleshooting an issue where an IAM role used by an EC2 instance cannot access an S3 bucket, even though the role has an attached policy that grants s3:GetObject on the bucket. The bucket policy does not explicitly deny access. What is the most likely cause?

A.A service control policy (SCP) is denying access
B.The bucket policy does not grant access to the IAM role
C.The IAM policy is attached to the user instead of the role
D.The bucket has an explicit deny in its policy
AnswerB

When using an IAM role, the bucket policy must explicitly allow the role, otherwise the implicit denial applies.

Why this answer

Option B is correct because for cross-account access or access from EC2, the bucket policy must explicitly grant access to the role. Option D is incorrect because an explicit deny is not present. Option C is incorrect because the policy is attached to the role, not the user.

Option A is incorrect because service control policies (SCPs) are not mentioned and would be an organization-level deny.

1547
Multi-Selectmedium

A company needs to enforce encryption in transit for all traffic between an Amazon EC2 instance and an Amazon RDS database. Which TWO steps should be taken?

Select 2 answers
A.Enable TLS on the RDS database and configure the database to require encrypted connections.
B.Configure security groups to allow traffic only on port 3306 (MySQL) or 5432 (PostgreSQL).
C.Set up a VPN connection between the EC2 instance and the RDS database.
D.Enable encryption at rest on the RDS instance.
E.Configure the application to connect using TLS/SSL.
AnswersA, E

Enforces encryption for client connections.

Why this answer

Options A and E are correct. To enforce encryption in transit, you must enable TLS on the RDS instance and require encrypted connections from the client. Option B is wrong because security group rules do not enforce encryption.

Option C is wrong because using a VPN does not enforce encryption at the database layer. Option D is wrong because enabling encryption at rest does not affect transit.

1548
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all CloudFormation stacks include a specific tag "Environment" with a value of "Production" or "Development". Which approach should be used?

A.Use AWS CloudFormation Guard to validate that the template includes the required tag with allowed values.
B.Apply an IAM policy that requires the tag on all CloudFormation actions.
C.Use AWS Config to detect and automatically remediate non-compliant stacks.
D.Create an SCP to deny CloudFormation stacks that do not have the required tag.
AnswerA

Guard can be integrated into CI/CD pipelines to enforce policies.

Why this answer

AWS CloudFormation Guard is a policy-as-code tool that can validate templates before deployment. SCPs apply to accounts, not stacks. IAM policies can require tags but not specific values easily.

Config rules are reactive.

1549
MCQeasy

A company wants to use AWS Direct Connect to establish a dedicated network connection from its on-premises data center to AWS. Which of the following is a security best practice when configuring Direct Connect?

A.Use a private virtual interface (VIF) and enable IPsec encryption for the traffic.
B.Use a public VIF to access all AWS services including VPC resources.
C.Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.
D.Use a private VIF and enable MACsec encryption at the physical layer.
AnswerA

Private VIF provides private connectivity; adding IPsec encrypts data in transit.

Why this answer

Option A is correct because using a private VIF ensures traffic goes over the AWS private network, not the internet, and encrypting with IPsec adds a layer of security. Option D is wrong because MACsec is for physical layer security and is not required for a private VIF. Option B is wrong because a public VIF is for public services and is less secure.

Option C is wrong because a VPN over Direct Connect is redundant if a private VIF is used.

1550
Multi-Selecteasy

A company needs to protect data at rest in Amazon S3. Which THREE mechanisms can be used to encrypt objects stored in S3?

Select 3 answers
A.Server-Side Encryption with S3-Managed Keys (SSE-S3)
B.Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
C.Client-Side Encryption
D.Server-Side Encryption with IAM-Managed Keys (SSE-IAM)
E.Server-Side Encryption with Customer-Provided Keys (SSE-C)
AnswersA, B, E

S3-managed keys encrypt data at rest.

Why this answer

Options A, B, and E are correct. SSE-S3 (option A) encrypts with S3-managed keys. SSE-C (option E) uses customer-provided keys.

SSE-KMS (option B) uses AWS KMS keys. Option C is wrong because client-side encryption is done by the client before upload, not by S3. Option D is wrong because there is no such option as SSE-IAM.

1551
MCQmedium

A company uses AWS Organizations and has enabled GuardDuty in the management account. The security team wants to view GuardDuty findings for all member accounts from a single delegated administrator account. Which configuration step is required?

A.Enable GuardDuty in each member account and configure cross-account IAM roles to aggregate findings in the management account.
B.Enable GuardDuty only in the management account and share findings via CloudWatch Logs cross-account subscription.
C.Designate a delegated administrator account in Organizations, then enable GuardDuty in that account. GuardDuty will automatically aggregate findings from member accounts.
D.Enable GuardDuty in the management account and use CloudWatch cross-account dashboard to view findings from member accounts.
AnswerC

Correct design for centralized GuardDuty.

Why this answer

Option C is correct because AWS Organizations allows you to designate a delegated administrator account for GuardDuty, which can then manage and view findings from all member accounts without needing to enable GuardDuty individually in each account. Once the delegated administrator is set up, GuardDuty automatically aggregates findings from all member accounts in the organization, providing a single-pane-of-glass view for the security team.

Exam trap

The trap here is that candidates often assume GuardDuty must be enabled manually in each account or that CloudWatch cross-account features can aggregate GuardDuty findings, but the exam tests knowledge of the delegated administrator feature which is the native, automated solution for multi-account aggregation.

How to eliminate wrong answers

Option A is wrong because it describes a manual, cross-account IAM role approach that is unnecessary and less efficient; GuardDuty's delegated administrator feature eliminates the need for per-account enablement and custom aggregation. Option B is wrong because enabling GuardDuty only in the management account does not allow it to monitor member account activity; GuardDuty must be enabled in each account (or via the delegated administrator) to generate findings from those accounts, and CloudWatch Logs cross-account subscription is not the intended mechanism for aggregating GuardDuty findings. Option D is wrong because CloudWatch cross-account dashboards can visualize metrics but do not automatically aggregate GuardDuty findings from member accounts; GuardDuty findings are not natively pushed to CloudWatch as metrics without additional configuration, and the delegated administrator approach is the correct method.

1552
MCQmedium

Refer to the exhibit. A security engineer runs the above command and sees the security group configuration. Based on the output, which statement is correct?

A.The security group has no outbound rules.
B.The security group allows SSH access from any IP address.
C.The security group allows HTTP traffic from the internet.
D.The security group is associated with multiple EC2 instances.
AnswerC

HTTP is allowed from 0.0.0.0/0.

Why this answer

The security group allows HTTP from anywhere (0.0.0.0/0) and SSH from a specific IP range. The outbound rule allows all traffic. Option C is correct.

Option B is incorrect because SSH is not open to all. Option A is incorrect because there is an outbound rule. Option D is incorrect because there is only one security group.

1553
MCQhard

A company wants to grant cross-account access to an S3 bucket. The bucket policy allows access from account 111111111111. An IAM user in account 111111111111 has a policy allowing s3:GetObject on that bucket. However, the user gets AccessDenied. What is the most likely reason?

A.The S3 bucket is in a different region and requires a VPC endpoint.
B.The IAM user policy is attached to a group, not directly to the user.
C.The bucket policy grants access to the account, but the IAM user's ARN is not explicitly listed.
D.The IAM user policy has an explicit deny for s3:GetObject.
AnswerC

When granting cross-account, the bucket policy must specify the IAM user ARN or a condition.

Why this answer

Option C is correct because the S3 bucket policy must explicitly grant access to the IAM user ARN, not just the account. Option D is wrong because an explicit deny in the IAM policy would be unusual. Option A is wrong because S3 does not require VPC endpoints.

Option B is wrong because the user is in the same account as the policy.

1554
Multi-Selectmedium

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for whitelisting by third-party services. Which TWO actions should the engineer take?

Select 2 answers
A.Use a VPC Peering connection to a central VPC with an Internet Gateway.
B.Deploy a NAT Gateway in a private subnet.
C.Configure the private subnet route table with a default route to an Internet Gateway.
D.Deploy a NAT Gateway in a public subnet and assign an Elastic IP.
E.Attach an Internet Gateway to the VPC.
AnswersD, E

Correct placement and IP assignment for outbound traffic.

Why this answer

A NAT Gateway in a public subnet with an Elastic IP allows private instances to access the internet using a single IP, and the VPC must have an Internet Gateway attached for the NAT Gateway to reach the internet. Route tables for private subnets must point the default route (0.0.0.0/0) to the NAT Gateway.

1555
MCQmedium

A security engineer needs to detect and alert on suspicious API calls made from a compromised EC2 instance. The instance is associated with an IAM role that has permissions to call various AWS APIs. Which AWS service should the engineer use to monitor API calls and trigger alerts?

A.Amazon GuardDuty
B.AWS CloudTrail combined with Amazon CloudWatch Events
C.AWS Config
D.VPC Flow Logs
AnswerB

CloudTrail logs API calls; CloudWatch Events can trigger alerts based on those logs.

Why this answer

AWS CloudTrail records all API calls made by or on behalf of the EC2 instance's IAM role. By sending these logs to Amazon CloudWatch Events (now Amazon EventBridge), you can create rules that match specific API actions (e.g., 'ec2:TerminateInstances') and trigger alerts via SNS, Lambda, or other targets. This combination provides real-time monitoring and alerting for suspicious API activity from a compromised instance.

Exam trap

The trap here is that candidates confuse GuardDuty's threat detection capabilities with the need for custom alerting on specific API calls, overlooking that CloudTrail combined with CloudWatch Events (EventBridge) is the correct service pair for granular, user-defined monitoring and alerting.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious behavior, but it does not natively trigger custom alerts for specific API calls; it generates its own findings. Option C is wrong because AWS Config is a resource inventory and compliance service that evaluates configuration changes against rules, not a real-time API monitoring and alerting service. Option D is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log API calls or IAM role activity, so they cannot detect suspicious API calls.

1556
MCQeasy

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its targets. Which configuration should be used?

A.Configure the ALB with a TCP listener and use Network Load Balancer.
B.Configure the ALB with an HTTPS listener and use HTTPS as the protocol for the target group.
C.Configure the ALB security group to allow only encrypted traffic.
D.Configure the ALB with an HTTP listener and use a security group to enforce encryption.
AnswerB

HTTPS provides encryption in transit between ALB and targets.

Why this answer

Option B is correct because HTTPS listeners on the ALB can terminate TLS and optionally re-encrypt traffic to targets using HTTPS. Option D is wrong because HTTP does not encrypt data. Option A is wrong because TCP listeners do not provide encryption.

Option C is wrong because the security group does not control encryption.

1557
MCQhard

A company is designing a data protection strategy for sensitive data stored in Amazon S3. Compliance requirements mandate that all data be encrypted at rest using customer-provided keys (SSE-C). Which solution meets the requirements with minimal operational overhead?

A.Use server-side encryption with Amazon S3 managed keys (SSE-S3) and enable bucket versioning.
B.Use client-side encryption with the AWS Encryption SDK and store keys in the application configuration.
C.Use server-side encryption with customer-provided keys (SSE-C) and store the keys in AWS Secrets Manager.
D.Use server-side encryption with AWS KMS managed keys (SSE-KMS) and enable automatic key rotation.
AnswerC

SSE-C uses customer-provided keys; storing keys in Secrets Manager adds convenience.

Why this answer

Option C is correct because S3 server-side encryption with customer-provided keys (SSE-C) allows the customer to manage encryption keys while AWS handles encryption/decryption, meeting compliance with minimal overhead. Option D is wrong because using KMS with a customer-managed key (SSE-KMS) is not SSE-C. Option B is wrong because client-side encryption requires managing keys outside AWS, increasing overhead.

Option A is wrong because SSE-S3 uses AWS-managed keys, not customer-provided keys.

1558
Multi-Selecteasy

A security engineer needs to ensure that all API calls in an AWS account are logged for auditing purposes. Which TWO services should the engineer enable? (Select TWO.)

Select 2 answers
A.VPC Flow Logs
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.Amazon GuardDuty
E.AWS Config
AnswersB, E

CloudTrail logs API calls for governance and auditing.

Why this answer

Option B and Option E are correct. CloudTrail logs API activity, and AWS Config records resource configuration changes for auditing. Option A is wrong because VPC Flow Logs capture network traffic, not API calls.

Option C is wrong because CloudWatch Logs stores log data but does not log API calls by itself. Option D is wrong because GuardDuty is a threat detection service, not a logging service.

1559
MCQhard

A company has a CloudTrail trail that logs management events for all regions. The security team notices that some S3 data events are not being logged. How should the team enable logging for all S3 data events?

A.Update the existing CloudTrail trail to include data events for S3
B.Create a new CloudTrail trail that logs only data events
C.Use Amazon GuardDuty to monitor S3 access
D.Enable S3 server access logging on each bucket
AnswerA

Existing trails can be updated to include data events.

Why this answer

CloudTrail data events must be explicitly enabled. The existing trail can be updated to include data events. Creating a new trail with management events only would not capture data events.

S3 server access logs are separate.

1560
MCQmedium

A company uses AWS Organizations with multiple accounts and wants to ensure that all newly created S3 buckets have encryption enabled. The Security team needs a solution that automatically remediates non-compliant buckets without manual intervention. What should they do?

A.Apply a service control policy (SCP) that denies the s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption actions unless the bucket has encryption enabled.
B.Use an S3 bucket policy that denies PutObject unless the request includes the x-amz-server-side-encryption header.
C.Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule and set up automatic remediation using Systems Manager Automation.
D.Create an IAM role with permissions to enforce encryption and attach it to all accounts in the organization.
AnswerA

SCPs can prevent creation of buckets that do not meet encryption requirements, providing preventive control.

Why this answer

Option A is correct because a service control policy (SCP) that denies the s3:PutBucketEncryption action unless the bucket already has encryption enabled effectively prevents creation of unencrypted buckets. SCPs operate at the AWS Organizations level and apply to all accounts, ensuring that any attempt to create or modify a bucket without encryption is denied, providing automated, organization-wide governance without manual intervention.

Exam trap

The trap here is that candidates often confuse reactive detection and remediation (like AWS Config with automation) with proactive prevention (like SCPs), and fail to realize that SCPs can enforce conditions on bucket creation itself, not just on object uploads.

How to eliminate wrong answers

Option B is wrong because an S3 bucket policy that denies PutObject unless the x-amz-server-side-encryption header is present only enforces encryption on objects uploaded to existing buckets, not on the bucket creation itself, and does not prevent creation of unencrypted buckets. Option C is wrong because AWS Config with the s3-bucket-server-side-encryption-enabled rule can detect non-compliant buckets, but automatic remediation using Systems Manager Automation requires manual setup and may not prevent creation in real time; it is reactive rather than proactive. Option D is wrong because creating an IAM role with permissions to enforce encryption and attaching it to all accounts does not automatically enforce encryption on new buckets; it only provides the capability, and users could still create buckets without encryption if they have other permissions.

1561
MCQhard

A company uses Amazon GuardDuty to monitor for threats. The security team receives a high-severity finding: 'UnauthorizedAccess:EC2/SSHBruteForce'. The finding indicates a single EC2 instance with a public IP is receiving SSH connection attempts from multiple external IPs. The instance is part of an Auto Scaling group and is fronted by an Application Load Balancer (ALB). The security team wants to block the attacking IPs without disrupting legitimate traffic. What is the MOST effective approach?

A.Stop the EC2 instance and launch a new one in a different subnet.
B.Modify the security group of the EC2 instance to deny inbound SSH from the attacking IPs.
C.Create a network ACL rule on the subnet to deny inbound traffic from the attacking IPs.
D.Configure AWS WAF on the ALB to block the attacking IPs using an IP set rule.
AnswerD

AWS WAF can filter incoming requests to the ALB, blocking malicious IPs while allowing legitimate traffic. This can be automated via GuardDuty findings triggering a Lambda function.

Why this answer

GuardDuty can automatically update AWS WAF web ACLs via CloudWatch Events and Lambda. Since the ALB is the entry point, blocking at the WAF level prevents attacks before they reach the instance.

1562
MCQhard

A multinational corporation uses AWS Organizations to manage multiple accounts. The security team requires that all data in S3 buckets across all accounts be encrypted at rest using customer-managed KMS keys. They have created a Service Control Policy (SCP) to deny creation of S3 buckets without encryption. However, upon testing, they find that a user in a member account can still create an unencrypted bucket. The SCP is attached to the root organizational unit. The SCP statement is: {"Effect":"Deny","Action":"s3:CreateBucket","Resource":"*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}. What is the MOST likely reason the SCP is not working?

A.The SCP requires the member account to enable SCP enforcement.
B.The condition key s3:x-amz-server-side-encryption is incorrect; the correct key is s3:x-amz-server-side-encryption-aws-kms-key-id.
C.The SCP is not effective because IAM policies are evaluated before SCPs.
D.The SCP does not apply to the management account where the test was performed.
AnswerD

SCPs do not apply to the management account; they only apply to member accounts.

Why this answer

Option D is correct because SCPs do not affect the management account; they only apply to member accounts. Option C is wrong because SCPs are not evaluated before IAM policies; they are evaluated after but are still effective. Option B is wrong because the SCP uses the correct condition key.

Option A is wrong because SCPs do not need to be explicitly enabled by the member account; they are effective automatically when attached.

1563
MCQeasy

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The instances are behind an Application Load Balancer. The security team wants to ensure that only the ALB can send traffic to the instances. The instances are in a security group named 'app-sg'. Currently, 'app-sg' has an inbound rule allowing HTTP traffic from 0.0.0.0/0. The team wants to restrict access to only the ALB's security group. The ALB is in a security group named 'alb-sg'. Which course of action should the security engineer take to meet the requirement with minimal disruption?

A.Modify the inbound rule of 'app-sg' to allow HTTP traffic from the private IP addresses of the ALB nodes.
B.Modify the inbound rule of 'app-sg' to allow HTTPS traffic from 0.0.0.0/0 and remove the HTTP rule.
C.Modify the inbound rule of 'app-sg' to allow HTTP traffic from the ALB's elastic network interface (ENI).
D.Modify the inbound rule of 'app-sg' to allow HTTP traffic from security group 'alb-sg'.
AnswerD

Correct: This restricts inbound traffic to only the ALB, as the ALB is associated with 'alb-sg'.

Why this answer

Option D is correct because security groups can reference each other by ID, allowing traffic from any instance associated with the source security group (alb-sg) without needing to know the ALB's IP addresses. This ensures that only the ALB can send HTTP traffic to the EC2 instances, as the rule dynamically applies to all ALB nodes across Availability Zones. It also minimizes disruption because no IP changes are required, and the rule automatically scales with the ALB.

Exam trap

The trap here is that candidates may think they need to use the ALB's private IP addresses or ENI details, but AWS security groups support referencing other security groups by ID, which is the correct and scalable method for this use case.

How to eliminate wrong answers

Option A is wrong because ALB nodes use elastic network interfaces (ENIs) with private IPs that can change during scaling or replacement, making this approach brittle and requiring constant updates; it also violates the principle of using security group references for dynamic environments. Option B is wrong because allowing HTTPS from 0.0.0.0/0 still permits traffic from any source, failing to restrict access to only the ALB, and removing the HTTP rule does not address the requirement. Option C is wrong because referencing an ALB's ENI is not a valid security group rule source; security groups can only reference other security groups or CIDR blocks, not specific ENIs.

1564
MCQeasy

An administrator runs the AWS CLI command shown in the exhibit. What does this command do?

A.Lists all IAM policies in the account
B.Lists the managed policies attached to the user 'MyRole'
C.Lists the managed policies attached to the role 'MyRole'
D.Lists all inline policies attached to the role 'MyRole'
AnswerC

The output shows the managed policies (by name and ARN) attached to the role.

Why this answer

Option C is correct. The command lists the managed policies attached to a role named 'MyRole'. Option D is wrong because the command lists attached policies, not inline policies.

Option B is wrong because the command lists the policies attached to a role, not a user. Option A is wrong because it lists attached policies, not all policies in the account.

1565
MCQeasy

A company's security policy requires that all IAM users must use strong passwords. Which IAM feature should be used to enforce this requirement?

A.AWS Organizations
B.AWS Key Management Service (AWS KMS)
C.AWS CloudTrail
D.IAM password policy
AnswerD

IAM password policy enforces password requirements for IAM users.

Why this answer

Option D is correct because IAM password policies allow enforcing complexity, length, and rotation. Option B is wrong because AWS KMS is for encryption keys. Option A is wrong because AWS Organizations is for managing multiple accounts.

Option C is wrong because AWS CloudTrail is for logging.

1566
MCQhard

An organization has a requirement to retain all security logs for at least 7 years for compliance. The logs are stored in Amazon S3 and are rarely accessed. Which storage class is the MOST cost-effective for this retention period?

A.S3 Glacier Deep Archive
B.S3 Standard
C.S3 One Zone-IA
D.S3 Intelligent-Tiering
AnswerA

Lowest cost for long-term archival with retrieval time of 12 hours.

Why this answer

Option A is correct because S3 Glacier Deep Archive is designed for long-term retention of data that is accessed rarely, with a retrieval time of 12 hours, and is the lowest-cost storage class. Option B is wrong because S3 Standard is for frequently accessed data and is expensive. Option D is wrong because S3 Intelligent-Tiering is for data with unknown access patterns and is still not the cheapest option for 7 years.

Option C is wrong because S3 One Zone-IA is for infrequent access but is not designed for long-term archival.

1567
MCQmedium

A company is using Amazon GuardDuty to monitor for malicious activity. The security team wants to automatically isolate an EC2 instance that is flagged for outbound communication with a known malicious IP address. Which approach is the most efficient and scalable?

A.Use a CloudWatch Alarm to directly invoke a Lambda function to isolate the instance.
B.Use AWS Config to automatically terminate the instance when a GuardDuty finding is reported.
C.Use Amazon EventBridge to invoke an AWS Lambda function that modifies the instance's security group.
D.Create a CloudWatch alarm on GuardDuty findings and modify the subnet's network ACL to block the traffic.
AnswerC

Scalable and targeted.

Why this answer

Option C is correct because GuardDuty can send findings to EventBridge, which can trigger a Lambda function to modify the instance's security group to isolate it. Option D is wrong because modifying the NACL would affect the entire subnet, not just the instance. Option B is wrong because terminating the instance is too drastic and may cause data loss.

Option A is wrong because CloudWatch Alarms cannot directly trigger Lambda for GuardDuty findings.

1568
Multi-Selectmedium

A security engineer needs to implement a solution to detect and alert on suspicious API calls in an AWS account. Which TWO AWS services should be integrated to achieve this? (Choose two.)

Select 2 answers
A.AWS Config
B.Amazon Inspector
C.AWS CloudTrail
D.AWS Trusted Advisor
E.Amazon GuardDuty
AnswersC, E

Correct: CloudTrail records API calls for analysis by GuardDuty.

Why this answer

Option C and Option E are correct. Amazon GuardDuty can analyze CloudTrail events to detect suspicious API calls. Option A is wrong because AWS Config evaluates configurations, not API calls.

Option B is wrong because Amazon Inspector assesses EC2 vulnerabilities. Option D is wrong because AWS Trusted Advisor provides best-practice checks.

1569
MCQmedium

A security engineer needs to analyze large volumes of VPC Flow Logs stored in Amazon S3 to identify anomalous traffic patterns. Which approach is MOST cost-effective and scalable?

A.Use AWS Glue to catalog and query the logs.
B.Download the logs to an EC2 instance and use grep commands.
C.Use Amazon Athena with partitioned data in S3.
D.Use Amazon QuickSight to directly query the logs.
AnswerC

Athena is serverless and cost-effective for querying data in S3.

Why this answer

Amazon Athena is the most cost-effective and scalable solution for querying large volumes of VPC Flow Logs stored in S3 because it uses a serverless, pay-per-query model with no infrastructure to manage. By partitioning the data (e.g., by date or region), Athena minimizes the amount of data scanned per query, directly reducing costs while enabling complex SQL-based analysis for anomaly detection.

Exam trap

The trap here is that candidates may confuse AWS Glue's cataloging role with a query engine, or assume QuickSight can directly query S3 without an intermediate service, leading them to overlook Athena's serverless, pay-per-query model as the optimal choice for scalable log analysis.

How to eliminate wrong answers

Option A is wrong because AWS Glue is primarily a metadata catalog and ETL service, not optimized for direct ad-hoc querying of large datasets; using Glue for this purpose would incur unnecessary costs for crawlers and ETL jobs without providing the scalable, on-demand querying that Athena offers. Option B is wrong because downloading logs to an EC2 instance and using grep is not scalable for large volumes, introduces egress costs from S3, requires managing EC2 resources, and cannot efficiently handle complex analytical queries across terabytes of data. Option D is wrong because Amazon QuickSight is a business intelligence visualization tool that relies on a query engine like Athena or a database; directly querying S3 with QuickSight is not supported—it would need Athena as an intermediary, making the suggestion technically incorrect and inefficient.

1570
MCQeasy

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. Which policy should be attached to the bucket to enforce this?

A.Configure a bucket policy that denies requests that do not include the x-amz-server-side-encryption header.
B.Attach a bucket policy that denies requests when aws:SecureTransport is false.
C.Enable default encryption on the bucket using SSE-S3.
D.Use Amazon CloudFront to serve the content and require HTTPS.
AnswerB

This enforces HTTPS for all requests.

Why this answer

Option B is correct. An S3 bucket policy with a condition that denies access if the request does not use aws:SecureTransport (HTTPS) ensures encryption in transit. Option C (enable default encryption with SSE-S3) is for at-rest encryption.

Option A (require the x-amz-server-side-encryption header) is also at-rest encryption. Option D (use CloudFront) does not enforce HTTPS for direct access to the bucket.

1571
Multi-Selectmedium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty with threat detection enabled.
B.AWS Config with recording enabled for all resources.
C.Amazon S3 lifecycle policy to transition logs to S3 Glacier after one year.
D.VPC Flow Logs for all VPCs.
E.AWS CloudTrail with organization trail.
AnswersC, E

This ensures logs are retained and cost-effective.

Why this answer

Option C is correct because an Amazon S3 lifecycle policy can automatically transition CloudTrail log objects from S3 Standard to S3 Glacier after one year, meeting the retention requirement cost-effectively. Option E is correct because AWS CloudTrail with an organization trail logs all API calls across all accounts in the AWS Organization, ensuring comprehensive logging.

Exam trap

The trap here is that candidates often confuse AWS Config (which records resource configuration changes) with CloudTrail (which records API calls), leading them to select Config as a logging solution for API activity.

1572
MCQhard

Refer to the exhibit. A security engineer reviews IAM permissions for the 'admin' user. The user is a member of the 'Administrators' group, which has the 'AdministratorAccess' managed policy attached. Additionally, the user has an inline policy named 'AllowSSH'. The engineer wants to ensure that the user can only start SSM sessions on instances with the tag 'SSH: enabled'. However, the user can still start sessions on any instance. What is the most likely reason?

A.The inline policy does not include 'ec2:DescribeInstances' for the SSM session, so it cannot start sessions.
B.The condition 'aws:ResourceTag/SSH' should be 'aws:RequestTag/SSH' to check the request tag.
C.The inline policy uses 'Allow' instead of 'Deny' for instances without the tag, so it does not restrict access.
D.The inline policy 'AllowSSH' is not effective because it is overridden by the group policy 'AdministratorAccess'.
AnswerC

The inline policy allows SSM StartSession only on tagged instances, but since the group policy allows all actions, the effective permission is still 'Allow' on all instances. To restrict, a 'Deny' statement is needed for instances without the tag.

Why this answer

The group policy 'AdministratorAccess' grants full access, including ssm:StartSession on all resources. The inline policy's Allow with condition is not restrictive; it only adds an additional Allow path. To restrict, a Deny statement must be used to explicitly block instances without the tag.

1573
Multi-Selecteasy

Which TWO AWS services can be used to monitor network traffic for malicious activity? (Select TWO.)

Select 2 answers
A.AWS Network Firewall
B.Amazon GuardDuty
C.AWS Shield
D.AWS WAF
E.Amazon Inspector
AnswersA, B

Network Firewall provides stateful inspection and threat detection.

Why this answer

Options A and B are correct. Amazon GuardDuty analyzes VPC Flow Logs, DNS logs, and CloudTrail for threats. AWS Network Firewall provides stateful inspection to detect malicious traffic.

Option D is wrong because AWS WAF is a web application firewall. Option C is wrong because AWS Shield is for DDoS protection. Option E is wrong because Amazon Inspector is for vulnerability assessment.

1574
Multi-Selecteasy

A company needs to encrypt data at rest in Amazon RDS for SQL Server. Which TWO methods can be used? (Choose two.)

Select 2 answers
A.Use a client-side encryption library.
B.Use column-level encryption with Always Encrypted.
C.Use SSL/TLS certificates to encrypt the connection.
D.Use SQL Server Transparent Data Encryption (TDE).
E.Enable encryption on the DB instance at launch time.
AnswersD, E

TDE encrypts the database files at rest.

Why this answer

Options D and E are correct. Enabling encryption at launch encrypts the entire instance, and Transparent Data Encryption (TDE) is a SQL Server feature for encryption. Option B is incorrect because column-level encryption is possible but not native to RDS.

Option C is incorrect because SSL/TLS encrypts data in transit, not at rest. Option A is incorrect because client-side encryption is not an RDS feature.

1575
MCQmedium

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all objects uploaded to the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). What should the security team do to enforce this requirement?

A.Use an S3 bucket policy that requires the x-amz-server-side-encryption-aws-kms-key-id header to match a specific KMS key.
B.Use an S3 bucket policy with a condition that requires the x-amz-server-side-encryption header to be present.
C.Configure the bucket's default encryption to use SSE-KMS.
D.Use an S3 bucket policy with a condition that denies PutObject if the x-amz-server-side-encryption header is not set to 'aws:kms'.
AnswerD

This policy denies uploads that do not use SSE-KMS, effectively enforcing the requirement.

Why this answer

Option D is correct because an S3 bucket policy denying PutObject requests that do not include the x-amz-server-side-encryption header set to aws:kms ensures that only objects encrypted with SSE-KMS can be uploaded. Option A is wrong because bucket policies cannot enforce default encryption; they can only deny requests based on conditions. Option C is wrong because enabling default encryption does not prevent uploads without encryption headers.

Option B is wrong because a header that is merely present could specify SSE-S3, which is not KMS encryption.
