AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 1576-1650

1738 questions total · 24 pages · All types, answers revealed

Page 22 of 24
1576
MCQ · hard

Refer to the exhibit. A security engineer wants to monitor a Lambda function for errors and create a CloudWatch alarm when errors exceed a threshold. The engineer notices the log group exists but has no metric filters. What should the engineer do to set up the alarm?

A.Enable CloudWatch Contributor Insights for the Lambda function to automatically detect errors.
B.Create a metric filter on the log group to count occurrences of 'ERROR' in log streams, then create an alarm based on that metric.
C.Configure the Lambda function to publish custom metrics for errors instead of relying on logs.
D.Use CloudWatch Logs Insights to query logs for errors and create an alarm directly from the query results.
AnswerB

This is the standard approach: define a metric filter to extract error counts from logs, then create an alarm.

Why this answer

The exhibit shows a log group with no metric filters. To alarm on errors that appear in the log output, the engineer creates a metric filter whose pattern matches the error text (the literal `ERROR` here) and publishes a count to a custom metric, then creates a CloudWatch alarm on that metric. Two caveats for practice: a metric filter only counts events ingested after it is created, so there is no history to alarm on at first; and Lambda already emits an `Errors` metric in the `AWS/Lambda` namespace for failed invocations, so the metric filter is the right tool when the signal is something the function logs rather than a failed invocation.
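As an added example (not code from the original page), the two resources that implement option B in CloudFormation. The function name, the `Custom/Lambda` namespace and the SNS topic are assumptions:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Metric filter on a Lambda log group plus an alarm on the resulting metric
Parameters:
  FunctionName:
    Type: String
    Description: Name of the existing Lambda function (assumed)
  AlarmTopicArn:
    Type: String
    Description: SNS topic ARN to notify when the alarm fires (assumed)
Resources:
  ErrorMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Sub "/aws/lambda/${FunctionName}"
      # Matches any event containing the term ERROR; "?ERROR ?Exception" would match either term
      FilterPattern: "ERROR"
      MetricTransformations:
        - MetricNamespace: Custom/Lambda
          MetricName: !Sub "${FunctionName}-LoggedErrors"
          MetricValue: "1"
          # Emit 0 in periods with no matches so the alarm has data instead of INSUFFICIENT_DATA
          DefaultValue: 0
  ErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${FunctionName}-logged-errors"
      Namespace: Custom/Lambda
      MetricName: !Sub "${FunctionName}-LoggedErrors"
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 5
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopicArn
```

The threshold and period are the tunables; `Sum` over a 5-minute period is the usual choice for a count metric. Because the metric is custom, the alarm must name the same namespace and metric name the filter publishes to.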

1577
MCQ · easy

A company has a requirement that all S3 buckets must block public access. The security engineer needs to continuously monitor for compliance and automatically remediate any noncompliant buckets. Which combination of AWS services should the engineer use?

A.Amazon GuardDuty and AWS Security Hub
B.AWS Config and AWS Lambda (or SSM Automation)
C.AWS Organizations SCPs and AWS CloudTrail
D.AWS Trusted Advisor and Amazon SNS
AnswerB

Config detects noncompliant resources, and remediation actions can fix them automatically.

Why this answer

AWS Config evaluates every bucket continuously against a managed rule such as `s3-bucket-public-read-prohibited`, `s3-bucket-public-write-prohibited` or `s3-bucket-level-public-access-prohibited`, and the remediation action attached to the rule (an SSM Automation document, or a Lambda function that the document or an EventBridge rule invokes) turns on the bucket's Block Public Access settings. Option A is wrong because GuardDuty and Security Hub detect threats and aggregate findings; neither evaluates bucket configuration against a rule or changes it. Option C is wrong because an SCP can only prevent future API calls and CloudTrail only records them; neither finds or fixes a bucket that is already public. Option D is wrong because Trusted Advisor runs periodic checks and SNS only notifies; there is no automatic remediation.

Practitioner note: the cheapest preventive control is the account-level S3 Block Public Access setting; Config adds the detective and corrective layer on top of it.
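An added example (not from the original page) of the remediation half of option B: a Lambda-style handler that reads the bucket name out of the Config evaluation event and applies all four Block Public Access settings. The S3 client is injected so the logic runs offline against the constructed `FakeS3`; in Lambda it would be `boto3.client("s3")`. The bucket name and the event are constructed.

```python
"""Lambda-style remediation for an AWS Config S3 public-access finding (added example)."""
import json

# Settings that put a bucket into the fully blocked state.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def bucket_from_config_event(event: dict) -> str:
    """Extract the bucket name from a Config rule evaluation event.

    Config passes the evaluated resource inside the JSON-encoded
    ``invokingEvent`` string as ``configurationItem.resourceName``.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::S3::Bucket":
        raise ValueError(f"not an S3 bucket: {item['resourceType']}")
    return item["resourceName"]


def remediate(event: dict, s3_client) -> dict:
    """Apply Block Public Access to the offending bucket and report what changed."""
    bucket = bucket_from_config_event(event)
    try:
        current = s3_client.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except Exception:  # boto3 raises NoSuchPublicAccessBlockConfiguration when nothing is set
        current = {}
    if all(current.get(k) for k in BLOCK_ALL):
        return {"bucket": bucket, "changed": False}
    s3_client.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    return {"bucket": bucket, "changed": True, "previous": current}


def lambda_handler(event, context):
    import boto3  # imported here so the module loads without boto3 installed
    return remediate(event, boto3.client("s3"))


# --- constructed test double and sample event (not real AWS data) ---
class FakeS3:
    """Mimics the two S3 client calls the handler uses."""

    def __init__(self, state):
        self.state = dict(state)
        self.calls = []

    def get_public_access_block(self, Bucket):
        if not self.state:
            raise RuntimeError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": dict(self.state)}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.calls.append((Bucket, dict(PublicAccessBlockConfiguration)))
        self.state = dict(PublicAccessBlockConfiguration)
        return {}


SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceName": "example-logs-bucket",  # constructed
            "configurationItemStatus": "OK",
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": "{}",
}
```

The handler is idempotent: re-running it on an already blocked bucket makes no API call, which matters when Config re-evaluates after the fix. Its execution role needs `s3:GetBucketPublicAccessBlock` and `s3:PutBucketPublicAccessBlock` on the buckets in scope.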

1578
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. Which solution meets these requirements?

A.Write a script that runs in each account using AWS Lambda to enable CloudTrail and point to the central bucket.
B.Use AWS Config rules in each account to check CloudTrail status and remediate via Lambda.
C.Use AWS CloudTrail with Organizations to create an organization trail that logs all accounts to the central bucket.
D.Create an IAM role that each account assumes to enable CloudTrail and log to the central bucket.
AnswerC

Organization trails automatically apply to all accounts in the organization.

Why this answer

With CloudTrail and AWS Organizations, a trail created in the management account (or in a delegated administrator account) as an organization trail is applied to every current and future member account, and all accounts deliver to the one S3 bucket; member accounts can see the trail but cannot modify or delete it. Option A is wrong because per-account scripting is not scalable and drifts as accounts are added. Option B is wrong because Config can detect a missing trail but does not enable one; remediation would still have to be built per account. Option D is wrong because a role grants permission but does nothing by itself; someone still has to create every trail.

Implementation note: the central bucket's policy must allow the `cloudtrail.amazonaws.com` service principal to write under the organization's `AWSLogs/<org-id>/` prefix, and if the bucket uses SSE-KMS the key policy must allow CloudTrail to use the key.

1579
MCQ · medium

A company uses IAM roles for EC2 instances. An application running on an EC2 instance needs to read from an S3 bucket in another AWS account. What is the most secure way to grant access?

A.Create an IAM role in the target account with read access to the bucket, and allow the EC2 instance's role to assume it.
B.Store the other account's IAM user access keys in the EC2 instance.
C.Make the bucket public.
D.Create a bucket policy that allows access from the EC2 instance's public IP.
AnswerA

Uses cross-account role assumption, following security best practices.

Why this answer

Option A is correct because a role in the bucket owner's account, trusted by the instance's role, lets the application obtain short-lived credentials from STS and read the bucket without any long-term secret on the instance. Option B is wrong because long-term access keys stored on an instance can be copied and do not rotate. Option C is wrong because a public bucket exposes the data to everyone. Option D is wrong because a source IP is not an identity: the instance's public IP is shared by anything behind the same NAT and changes when the instance is replaced.

Note: a bucket policy that grants the instance role's ARN directly also works for cross-account S3 access without a role assumption; the exam answer is the cross-account role pattern.

1580
MCQ · easy

A company wants to ensure that all traffic to and from an Amazon RDS instance is encrypted in transit. Which solution should the security engineer implement?

A.Enable encryption at rest using AWS KMS.
B.Configure the database to require SSL/TLS connections and modify clients to connect using SSL.
C.Use an S3 bucket policy to enforce encryption in transit for all S3 traffic.
D.Use an AWS Transit Gateway to route traffic through a central VPC.
AnswerB

SSL/TLS encrypts data in transit between the client and the RDS instance.

Why this answer

Option B is correct because encrypting data in transit for Amazon RDS means enabling SSL/TLS on the database instance and configuring client connections to use it. This ensures that all traffic between the client and the RDS instance is encrypted with TLS, protecting against eavesdropping and man-in-the-middle attacks. Amazon RDS supports SSL/TLS for all database engines, and connections can be forced to use it with the `require_secure_transport` parameter (MySQL and MariaDB) or `rds.force_ssl` (PostgreSQL and SQL Server) in the DB parameter group. Clients should also verify the server certificate against the RDS CA bundle (for example `verify-full` mode in PostgreSQL clients) rather than merely enabling encryption, otherwise the connection is encrypted but not authenticated.

Exam trap

The trap here is that candidates confuse encryption at rest (KMS) with encryption in transit (SSL/TLS), leading them to select Option A, which does not address network traffic encryption.

How to eliminate wrong answers

Option A is wrong because encryption at rest using AWS KMS protects data stored on disk, not data in transit; it does not encrypt network traffic between clients and the RDS instance. Option C is wrong because an S3 bucket policy enforces encryption in transit for S3 traffic only, not for RDS traffic; it is irrelevant to RDS connectivity. Option D is wrong because an AWS Transit Gateway is used to route traffic between VPCs and on-premises networks, not to enforce encryption; it does not provide any encryption of data in transit between clients and RDS.

1581
Multi-Select · medium

A security administrator is designing a cross-account access strategy. The administrator needs to allow users in Account A to assume an IAM role in Account B to access an S3 bucket. Which TWO of the following statements are true regarding this configuration?

Select 2 answers
A.The IAM users in Account A must have an IAM policy that allows the sts:AssumeRole action for the role ARN in Account B.
B.The trust policy for the role must be defined in Account A.
C.The S3 bucket policy must grant access to the IAM users in Account A.
D.The role in Account B must have a trust policy that allows the IAM users in Account A to assume the role.
E.The IAM users in Account A must have cross-account permissions on the S3 bucket in Account B.
AnswersA, D

Users need explicit permission to call AssumeRole.

Why this answer

Option A is correct because for an IAM user in Account A to assume a role in Account B, the user must be explicitly granted permission to call the `sts:AssumeRole` API action against the role's ARN. This is done by attaching an IAM policy to the user (or to a group or role the user belongs to) that allows `sts:AssumeRole` with the target role ARN as the resource. Without this permission, the user cannot initiate the cross-account role assumption, even if the role's trust policy allows it. Option D is correct because the role's trust policy, which lives on the role in Account B, must name Account A (or specific principals in it) as allowed to assume it. Both halves are needed: the trust policy is the grant on the resource side, the user's identity policy is the grant on the caller side. Option B is wrong because trust policies are attached to the role in the account that owns it. Options C and E are wrong because the bucket is accessed with the assumed role's credentials; the Account A users' own permissions are not consulted for that request, and since the bucket and the role are in the same account the role's identity policy is sufficient without a bucket policy.

Exam trap

The trap here is confusing where the trust policy is defined (it must be on the role in the target account, not in the source account) and assuming that direct IAM user permissions on the S3 bucket are required instead of using the assumed role's permissions.
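The two policies from options A and D, as an added example (not from the original page). Account A is 111111111111, Account B is 222222222222, and the role name `S3ReaderRole` is an assumption; the two documents are shown side by side in one JSON object for readability:

```json
{
  "IdentityPolicyAttachedToUsersInAccountA": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAssumingS3ReaderInAccountB",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/S3ReaderRole"
      }
    ]
  },
  "TrustPolicyOnS3ReaderRoleInAccountB": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TrustAccountAWithMfa",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
        "Action": "sts:AssumeRole",
        "Condition": {
          "Bool": { "aws:MultiFactorAuthPresent": "true" }
        }
      }
    ]
  }
}
```

Naming `:root` of Account A delegates the choice of who may assume the role to Account A's administrators, who grant `sts:AssumeRole` through identity policies; narrowing the principal to specific user or role ARNs is the tighter option. The MFA condition means the `AssumeRole` call must carry a serial number and token code, so the assumed session is MFA-backed.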

1582
MCQ · medium

A company is using AWS CloudTrail to log API calls and wants to ensure that log files are not tampered with after delivery to S3. Which feature should be enabled to validate the integrity of CloudTrail log files?

A.Enable CloudTrail log file validation
B.Enable MFA Delete on the S3 bucket
C.Enable S3 Versioning on the bucket
D.Enable S3 bucket default encryption
AnswerA

Log file validation uses hash-based validation to detect tampering.

Why this answer

Option A is correct because CloudTrail log file validation delivers an hourly digest file containing a SHA-256 hash of every log file delivered in that hour, signed with CloudTrail's private key and chained to the previous digest; `aws cloudtrail validate-logs` recomputes the hashes and checks the signatures, so any modified, deleted or inserted log file is reported. Option B is wrong because MFA Delete only makes deletion harder; it does not prove that a surviving file is unchanged. Option C is wrong because versioning helps recover from overwrites and deletions but does not detect them. Option D is wrong because encryption at rest protects confidentiality, not integrity.

1583
Multi-Select · medium

Which TWO actions are valid ways to enforce the principle of least privilege in an AWS environment?

Select 2 answers
A.Use the root user for daily administration
B.Use S3 bucket policies to allow all IAM users
C.Grant only the necessary actions in IAM policies
D.Use SCPs to deny actions that are not required
E.Assign the AdministratorAccess managed policy to all users
AnswersC, D

This directly applies least privilege.

Why this answer

Options C and D are correct. Option C is correct because an IAM policy that lists only the actions (and resources) a workload needs is least privilege applied directly. Option D is correct because an SCP removes actions that no principal in an account or OU should ever have, which caps what even an over-broad IAM policy can do. Option A is wrong because the root user has unrestricted access and should be reserved for the few tasks that require it. Option B is wrong because a bucket policy that opens a bucket to all IAM users is the opposite of least privilege. Option E is wrong because `AdministratorAccess` grants everything.

1584
MCQ · easy

A company wants to centralize the management of IAM users and groups for multiple AWS accounts. Which AWS service should be used to allow users to access multiple accounts with a single set of credentials?

A.AWS Organizations
B.IAM users and groups in each account
C.Amazon Cognito
D.AWS IAM Identity Center (AWS SSO)
AnswerD

Provides centralized access management across accounts.

Why this answer

Option D is correct because IAM Identity Center (the successor to AWS SSO) lets a user sign in once with one identity and reach multiple accounts through permission sets, which are deployed as roles in each account. Option B is wrong because IAM users live in one account each and would have to be duplicated. Option C is wrong because Cognito provides identity for customer-facing applications, not workforce access to AWS accounts. Option A is wrong because Organizations groups and governs accounts but does not provide sign-on.

1585
MCQ · medium

A developer creates this CloudFormation stack. An EC2 instance with this role tries to list objects in the bucket. What will happen?

A.The instance can list the bucket but not the objects
B.The instance cannot assume the role because the principal is ec2.amazonaws.com
C.The instance can upload objects to the bucket
D.The instance can list objects in the bucket
AnswerA

s3:ListBucket is the action that authorizes listing a bucket's objects; what the instance can do depends on the Resource element in the exhibit.

Why this answer

The key marks option A, but its reasoning does not match IAM: there is no `s3:ListObjects` IAM action. `s3:ListBucket` is the permission that authorizes the `ListObjects` and `ListObjectsV2` API calls, and it must be granted on the bucket ARN (`arn:aws:s3:::bucket`), not on `arn:aws:s3:::bucket/*`. With `s3:ListBucket` on the bucket ARN the instance can list object keys (option D); listing keys never reads object contents, which needs `s3:GetObject`, and uploading needs `s3:PutObject`, so option C is wrong unless the exhibit grants it. A policy that names only `bucket/*` as the resource for `s3:ListBucket` fails the listing call with AccessDenied, which is the usual cause of the "can reach the bucket but not list it" symptom.

Option B is wrong because `ec2.amazonaws.com` is exactly the service principal an instance profile role's trust policy must name.

1586
Multi-Select · hard

Which THREE are AWS best practices for securing an Amazon EC2 instance? (Choose three.)

Select 3 answers
A.Store database credentials in instance metadata for easy retrieval.
B.Launch instances in the default VPC for easier network configuration.
C.Use security groups to control inbound and outbound traffic.
D.Disable password-based authentication and use SSH key pairs instead.
E.Regularly apply security patches using AWS Systems Manager Patch Manager.
AnswersC, D, E

Security groups are the primary mechanism for controlling network traffic to EC2 instances.

Why this answer

The correct answers are C, D and E. Option C is correct because security groups act as a stateful virtual firewall on the instance's network interfaces. Option D is correct because key-pair authentication cannot be guessed the way passwords can; better still, use Session Manager and leave port 22 closed. Option E is correct because Patch Manager keeps the operating system and packages current on a schedule.

Option B is wrong because the default VPC's subnets assign public IPs and route to an internet gateway; a purpose-built VPC with private subnets is the baseline. Option A is wrong because anything running on the instance can read the instance metadata service, and with IMDSv1 that includes SSRF from a web application; keep secrets in AWS Secrets Manager or Parameter Store and require IMDSv2.

1587
MCQ · medium

A company uses AWS Shield Advanced to protect its web application against DDoS attacks. The application runs behind an Application Load Balancer (ALB) and uses Amazon CloudFront as a CDN. The security team notices that some requests are bypassing CloudFront and hitting the ALB directly. They want to ensure that all traffic goes through CloudFront to benefit from DDoS protection and to enforce encryption in transit. The ALB has a public DNS name and is accessible from the internet. What should the security team do to restrict direct access to the ALB while allowing CloudFront traffic?

A.Use a network ACL to restrict inbound traffic to only CloudFront's IP addresses.
B.Configure CloudFront to add a custom header to requests, and configure the ALB's security group to allow traffic only from CloudFront's IP addresses and that contains the custom header.
C.Deploy AWS WAF on the ALB with a rule that blocks requests that do not originate from CloudFront.
D.Create a security group rule that allows traffic only from CloudFront's IP addresses and denies all other traffic.
AnswerB

The security group restricts source IPs to CloudFront's published ranges; the shared-secret header, checked by a layer that can read HTTP, proves the request came through the company's own distribution rather than any CloudFront distribution.

Why this answer

Option B is correct because it combines the two controls that are needed: an allow-list of CloudFront's origin-facing IP ranges on the ALB's security group (the managed prefix list `com.amazonaws.global.cloudfront.origin-facing` keeps it current), and a secret custom header that CloudFront adds as an origin custom header. One correction to how the option is worded: security groups filter on IP, port and protocol only and cannot read an HTTP header, so the header check has to live in AWS WAF on the ALB or in an ALB listener rule; the security group handles only the IP part. Option D is wrong because the IP allow-list alone is not enough: any AWS customer can create a CloudFront distribution that points at the ALB's public DNS name, and its traffic arrives from the same CloudFront ranges, so without the header the ALB cannot tell the company's distribution from someone else's. Option A is wrong because network ACLs cannot inspect headers either, and maintaining dozens of CloudFront ranges in a stateless NACL rule set is impractical.

Option C is wrong as stated because WAF has no way to know a request "originated from CloudFront" without something to inspect; given the shared header, a WAF rule that blocks requests lacking it is exactly how option B's header check is usually implemented.
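An added example (not code from the original page) of the pieces behind option B in CloudFormation: a security group that accepts HTTPS only from the CloudFront origin-facing managed prefix list, and a listener rule that forwards to the application only when the secret header is present. The header name `X-Origin-Verify`, the parameter names, and the pre-existing listener and target group are assumptions; the listener's default action is assumed to be a fixed 403 response so that anything without the header is refused.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Restrict an internet-facing ALB to traffic that came through CloudFront
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  ListenerArn:
    Type: String
    Description: ARN of the ALB HTTPS listener whose default action is a fixed 403 (assumed)
  TargetGroupArn:
    Type: String
    Description: Target group the application traffic should reach (assumed)
  CloudFrontPrefixListId:
    Type: String
    Description: >-
      ID of the managed prefix list com.amazonaws.global.cloudfront.origin-facing in this
      Region (look it up with aws ec2 describe-managed-prefix-lists)
  OriginSecretHeaderValue:
    Type: String
    NoEcho: true
    Description: Random value CloudFront sends in the X-Origin-Verify origin custom header
Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS only from CloudFront origin-facing IP ranges
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          # Prefix list reference: AWS updates the ranges, the rule never goes stale
          SourcePrefixListId: !Ref CloudFrontPrefixListId
  ForwardOnlyWithSecretHeader:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref ListenerArn
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify
            Values:
              - !Ref OriginSecretHeaderValue
      Actions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn
```

The same secret must be configured as an origin custom header on the CloudFront distribution, and rotating it means updating both places; keeping it in Secrets Manager with a rotation Lambda is the usual arrangement. The CloudFront prefix list counts as many rules against the security group's rule quota, so check the quota before attaching it.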

1588
MCQ · medium

Refer to the exhibit. A security engineer runs the AWS CLI command to look up CloudTrail events. What can be concluded from the output?

A.The event name is DeleteTrail
B.The trail was deleted by user 'admin'
C.User 'admin' created a trail named 'my-trail' on Jan 15
D.The event is a read-only API call
AnswerC

The event shows CreateTrail.

Why this answer

Option C is correct: the output shows a `CreateTrail` event made by user 'admin' with the trail name 'my-trail' on Jan 15. Option A is wrong because the event name is `CreateTrail`, not `DeleteTrail`. Option B is wrong because the trail was created, not deleted.

Option D is wrong because `CreateTrail` changes a resource; it is a write event, not a read-only call.

1589
MCQ · easy

A company wants to restrict access to an Amazon S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition key should be used?

A.s3:x-amz-server-side-encryption-customer-key
B.s3:x-amz-server-side-encryption-aws-kms-key-id
C.kms:EncryptionContext
D.s3:x-amz-server-side-encryption
AnswerB

This condition key carries the KMS key ID from the upload request, so a bucket policy can require that objects are encrypted with a specific KMS key.

Why this answer

Option B is correct because `s3:x-amz-server-side-encryption-aws-kms-key-id` carries the KMS key named in the `PutObject` request, so a bucket policy can deny any upload that does not use the expected key. Option D is wrong because `s3:x-amz-server-side-encryption` only says which algorithm was requested (`AES256` for SSE-S3, `aws:kms` for SSE-KMS), not which key; it is the right key when the requirement is merely "SSE-KMS" rather than "this KMS key", and the two are normally combined. Option C is wrong because `kms:EncryptionContext` is a condition key for KMS key policies and grants, not S3 bucket policies.

Option A is wrong because the customer-key header belongs to SSE-C, where the client supplies its own key. Practitioner caveat: these conditions are evaluated on the request headers, before default bucket encryption is applied, so a deny on a missing or different header also rejects clients that rely on default encryption; every uploader must send the SSE-KMS headers explicitly.
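A bucket policy that enforces both conditions, as an added example (not from the original page). The bucket name, account ID and key ARN are assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsThatAreNotSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-secure-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithAnyOtherKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-secure-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}
```

`StringNotEquals` also matches when the header is absent, which is what makes both statements deny an upload that sends no encryption headers at all. Uploaders must pass the key in the same form as the condition value (the full key ARN here); a multipart upload is checked on `CreateMultipartUpload`, which also carries these headers.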

1590
MCQ · medium

A company uses AWS KMS to encrypt data in Amazon RDS. The security team needs to ensure that the KMS key cannot be deleted accidentally. Which action should be taken?

A.Create an alias for the key.
B.Enable automatic key rotation.
C.Add a statement to the key policy that denies the kms:ScheduleKeyDeletion action.
D.Use a multi-Region key.
AnswerC

A key policy can explicitly deny the ability to schedule deletion, preventing accidental deletion.

Why this answer

Option C is correct. A KMS key cannot be deleted immediately: `kms:ScheduleKeyDeletion` starts a waiting period of 7 to 30 days, after which the key and everything encrypted under it become unrecoverable, and a principal who holds that permission can still start the process by mistake. An explicit Deny of `kms:ScheduleKeyDeletion` in the key policy stops anyone from starting it. A key policy Deny binds every principal, so the usual pattern exempts one break-glass role with an `aws:PrincipalArn` condition and alarms on `ScheduleKeyDeletion` in CloudTrail as a second net.

Option A is wrong because an alias is only a name for the key. Option B is wrong because automatic rotation changes the backing key material and has no effect on deletion. Option D is wrong because replicating a key to other Regions does not prevent it from being scheduled for deletion.

1591
MCQ · easy

A company wants to centralize CloudTrail logs from multiple AWS accounts into a single S3 bucket for security analysis. The logs must be encrypted at rest and access must be logged. What is the MOST secure way to grant cross-account access to the central S3 bucket?

A.Create an S3 bucket policy that grants s3:PutObject to everyone, and rely on CloudTrail to restrict access.
B.Create an IAM role in the central account that each member account can assume to write logs.
C.Create an S3 bucket policy that grants CloudTrail service principal permission to write objects, with a condition checking the source account ID.
D.Use an S3 bucket with default encryption enabled and share the KMS key with the other accounts.
AnswerC

This restricts cross-account writes to only those accounts specified.

Why this answer

Option C is correct because CloudTrail writes to the bucket as the `cloudtrail.amazonaws.com` service principal, so the bucket policy grants `s3:PutObject` to that principal under each account's `AWSLogs/<account-id>/` prefix and uses `aws:SourceAccount` (or `aws:SourceArn` with the trail ARN) so that only trails in the listed accounts can write; without the condition any AWS customer's trail could deliver into the bucket. Option A is wrong because a public `s3:PutObject` grant lets anyone write or overwrite log objects. Option B is wrong because CloudTrail does not assume roles to deliver logs; delivery is authorized by the bucket policy.

Option D is wrong because sharing the KMS key is needed for SSE-KMS but grants no write access to the bucket by itself. The other two requirements are met separately: SSE-KMS on the bucket (with a key policy that lets CloudTrail use the key) for encryption at rest, and S3 server access logging or CloudTrail data events on the log bucket for access logging.
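The central bucket policy that option C describes, as an added example (not from the original page), for two member accounts whose trails deliver to it. The bucket name and account IDs are assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::central-cloudtrail-logs",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": ["111111111111", "222222222222"] }
      }
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::central-cloudtrail-logs/AWSLogs/111111111111/*",
        "arn:aws:s3:::central-cloudtrail-logs/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["111111111111", "222222222222"],
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

The per-account prefix in the `Resource` list means a trail in account 111111111111 cannot write into 222222222222's path, and `aws:SourceAccount` stops a trail from an unlisted account even if it guesses the path. CloudTrail checks the bucket ACL before the first delivery, which is why the `s3:GetBucketAcl` statement is required.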

1592
Multi-Select · hard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket to store logs. The security team wants to ensure that traffic does not traverse the internet. Which solution should be used? (Choose two.)

Select 2 answers
A.Create an S3 Gateway Endpoint in the VPC
B.Attach a VPC Endpoint Policy to the Gateway Endpoint to restrict access to the specific bucket
C.Attach an Internet Gateway to the VPC
D.Create an S3 Interface Endpoint in the VPC
E.Use a NAT Gateway to route the traffic to the internet
AnswersA, B

Provides private connectivity to S3.

Why this answer

Options A and B are correct. A gateway endpoint for S3 (option A) adds a route for the S3 prefix list to the private subnet's route table, so traffic to S3 stays on the AWS network and needs neither an internet gateway (option C) nor a NAT gateway (option E). An endpoint policy on that gateway (option B) limits which buckets and actions can be reached through it, which is what keeps the instance from using the private path to read or write other buckets, including buckets in other accounts; the complementary control is a bucket policy with an `aws:SourceVpce` condition. Option D is not the expected answer because the gateway endpoint already meets the requirement at no charge, although interface endpoints for S3 do exist.

Exam trap

The trap is assuming the gateway endpoint alone is the full answer: it provides the private path, and the endpoint policy restricts what that path can reach. A second trap is the interface-versus-gateway choice: both endpoint types exist for S3, but the gateway endpoint is the free, route-table-based one for access from inside the VPC, while the S3 interface endpoint is for access from on premises or across Regions over PrivateLink.

1593
Multi-Select · hard

A security engineer is designing a multi-account strategy using AWS Organizations. The engineer needs to centrally manage network security across all accounts. Which TWO AWS services are most appropriate for this task?

Select 2 answers
A.AWS Firewall Manager
B.AWS Network Firewall
C.VPC Peering
D.AWS WAF
E.Amazon GuardDuty
AnswersA, B

Firewall Manager provides centralized management of firewall rules across accounts and resources.

Why this answer

Option A (AWS Firewall Manager) is correct because it is the service that centrally defines and enforces security policies across an organization: Network Firewall rule groups, WAF web ACLs, Shield Advanced protections and security group rules, applied to every in-scope account and resource. Option B (AWS Network Firewall) is correct because it is the managed network-level firewall that those policies deploy into each VPC. Option E (Amazon GuardDuty) is threat detection, not network control.

Option D (AWS WAF) protects individual web endpoints at the application layer and, on its own, is managed per resource. Option C (VPC Peering) is connectivity, not a management service. Note that Firewall Manager requires AWS Organizations with all features enabled, AWS Config enabled in the member accounts, and a designated Firewall Manager administrator account.

1594
MCQ · medium

A company uses AWS WAF to protect a web application. The security team needs to analyze blocked requests to identify attack patterns. Which service should be used to query and visualize WAF logs?

A.Amazon CloudWatch Logs Insights
B.Amazon QuickSight
C.Amazon Athena
D.AWS WAF console
AnswerC

Athena can query WAF logs in S3 using SQL.

Why this answer

Amazon Athena queries the WAF logs where they land in S3 with standard SQL, so blocked requests can be grouped by client IP, URI, country or terminating rule over any time range. CloudWatch Logs Insights works only on log groups; WAF can deliver logs to CloudWatch Logs as well as to S3 and Kinesis Data Firehose, so it is a valid tool when that destination was chosen, but not for logs in S3. QuickSight visualizes query results (usually over an Athena data source) but is not the query engine.

The WAF console shows sampled requests for recent traffic, not a full query over the log history.
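An added example (not from the original page) of the kind of Athena query the security team would run. It assumes a table named `waf_logs` has been created over the log prefix with the standard WAF log columns: `timestamp` in milliseconds, `action`, `terminatingruleid`, and the `httprequest` struct:

```sql
-- Top blocked (client, URI, rule) combinations in the last 24 hours.
-- "timestamp" is quoted because it is also a reserved word in Athena.
SELECT
  httprequest.clientip                          AS client_ip,
  httprequest.country                           AS country,
  httprequest.uri                               AS uri,
  terminatingruleid                             AS rule,
  count(*)                                      AS hits,
  min(from_unixtime("timestamp" / 1000))        AS first_seen,
  max(from_unixtime("timestamp" / 1000))        AS last_seen
FROM waf_logs
WHERE action = 'BLOCK'
  AND "timestamp" > to_unixtime(current_timestamp - interval '24' hour) * 1000
GROUP BY 1, 2, 3, 4
ORDER BY hits DESC
LIMIT 50;
```

Filtering on `timestamp` before `from_unixtime` keeps the predicate cheap; partitioning the table by date (the log prefix already contains year, month and day) is what keeps the scan small once the bucket grows.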

1595
Multi-Select · medium

A security engineer is designing an incident response plan for a compromised S3 bucket. Which TWO actions should be taken to contain the incident? (Choose TWO.)

Select 2 answers
A.Delete the bucket and recreate it.
B.Enable MFA Delete on the bucket.
C.Enable CloudTrail data events for the bucket to log all object-level operations.
D.Apply a bucket policy that denies all principals access to the bucket.
E.Enable default encryption for the bucket.
AnswersC, D

Provides visibility for investigation.

Why this answer

Enabling CloudTrail data events for the S3 bucket (Option C) is a critical detective control that logs all object-level operations (for example GetObject, PutObject and DeleteObject). This lets the security engineer perform forensic analysis, identify the scope of the compromise and understand the attacker's actions, which is essential for containment and remediation. While not a direct containment action, it is a necessary step to gather evidence before or during containment. Applying a bucket policy that denies every principal (Option D) is the containment action itself: it immediately cuts off whatever credential the attacker is using, whether an exposed key, a hijacked role session or a misconfigured cross-account grant, without destroying evidence. In practice the deny exempts the incident response role so responders can still collect the objects and logs. Option A destroys the evidence and may break dependent systems. Options B and E are sound hardening steps but do nothing to stop an access that is already happening.

Exam trap

The trap here is confusing detective controls (logging) with containment actions, and thinking that enabling encryption or MFA Delete will stop an active compromise, when they only protect against future risks or specific deletion scenarios.
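The containment policy from option D, as an added example (not from the original page). The bucket name and the responder role ARN are assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ContainmentDenyEveryoneExceptResponders",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::compromised-bucket",
        "arn:aws:s3:::compromised-bucket/*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111111111111:role/IncidentResponder"
        }
      }
    }
  ]
}
```

`aws:PrincipalArn` resolves to the role ARN for assumed-role sessions, so every session of `IncidentResponder` stays allowed while everything else, including the bucket owner's other roles and users, is denied regardless of their identity policies. The account's root user can still delete a bucket policy, which is the recovery path if the exemption is wrong.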

1596
MCQ · medium

A company uses AWS Organizations with all features enabled. The security team wants to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if the user does not have MFA. The SCP is attached to the root organizational unit. After a few days, users in a member account report that they can still access the console without MFA. The security team reviews the SCP and finds it is correctly configured. What is the MOST likely reason the SCP is not being enforced?

A.The member account has a separate SCP attached that allows the actions, overriding the root SCP.
B.The member account is the management account of the organization, which is not affected by SCPs.
C.The SCP is missing an explicit allow for the actions, so the default deny is not taking effect.
D.The SCP does not apply to the root user of the member account, so root can bypass MFA.
AnswerB

Correct: The management account is not subject to SCPs.

Why this answer

Option B is correct because SCPs never apply to the management account: its users and roles are unaffected whatever is attached to the root OU. Option A is wrong because SCPs combine as an intersection; an SCP attached directly to the account cannot grant anything that a Deny inherited from a parent removes.

Option C is wrong because a Deny statement takes effect regardless of the default `FullAWSAccess` allow; no explicit allow is needed for it to apply. Option D is wrong because SCPs do restrict the root user of a member account; only the management account is exempt. Implementation caveat: write the condition with `BoolIfExists` on `aws:MultiFactorAuthPresent`, because the key is absent (not false) for requests signed with long-term access keys, and scope the statement to IAM users so that roles assumed by services are not caught.
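An SCP that implements the MFA requirement as the question describes, as an added example (not from the original page). The list of exempted actions is the self-service set a user needs to enrol a device and obtain an MFA session; it is an assumption for this example, and the user's identity policies should still scope those calls to the user's own ARN:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUsersWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:ChangePassword",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalType": "User" },
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

`aws:PrincipalType` is `User` only for IAM user credentials, so EC2 instance roles, Lambda execution roles and federated sessions (`AssumedRole`) are untouched, and the member account's root user (`Account`) is left to a separate control. With `BoolIfExists`, a CLI call signed with a plain access key has no MFA key in its context and is denied; the user can still call `sts:GetSessionToken` with an MFA code to get temporary credentials that carry the key.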

1597
Multi-Select · medium

A security engineer is configuring a VPC with public and private subnets. The engineer wants to ensure that the private subnet instances cannot initiate outbound connections to the internet but can receive responses from the internet if initiated from within the VPC. Which TWO configurations should be used?

Select 2 answers
A.Configure the private subnet security group to allow inbound traffic from the public subnet's security group.
B.Configure the private subnet route table to not have a route to an Internet Gateway or NAT Gateway.
C.Attach an Internet Gateway to the VPC and add a route to it in the private subnet route table.
D.Attach a NAT Gateway to the private subnet and add a route to it.
E.Configure the private subnet Network ACL to allow outbound traffic to 0.0.0.0/0.
AnswersA, B

Allows responses from public subnet.

Why this answer

Options A and B are correct. With no route to an internet gateway or NAT gateway in the private subnet's route table (B), instances there have no path on which to initiate outbound internet connections. The security group rule (A) allows traffic from the public-subnet tier; because security groups are stateful, replies flow back automatically, which is what the question means by receiving responses to connections initiated inside the VPC.

Option D is wrong because a NAT gateway exists precisely to let private instances initiate outbound connections, which the requirement forbids (and a NAT gateway lives in a public subnet, not the private one). Option C is wrong because a route to an internet gateway would make the subnet public.

Option E is wrong because a permissive outbound NACL rule creates no route, and since NACLs are stateless it would also need matching inbound rules on the ephemeral ports to let replies through.

1598
Multi-Select · hard

A company uses AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that integrity is verified. Which TWO services can be used together to achieve this?

Select 2 answers
A.S3 Inventory
B.AWS CloudHSM
C.CloudTrail log file integrity validation
D.AWS KMS to encrypt the log files
E.S3 MFA Delete
AnswersC, D

Verifies log files have not been tampered.

Why this answer

CloudTrail log file integrity validation (option C) is the built-in mechanism for verifying that log files have not been modified, deleted or replaced after delivery. Every hour CloudTrail writes a digest file listing the SHA-256 hash of each log file delivered in that hour, signs the digest with RSA using a private key whose public counterpart is published, and chains each digest to the hash of the previous one, so a gap or an altered file is detectable. AWS KMS (option D) lets you encrypt the log files at rest with SSE-KMS, so the objects are stored encrypted and access to them is governed by the key policy as well as the bucket policy.

Together they meet both the encryption-at-rest and the integrity-verification requirements.

Exam trap

The trap is confusing AWS CloudHSM with AWS KMS. CloudTrail delivers logs with SSE-S3 or SSE-KMS; CloudHSM is not a CloudTrail encryption option (a KMS custom key store backed by CloudHSM can sit behind the KMS key, but from CloudTrail's point of view that is still SSE-KMS), and integrity validation is a separate feature of CloudTrail itself rather than something the encryption provides.
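An added example (not from the original page) of the per-file hash check and the digest chain check that log file validation performs, for this question and for question 1582. It does not verify the RSA signature on the digest, which `aws cloudtrail validate-logs` does with CloudTrail's published public key. The digest, the log file and the previous digest are constructed; the assumption made here is that the hash is taken over the object bytes as stored in S3:

```python
"""Offline check of a CloudTrail digest file against the log files it covers (added example)."""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_log_files(digest: dict, objects: dict) -> dict:
    """Compare each hashValue in the digest with the SHA-256 of the stored object.

    ``objects`` maps "bucket/key" to the object bytes as read from S3.
    Returns a status per log file: "ok", "tampered" or "missing".
    """
    status = {}
    for entry in digest["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        data = objects.get(key)
        if data is None:
            status[key] = "missing"       # deleted after delivery
        elif entry["hashAlgorithm"] == "SHA-256" and sha256_hex(data) == entry["hashValue"]:
            status[key] = "ok"
        else:
            status[key] = "tampered"      # contents differ from what CloudTrail hashed
    return status


def verify_chain(digest: dict, previous_digest_bytes: bytes) -> bool:
    """Each digest carries the hash of the previous digest file; a mismatch means a digest was altered or replaced."""
    return sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]


# ---- constructed sample data (not real CloudTrail output) ----
def build_sample():
    """Return (digest, objects, previous_digest_bytes) for one log file and one digest."""
    record = {"Records": [{"eventVersion": "1.08", "eventName": "CreateTrail",
                           "eventSource": "cloudtrail.amazonaws.com",
                           "userIdentity": {"type": "IAMUser", "userName": "admin"}}]}
    log_bytes = gzip.compress(json.dumps(record).encode(), mtime=0)
    bucket = "central-cloudtrail-logs"
    log_key = ("AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/15/"
               "111111111111_CloudTrail_us-east-1_20240115T0000Z_abc.json.gz")
    previous_digest_bytes = json.dumps({"digestEndTime": "2024-01-15T00:00:00Z"}).encode()
    digest = {
        "awsAccountId": "111111111111",
        "digestStartTime": "2024-01-15T00:00:00Z",
        "digestEndTime": "2024-01-15T01:00:00Z",
        "previousDigestHashValue": sha256_hex(previous_digest_bytes),
        "previousDigestHashAlgorithm": "SHA-256",
        "logFiles": [{"s3Bucket": bucket, "s3Object": log_key,
                      "hashValue": sha256_hex(log_bytes), "hashAlgorithm": "SHA-256"}],
    }
    return digest, {f"{bucket}/{log_key}": log_bytes}, previous_digest_bytes
```

A "missing" result is as significant as "tampered": the digest is the record of what was delivered, so a log file that is no longer in the bucket was removed after the fact. Run the check from a separate account that holds a read-only copy of the digests, otherwise an attacker with write access to the log bucket can replace both.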

1599
MCQ · medium

A company wants to provide its developers with IAM roles that allow them to launch EC2 instances with specific security groups. The security team wants to ensure that developers cannot launch instances without a security group. How can this be enforced?

A.Create a service control policy that allows only the use of specific security groups.
B.Use an SCP to deny launching instances without a security group.
C.Add a condition in the IAM policy that requires the ec2:SecurityGroup parameter to have a specific value.
D.Configure the VPC to have no default security group.
AnswerC

The security group is one of the resources `ec2:RunInstances` is authorized against, so the IAM policy names the approved security-group ARNs and no others.

Why this answer

Option C is correct because `ec2:RunInstances` is authorized against every resource the launch touches, including each security group, so an IAM policy that allows `ec2:RunInstances` only on the ARNs of approved security groups (plus the instance, volume, network interface, subnet, key pair and AMI resources the launch needs) makes any other launch fail. A launch that specifies no security group uses the VPC's default group, whose ARN is not in the allowed list, so that launch is denied too. The option's mention of an `ec2:SecurityGroup` parameter is loose wording for this resource-level control. Option A is wrong because an SCP cannot grant anything; it only caps what an account may do and is not the place for a developer-level launch rule. Option B is wrong because every instance always has at least one security group, so there is nothing for such a deny to match; the goal is to allow only approved groups.

Option D is wrong because the default security group cannot be deleted, and emptying its rules still leaves launches possible with any other group.
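The developer policy that option C describes, as an added example (not from the original page). The Region, account ID and security group IDs are assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyWithApprovedSecurityGroups",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0123456789abcdef0",
        "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0fedcba9876543210"
      ]
    },
    {
      "Sid": "OtherResourcesRunInstancesTouches",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:111111111111:instance/*",
        "arn:aws:ec2:us-east-1:111111111111:network-interface/*",
        "arn:aws:ec2:us-east-1:111111111111:volume/*",
        "arn:aws:ec2:us-east-1:111111111111:subnet/*",
        "arn:aws:ec2:us-east-1:111111111111:key-pair/*",
        "arn:aws:ec2:us-east-1::image/ami-*"
      ]
    },
    {
      "Sid": "ReadOnlyCallsTheConsoleAndCliNeed",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs"
      ],
      "Resource": "*"
    }
  ]
}
```

Any `RunInstances` call that references a security group outside the first statement, including the implicit default group, is denied because no statement allows that ARN. If developers launch from launch templates, the `launch-template/*` resource has to be added to the second statement, and a template that embeds an unapproved group is still rejected at launch time because the group ARN is evaluated regardless of where it came from.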

1600
MCQ · easy

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to an IAM user. The user reports being unable to download objects from the S3 bucket when connecting from a VPN with IP address 10.0.1.45. What is the most likely reason for the failure?

A.The policy does not include an Allow effect for s3:GetObject.
B.The aws:SourceIp condition key is not supported for IAM user policies; it should be used with IAM role trust policies.
C.The source IP 10.0.1.45 is not within the allowed range 10.0.0.0/16.
D.The policy uses the wrong action name; it should be s3:GetObjectAcl.
AnswerB

aws:SourceIp is valid in identity-based policies attached to IAM users; the key's rationale for option B is not how IAM works.

Why this answer

The answer key marks option B, but the reason it gives is wrong: `aws:SourceIp` is a global condition key that works in identity-based policies attached to users, groups and roles alike, as well as in resource policies; nothing limits it to trust policies. Option C is also false as written, since 10.0.1.45 lies inside 10.0.0.0/16. What actually breaks policies like this in practice is that `aws:SourceIp` is evaluated against the address the S3 endpoint sees, which is the public address of the VPN concentrator or NAT gateway, not the client's private 10.0.1.45; for requests that reach S3 through a VPC endpoint the key is absent altogether and `aws:VpcSourceIp` or `aws:SourceVpce` has to be used instead. Without the exhibit, the only option that describes a real failure mode is A (no Allow for `s3:GetObject`); option D is wrong because `s3:GetObjectAcl` reads an object's ACL, not the object.

1601
MCQ · hard

A security engineer is investigating a potential data exfiltration from an EC2 instance. CloudTrail logs show that an IAM user created a new access key for an existing IAM role and used it to call S3 GetObject from an unfamiliar IP address. What is the MOST likely reason the CloudTrail logs captured this activity?

A.CloudTrail was enabled to capture management events.
B.S3 server access logs were enabled on the bucket containing the objects.
C.VPC Flow Logs were enabled for the EC2 instance's subnet.
D.The security engineer had enabled CloudTrail Insights.
E.AWS Config was enabled to record resource changes.
AnswerA

CloudTrail management events include IAM actions like creating access keys and API calls.

Why this answer

Option A is correct because `CreateAccessKey` is an IAM management event, and CloudTrail records management events for every account (Event history keeps 90 days even when no trail is configured). Option C is wrong because VPC Flow Logs record IP-level metadata, not API calls or identities. Option B is wrong because S3 server access logs record bucket requests but cannot show who created the key. Option D is wrong because CloudTrail Insights flags unusual API call volumes; it does not make the underlying events exist. Option E is wrong because Config records resource configuration changes, not the API call history.

Caveat: the `GetObject` half of this story is an S3 data event, which CloudTrail records only if data events are enabled on a trail (or a CloudTrail Lake event data store); the access-key creation alone would be in the management-event history.
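An added example (not from the original page) of the detection logic an investigator would run over CloudTrail records for this scenario: pair each `CreateAccessKey` with later S3 reads that use the new key from outside the known egress range. The corporate range and the three records are constructed in CloudTrail's field layout:

```python
"""Detect use of a freshly created access key from an unfamiliar IP in CloudTrail records (added example)."""
from ipaddress import ip_address, ip_network

# Constructed corporate egress range; anything else counts as unfamiliar.
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]

# Data-plane calls worth correlating; GetObject appears only if S3 data events are logged.
S3_READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "CopyObject"}


def is_known_ip(source: str) -> bool:
    """sourceIPAddress can be a service DNS name (e.g. s3.amazonaws.com) for calls made by AWS services; treat those as known."""
    try:
        addr = ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in KNOWN_EGRESS)


def new_key_abuse(records: list) -> list:
    """Return one alert per S3 read that used a newly created key from an unknown IP."""
    created = {}   # accessKeyId -> details of the CreateAccessKey call
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec["eventSource"] == "iam.amazonaws.com" and rec["eventName"] == "CreateAccessKey":
            new_key = rec["responseElements"]["accessKey"]["accessKeyId"]
            created[new_key] = {
                "for_user": rec["responseElements"]["accessKey"]["userName"],
                "created_by": rec["userIdentity"].get("userName"),
                "created_from": rec["sourceIPAddress"],
                "created_at": rec["eventTime"],
            }
        elif rec["eventSource"] == "s3.amazonaws.com" and rec["eventName"] in S3_READ_EVENTS:
            key_used = rec.get("userIdentity", {}).get("accessKeyId")
            if key_used in created and not is_known_ip(rec["sourceIPAddress"]):
                alerts.append({
                    "access_key_id": key_used,
                    "used_from": rec["sourceIPAddress"],
                    "used_at": rec["eventTime"],
                    "bucket": rec.get("requestParameters", {}).get("bucketName"),
                    **created[key_used],
                })
    return alerts


# Constructed records (not real log data): a key is created for svc-backup by alice from
# the office range, alice reads normally, then the new key reads from an unknown address.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEOLD00001"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLENEW00002",
                                        "userName": "svc-backup", "status": "Active"}}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEOLD00001"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q1.csv"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup", "accessKeyId": "AKIAEXAMPLENEW00002"},
     "requestParameters": {"bucketName": "example-data", "key": "customers/export.csv"}},
]
```

The join key is the access key ID: `CreateAccessKey` returns it in `responseElements`, and every later call signed with it carries it in `userIdentity.accessKeyId`. The same logic runs unchanged over records exported to S3 or queried from CloudTrail Lake, which is where the investigator would pull the data events from.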

1602
Multi-Select · medium

Which THREE statements about IAM roles are correct? (Choose THREE.)

Select 3 answers
A.IAM roles can be used by federated users.
B.IAM roles cannot be used for cross-account access.
C.IAM roles can be attached to an IAM user.
D.IAM roles can be assumed by AWS services.
E.IAM roles are global and not specific to a region.
AnswersA, D, E

Federated users can assume roles via SAML or OIDC.

Why this answer

The correct answers are A, D and E. IAM roles are global, not Regional (E); they can be assumed by AWS services such as EC2 or Lambda through a trust policy (D); and federated users from a SAML or OIDC identity provider receive role credentials through `AssumeRoleWithSAML` or `AssumeRoleWithWebIdentity` (A). Option C is wrong because a role is not attached to a user; the user is granted `sts:AssumeRole` on the role and switches to it.

Option B is wrong because cross-account access is one of the main uses of roles.

1603
MCQ · hard

A company uses cross-account IAM roles to allow a third-party vendor to access resources in the company's AWS account. The security team wants to ensure that the vendor can only access the specific S3 bucket named 'vendor-bucket'. What should the security team do?

A.Create an IAM user for the vendor and attach a policy that allows access to 'vendor-bucket'.
B.In the trust policy of the role, specify the vendor's AWS account and attach a permissions policy that allows s3:* on 'vendor-bucket'. Also create a bucket policy that allows the role.
C.Use an SCP to deny access to all S3 buckets except 'vendor-bucket'.
D.Create a new AWS account for the vendor and use VPC peering.
AnswerB

The trust policy allows the vendor to assume the role, and the permissions policy limits actions to the bucket.

Why this answer

Option B is correct because cross-account access is granted in two places: the role's trust policy names the vendor's account as the principal allowed to assume it, and the role's permissions policy restricts what the assumed session can do, here to `vendor-bucket` and its objects. For a third party the trust policy should also require an `sts:ExternalId` that the vendor supplies on every `AssumeRole` call, which prevents the confused-deputy case where the vendor is tricked into using the role on someone else's behalf. Granting `s3:*` is broader than necessary; in practice the policy lists the bucket and object actions the vendor needs. A bucket policy is optional because the role and the bucket are in the same account, but a deny for every other principal is a sensible second line. Option A is wrong because an IAM user for an outside party means long-term credentials held by the vendor. Option C is wrong because SCPs restrict the company's own accounts; they cannot grant a vendor anything. Option D is wrong because a separate account plus VPC peering is a network construct and does not address S3 authorization.
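The trust policy with an external ID and the scoped permissions policy, as an added example (not from the original page) for this question and for the bucket-ARN versus object-ARN point in question 1585. The vendor account ID, the external ID and the role name `VendorAccessRole` are assumptions:

```json
{
  "TrustPolicyOnVendorAccessRole": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TrustVendorAccountWithExternalId",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::333333333333:root" },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": { "sts:ExternalId": "a1b2c3d4-example-external-id" }
        }
      }
    ]
  },
  "PermissionsPolicyOnVendorAccessRole": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListKeysInVendorBucketOnly",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::vendor-bucket"
      },
      {
        "Sid": "ReadAndWriteObjectsInVendorBucketOnly",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::vendor-bucket/*"
      }
    ]
  }
}
```

`s3:ListBucket` is granted on the bucket ARN and the object actions on `vendor-bucket/*`; swapping the two is the classic mistake that leaves a caller able to read objects it knows the name of but not to list them, or vice versa. The external ID is not a secret in the cryptographic sense, but it must be unique per customer on the vendor's side and never chosen by the customer, or it stops protecting against the confused deputy.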

1604
Multi-Select · medium

A security engineer is configuring an automated incident response workflow for Amazon GuardDuty findings. Which TWO actions should the engineer take to ensure that the response is triggered for all current and future GuardDuty findings?

Select 2 answers
A.Enable GuardDuty to export findings to CloudWatch Logs and then create a metric filter.
B.Create an Amazon EventBridge rule with an event pattern that matches GuardDuty finding events.
C.Create an Amazon SNS topic and subscribe the Lambda function to it, then configure GuardDuty to publish to SNS.
D.Configure the rule to invoke an AWS Lambda function that executes the incident response playbook.
E.Set up a CloudWatch Logs subscription filter to forward GuardDuty logs to the Lambda function.
AnswersB, D

EventBridge allows matching GuardDuty finding events to trigger a response.

Why this answer

Option B is correct because Amazon EventBridge can capture all GuardDuty findings by using an event pattern that matches the 'GuardDuty Finding' event type. This ensures that both current and future findings automatically trigger the rule without requiring manual updates or additional configuration.

Exam trap

The trap here is that candidates often confuse GuardDuty's integration with CloudWatch Logs (which does not exist) or assume GuardDuty can directly publish to SNS, when in fact EventBridge is the required intermediary for automated workflows.

1605
Multi-Selecthard

Which THREE measures can be taken to secure a VPC's network boundary? (Choose three.)

Select 3 answers
A.Attach an S3 bucket policy to restrict access to the bucket.
B.Use security groups to control inbound and outbound traffic at the instance level.
C.Attach an internet gateway to the VPC.
D.Use network ACLs to add an additional layer of stateless filtering at the subnet level.
E.Enable VPC Flow Logs to capture and analyze traffic metadata.
AnswersB, D, E

Security groups are stateful firewalls for instances.

Why this answer

Security groups act as a virtual firewall for EC2 instances, controlling inbound and outbound traffic at the instance level (stateful). They are a fundamental measure for securing the VPC network boundary by allowing only specified traffic to reach the instances, based on rules that evaluate source/destination IP, protocol, and port. This provides a critical layer of defense directly at the compute resource.

Exam trap

The trap here is confusing network security controls (security groups, network ACLs, VPC Flow Logs) with resource-level policies (S3 bucket policies) or connectivity components (internet gateway), leading candidates to select options that do not directly secure the VPC's network boundary.

1606
MCQmedium

During a security incident, a security engineer suspects that an EC2 instance has been compromised and is exfiltrating data to an external IP address. Which AWS service can provide real-time network traffic analysis and alert on unusual outbound traffic patterns?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture network traffic metadata for analysis.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic information and can be analyzed to detect abnormal outbound traffic. Option C is wrong because GuardDuty uses VPC Flow Logs and other sources but does not provide raw flow log analysis. Option B is wrong because CloudTrail logs API calls, not network traffic.

Option A is wrong because Inspector is for vulnerability assessment, not network traffic analysis.

1607
MCQmedium

Refer to the exhibit. An IAM policy allows s3:GetObject on an S3 bucket only when the object is encrypted with SSE-KMS. An IAM user with this policy attempts to download an object that is not encrypted. What will happen?

A.The download fails because the condition is not met, even though the action is allowed.
B.The download succeeds because the condition is not required.
C.The download fails because the policy is invalid.
D.The download succeeds because there is no explicit deny.
AnswerA

The Allow is conditional; condition not met results in implicit deny.

Why this answer

Option A is correct because the policy grants access only when the condition is met (SSE-KMS). Since the object is not encrypted with SSE-KMS, the condition fails, and the request is denied by default (implicit deny). Option D is incorrect because, although the policy has no explicit deny, the request is still denied implicitly.

Option B is incorrect because the condition must be met. Option C is incorrect because the policy is valid; the condition is evaluated and simply not satisfied.

1608
MCQmedium

A company uses AWS Organizations with a single management account and multiple member accounts. The security team needs to ensure that all member accounts automatically deploy AWS Config rules to audit security group configurations. Which solution meets this requirement with minimal operational overhead?

A.Configure an AWS Lambda function in each account that periodically checks security group compliance.
B.Enable AWS Security Hub and rely on its built-in security group checks.
C.Use AWS Config conformance packs deployed via AWS CloudFormation StackSets from the management account.
D.Create an AWS Config rule in each member account manually using AWS CloudFormation templates.
AnswerC

Conformance packs can be deployed across accounts using StackSets, automating rule deployment.

Why this answer

Option C is correct because AWS Config conformance packs, deployed via AWS CloudFormation StackSets from the management account, allow you to centrally deploy a collection of AWS Config rules and remediation actions across all member accounts in an AWS Organization. This approach ensures consistent security group auditing with minimal operational overhead, as StackSets automatically handle deployment, updates, and drift detection across accounts and Regions.

Exam trap

The trap here is that candidates often confuse AWS Security Hub’s ability to aggregate and visualize security findings with the ability to automatically deploy and enforce Config rules, leading them to select Option B, but Security Hub does not deploy or manage Config rules itself.

How to eliminate wrong answers

Option A is wrong because using an AWS Lambda function in each account to periodically check security group compliance introduces significant operational overhead (function maintenance, scheduling, cross-account coordination) and does not leverage AWS Config’s native, event-driven compliance evaluation. Option B is wrong because AWS Security Hub provides security posture visibility and aggregates findings, but it does not automatically deploy AWS Config rules; it relies on existing Config rules or other integrations to generate findings. Option D is wrong because manually creating an AWS Config rule in each member account using AWS CloudFormation templates requires per-account deployment and maintenance, which is not scalable and contradicts the requirement for minimal operational overhead.

1609
MCQhard

A security engineer is investigating a potential compromise of an EC2 instance. The instance was launched from a custom AMI. The engineer needs to determine if the AMI itself contains malicious software. Which approach provides the most thorough analysis without risking the production environment?

A.Launch a test instance from the AMI in an isolated VPC and run Amazon Inspector.
B.Use AWS Systems Manager to run a compliance scan on the running instance.
C.Create an EBS snapshot from the AMI and scan the snapshot with Amazon Detective.
D.Launch a test instance from the AMI in an isolated VPC and analyze its behavior.
AnswerA

Isolated environment prevents impact; Inspector scans for vulnerabilities and CVEs.

Why this answer

Option A is correct because launching a test instance from the AMI in an isolated VPC allows you to run Amazon Inspector, which performs automated vulnerability assessments and network reachability checks against the instance. This approach provides a thorough analysis of the AMI's software and configuration without exposing the production environment to any potential malicious activity. Amazon Inspector uses a knowledge base of common vulnerabilities and exposures (CVEs) and CIS benchmarks to identify security issues, making it effective for detecting malicious software embedded in the AMI.

Exam trap

The trap here is that candidates may choose Option D (behavioral analysis) because it seems more hands-on and thorough, but they overlook that Amazon Inspector provides a more systematic, automated, and comprehensive scan for known vulnerabilities and misconfigurations, which is the most efficient way to identify malicious software in an AMI without risking the production environment.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager compliance scans are designed to assess the configuration of a running instance against defined policies (e.g., patch compliance), not to detect malicious software within the AMI itself; the scan runs on the potentially compromised production instance, risking the production environment. Option C is wrong because Amazon Detective analyzes VPC flow logs, CloudTrail logs, and GuardDuty findings to investigate security incidents, but it does not scan EBS snapshots for malware; creating a snapshot from the AMI and scanning it with Detective would not reveal malicious software in the snapshot. Option D is wrong because while launching a test instance in an isolated VPC and analyzing its behavior (e.g., network traffic, process activity) can provide insights, it lacks the automated, comprehensive vulnerability scanning capabilities of Amazon Inspector, making it less thorough for identifying known malicious software or CVEs.

1610
MCQeasy

A company wants to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile applications. Which AWS service should the company use?

A.AWS Security Token Service (STS)
B.AWS Single Sign-On (SSO)
C.AWS Identity and Access Management (IAM) users
D.Amazon Cognito user pools
AnswerA

STS issues temporary, limited-privilege credentials for users.

Why this answer

Option A is correct because AWS STS issues temporary credentials. Option C is wrong because IAM users have long-term credentials. Option D is wrong because Cognito identity pools can use STS, but the base service for temporary credentials is STS.

Option B is wrong because SSO provides federated access but not temporary credentials for mobile apps directly.

1611
MCQeasy

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. The data will be transferred using HTTPS. What additional step should be taken to ensure the encryption is enforced?

A.Use AWS KMS to require encryption in transit
B.Enable S3 Transfer Acceleration
C.Add a bucket policy that denies requests where aws:SecureTransport is false
D.Use Amazon CloudFront with HTTPS only
AnswerC

Correct: This enforces HTTPS for all requests to the bucket.

Why this answer

Option C is correct because an S3 bucket policy with a condition that denies requests where aws:SecureTransport is false ensures HTTPS is enforced. Option D is wrong because CloudFront enforces HTTPS but does not replace bucket policy enforcement. Option A is wrong because AWS KMS does not enforce HTTPS.

Option B is wrong because S3 Transfer Acceleration speeds up transfers but does not enforce encryption.

1612
MCQeasy

A developer needs to allow an IAM user to manage their own password in the AWS Management Console. Which IAM policy should be attached to the user?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:ChangePassword","Resource":"*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:ListUsers","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:ChangePassword","Resource":"*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:ChangePassword","Resource":"arn:aws:iam::*:user/${aws:username}"}]}
AnswerD

This policy restricts password change to the user's own account using a variable.

Why this answer

Option D is correct because it allows the user to change only their own password, using the ${aws:username} policy variable. Option A is wrong because it allows the user to change any user's password. Option B is wrong because it only allows listing users.

Option C is wrong because it denies password changes.

1613
MCQhard

A company's security team is implementing a solution to automatically revoke public access to Amazon S3 buckets that become public. The solution must be serverless and use native AWS services. Which combination of services should be used?

A.Amazon S3 event notifications on ObjectCreated events to invoke a Lambda function
B.Amazon EventBridge (CloudWatch Events) to detect PutBucketPolicy events and invoke an AWS Lambda function to remove the policy
C.Amazon CloudWatch Logs with a metric filter and alarm to trigger an SNS notification
D.AWS Config with managed rule 's3-bucket-public-read-prohibited' and auto-remediation via Systems Manager
AnswerB

EventBridge captures API calls from CloudTrail and triggers Lambda to revert the public policy.

Why this answer

Amazon EventBridge can detect S3 bucket policy changes via CloudTrail and trigger a Lambda function to remediate. Option D is wrong because AWS Config can detect but not automatically remediate without Lambda. Option A is wrong because S3 event notifications only trigger on object-level events, not bucket policy changes.

Option C is wrong because CloudWatch Logs alone cannot trigger remediation.

1614
MCQmedium

A company is designing an automated incident response workflow. When a high-severity GuardDuty finding is generated, the security team wants to automatically isolate the affected EC2 instance by modifying its security group to deny all traffic. Which service should orchestrate this response?

A.AWS Lambda
B.AWS Config
C.AWS Step Functions
D.AWS Systems Manager Automation
AnswerD

Automation provides predefined runbooks for incident response, including security group modification.

Why this answer

AWS Systems Manager Automation is the correct choice because it provides a pre-built runbook (AWS-DetachAndIsolateEC2Instance) that can be triggered by Amazon EventBridge when a GuardDuty finding is generated. This runbook automatically modifies the EC2 instance's security group to deny all traffic, effectively isolating the instance without requiring custom code. Systems Manager Automation is designed for such operational workflows, offering built-in error handling and approval steps.

Exam trap

The trap here is that candidates often choose AWS Lambda because they think they need custom code to modify security groups, overlooking that AWS Systems Manager Automation provides a purpose-built, no-code runbook for EC2 isolation that integrates directly with GuardDuty findings via EventBridge.

How to eliminate wrong answers

Option A is wrong because AWS Lambda is a serverless compute service for running code, but it would require you to write custom logic to modify security groups, handle API calls, and manage permissions, whereas Systems Manager Automation provides a ready-to-use runbook. Option B is wrong because AWS Config is a service for evaluating resource compliance against rules, not for orchestrating automated incident response actions like modifying security groups. Option C is wrong because AWS Step Functions is a workflow orchestration service that could coordinate multiple steps, but it lacks the pre-built runbook for EC2 isolation and would require you to build the entire workflow from scratch, including Lambda functions for each action.

1615
MCQmedium

A security engineer is analyzing a potential security incident involving an Amazon RDS for MySQL database. The engineer suspects that a SQL injection attack was successful. Which AWS service can the engineer use to review the actual SQL queries that were executed against the database?

A.VPC Flow Logs
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon RDS Audit Logs
AnswerD

RDS Audit Logs can record SQL statements executed.

Why this answer

Amazon RDS for MySQL supports audit logs that capture detailed records of database activities, including the actual SQL queries executed. By enabling the `audit_log` plugin and configuring the `server_audit_events` parameter, the engineer can review the exact SQL statements that were run, which is essential for identifying a SQL injection attack. This is the only AWS service that provides query-level visibility into RDS database operations.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs control-plane API calls) with database audit logs (which log data-plane SQL queries), leading them to incorrectly select CloudTrail for reviewing executed SQL statements.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture metadata about network traffic (IP addresses, ports, protocols) but do not log the content of SQL queries or database operations. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes AWS CloudTrail events, VPC Flow Logs, and DNS logs for suspicious activity, but it does not provide direct access to the SQL queries executed against an RDS database. Option C is wrong because AWS CloudTrail records API calls made to the RDS service (e.g., creating a DB instance) but does not log the data-plane SQL queries executed within the database itself.

1616
MCQhard

A company needs to ensure that data in Amazon S3 is encrypted at rest using envelope encryption. The company wants to rotate the encryption key every 90 days. Which solution meets these requirements with minimal operational overhead?

A.Use SSE-KMS with AWS managed key
B.Use SSE-S3 and enable automatic key rotation
C.Use SSE-C and rotate the customer-provided key every 90 days
D.Use SSE-KMS with a customer managed key and enable automatic key rotation
AnswerD

KMS can automatically rotate customer managed keys annually; for 90-day rotation, manual rotation is needed but still minimal overhead.

Why this answer

Option D is correct because SSE-KMS with a customer managed key (CMK) supports automatic key rotation, which can be configured to rotate the CMK every 90 days (or any custom period between 90 days and 7 years). This satisfies the envelope encryption requirement (SSE-KMS uses envelope encryption by default, where a CMK encrypts a data key that encrypts the S3 object) and the 90-day rotation requirement with minimal operational overhead, as AWS handles the rotation automatically.

Exam trap

The trap here is that candidates confuse AWS managed keys (which have a fixed 365-day rotation) with customer managed keys (which allow custom rotation periods), leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because AWS managed keys (aws/s3) have a mandatory automatic rotation period of 365 days (1 year), not 90 days, and the rotation schedule cannot be customized. Option B is wrong because SSE-S3 uses server-side encryption with Amazon S3-managed keys (SSE-S3), which does not support envelope encryption; it uses a single key for encryption and does not provide customer-controlled key rotation. Option C is wrong because SSE-C requires the customer to provide and manage their own encryption keys, including manual rotation every 90 days, which introduces significant operational overhead compared to the automated rotation in Option D.

1617
MCQmedium

A company is using AWS WAF to protect a web application. The security team notices that a specific IP address is generating a high volume of requests and triggering the WAF rate-based rule. However, the IP address is a legitimate partner's static IP. What should the security team do to allow this IP while still protecting against other malicious traffic?

A.Add a rule with an IP set condition that allows the partner's IP as an exception to the rate-based rule.
B.Create an IP set and whitelist the IP address in the web ACL default action.
C.Increase the rate limit for the rate-based rule to accommodate the partner's traffic.
D.Disable the rate-based rule for the partner's IP by modifying the rule scope.
AnswerA

This allows the partner's IP to exceed the rate limit while other traffic is still rate-limited.

Why this answer

Option A is correct because adding a WAF IP set condition that allows the partner's IP as an exception to the rate-based rule ensures that legitimate traffic is not blocked while other traffic is still subject to the rule. Option B is wrong because whitelisting the IP in the web ACL default action would bypass all rules, not just the rate-based rule. Option C is wrong because increasing the rate limit would affect all traffic, potentially allowing malicious traffic.

Option D is wrong because WAF rate-based rules cannot be disabled for a specific IP directly; an IP set condition is needed.

1618
MCQmedium

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The security team wants to restrict access to the ALB so that it only accepts traffic from CloudFront. Which configuration should be used?

A.Configure the ALB to be internal and place it in a VPC with a CloudFront VPC origin.
B.Configure the ALB to require a specific header 'X-CloudFront-Origin' and reject requests without it.
C.Configure the ALB to use an IAM role that allows only CloudFront to invoke the ALB.
D.Configure the ALB security group to allow inbound traffic only from the CloudFront origin IP ranges published by AWS.
AnswerD

This restricts ALB access to CloudFront IPs, preventing direct internet access.

Why this answer

Option D is correct because configuring the ALB security group to allow traffic only from CloudFront's IP ranges ensures that only CloudFront can reach the ALB. Option A is wrong because CloudFront does not require a VPC origin; the ALB is a regional endpoint. Option B is wrong because the ALB cannot authenticate the CloudFront user agent.

Option C is wrong because CloudFront cannot use an IAM role to access the ALB.

1619
Multi-Selectmedium

A security engineer is designing a CI/CD pipeline that deploys AWS infrastructure using AWS CloudFormation. The pipeline must assume an IAM role in each target account to create and update stacks. Which TWO steps are required to allow cross-account access for CloudFormation? (Choose TWO.)

Select 2 answers
A.Create a service role for CloudFormation in the pipeline account with a trust policy for the target account.
B.Store the target account root credentials in AWS Secrets Manager and retrieve them in the pipeline.
C.Configure the pipeline's IAM role with a trust policy that allows the target account to access it.
D.Use AWS STS AssumeRole in the pipeline to obtain temporary credentials for the target account role.
E.Create an IAM role in the target account with a trust policy allowing the pipeline account to assume it.
AnswersD, E

Correct: The pipeline must assume the target account role via STS to gain permissions.

Why this answer

Option E is correct because the IAM role in the target account must have a trust policy that allows the pipeline account to assume it. Option D is correct because the pipeline (using AWS CodeBuild or similar) must call STS AssumeRole with the role ARN. Option A is wrong because CloudFormation itself does not assume roles for stack operations; the entity calling CloudFormation assumes the role.

Option C is wrong because the pipeline's role does not need a trust policy for the target account. Option B is wrong because cross-account role assumption does not require root user credentials.

1620
MCQeasy

A company has a requirement to detect and alert on S3 objects that contain personally identifiable information (PII) being shared publicly. Which AWS service should be used?

A.Amazon CloudWatch
B.Amazon GuardDuty
C.Amazon Inspector
D.Amazon Macie
AnswerD

Macie is designed to discover and protect sensitive data in S3.

Why this answer

Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in S3. Option B (GuardDuty) detects threats, not data classification. Option C (Inspector) is for vulnerabilities.

Option D (CloudWatch) is for monitoring.

1621
MCQhard

A security engineer needs to design an IAM policy that allows an IAM user to launch EC2 instances only if they specify a specific security group ID (sg-12345) and a specific instance type (t2.micro). Which policy achieves this?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:security-group/sg-12345", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro" } } } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro", "aws:RequestTag/security-group": "sg-12345" } } } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro" } } } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro", "ec2:SecurityGroup": "sg-12345" } } } ] }
AnswerD

Correctly restricts both instance type and security group.

Why this answer

Option D is correct because it uses the condition keys ec2:InstanceType and ec2:SecurityGroup to restrict the RunInstances action. Option C restricts only the instance type, not the security group. Option A uses a security-group Resource ARN rather than a condition key, so it does not correctly restrict the security group.

Option B uses RequestTag, but a security group is not a tag.

1622
MCQeasy

A company needs to protect data at rest on Amazon EBS volumes attached to EC2 instances. Which solution provides the most control over the encryption keys?

A.Use a customer managed KMS key with EBS encryption.
B.Encrypt data using client-side encryption before writing to EBS.
C.Use an AWS managed KMS key for EBS encryption.
D.Enable EBS encryption by default in the account.
AnswerA

Customer managed keys give full control over key lifecycle and permissions.

Why this answer

Option A is correct because using a customer managed KMS key allows the customer to control key rotation, policies, and access. Option C is wrong because AWS managed keys do not allow customer control. Option D is wrong because EBS encryption by default uses AWS managed keys unless a customer managed key is specified.

Option B is wrong because client-side encryption would require application changes.

1623
MCQeasy

A company wants to ensure that all data sent to an S3 bucket is encrypted in transit. Which policy statement should be added to the bucket policy?

A.Allow if aws:SecureTransport is false
B.Deny unless aws:SecureTransport is false
C.Allow if aws:SecureTransport is true
D.Deny if aws:SecureTransport is false
AnswerD

Denies HTTP, forces HTTPS.

Why this answer

Option D is correct because denying requests where aws:SecureTransport is false ensures that requests must use HTTPS. Option B is wrong because it denies HTTPS. Option A is wrong because it allows HTTP.

Option C is wrong because an Allow on HTTPS alone does not block HTTP, so both are allowed.

1624
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple AWS accounts? (Select TWO.)

Select 2 answers
A.AWS CloudTrail
B.AWS Organizations
C.Amazon GuardDuty
D.AWS IAM
E.AWS Config
AnswersB, E

Enables central management of policies via SCPs.

Why this answer

Options B and E are correct. AWS Organizations allows you to centrally manage policies (SCPs) across accounts. AWS Config allows you to create rules that enforce compliance across accounts.

Option D is wrong because IAM is per-account. Option A is wrong because AWS CloudTrail is for auditing, not enforcement. Option C is wrong because Amazon GuardDuty is for threat detection.

1625
Multi-Selecteasy

A company wants to use AWS CloudTrail to log all API calls in an AWS account. The security engineer needs to ensure that the logs are encrypted at rest and are accessible only to authorized personnel. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Enable MFA delete on the S3 bucket.
B.Enable server-side encryption on the S3 bucket that stores CloudTrail logs.
C.Attach a service control policy (SCP) to the root account.
D.Create an IAM policy that grants access to the S3 bucket only to specific users or roles.
E.Configure the S3 bucket policy to require encrypted connections (aws:SecureTransport).
AnswersB, D, E

Encrypts logs at rest.

Why this answer

Options B, D, and E are correct. Enabling SSE-S3 or SSE-KMS ensures encryption at rest. Using a bucket policy with conditions for HTTPS ensures encryption in transit.

Applying an IAM policy to restrict access ensures only authorized personnel can access logs. Option C is wrong because SCPs apply at the organization level, not account-level log access. Option A is wrong because MFA delete does not encrypt logs.

1626
MCQeasy

Refer to the exhibit. A security engineer is analyzing VPC Flow Logs and notices a pattern of outbound traffic from an EC2 instance to an external IP on port 22 (SSH). The engineer wants to identify which instances are initiating SSH connections to the internet. Which field in the flow log record indicates the source of the connection?

A.The first IP address in the log entry (srcaddr)
B.The second IP address (dstaddr)
C.The first port number (srcport)
D.The second port number (dstport)
AnswerA

The first IP is the source address; for outbound traffic, it is the internal IP of the instance.

Why this answer

In VPC Flow Logs, the `srcaddr` field records the source IP address of the traffic. Since the engineer is looking for which EC2 instances are initiating outbound SSH connections (port 22), the source IP in the flow log entry (srcaddr) directly identifies the instance that started the connection. The direction of the traffic is determined by the source and destination fields, not by the port numbers alone.

Exam trap

The trap here is that candidates confuse the source port (srcport) with the source address (srcaddr), mistakenly thinking the port number identifies the initiating instance, when in fact the source IP address is the correct field to determine which EC2 instance started the connection.

How to eliminate wrong answers

Option B is wrong because `dstaddr` is the destination IP address (the external server), not the source EC2 instance. Option C is wrong because `srcport` is the source port number (a random ephemeral port used by the client), not the IP address of the initiating instance. Option D is wrong because `dstport` is the destination port (22 for SSH), which identifies the service but not the source of the connection.

1627
Multi-Selecthard

A security engineer is investigating a potential security incident. The engineer has enabled CloudTrail and VPC Flow Logs. Which THREE pieces of information can the engineer obtain from CloudTrail logs that are NOT available in VPC Flow Logs? (Choose three.)

Select 3 answers
A.The payload of the API request.
B.The AWS Region where the API call was made.
C.The destination IP address and port of the network traffic.
D.The IAM user or role that performed the API call.
E.The source IP address of the API call.
AnswersB, D, E

CloudTrail records the region of the endpoint; VPC Flow Logs are per VPC and do not indicate API endpoint region.

Why this answer

Options B, D, and E are correct because CloudTrail logs API calls, including details like the IAM user or role that made the call, the source IP address (which could be the same as in flow logs, but the identity is unique to CloudTrail), and the AWS Region of the API endpoint. Options A and C are wrong because packet payloads are not logged by either service, and destination IP and port are network traffic metadata (source/destination IP, ports, protocol) that VPC Flow Logs provide and CloudTrail does not.

1628
Multi-Selectmedium

A company uses AWS KMS to encrypt data in Amazon RDS. The security team wants to ensure that the KMS key can be used only by specific IAM roles and that all usage of the key is logged. Which TWO actions should the team take?

Select 2 answers
A.Apply an S3 bucket policy to the RDS automated backup bucket
B.Enable automatic key rotation
C.Enable AWS CloudTrail to log KMS API calls
D.Modify the key policy to grant kms:Encrypt and kms:Decrypt only to the required IAM roles
E.Create a cross-account key policy to allow all IAM roles in the account
Answers: C, D

CloudTrail logs usage.

Why this answer

To restrict key usage, use a key policy that grants kms:Encrypt and kms:Decrypt only to the specific IAM roles. To log usage, enable CloudTrail logging of KMS API calls. Options C and D are correct.

Option B is incorrect because enabling key rotation does not control access. Option E is incorrect because cross-account access is not needed. Option A is incorrect because S3 bucket policies do not control KMS key usage.

1629
MCQ · medium

Refer to the exhibit. A security engineer has created an S3 bucket policy to allow AWS CloudTrail and VPC Flow Logs to deliver logs to the bucket. However, CloudTrail logs are not being delivered, but VPC Flow Logs are delivered successfully. What is the most likely cause?

A.The principal is set to a service instead of an AWS account.
B.The condition 's3:x-amz-acl' is misspelled.
C.The service principal in the policy is incorrect for CloudTrail.
D.The bucket policy does not grant CloudTrail permission to perform 's3:GetBucketAcl' and 's3:PutBucketAcl'.
Answer: D

CloudTrail needs these permissions to verify bucket ownership.

Why this answer

The service principal for CloudTrail is `cloudtrail.amazonaws.com`, which is correct, so the problem lies in what the bucket policy grants rather than in the principal. Because VPC Flow Logs deliver successfully, the bucket itself is reachable; what CloudTrail additionally needs is permission to verify the bucket before it writes to it. (A wrong bucket name or prefix on the trail would also cause this symptom, but the question asks about the policy.)

The most common cause is a bucket policy that does not allow CloudTrail to perform `s3:GetBucketAcl` and `s3:PutBucketAcl`, which is exactly what option D describes. Option A is wrong because the service principal is correct. Option B is wrong because the condition is fine. Option C is wrong for the same reason as A: the principal is correct.

1630
MCQ · hard

A security engineer needs to ensure that all data in transit between an Application Load Balancer (ALB) and EC2 instances is encrypted. What configuration is required?

A.Configure the security group to allow traffic on port 443.
B.Configure the ALB listener with HTTPS protocol.
C.Configure the ALB to terminate TLS connections.
D.Configure the target group to use HTTPS protocol.
Answer: D

Target group protocol determines backend encryption.

Why this answer

To encrypt traffic between the ALB and the EC2 instances, the target group must use the HTTPS protocol, so option D is correct. The listener protocol (B) covers client-to-ALB traffic only.

The security group (A) controls access, not encryption. TLS termination (C) applies to the listener, not to the backend connection.

1631
MCQ · easy

A security engineer needs to grant an EC2 instance access to an S3 bucket without storing long-term credentials on the instance. Which approach should the engineer use?

A.Generate an access key and secret key for an IAM user and store them in the EC2 instance.
B.Use an SCP to allow the EC2 instance to access the S3 bucket.
C.Store the credentials in the AMI used to launch the instance.
D.Create an IAM role with the required permissions and attach it to the EC2 instance as an instance profile.
Answer: D

Provides temporary credentials via the instance metadata service.

Why this answer

Option D is correct because an IAM role attached as an instance profile lets the EC2 instance obtain temporary credentials. Option A is wrong because access keys are long-term credentials. Option C is wrong because storing keys in the AMI is insecure.

Option B is wrong because an SCP is for organization-wide policies, not for individual EC2 instances.

1632
MCQ · easy

A company is using AWS KMS to encrypt sensitive data in Amazon DynamoDB. The security team wants to ensure that the KMS key can only be used from within the company's VPC and not from the internet. The VPC has an interface VPC endpoint for KMS. What should the security team do to enforce this restriction?

A.Make the KMS key Regional and disable cross-Region access
B.Use security group rules to restrict access to the KMS endpoint
C.Create an S3 bucket policy that restricts access to the KMS key
D.Attach a VPC endpoint policy that denies access from outside the VPC
Answer: D

VPC endpoint policies control access to KMS through the endpoint.

Why this answer

Option D is correct because attaching a policy to the VPC endpoint that denies access from outside the VPC restricts usage. Option C is wrong because a bucket policy is for S3, not KMS. Option B is wrong because security group rules do not apply to KMS operations; they apply to network traffic.

Option A is wrong because making the key Regional does not restrict network access.

1633
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable Amazon GuardDuty. Which SCP should be applied?

A.Deny action: guardduty:StopMonitoringMembers
B.Deny action: guardduty:DisableGuardDuty
C.Deny action: guardduty:UpdateDetector
D.Deny action: guardduty:DeleteDetector
Answer: A

This prevents member accounts from disabling GuardDuty monitoring by the administrator.

Why this answer

SCPs can deny specific actions. The correct SCP denies the guardduty:StopMonitoringMembers action.

1634
MCQ · hard

A security engineer is auditing the AWS Organizations structure. The engineer notices that the 'Management' account (111111111111) has a status of 'ACTIVE' and joined method 'CREATED'. The engineer is concerned about potential security risks. Which action should the engineer take to improve security?

A.Remove the management account from the organization.
B.Delete the management account and create a new one.
C.Create a new root user for the management account and delete the old one.
D.Enable multi-factor authentication (MFA) for the root user of the management account.
Answer: D

MFA protects the root user of the management account.

Why this answer

Option D is correct because the root user of the management account should have MFA enabled to protect the account that can modify SCPs and manage other accounts. Option A is wrong because removing the management account from the organization is not possible. Option B is wrong because deleting the management account is not possible.

Option C is wrong because the root user cannot be deleted.

1635
MCQ · medium

A company uses AWS CloudTrail and wants to ensure that all log files are encrypted at rest using a customer-managed AWS KMS key. The CloudTrail trail is configured to use a KMS key, but some log files appear to be encrypted with the default Amazon S3 managed key (SSE-S3). What is the most likely cause?

A.The KMS key policy does not grant CloudTrail permission to use the key.
B.The CloudTrail trail is configured to use SSE-S3 instead of SSE-KMS.
C.The KMS key is in a different AWS region than the S3 bucket.
D.The S3 bucket has default encryption set to SSE-S3.
Answer: A

If CloudTrail cannot use the KMS key, it falls back to SSE-S3.

Why this answer

CloudTrail uses the KMS key to encrypt log files, but if the key is not accessible because of permission issues, CloudTrail falls back to SSE-S3, so option A is correct. Option C is wrong because CloudTrail supports KMS keys regardless of Region.

Option B is wrong because the trail configuration does not specify SSE-S3; the KMS key is what is specified. Option D is wrong because CloudTrail does not use the S3 bucket's default encryption; it uses the trail's KMS key.

1636
MCQ · medium

A company stores sensitive data in an Amazon S3 bucket. They want to ensure that data is encrypted in transit when accessed from the internet. Which policy should they attach to the bucket?

A.{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-12345"}}}
B.{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
C.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
D.{"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*", "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}
Answer: C

Denies all requests that are not over HTTPS.

Why this answer

Option C is correct because it uses a Deny effect with the aws:SecureTransport condition set to 'false', which explicitly blocks any request that does not use HTTPS/TLS. This ensures that all S3 operations (s3:*) on the bucket objects require encryption in transit, as any HTTP request will be denied. The Deny effect overrides any Allow, making this a robust policy to enforce encrypted access from the internet.

Exam trap

The trap here is that candidates often choose an Allow policy (like Option B) thinking it will permit only encrypted traffic, but they forget that an Allow with a condition does not block unencrypted requests—only a Deny can explicitly block them, and the condition must be inverted (e.g., 'false' to block HTTP).

How to eliminate wrong answers

Option A is wrong because it restricts access based on the source VPC (aws:SourceVpc), which controls network origin but does not enforce encryption in transit; requests from outside the VPC could still use HTTP. Option B is wrong because it uses an Allow effect with aws:SecureTransport set to 'false', which would allow only unencrypted requests (the opposite of the requirement) and also fails to deny encrypted requests. Option D is wrong because it denies requests from all IP addresses (0.0.0.0/0), which would block all internet traffic regardless of encryption, rather than selectively enforcing HTTPS.

1637
Multi-Select · hard

A company is using AWS Organizations to manage multiple accounts. The security team wants to restrict the use of specific instance types across all accounts. Which two AWS services can enforce this restriction? (Choose TWO.)

Select 2 answers
A.Service control policies (SCPs)
B.IAM policies
C.VPC Flow Logs
D.AWS CloudTrail
E.AWS Config rules
Answers: A, E

SCPs can restrict instance types across all accounts.

Why this answer

Options A and E are correct. SCPs in AWS Organizations can deny specific instance types across all accounts, and AWS Config rules can evaluate instance types and trigger remediation.

Option B is wrong because IAM policies are per-account and cannot be applied centrally across all accounts. Option D is wrong because CloudTrail only logs. Option C is wrong because VPC Flow Logs monitor network traffic.

1638
MCQ · easy

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

A.Create an S3 bucket policy in each account to deny access to unencrypted buckets.
B.Use AWS Config rules to detect buckets without encryption and send alerts.
C.Create an IAM role in each account that requires encryption when creating buckets.
D.Create a service control policy (SCP) that denies s3:CreateBucket if the bucket does not have encryption enabled.
Answer: D

SCPs allow central policy enforcement across all accounts in the organization.

Why this answer

Option D is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally deny API actions across all accounts. By creating an SCP that denies `s3:CreateBucket` unless the request includes encryption parameters (SSE-S3 or SSE-KMS), you enforce encryption at the point of bucket creation, preventing non-compliant buckets from ever being created. This is the only approach that proactively enforces the policy across the entire organization, rather than relying on detection or per-account configurations.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that bucket policies or IAM roles can enforce encryption at creation time, when only SCPs can centrally deny the API call across an entire organization.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies control access to existing buckets, not the creation of buckets; they cannot prevent an unencrypted bucket from being created. Option B is wrong because AWS Config rules are detective, not preventive; they can alert on non-compliant buckets but do not enforce encryption at creation time. Option C is wrong because IAM roles are per-account and cannot enforce a policy across all accounts in an organization; additionally, IAM roles control who can create buckets but do not enforce encryption requirements on the bucket itself.

1639
MCQ · easy

A security engineer needs to generate a report of all AWS Identity and Access Management (IAM) users who have not used their access keys in the last 90 days. Which AWS service can provide this information?

A.AWS IAM Credentials Report
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
Answer: A

Correct: The IAM Credentials Report includes last used timestamps.

Why this answer

Option A is correct because the AWS IAM Credentials Report provides a CSV file with details about IAM users, including last-activity dates. Option B is wrong because AWS CloudTrail logs API calls but does not provide a summary report. Option D is wrong because AWS Config evaluates configurations, not usage.

Option C is wrong because Amazon GuardDuty does not track IAM key usage.

1640
Multi-Select · easy

A security engineer needs to detect and respond to malware on an EC2 instance. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon Inspector
B.AWS Lambda
C.Amazon CloudWatch
D.AWS WAF
E.Amazon GuardDuty with Malware Protection
Answers: B, E

Can automate response to GuardDuty findings.

Why this answer

AWS Lambda is correct because it can be used as a serverless compute target to automate incident response actions when malware is detected. For example, a Lambda function can be triggered by a GuardDuty finding to isolate the compromised EC2 instance by modifying security group rules or detaching the instance from an Auto Scaling group, enabling rapid, automated remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse Amazon Inspector's vulnerability scanning with malware detection, or assume CloudWatch alone can perform automated incident response, when in fact GuardDuty's Malware Protection is the only AWS-native service that directly detects malware on EC2, and Lambda is required for automated remediation.

1641
Multi-Select · easy

A company uses AWS Systems Manager Session Manager to provide SSH access to EC2 instances without needing to open inbound ports. The security team wants to ensure that all session activity is logged and that only authorized users can start sessions. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Configure the EC2 instances to require SSH key pairs for authentication.
B.Enable AWS CloudTrail to log StartSession API calls.
C.Enable VPC Flow Logs to monitor network traffic.
D.Create IAM policies that allow the ssm:StartSession action only for specific users or roles.
E.Use security groups to restrict inbound traffic to the Session Manager endpoints.
Answers: B, D

CloudTrail logs all API calls, including Session Manager starts.

Why this answer

Options B and D are correct. Enabling CloudTrail logging captures API calls such as StartSession, and IAM policies that allow ssm:StartSession only for specific users or roles are the standard way to control access.

Option A is not needed because Session Manager does not require SSH keys. Option E is not the access-control method here; IAM policies are. Option C is unrelated because VPC Flow Logs only monitor network traffic.

1642
MCQ · easy

A company wants to allow an IAM user to list only the objects in a specific S3 bucket named 'my-bucket'. Which IAM policy statement should be used?

A.{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}
B.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}
C.{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket/*","Condition":{"StringEquals":{"s3:prefix":""}}}
D.{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::my-bucket/*"}
Answer: B

Correctly grants only ListBucket on the bucket.

Why this answer

Option B is correct because it grants s3:ListBucket on the specific bucket without allowing other actions. Option D is wrong because it allows all S3 actions. Option A is wrong because it grants GetObject instead of ListBucket.

Option C is wrong because it adds a condition that is not required for listing.

1643
MCQ · easy

A company needs to audit all changes to IAM policies in their AWS account for compliance. Which AWS service should be enabled to record the API calls that modify IAM policies?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.VPC Flow Logs
Answer: C

Records API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API calls, including IAM policy changes. Option B is incorrect because AWS Config records resource configurations but not API call history. Option D is incorrect because VPC Flow Logs capture network traffic.

Option A is incorrect because CloudWatch Logs stores logs but does not capture API calls directly.

1644
MCQ · hard

During an incident, a security engineer needs to isolate a compromised Amazon EC2 instance without losing the ability to capture forensic data from its EBS volumes. What is the best course of action?

A.Terminate the instance immediately and take a snapshot after termination.
B.Take a snapshot of the EBS volumes, then detach the instance from the Auto Scaling group and modify the security group to deny all traffic.
C.Stop the instance, detach the volumes, and attach them to a forensic instance.
D.Change the security group to restrict traffic to only the forensic team's IP addresses.
Answer: B

Snapshot preserves data, then isolation by removing from ASG and blocking traffic.

Why this answer

Option B is correct because taking a snapshot of the EBS volumes preserves the forensic data before any changes occur, while detaching the instance from the Auto Scaling group prevents automatic replacement, and modifying the security group to deny all traffic isolates the instance without losing the running state or the ability to capture additional volatile data. This approach balances isolation with forensic preservation, ensuring the instance remains available for further analysis if needed.

Exam trap

The trap here is that candidates often confuse 'stopping' an instance with 'isolating' it, not realizing that stopping triggers OS shutdown processes that can destroy volatile evidence, whereas modifying the security group to deny all traffic achieves isolation without altering the instance state.

How to eliminate wrong answers

Option A is wrong because terminating the instance destroys the running state and any volatile data (e.g., memory, process list), and while a snapshot can be taken after termination, the EBS volumes may have been altered or deleted, losing critical forensic evidence. Option C is wrong because stopping the instance clears the instance store (if used) and may trigger OS-level shutdown scripts that could overwrite or delete forensic data; detaching volumes and attaching them to a forensic instance is a valid step but should be done after taking a snapshot to ensure a point-in-time copy, and stopping the instance is unnecessary and risky. Option D is wrong because restricting traffic to only the forensic team's IP addresses does not fully isolate the instance from lateral movement or external threats; the instance remains accessible and could still be compromised or used as a pivot point, and it does not prevent the instance from being terminated or altered by an attacker.

1645
MCQ · medium

A company wants to automate the rotation of IAM user access keys every 90 days. Which AWS service can be used to enforce this?

A.AWS Organizations SCP to deny access if keys are older than 90 days.
B.AWS Config with a custom rule that checks key age and triggers a Lambda function to rotate keys.
C.AWS CloudTrail to monitor key usage and send notifications.
D.AWS Lambda on a schedule to rotate keys.
Answer: B

AWS Config can evaluate key age and invoke Lambda to rotate.

Why this answer

Option B is correct because AWS Config can monitor IAM access key age (last-used information) and trigger a Lambda function to rotate the keys automatically. Option C is wrong because CloudTrail logs API calls but does not rotate keys. Option D is wrong because Lambda can perform the rotation but needs to be triggered by something like Config.

Option A is wrong because SCPs do not rotate keys.

1646
MCQ · hard

A company uses AWS Key Management Service (KMS) to encrypt data at rest. The security team needs to ensure that only specific IAM roles can use a particular KMS key to encrypt and decrypt data. What is the most secure way to achieve this?

A.Create an IAM policy that allows kms:Encrypt and kms:Decrypt for the roles and attach it to the roles.
B.Create a KMS key policy that grants access only to the specific IAM roles using the kms:CallerArn condition.
C.Create a KMS key policy that grants access to the account and use IAM policies to restrict the roles.
D.Create a KMS key policy with Principal "*" and a condition that the request originates from the roles.
Answer: B

This restricts key usage to the specified roles.

Why this answer

Option B is correct because a key policy with a condition on the kms:CallerArn attribute restricts usage to the specified roles. Options A and C are wrong because IAM policies alone cannot restrict KMS key usage when the key policy grants access more broadly (to all principals or to the whole account).

Option D is wrong because a key policy with Principal "*" grants access to everyone, even with a condition, and a condition on the IAM role's ARN is not a standard KMS condition key.

1647
MCQ · easy

A company wants to protect data stored in Amazon S3 by encrypting it at rest using keys managed by the company. Which encryption option should be used?

A.SSE-KMS
B.SSE-C
C.Client-side encryption
D.SSE-S3
Answer: B

Correct: SSE-C allows the customer to provide their own encryption keys.

Why this answer

Option B is correct because SSE-C allows the customer to provide and manage their own encryption keys. Option D is wrong because SSE-S3 uses AWS-managed keys. Option A is wrong because SSE-KMS uses keys managed by AWS KMS.

Option C is wrong because client-side encryption is not an S3 server-side encryption option.

1648
MCQ · medium

A company uses cross-account roles to allow developers in the 'dev' account to access resources in the 'prod' account. The trust policy in 'prod' allows the 'dev' account to assume the role. The developers have an IAM policy that allows sts:AssumeRole on the role ARN. However, when a developer tries to assume the role via the AWS CLI, they get an error that the role cannot be assumed. The developer can list the role using IAM. What is the MOST likely cause?

A.The developer's IAM policy does not include sts:AssumeRole.
B.The developer is not providing the required external ID when calling sts:AssumeRole.
C.The developer must use MFA to assume the role.
D.The role ARN specified in the policy is incorrect.
Answer: B

External ID is required if the trust policy specifies it.

Why this answer

Option B is correct. The trust policy must allow the specific IAM entity (user or role) or the entire account; if it allows the account, the AssumeRole call should otherwise work. But if the trust policy requires an external ID and the developer does not provide it, the assumption fails.

Option A is wrong because the developer's policy already allows the action. Option D is wrong because the role exists; the developer can list it. Option C is wrong because MFA is not required unless the trust policy demands it.

1649
MCQ · easy

Refer to the exhibit. A security engineer runs this CloudWatch Logs Insights query on a log group. What is the purpose of this query?

A.Retrieve the 20 most recent log events that contain only 'ERROR'.
B.Retrieve the 20 most recent log events that contain 'ERROR' or 'WARN'.
C.Display all log events grouped by log level.
D.Count the number of ERROR and WARN events in the last hour.
Answer: B

The filter and sort achieve this.

Why this answer

The query filters log events containing 'ERROR' or 'WARN', sorts them by timestamp descending, and returns the 20 most recent, so option B is correct. Option A is wrong because the query returns both ERROR and WARN events.

Option D is wrong because the query does not count them. Option C is wrong because it does not group by log level.

1650
Multi-Select · medium

A security engineer needs to monitor DNS query logs for malicious domain names. Which THREE services can be used together to collect, analyze, and alert on DNS logs? (Choose THREE.)

Select 3 answers
A.Amazon CloudWatch Logs
B.AWS Lambda
C.Amazon Route 53 Resolver Query Logs
D.Amazon GuardDuty
E.Amazon Athena
Answers: A, B, C

Can store and filter DNS logs.

Why this answer

Amazon CloudWatch Logs is correct because it can ingest DNS query logs from Route 53 Resolver Query Logs and serve as a centralized log storage and monitoring service. It allows you to create metric filters and alarms to detect patterns indicative of malicious domain queries, enabling real-time alerting on suspicious DNS activity.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty's DNS-based threat detection capabilities with the ability to directly collect and alert on custom DNS query logs, but GuardDuty operates on its own internal data sources and does not provide the same level of custom log monitoring and alerting as the combination of Route 53 Resolver Query Logs, CloudWatch Logs, and Lambda.
