AWS Certified Security Specialty (SCS-C02) — Questions 151-225

1738 questions total · 24 pages · All types, answers revealed

Page 3 of 24
151
MCQ · medium

A company uses S3 to store confidential documents. They want to ensure that objects are encrypted at rest using customer-provided encryption keys (SSE-C). Which header must be included in every PUT request?

A.x-amz-server-side-encryption: AES256
B.x-amz-server-side-encryption-customer-key: <key>
C.x-amz-server-side-encryption-customer-algorithm: AES256
D.x-amz-server-side-encryption: aws:kms
Answer: C

Required for SSE-C.

Why this answer

Option C is correct because an SSE-C request is identified by x-amz-server-side-encryption-customer-algorithm set to AES256. Option A is wrong because x-amz-server-side-encryption: AES256 selects SSE-S3 (S3-managed keys). Option D is wrong because the value aws:kms selects SSE-KMS. Option B is wrong as the single answer the item wants because the key header on its own does not select SSE-C; the algorithm header does.

Practitioner caveat: a real SSE-C request must carry all three customer headers together (the algorithm, the base64-encoded 256-bit key, and the base64-encoded MD5 of that key), and it must carry them on GET and HEAD as well as PUT, because S3 does not store the key. A request with only one or two of the three is rejected.
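As an added example (not part of the question bank), the following Python builds the three SSE-C headers for a 256-bit key and classifies which server-side encryption mode a request's headers ask for. The function and constant names are this example's own; boto3 performs the same header construction from its SSECustomerKey and SSECustomerAlgorithm parameters.

```python
import base64
import hashlib

SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_ALGO = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
SSE_C_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(key: bytes) -> dict:
    """Return the three headers S3 requires on every SSE-C request (PUT, GET, HEAD).

    S3 never stores the key, so the caller must present it on every request;
    the MD5 header lets S3 detect a key corrupted in transit before using it.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        SSE_C_ALGO: "AES256",
        SSE_C_KEY: base64.b64encode(key).decode("ascii"),
        SSE_C_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def classify_encryption(headers: dict) -> str:
    """Name the server-side encryption mode a request asks for.

    Returns "SSE-C", "SSE-S3", "SSE-KMS", "DSSE-KMS" or "none" (no header at
    all: S3 then applies the bucket's default encryption, and a bucket-policy
    condition on the header sees a missing key). Raises ValueError for an
    SSE-C request that is incomplete or inconsistent, which S3 also rejects.
    """
    h = {k.lower(): v for k, v in headers.items()}
    present = [k for k in (SSE_C_ALGO, SSE_C_KEY, SSE_C_MD5) if k.lower() in h]
    if present:
        if len(present) != 3:
            missing = {SSE_C_ALGO, SSE_C_KEY, SSE_C_MD5} - set(present)
            raise ValueError(f"incomplete SSE-C request, missing: {sorted(missing)}")
        if h[SSE_C_ALGO.lower()] != "AES256":
            raise ValueError("SSE-C supports only AES256")
        key = base64.b64decode(h[SSE_C_KEY.lower()])
        expected_md5 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
        if h[SSE_C_MD5.lower()] != expected_md5:
            raise ValueError("customer key MD5 does not match the supplied key")
        return "SSE-C"
    mode = h.get(SSE_HEADER)
    if mode is None:
        return "none"
    if mode == "AES256":
        return "SSE-S3"
    if mode == "aws:kms":
        return "SSE-KMS"
    if mode == "aws:kms:dsse":
        return "DSSE-KMS"
    raise ValueError(f"unknown {SSE_HEADER} value {mode!r}")
```

Header names are compared case-insensitively, as HTTP requires; the MD5 check mirrors the integrity check S3 performs before it will use a customer key.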

152
MCQ · medium

A company is designing a VPC for a three-tier web application that must be accessible from the internet only via HTTPS. The web servers must be able to initiate outbound connections to the internet for software updates, but the database servers must have no direct internet access. Which architecture meets these requirements?

A.Web servers in private subnets, database servers in public subnets, both behind an Application Load Balancer
B.Web servers in public subnets, database servers in private subnets with a route to a NAT Gateway in a public subnet
C.Web servers in private subnets with a route to a NAT Gateway, database servers in private subnets with no route to the NAT Gateway, both behind an Application Load Balancer in public subnets
D.Web servers in public subnets with Elastic IPs, database servers in private subnets with a route to an internet gateway
Answer: C

Web servers reach the internet for updates through the NAT Gateway, database servers have no internet path at all, and the ALB terminates HTTPS in the public subnets.

Why this answer

Option C is correct because it puts only the ALB and the NAT Gateway in public subnets, gives the web tier a private subnet whose route table sends 0.0.0.0/0 to the NAT Gateway (outbound only), and gives the database tier a private subnet with no default route, so it can neither initiate nor receive internet traffic. Option A is wrong because it places the database servers in public subnets. Option B is wrong because it gives the database subnets a route to the NAT Gateway, which is outbound internet access the requirement forbids, and it exposes the web servers directly. Option D is wrong because a route to an internet gateway makes the database subnets public in effect, and web servers with Elastic IPs are reachable directly rather than only through the HTTPS listener on the ALB.

153
MCQ · easy

A company wants to automate the enforcement of security best practices across all AWS accounts in an organization. The solution should automatically remediate noncompliant resources. Which AWS service should be used to achieve this?

A.AWS Organizations service control policies (SCPs)
B.AWS IAM Access Analyzer
C.Amazon GuardDuty
D.AWS Config rules with auto-remediation
Answer: D

Config rules detect noncompliant resources and can trigger a remediation action.

Why this answer

Option D is correct because AWS Config rules evaluate resource configuration continuously and can be paired with remediation actions (Systems Manager Automation runbooks, or a Lambda function invoked from the compliance-change event) that fix the resource automatically; with conformance packs deployed across the organization this works in every account. Option A is wrong because SCPs are preventive guardrails on what member accounts may do; they cannot change a resource that already exists. Option B is wrong because IAM Access Analyzer reports on resource policies that grant outside access; it does not remediate anything. Option C is wrong because GuardDuty is a threat detection service, not a configuration compliance service.

154
Multi-Select · medium

A company wants to protect sensitive data stored in S3 from being accessed by unauthorized users. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Use IAM policies to restrict access to the bucket.
B.Enable S3 Versioning.
C.Enable default encryption on all S3 buckets.
D.Enable S3 Block Public Access at the account level.
E.Enable MFA Delete on the bucket.
Answers: A, D

IAM policies decide which principals may call which S3 actions; Block Public Access stops any bucket policy or ACL from opening the bucket to everyone.

Why this answer

Options A and D are correct. S3 Block Public Access at the account level overrides any bucket policy or ACL that would grant public access, and IAM identity policies scope what each user or role may do. Option C is wrong because encryption at rest protects data on disk; it does not stop an authorized principal, or a public bucket policy, from returning the object (SSE-KMS does add a kms:Decrypt check against the key policy, but the item treats encryption as a confidentiality-at-rest control, not an access control). Option E is wrong because MFA Delete protects object versions from deletion, not from reads. Option B is wrong because Versioning preserves history; it does not control access.

155
Multi-Select · easy

A company wants to allow a Lambda function to read messages from an SQS queue and write logs to CloudWatch Logs. Which TWO IAM actions should be included in the Lambda execution role?

Select 2 answers
A.logs:DeleteLogGroup
B.sqs:ReceiveMessage
C.cloudwatch:*
D.logs:CreateLogStream and logs:PutLogEvents
E.sqs:SendMessage
Answers: B, D

sqs:ReceiveMessage lets the function read from the queue; logs:CreateLogStream and logs:PutLogEvents let it write its log output.

Why this answer

Options B and D are correct because they are the specific actions the two tasks need. Option E is wrong because sqs:SendMessage writes to the queue. Option C is wrong because cloudwatch:* is the metrics namespace, not the logs namespace, and is far broader than needed. Option A is wrong because deleting log groups is not required and is destructive.

Practitioner caveat: when the queue is wired to the function as an event source mapping, the Lambda service polls the queue using the execution role, so the role also needs sqs:DeleteMessage and sqs:GetQueueAttributes (the AWS managed policy AWSLambdaSQSQueueExecutionRole grants exactly these three SQS actions). logs:CreateLogGroup is needed as well unless the log group already exists.

156
MCQ · hard

A security engineer is configuring an Amazon S3 bucket to store CloudTrail logs. The engineer must ensure that the logs are encrypted at rest using an AWS KMS customer managed key (CMK) and that only the CloudTrail service has permission to decrypt the logs. Which bucket policy statement should the engineer add?

A.{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"kms:Encrypt","Resource":"*"}
B.{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"kms:Decrypt","Resource":"*"}
C.{"Effect":"Allow","Principal":"*","Action":"kms:Decrypt","Resource":"*"}
D.{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"kms:Decrypt","Resource":"*"}
Answer: B

This grants the CloudTrail service principal permission to use the CMK for decryption.

Why this answer

Option B is correct because it names the CloudTrail service principal and the kms:Decrypt action. Option A is wrong because kms:Encrypt is not a decrypt permission. Option C is wrong because Principal "*" would let any caller decrypt the logs. Option D is wrong because the account root is not the CloudTrail service; it would extend decrypt to every principal in the account.

Practitioner caveat: statements with kms: actions belong in the key policy of the CMK, not in the S3 bucket policy; a bucket policy cannot grant KMS permissions. In the key policy AWS documents for CloudTrail, the CloudTrail service principal is granted kms:GenerateDataKey* (to encrypt new log files, conditioned on kms:EncryptionContext:aws:cloudtrail:arn) and kms:DescribeKey, while kms:Decrypt is granted to the people or roles who read the logs, typically with a kms:ViaService condition for S3 in the bucket's region. The item simplifies this.

157
MCQ · medium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The Lambda function is configured with an execution role that has the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] } The Lambda function is also configured with an SQS trigger that uses the same queue. The function code tries to send a message to an Amazon SNS topic, but the send fails with an AccessDenied error. What is the most likely cause?

A.The SQS queue has a resource-based policy that denies the Lambda function from sending to SNS.
B.The Lambda execution role does not have permissions to publish to SNS.
C.The SNS topic has a resource-based policy that denies the Lambda function.
D.The SQS queue is not configured to allow the Lambda function to send messages to SNS.
Answer: B

The execution role grants only SQS and CloudWatch Logs actions; nothing allows sns:Publish.

Why this answer

Option B is correct. The function can call only the APIs its execution role allows, and the role has no sns:Publish statement, so SNS returns AccessDenied. Option D is wrong because the SQS trigger (event source mapping) governs how messages are delivered to the function; it has nothing to do with outbound calls to SNS. Option A is wrong because an SQS queue policy controls access to the queue, not to other services. Option C is wrong because, while an SNS topic policy can deny a publisher, nothing in the scenario indicates one exists; the missing identity permission is the most likely cause, and the fix is to add sns:Publish on the topic ARN to the role.

158
MCQ · hard

A security engineer is reviewing AWS CloudTrail logs and notices repeated `UnauthorizedOperation` errors for `ec2:RunInstances` from a specific IAM user. The user has a policy that allows `ec2:RunInstances` with a condition `aws:RequestedRegion` set to `us-east-1`. The engineer confirms the user is launching instances in `us-east-1`. What is the most likely cause of the error?

A.The user does not have a service-linked role for EC2.
B.The IAM policy lacks a `Resource` element specifying which instances can be launched.
C.The user is trying to launch an instance type that is not supported in us-east-1.
D.The user is using an AWS CLI command that does not include the `--region` parameter, causing the request to go to a global endpoint.
Answer: D

aws:RequestedRegion is compared with the region of the endpoint the call was actually sent to; if the CLI's default region is not us-east-1, the call goes elsewhere and the condition fails.

Why this answer

Option D is the keyed answer. EC2 has no global endpoint, so the mechanism is slightly different from the option's wording: when --region is omitted, the AWS CLI uses the default region of the active profile (or AWS_DEFAULT_REGION), and if that default is any region other than us-east-1, aws:RequestedRegion does not equal us-east-1 and the Allow does not apply. EC2 reports an IAM denial as UnauthorizedOperation, which is the error seen in CloudTrail. Option C is wrong because an unsupported instance type produces an EC2 validation error (such as Unsupported or InvalidParameterValue), not an authorization error. Option A is wrong because service-linked roles are for AWS services acting on the user's behalf and play no part in authorizing a user's RunInstances call. Option B is wrong because an identity policy cannot be saved without a Resource (or NotResource) element, so the policy in force already has one; the scenario points at the region condition, not at resource scoping.

Check: decode the encoded authorization failure message with `aws sts decode-authorization-message`, or compare the awsRegion field of the CloudTrail event with the region the policy allows.

159
MCQ · medium

An administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance in a specific VPC. The user has the AmazonEC2FullAccess policy attached. What is the most likely cause?

A.The user's permissions boundary blocks EC2 actions.
B.The user has exceeded the maximum number of EC2 instances allowed.
C.The VPC has an IAM policy attached that denies the ec2:RunInstances action.
D.The key pair specified is not owned by the user.
Answer: C

The item intends a resource-side restriction: the only policy a VPC path can carry is a VPC endpoint policy on an EC2 interface endpoint, which can deny ec2:RunInstances for calls that traverse it.

Why this answer

Option C is the keyed answer, but note that a VPC itself has no attachable IAM policy. The closest real mechanism is a VPC endpoint policy on an interface endpoint for the EC2 API: if the user's calls go through that endpoint, the endpoint policy is evaluated alongside the identity policy and can deny ec2:RunInstances despite AmazonEC2FullAccess. Option A is marked wrong by the key, yet in practice a permissions boundary on the user (or an SCP on the account) is an equally realistic reason a full-access managed policy is not enough; check both when troubleshooting. Option B is wrong because hitting an EC2 instance quota returns InstanceLimitExceeded, not an authorization failure. Option D is wrong because key pairs are not IAM resources and RunInstances performs no ownership check on them.

160
Multi-Select · medium

A company is using Amazon CloudWatch Logs to collect application logs. The security team wants to detect patterns that indicate security threats, such as multiple failed login attempts. Which TWO services can be used together to perform real-time log analysis and alerting?

Select 2 answers
A.Amazon Kinesis Data Analytics
B.Amazon OpenSearch Service
C.AWS Lambda
D.AWS Glue
E.Amazon Athena
Answers: B, C

CloudWatch Logs subscription filters stream log events in near real time to a Lambda function for pattern matching and alerting, and CloudWatch Logs can stream to an OpenSearch Service domain for search and dashboards.

Why this answer

Options B and C are correct because both are native CloudWatch Logs streaming destinations: a subscription filter can invoke a Lambda function directly for real-time processing (for example, counting failed logins per source and publishing an alarm), and CloudWatch Logs can stream to Amazon OpenSearch Service for analysis and visualization. Option E is wrong because Athena runs ad hoc queries over data already in S3; it is not a streaming consumer. Option A is wrong because Kinesis Data Analytics (now Amazon Managed Service for Apache Flink) reads from a Kinesis Data Stream or Firehose, so the logs would have to be streamed there first; it is not a direct subscription destination. Option D is wrong because AWS Glue is a batch ETL service.

For a simple threshold such as N failed logins in five minutes, a CloudWatch Logs metric filter plus a CloudWatch alarm needs no code at all; the services in this item are for richer analysis.

161
MCQ · medium

A security engineer is investigating a potential data exfiltration from an S3 bucket that is configured to allow public access. The engineer wants to determine who accessed the bucket and from which IP addresses. Which AWS capability should be used?

A.Amazon S3 server access logs
B.AWS IAM Access Analyzer
C.AWS CloudTrail data events for S3
D.Amazon VPC Flow Logs
Answer: C

CloudTrail data events log S3 object-level operations with source IP and user identity.

Why this answer

AWS CloudTrail data events for S3 capture detailed API activity at the object level, including GetObject, PutObject, and DeleteObject calls. This allows the security engineer to identify exactly who accessed the bucket (via the user identity) and from which IP address (via the sourceIPAddress field in the CloudTrail event). Unlike management events, data events must be explicitly enabled and provide the granularity needed for this investigation.

Exam trap

The trap here is that candidates confuse S3 server access logs (which also record IPs and request details) with CloudTrail data events. Server access logs carry less identity detail (a canonical user ID or user name rather than the full userIdentity block with role session context), are delivered best-effort as log files, and are not part of CloudTrail's centralized audit trail, so CloudTrail is the correct choice for an identity-aware investigation. Because this bucket is public, expect many events to show an anonymous requester; the sourceIPAddress field is still recorded for those.

How to eliminate wrong answers

Option A is wrong because Amazon S3 server access logs provide detailed records of requests made to a bucket, including IP addresses and requester information, but they are delivered as log files to a target bucket and are not real-time; they also do not capture IAM user identity details as comprehensively as CloudTrail. Option B is wrong because AWS IAM Access Analyzer is used to identify resources shared with external entities by analyzing resource-based policies, not to track who accessed a bucket or from which IP addresses. Option D is wrong because Amazon VPC Flow Logs capture IP traffic metadata at the network interface level, but they do not log S3 API operations or the identity of the requester; S3 access via the internet or AWS PrivateLink may not even traverse a VPC flow log.

162
MCQ · medium

Refer to the exhibit. A security engineer applies the bucket policy shown to an S3 bucket. The engineer attempts to upload a file using the AWS CLI without specifying any encryption. What is the outcome?

A.The upload fails because the policy denies all PutObject requests.
B.The upload succeeds because default encryption on the bucket will encrypt the object with SSE-S3.
C.The upload fails because the policy denies PutObject when encryption is not SSE-KMS.
D.The upload succeeds because the object is encrypted with SSE-S3 by default.
Answer: C

The Deny fires whenever the request header does not say aws:kms; a request with no encryption header is not equal to aws:kms, so it is denied.

Why this answer

Option C is correct because the bucket policy denies s3:PutObject when the condition StringNotEquals s3:x-amz-server-side-encryption aws:kms is satisfied. A CLI upload with no encryption option sends no x-amz-server-side-encryption header, and for a negated operator such as StringNotEquals a missing key counts as a match, so the Deny applies and the upload fails. Option A is wrong because the Deny is conditional, not a blanket denial of PutObject. Options B and D are wrong because the condition is evaluated on the request as sent, not on what default encryption would do afterwards: even on a bucket with SSE-S3 default encryption (which S3 now applies to every bucket), a request without the header is denied before any default is applied, and an explicit AES256 header is denied too because it is not aws:kms.

Practitioner caveat: if the intent were to deny only wrong values while letting header-less requests fall through to the bucket's default encryption, the operator would have to be StringNotEqualsIfExists; a plain StringNotEquals denies the header-less request as well.

163
Multi-Select · hard

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users must have MFA enabled. Which TWO methods can be used to enforce this? (Choose TWO.)

Select 2 answers
A.Attach an IAM policy that denies all actions unless MFA is present.
B.Configure a password policy that requires MFA.
C.Require MFA for all IAM roles.
D.Use a Service Control Policy (SCP) to deny actions when MFA is not present.
E.Enable MFA delete on S3 buckets.
Answers: A, D

An IAM policy (per account) or an SCP (organization-wide) that denies actions when aws:MultiFactorAuthPresent is not true makes a session without MFA useless, which is how MFA is enforced.

Why this answer

Options A and D are correct. An identity policy attached to users or groups can deny actions unless the request carries aws:MultiFactorAuthPresent = true, and a Service Control Policy can impose the same condition on every account in the organization without touching each account's IAM. Option B is wrong because the account password policy governs password complexity and rotation; it has no MFA setting. Option C is wrong because the requirement concerns IAM users; roles are assumed with temporary credentials, and MFA on a role is enforced through its trust policy, a different control. Option E is wrong because MFA Delete protects S3 object versions from deletion; it is not a sign-in control.

Practitioner caveat: write the condition as BoolIfExists rather than Bool, because aws:MultiFactorAuthPresent is absent (not false) from requests signed with long-term access keys, and a Bool test never matches a missing key. Exclude the handful of actions a user needs to enrol a device (for example iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices, iam:ChangePassword and sts:GetSessionToken), or nobody can ever turn MFA on.

164
MCQ · easy

A company wants to grant an IAM user the ability to rotate their own access keys. What is the least privileged IAM policy that allows this?

A.A policy with Action: 'iam:*AccessKey*' and Resource: 'arn:aws:iam::*:user/*'
B.A policy with Action: 'iam:ListAccessKeys' and 'iam:GetAccessKeyLastUsed' and Resource: '*'
C.A policy with Action: 'iam:CreateAccessKey', 'iam:DeleteAccessKey', 'iam:UpdateAccessKey' and Resource: 'arn:aws:iam::*:user/${aws:username}'
D.A policy with Action: 'iam:*' and Resource: '*'
Answer: C

This allows the user to create, deactivate and delete access keys only on their own user.

Why this answer

Option C is correct because the policy variable ${aws:username} resolves to the caller's own user name at evaluation time, so the three actions apply only to that user's keys. Option D is wrong because iam:* on all resources is full IAM administration. Option A is wrong because iam:*AccessKey* on user/* lets the user manage every user's keys in the account. Option B is wrong because listing keys and seeing when they were last used does not allow creating or deleting them, so rotation is impossible.

Practitioner caveat: a rotation workflow also needs iam:ListAccessKeys (and usually iam:GetAccessKeyLastUsed) on the same ${aws:username} resource so the user can see which key to retire; the item asks only for the minimum that performs the rotation itself.

165
Multi-Select · hard

Which THREE of the following are best practices for securing an Amazon RDS database instance? (Select THREE.)

Select 3 answers
A.Enable encryption at rest using AWS KMS
B.Place the RDS instance in a private subnet
C.Use strong passwords and rotate them regularly
D.Enable public accessibility for ease of management
E.Use the default database port
Answers: A, B, C

Encryption at rest protects data if the underlying storage or a snapshot is exposed; a private subnet and strong, rotated credentials reduce the attack surface for reaching the instance at all.

Why this answer

Options A, B and C are correct because encryption at rest with KMS, network isolation in a private subnet, and strong credentials with regular rotation (Secrets Manager can rotate RDS master passwords automatically) are standard RDS hardening steps. Option D is wrong because public accessibility should be disabled; management should go through a bastion, a VPN or Systems Manager Session Manager port forwarding instead. Option E is wrong because keeping the default port is not a hardening measure; changing it is at most obscurity, and the real control is the security group that restricts who can reach the port.

166
MCQ · medium

A developer is trying to push an image to Amazon ECR but receives an 'AccessDeniedException' error. The developer's IAM user has the 'AmazonEC2ContainerRegistryPowerUser' managed policy attached. What is the most likely reason for the failure?

A.The developer needs to call 'ecr:GetAuthorizationToken' and authenticate to the registry.
B.The developer is pushing from an unsupported region.
C.The ECR repository has a resource policy that denies the push.
D.The image is too large for ECR.
Answer: A

A docker push is authenticated with a registry token obtained through ecr:GetAuthorizationToken; without the docker login step the push is rejected even though the IAM policy allows the push APIs.

Why this answer

Option A is correct because pushing to ECR is a two-step process: first obtain a token (aws ecr get-login-password) and feed it to docker login for the registry URI, then push. The token is valid for 12 hours, so a stale or never-performed login is a common cause of rejected pushes. Note that AmazonEC2ContainerRegistryPowerUser does include ecr:GetAuthorizationToken alongside the layer upload and PutImage actions, so the fix is to perform the login, not to add permissions. Option C is wrong because the scenario gives no indication of a repository policy, and the error appears before any repository-level decision. Option B is wrong because a region that does not offer ECR would produce a connection or endpoint error, not AccessDeniedException. Option D is wrong because image size limits are reported as layer upload errors, not as authorization failures.

167
MCQ · easy

An application running on an EC2 instance needs to access an S3 bucket. What is the most secure way to grant the EC2 instance the necessary permissions?

A.Create an IAM role with the necessary S3 permissions and attach it to the EC2 instance as an instance profile.
B.Store the credentials in an encrypted file on the EC2 instance and decrypt them at runtime.
C.Store the AWS access key and secret key in the application code.
D.Use an S3 bucket policy that allows access from the EC2 instance's public IP address.
Answer: A

The instance profile delivers short-lived role credentials through the instance metadata service, rotated automatically, so nothing long-lived is stored on the instance or in the code.

Why this answer

Option A is correct because an IAM role attached through an instance profile is the recommended way to give EC2 workloads permissions; the SDK picks the credentials up from IMDS (use IMDSv2) without any secret being provisioned. Option C is wrong because credentials embedded in code end up in source control and images and cannot be rotated without a redeploy. Option B is wrong because an encrypted file on the instance still needs a decryption key on the same instance, so an attacker with instance access gets both. Option D is wrong because a bucket policy keyed on the instance's public IP authorizes any process or host that shares that address (for example everything behind the same NAT) and grants nothing to an instance without a public IP.

168
MCQ · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured to terminate SSL/TLS and forward traffic to the instances over HTTP. The security team wants to ensure that the instances only accept traffic from the ALB, not from any other source. How can this be achieved?

A.Configure the instance security group to allow HTTP traffic only from the VPC CIDR block.
B.Configure the instance security group to allow HTTP traffic only from the ALB's security group.
C.Configure the network ACL on the instance's subnet to allow HTTP traffic only from the ALB's private IP address.
D.Configure the instance security group to allow HTTP traffic only from the subnet CIDR block where the ALB resides.
Answer: B

Referencing the ALB's security group as the source admits only traffic from network interfaces that carry that group, which is exactly the ALB's nodes.

Why this answer

Option B is correct because a security group rule whose source is another security group matches traffic from any network interface in that group, so the instances accept HTTP only from the ALB nodes, and the rule stays correct when the ALB scales or its IP addresses change. Option A is wrong because the VPC CIDR admits every resource in the VPC. Option D is wrong because the ALB's subnet CIDR admits every other resource in those subnets. Option C is wrong because network ACLs are stateless, apply to the whole subnet rather than to specific instances, and the ALB's private IP addresses change as it scales, so a rule pinned to them breaks.

169
MCQ · hard

A security engineer notices that an IAM user has been inactive for 90 days. What is the best way to identify and disable such users?

A.Use CloudTrail to identify users with no recent events
B.Use AWS Config rule to detect inactive users
C.Use IAM Credential Report and disable users with no activity in 90 days
D.Use AWS Organizations to disable users
Answer: C

Credential Report shows last usage.

Why this answer

The IAM Credential Report is a CSV export covering every IAM user in the account, including the password_last_used and access_key_N_last_used_date columns. A security engineer can read it directly (aws iam generate-credential-report, then aws iam get-credential-report) to find users with no activity for 90 days, and then disable them by deactivating their access keys, deleting their console login profile, or attaching a Deny-all policy until the account is reviewed. It is the most direct native source for this specific task.

Exam trap

The trap here is that candidates reach for CloudTrail (which logs individual events and would need aggregation) when the Credential Report already reports last use per credential, or assume AWS Config cannot see credential usage. Config does have a managed rule for this, iam-user-unused-credentials-check, but it marks users noncompliant rather than disabling them, and it reads the same last-used data the Credential Report exposes.

How to eliminate wrong answers

Option A is wrong because CloudTrail records API activity but does not aggregate or report on inactivity over a 90-day period; you would have to query 90 days of events per user, and a user who never made a call does not appear at all. Option B is wrong as the keyed answer because the managed rule iam-user-unused-credentials-check only flags users as noncompliant; disabling still has to be done separately, and the Credential Report is the more direct answer the item wants. Option D is wrong because AWS Organizations manages accounts, OUs and SCPs; it has no view of, or control over, individual IAM users within an account.
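As an added example (not part of the question bank), the following Python applies the 90-day check to a credential report. The report text is a constructed sample in the column layout of `aws iam get-credential-report`; the user names, ARNs, dates and the fixed "as of" time are invented for the example, and the choice to measure a never-used credential from its creation or last-rotation date is this example's own.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`.
# The real report has more columns (MFA, rotation dates, certificates); the
# code below looks fields up by header name, so extra columns are ignored.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-30T08:00:00+00:00,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T10:00:00+00:00,true,2024-05-28T14:02:00+00:00,true,2024-04-01T09:05:00+00:00,2024-05-29T07:11:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-15T12:00:00+00:00,true,2024-01-15T16:20:00+00:00,true,2023-12-01T09:10:00+00:00,2024-02-01T11:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-05-20T09:00:00+00:00,false,no_information,true,2024-05-20T09:01:00+00:00,N/A,false,N/A,N/A
dave,arn:aws:iam::123456789012:user/dave,2023-11-01T09:00:00+00:00,true,no_information,false,N/A,N/A,false,N/A,N/A
"""

# Fixed "as of" time so the constructed sample evaluates the same way every run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Placeholder strings the report uses where no timestamp exists.
NEVER = {"N/A", "no_information", "not_supported", ""}


def _timestamp(value):
    """Parse a report timestamp; the report's placeholder strings mean 'never'."""
    return None if value in NEVER else datetime.fromisoformat(value)


def find_inactive(report_csv, now, days=90):
    """Return {user: [credential, ...]} for every IAM user all of whose enabled
    credentials have gone unused for `days`. A credential that has never been
    used is measured from its creation (password) or last rotation (access
    key) date; that baseline is this example's choice. The root account row is
    skipped: its credentials cannot be disabled through IAM user operations."""
    cutoff = now - timedelta(days=days)
    stale = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        credentials = []
        if row["password_enabled"] == "true":
            last = _timestamp(row["password_last_used"]) or _timestamp(row["user_creation_time"])
            credentials.append(("password", last))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = (_timestamp(row[f"access_key_{n}_last_used_date"])
                        or _timestamp(row[f"access_key_{n}_last_rotated"]))
                credentials.append((f"access_key_{n}", last))
        unused = [name for name, last in credentials if last is None or last < cutoff]
        if credentials and len(unused) == len(credentials):
            stale[row["user"]] = unused
    return stale


def report_inactive(days=90):
    """Run the check over the constructed sample. In production, pass the
    decoded Content field of get-credential-report instead of SAMPLE_REPORT."""
    return find_inactive(SAMPLE_REPORT, NOW, days)
```

The returned list per user names the credentials to act on: "password" means delete the login profile, "access_key_N" means set that key to Inactive with UpdateAccessKey. Users whose only active credential is a freshly rotated, never-used key (carol here) are left alone, which avoids disabling a user who was just onboarded.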

170
Multi-Select · hard

A company has a VPC with a single public subnet and a single private subnet. The private subnet contains an RDS MySQL database that should not be accessible from the internet. The public subnet contains a bastion host that is used to reach the database (for example, through an SSH tunnel to port 3306). The security team wants to ensure that the database can only be accessed from the bastion host. Which two security group rules should be configured? (Choose TWO.)

Select 2 answers
A.Database security group: Allow inbound MySQL from the public subnet CIDR.
B.Database security group: Allow inbound MySQL from the bastion security group.
C.Bastion security group: Allow inbound SSH from a limited corporate IP range.
D.Database security group: Allow inbound MySQL from 0.0.0.0/0.
E.Bastion security group: Allow inbound SSH from 0.0.0.0/0.
Answers: B, C

Only the bastion's security group may reach MySQL, and only the corporate range may reach the bastion's SSH port.

Why this answer

Options B and C are correct. The database security group should allow inbound TCP 3306 with the bastion's security group as the source, so only instances carrying that group can connect regardless of their IP address. The bastion security group should allow inbound TCP 22 only from the limited corporate IP range. Option E is wrong because SSH open to 0.0.0.0/0 exposes the bastion to the whole internet. Option A is wrong because the public subnet CIDR admits every instance in that subnet, not just the bastion. Option D is wrong because MySQL open to 0.0.0.0/0 is no restriction at all, and an RDS instance in a private subnet should never need it.
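As an added example (not part of the question bank), the following Python audits security group ingress rules against an intended-exposure table, flagging exactly the mistakes items 168 and 170 describe: a database or web tier admitted by CIDR instead of by security group reference, and SSH open to the world. The group IDs, CIDRs and rule data are constructed in the shape of `aws ec2 describe-security-groups` output; the intended-exposure table is this example's own convention.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (only the fields this example reads are included; group IDs are illustrative).
SECURITY_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         # the second range is the mistake from item 170, option E
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         # public-subnet CIDR instead of the bastion group: item 170, option A
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []}]},
]

# Intended exposure per group and port: which security groups and which CIDRs
# may appear as the source. Any other source in the live rules is a finding.
INTENDED = {
    "sg-alb":     {443:  {"groups": set(),          "cidrs": {"0.0.0.0/0"}}},
    "sg-web":     {80:   {"groups": {"sg-alb"},     "cidrs": set()}},
    "sg-bastion": {22:   {"groups": set(),          "cidrs": {"203.0.113.0/24"}}},
    "sg-db":      {3306: {"groups": {"sg-bastion"}, "cidrs": set()}},
}

NOTHING = {"groups": set(), "cidrs": set()}


def audit_ingress(groups, intended):
    """Return sorted (group_id, port, source) tuples for every ingress source
    the intended-exposure table does not list. A source is a CIDR string or a
    referenced security group ID. Rules that span several ports or all
    protocols are reported with port None, because a port-specific intent
    cannot vouch for them."""
    findings = []
    for group in groups:
        intended_ports = intended.get(group["GroupId"], {})
        for perm in group["IpPermissions"]:
            single_port = (perm.get("IpProtocol") != "-1"
                           and perm.get("FromPort") is not None
                           and perm.get("FromPort") == perm.get("ToPort"))
            port = perm["FromPort"] if single_port else None
            allowed = intended_ports.get(port, NOTHING)
            for r in perm.get("IpRanges", []):
                if r["CidrIp"] not in allowed["cidrs"]:
                    findings.append((group["GroupId"], port, r["CidrIp"]))
            for r in perm.get("Ipv6Ranges", []):
                if r["CidrIpv6"] not in allowed["cidrs"]:
                    findings.append((group["GroupId"], port, r["CidrIpv6"]))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed["groups"]:
                    findings.append((group["GroupId"], port, pair["GroupId"]))
    return sorted(findings, key=lambda f: (f[0], -1 if f[1] is None else f[1], f[2]))
```

Run against live data by feeding it the SecurityGroups list from describe-security-groups; an empty result means every ingress source is one the design intended. The web and database tiers pass only when their source is a group reference, which is the point of items 168 and 170.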

171
MCQ · easy

A developer needs to grant an IAM user the ability to launch EC2 instances with specific tags. Which IAM condition key should be used to enforce that the instance is tagged with 'Environment=Production'?

A.aws:ResourceTag
B.aws:SourceIp
C.ec2:ResourceTag
D.aws:RequestTag
Answer: D

aws:RequestTag/tag-key checks the tags supplied in the request that creates the resource.

Why this answer

Option D is correct because aws:RequestTag/Environment is compared against the tags the caller passes in RunInstances, so a condition StringEquals a aws:RequestTag/Environment of Production forces the instance to be tagged at launch. Option A is wrong because aws:ResourceTag matches tags already on an existing resource, which a new instance does not yet have. Option C is wrong because ec2:ResourceTag is the EC2-specific form of the same existing-tag check. Option B is wrong because aws:SourceIp is the caller's IP address.

Practitioner caveat: RunInstances applies tags through an implicit ec2:CreateTags call, so the policy must also allow ec2:CreateTags (typically with the condition ec2:CreateAction equal to RunInstances) or the launch fails, and the aws:RequestTag condition belongs on the statement whose Resource is the instance ARN (arn:aws:ec2:region:account:instance/*), not on the image, subnet or security group resources the same call touches.

172
MCQ · hard

A security engineer is designing a cross-account access solution. An IAM role in Account A needs to be assumed by users from Account B. Which two components are required?

A.Permissions boundary on the role to limit permissions
B.Service control policy in Account A allowing AssumeRole
C.Trust policy allowing Account B to assume the role, and IAM policy in Account B allowing sts:AssumeRole
D.Resource-based policy on the role allowing cross-account access
Answer: C

Cross-account role assumption needs both sides: the role's trust policy in Account A must name Account B, and the caller in Account B must be allowed to call sts:AssumeRole on that role.

Why this answer

Option C is correct because the trust policy (the role's resource-based policy) in Account A allows principals from Account B to assume the role, and the callers in Account B need an identity policy allowing sts:AssumeRole on the role's ARN; cross-account access requires an allow on each side. Option D is wrong as stated because the trust policy is the role's resource-based policy; the option describes only half of the setup and omits the caller-side permission. Option A is wrong because a permissions boundary is an optional cap on what the role may do; it grants nothing and is not required. Option B is wrong because SCPs never grant permissions; an SCP can only block AssumeRole, so none is required in Account A for the setup to work.

173
MCQ · medium

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to upload an object to my-bucket using server-side encryption with AWS KMS (SSE-KMS). What is the outcome?

A.The upload fails because the Deny statement denies any PutObject that does not use AES256 encryption.
B.The upload fails because the Allow statement requires AES256 encryption.
C.The upload succeeds because the policy does not explicitly deny SSE-KMS.
D.The upload succeeds because the Allow statement matches the s3:PutObject action.
Answer: A

The Deny statement explicitly denies any PutObject whose encryption header is not AES256, and an SSE-KMS upload carries aws:kms.

Why this answer

Option A is correct because the Deny applies whenever s3:x-amz-server-side-encryption is not AES256; an SSE-KMS upload sets the header to aws:kms, so the Deny matches, and an explicit Deny overrides any Allow. Option D is wrong because the Allow does match the action, but a matching Allow never beats an explicit Deny. Option B is wrong on its reasoning: an Allow statement cannot cause a request to fail, it can only fail to apply. The upload is refused by the Deny, not by the Allow "requiring" AES256. Option C is wrong because the Deny does cover SSE-KMS, since aws:kms is not equal to AES256.

174
MCQ · hard

Refer to the exhibit. A user named John encrypts a file using the AWS CLI. John then tries to decrypt the file but receives an AccessDenied error. John has full administrator permissions in IAM. What is the most likely cause?

A.The ciphertext blob is malformed because it was not base64-decoded before decryption.
B.John's IAM policy denies the kms:Decrypt action.
C.The KMS key policy does not grant John the kms:Decrypt permission.
D.The key ID used for encryption is different from the key used for decryption.
Answer: C

A KMS key policy is authoritative for the key; IAM permissions count only if the key policy delegates to them.

Why this answer

Option C is correct because access to a KMS key is controlled first by the key policy. IAM identity policies apply only if the key policy contains a statement that enables them (the usual "Enable IAM User Permissions" statement with the account root as principal). If that statement is missing, or the key policy names specific principals and John is not among them, an administrator's IAM permissions do not help and Decrypt fails with AccessDenied. Option A is wrong because a malformed ciphertext produces InvalidCiphertextException, not AccessDenied (it is a real but separate CLI mistake: `aws kms encrypt` returns the CiphertextBlob base64-encoded, and `aws kms decrypt` expects the raw bytes via fileb://). Option B is wrong because John has full administrator permissions, so his identity policy is not what denies him. Option D is wrong because a symmetric ciphertext carries the ID of the key that produced it; decrypting with a different key yields IncorrectKeyException, not AccessDenied.

Note that the encrypt succeeded: a key policy can grant kms:Encrypt to a principal without kms:Decrypt, which is exactly the asymmetry the item describes.

175
MCQ · hard

A security engineer attaches this policy to an IAM user. The user tries to download an object from the bucket from an IP address 10.1.0.5. What will happen?

A.The user will be denied access because the condition does not match
B.The user will be allowed access because the policy allows s3:GetObject
C.The policy is invalid and will cause an error
D.The user will be denied access because there is an explicit deny
Answer: A

The requester's IP is outside the allowed range, so the Allow does not apply and the request falls to the implicit deny.

Why this answer

Option A is correct because the policy's IpAddress condition restricts s3:GetObject to an aws:SourceIp within 10.0.0.0/16, and 10.1.0.5 is outside that range (10.0.0.0/16 spans 10.0.0.0 through 10.0.255.255). With the condition unmet the Allow does not match, and with no other statement granting the action the result is an implicit deny. Option B is wrong because an Allow applies only when its condition is satisfied. Option D is wrong because the policy contains no Deny statement; the refusal is implicit, which matters because another policy with an Allow could still grant access, whereas an explicit Deny could not be overridden. Option C is wrong because the policy is syntactically valid.

176
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in the member accounts must have multi-factor authentication (MFA) enabled to access the AWS Management Console. Which approach should be used?

A.Use AWS Config rules to detect users without MFA and automatically disable their access
B.Attach an SCP to the root OU that denies all AWS actions unless the request includes MFA authentication
C.Create an IAM policy in each account that allows console access only if MFA is present and attach it to all users
D.Attach an SCP to the root OU that adds an IAM policy requiring MFA to all users
Answer: B

An SCP that denies every action unless the request was authenticated with MFA applies to every member account at once, so no per-account IAM work is needed.

Why this answer

Option B is correct because a Service Control Policy attached to the root OU applies to all member accounts and can deny all actions when aws:MultiFactorAuthPresent is not true, which leaves a console session without MFA unable to do anything. Option D is wrong because an SCP cannot attach IAM policies to users; it only bounds what the account's principals may do. Option C is wrong because a policy copied into each account has to be attached to every user and kept in sync by hand, and an account administrator could remove it. Option A is wrong because AWS Config can detect users without MFA and even remove their access after the fact, but it does not enforce MFA at the moment of access.

Practitioner caveat: SCPs do not apply to the management account, so its users need the identity-policy approach. Use BoolIfExists on aws:MultiFactorAuthPresent (the key is absent, not false, for requests signed with access keys), and carve out the actions needed to register an MFA device and sign in, or users are locked out before they can enrol.
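Several items on this page (162, 163, 164, 173, 175 and 176) turn on the same three evaluation rules: an explicit Deny beats any Allow, a condition key that is missing from the request matches negated and IfExists operators but nothing else, and policy variables such as ${aws:username} are substituted at evaluation time. As an added example (not part of the question bank, and not AWS's evaluation engine), the following Python implements a small single-account evaluator covering just the operators those items use, together with policies reconstructed from the explanations above; the exhibits themselves are not reproduced on this page, so the exact wording of the policies is this example's own. SCPs, permissions boundaries and cross-account evaluation are deliberately out of scope.

```python
import fnmatch
import ipaddress


def _list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """Evaluate a policy Condition block against the request-context keys in ctx.

    Missing keys follow IAM's rules: negated operators (StringNotEquals,
    NotIpAddress) and ...IfExists operators match when the key is absent,
    every other operator does not. Only the operators used on this page are
    implemented; anything else raises.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected = [str(v) for v in _list(expected)]
            if base == "Null":  # "true" means the key must be absent
                if (key not in ctx) != (expected[0].lower() == "true"):
                    return False
                continue
            if key not in ctx:
                if if_exists or base in ("StringNotEquals", "NotIpAddress"):
                    continue
                return False
            actual = str(ctx[key])
            if base == "StringEquals":
                ok = actual in expected
            elif base == "StringNotEquals":
                ok = actual not in expected
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif base == "Bool":
                ok = actual.lower() == expected[0].lower()
            elif base in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
                ok = hit if base == "IpAddress" else not hit
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Combine statements the way IAM does within one account: a matching
    explicit Deny wins outright, otherwise some matching Allow is required,
    otherwise the result is an implicit deny. ${aws:username} in a Resource
    is substituted from ctx."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _list(statement["Action"])):
                continue
            resources = [r.replace("${aws:username}", str(ctx.get("aws:username", "")))
                         for r in _list(statement.get("Resource", "*"))]
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if "Condition" in statement and not condition_matches(statement["Condition"], ctx):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


ALLOW_ALL_S3 = {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}


def require_sse(mode):
    """Items 162 and 173: deny PutObject unless the request header names `mode`."""
    return {"Version": "2012-10-17", "Statement": [ALLOW_ALL_S3, {
        "Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": mode}}}]}


# Item 175: allow GetObject only from 10.0.0.0/16.
IP_RESTRICTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}


def deny_without_mfa(operator):
    """Items 163 and 176: deny everything without MFA. aws:MultiFactorAuthPresent
    is absent (not false) for requests signed with long-term access keys, so the
    choice between Bool and BoolIfExists decides whether those are caught."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


# Item 164: a user may rotate only their own access keys.
SELF_SERVICE_KEYS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey"],
    "Resource": "arn:aws:iam::*:user/${aws:username}"}]}
```

The three outcomes are kept distinct on purpose: an ImplicitDeny can still be turned into an Allow by another policy, an ExplicitDeny cannot, which is the difference item 175 asks about. To reproduce the MFA gap from items 163 and 176, evaluate deny_without_mfa("Bool") and deny_without_mfa("BoolIfExists") against a context with no aws:MultiFactorAuthPresent key: only the IfExists form denies.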

177
MCQ · easy

An application running on Amazon EC2 needs to access an S3 bucket containing sensitive data. The security team wants to avoid storing long-term AWS credentials on the instance. How should the EC2 instance be configured to access S3 securely?

A.Assign an IAM role with S3 permissions to the EC2 instance via an instance profile.
B.Store IAM user access keys in the instance's user data.
C.Attach a KMS key policy that allows the instance to decrypt S3 objects.
D.Generate S3 pre-signed URLs for all objects the instance needs to access.
Answer: A

The role's temporary credentials are delivered by the instance metadata service and rotated automatically, so no long-term key is ever on the instance.

Why this answer

Option A is correct because an IAM role attached through an instance profile is the recommended way to give an EC2 workload short-lived credentials; the SDK retrieves them from IMDS and refreshes them before they expire. Option B is wrong because user data is readable by anyone who can describe the instance attributes and from inside the instance via the metadata service, so keys placed there are effectively published. Option D is wrong because pre-signed URLs grant time-limited access to specific objects and must themselves be created by something that holds credentials; they do not give the instance general access. Option C is wrong because a KMS key policy governs who may use the key, not who may call S3; the instance still needs credentials to make S3 requests at all.

178
MCQ · easy

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to an S3 bucket. What does this policy allow?

A.Allows a role from another account to describe, start, and stop EC2 instances in the current account.
B.Allows a role to describe, start, and stop EC2 instances in the account.
C.Allows all IAM users in the account to view EC2 instances.
D.Allows an IAM user to list and manage objects in the S3 bucket.
Answer: B

The policy grants the EC2 describe, start and stop actions on every instance in the account to the role it is attached to.

Why this answer

Option B is correct because the policy allows ec2:DescribeInstances, ec2:StartInstances and ec2:StopInstances with Resource "*", so the role it is attached to can view, start and stop any instance in the account. Option D is wrong because none of the actions are S3 actions; despite the stem's mention of an S3 bucket, the exhibit is an identity policy with EC2 statements. Option C is wrong because the policy allows start and stop, not just viewing, and it applies to the role it is attached to, not to all IAM users. Option A is wrong because nothing in the policy refers to another account; an identity policy has no Principal element, and cross-account use would require a trust policy on the role.

179
MCQ · medium

A company is using Amazon API Gateway to expose a set of REST APIs. The APIs are backed by AWS Lambda functions. The security team wants to control access to the APIs using IAM authorization. The team has created an IAM policy for a group of developers that allows them to invoke the APIs only from within the corporate network (IP range 203.0.113.0/24). The policy is attached to an IAM group, and the developers are members of the group. However, when a developer tries to invoke the API from the corporate network, they receive a '403 Forbidden' error. The API Gateway endpoint is configured with IAM authorization. The IAM policy is as follows: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"execute-api:Invoke","Resource":"arn:aws:execute-api:us-east-1:123456789012:api-id/*","Condition":{"IpAddress":{"aws:SourceIp":"203.0.113.0/24"}}}]}. What is the MOST likely reason for the failure?

A.The resource ARN in the policy does not include the stage and method; it should be 'arn:aws:execute-api:us-east-1:123456789012:api-id/stage/GET/resource'.
B.The IAM policy must be attached directly to the IAM user, not to a group.
C.The condition key aws:SourceIp does not work for API Gateway; you must use a custom header.
D.API Gateway IAM authorization does not support resource-level conditions; you must use a Lambda authorizer.
AnswerA

The resource ARN must be more specific to match the API's resource hierarchy.

Why this answer

Option A is correct. For API Gateway IAM authorization, the resource ARN must include the stage and method, or use wildcards for them. The policy uses 'api-id/*', which may not match the actual resource path.

Option C is wrong because the aws:SourceIp condition is the correct way to restrict by source IP. Option B is wrong because the policy is attached to the group, so the developers inherit it. Option D is wrong because API Gateway IAM authorization works with IAM policies; the issue is the resource ARN.

180
MCQhard

A security architect is designing a system where an S3 bucket must be accessed by users from multiple AWS accounts. The solution must use the principle of least privilege. Which approach should be used?

A.Create an IAM role in the bucket owner account and use a bucket policy that grants access to the role
B.Grant s3:ListBucket and s3:GetObject to all IAM users in the account
C.Use an SCP to allow access to the bucket for all accounts in the organization
D.Use an IAM role in each account with a bucket policy allowing the role
AnswerA

Users assume the role and get temporary credentials; bucket policy allows the role.

Why this answer

The best approach is a single IAM role in the bucket owner account, with a bucket policy that grants access to that role and requires users to assume it. Option A is correct because it centralizes permissions and uses temporary credentials. Option B is wrong because it grants list and get access to all IAM users in the account.

Option D is wrong because it relies on a role in every account rather than one centrally managed role; the bucket owner's resource-based policy combined with a single role is the better cross-account pattern. Option C is wrong because it allows access for the whole organization.

181
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which solution should be used?

A.Use AWS Firewall Manager to define security group policies and enforce them across accounts.
B.Use AWS Organizations Service Control Policies to restrict security group modifications.
C.Use AWS Config rules to automatically remediate non-compliant security groups.
D.Use AWS Network Firewall to inspect traffic and block unauthorized connections.
AnswerA

Firewall Manager is designed for centralized security group management.

Why this answer

Option A is correct because AWS Firewall Manager allows centralized management of security group rules across accounts and resources. Option C is wrong because AWS Config can evaluate compliance but not enforce rules. Option B is wrong because Service Control Policies (SCPs) control permissions at the account level, not network rules.

Option D is wrong because AWS Network Firewall is for network traffic inspection, not security group management.

182
MCQmedium

A company uses AWS KMS to encrypt data in Amazon RDS. They need to ensure that the key material is automatically rotated every year. Which key type should they use?

A.Custom key store
B.Customer managed key
C.AWS owned key
D.AWS managed key
AnswerD

AWS managed keys for RDS rotate automatically annually.

Why this answer

AWS managed keys (D) are automatically rotated every year by AWS without any action required from the customer. For Amazon RDS encryption using AWS KMS, the default key (aws/rds) is an AWS managed key that supports automatic annual rotation, meeting the requirement exactly. Customer managed keys (B) also support automatic rotation, but the question specifies 'every year' and AWS managed keys are the simplest choice that satisfies this, as they are automatically rotated annually by default.

Exam trap

The trap here is that candidates often confuse 'AWS managed key' with 'customer managed key' because both can be rotated, but the question tests whether you know that AWS managed keys are the default, automatically rotated keys used by services like RDS, and that customer managed keys require manual configuration for rotation.

How to eliminate wrong answers

Option A is wrong because a custom key store uses a CloudHSM cluster to store key material, and automatic key rotation is not supported for keys in a custom key store; rotation must be manually managed. Option B is wrong because while customer managed keys can be configured for automatic annual rotation, the question does not specify a need for customer control over the key, and AWS managed keys are the default, simpler option that also rotates annually. Option C is wrong because AWS owned keys are not visible to customers and are used by AWS services internally; they cannot be selected or managed by the customer for RDS encryption, and their rotation policy is not under customer control.

183
MCQmedium

A security engineer is designing a solution to automatically remediate non-compliant resources in an AWS account. The engineer needs to trigger an AWS Lambda function when an EC2 instance is launched without the required tags. Which AWS service should be used to detect the non-compliant resource and invoke the Lambda function?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.AWS Systems Manager
AnswerB

AWS Config rules can invoke Lambda for remediation.

Why this answer

Option B is correct because AWS Config rules can evaluate resources and trigger remediation via Lambda. Option A is wrong because CloudTrail logs API calls but does not trigger remediation. Option C is wrong because GuardDuty is for threat detection.

Option D is wrong because Systems Manager is for management, not compliance.

184
Multi-Selecteasy

Which THREE are valid methods for authenticating to AWS APIs? (Choose THREE.)

Select 3 answers
A.Access key ID and secret access key
B.SSH key pair
C.SAML federation
D.Client certificate
E.IAM role temporary credentials
AnswersA, C, E

Used for programmatic access to AWS APIs.

Why this answer

The correct options are A, C, and E: access keys, SAML federation, and IAM role temporary credentials (obtained via STS) are valid authentication methods. Option B is wrong because SSH key pairs are for EC2 instance access, not AWS APIs.

Option D is wrong because client certificates are not used for AWS API authentication.

185
Multi-Selecteasy

A Security Engineer is designing a secure VPC architecture. Which THREE components are essential for creating a public subnet that can host a web server accessible from the internet?

Select 3 answers
A.VPN connection to on-premises
B.Route table with a default route (0.0.0.0/0) pointing to the IGW
C.Security group allowing inbound HTTP/HTTPS from 0.0.0.0/0
D.NAT Gateway
E.Internet Gateway (IGW)
AnswersB, C, E

Routes internet-bound traffic from the subnet to the IGW.

Why this answer

Option B is correct because a public subnet requires a route table that directs traffic destined for 0.0.0.0/0 to an Internet Gateway (IGW). Without this default route, instances in the subnet cannot send or receive traffic from the internet, even if they have public IP addresses. The IGW acts as the target for this route, enabling bidirectional communication between the VPC and the internet.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, mistakenly thinking a NAT Gateway can provide inbound internet access to a public subnet, when in fact it only supports outbound traffic from private subnets.

186
MCQmedium

A company uses AWS Organizations with all features enabled. The security team wants to ensure that no IAM users are created in any account. Which approach should be used?

A.Use AWS Config rules to detect IAM users and notify via SNS.
B.Enable AWS CloudTrail Insights to detect anomalous IAM activity.
C.Attach a service control policy (SCP) that denies iam:CreateUser.
D.Apply an IAM policy to the root user to deny iam:CreateUser.
AnswerC

SCPs can prevent actions across all accounts in the organization.

Why this answer

Option C is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict permissions across all accounts in the organization. By attaching an SCP that denies the `iam:CreateUser` action, you prevent the creation of IAM users in any member account, regardless of any IAM policies attached to users or roles within those accounts. This provides a guardrail that cannot be overridden by account administrators, ensuring compliance with the security team's requirement.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, thinking that an IAM policy attached to the root user can block actions across the account, but SCPs are the only mechanism that can enforce such restrictions across all principals in an organization.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect and notify about IAM users after they are created; they do not prevent creation, so they fail the requirement that no IAM users are created. Option B is wrong because AWS CloudTrail Insights detects anomalous API activity and provides post-event analysis; it does not block IAM user creation. Option D is wrong because IAM policies cannot be attached to the root user, and even if they could, they would apply only within that one account and not to other users, roles, or accounts.

187
MCQhard

A company is migrating its on-premises data warehouse to AWS. The data includes highly sensitive customer financial information. The company has the following requirements: 1) All data must be encrypted at rest using a key that is managed by the company's internal security team. 2) The encryption keys must be rotated every 90 days. 3) The data warehouse must support SQL queries and be highly available across multiple Availability Zones. 4) The solution must minimize the administrative overhead of managing keys. The security team has chosen Amazon Redshift as the data warehouse. They have enabled encryption using AWS KMS with a customer-managed key (CMK). They have set the key rotation period to 90 days using automatic key rotation. However, during a security review, an auditor points out that the key material is still stored in AWS KMS, and the company wants the key material to be stored in a hardware security module (HSM) that they control. Which of the following is the BEST course of action to meet the auditor's requirement while maintaining the other requirements?

A.Use AWS CloudHSM directly to generate and manage the encryption keys, and configure Redshift to use those keys via the CloudHSM client.
B.Create a custom key store in AWS KMS backed by an AWS CloudHSM cluster, and use a KMS key in that custom key store to encrypt the Redshift cluster.
C.Switch to using Amazon S3 server-side encryption with customer-provided keys (SSE-C) and use Redshift Spectrum to query the data.
D.Generate the key material on-premises and import it into KMS as a customer-managed key, then use that key for Redshift encryption.
AnswerB

This allows the company to control the HSM and store key material in it, while Redshift uses KMS for encryption.

Why this answer

Option B is correct because a custom key store backed by AWS CloudHSM lets the company keep the key material in an HSM cluster that it controls, while Redshift continues to use KMS for encryption; Redshift supports KMS keys, including keys in a custom key store. Manual rotation may be needed, because automatic rotation is not supported for keys in a custom key store. Option C is wrong because SSE-C is for S3, not Redshift.

Option A is wrong because Redshift does not support CloudHSM directly; it requires a KMS custom key store. Option D is wrong because importing key material does not give the company control of the HSM; the key material is still stored in KMS.

188
Drag & Dropmedium

Drag and drop the steps to set up a secure S3 bucket with encryption and access control in the correct order.


Why this order

A secure S3 bucket requires encryption, a public access block, a bucket policy, versioning, and access logging.

189
MCQhard

Refer to the exhibit. A security engineer runs the above AWS CLI command to search for CreateKeyPair events in CloudTrail. The command returns no results, but the engineer knows that a key pair was created during that time. What is the most likely reason for the missing events?

A.CreateKeyPair is a data event and not recorded by CloudTrail.
B.The command was run in a different region than where the key pair was created.
C.CloudTrail events are only available after 24 hours.
D.CloudTrail is not enabled for management events.
AnswerB

CloudTrail events are regional; if the command runs in a different region, it won't see events from another region.

Why this answer

Option B is correct because CloudTrail events are regional: the command returns events only for the Region it is run in, so running it in a different Region from the one where the key pair was created returns nothing (a trail that is not logging management events would also hide the event, but that is not the default). Option C is wrong because CloudTrail events are typically delivered within about 15 minutes of the API call, and the command searches past events, so delivery time is not the issue.

Option A is wrong because CreateKeyPair is a management event, not a data event. Option D is wrong because CloudTrail logs management events by default.

190
MCQmedium

Refer to the exhibit. An IAM user 'ExternalUser' from account 111111111111 tries to assume the role 'MyRole' in account 123456789012 but receives an error. The user has a policy that allows sts:AssumeRole. What is the most likely reason for the failure?

A.The role does not exist in the target account.
B.The user's AWS account has a service control policy (SCP) that denies sts:AssumeRole.
C.The user must have MFA enabled to assume the role.
D.The trust policy does not specify a principal.
AnswerB

SCP can deny the action even if the user has an allow policy.

Why this answer

Option B is correct. The trust policy allows the specific user ARN, and the question states that the user has an IAM policy allowing sts:AssumeRole on the role, so neither the trust policy nor the user's identity policy is the issue. What can still block the call is a service control policy (SCP) in the user's account that denies sts:AssumeRole: an SCP acts as a guardrail and overrides an identity-based Allow.

Option A is wrong because the role exists. Option C is wrong because the trust policy does not require MFA. Option D is wrong because the trust policy does specify a principal.

191
MCQmedium

A company uses AWS Key Management Service (KMS) to encrypt sensitive data in Amazon S3. The security team needs to ensure that the KMS key can only be used from within the company's VPC and not from the public internet. How can this be achieved?

A.Use an SCP to deny kms:Encrypt unless the request comes from the VPC.
B.Use AWS CloudTrail to monitor KMS calls and alert if they come from outside the VPC.
C.Create a VPC endpoint for KMS and modify the KMS key policy to allow usage only from the specified VPC endpoint.
D.Create a VPC endpoint for KMS and attach a bucket policy that requires the endpoint.
AnswerC

Key policy with condition 'aws:sourceVpce' restricts usage to the VPC endpoint.

Why this answer

Using a VPC endpoint for KMS together with a key policy that restricts usage to that endpoint (condition key aws:sourceVpce) prevents access from the public internet. Option D is wrong because a bucket policy does not restrict usage of the KMS key to the VPC. Option A is wrong because an SCP cannot restrict KMS key usage to a specific VPC.

Option B is wrong because CloudTrail does not enforce access restrictions.

192
MCQhard

Refer to the exhibit. A security engineer runs the describe-instances command for an EC2 instance. The instance has a public IP address. The security group "allow-ssh-http" has inbound rules that allow SSH from 0.0.0.0/0 and HTTP from 0.0.0.0/0. The engineer wants to block SSH access from the internet while keeping HTTP access. Which change should be made?

A.Remove the inbound rule that allows SSH from 0.0.0.0/0 from the security group.
B.Add a network ACL rule to deny SSH inbound from 0.0.0.0/0.
C.Disassociate the public IP address from the instance.
D.Modify the security group to add a deny rule for SSH from 0.0.0.0/0.
AnswerA

This will block SSH from the internet, as security groups are allow-only.

Why this answer

To block SSH from the internet, you should remove the inbound rule that allows SSH from 0.0.0.0/0. You could also modify the source IP range to a specific range, but the simplest is to remove the rule. Adding a deny rule is not possible in security groups; they are allow-only.

Changing the network ACL would affect the entire subnet. Removing the public IP would also block HTTP, which is not desired.

193
MCQhard

Refer to the exhibit. An IAM policy allows kms:Decrypt on a specific KMS key only when the encryption context includes department=finance. A user attempts to decrypt an S3 object that was encrypted with the same KMS key but with encryption context department=hr. Will the decryption succeed?

A.No, because the encryption context does not match.
B.No, because the key policy does not allow the user to decrypt.
C.Yes, because the user has kms:Decrypt permission on the key.
D.Yes, if the user also has kms:DescribeKey permission.
AnswerA

The condition requires encryption context department=finance; department=hr does not satisfy it.

Why this answer

Option A is correct. The condition requires the encryption context to be department=finance, but the object was encrypted with department=hr, so the condition is not satisfied and the decryption fails. Option C is wrong because the kms:Decrypt permission is conditional, and the condition is not satisfied.

Option B is wrong because the denial comes from the condition in the IAM policy, not from the key policy. Option D is wrong because the user is not stated to have kms:DescribeKey permission, and that permission would not satisfy the encryption context condition.

194
MCQhard

A company uses cross-account IAM roles to allow a third-party auditor to access a specific S3 bucket. The auditor reports that they are getting 'Access Denied' errors when trying to list objects. The bucket policy allows access to the auditor's account. What additional configuration is needed?

A.Modify the trust policy of the IAM role to include the auditor's account.
B.Ensure the auditor's account does not have a service control policy (SCP) denying S3 actions.
C.Attach an IAM policy to the auditor's IAM user that allows s3:ListBucket on the specific bucket.
D.Add a bucket policy that grants access to the auditor's IAM user ARN.
AnswerC

Cross-account access requires both the resource policy and the principal's IAM policy to allow the action.

Why this answer

Option C is correct because cross-account access requires both the resource-based policy (bucket policy) and the identity-based policy on the auditor's IAM user or role to allow the action. Option D is wrong because the bucket policy already allows the auditor's account. Option B is wrong because SCPs apply to the auditor's account, not the resource account.

Option A is wrong because the trust policy governs assuming the role, not S3 access.

195
MCQhard

A security engineer notices that an IAM user has permissions that are not explicitly granted through any policy. The engineer suspects that the user might have inherited permissions from a group or role. Which IAM feature should the engineer use to identify the source of these permissions?

A.IAM Roles Anywhere
B.IAM Policy Simulator
C.CloudTrail Insights
D.IAM Access Analyzer
AnswerD

Can identify policies that grant access and their origins.

Why this answer

Option D is correct because IAM Access Analyzer provides policy validation and can help identify unintended access. Option B (IAM Policy Simulator) shows effective permissions but does not necessarily trace their sources. Option A (IAM Roles Anywhere) concerns roles for workloads, not analysis of a user's permissions.

Option C is wrong because CloudTrail Insights is for CloudTrail analysis.

196
MCQeasy

A company wants to allow an EC2 instance to access a DynamoDB table without traversing the internet. Which AWS feature should be used?

A.VPC Peering
B.ClassicLink
C.NAT Gateway
D.VPC Gateway Endpoint for DynamoDB
AnswerD

Gateway Endpoint provides private access to DynamoDB.

Why this answer

Option D is correct because a VPC Gateway Endpoint for DynamoDB provides private connectivity. Option A is wrong because VPC Peering is for VPC-to-VPC connectivity. Option C is wrong because a NAT Gateway is for internet access.

Option B is wrong because ClassicLink is for EC2-Classic and is deprecated.

197
Multi-Selecthard

A company uses Amazon Redshift with encryption at rest using AWS KMS. They want to ensure that automated snapshots are encrypted with the same key and that cross-account snapshot sharing is secured. Which THREE steps should be taken?

Select 3 answers
A.Enable encryption on the Redshift cluster at creation time.
B.Create a new KMS key for snapshot encryption to isolate from the cluster key.
C.Modify the KMS key policy to allow the target AWS account to decrypt.
D.Create a snapshot copy grant for the target account to use the KMS key.
E.Enable AWS Config rule to detect unencrypted snapshots.
AnswersA, C, D

Encrypted clusters automatically encrypt snapshots.

Why this answer

Option A is correct because Redshift automatically encrypts snapshots if the cluster is encrypted. Option C is correct because to share snapshots cross-account, the KMS key must allow the target account to decrypt. Option D is correct because Redshift uses a snapshot copy grant to authorize the destination account to use the key.

Option B is wrong because a separate key is not required; the same key can be used if permissions allow. Option E is wrong because an AWS Config rule does not enforce cross-account sharing security.

198
MCQeasy

A company uses AWS CloudTrail to log API calls in all accounts. The security team wants to be notified immediately when an IAM user creates a new access key for another user. Which combination of services should the team use?

A.AWS Config and Amazon Simple Email Service (SES).
B.Amazon GuardDuty and Amazon Simple Notification Service (SNS).
C.Amazon Macie and AWS Lambda.
D.AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (SNS).
AnswerD

CloudTrail logs events; CloudWatch Logs metric filter and alarm trigger SNS notification.

Why this answer

Option D is correct because it uses CloudTrail to capture the CreateAccessKey API call, sends those logs to CloudWatch Logs, and then triggers a CloudWatch alarm that publishes to an SNS topic for immediate notification. This combination provides real-time alerting on the specific IAM event without requiring additional services.

Exam trap

The trap here is that candidates often confuse AWS Config (which is reactive and compliance-focused) with CloudTrail (which is event-driven and real-time), leading them to choose Option A instead of the correct CloudTrail + CloudWatch Logs + SNS combination.

How to eliminate wrong answers

Option A is wrong because AWS Config is designed for resource compliance and configuration history, not real-time event-driven notification; SES is an email service that lacks the push notification capabilities needed for immediate alerts. Option B is wrong because GuardDuty focuses on threat detection using anomaly detection and threat intelligence feeds, not on monitoring specific IAM API calls like CreateAccessKey. Option C is wrong because Macie is a data security service that discovers and protects sensitive data in S3, not a service for monitoring IAM user activity or API calls.

199
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application uses an Application Load Balancer (ALB) to distribute traffic. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0 and a security group for the EC2 instances that allows inbound HTTP from the ALB's security group. Recently, the company experienced a security incident where an attacker exploited a vulnerability in the application to gain access to an EC2 instance and then moved laterally to the database. The database is in a private subnet and uses a security group that allows inbound traffic from the EC2 instance security group on port 3306 (MySQL). The security team wants to prevent lateral movement in the future. Which of the following is the MOST effective course of action?

A.Use VPC peering to isolate the database subnet from the application subnet.
B.Deploy AWS WAF in front of the ALB to block known malicious IPs.
C.Create a network ACL for the private subnet that denies outbound traffic from the EC2 instances to the database subnet.
D.Implement a host-based firewall on each EC2 instance to restrict outbound connections to only the database endpoint.
AnswerD

This provides fine-grained control over outbound traffic from the application.

Why this answer

Option D is correct because a host-based firewall on each EC2 instance (for example, managed through the AWS Systems Manager Agent with a firewall policy) can restrict outbound connections from the application to only the necessary destinations, preventing lateral movement. Option C (network ACLs) can block traffic at the subnet level but is not as granular as per-instance control. Option A (VPC peering) is not relevant.

Option B (AWS WAF) protects against web exploits but does not prevent lateral movement after compromise.

200
MCQhard

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance in a private subnet is making outbound connections to an external IP address on port 443. The VPC has a NAT gateway in a public subnet, and the route table for the private subnet directs 0.0.0.0/0 to the NAT gateway. The security group for the instance allows all outbound traffic. Which AWS service can the engineer use to determine which IAM role or user is responsible for launching the instance?

A.AWS Config
B.VPC Flow Logs
C.IAM Access Analyzer
D.AWS CloudTrail
AnswerD

CloudTrail logs RunInstances API calls with user identity.

Why this answer

Option D is correct because AWS CloudTrail logs all API calls, including RunInstances, capturing the user or role that launched the instance. Option B (VPC Flow Logs) shows IP traffic but not user identity. Option A (AWS Config) shows resource configuration but not who launched it.

Option C (IAM Access Analyzer) analyzes policies, not launch activity.

201
MCQhard

During an incident response, a security engineer needs to capture a memory image of a compromised Amazon EC2 instance running Linux. The instance is in a production Auto Scaling group. Which approach is BEST?

A.Use AWS CloudFormation to create a new stack with a forensic instance and copy the compromised instance's data.
B.Terminate the instance immediately to prevent further damage and launch a replacement.
C.Detach the instance from the Auto Scaling group, isolate it by changing security groups, and use AWS Systems Manager Run Command to execute a memory acquisition tool.
D.Take a snapshot of the EBS volumes and attach them to a forensic instance to analyze memory.
AnswerC

Preserves memory and allows forensic collection.

Why this answer

Option C is correct because it preserves the volatile memory evidence by detaching the instance from the Auto Scaling group (preventing replacement) and isolating it via security group changes, then using AWS Systems Manager Run Command to execute a memory acquisition tool like LiME or AVML. This approach captures the memory image without shutting down the instance, which would destroy the evidence, and avoids the risk of the Auto Scaling group automatically terminating or replacing the instance during the investigation.

Exam trap

The trap here is that candidates confuse disk forensics (EBS snapshots) with memory forensics, assuming a snapshot captures RAM, or they prioritize immediate containment (termination) over evidence preservation, which violates the core incident response principle of 'preserve before remediate'.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an infrastructure-as-code service for provisioning resources, not a forensic tool; copying data from a compromised instance does not capture volatile memory, which is lost when the instance is stopped or terminated. Option B is wrong because terminating the instance immediately destroys the memory image and other volatile evidence, making forensic analysis impossible; incident response requires preserving evidence before remediation. Option D is wrong because an EBS snapshot captures only the persistent disk state (file system and storage), not the contents of RAM; memory analysis requires a dedicated memory acquisition tool executed on the running instance.

202
MCQmedium

A security engineer is designing a system to centrally manage security rules across multiple AWS accounts. The engineer wants to ensure that any resources that are non-compliant with security policies are automatically remediated. Which combination of services should the engineer use?

A.AWS CloudTrail with Amazon SNS
B.Amazon GuardDuty with AWS Step Functions
C.AWS Security Hub with Amazon EventBridge
D.AWS Config with AWS Lambda for automatic remediation
AnswerD

Config evaluates compliance and can invoke Lambda for remediation.

Why this answer

Option D is correct because AWS Config can detect non-compliant resources and trigger Lambda functions for remediation. Option C is wrong because Security Hub provides findings but does not automatically remediate. Option A is wrong because CloudTrail logs events but does not evaluate compliance.

Option B is wrong because GuardDuty provides threat detection, not configuration compliance.

203
MCQeasy

A security engineer needs to automatically detect and respond to unauthorized API calls in an AWS account. Which two services should be used together?

A.AWS CloudTrail and Amazon EventBridge
B.Amazon GuardDuty and Amazon SNS
C.AWS Config and AWS Lambda
D.Amazon Inspector and Amazon S3
AnswerA

CloudTrail logs API calls, EventBridge triggers automated responses.

Why this answer

Option A is correct: CloudTrail logs API calls, and Amazon EventBridge (formerly CloudWatch Events) can trigger automated responses to them. Option C (Config + Lambda) is for configuration compliance.

Option B (GuardDuty + SNS) is for threat detection alerting. Option D (Inspector + S3) is for vulnerability assessment.

204
Multi-Selecteasy

Which TWO of the following are valid IAM policy condition keys? (Choose TWO.)

Select 2 answers
A.aws:RequestedRegion
B.aws:RequestedService
C.aws:SourceIp
D.aws:PrincipalService
E.aws:SourceArn
AnswersA, C

Valid condition key for region.

Why this answer

The `aws:RequestedRegion` condition key is valid and used to restrict access to specific AWS Regions. It evaluates the Region endpoint that the API request is sent to, allowing you to enforce that actions can only be performed in designated Regions, such as us-east-1 or eu-west-2.

Exam trap

The trap here is that candidates often confuse `aws:SourceArn` with `aws:SourceIp` or assume `aws:RequestedService` is a real key because it sounds plausible, but AWS does not define these keys in the IAM documentation, leading to incorrect selections.

205
MCQhard

Refer to the exhibit. A security engineer applies this bucket policy to an S3 bucket. A user without HTTPS tries to download an object. What is the outcome?

A.The request is denied because the condition matches
B.The request fails because the condition does not match
C.The request succeeds because the policy has a Deny effect
D.The request succeeds because the resource is not specific enough
AnswerA

Policy denies when SecureTransport is false.

Why this answer

The bucket policy includes a condition that denies requests when `aws:SecureTransport` is `false`. Since the user attempts to download an object without HTTPS, the condition matches, and the explicit Deny effect overrides any Allow. Therefore, the request is denied.

Exam trap

The trap here is that candidates may think a Deny effect always denies, but they must check whether the condition evaluates to true; if the condition does not match, the Deny is not applied, and the request could succeed based on other policies.

How to eliminate wrong answers

Option B is wrong because the condition does match (the request lacks HTTPS, so `aws:SecureTransport` is false), so the Deny applies. Option C is wrong because the policy has a Deny effect, which denies the request, not allows it to succeed. Option D is wrong because the resource is specific enough (the bucket ARN is explicit), and the Deny effect is triggered by the condition, not by resource specificity.

206
Multi-Selecthard

A company has a requirement to detect and alert on anomalous IAM user behavior, such as a user logging in from an unusual geographic location. The company uses AWS Organizations and has multiple accounts. Which services should the company use to meet this requirement? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS Config
C.Amazon GuardDuty
D.IAM Access Analyzer
E.AWS CloudTrail
AnswersC, D

GuardDuty can detect unusual IAM user behavior, such as anomalous login locations.

Why this answer

Correct options: C (GuardDuty) and D (IAM Access Analyzer). GuardDuty can detect unusual login locations. IAM Access Analyzer helps identify external access.

Option E is wrong because CloudTrail is a logging service, not a detection service. Option B is wrong because Config is for resource configuration. Option A is wrong because CloudWatch Logs alone does not detect anomalies.

207
Multi-Selecthard

A company wants to ensure that all API calls in their AWS account are logged and immutable. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A.Enable MFA delete on the S3 bucket
B.Use AWS Config rules to monitor CloudTrail configuration
C.Enable S3 Object Lock on the CloudTrail S3 bucket
D.Encrypt the S3 bucket with AWS KMS
E.Enable AWS CloudTrail for all regions
AnswersC, E

Object Lock prevents log deletion or modification.

Why this answer

CloudTrail logs API calls. To ensure immutability, S3 Object Lock prevents deletion or overwriting. MFA delete adds protection.

Config does not prevent log tampering. KMS encrypts but does not prevent deletion.

208
Multi-Selecthard

Which THREE of the following are characteristics of IAM roles? (Choose 3.)

Select 3 answers
A.Roles have long-term credentials like access keys.
B.Roles require a password for assumption.
C.Roles can be assumed by IAM users in another AWS account.
D.Roles have a trust policy that specifies who can assume the role.
E.Roles can be attached to EC2 instances to grant permissions to applications.
AnswersC, D, E

Cross-account access is a common use case.

Why this answer

Roles are assumed by trusted entities, provide temporary credentials, and can be used by AWS services.

209
Multi-Selectmedium

A company is designing a centralized logging solution for VPC Flow Logs across multiple AWS accounts. The solution must meet the following requirements: - Centralized storage in an S3 bucket in the security account. - Real-time analysis of flow logs. - Minimal operational overhead. Which TWO actions should the company take? (Choose two.)

Select 2 answers
A.Use AWS Organizations to enable VPC Flow Logs in all accounts and deliver to a central S3 bucket.
B.Create a single VPC Flow Log subscription in the security account that captures logs from all VPCs.
C.Use Amazon Kinesis Data Firehose to deliver flow logs to the central S3 bucket.
D.Create a CloudWatch Logs subscription filter in each account to stream logs to the security account.
E.Configure S3 replication from each account's bucket to the central bucket.
AnswersA, C

Organizations allows you to deploy flow log configurations across accounts using StackSets.

Why this answer

Option A is correct because AWS Organizations allows you to centrally manage flow log subscriptions. Option C is correct because Amazon Kinesis Data Firehose can stream flow logs to S3 and enable real-time analysis via Kinesis Analytics. Option D is wrong because a CloudWatch Logs subscription filter is not the most efficient for real-time analysis.

Option E is wrong because S3 replication adds complexity and is not real-time. Option B is wrong because cross-account flow logs cannot be delivered directly via a single subscription from the security account; each account must create its own flow log.

210
Multi-Selecteasy

Which TWO of the following are valid AWS IAM security best practices?

Select 2 answers
A.Implement a strong password policy for IAM users.
B.Share IAM user access keys among team members for convenience.
C.Delete IAM users instead of disabling them when not needed.
D.Enable multi-factor authentication (MFA) for privileged users.
E.Use the AWS account root user for everyday administrative tasks.
AnswersA, D

Password policies enforce complexity and rotation.

Why this answer

Option A is correct: a password policy enforces complexity. Option D is correct: MFA adds an extra layer of security. Option B is wrong: access keys should not be shared.

Option E is wrong: the root user should be avoided for daily tasks. Option C is wrong: deleting users is not a best practice; deactivating is better.

211
Multi-Selectmedium

A security engineer is designing a system to allow an EC2 instance to write logs to an S3 bucket. Which TWO steps are required?

Select 2 answers
A.Configure the security group of the EC2 instance to allow outbound HTTPS traffic to S3.
B.Create a VPC endpoint for S3 in the same subnet as the EC2 instance.
C.Add a bucket policy that allows the IAM role to perform s3:PutObject.
D.Create an IAM role with a policy that allows s3:PutObject on the bucket and attach it to the EC2 instance.
E.Enable AWS CloudTrail to capture log write events.
AnswersC, D

The bucket policy must explicitly grant access to the role.

Why this answer

Options C and D are correct. The EC2 instance needs an IAM role with permissions to write to the bucket (D), and the bucket policy must allow the role to write (C). Option E is wrong because CloudTrail is for API logging, not application logs.

Option B is wrong because a VPC endpoint provides private connectivity but is not required. Option A is wrong because a security group does not grant IAM permissions.

212
MCQhard

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The connection is set up with a private VIF to a VPC using a virtual private gateway. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be implemented?

A.Configure TLS on the applications
B.Set up an IPsec VPN over the Direct Connect private VIF
C.Use a site-to-site VPN over the internet instead of Direct Connect
D.Enable encryption on the Direct Connect private VIF
AnswerB

Creates an encrypted tunnel over the private connection.

Why this answer

Option B (IPsec VPN over Direct Connect) is correct because it encrypts the traffic over the private VIF. Option D is wrong because Direct Connect itself does not encrypt. Option C is wrong because using a VPN over the internet is less secure and does not go over Direct Connect.

Option A is wrong because TLS operates at the application layer, not the network layer.

213
MCQmedium

An IAM policy is attached to a user. The user reports that they cannot list objects in the bucket 'example-bucket' from their home office IP address 203.0.113.50. What is the most likely cause?

A.The policy effect is Deny by default.
B.The resource ARN should be arn:aws:s3:::example-bucket without the /*.
C.The policy does not allow the s3:ListBucket action.
D.The IP address condition restricts access to the 10.0.0.0/24 range.
AnswerD

Correct: The condition only allows requests from the specified IP range.

Why this answer

Option D is correct because the policy allows s3:* actions only if the source IP is in the 10.0.0.0/24 range (private IP). Since the user's home office IP is 203.0.113.50 (public), the condition fails. Option C is wrong because the policy allows s3:*, which includes s3:ListBucket.

Option B is wrong because the resource is specified as arn:aws:s3:::example-bucket/*, which only matches objects, not the bucket itself. Listing objects requires s3:ListBucket on the bucket resource, not on the objects, so this is a resource issue as well, but the main issue is the IP condition.

Option A is wrong because the effect is Allow.

214
Multi-Selecthard

A security team is designing an automated incident response system. The system must meet the following requirements: (1) automatically respond to GuardDuty findings, (2) ensure that response actions are logged and immutable, and (3) allow for human approval before destructive actions. Which services should the team use? (Select THREE.)

Select 3 answers
A.Amazon EventBridge
B.AWS CloudTrail
C.AWS Step Functions
D.AWS Lambda
E.Amazon Simple Notification Service (SNS)
AnswersA, B, C

EventBridge receives GuardDuty findings and triggers workflow.

Why this answer

Amazon EventBridge (A) is correct because it can receive GuardDuty findings in near real-time and route them to downstream targets for automated response. This enables the first requirement by triggering workflows directly from GuardDuty events without custom polling.

Exam trap

The trap here is that candidates often select Lambda as the sole compute service, overlooking that Step Functions is required to orchestrate the human approval step and that CloudTrail is needed for immutable logging, not just EventBridge and Lambda alone.

215
MCQeasy

A company is experiencing unauthorized access attempts to an S3 bucket. Which AWS service can be used to detect and alert on such events in real time?

A.Amazon Macie
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerD

GuardDuty provides real-time threat detection for S3 access.

Why this answer

Option D is correct because Amazon GuardDuty uses threat intelligence to detect suspicious activity, including unauthorized S3 access attempts. Option C is wrong because AWS CloudTrail is for logging, not real-time detection. Option A is wrong because Amazon Macie is for data classification.

Option B is wrong because AWS Config is for compliance.

216
MCQeasy

A security engineer needs to ensure that an Amazon S3 bucket is not publicly accessible. Which AWS service can be used to continuously monitor and alert if the bucket becomes public?

A.AWS CloudTrail
B.AWS Config
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

Correct: AWS Config evaluates resource configurations against rules.

Why this answer

Option B is correct because AWS Config has managed rules like 's3-bucket-public-read-prohibited' that can evaluate S3 bucket policies and ACLs. Option A is wrong because AWS CloudTrail records API calls but does not evaluate resource configurations. Option D is wrong because Amazon GuardDuty focuses on threat detection.

Option C is wrong because AWS Trusted Advisor provides best-practice checks but not continuous monitoring and alerting.

217
MCQhard

A company has a requirement to detect and respond to threats in near real-time by analyzing VPC Flow Logs. The logs are generated in a VPC and sent to CloudWatch Logs. What is the MOST efficient way to analyze these logs for suspicious patterns and trigger automated responses?

A.Stream logs to Amazon Elasticsearch Service and use Kibana alerts
B.Use S3 event notifications to trigger Lambda functions on new log files
C.Export logs to S3 and use Amazon Athena queries with scheduled rules
D.Use Amazon Kinesis Data Analytics for real-time analysis and AWS Lambda for automated response
AnswerD

Kinesis Data Analytics can process streaming data and trigger Lambda for immediate action.

Why this answer

Amazon Kinesis Data Analytics can process streaming VPC Flow Logs from CloudWatch Logs in near real-time using SQL or Apache Flink, enabling immediate detection of suspicious patterns. AWS Lambda can then be triggered to automate incident response actions, such as updating security groups or isolating instances, making this the most efficient solution for near real-time threat detection and response.

Exam trap

The trap here is that candidates often choose batch-oriented solutions like Athena or S3 event notifications, overlooking the explicit 'near real-time' requirement in the question, which demands a streaming analytics approach.

How to eliminate wrong answers

Option A is wrong because streaming logs to Amazon Elasticsearch Service (now OpenSearch Service) and using Kibana alerts introduces significant latency due to indexing and query overhead, and it is not designed for near real-time automated response. Option B is wrong because S3 event notifications trigger Lambda functions on new objects, but VPC Flow Logs are sent to CloudWatch Logs, not directly to S3, and this approach would require an additional export step, breaking near real-time analysis. Option C is wrong because exporting logs to S3 and using Athena with scheduled rules is a batch-oriented process that incurs minutes of delay, failing the near real-time requirement.

218
MCQhard

A security engineer attaches the above SCP to an OU containing development accounts. The engineer expects that only t3.micro instances can be launched, but developers report that they cannot launch any EC2 instances. What is the MOST likely reason?

A.The SCP syntax is invalid because it uses Deny without an explicit Allow.
B.The condition StringNotEquals is evaluated incorrectly for EC2 instance types.
C.The SCP is applied at the organization root and overrides the OU-level policy.
D.The SCP denies all ec2 actions because there is no explicit allow statement.
AnswerD

SCPs do not grant permissions; they only filter what is allowed by IAM. Without an explicit allow, the default is deny.

Why this answer

Option D is correct because SCPs operate on a default-deny model: all actions are implicitly denied unless explicitly allowed. The policy only denies non-t3.micro instance types but does not include an explicit Allow statement for ec2:RunInstances or any other EC2 action. Without an explicit Allow, the implicit deny blocks all EC2 actions, including launching t3.micro instances.

Exam trap

The trap here is that candidates assume a Deny statement with a condition implicitly allows all other actions, forgetting that SCPs follow a default-deny model where any action not explicitly allowed is denied.

How to eliminate wrong answers

Option A is wrong because SCPs do not require an explicit Allow alongside a Deny; they can use Deny alone to restrict actions, but the issue here is the lack of any Allow statement. Option B is wrong because the StringNotEquals condition is evaluated correctly—it denies instance types that are not t3.micro, but the problem is the missing Allow for the action itself. Option C is wrong because the SCP is attached to the OU, not the root, and even if a root-level SCP existed, it would not override the OU-level policy unless explicitly set to deny; SCPs are additive and the most restrictive applies.

219
MCQhard

A security team wants to collect and analyze logs from multiple AWS services including CloudTrail, VPC Flow Logs, and AWS WAF. They need a centralized solution that can filter, transform, and route logs to multiple destinations in near real-time. Which AWS service should they use?

A.Amazon CloudWatch Logs Insights
B.Amazon CloudWatch Logs subscription filters with AWS Lambda
C.Amazon Kinesis Data Streams combined with Amazon Kinesis Data Firehose
D.Amazon S3 with S3 Event Notifications
AnswerC

Kinesis Data Streams ingests real-time data, and Firehose can deliver to multiple destinations.

Why this answer

Option C is correct because Amazon Kinesis Data Streams can ingest logs, Kinesis Data Analytics can transform them, and Kinesis Data Firehose can route them to multiple destinations. Option B is wrong because a CloudWatch Logs subscription filter can send logs to Lambda for transformation but cannot easily route them to multiple destinations. Option D is incorrect because S3 is a storage destination, not a processing and routing service.

Option A is incorrect because CloudWatch Logs Insights is for querying, not real-time routing.

220
Multi-Selecteasy

Which TWO actions can help protect against DDoS attacks at the network layer?

Select 2 answers
A.Configure security groups to restrict inbound traffic.
B.Configure network ACLs to deny all inbound traffic.
C.Use AWS WAF to filter malicious requests.
D.Subscribe to AWS Shield Advanced.
E.Use VPC peering to distribute traffic.
AnswersC, D

WAF can block common DDoS patterns.

Why this answer

AWS Shield Advanced (D) provides DDoS protection, and AWS WAF (C) helps filter malicious traffic. Options C and D are correct. Security groups (A) are stateful firewalls, not DDoS protection.

NACLs (B) are stateless firewalls. VPC peering (E) is for connectivity.

221
MCQmedium

A company uses S3 to store sensitive customer data. They want to ensure that all S3 buckets have encryption enabled at rest. Which S3 feature should be used to automatically enforce encryption on all newly created objects?

A.S3 Block Public Access
B.S3 Object Lock
C.S3 Bucket Policy with a condition requiring server-side encryption
D.S3 Inventory
AnswerC

A bucket policy with a condition such as 'aws:SecureTransport' or 's3:x-amz-server-side-encryption' can deny uploads without encryption.

Why this answer

Option C is correct because S3 bucket policies can be used to deny uploads of unencrypted objects. Option A is incorrect because S3 Block Public Access does not enforce encryption. Option D is incorrect because S3 Inventory only provides metadata, not enforcement.

Option B is incorrect because S3 Object Lock is for retention, not encryption.

222
MCQeasy

A solutions architect needs to design a system where an EC2 instance can write logs to CloudWatch Logs. Which IAM entity should be used to grant permissions to the EC2 instance?

A.A resource-based policy on the EC2 instance
B.An IAM role with an instance profile
C.An IAM user with access keys stored on the instance
D.An IAM group
AnswerB

Role with instance profile provides temporary credentials to the instance.

Why this answer

An IAM role with an instance profile is the correct approach because it allows the EC2 instance to assume temporary, rotated credentials via the AWS Security Token Service (STS). The instance profile is attached to the EC2 instance, and the AWS SDK or CLI automatically retrieves credentials from the instance metadata service (IMDS) to authenticate API calls to CloudWatch Logs. This eliminates the need to store long-term credentials on the instance and follows the principle of least privilege.

Exam trap

The trap here is that candidates may confuse IAM groups with IAM roles, thinking a group can be attached to an EC2 instance, but groups only apply to IAM users and cannot be assumed by AWS services.

How to eliminate wrong answers

Option A is wrong because a resource-based policy on an EC2 instance does not exist; EC2 instances use IAM roles (via instance profiles) for permissions, not resource-based policies like those for S3 buckets or KMS keys. Option C is wrong because storing IAM user access keys on the EC2 instance is a security risk—keys are long-term credentials that can be compromised, and AWS best practices mandate using IAM roles with temporary credentials instead. Option D is wrong because an IAM group is a container for IAM users and cannot be directly attached to an EC2 instance; permissions must be assigned via an IAM role with an instance profile.

223
MCQeasy

A company is migrating sensitive data to Amazon S3. They need to ensure that data is encrypted at rest using an AWS KMS customer managed key (CMK). The security team wants to enforce encryption for all new objects uploaded to an S3 bucket. Which policy should be attached to the bucket?

A.A bucket policy that allows s3:PutObject only if the user has KMS permissions
B.An S3 bucket default encryption setting with AES256
C.An S3 Lifecycle policy to transition objects to Glacier after 30 days
D.A bucket policy with a condition that denies s3:PutObject unless the request includes the x-amz-server-side-encryption-aws:kms header
AnswerD

Denies unencrypted uploads.

Why this answer

Option D uses a condition to deny PutObject if encryption is not set, which enforces encryption. Option B only audits, Option C is too permissive, and Option A allows unencrypted uploads.

224
MCQeasy

A company wants to centrally manage and enforce security policies across all accounts in AWS Organizations. Which AWS service should be used to define and apply guardrails?

A.IAM Policy Simulator
B.AWS Control Tower
C.AWS Shield
D.AWS Config
AnswerB

Control Tower provides guardrails for multi-account governance.

Why this answer

Option B is correct because AWS Control Tower provides a managed service to set up a multi-account environment with guardrails. Option D is wrong because AWS Config is for compliance, not policy enforcement. Option A is wrong because IAM Policy Simulator is for testing.

Option C is wrong because AWS Shield is for DDoS protection.

225
Multi-Selecteasy

Which TWO actions are best practices for securing an AWS account's root user? (Choose 2.)

Select 2 answers
A.Share the root user password with the team for emergency access
B.Use a strong password and store it securely
C.Enable multi-factor authentication (MFA) on the root user
D.Use the root user for daily administrative tasks
E.Create access keys for the root user for programmatic access
AnswersB, C

Strong password is a basic security measure.

Why this answer

Option B is correct because the root user has unrestricted access to all AWS resources and services, so a strong, complex password (e.g., at least 14 characters with mixed case, numbers, and symbols) is essential to prevent brute-force or credential-stuffing attacks. Storing this password securely—such as in a password manager with restricted access or a physical safe—ensures it is available only to authorized personnel for emergency break-glass scenarios, aligning with the principle of least privilege and the AWS Well-Architected Framework's security pillar.

Exam trap

The trap here is that candidates often think sharing the root password with the team (Option A) is a valid emergency access strategy, but AWS explicitly recommends using IAM roles with a break-glass process (e.g., AWS Systems Manager Incident Manager) instead, as shared passwords create auditability and credential rotation issues.
