AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 226-300

1738 questions total · 24 pages · All types, answers revealed

Page 4 of 24
226
MCQ · hard

A security engineer is reviewing the configuration of an S3 bucket. What is a security concern with the current configuration?

A.Versioning is enabled, which increases storage costs
B.The lifecycle rule will permanently delete current versions after 30 days
C.MFA Delete is enabled, which blocks legitimate administrative actions
D.The bucket policy grants public read access to all objects
Answer: D

A bucket policy statement with "Principal": "*" on s3:GetObject lets anyone on the internet read the objects.

Why this answer

Option D is correct because the bucket policy allows public read access to all objects: a wildcard principal on s3:GetObject is the classic public-bucket misconfiguration. A check worth adding is whether S3 Block Public Access is enabled for the account, since its BlockPublicPolicy setting rejects policies like this one at PutBucketPolicy time. Option A is wrong because versioning is a protective control that preserves overwritten and deleted objects; its storage cost is not a security concern. Option B is wrong because the lifecycle rule does not delete current versions. Option C is wrong because MFA Delete is a safeguard against permanent deletion, not a problem.

227
MCQ · medium

A company has a multi-account AWS environment managed with AWS Organizations. The security team wants to ensure that no EC2 instance in any account can be launched without a specific tag 'CostCenter'. The team has created a Service Control Policy (SCP) that denies the ec2:RunInstances action if the request does not include the tag 'CostCenter'. However, they find that instances are still being launched without the tag in some accounts. What is the most likely reason?

A.The SCP uses the wrong condition key; it should use 'aws:ResourceTag' instead.
B.The accounts launching instances without tags are the management account.
C.The SCP does not include an explicit allow for the action.
D.The SCP is not attached to the organizational units containing the accounts.
Answer: B

SCPs never apply to the organization's management account, only to member accounts.

Why this answer

Option B is correct because SCPs do not affect the management account; a RunInstances call made from it is never evaluated against the SCP, however the policy is attached. Option A is wrong because aws:RequestTag/CostCenter is the right key for a tag supplied at creation time (the usual statement is a Deny on ec2:RunInstances with "Null": {"aws:RequestTag/CostCenter": "true"}); aws:ResourceTag refers to tags already on an existing resource. Option C is wrong because SCPs do not need an explicit allow per action: the default FullAWSAccess SCP allows everything and targeted Deny statements carve out exceptions. Option D would be a simple attachment mistake rather than the behaviour the question is testing; even when the SCP is attached to every OU, the management account remains exempt.

228
MCQ · medium

A company uses Amazon CloudWatch Logs to collect application logs from EC2 instances. The security team wants to create an alarm that triggers when a specific error pattern appears in the logs. They have set up a metric filter and an alarm. However, the alarm is not triggering even though the error pattern exists in the logs. What is the most likely cause?

A.The log group retention period is set to 1 day.
B.The metric filter uses a custom namespace that is not allowed.
C.The metric filter was created before the log group.
D.The metric filter is only applied to log events that occur after the filter is created.
Answer: D

Metric filters do not backfill: they are applied only to log events ingested after the filter is created.

Why this answer

Option D is correct because metric filters are evaluated on incoming log events, not on historical data. If the error pattern appeared only before the filter was created, nothing is counted and the alarm never leaves its INSUFFICIENT_DATA or OK state; the check is to write a fresh matching event (or wait for one) and confirm the metric receives a data point. Option A is wrong because log group retention affects how long events are kept, not how the metric is evaluated. Option B is wrong because a custom metric namespace is allowed and does not affect filtering. Option C is wrong because a metric filter cannot be created before its log group exists, and creating it after logs are already being ingested is the normal case.

229
MCQ · medium

A company is using Amazon RDS for MySQL and needs to monitor database login attempts for security analysis. Which feature should be enabled to capture authentication events?

A.Enable VPC Flow Logs for the RDS subnet
B.Enable RDS MySQL audit logs
C.Enable AWS CloudTrail data events for RDS
D.Enable the '--log_queries_not_using_indexes' parameter
Answer: B

Audit logs capture database login attempts (CONNECT events, including failures) and other database activity.

Why this answer

Option B is correct because RDS for MySQL can produce audit logs, enabled through the MARIADB_AUDIT_PLUGIN option in the instance's option group, that record connection attempts along with the queries each session runs; the general log also records connections but is far more verbose. Option A is wrong because VPC Flow Logs capture network-level traffic to the database port, not authentication events. Option C is wrong because CloudTrail logs RDS control-plane API calls such as ModifyDBInstance, not database-level logins. Option D is wrong because log_queries_not_using_indexes logs queries without indexes, not login attempts.

230
MCQ · medium

Refer to the exhibit. A security engineer is analyzing a VPC Flow Log entry from an EC2 instance with private IP 10.0.1.5. The log shows an outbound connection to IP 203.0.113.5 on port 443 from source port 22. The connection was accepted. What is the most likely scenario?

A.The instance is responding to an inbound SSH connection from the remote IP.
B.The instance is connecting to a remote server on the internal network.
C.The instance is receiving an SSH connection from the remote IP.
D.The instance is making an HTTPS request to a web server.
Answer: A

Flow logs record each direction of a connection as its own record; a record whose source port is 22 is the instance's half of an SSH session the remote host opened.

Why this answer

Option A is correct. A VPC Flow Log record is written from the perspective of the network interface, and each direction of a TCP connection produces its own record. Here the instance (10.0.1.5) is the source address and its source port is 22. A client opening a connection uses an ephemeral source port, so a privileged source port such as 22 means the instance is the server side, replying to an inbound SSH session from 203.0.113.5. Option C is wrong because the inbound half of that session would show 203.0.113.5 as the source and 10.0.1.5 with destination port 22; this record is the reply direction. Option D is wrong because an outbound HTTPS request would carry an ephemeral source port, not 22. Option B is wrong because 203.0.113.5 is not a private (RFC 1918) address.
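To make the reply-versus-request reading concrete, here is an added example (not part of the original page and not an AWS tool) that parses default-format flow log records and applies the ephemeral-port heuristic used in the explanation. The records, interface ID and account ID are constructed, and the port-range assumption is stated in the code.

```python
"""Classify VPC Flow Log records by which side opened the connection.

Added example for this page, not AWS code. The records below are constructed
samples in the default (version 2) flow log field order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]
SERVICE_NAMES = {22: "SSH", 80: "HTTP", 443: "HTTPS", 3389: "RDP"}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed records for an ENI whose private address is 10.0.1.5. The
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for public
# hosts and the account ID is a placeholder.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 203.0.113.5 22 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.5 443 22 6 15 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 198.51.100.7 49152 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.5 40000 22 6 1 60 1700000000 1700000060 REJECT OK
"""


def parse_record(line: str) -> Dict[str, Any]:
    """Split one default-format record into named fields; ports and protocol become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, Any] = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol"):
        rec[key] = int(rec[key])
    return rec


def classify(rec: Dict[str, Any], instance_ip: str) -> Dict[str, str]:
    """Decide whether this record is a request or a reply and which service it belongs to.

    Assumed heuristic: a client picks an ephemeral source port (1024 and above,
    32768-60999 on a default Linux host), so a privileged port in srcport marks
    the sender as the server side of that session.
    """
    if rec["srcaddr"] == instance_ip:
        we_sent, local, remote_port, remote = True, rec["srcport"], rec["dstport"], rec["dstaddr"]
    elif rec["dstaddr"] == instance_ip:
        we_sent, local, remote_port, remote = False, rec["dstport"], rec["srcport"], rec["srcaddr"]
    else:
        raise ValueError("record does not belong to this interface")

    if we_sent and local < 1024:
        role, port = "reply-to-inbound", local
    elif we_sent and remote_port < 1024:
        role, port = "outbound-request", remote_port
    elif not we_sent and local < 1024:
        role, port = "inbound-request", local
    elif not we_sent and remote_port < 1024:
        role, port = "reply-to-outbound", remote_port
    else:
        role, port = "unknown", 0

    # Only RFC 1918 space counts as private here; documentation ranges model public hosts.
    remote_is_private = any(ip_address(remote) in net for net in RFC1918)
    return {
        "role": role,
        "service": SERVICE_NAMES.get(port, str(port)),
        "remote": remote,
        "remote_scope": "private" if remote_is_private else "public",
        "action": rec["action"],
    }


def classify_log(text: str, instance_ip: str) -> List[Dict[str, str]]:
    return [classify(parse_record(line), instance_ip)
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in classify_log(SAMPLE_LOG, "10.0.1.5"):
        print(row)
```

The first record is the one from the question: the instance is the source with source port 22, so it is classified as the reply side of an inbound SSH session from a public address, while the third record (ephemeral source port, destination 443) is a genuine outbound HTTPS request.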

231
MCQ · easy

A company needs to provide temporary credentials to mobile app users to access AWS resources. Which AWS service should be used to issue these credentials?

A.AWS IAM
B.AWS Cognito
C.AWS Security Token Service (STS)
D.AWS Key Management Service (KMS)
Answer: C

STS issues temporary security credentials (access key ID, secret key, session token and an expiration).

Why this answer

Option C is correct because AWS STS is the service that issues temporary credentials. Option A is incorrect because IAM manages users, groups, roles and policies; it does not issue temporary credentials itself. Option B is incorrect as the direct answer: Amazon Cognito identity pools are how a mobile app usually obtains temporary credentials, but the identity pool exchanges the user's identity token for credentials issued by STS, so STS is the issuing service. Option D is incorrect because AWS KMS manages encryption keys.

232
MCQ · medium

A company is designing a data protection strategy for its Amazon RDS for MySQL database. The database contains sensitive data that must be encrypted at rest. The company also needs to manage the encryption keys using its own HSM. Which solution should be used?

A.Use client-side encryption with a key from CloudHSM
B.Use AWS CloudHSM to generate a key and import it into RDS
C.Enable encryption at rest using the default AWS KMS key
D.Use AWS KMS with a custom key store backed by AWS CloudHSM
Answer: D

A KMS custom key store backed by CloudHSM keeps the key material in the company's own HSM cluster while RDS keeps using KMS as usual.

Why this answer

RDS supports encryption at rest only through AWS KMS. To keep the key material in a customer-controlled HSM, create a KMS custom key store backed by an AWS CloudHSM cluster and create the KMS key in that store; RDS uses the key through the normal KMS API while the cryptographic operations run inside the CloudHSM cluster. Option D is correct. Option A is incorrect because client-side encryption does not satisfy RDS encryption at rest and the database engine would still work on plaintext. Option B is incorrect because RDS does not integrate with CloudHSM directly and there is no way to import a key into RDS. Option C is incorrect because the default AWS managed key is owned and managed by AWS; it cannot be backed by the company's HSM.

233
MCQ · easy

A startup uses a single AWS account for development. The developer has full administrative access and accidentally deleted an S3 bucket containing critical data. The security team wants to prevent similar incidents without hindering agility. What is the MOST effective control?

A.Remove the developer's permissions and require all changes through IT.
B.Configure an S3 lifecycle policy to archive objects to S3 Glacier.
C.Use AWS CloudTrail to monitor deletions and alert the security team.
D.Enable S3 Versioning and MFA Delete on the bucket.
Answer: D

Versioning allows recovery of deleted objects; MFA Delete adds protection.

Why this answer

Option D is correct because enabling S3 Versioning preserves all object versions, allowing recovery of deleted objects, while MFA Delete requires multi-factor authentication to permanently delete object versions or suspend versioning. This prevents accidental or unauthorized permanent deletions without hindering the developer's ability to create, read, and update objects, thus balancing security and agility.

Exam trap

The trap here is that candidates often choose CloudTrail (Option C) because it provides monitoring and alerts, but they overlook that it is a detective control, not a preventive or recovery control, and thus cannot stop or reverse the deletion of critical data.

How to eliminate wrong answers

Option A is wrong because removing the developer's permissions and requiring all changes through IT eliminates agility and violates the principle of least privilege by over-restricting access, which is not the most effective control for preventing accidental deletions while maintaining speed. Option B is wrong because an S3 lifecycle policy to archive objects to S3 Glacier only moves objects to a different storage class after a set period; it does not protect against immediate deletion of the bucket or its objects, nor does it enable recovery of already-deleted data. Option C is wrong because AWS CloudTrail monitors and alerts on API calls but does not prevent deletions; it only provides post-facto notification, which does not stop the incident or enable recovery of the deleted data.

234
MCQ · easy

A company wants to block SSH access (port 22) to all EC2 instances from the internet, but allow SSH from a specific management VPN IP range (10.0.0.0/16). Which configuration should be used?

A.Configure a security group to allow inbound SSH from 10.0.0.0/16 only.
B.Use an IAM policy to restrict SSH access to the management IP range.
C.Configure a network ACL to allow inbound SSH from 10.0.0.0/16 and deny from 0.0.0.0/0.
D.Configure a security group to allow inbound SSH from 0.0.0.0/0 and deny from 10.0.0.0/16.
Answer: A

A security group has only allow rules; anything not explicitly allowed is dropped, so a single inbound rule for port 22 from 10.0.0.0/16 blocks SSH from every other source.

Why this answer

Option A is correct because security groups are stateful allow-lists: allowing inbound TCP 22 from 10.0.0.0/16 admits the management range, the implicit deny blocks the internet, and the return traffic is permitted automatically. Option B is wrong because IAM controls API calls, not network reachability. Option C would work but is the weaker choice: network ACLs are stateless, so the return traffic on ephemeral ports must also be allowed outbound, and the deny for 0.0.0.0/0 must carry a higher rule number than the allow for 10.0.0.0/16 or it blocks the management range too. Option D is wrong because security groups have no deny rules, and allowing SSH from 0.0.0.0/0 would expose the instances.

235
Multi-Select · medium

Which TWO actions are valid ways to grant an IAM user in Account A access to an S3 bucket in Account B? (Choose 2.)

Select 2 answers
A.Attach an IAM policy to the user in Account A that allows access to the S3 bucket.
B.Add a bucket policy in Account B that grants access to the user's ARN in Account A.
C.Use a service control policy (SCP) in Account B to allow access from Account A.
D.Create an IAM role in Account B with permissions to the bucket and allow the user in Account A to assume that role.
E.Add an IAM policy to the S3 bucket in Account B granting access to the user.
Answers: B, D

With a bucket policy (B) the user also needs an identity policy in Account A that allows the S3 actions: cross-account access requires both sides to allow.

Why this answer

Options B and D are correct. B: a bucket policy in Account B can name the Account A user's ARN as the principal; because the request crosses accounts, the user's own identity policy in Account A must also allow the S3 actions. D: a role in Account B whose trust policy allows the Account A user can be assumed with sts:AssumeRole, and the role's permissions then apply to the bucket; the user needs sts:AssumeRole on that role ARN in Account A.

Option A is wrong on its own because an IAM policy in Account A cannot grant access to a resource in Account B; the resource owner must also grant it. Option C is wrong because SCPs set the maximum permissions for accounts in an organization and never grant access. Option E is wrong because an S3 bucket does not carry an IAM policy; its resource policy is the bucket policy.

236
MCQ · medium

A company has an S3 bucket policy that allows cross-account access for a specific IAM role in another account. The bucket policy includes a Principal element with the ARN of the role. However, users in the other account that assume the role are unable to access the bucket. Which of the following is the MOST likely cause?

A.The IAM role does not have a permissions policy granting s3:GetObject on the bucket.
B.The bucket policy has an explicit Deny statement that overrides the Allow.
C.The role's trust policy does not allow the S3 service to assume the role.
D.The bucket policy uses the role ARN in the Principal element instead of the AWS account ID.
Answer: A

Cross-account access needs both policies to allow: the bucket policy in the bucket's account and the role's identity policy in the role's account.

Why this answer

Option A is correct. An IAM role ARN is a valid Principal in an S3 bucket policy, and sessions that assume the role inherit that grant. A bucket policy only covers the resource side, though: for a request from another account, the caller's identity-based policy must also allow the action. If the role has no permissions policy granting s3:GetObject on the bucket, S3 returns AccessDenied even though the bucket policy names the role. The fix is to attach a policy to the role that allows s3:GetObject (and s3:ListBucket if listing is needed) on the bucket's ARN.

Exam trap

The trap is assuming that a correct bucket policy is sufficient for cross-account access. Within one account either the identity policy or the bucket policy can grant access; across accounts both must. A second trap is the belief that the Principal has to be the account ID. Naming the account (or its :root ARN) delegates the decision to that account's IAM policies, which is a broader grant, not a requirement; a specific role ARN is the tighter choice.

How to eliminate wrong answers

Option B is wrong because nothing in the scenario mentions a Deny statement; an explicit deny would override the allow, but the far more common cause is the missing identity permission. Option C is wrong because S3 does not assume roles; the trust policy governs which principals may assume the role, and the scenario says the users do assume it successfully. Option D is wrong because a role ARN is an accepted principal in a bucket policy, so using it instead of the account ID does not by itself cause the failure. (One related pitfall: IAM stores the principal as the role's unique ID, so if the role is deleted and recreated the policy no longer matches it, but that is a different scenario from the one described.)
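The "both sides must allow" rule behind questions 235 and 236 is easy to state and easy to get wrong, so here is an added example (written for this page, not AWS's policy engine) that models the documented evaluation order for a cross-account S3 request: an explicit Deny anywhere wins, a same-account request needs an Allow from either the identity policy or the bucket policy, and a cross-account request needs an Allow from both. Conditions, NotAction/NotResource, SCPs, permissions boundaries and session policies are deliberately out of scope; the account IDs, bucket and role names are placeholders.

```python
"""Simplified model of IAM's decision for a cross-account S3 request.

Added example for questions 235 and 236, not AWS's policy engine. Modelled
rules: an explicit Deny in any applicable policy wins; within one account an
Allow from either the caller's identity policy or the b bucket policy is
sufficient; across accounts BOTH the bucket policy and the caller's identity
policy must Allow. Naming an account (ID or :root ARN) in the bucket policy
is a delegation: the caller's own identity policy still has to grant the
action. Account IDs, bucket and role names are placeholders.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Set


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def _principal_matches(principal: Any, caller_arn: str) -> str:
    """Return 'direct' (exact ARN or '*'), 'account' (ID or :root ARN) or '' for no match."""
    if principal == "*":
        return "direct"
    acct = account_of(caller_arn)
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller_arn):
            return "direct"          # exact user or role ARN; sessions of the role count as the role
        if entry in (acct, f"arn:aws:iam::{acct}:root"):
            return "account"         # whole-account grant, delegated to that account's IAM policies
    return ""


def _applies(stmt: Dict[str, Any], action: str, resource: str) -> bool:
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))


def _effects(policy: Dict[str, Any], caller_arn: str, action: str, resource: str,
             is_resource_policy: bool) -> Set[str]:
    found: Set[str] = set()
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource):
            continue
        effect = stmt["Effect"]
        if is_resource_policy:
            how = _principal_matches(stmt.get("Principal", {}), caller_arn)
            if not how:
                continue
            if effect == "Allow" and how == "account":
                effect = "AllowAccount"   # delegation only; not a grant to the caller by itself
        found.add(effect)
    return found


def evaluate(identity_policy: Dict[str, Any], bucket_policy: Dict[str, Any],
             caller_arn: str, bucket_account: str, action: str, resource: str) -> str:
    ident = _effects(identity_policy, caller_arn, action, resource, False)
    res = _effects(bucket_policy, caller_arn, action, resource, True)
    if "Deny" in ident or "Deny" in res:
        return "DENY: explicit deny"
    granted_by_bucket = "Allow" in res
    delegated_to_account = "AllowAccount" in res
    if account_of(caller_arn) == bucket_account:              # same account: either side may grant
        return "ALLOW" if granted_by_bucket or "Allow" in ident else "DENY: implicit"
    if "Allow" in ident and (granted_by_bucket or delegated_to_account):   # cross-account: both
        return "ALLOW"
    if granted_by_bucket or delegated_to_account:
        return "DENY: implicit (bucket policy grants, caller's identity policy does not)"
    if "Allow" in ident:
        return "DENY: implicit (identity policy grants, bucket policy does not)"
    return "DENY: implicit"


BUCKET_ACCOUNT = "222222222222"                              # placeholder: Account B
ROLE_ARN = "arn:aws:iam::111111111111:role/DataReader"       # placeholder: role in Account A
OBJECT_ARN = "arn:aws:s3:::example-shared-bucket/reports/2024-q1.csv"

# Bucket policy in Account B naming the Account A role directly: a role ARN is a valid principal.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-shared-bucket/*",
}]}

# Identity policy on the role in Account A: the broken variant and the fixed one.
ROLE_POLICY_WITHOUT_S3 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"}]}
ROLE_POLICY_WITH_S3 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-shared-bucket/*"}]}


def scenario() -> Dict[str, str]:
    """The question's symptom and its fix."""
    return {
        "role lacks s3:GetObject": evaluate(ROLE_POLICY_WITHOUT_S3, BUCKET_POLICY, ROLE_ARN,
                                            BUCKET_ACCOUNT, "s3:GetObject", OBJECT_ARN),
        "role has s3:GetObject": evaluate(ROLE_POLICY_WITH_S3, BUCKET_POLICY, ROLE_ARN,
                                          BUCKET_ACCOUNT, "s3:GetObject", OBJECT_ARN),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Running the scenario shows the question's symptom (bucket policy fine, implicit deny because the role's own policy says nothing about S3) and that adding s3:GetObject to the role turns the result into ALLOW.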

237
Multi-Select · medium

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the company take?

Select 3 answers
A.Create an IAM policy that denies all actions if aws:MultiFactorAuthPresent is false.
B.Enable CloudTrail to monitor MFA usage.
C.Attach the MFA enforcement policy to all IAM users or groups.
D.Set the password policy to require MFA.
E.Enable MFA for each IAM user.
Answers: A, C, E

The Deny-unless-MFA policy only works once MFA devices exist and the policy is attached to the users or their groups.

Why this answer

Options A, C and E are correct: each user needs an MFA device enabled (E), a policy must deny actions when aws:MultiFactorAuthPresent is false (A), and that policy must be attached to the users or their groups to take effect (C). Two implementation details matter in practice. The policy must exempt the actions a user needs to enrol a device (iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:ListMFADevices, iam:ResyncMFADevice and similar), otherwise users without MFA are locked out before they can set it up. And the condition should use BoolIfExists rather than Bool if it is also meant to cover CLI and API calls, because the key is absent from requests signed with long-term access keys and a plain Bool test does not match an absent key. Option B is wrong because CloudTrail records MFA usage but does not enforce it. Option D is wrong because the account password policy cannot require MFA.
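The condition operators in questions 227 (Null on a request tag) and 237 (Bool versus BoolIfExists on aws:MultiFactorAuthPresent) decide whether these Deny statements fire, so here is an added example, written for this page and not AWS's policy engine, that evaluates both statements against constructed request contexts. It also shows the NotAction carve-out that keeps MFA enrolment possible. The SCP check assumes a member account, since SCPs are never evaluated for the management account; account, instance and tag values are placeholders.

```python
"""Evaluate the Deny statements from questions 227 and 237 against sample requests.

Added example for this page, not AWS's policy engine: a minimal evaluator for
one Deny statement with Action/NotAction, a Resource pattern and the Bool,
BoolIfExists and Null condition operators. The request contexts are
constructed. The SCP check assumes a member account, since SCPs are never
evaluated for the organization's management account. Account and tag values
are placeholders.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _action_in_scope(stmt: Dict[str, Any], action: str) -> bool:
    if "Action" in stmt:
        return any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action EXCEPT those listed
    return not any(fnmatchcase(action, a) for a in _as_list(stmt["NotAction"]))


def _condition_holds(conditions: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            present = key in context
            actual = str(context.get(key, "")).lower()
            want = str(expected).lower()
            if operator == "Bool":
                if not present or actual != want:        # absent key: no match
                    return False
            elif operator == "BoolIfExists":
                if present and actual != want:           # absent key: treated as a match
                    return False
            elif operator == "Null":
                if (not present) != (want == "true"):    # "true" matches only an absent key
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def deny_applies(stmt: Dict[str, Any], action: str, resource: str, context: Dict[str, str]) -> bool:
    """True when this Deny statement blocks the request; an explicit deny always wins."""
    assert stmt["Effect"] == "Deny"
    return (_action_in_scope(stmt, action)
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


# Question 237: deny everything except MFA enrolment when the request was not MFA-authenticated.
# BoolIfExists also matches when the key is absent, which is the case for long-term access keys.
MFA_SETUP_ACTIONS = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices",
                     "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"]
MFA_DENY = {"Sid": "DenyAllExceptMfaSetupWithoutMfa", "Effect": "Deny",
            "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
MFA_DENY_BOOL_ONLY = dict(MFA_DENY, Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}})

# Question 227: SCP denying ec2:RunInstances unless the request carries a CostCenter tag.
SCP_REQUIRE_COSTCENTER = {"Sid": "DenyUntaggedRunInstances", "Effect": "Deny",
                          "Action": "ec2:RunInstances",
                          "Resource": "arn:aws:ec2:*:*:instance/*",
                          "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}}

INSTANCE = "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0"   # placeholder


def evaluate_scenarios() -> Dict[str, bool]:
    """Which constructed requests each Deny statement blocks (True = blocked)."""
    console_mfa = {"aws:MultiFactorAuthPresent": "true"}
    console_no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    access_key: Dict[str, str] = {}      # key absent: request signed with long-term credentials
    run = deny_applies
    return {
        "console with MFA lists buckets": run(MFA_DENY, "s3:ListAllMyBuckets", "*", console_mfa),
        "console without MFA lists buckets": run(MFA_DENY, "s3:ListAllMyBuckets", "*", console_no_mfa),
        "console without MFA enrols device": run(MFA_DENY, "iam:EnableMFADevice", "*", console_no_mfa),
        "access key, BoolIfExists": run(MFA_DENY, "s3:ListAllMyBuckets", "*", access_key),
        "access key, Bool only": run(MFA_DENY_BOOL_ONLY, "s3:ListAllMyBuckets", "*", access_key),
        "RunInstances with CostCenter": run(SCP_REQUIRE_COSTCENTER, "ec2:RunInstances", INSTANCE,
                                            {"aws:RequestTag/CostCenter": "fin-42"}),
        "RunInstances without CostCenter": run(SCP_REQUIRE_COSTCENTER, "ec2:RunInstances", INSTANCE, {}),
    }


if __name__ == "__main__":
    for name, blocked in evaluate_scenarios().items():
        print(f"{'DENIED ' if blocked else 'allowed'}  {name}")
```

The two access-key rows are the practical difference between the operators: with BoolIfExists the statement blocks a CLI call made with long-term keys, with Bool it silently lets it through because the key is absent from the request context.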

238
Multi-Select · easy

Which TWO AWS services can be used to detect and alert on unauthorized API calls in real time?

Select 2 answers
A.Amazon CloudWatch Alarms
B.AWS KMS
C.Amazon EventBridge
D.AWS IAM
E.AWS Config
Answers: A, C

CloudTrail events reach CloudWatch Logs, where a metric filter feeds a CloudWatch alarm; EventBridge receives the same events directly from CloudTrail.

Why this answer

Options A and C are correct. Option A is correct because CloudTrail can deliver events to a CloudWatch Logs log group, and a metric filter on the AccessDenied and UnauthorizedOperation error codes feeds a CloudWatch alarm that notifies through SNS. Option C is correct because EventBridge receives CloudTrail management events as they occur and can route them to SNS, Lambda or another target in near real time.

Option B is wrong because KMS manages encryption keys. Option D is wrong because IAM defines permissions; it does not monitor calls. Option E is wrong because AWS Config evaluates resource configurations against rules, not API calls as they happen.

239
MCQ · hard

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that logs are immutable after they are delivered to Amazon S3. Which combination of actions should be taken to meet this requirement? (Choose the best single answer that includes all necessary steps.)

A.Enable S3 Object Lock in governance mode on the bucket.
B.Enable MFA Delete on the bucket.
C.Enable versioning on the bucket.
D.Create a bucket policy that denies s3:DeleteObject actions.
Answer: A

Object Lock prevents a locked object version from being deleted or overwritten until its retention period ends.

Why this answer

Enabling S3 Object Lock on the bucket (which requires versioning) and applying a retention period makes each delivered log object immutable for that period. In governance mode only principals with the s3:BypassGovernanceRetention permission can shorten or remove the lock; in compliance mode nobody can, not even the root user, until the period expires. For audit logs that must survive a compromised administrator, compliance mode is the stronger setting, but the question offers only governance mode, so Option A is correct. CloudTrail log file validation (digest files) is the complementary control that lets you prove a delivered file has not been altered. Option B is wrong because MFA Delete only guards against deleting versions or suspending versioning; it does not prevent overwrites, and it requires the root user's MFA device for every such operation. Option C is wrong because versioning alone lets an authorized principal delete every version. Option D is wrong because a bucket policy that denies s3:DeleteObject can be changed by anyone who can edit the policy, and it does not cover s3:DeleteObjectVersion or overwrites.

240
Drag & Drop · medium

Drag and drop the steps to implement a secure CI/CD pipeline with AWS CodePipeline and IAM in the correct order.

Why this order

A secure pipeline is built in dependency order: the artifact store first, then the identities that use it, then the stages that consume both.

1. Create the encrypted artifact bucket that CodePipeline will use.
2. Create the IAM roles for CodePipeline and CodeBuild with least-privilege policies, including access to the artifact bucket and its encryption key.
3. Connect the source repository.
4. Create the build project that runs the build and the security scanning.
5. Create the pipeline that wires the source, build and deploy stages together.

241
MCQ · easy

A company needs to monitor for root account usage and receive immediate notifications. Which combination of AWS services should be used?

A.AWS Config and AWS Lambda
B.Amazon GuardDuty and AWS Lambda
C.S3 server access logs and Amazon Inspector
D.AWS CloudTrail, Amazon CloudWatch Logs, and Amazon SNS
Answer: D

CloudTrail records root activity, a CloudWatch Logs metric filter detects it, and a CloudWatch alarm publishes to SNS.

Why this answer

Option D is correct because CloudTrail sends its events to a CloudWatch Logs log group, a metric filter on userIdentity.type = "Root" (excluding service-invoked events) produces a metric, and a CloudWatch alarm on that metric publishes an SNS notification within minutes. Option A is wrong because AWS Config records resource configuration changes, not API calls. Option B is wrong for this question: GuardDuty does raise a Policy:IAMUser/RootCredentialUsage finding, but pairing it with Lambda provides no notification channel, and the CloudTrail pipeline is the purpose-built combination the exam expects. Option C is wrong because S3 server access logs cover requests to a bucket and Inspector scans workloads for vulnerabilities; neither sees root sign-ins or API calls.

242
Multi-Select · easy

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can download objects. Which combination of actions should the company take? (Choose TWO.)

Select 2 answers
A.Attach an Internet gateway to the VPC and route traffic through it.
B.Attach a security group to the S3 bucket.
C.Create an S3 bucket policy that allows access only from the VPC using the aws:SourceVpc condition.
D.Create a NAT gateway in the VPC for outbound traffic.
E.Create a VPC endpoint for Amazon S3 in the VPC.
Answers: C, E

A VPC endpoint gives the VPC a private path to S3, and the bucket policy's aws:SourceVpc condition admits only requests that arrive over it.

Why this answer

Options C and E are correct. The VPC endpoint for S3 provides private connectivity and identifies the VPC to S3; the bucket policy condition on aws:SourceVpc (or aws:SourceVpce for one specific endpoint) then restricts access to requests that originate from that VPC. Two caveats: aws:SourceVpc is only present on requests that travel through a VPC endpoint, so traffic that leaves through an internet or NAT gateway never matches the condition, and a Deny statement keyed on it also blocks console and administrative access from outside the VPC unless those principals are excluded. Option A (internet gateway) is wrong because it provides public, not VPC-restricted, access. Option B (security group on S3) is wrong because S3 is not a VPC resource and security groups cannot be attached to a bucket. Option D (NAT gateway) is wrong because it only provides outbound internet access and does not identify the VPC to S3.

243
MCQ · easy

A company wants to detect and alert on SSH brute force attacks on EC2 instances. Which AWS service should be used?

A.AWS Config
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS CloudTrail
E.AWS Shield
Answer: B

GuardDuty correlates VPC Flow Logs with threat intelligence to detect brute force patterns.

Why this answer

Option B is correct because GuardDuty analyses VPC Flow Logs (together with DNS and CloudTrail logs) and raises the UnauthorizedAccess:EC2/SSHBruteForce finding when an instance is being targeted by, or is itself performing, SSH brute force attempts. Option A is wrong because AWS Config evaluates configuration compliance. Option C is wrong because Inspector scans for software vulnerabilities and network reachability, not live attacks. Option D is wrong because CloudTrail records API calls, not network traffic. Option E is wrong because Shield protects against DDoS.

244
MCQ · hard

Refer to the exhibit. A user assumes the role and tries to terminate an instance, but gets an error. The instance i-12345678 has a tag 'Environment' with value 'dev'. What is the most likely reason for the failure?

A.The role policy has an implicit deny because the 'ec2:TerminateInstances' action is not allowed on the specific resource ARN due to missing account ID or region mismatch, or the session credentials have expired.
B.The role policy has a condition that requires the instance to have the tag 'Environment' set to 'dev', but the condition is evaluated against the principal, not the resource.
C.The role policy includes 'ec2:Describe*' which grants permission to describe all resources, but that does not include terminate. The condition on TerminateInstances requires the tag, but the user may not have passed the tag condition correctly.
D.The policy uses 'ec2:TerminateInstances' with a resource ARN that includes the region and account, but the instance may be in a different region or account.
Answer: A

The error is UnauthorizedOperation. The policy allows ec2:TerminateInstances under a tag condition and the instance does carry Environment=dev, so the remaining candidates are a resource ARN that does not match the instance (wrong account ID or region) or session credentials that have expired. The exhibit shows the assumed-role credentials expiring at 01:00:00Z; if the command runs after that moment the credentials are no longer valid, which is the most common cause.

Why this answer

Option A is correct because it names the two failure modes consistent with the exhibit: an implicit deny because the resource ARN in the policy does not match the instance (account ID or region mismatch), or expired assumed-role session credentials; the visible expiration time makes the second the most likely. The checks a practitioner runs are aws sts get-caller-identity with the session credentials (an expired session fails immediately) and a comparison of the instance's region and account with the ARN in the policy. Option B is wrong because an ec2:ResourceTag condition is evaluated against the tags on the resource, not against the principal. Option C is wrong because ec2:Describe* has nothing to do with terminate permission and the tag condition is satisfied by the instance's tag. Option D is incomplete: it covers only the region or account mismatch and ignores the expiration shown in the exhibit.

245
MCQ · hard

A company uses AWS KMS to encrypt data in Amazon S3. The security team receives an alert that an IAM user is attempting to decrypt data using a key that they do not have access to. Which AWS service can be used to monitor and alert on such unauthorized KMS API calls?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail with CloudWatch Alarms
D.Amazon Inspector
Answer: C

CloudTrail records every KMS API call, including failed Decrypt calls with an AccessDenied error code; a CloudWatch Logs metric filter and alarm turn those into alerts.

Why this answer

Option C is correct because CloudTrail logs all KMS API calls (KMS data-plane calls such as Decrypt are recorded as management events, so they are captured by default), and a metric filter on eventSource = kms.amazonaws.com with an AccessDenied errorCode feeds a CloudWatch alarm. Option A is wrong because GuardDuty looks for threat patterns and does not alert on an individual denied KMS call. Option B is wrong because AWS Config monitors resource configurations, not API calls. Option D is wrong because Inspector assesses vulnerabilities.
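Questions 228, 238, 241 and 245 all rest on the same mechanism: CloudTrail events land in CloudWatch Logs and a metric filter turns a pattern into a metric. The following added example (written for this page, not AWS code) runs two such detections over constructed CloudTrail records: the root-usage predicate mirrors the CIS benchmark metric filter pattern, and the KMS predicate flags Decrypt calls that failed with AccessDenied. The `since` argument reproduces the no-backfill behaviour from question 228. The account ID, key ID, addresses and event IDs are placeholders.

```python
"""Run two CloudWatch Logs style detections over constructed CloudTrail records.

Added example for questions 228, 238, 241 and 245, not AWS code. The
root-usage predicate mirrors the CIS benchmark metric filter
  { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }
and the KMS predicate flags Decrypt / GenerateDataKey calls that failed with an
access-denied error code. The `since` argument mirrors the fact that a metric
filter only sees events ingested after it was created. Account ID, key ID,
addresses and event IDs are placeholders.
"""
import json
from typing import Callable, Dict, List

ROOT_ARN = "arn:aws:iam::123456789012:root"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Constructed log delivery in CloudTrail's {"Records": [...]} file layout.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "evt-root-old", "eventTime": "2024-02-20T07:15:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN, "accountId": "123456789012"}},
    {"eventID": "evt-root-login", "eventTime": "2024-03-01T08:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN, "accountId": "123456789012"}},
    {"eventID": "evt-root-service", "eventTime": "2024-03-01T08:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN, "accountId": "123456789012",
                      "invokedBy": "AWS Internal"}},
    {"eventID": "evt-kms-denied", "eventTime": "2024-03-01T09:30:00Z",
     "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventType": "AwsApiCall", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/analyst is not authorized "
                     "to perform: kms:Decrypt on resource: " + KEY_ARN,
     "userIdentity": {"type": "IAMUser", "userName": "analyst", "accountId": "123456789012"}},
    {"eventID": "evt-kms-ok", "eventTime": "2024-03-01T09:31:00Z",
     "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "security-engineer",
                      "accountId": "123456789012"}},
]})


def load_events(text: str) -> List[dict]:
    return json.loads(text)["Records"]


def is_root_usage(ev: dict) -> bool:
    """Root credentials used directly, not an AWS service acting on the account's behalf."""
    who = ev.get("userIdentity", {})
    return (who.get("type") == "Root"
            and "invokedBy" not in who
            and ev.get("eventType") != "AwsServiceEvent")


DENIED_CODES = {"AccessDenied", "AccessDeniedException"}
KMS_DATA_CALLS = {"Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}


def is_denied_kms_call(ev: dict) -> bool:
    """A principal tried to use a key it is not allowed to use."""
    return (ev.get("eventSource") == "kms.amazonaws.com"
            and ev.get("eventName") in KMS_DATA_CALLS
            and ev.get("errorCode") in DENIED_CODES)


DETECTIONS: Dict[str, Callable[[dict], bool]] = {
    "RootAccountUsage": is_root_usage,
    "KmsDecryptAccessDenied": is_denied_kms_call,
}


def run_detections(events: List[dict], since: str) -> Dict[str, List[str]]:
    """Return the IDs of matching events per detection, ignoring events older than `since`."""
    hits: Dict[str, List[str]] = {name: [] for name in DETECTIONS}
    for ev in events:
        if ev["eventTime"] < since:          # ISO 8601 UTC strings compare chronologically
            continue                         # a metric filter never backfills these
        for name, predicate in DETECTIONS.items():
            if predicate(ev):
                hits[name].append(ev["eventID"])
    return hits


if __name__ == "__main__":
    print(run_detections(load_events(SAMPLE_LOG), since="2024-03-01T00:00:00Z"))
```

With `since` set to the moment the filter was created, the February root login is never counted, which is exactly the symptom described in question 228; the service-invoked root event is excluded by the invokedBy and eventType clauses so it does not page anyone.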

246
MCQ · hard

Refer to the exhibit. A security engineer runs the iptables command on an EC2 instance in a VPC. The instance has a security group that allows all outbound traffic and inbound SSH from 0.0.0.0/0, HTTP from 0.0.0.0/0, and HTTPS from 0.0.0.0/0. A user from IP 203.0.113.5 tries to connect to the instance over HTTP. What will happen?

A.The connection succeeds because the security group allows HTTP.
B.The connection succeeds because iptables allows HTTP from anywhere.
C.The connection is dropped by iptables.
D.The connection is dropped by the security group.
Answer: C

The host firewall drops the packet: the security group admits it, but the iptables INPUT chain only accepts HTTP from 10.0.0.0/16 and its default policy is DROP.

Why this answer

Option C is correct because, in the exhibit, the iptables INPUT chain has a default policy of DROP and its only rule for port 80 accepts traffic from the 10.0.0.0/16 range. The security group and the host firewall are evaluated independently and a packet must pass both; 203.0.113.5 is outside 10.0.0.0/16, so the packet clears the security group and is then dropped by iptables. Option A is wrong because the security group's allow is necessary but not sufficient. Option B is wrong because iptables does not allow HTTP from anywhere, only from 10.0.0.0/16. Option D is wrong because the security group allows HTTP from 0.0.0.0/0; it is the guest OS firewall that drops the packet. Note that the security group itself still exposes ports 22, 80 and 443 to the internet: the host firewall is the only control in the way, and any drift in the iptables rules would expose the instance.

247
MCQ · medium

A financial services company uses AWS CloudTrail to log all API calls in their account. They store the logs in an S3 bucket with server-side encryption using AWS KMS (SSE-KMS). The security team needs to ensure that only authorized users can decrypt and read the logs. They have created a KMS key with a key policy that grants decrypt permissions to the security team's IAM roles. However, when a security engineer tries to download a log file from the S3 bucket using the AWS CLI, they receive an 'AccessDenied' error. The engineer has s3:GetObject permission on the bucket. What is the most likely cause?

A.The CloudTrail trail is not configured to use SSE-KMS.
B.The S3 bucket has a bucket policy that denies access to the engineer's IAM role.
C.The S3 bucket policy does not allow the engineer to read objects.
D.The KMS key policy does not grant the engineer's role permission to decrypt.
Answer: D

Reading an SSE-KMS object requires kms:Decrypt on the key in addition to s3:GetObject on the object; S3 surfaces the KMS refusal as AccessDenied.

Why this answer

Option D is correct because S3 calls KMS to decrypt the object's data key on the engineer's behalf, and the KMS key policy (or an IAM policy, if the key policy delegates to IAM) must grant the engineer's role kms:Decrypt; without it S3 returns AccessDenied even though s3:GetObject is allowed. The quickest confirmation is the failed Decrypt event in CloudTrail, which names the principal and the key. Option A is wrong because the scenario states the logs are KMS-encrypted, and an unencrypted trail would not produce this error. Option B is wrong because there is no mention of a deny in the bucket policy and the engineer already has s3:GetObject. Option C is wrong because the S3 permission is present; what is missing is the KMS permission.

248
Multi-Select · medium

A security engineer needs to allow an IAM user to rotate their own access keys. Which TWO IAM actions must be allowed in the user's policy? (Choose TWO.)

Select 2 answers
A.iam:GetAccessKeyLastUsed
B.iam:DeleteAccessKey
C.iam:ListAccessKeys
D.iam:UpdateAccessKey
E.iam:CreateAccessKey
Answers: B, E

Creating a new key (iam:CreateAccessKey) and deleting the old one (iam:DeleteAccessKey) are the two actions rotation cannot do without.

Why this answer

Options B and E are correct: to rotate access keys the user must create a new key and delete the old one. A user can hold at most two access keys, so a user who already has two must delete one before CreateAccessKey succeeds. Option D is wrong because iam:UpdateAccessKey only changes a key's status; it is not strictly required, although the safe rotation sequence is to create the new key, switch the workload to it, set the old key Inactive, confirm nothing breaks, and only then delete it. Option C is wrong because iam:ListAccessKeys is convenient for finding the old key ID but not required. Option A is wrong because iam:GetAccessKeyLastUsed only reports when a key was last used. In practice the policy should scope these actions to the user's own ARN (arn:aws:iam::*:user/${aws:username}) so that a user cannot rotate another user's keys.

249
MCQ · medium

A company uses Amazon GuardDuty and wants to automatically isolate a compromised EC2 instance by removing it from the security group. Which approach should be used?

A.Set up an AWS Config rule to detect the finding and remediate.
B.Configure GuardDuty to directly modify the security group.
C.Create an Amazon EventBridge rule that triggers an AWS Lambda function to remove the instance from the security group.
D.Use AWS Systems Manager Automation to automatically modify the security group based on GuardDuty findings.
Answer: C

EventBridge receives GuardDuty findings and invokes a Lambda function that swaps the instance's security group for a quarantine group.

Why this answer

Option C is correct because GuardDuty publishes each finding to EventBridge, where a rule matching the finding type invokes a Lambda function that changes the instance's security groups. One detail matters for the implementation: an elastic network interface must always have at least one security group, so the function does not "remove" the group but replaces it (ec2:ModifyInstanceAttribute with the new group list) with a quarantine group that has no inbound or outbound rules, which cuts the instance off while keeping it available for forensics. Option B is wrong because GuardDuty has no native remediation actions. Option D is possible but indirect: Systems Manager Automation needs a runbook and is still triggered through EventBridge, so it is not the simplest answer. Option A is wrong because AWS Config rules evaluate resource configuration; they do not react to GuardDuty findings.

250
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate. The security team wants to ensure that the containers can only communicate with specific external APIs and not with other containers in the same task. Which security control should be applied?

A.Configure network ACLs on the subnets where the tasks run.
B.Apply an IAM policy to the task execution role to restrict API calls.
C.Attach a security group to the ECS task with outbound rules allowing only the specific API endpoints.
D.Use VPC endpoints to restrict traffic to specific APIs.
Answer: C

In awsvpc network mode each task gets its own elastic network interface, and a security group on that interface filters the task's traffic.

Why this answer

Option C is correct because Fargate tasks run in awsvpc mode: each task has its own ENI with its own security group, and the outbound rules can be limited to the IP ranges (or prefix lists) of the approved APIs. Two caveats apply. Security group rules match IP addresses, not hostnames, so an API behind changing addresses needs a forward proxy or an AWS Network Firewall domain list rather than a security group rule. And all containers in one task share that ENI and can reach each other over localhost, which the security group never sees; isolating containers from each other means running them in separate tasks. Option A is wrong because network ACLs are stateless and apply per subnet, not per task. Option B is wrong because IAM policies govern AWS API authorization, not network traffic. Option D is wrong because VPC endpoints provide private access to AWS services; they do not restrict container-to-container traffic.

251
MCQ · medium

A company wants to centrally manage IAM users and allow them to access multiple AWS accounts using a single set of credentials. Which AWS service should be used?

A.AWS IAM Identity Center (AWS SSO)
B.IAM roles with cross-account trust
C.AWS Organizations consolidated billing
D.Amazon Cognito user pools
Answer: A

Provides single sign-on with temporary credentials for multiple accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides a centralized identity source that allows users to sign in once with a single set of credentials and then access multiple AWS accounts and business applications. It integrates with AWS Organizations to automatically manage permissions across accounts, eliminating the need for separate IAM users in each account.

Exam trap

The trap here is that candidates often confuse IAM roles with cross-account trust as a centralized solution, but they require manual role setup and do not provide a single sign-on portal or unified credential management across accounts.

How to eliminate wrong answers

Option B is wrong because IAM roles with cross-account trust allow users in one account to assume roles in another account, but they still require separate IAM users in the originating account and do not provide a single sign-on experience with a unified credential set. Option C is wrong because AWS Organizations consolidated billing only aggregates billing and payment across accounts; it does not manage user identities or provide authentication. Option D is wrong because Amazon Cognito user pools are designed for customer-facing identity and access management for web and mobile applications, not for centrally managing IAM users accessing multiple AWS accounts.

252
MCQ · easy

A security engineer discovers an Amazon GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' for an EC2 instance. The instance is part of an Auto Scaling group and has a public IP address. What is the MOST effective immediate step to mitigate the threat?

A.Modify the network ACL to block SSH traffic from the attacker's IP.
B.Terminate the instance without detaching it from the Auto Scaling group.
C.Update the security group to restrict SSH access to known IP addresses.
D.Detach the instance from the Auto Scaling group and terminate it.
Answer: D

This stops the attack and prevents the Auto Scaling group from automatically launching a new instance.

Why this answer

Option D is correct because the instance is under attack and belongs to an Auto Scaling group. Detaching it with the desired-capacity decrement (DetachInstances with ShouldDecrementDesiredCapacity set) removes it from the group without provisioning a replacement, which lets the team isolate it, take an EBS snapshot for forensic analysis, and only then terminate it; terminating last stops the attack at its source without the group re-launching a similarly exposed instance. In parallel, the launch template's security group should be fixed so that future instances do not expose port 22 to the internet.

Exam trap

The trap here is that candidates assume terminating the instance directly (Option B) is sufficient, failing to recognize that Auto Scaling groups automatically replace terminated instances, which can immediately re-expose the environment to the same threat.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and modifying them to block only the attacker's IP is ineffective against distributed brute force attacks; also, this does not address the compromised instance itself. Option B is wrong because terminating an instance that is part of an Auto Scaling group triggers the group to launch a replacement instance immediately, potentially recreating the same vulnerability if the underlying AMI or configuration is unchanged. Option C is wrong because updating the security group to restrict SSH access to known IPs is a preventive measure, not an immediate incident response step; it does not stop the ongoing attack on the already compromised instance.

253
MCQmedium

A security engineer is troubleshooting why CloudTrail logs are not being delivered to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured to log management events. However, no log files appear in the bucket. What is the MOST likely cause?

A.The trail is not logging data events.
B.The S3 bucket uses SSE-KMS encryption and the trail does not have permission to use the KMS key.
C.The S3 bucket is in a different AWS account.
D.The bucket policy is missing a Deny statement.
AnswerB

CloudTrail requires kms:Decrypt and kms:GenerateDataKey permissions on the KMS key to deliver logs to an encrypted bucket.

Why this answer

Option B is correct because if the S3 bucket is using SSE-KMS encryption, CloudTrail requires explicit permissions to use the KMS key. Option A is wrong because management events are logged by default. Option C is wrong because CloudTrail can deliver logs to buckets in different accounts with proper cross-account permissions.

Option D is wrong because a Deny statement is not needed for delivery; the bucket policy already allows CloudTrail to write objects.

254
MCQhard

A security engineer is investigating a potential breach. The engineer notices that an EC2 instance's security group allows inbound SSH (port 22) from 0.0.0.0/0. The instance is in a public subnet and has a public IP address. However, the engineer finds that SSH access is only possible from a specific IP address. What is the most likely explanation?

A.The network ACL allows inbound SSH from 0.0.0.0/0
B.The security group rule is being overridden by a more restrictive security group attached to the same instance
C.The security group rule is being evaluated but the instance's operating system firewall is blocking SSH
D.The network ACL denies inbound SSH from all IPs except the specific IP
AnswerD

NACLs are stateless and can override security group rules by denying traffic at the subnet level.

Why this answer

Option D is correct because a network ACL (NACL) can override security group rules if it denies inbound traffic. Option A is wrong because if the NACL allowed traffic from all IPs, it would not explain the restriction. Option B is wrong because security groups are stateful and permissive; a second security group cannot override the rule that allows SSH from anywhere.

Option C is wrong because security group rules are still evaluated; the rule allowing all traffic would still apply.

255
MCQmedium

A company has multiple AWS accounts and wants to centrally manage access using IAM Identity Center (AWS SSO). Which feature allows the company to define permissions once and reuse them across multiple accounts?

A.Application assignments
B.Identity providers
C.Permission sets
D.Account assignments
AnswerC

Define reusable collections of permissions for AWS accounts.

Why this answer

Option C is correct because permission sets in IAM Identity Center define collections of policies that can be assigned to users and groups across accounts. Option A is for managing access to external applications. Option B is for federation.

Option D assigns users and groups to specific accounts rather than defining the permissions themselves.

256
MCQmedium

A security team needs to ensure that all API calls made in the AWS account are logged and the logs are stored in a central S3 bucket that is encrypted with a KMS key. Which combination of steps should the team take to achieve this?

A.Enable AWS Config and have it deliver configuration history to an encrypted S3 bucket.
B.Enable CloudWatch Logs and stream logs to an encrypted S3 bucket.
C.Enable VPC Flow Logs and publish to an encrypted S3 bucket.
D.Enable CloudTrail and configure it to deliver logs to an encrypted S3 bucket.
AnswerD

CloudTrail is designed to log API calls and can deliver to an encrypted S3 bucket.

Why this answer

Option D is correct because CloudTrail logs API calls and can deliver them to an encrypted S3 bucket. Option A is wrong because Config records resource changes, not API calls. Option B is wrong because CloudWatch Logs does not directly store logs in S3.

Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

257
MCQmedium

A company uses AWS CloudTrail to log all API calls. The security team needs to be alerted when an IAM user creates a new access key. Which approach is most efficient?

A.Enable AWS Config managed rule to detect access key creation and trigger an SNS notification.
B.Create a CloudWatch Events rule that matches the CreateAccessKey event and targets an SNS topic.
C.Use CloudWatch Logs Insights to run a query every minute on CloudTrail logs and send results to SNS.
D.Configure CloudTrail to send logs to an S3 bucket and enable S3 event notifications to an SNS topic.
AnswerB

CloudWatch Events can filter specific API calls in real-time and trigger actions like SNS notifications.

Why this answer

Option B is correct because CloudWatch Events can filter specific API calls and trigger a target such as an SNS topic to send notifications. Option A is incorrect because Config records resource changes but is not optimized for API call alerts. Option C is incorrect because CloudWatch Logs Insights requires querying logs manually, not real-time alerting.

Option D is incorrect because CloudTrail does not natively send alerts; it delivers logs to S3.

258
MCQmedium

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. The VPC has a VPC endpoint for S3 configured. Which policy should be attached to the bucket?

A.{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"aws:SourceVpce":"vpce-11111111"}}}
B.{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"aws:VpcSourceIp":"10.0.0.0/16"}}}
C.{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"aws:SourceVpc":"vpc-12345678"}}}
D.{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"IpAddress":{"aws:SourceIp":"10.0.0.0/16"}}}
AnswerA

This condition restricts access to traffic coming through the specified VPC endpoint.

Why this answer

Option A is correct because a bucket policy with the aws:SourceVpce condition key restricts access to traffic coming through the specified VPC endpoint. Option B is wrong because aws:VpcSourceIp is not a valid condition key for VPC endpoints. Option C is wrong because aws:SourceVpc does not restrict to a specific endpoint.

Option D is wrong because aws:SourceIp does not apply to VPC endpoint traffic.

259
MCQeasy

A security engineer needs to capture all DNS queries made by EC2 instances in a VPC and send them to a security analytics tool. Which AWS service should be used to capture this traffic?

A.AWS Network Firewall
B.VPC Flow Logs
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerA

AWS Network Firewall can capture DNS logs by enabling DNS inspection.

Why this answer

Option A is correct because AWS Network Firewall can capture DNS logs. Option B is wrong because VPC Flow Logs capture IP traffic metadata but do not include DNS query details. Option C is wrong because CloudTrail records API calls, not DNS queries.

Option D is wrong because GuardDuty is a threat detection service that consumes DNS logs from other sources rather than capturing them.

260
MCQeasy

An IAM user receives an 'AccessDenied' error when trying to list objects in an S3 bucket. The user has the following policy attached: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::example-bucket"}]}. What is the most likely reason?

A.The policy is missing a condition
B.The bucket policy explicitly denies the action
C.The policy does not include s3:GetObject
D.The policy has a syntax error
AnswerB

An explicit deny in the bucket policy overrides the user policy allow.

Why this answer

The IAM policy grants the s3:ListBucket action on the bucket, which should allow listing objects. However, an explicit deny in a bucket policy overrides any allow, including those from IAM policies. Since the user receives an 'AccessDenied' error, the most likely cause is that the bucket policy explicitly denies the s3:ListBucket action for this user, as explicit denies take precedence over all allows.

Exam trap

The trap here is that candidates often assume an IAM policy alone is sufficient and forget that bucket policies can explicitly deny actions, overriding IAM allows, leading them to incorrectly choose options like missing permissions or syntax errors.

How to eliminate wrong answers

Option A is wrong because a missing condition would not cause an 'AccessDenied' error if the action and resource are correctly allowed; conditions only further restrict access, and their absence typically broadens access. Option C is wrong because s3:GetObject is not required for listing objects; s3:ListBucket alone is sufficient for the ListObjects operation. Option D is wrong because a syntax error would result in a different error (e.g., 'MalformedPolicy') or the policy would be invalid, not an 'AccessDenied' error during the API call.

261
MCQhard

A company stores data in Amazon S3 and uses AWS KMS with Customer Master Keys (CMKs) for encryption. The security team wants to audit when the CMK is used to decrypt data. Which of the following will provide this information?

A.AWS Config
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.S3 server access logs
AnswerC

CloudTrail records KMS Decrypt events.

Why this answer

Option C is correct because AWS CloudTrail logs all KMS Decrypt API calls. Option A is wrong because AWS Config records configuration changes, not API calls. Option B is wrong because CloudWatch Logs can store logs but does not generate them.

Option D is wrong because S3 server access logs record requests to S3, not the KMS decryption calls.

262
MCQhard

During a security incident, a security engineer needs to capture network traffic between an EC2 instance and an attacker's IP address for forensic analysis. The engineer has already identified the attacker's IP from CloudTrail logs. Which action captures the traffic without affecting the instance?

A.Update the network ACL to log all traffic to and from the attacker's IP.
B.Enable VPC Flow Logs on the subnet and query logs for the attacker's IP.
C.SSH into the instance and run tcpdump with a filter for the attacker's IP.
D.Create a VPC Traffic Mirroring session targeting the instance's ENI and mirror the traffic to a Network Load Balancer for capture.
AnswerD

Captures traffic without affecting the instance.

Why this answer

Option D is correct because VPC Traffic Mirroring captures all network traffic at the Elastic Network Interface (ENI) level without any performance impact or configuration change on the EC2 instance itself. It copies the traffic to a Network Load Balancer (NLB) or another target for capture and analysis, making it ideal for forensic investigation without disrupting the running instance.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which only provide metadata) with full packet capture capabilities, or they assume that SSHing into the instance is acceptable despite the risk of altering the instance state during an active incident.

How to eliminate wrong answers

Option A is wrong because network ACLs do not log traffic; they only allow or deny traffic based on rules, and they operate at the subnet level, not per-instance. Option B is wrong because VPC Flow Logs capture metadata (source/destination IP, ports, protocol, packets) but not the actual packet payload, so they cannot provide the full network traffic needed for deep forensic analysis. Option C is wrong because SSHing into the instance and running tcpdump would alter the instance's state (e.g., by installing or running a process) and could interfere with the incident or be blocked if the instance is compromised.

263
Multi-Selecthard

Which THREE of the following are required to use client-side encryption with Amazon S3 using AWS KMS? (Choose three.)

Select 3 answers
A.An S3 bucket policy that forces encryption.
B.The encrypted data key is stored as metadata with the S3 object.
C.A KMS key policy that allows the S3 service to decrypt.
D.Permissions for the IAM user or role to call kms:GenerateDataKey.
E.The AWS SDK Encryption Client library.
AnswersB, D, E

The encrypted data key is stored alongside the object for later decryption.

Why this answer

Options B, D, and E are correct. The AWS SDK Encryption Client (E) handles client-side encryption. The client must call KMS to generate a data key (D).

The encrypted data key is stored with the object (B). Option A is wrong because an S3 bucket policy is not required for client-side encryption. Option C is wrong because a KMS key policy allowing the S3 service is not required for client-side encryption; the client needs IAM permissions.

264
Multi-Selecteasy

A company wants to detect and respond to potential security threats in near real-time. Which TWO services should the company use together to achieve this? (Choose TWO.)

Select 2 answers
A.AWS Config
B.Amazon Inspector
C.AWS CloudTrail
D.AWS Security Hub
E.Amazon GuardDuty
AnswersD, E

Security Hub aggregates findings and can automate responses.

Why this answer

AWS Security Hub (D) aggregates security findings from multiple AWS services, including Amazon GuardDuty, and provides a comprehensive view of security alerts and compliance status. Amazon GuardDuty (E) is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using machine learning and integrated threat intelligence. Together, they enable near real-time detection and response by centralizing findings from GuardDuty in Security Hub, which can trigger automated remediation workflows via Amazon EventBridge.

Exam trap

The trap here is that candidates often confuse AWS Config or CloudTrail as threat detection services, but they are primarily configuration auditing and API logging tools, respectively, and lack the real-time threat analysis capabilities of GuardDuty and Security Hub.

265
MCQmedium

A security engineer is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. Both instances have security groups that allow all traffic from each other's security group. However, traffic is still blocked. What is the most likely cause?

A.The instances are in different VPCs.
B.The network ACL for one or both subnets is blocking the traffic.
C.The route tables do not have a route between the subnets.
D.VPC Flow Logs are not enabled.
AnswerB

Network ACLs are stateless and can block traffic even if security groups allow it.

Why this answer

Option B is correct because network ACLs are stateless and must allow both inbound and outbound traffic for the connection. Even if security groups allow traffic, a network ACL can block it; the default network ACL allows all traffic, but custom ACLs may have restrictive rules. Option A is wrong because the question states both instances are in the same VPC.

Option C is wrong because route tables handle routing, not filtering. Option D is wrong because VPC Flow Logs only monitor traffic, not block it.

266
MCQmedium

A company wants to protect sensitive data stored in Amazon S3 by enforcing encryption in transit. Which policy should be used to deny requests that do not use HTTPS?

A.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
B.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
C.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
D.{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*"}
AnswerB

This policy denies requests where SecureTransport is false (non-HTTPS).

Why this answer

Option B is correct because a bucket policy that denies requests where aws:SecureTransport is false blocks non-HTTPS requests. Option A is wrong because it denies HTTPS traffic, which is the opposite. Option C is wrong because it refers to encryption at rest.

Option D is wrong because it denies all requests.

267
MCQeasy

An IAM user reports that they are unable to launch an EC2 instance in us-east-1. The IAM policy attached to the user allows ec2:RunInstances but with a condition that the instance type must be t2.micro. What could be the reason for the failure?

A.The user is trying to launch an instance type other than t2.micro.
B.The user has not attached a security group to the instance.
C.The IAM policy does not include ec2:RunInstances for us-east-1.
D.The user's account has reached the EC2 instance limit.
AnswerA

The condition restricts to t2.micro; any other type would be denied.

Why this answer

Option A is correct because the condition likely specifies 'ec2:InstanceType' equals 't2.micro', so if the user tries to launch any other type, the action is denied. Option B is irrelevant because the policy allows the action. Option C is unlikely because the only condition described restricts the instance type, not the Region.

Option D is unrelated to the IAM policy condition.

268
Multi-Selecthard

A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)

Select 3 answers
A.AWS CloudTrail
B.Amazon VPC Flow Logs
C.Amazon GuardDuty
D.AWS Config
E.Amazon Inspector
AnswersA, C, D

Logs API calls including cross-account access.

Why this answer

AWS CloudTrail is correct because it logs all API calls made to the AWS environment, including cross-account access events such as AssumeRole, GetFederationToken, or any action performed by an IAM role from another account. These logs capture the source identity, target resource, and request parameters, enabling security engineers to detect and audit cross-account activity.

Exam trap

The trap here is that candidates often confuse network-level logging (VPC Flow Logs) with API-level logging (CloudTrail) or assume vulnerability scanners (Inspector) can detect access events, but only CloudTrail, GuardDuty, and Config provide the necessary identity and resource-level visibility for cross-account access monitoring.

269
MCQmedium

A company is using AWS Config to track resource changes. They want to receive notifications when a security group is modified to allow inbound traffic from 0.0.0.0/0. What is the most efficient way to achieve this?

A.Use IAM Access Analyzer to detect publicly accessible security groups.
B.Enable Amazon GuardDuty and use its findings for security group changes.
C.Create a custom AWS Config rule with an AWS Lambda function that checks for public inbound traffic.
D.Create a CloudTrail trail and filter on AuthorizeSecurityGroupIngress events.
AnswerC

AWS Config can continuously evaluate security group rules and trigger actions.

Why this answer

Option C is correct because AWS Config rules can evaluate resources against desired configurations; a custom rule backed by a Lambda function can check security group rules and trigger notifications via SNS. Option A is wrong because IAM Access Analyzer focuses on resource policies.

Option B is wrong because GuardDuty is for threat detection. Option D is wrong because CloudTrail logs API calls but requires parsing.

270
MCQhard

Refer to the exhibit. A security engineer is analyzing a CloudTrail log entry for an EC2 RunInstances call. The engineer needs to determine if the instance launch was authorized by an IAM policy. Which field should the engineer check to identify the IAM policy that was used to authorize the action?

A.The 'vpcEndpointId' field to see if the call came through a VPC endpoint.
B.The 'sourceIP' field to identify the IP address.
C.The 'eventType' field to determine the type of event.
D.The 'userIdentity' field to identify the IAM user or role that made the call.
AnswerD

The userIdentity shows who made the call; then you can review the attached policies.

Why this answer

The 'userIdentity' field in a CloudTrail log entry contains details about the IAM user or role that made the API call, including the ARN and the access key ID. To identify the specific IAM policy that authorized the action, the security engineer must first know the identity (user/role) from the 'userIdentity' field, then cross-reference that identity with the IAM policies attached to it. The policy itself is not directly listed in the log entry, but the identity is the key to tracing authorization.

Exam trap

The trap here is that candidates may think the 'eventType' or 'sourceIP' fields directly reveal authorization details, but CloudTrail does not log the specific policy that was evaluated; instead, the 'userIdentity' field is the critical link to identify the IAM entity whose policies were applied.

How to eliminate wrong answers

Option A is wrong because the 'vpcEndpointId' field indicates whether the call originated from a VPC endpoint, which is relevant for network-level logging and VPC endpoint policies, not for identifying the IAM policy that authorized the RunInstances action. Option B is wrong because the 'sourceIP' field shows the IP address from which the call was made, which is used for network-level analysis or source IP conditions in policies, but does not directly identify the IAM policy that authorized the action. Option C is wrong because the 'eventType' field indicates whether the event is an API call (AwsApiCall), a console login, or a service event, but it provides no information about the specific IAM policy used for authorization.

271
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization are encrypted with server-side encryption (SSE-S3) and that no public access is allowed. The team has created an SCP that denies the s3:PutBucketPublicAccessBlock action and also denies s3:PutBucketPolicy if the policy would grant public access. However, the team discovers that some buckets in the production account still have public access enabled. The SCP is applied to the root OU, which includes the production account. What is the most likely reason that the SCP is not being enforced?

A.The SCP does not have an explicit allow for the actions it denies; SCPs require an explicit allow to take effect.
B.The SCP only applies to IAM users and roles, not to the root user.
C.The production account is the management account of the organization, and SCPs do not affect the management account.
D.The SCP is not attached to the production account's OU; it is attached to the root OU.
AnswerC

Management account is not affected by SCPs.

Why this answer

Option C is correct. SCPs do not affect the management account; they only apply to member accounts. If the production account is the management account, SCPs will not apply.

Option A is incorrect because SCPs don't require explicit allow; they deny by default if not allowed. Option B is incorrect because SCPs affect all IAM principals in the account. Option D is incorrect because an SCP attached to the root applies to every OU and account beneath it.

272
MCQhard

A company uses AWS SSO to manage access to multiple accounts. An employee leaves the company. What is the most efficient way to revoke all AWS access for that employee?

A.Deactivate the user in the connected identity provider (e.g., Active Directory).
B.Delete the corresponding IAM user in every AWS account.
C.Remove the user from all groups in AWS SSO.
D.Delete the IAM role that the user assumes in each account.
AnswerA

This immediately revokes all access across accounts via AWS SSO.

Why this answer

Option A is correct because deactivating the user in the identity provider (IdP) will invalidate all sessions and prevent new ones. Option B is wrong because deleting the IAM user in each account is inefficient. Option C is wrong because removing the user from groups in AWS SSO may not immediately revoke active sessions.

Option D is wrong because deleting the IAM role would break access for other users.

273
MCQmedium

A security engineer is troubleshooting why an EC2 instance in a private subnet cannot access the internet through a NAT gateway. The route table for the private subnet has a default route pointing to the NAT gateway. The NAT gateway is in a public subnet with a route to an internet gateway. What is the most likely cause of the issue?

A.The NAT gateway does not have an Elastic IP address associated.
B.The EC2 instance's security group is blocking outbound traffic.
C.The NAT gateway's security group is blocking outbound traffic.
D.The NAT gateway does not have a route to the internet gateway in its route table.
AnswerA

A NAT gateway requires an Elastic IP for outbound traffic.

Why this answer

Option A is correct because the NAT gateway must have an associated Elastic IP to communicate with the internet. Option B is wrong because, although the instance's security group must allow outbound traffic, the default outbound rule is permissive. Option C is wrong because security groups are not applied to NAT gateways in the same way; they are applied to the ENI.

Option D is wrong because the NAT gateway itself does not need a route to the internet gateway; its public subnet's route table does.

274
MCQhard

A company stores sensitive data in an S3 bucket with versioning enabled. They want to ensure that objects are encrypted at rest using SSE-KMS. A security audit reveals that some older object versions are encrypted with SSE-S3. What is the MOST efficient way to re-encrypt those older versions with SSE-KMS?

A.Create a lifecycle policy to transition objects to a new storage class
B.Use the AWS CLI s3 sync command with the --sse aws:kms option
C.Use S3 Batch Operations to copy objects with SSE-KMS encryption
D.Manually re-upload the objects via the S3 console
AnswerC

Batch Operations can re-encrypt objects in place.

Why this answer

Option C is correct because S3 Batch Operations can copy objects in place, preserving versions and applying new encryption. Option A is wrong because lifecycle policies do not re-encrypt. Option B is wrong because S3 sync does not handle versioning.

Option D is wrong because the S3 console does not have a bulk re-encrypt feature for versions.

275
MCQeasy

A security engineer is reviewing AWS CloudTrail logs and notices repeated `CreateTrail` API calls from an IAM user that is not authorized to create trails. What is the MOST likely cause of these log entries?

A.The IAM user attempted to create a trail but was denied due to lack of permissions.
B.AWS GuardDuty is generating simulated events.
C.S3 server access logs are enabled for the trail's S3 bucket.
D.CloudTrail is configured to log only data events.
AnswerA

CloudTrail records all API calls, including denied attempts.

Why this answer

The repeated `CreateTrail` API calls in CloudTrail logs indicate that an IAM user is attempting to create a trail. Since the user lacks the required `cloudtrail:CreateTrail` permission, the API call is recorded as an attempted action that was denied by AWS Identity and Access Management (IAM) policy evaluation. CloudTrail logs all API calls, including those that fail due to insufficient permissions, which is why these entries appear in the logs.

Exam trap

The trap here is that candidates may think CloudTrail only logs successful API calls, but in reality, it logs all API calls, including those that are denied, which is why the repeated `CreateTrail` entries appear even though the user is not authorized.

How to eliminate wrong answers

Option B is wrong because AWS GuardDuty generates security findings and simulated events related to threats, not CloudTrail `CreateTrail` API calls; GuardDuty does not produce CloudTrail log entries. Option C is wrong because S3 server access logs record requests made to an S3 bucket, such as GET or PUT operations, not CloudTrail API calls like `CreateTrail`. Option D is wrong because CloudTrail's data events configuration controls which data plane operations are logged (e.g., S3 object-level events), but it does not affect the logging of management events like `CreateTrail`; the API call would still be logged regardless of data event settings.

276
MCQhard

Refer to the exhibit. A security engineer investigates a potential unauthorized deletion of an AWS CloudTrail trail. The engineer runs the command and receives the output shown. Which additional step should the engineer take to determine if the trail deletion was unauthorized?

A.Enable AWS Config rules to monitor CloudTrail configuration changes and cross-reference the event time with an approved change window.
B.Check the source IP address 203.0.113.50 against a list of approved corporate IP ranges.
C.Review the IAM user 'admin' permissions to see if they have the cloudtrail:DeleteTrail permission.
D.Use CloudTrail Insights to detect unusual API activity for the DeleteTrail event.
AnswerA

Cross-referencing with an approved change window helps determine if the deletion was planned and authorized, addressing the authorization aspect directly.

Why this answer

The engineer needs to determine if the deletion was unauthorized. Checking the source IP or permissions may not be sufficient. The best approach is to verify if the deletion occurred within an approved change window, which can be tracked via AWS Config or change management processes.

277
Multi-Selectmedium

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation have encryption enabled by default. Which TWO approaches can achieve this?

Select 2 answers
A.Create an AWS Config rule that checks for S3 bucket encryption and auto-remediates
B.Enable S3 Block Public Access at the account level
C.Attach a service control policy (SCP) to the root OU that denies S3 bucket creation without encryption
D.Attach an IAM role to the CloudFormation service that grants permissions to encrypt buckets
E.Use a CloudFormation stack policy to deny creation of S3 buckets without encryption
AnswersA, E

Config rules can enforce encryption and trigger remediation actions.

Why this answer

Options A and E are correct. AWS Config rules (A) can detect and remediate non-compliant buckets. A CloudFormation stack policy (E) can enforce encryption settings.

Option B is wrong because S3 Block Public Access does not enforce encryption. Option C is wrong because SCPs apply to accounts, not CloudFormation stacks. Option D is wrong because IAM roles do not enforce encryption on S3 buckets.

278
Multi-Selectmedium

Which TWO actions can be used to restrict access to an S3 bucket to only requests that originate from a specific VPC?

Select 2 answers
A.Use a security group to allow inbound traffic from the VPC to S3.
B.Use an IAM policy with a condition key aws:SourceVpce to restrict access to the VPC endpoint.
C.Configure a VPC endpoint for S3 and attach a bucket policy that allows access only from that endpoint.
D.Use a network ACL to allow traffic from the VPC to S3.
E.Use an IAM policy with a condition key aws:SourceIp to restrict access to the VPC CIDR.
AnswersB, C

IAM policies can restrict based on VPC endpoint ID.

Why this answer

Option B is correct because the `aws:SourceVpce` condition key in an IAM policy allows you to restrict access to an S3 bucket to requests that originate from a specific VPC endpoint (VPC Endpoint ID). This ensures that only traffic coming through that VPC endpoint can access the bucket, effectively limiting access to the VPC. Option C is also correct because you can configure a VPC endpoint for S3 and attach a bucket policy that explicitly allows access only from that endpoint using the `aws:SourceVpce` condition, achieving the same restriction.

Exam trap

The trap here is that candidates often confuse IAM policies with bucket policies or think that security groups or network ACLs can directly control access to S3, but S3 is a managed service and does not process security group or NACL rules; only bucket policies and IAM policies with VPC endpoint conditions can enforce such restrictions.

279
MCQhard

A company stores sensitive customer data in Amazon S3. The security team has enabled default encryption with SSE-S3 on the bucket. The compliance team requires that all access to the bucket be logged and that any unauthorized access attempts be detected in real time. The company has AWS CloudTrail enabled. Which additional steps should the security team take to meet the compliance requirements?

A.Enable S3 server access logs and enable Amazon GuardDuty with S3 protection
B.Enable AWS Config rules to detect unauthorized access
C.Enable CloudTrail data events for the S3 bucket and use Amazon Detective
D.Enable VPC Flow Logs and use Amazon Athena to analyze logs
AnswerA

Server access logs provide detailed logging; GuardDuty provides real-time threat detection.

Why this answer

Option A is correct because enabling S3 server access logs captures all requests, and Amazon GuardDuty can detect suspicious activity in real time. Option C is wrong because CloudTrail management events do not log data events by default. Option D is wrong because VPC Flow Logs do not log S3 access.

Option B is wrong because AWS Config is for configuration changes, not real-time threat detection.

280
Multi-Selecthard

Which TWO of the following are valid use cases for IAM permissions boundaries? (Choose TWO.)

Select 2 answers
A.To allow cross-account access to an S3 bucket
B.To prevent an IAM user from escalating privileges
C.To allow developers to create roles with limited permissions
D.To delegate permission management to non-administrators
E.To restrict access to an S3 bucket based on IP address
AnswersB, C

Boundaries limit the maximum permissions.

Why this answer

Options B and C are valid uses. Option D is incorrect because permissions boundaries don't delegate administration. Option E is incorrect because boundaries are applied to IAM entities, not resource-based policies.

Option A is incorrect because cross-account access is governed by trust policies, not boundaries.

281
MCQhard

A company uses AWS CloudHSM to generate and store encryption keys for a custom database. The security team needs to back up the keys to another AWS Region for disaster recovery. What is the most secure and efficient way to achieve this?

A.Create a backup of the source CloudHSM cluster and copy the backup to the destination Region.
B.Export the keys from the source CloudHSM cluster and import them into a destination cluster in the other Region.
C.Enable cross-Region replication on the CloudHSM cluster.
D.Use the key_mgmt_util command-line tool to copy the keys to an on-premises HSM, then upload to the destination Region.
AnswerA

CloudHSM backups can be copied across regions for disaster recovery.

Why this answer

Option A is correct because CloudHSM supports copying backups across regions using the AWS CLI or console, which is secure and efficient. Option B is incorrect because exporting keys directly is not supported; backups are used. Option D is incorrect because manual copy (e.g., scp) is not supported.

Option C is incorrect because cross-region replication does not apply to CloudHSM backups.

282
MCQmedium

A company is migrating its on-premises data center to AWS. The company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect its on-premises network (192.168.0.0/16) to the VPC using an AWS Site-to-Site VPN. The security engineer has configured the virtual private gateway (VGW) and the customer gateway (CGW) with the correct settings. The VPN tunnel status is UP, but the on-premises servers cannot ping the EC2 instances in the VPC. The EC2 instances have security groups that allow ICMP traffic from the on-premises network. The VPC route table has a route for the on-premises network pointing to the VGW. What is the most likely cause of the issue?

A.The customer gateway is not configured with the correct public IP address of the VGW.
B.The VPN tunnel is not configured with the correct pre-shared key.
C.The security group for the EC2 instances does not allow inbound ICMP from the on-premises network.
D.The VPC route table does not have a route for the on-premises CIDR (192.168.0.0/16) pointing to the virtual private gateway.
AnswerD

Without this route, traffic from the VPC to on-premises is dropped.

Why this answer

Option D is correct. The VPC route table needs a route for the on-premises CIDR pointing to the VGW. If this route is missing, traffic from the VPC to on-premises will not be routed correctly.

Option C is incorrect because security groups are stateful and allow return traffic, and the groups already permit ICMP from the on-premises network. Option B is not the cause when the tunnel status is UP, since the tunnel would not establish with a wrong pre-shared key. Option A is incorrect because the question states that the gateways are configured with the correct settings.

283
MCQeasy

An administrator needs to allow a Lambda function to write logs to CloudWatch Logs. What is the BEST way to grant these permissions?

A.Store AWS credentials in the Lambda function code.
B.Attach a resource-based policy to the Lambda function.
C.Create an IAM role with the necessary CloudWatch Logs permissions and assign it as the Lambda function's execution role.
D.Attach the AdministratorAccess managed policy to the Lambda function's execution role.
AnswerC

Standard best practice for Lambda permissions.

Why this answer

Option C is correct: attach an execution role to the Lambda function that includes permissions for logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Option B uses a resource-based policy, which is not typical for Lambda. Option D is overly permissive.

Option A uses stored credentials, which is not a best practice.

284
MCQmedium

Refer to the exhibit. A security engineer runs the CLI command and receives the output shown. The engineer expects to see flow logs for a specific subnet, but the output shows the resource ID as a VPC. What is the most likely reason?

A.The flow log is not active; it shows ACTIVE, so that's not the issue.
B.The flow log is configured to deliver to CloudWatch, but the log group name is incorrect.
C.The IAM role does not have permissions to deliver logs for subnets.
D.The flow log was created at the VPC level, not at the subnet level.
AnswerD

The resource ID in the output is the VPC ID, indicating the flow log is for the VPC.

Why this answer

Option D is correct because the filter is by log group name, and the flow log shown is for the entire VPC, not a subnet. The engineer most likely created the flow log at the VPC level. Option A is wrong because the CLI command shows the flow log status as ACTIVE.

Option C is wrong because the role is valid. Option B is wrong because the flow log is delivering to CloudWatch Logs, which is a valid destination.

285
MCQhard

A security engineer notices that an Amazon EC2 instance has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. The instance is a bastion host. What is a more secure alternative to this configuration?

A.Change the SSH port to a non-standard port to avoid automated attacks.
B.Restrict the inbound SSH rule to a single IP address from the corporate network.
C.Replace the security group rule with a network ACL that allows SSH from 0.0.0.0/0.
D.Remove the inbound SSH rule and use AWS Systems Manager Session Manager to access the instance.
AnswerD

Session Manager provides secure access without inbound ports, using IAM for authentication and authorization.

Why this answer

The correct answer is D because using AWS Systems Manager Session Manager allows SSH access without opening any inbound ports, and it uses IAM policies for access control. Option C is wrong because a NACL is stateless and would still require an inbound rule; also, NACLs are not a replacement for security group configuration. Option A is wrong because changing the port does not improve security; attackers scan all ports.

Option B is wrong because restricting to a single IP is better than open to all, but Session Manager is more secure as it eliminates inbound ports entirely.

286
MCQmedium

A company stores sensitive customer data in Amazon S3. To comply with data protection regulations, they need to automatically prevent any new objects from being made publicly accessible. Which S3 feature should they configure?

A.Enable S3 Block Public Access at the account level.
B.Configure a bucket policy that denies s3:PutObject with a condition for public access.
C.Use S3 default encryption with SSE-S3.
D.Enable S3 Object Lock in governance mode.
AnswerA

Block Public Access provides a centralized way to prevent any public access to buckets and objects.

Why this answer

Option A is correct because S3 Block Public Access settings at the account or bucket level can enforce that no new objects or ACLs grant public access. Option B is wrong because bucket policies can be circumvented if not enforced; Block Public Access is a preventative guardrail. Option D is wrong because Object Lock prevents deletion/overwrite but doesn't control public access.

Option C is wrong because default encryption only encrypts data at rest.

287
Multi-Selecthard

A security engineer is configuring Amazon GuardDuty in a multi-account environment. The engineer wants to enable GuardDuty in the management account and automatically enable it for all member accounts. Which THREE steps are required?

Select 3 answers
A.Have each member account manually enable GuardDuty.
B.Create an S3 bucket for GuardDuty findings in each member account.
C.Configure GuardDuty to automatically enable for all accounts in the organization via the Organizations integration.
D.Accept the invitation from the administrator account in each member account.
E.Enable GuardDuty in the management account.
AnswersC, D, E

This allows automatic enablement for new accounts.

Why this answer

GuardDuty must be enabled in the management account first. Then, using Organizations, GuardDuty can be automatically enabled for all existing and new accounts. Member accounts must also accept the invitation to join the GuardDuty administrator account.

288
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer. The application uses an Amazon RDS for MySQL database. The security team requires that all data in transit between the EC2 instances and the database be encrypted. The database is in a private subnet. The EC2 instances are in a public subnet. The security team also wants to minimize latency. What should be done to meet these requirements?

A.Use AWS Certificate Manager to issue a certificate for the RDS endpoint
B.Set up a VPN connection between the EC2 instances and the RDS instance using an IPsec VPN
C.Place the EC2 instances and RDS in the same subnet and use a NAT gateway
D.Enable SSL/TLS on the RDS instance and configure the application to use encrypted connections
AnswerD

This encrypts data in transit with minimal latency.

Why this answer

Option D is correct because enabling SSL/TLS on the RDS instance and requiring encrypted connections from the application encrypts data in transit. Option B is wrong because RDS does not natively support IPsec VPN. Option C is wrong because using a NAT gateway adds latency and does not encrypt the database connection.

Option A is wrong because AWS Certificate Manager is for load balancers and CloudFront, not for database connections.

289
MCQeasy

A company wants to use AWS CloudFormation to manage infrastructure. The security team requires that all templates are scanned for security vulnerabilities before deployment. Which service should be integrated into the pipeline?

A.Amazon Inspector
B.AWS CloudFormation Guard
C.AWS Config
D.AWS Shield Advanced
AnswerB

Guard allows policy-as-code to validate templates pre-deployment.

Why this answer

AWS CloudFormation Guard (cfn-guard) is a policy-as-code tool that allows you to define rules to validate CloudFormation templates against security best practices before deployment. It integrates into CI/CD pipelines to enforce compliance with organizational policies, such as ensuring encryption is enabled or public access is restricted, directly addressing the requirement to scan templates for security vulnerabilities.

Exam trap

The trap here is confusing runtime vulnerability scanning (Amazon Inspector) with pre-deployment template validation (CloudFormation Guard), leading candidates to choose Inspector because they associate 'security vulnerabilities' with runtime scanning rather than infrastructure-as-code compliance.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans running EC2 instances, container images, and Lambda functions for software vulnerabilities and network exposure, not CloudFormation templates. Option C is wrong because AWS Config is a service for evaluating and auditing the configuration of deployed AWS resources against desired policies, not for scanning infrastructure-as-code templates before deployment. Option D is wrong because AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS, not a tool for scanning CloudFormation templates.

290
MCQmedium

A security engineer is designing a cross-account access policy. The engineer has an S3 bucket in Account A and wants to grant read access to a user in Account B. Which combination of policies is required?

A.A bucket policy in Account A that allows access to the user in Account B.
B.A bucket ACL in Account A granting access to the user in Account B.
C.An IAM policy in Account B that grants s3:GetObject to the bucket.
D.A bucket policy in Account A allowing the user, and an IAM policy in Account B granting s3:GetObject.
AnswerD

Both policies are necessary for cross-account access.

Why this answer

Option D is correct because both a bucket policy in Account A allowing the user and an IAM policy in Account B granting s3:GetObject are required. Option A is wrong because the bucket policy alone is insufficient. Option C is wrong because the IAM policy alone is insufficient.

Option B is wrong because ACLs are legacy and less secure.

291
MCQmedium

A security engineer is designing a VPC with public and private subnets in two Availability Zones. The company requires that all outbound traffic from private subnets to the internet must go through a single, centrally managed NAT gateway. Which combination of resources and route table entries should be used?

A.A single NAT gateway in a public subnet, and a default route (0.0.0.0/0) in each private subnet route table pointing to that NAT gateway.
B.A single NAT gateway in a private subnet, and a default route in each private subnet pointing to the NAT gateway.
C.One NAT gateway per private subnet, each with a route to an internet gateway.
D.One NAT gateway per Availability Zone, with routes to the internet gateway.
AnswerA

This provides centralized outbound internet access.

Why this answer

Option A is correct because placing a single NAT gateway in a public subnet and adding a default route to the NAT gateway in each private subnet route table achieves the requirement. Option D is wrong because each private subnet still needs its own route entry to the NAT gateway, and one gateway per Availability Zone is not a single centrally managed gateway. Option C is wrong because using multiple NAT gateways defeats central management.

Option B is wrong because NAT gateways cannot be placed in private subnets.

292
MCQhard

A company has a multi-account AWS Organization with hundreds of accounts. The security team wants to prevent any IAM user from creating access keys in any account. What is the most scalable and secure approach?

A.Use IAM Access Analyzer to generate findings when access keys are created.
B.Configure IAM password policies in each account to disallow access keys.
C.Apply an SCP that denies the IAM:CreateAccessKey action to all accounts in the organization.
D.Create an AWS Config rule in each account to automatically delete access keys.
AnswerC

SCPs centrally enforce permissions across all accounts.

Why this answer

Option C is correct: a service control policy (SCP) at the root or OU level can deny the IAM:CreateAccessKey action, which applies to all accounts in the organization. Option B is wrong because it does not prevent users in other accounts from creating keys. Option A is wrong because IAM Access Analyzer does not block actions.

Option D is wrong because it requires manual updates and is not scalable.

293
Multi-Selectmedium

A security engineer is investigating a potential data exfiltration from an AWS account. Which TWO CloudTrail events would be MOST indicative of data exfiltration via S3?

Select 2 answers
A.`PutObject` API calls from a known internal IP.
B.`CopyObject` API calls from a production bucket to a bucket in another AWS account.
C.`ListObjects` API calls from an EC2 instance in the same VPC.
D.`GetObject` API calls from an IP address in an unfamiliar geographic region.
E.`DeleteObject` API calls from the root user.
AnswersB, D

Copying data to an external account is a common exfiltration technique.

Why this answer

Option B is correct because `CopyObject` API calls from a production bucket to a bucket in another AWS account indicate data being replicated or moved across account boundaries, which is a strong signal of potential data exfiltration. This action bypasses typical network controls and can transfer large volumes of data without requiring a download, making it a common exfiltration technique.

Exam trap

The trap here is that candidates often focus on `GetObject` as the primary exfiltration vector, but `CopyObject` is equally dangerous because it can move data directly to another account without leaving a network egress trail.

294
MCQhard

A security engineer is designing an IAM policy to allow an application running on an EC2 instance to read objects from a specific S3 bucket (my-bucket) and write objects to a different S3 bucket (my-other-bucket). The application uses an IAM role with the following trust policy. Which additional policy should be attached to the role to meet the requirements with least privilege?

A.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::*/*" } ] }
B.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }
C.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*" }, { "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::my-other-bucket/*" } ] }
D.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*" } ] }
AnswerC

Correctly scopes read to my-bucket and write to my-other-bucket.

Why this answer

Option C is correct because it uses separate statements for read and write actions, with resource ARNs limited to the respective buckets, and does not include unnecessary actions. Option D grants s3:PutObject to the wrong bucket. Option B grants full S3 access.

Option A uses a wildcard for resources.

295
MCQhard

During a security incident, a security engineer needs to preserve forensic evidence from an EC2 instance that may be compromised. The instance is running a critical application. Which approach minimizes data loss while ensuring the integrity of the evidence?

A.Create an EBS snapshot, then isolate the instance by modifying the security group and removing it from the load balancer.
B.Immediately terminate the instance to stop any ongoing malicious activity.
C.SSH into the instance and run forensic tools to capture memory.
D.Detach the instance from the Auto Scaling group and leave it running without changes.
AnswerA

Snapshot preserves data; isolation prevents lateral movement.

Why this answer

Option A is correct because creating an EBS snapshot preserves the disk state at the point of the incident, capturing forensic evidence without altering the running instance. Isolating the instance by modifying the security group (e.g., removing all inbound/outbound rules) and removing it from the load balancer stops network traffic and prevents further compromise, minimizing data loss while maintaining the integrity of the evidence for later analysis.

Exam trap

The trap here is that candidates may think terminating the instance is the safest way to stop malicious activity, but they overlook the irreversible loss of forensic evidence and the need to preserve the disk state for investigation.

How to eliminate wrong answers

Option B is wrong because immediately terminating the instance destroys volatile data (e.g., memory, running processes) and the disk state, losing critical forensic evidence and preventing root cause analysis. Option C is wrong because SSH-ing into a potentially compromised instance risks alerting the attacker, altering evidence, or allowing the attacker to cover tracks; forensic memory capture should be done via hypervisor-level tools (e.g., AWS Nitro System's memory capture) or by attaching a forensic instance to the EBS volume. Option D is wrong because leaving the instance running without changes allows ongoing malicious activity to continue, potentially corrupting evidence or causing further damage; isolation (via security group and load balancer removal) is necessary to preserve the state.

296
MCQmedium

A company uses Amazon GuardDuty and AWS Security Hub in a single AWS account. The security team has created a custom action in Security Hub to send findings to a custom Lambda function for automated response. The Lambda function is designed to take remediation actions based on the finding type. During testing, the team notices that the Lambda function is not being invoked when new findings are generated. The Lambda function's resource-based policy allows invocations from Security Hub, and the function's execution role has necessary permissions. What is the most likely reason for the failure?

A.No Amazon EventBridge rule is configured to send Security Hub findings to the Lambda function.
B.GuardDuty is not enabled for all required resource types.
C.The Lambda function's execution role does not have permission to access GuardDuty.
D.The Lambda function's resource-based policy does not include Security Hub as a principal.
AnswerA

Custom actions in Security Hub rely on EventBridge rules to target Lambda.

Why this answer

Option A is correct because Security Hub custom actions require an EventBridge rule to route findings to the Lambda function. Without the rule, Security Hub cannot invoke Lambda directly. Option C is wrong because the function's execution role permissions are for accessing other AWS resources, not for being invoked.

Option B is wrong because Security Hub findings are still generated even if GuardDuty is not enabled for every resource type. Option D is wrong because the Lambda function's resource-based policy already allows invocation from Security Hub, but Security Hub does not invoke Lambda directly; it uses EventBridge.

297
MCQeasy

Refer to the exhibit. A security engineer reviews the bucket policy for an S3 bucket. The engineer attempts to upload an object to the bucket using the AWS CLI without the --ssl flag (HTTP). What is the outcome?

A.The upload succeeds because the policy allows all actions.
B.The upload fails because the policy denies requests that are not using HTTPS.
C.The upload succeeds because the bucket has default encryption enabled.
D.The upload fails because the policy denies s3:PutObject only.
AnswerB

Condition denies if SecureTransport is false (HTTP).

Why this answer

Option B is correct because the bucket policy denies all s3 actions if the request is not using HTTPS (aws:SecureTransport is false). Since the engineer uses HTTP (no SSL), the condition matches and the upload is denied. Option C is wrong because the bucket does not have a default encryption setting.

Option D is wrong because the policy denies all actions, not just put. Option A is wrong because the policy denies, not allows.
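The VPC-endpoint question at the top of this page, question 294 and question 297 all turn on the same policy evaluation logic: an explicit Deny wins, a matching Allow is needed for anything else, and condition operators decide whether a Deny statement applies to a given request context. The script below is an added example written for this page, not AWS code or code from the question bank. It implements a deliberately small evaluator (Action/Resource wildcards plus the StringEquals, StringNotEquals and Bool operators; no NotAction, NotResource or principal matching) and runs the three policies from those questions against constructed requests. The endpoint ID `vpce-0123456789abcdef0` and the object keys are constructed values.

```python
"""Minimal offline IAM/S3 policy evaluator (added example, not AWS code).

Models: explicit Deny beats Allow; no matching Allow is an implicit Deny;
a VPC-endpoint-only bucket policy; an HTTPS-only bucket policy; and the
least-privilege identity policy from option C of question 294.
Supported: Action/Resource wildcards, StringEquals, StringNotEquals, Bool.
"""
import fnmatch

VPCE_ID = "vpce-0123456789abcdef0"   # constructed endpoint ID, not a real one

LEAST_PRIVILEGE = {  # option C: read my-bucket, write my-other-bucket
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::my-other-bucket/*"},
    ],
}
BUCKET_ARNS = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*",
               "arn:aws:s3:::my-other-bucket", "arn:aws:s3:::my-other-bucket/*"]
VPCE_ONLY = {  # bucket policy: deny any request not arriving via the endpoint
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": BUCKET_ARNS,
                   "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}}],
}
TLS_ONLY = {  # bucket policy: deny plaintext HTTP requests
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": BUCKET_ARNS,
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            wanted = [str(w) for w in _as_list(wanted)]
            if operator == "StringEquals":
                if have is None or str(have) not in wanted:   # missing key: false
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key matches, so this Deny also
                # blocks console/CLI requests that never pass through the endpoint.
                if have is not None and str(have) in wanted:
                    return False
            elif operator == "Bool":
                if have is None or str(have).lower() != wanted[0].lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all given policies."""
    ctx = context or {}
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not _match(actions, action.lower()):
                continue
            if not _match(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny wins immediately
            allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny otherwise

POLICIES = [LEAST_PRIVILEGE, VPCE_ONLY, TLS_ONLY]

def check(action, resource, vpce=None, tls=True):
    """Evaluate one S3 request with the request context the conditions read."""
    ctx = {"aws:SecureTransport": "true" if tls else "false"}
    if vpce:
        ctx["aws:SourceVpce"] = vpce
    return evaluate(POLICIES, action, resource, ctx)

if __name__ == "__main__":
    for args in [("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv", VPCE_ID, True),
                 ("s3:PutObject", "arn:aws:s3:::my-bucket/out.csv", VPCE_ID, True),
                 ("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv", None, True),
                 ("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv", VPCE_ID, False)]:
        print(args, "->", check(*args))
```

The StringNotEquals branch is the part worth reading twice: when `aws:SourceVpce` is absent from the request context (a request that did not traverse the endpoint), the negated condition matches and the Deny applies, which is exactly why the endpoint-only bucket policy in the first question restricts access to the VPC rather than merely preferring it.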

298
Multi-Selectmedium

A company wants to enforce that all IAM users use MFA. Which THREE actions should be taken to achieve this?

Select 3 answers
A.Set an IAM password policy requiring MFA.
B.Enable MFA devices for all IAM users.
C.Create an IAM policy that denies all actions unless MFA is authenticated.
D.Use IAM Access Analyzer to validate policies.
E.Use AWS Single Sign-On (SSO) with MFA.
AnswersB, C, D

MFA must be enabled on each user.

Why this answer

Option B is correct because enabling MFA devices for all IAM users is a prerequisite for enforcing MFA usage. Without an assigned MFA device, a user cannot authenticate via MFA, and any policy requiring MFA would lock them out. This action ensures each user has a physical or virtual MFA device associated with their IAM user account.

Exam trap

The trap here is confusing IAM password policy settings with MFA enforcement mechanisms, leading candidates to select option A, which does not exist in AWS IAM.

299
MCQmedium

A company uses AWS KMS with a custom key store backed by AWS CloudHSM. The security team wants to ensure that the key material never leaves the HSM and that all cryptographic operations are performed within the HSM. Which of the following actions should the team take?

A.Create the KMS key as an asymmetric key in a custom key store and set the key usage to 'SIGN_VERIFY'.
B.Enable the 'Prevent key material export' option in the KMS key policy.
C.Create the KMS key as a symmetric key in the default key store.
D.Create the KMS key in a custom key store and set the key usage to 'ENCRYPT_DECRYPT'.
AnswerD

Custom key store with symmetric keys ensures key material stays in the HSM.

Why this answer

Option D is correct because using a custom key store with CloudHSM ensures that KMS operations are performed in the HSM and key material is not exportable. Option C is wrong because symmetric keys do not leave the HSM, but the question asks to guarantee that they never leave it, and only the custom key store ensures that. Option A is wrong because asymmetric keys can be exported if the HSM allows.

Option B is wrong because disabling key export in KMS is not a direct setting; it is inherent in custom key stores.

300
MCQeasy

A security analyst needs to receive an alert when an IAM user attempts to perform an action they are not authorized to perform. Which AWS service can be used to monitor and alert on such authorization failures?

A.AWS Organizations SCPs
B.AWS CloudTrail with CloudWatch metric filter and alarm
C.AWS IAM Access Analyzer
D.AWS Config
AnswerB

CloudTrail logs API errors, and CloudWatch can alert on them.

Why this answer

CloudTrail logs all API calls, including AccessDenied errors. A CloudWatch metric filter on CloudTrail logs can trigger an alarm, so option B is correct.

Option C is wrong because IAM Access Analyzer is for external access analysis. Option A is wrong because Service Control Policies are for organizations. Option D is wrong because Config does not monitor API calls.
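Questions 293 and 300 both describe detections that run over CloudTrail records: a cross-account `CopyObject`, a `GetObject` from an unfamiliar source, and repeated AccessDenied errors that a CloudWatch metric filter and alarm would surface. The script below is an added example written for this page, not AWS code or code from the question bank; it applies those three rules offline to constructed records. It assumes a monitored account ID of `111111111111`, treats "unfamiliar" as any source address outside a known-CIDR allowlist (CloudTrail records IP addresses, not geography), and reads the bucket owner from the `resources` entry of the S3 data event.

```python
"""Offline detection over CloudTrail records (added example, not AWS code).

Rules taken from the two questions above:
  1. CopyObject into a bucket owned by another account;
  2. GetObject from a source address outside the known ranges, standing in
     for 'unfamiliar region' since CloudTrail records IPs, not geography;
  3. repeated AccessDenied errors per principal, the logic a CloudWatch
     metric filter plus alarm threshold applies to CloudTrail logs.
"""
import ipaddress
from collections import Counter

# Assumptions for the example: the monitored account and familiar address
# ranges (203.0.113.0/24 is a documentation range used as a stand-in).
HOME_ACCOUNT = "111111111111"
KNOWN_CIDRS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("203.0.113.0/24")]
ACCESS_DENIED_THRESHOLD = 3

def _ev(name, user, ip, bucket=None, owner=None, error=None):
    """Build a constructed CloudTrail record carrying only the fields the rules read."""
    rec = {"eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"accountId": HOME_ACCOUNT,
                            "arn": f"arn:aws:iam::{HOME_ACCOUNT}:user/{user}"}}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
        rec["resources"] = [{"type": "AWS::S3::Bucket", "accountId": owner,
                             "ARN": f"arn:aws:s3:::{bucket}"}]
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [  # constructed sample data, not real log records
    _ev("CopyObject", "alice", "10.0.1.5", "partner-dump", "999999999999"),
    _ev("CopyObject", "alice", "10.0.1.5", "prod-archive", HOME_ACCOUNT),
    _ev("GetObject", "alice", "198.51.100.7", "prod-data", HOME_ACCOUNT),
    _ev("GetObject", "alice", "10.0.2.9", "prod-data", HOME_ACCOUNT),
    _ev("PutObject", "alice", "10.0.1.5", "prod-data", HOME_ACCOUNT),
    _ev("CreateUser", "bob", "203.0.113.10", error="AccessDenied"),
    _ev("AttachUserPolicy", "bob", "203.0.113.10", error="AccessDenied"),
    _ev("CreateAccessKey", "bob", "203.0.113.10", error="AccessDenied"),
]

def _bucket_owner(event):
    for res in event.get("resources", []):
        if res.get("type") == "AWS::S3::Bucket":
            return res.get("accountId")
    return None

def _is_known_ip(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # service principals such as 's3.amazonaws.com' are not IPs
    return any(ip in net for net in KNOWN_CIDRS)

def analyze(events, home_account=HOME_ACCOUNT, threshold=ACCESS_DENIED_THRESHOLD):
    """Return a list of (rule, principal_arn, detail) tuples for the events."""
    findings, denied = [], Counter()
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev.get("errorCode", "").startswith("AccessDenied"):
            denied[who] += 1   # a denied call moved no data; count it only
            continue
        name = ev.get("eventName")
        if name == "CopyObject":
            owner = _bucket_owner(ev)
            if owner and owner != home_account:
                findings.append(("cross_account_copy", who,
                                 ev["requestParameters"]["bucketName"]))
        elif name == "GetObject" and not _is_known_ip(ev.get("sourceIPAddress", "")):
            findings.append(("getobject_unfamiliar_source", who,
                             ev["sourceIPAddress"]))
    for who, count in denied.items():
        if count >= threshold:
            findings.append(("repeated_access_denied", who, count))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The threshold rule is the offline equivalent of the CloudTrail-to-CloudWatch path in question 300: the metric filter counts matching log entries and the alarm fires when the count crosses a threshold within a period, so a per-principal count over a batch of records reproduces the same decision for testing detection logic before deploying it.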
