AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 301-375

1738 questions total · 24 pages · All types, answers revealed

Page 5 of 24
301
MCQ (easy)

A company has a serverless application using AWS Lambda functions that process sensitive data. The security team wants to detect potential data exfiltration via DNS queries from the Lambda functions. Which service should be enabled to monitor DNS requests?

A. Amazon Route 53 Resolver DNS Firewall
B. AWS WAF
C. Amazon CloudWatch Logs
D. AWS GuardDuty
Answer: A

DNS Firewall logs and filters DNS queries.

Why this answer

Amazon Route 53 Resolver DNS Firewall is the correct choice because it provides DNS-layer filtering for outbound DNS queries from VPCs, including those made by Lambda functions. It can log and block DNS requests to known malicious domains, enabling detection of data exfiltration attempts that use DNS tunneling or command-and-control (C2) communication. This service integrates with VPC flow logs and CloudWatch to monitor DNS query patterns specifically.

Exam trap

The trap here is that candidates often confuse AWS WAF (web application firewall) with DNS-layer filtering, or assume GuardDuty natively monitors DNS queries without realizing it requires Route 53 Resolver DNS Firewall as a prerequisite data source.

How to eliminate wrong answers

Option B (AWS WAF) is wrong because it operates at the application layer (HTTP/HTTPS) to protect web applications from common exploits, not at the DNS layer, and cannot inspect or log DNS queries. Option C (Amazon CloudWatch Logs) is wrong because it is a log storage and monitoring service, not a DNS-specific monitoring tool; it can store logs from other services but does not natively capture or analyze DNS queries from Lambda. Option D (AWS GuardDuty) is wrong because while it uses threat intelligence to detect malicious activity, it relies on DNS logs from Route 53 Resolver DNS Firewall or VPC DNS logs as a data source; it does not directly monitor or log DNS queries itself.

302
MCQ (easy)

A company needs to encrypt data in transit between an EC2 instance and an RDS database. Which option should be used?

A. Enable encryption at rest for the RDS instance
B. Configure the database to use SSL/TLS connections
C. Use an AWS KMS key to encrypt the connection
D. Enable EBS encryption on the EC2 instance
Answer: B

SSL/TLS encrypts data in transit.

Why this answer

Option B is correct because encrypting data in transit between an EC2 instance and an RDS database requires the use of SSL/TLS protocols to secure the communication channel. AWS RDS supports SSL/TLS connections by enabling the `require_secure_transport` parameter or using a certificate bundle on the client side, ensuring that all data transmitted over the network is encrypted and protected from eavesdropping or man-in-the-middle attacks.

Exam trap

The trap here is that candidates often confuse encryption at rest (EBS or RDS encryption) with encryption in transit, or mistakenly think that KMS keys can be directly applied to network connections, when in fact SSL/TLS is the correct mechanism for securing data in motion.

How to eliminate wrong answers

Option A is wrong because encryption at rest protects data stored on disk, not data transmitted over the network between EC2 and RDS. Option C is wrong because AWS KMS is used to manage encryption keys for data at rest or envelope encryption, not to directly encrypt network connections; SSL/TLS uses certificates and cipher suites, not KMS keys. Option D is wrong because EBS encryption protects data at rest on the EC2 instance's volumes, not data in transit between the instance and the RDS database.

303
Multi-Select (easy)

Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)

Select 2 answers
A. Amazon S3
B. Amazon Route 53
C. Amazon EC2
D. AWS Lambda
E. AWS CloudTrail
Answers: C, D

EC2 can use the CloudWatch agent to send logs.

Why this answer

Amazon EC2 is correct because it can be configured to send application logs to CloudWatch Logs via the CloudWatch Logs agent or unified CloudWatch agent, enabling real-time monitoring, search, and alerting on log data. AWS Lambda is correct because it natively integrates with CloudWatch Logs: every Lambda function execution automatically streams its logs to a CloudWatch Logs group, providing real-time visibility into function output and errors.

Exam trap

The exam often tests the distinction between services that natively produce or stream application logs to CloudWatch Logs and services that can only send logs via additional configuration or are limited to audit/API logs, leading candidates to mistakenly select CloudTrail or S3 as native integrations.

304
MCQ (hard)

A company uses AWS Organizations and has a requirement to enforce that all EC2 instances launched in any account must have a specific tag "Environment" with value "Production". The security team wants to prevent any instance without this tag from being launched. They implement a service control policy (SCP) that denies the ec2:RunInstances action if the request does not include the required tag. However, they find that users are still able to launch instances without the tag. The SCP is attached to the root OU. The team also has an IAM policy that allows ec2:RunInstances with no conditions. What is the most likely reason the SCP is not preventing the launches?

A. The SCP does not apply to the root user in member accounts.
B. The IAM policy allows the action, which overrides the SCP deny.
C. The SCP is applied to the management account, not the member accounts.
D. The SCP uses ec2:ResourceTag instead of aws:RequestTag for the condition.
Answer: D

Use aws:RequestTag to enforce tags on creation.

Why this answer

Option D is correct because the SCP uses the ec2:ResourceTag condition key, and ec2:ResourceTag is evaluated against tags on existing resources, not against tags supplied in a creation request. For RunInstances, the condition must use aws:RequestTag to enforce tags at creation time. Option B is wrong because, although IAM policies are evaluated together with SCPs, an SCP deny applies regardless of what an IAM policy allows.

Option A is wrong because SCPs apply to all principals in member accounts, including the root user. Option C is wrong because the SCP is attached to the root OU, not to the management account.

305
MCQ (easy)

The exhibit shows an S3 bucket policy. The security team wants to ensure that only users from account 123456789012 can access objects in the bucket. What is a potential security issue with this policy?

A. The policy grants access to all IAM users in the account, not just specific ones.
B. The policy does not restrict access to a specific VPC.
C. The policy uses a wildcard in the resource ARN.
D. The policy does not require MFA.
Answer: A

Using the root ARN grants access to the entire account, not a specific principal.

Why this answer

The policy grants access to the entire account root (all users in that account) and does not restrict to specific IAM users or roles. Therefore, any user in the account can access the objects if they have permission to call s3:GetObject. Additionally, there is no condition for encryption in transit or at rest, but the primary issue is that it's too permissive within the account.

Options B, C, and D are wrong because the absence of a VPC restriction, the wildcard in the resource ARN, and the absence of an MFA condition are secondary concerns; the primary issue is that the policy is too permissive within the account.

306
MCQ (medium)

A company has a serverless application using AWS Lambda, API Gateway, and DynamoDB. The security team wants to detect and respond to potential SQL injection attempts in API requests. They have enabled AWS WAF on the API Gateway and created a rule to block SQL injection. However, they also want to capture the blocked requests for analysis and store them in an S3 bucket. The team has configured WAF to send logs to Amazon Kinesis Data Firehose, which delivers to an S3 bucket. After testing, the team notices that the logs are not being delivered. The Firehose delivery stream is in the same AWS account, and the S3 bucket policy allows the Firehose service to write. What is the most likely cause?

A. The WAF web ACL is not configured to log blocked requests.
B. The Kinesis Data Firehose delivery stream does not have an IAM role with permissions to write to the S3 bucket.
C. The S3 bucket policy does not grant write permissions to the Firehose delivery stream's IAM role.
D. Kinesis Data Firehose delivers logs in batches every 5 minutes, so the team should wait longer.
Answer: B

The delivery stream must have an IAM role with s3:PutObject permissions on the bucket.

Why this answer

Option B is correct because Kinesis Data Firehose requires an IAM role to write to S3, and that role must have the necessary permissions (s3:PutObject on the bucket). Even if the bucket policy allows Firehose, the delivery stream's IAM role must still be configured. Option D is wrong because WAF logs are delivered in near real time, not in batches.

Option C is wrong because the bucket policy already allows Firehose; the delivery role is a separate requirement. Option A is wrong because WAF is enabled and blocking requests, so it should generate logs.

307
Multi-Select (medium)

A security engineer is investigating a potential security incident involving an Amazon RDS database. Which of the following actions should be taken during the forensic analysis phase? (Select TWO.)

Select 2 answers
A. Enable automatic backups if not already enabled.
B. Disable deletion protection to allow cleanup.
C. Modify the security group to restrict database access.
D. Take a manual snapshot of the RDS instance.
E. Review AWS CloudTrail logs for API calls related to the RDS instance.
Answers: D, E

A manual snapshot preserves the database state for analysis.

Why this answer

Option D is correct because taking a manual snapshot preserves a point-in-time, immutable copy of the RDS instance for offline forensic analysis without altering the live database. This ensures that evidence is captured before any changes occur during the investigation, and the snapshot can be restored to a separate instance for safe examination.

Exam trap

The trap here is confusing containment actions (like modifying security groups) with forensic preservation actions, leading candidates to select Option C instead of recognizing that the first step in forensic analysis is to capture immutable evidence via a snapshot and review CloudTrail logs.

308
Multi-Select (easy)

A security engineer needs to protect an S3 bucket that contains sensitive data. Which two methods should the engineer use?

Select 2 answers
A. Use Amazon CloudFront to serve the content.
B. Enable VPC Flow Logs on the bucket.
C. Apply an S3 bucket policy that restricts access to specific IAM users or roles.
D. Use IAM policies to grant permissions to users and roles.
E. Enable S3 object ACLs.
Answers: C, D

Bucket policies define who can access the bucket.

Why this answer

Option C is correct because an S3 bucket policy is a resource-based policy that can explicitly restrict access to specific IAM users or roles, providing a direct mechanism to control who can access the bucket and its objects. This is essential for protecting sensitive data by ensuring only authorized principals can perform actions like s3:GetObject or s3:PutObject, regardless of other permissions.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM policies) and may think only one is sufficient, but the question asks for two methods, and both C and D are correct because they work together to enforce least-privilege access.

309
Multi-Select (hard)

An organization uses AWS CloudTrail with a multi-region trail. The security team suspects that an attacker has deleted logs. Which THREE findings would indicate that log deletion occurred? (Choose THREE.)

Select 3 answers
A. An S3 bucket with MFA Delete enabled.
B. A `StopLogging` API call from an unknown IP address.
C. A gap in CloudTrail logs for a period of time.
D. Multiple `StartLogging` API calls in the logs.
E. A `DeleteTrail` API call.
Answers: B, C, E

Suspicious if unauthorized.

Why this answer

Option B is correct because a `StopLogging` API call from an unknown IP address indicates that logging was deliberately disabled, which an attacker could do to cover their tracks. CloudTrail records all `StopLogging` events, and an unexpected source IP is a strong indicator of unauthorized activity. This directly suggests log deletion or suppression, as stopping the trail prevents further log delivery.

Exam trap

The trap here is that candidates may confuse a security control (MFA Delete) with an indicator of compromise, or think that `StartLogging` calls imply deletion, when in fact they are normal operational events that do not directly signal log tampering.
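The three indicators above (a `StopLogging` from an unexpected address, a gap in the trail, a `DeleteTrail`) can be checked mechanically. The following is an added example, not part of the question bank or any AWS tooling: it scans a constructed CloudTrail log file body for trail-tampering API calls and for silences longer than a threshold; the allow-list of expected source addresses and the one-hour gap threshold are assumptions.

```python
"""Flag CloudTrail log-tampering indicators in one CloudTrail log file body."""
import json
from datetime import datetime, timedelta

# Constructed sample of a CloudTrail log file body (the "Records" array),
# trimmed to the fields this check needs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeTrails",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T13:30:00Z", "eventName": "StartLogging",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T13:31:00Z", "eventName": "DeleteTrail",
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# CloudTrail API actions that stop, delete or weaken a trail. StartLogging is
# deliberately absent: on its own it is a normal operational event.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Assumed allow-list of expected source addresses (constructed for the example).
KNOWN_IPS = {"203.0.113.10"}
# Assumed threshold: a silence longer than this between events is a gap.
MAX_GAP = timedelta(hours=1)


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_tamper_indicators(log_body, known_ips=KNOWN_IPS, max_gap=MAX_GAP):
    """Return indicator dicts, in time order, for one log file body."""
    records = sorted(json.loads(log_body)["Records"], key=lambda r: r["eventTime"])
    findings = []
    prev_time = None
    for rec in records:
        when = _parse_time(rec["eventTime"])
        # A long silence between consecutive events is a gap in the trail;
        # a StopLogging/StartLogging pair typically brackets such a window.
        if prev_time is not None and when - prev_time > max_gap:
            findings.append({
                "indicator": "LogGap",
                "from": prev_time.isoformat(), "to": when.isoformat(),
                "minutes": int((when - prev_time).total_seconds() // 60),
            })
        if rec["eventName"] in TAMPER_EVENTS:
            source_ip = rec.get("sourceIPAddress", "")
            findings.append({
                "indicator": rec["eventName"],
                "time": rec["eventTime"],
                "trail": rec.get("requestParameters", {}).get("name"),
                "principal": rec.get("userIdentity", {}).get("arn"),
                "sourceIp": source_ip,
                "unknownIp": source_ip not in known_ips,
            })
        prev_time = when
    return findings


if __name__ == "__main__":
    for finding in find_tamper_indicators(SAMPLE_LOG):
        print(finding)
```

Gap detection across a whole trail belongs on the sequence of delivered log files, not a single file; this block shows the per-file version.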

310
MCQ (medium)

Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?

A. The trail is not multi-region
B. The logs are not encrypted with a customer-managed KMS key
C. Log file validation is not enabled
D. CloudWatch Logs integration is missing
Answer: B

kmsKeyId is null, so SSE-S3 is used, which is less secure.

Why this answer

The security concern is that the CloudTrail logs are not encrypted with a customer-managed KMS key. By default, CloudTrail encrypts log files using SSE-S3 (S3-managed keys), which does not provide the customer with control over key rotation, access policies, or the ability to audit key usage. Using a customer-managed KMS key ensures that only authorized principals can decrypt the logs, and it enables fine-grained access control and audit trails via CloudTrail and CloudWatch Logs, which is critical for compliance and security monitoring.

Exam trap

The exam often tests the misconception that default encryption (SSE-S3) is sufficient for compliance, but it expects you to recognize that customer-managed KMS keys provide additional control and auditability, making the lack of SSE-KMS a security concern.

How to eliminate wrong answers

Option A is wrong because a multi-region trail is not a mandatory security requirement; it is a configuration choice for aggregating logs from all regions, but the absence of multi-region does not directly expose logs to unauthorized access or tampering. Option C is wrong because log file validation provides integrity verification via hash digests, but it does not address encryption at rest; the lack of validation is a concern for integrity, not confidentiality, and the question specifically asks about a security concern related to the trail configuration shown. Option D is wrong because CloudWatch Logs integration is an optional feature for real-time monitoring and alerting, but its absence does not represent a direct security vulnerability; the primary concern is that logs are not encrypted with a customer-managed KMS key, which is a fundamental control for protecting sensitive audit data.

311
MCQ (medium)

A security engineer needs to enforce that all IAM users in an AWS account use multi-factor authentication (MFA) when making API calls. What is the MOST effective way to enforce this?

A. Enable MFA for the root user.
B. Enable CloudTrail to log MFA usage.
C. Attach an IAM policy that denies all actions unless MFA is present.
D. Use an AWS Organizations service control policy (SCP) that denies all actions unless MFA is present.
Answer: D

Enforces MFA at the account level, overriding any IAM policies.

Why this answer

Option D is correct because a service control policy (SCP) can be applied at the account level to deny all actions if MFA is not present. Option A is wrong because it only applies to the root user. Option C is wrong because IAM policies can be attached to users but can be overridden.

Option B is wrong because CloudTrail logs do not enforce MFA.

312
MCQ (easy)

A security engineer is configuring Amazon GuardDuty for the first time. The engineer wants to receive alerts when GuardDuty generates a finding of severity HIGH or higher. What is the simplest way to achieve this?

A. Create an Amazon EventBridge rule that matches GuardDuty findings and triggers an SNS topic.
B. Configure CloudWatch Logs to monitor GuardDuty logs and create a metric filter for high-severity findings.
C. Set up an S3 event notification on the GuardDuty findings bucket.
D. Configure GuardDuty to send email notifications for all findings.
Answer: A

Simple and effective.

Why this answer

Option A is correct because GuardDuty can send findings directly to CloudWatch Events (EventBridge), which can then invoke a Lambda function or publish to an SNS topic. Option D is wrong because GuardDuty does not have native email alerts. Option B is wrong because GuardDuty does not use CloudWatch Logs directly.

Option C is wrong because GuardDuty findings are not stored in S3 by default.

313
MCQ (hard)

A security engineer needs to ensure that an IAM role can be assumed only from a specific VPC. Which IAM policy condition key should be used?

A. aws:RequestedRegion
B. aws:VpcSourceIp
C. aws:SourceVpc
D. aws:SourceIp
Answer: C

Restricts to the specified VPC.

Why this answer

Option C is correct because aws:SourceVpc restricts requests to those originating from a specific VPC. Option D is wrong because aws:SourceIp is for IP addresses. Option B is wrong because aws:VpcSourceIp is not a condition key.

Option A is wrong because aws:RequestedRegion restricts the Region, not the VPC.

314
MCQ (easy)

An S3 bucket policy is created as shown. What is the effect of this policy?

A. It blocks all access to the bucket.
B. It denies all requests that are not made over HTTPS.
C. It allows anonymous access to the bucket over HTTPS.
D. It requires server-side encryption for all objects.
Answer: B

The condition denies when SecureTransport is false.

Why this answer

Option B is correct because the policy denies all actions when the request is not made over HTTPS (aws:SecureTransport is false). Option C is incorrect because the policy does not allow anonymous access. Option D is incorrect because it does not enforce encryption at rest.

Option A is incorrect because the policy does not block all access, only non-HTTPS requests.

315
Multi-Select (medium)

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are protected from unauthorized access and deletion. Which TWO actions should be taken?

Select 2 answers
A. Enable server-side encryption using AWS KMS (SSE-KMS) on the S3 bucket.
B. Use S3 bucket ACLs to restrict access.
C. Enable CloudTrail log file validation.
D. Enable S3 Versioning on the bucket.
E. Enable multi-factor authentication (MFA) for CloudTrail.
Answers: A, C

SSE-KMS encrypts the logs at rest.

Why this answer

Option A (enable SSE-KMS) ensures encryption at rest, and Option C (enable log file validation) ensures integrity. Option E is wrong because MFA is not a native CloudTrail feature. Option D is wrong because S3 Versioning helps but does not prevent deletion of the bucket.

Option B is wrong because S3 ACLs are not a best practice; bucket policies are preferred.

316
MCQ (easy)

A company wants to monitor failed SSH login attempts to EC2 instances. Which approach should be used?

A. Use the CloudWatch Logs agent to send /var/log/auth.log to CloudWatch Logs
B. Enable AWS CloudTrail for EC2 instances
C. Enable VPC Flow Logs
D. Use AWS Config to detect SSH access
Answer: A

The agent collects OS logs and sends them to CloudWatch Logs.

Why this answer

Publish OS-level logs to CloudWatch Logs using the CloudWatch agent. CloudTrail does not capture OS login attempts. VPC Flow Logs capture network traffic, not OS events.

Config is for resource compliance.

317
Multi-Select (hard)

A security team wants to implement a centralized logging solution for multiple AWS accounts. The team needs to collect VPC Flow Logs, CloudTrail logs, and DNS query logs from all accounts. Which THREE services should the team use to aggregate these logs? (Choose THREE.)

Select 3 answers
A. AWS CloudHSM
B. AWS Config
C. Amazon Route 53 Resolver query logging
D. AWS CloudTrail
E. VPC Flow Logs
Answers: C, D, E

Resolver query logs can be published to a central S3 bucket for DNS query logs.

Why this answer

Options C, D, and E are correct. CloudTrail can be set up with an organization trail to aggregate management events. Route 53 Resolver query logging can publish to a central S3 bucket.

VPC Flow Logs can be published to a central S3 bucket or to CloudWatch Logs. Option B is wrong because AWS Config does not aggregate logs. Option A is wrong because CloudHSM is a hardware security module, not a log aggregation service.

318
Multi-Select (easy)

A security engineer is configuring VPC Flow Logs to capture network traffic metadata. Which TWO attributes can be captured in VPC Flow Logs? (Choose TWO.)

Select 2 answers
A. Packet payload
B. Source IP address
C. IAM user ID
D. Destination port
E. DNS query name
Answers: B, D

Captured.

Why this answer

VPC Flow Logs capture metadata about network traffic, including the source IP address (option B) and destination port (option D). The source IP address identifies the origin of the traffic, while the destination port indicates the application or service being targeted. These are standard fields in the flow log record format, as defined by AWS for capturing IP traffic metadata.

Exam trap

The trap here is that candidates often confuse network metadata with application-layer data, mistakenly thinking VPC Flow Logs can capture packet payloads or DNS query names, which are not part of the flow log record format.
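The fields a flow log record does and does not carry are easiest to see by parsing one. This is an added example, not part of the question bank or of AWS: it parses the default (version 2) flow log record format and counts rejected TCP connections to port 22 per source address. The records are constructed; the addresses are documentation ranges.

```python
"""Parse VPC Flow Logs (default record format) and count rejected SSH flows."""
from collections import Counter

# Field order of the default (version 2) flow log record format. There is no
# payload, DNS name or IAM identity: only L3/L4 metadata and the action taken.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
NUMERIC = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6

# Constructed sample records. The last one is a NODATA record, in which the
# flow fields are written as '-' because no traffic was observed.
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.5 10.0.1.12 51523 22 6 3 180 1714557600 1714557660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.5 10.0.1.12 51588 22 6 3 180 1714557660 1714557720 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.12 40210 22 6 2 120 1714557600 1714557660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.25 10.0.1.12 48600 22 6 24 3120 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1714557600 1714557660 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; '-' (used by NODATA/SKIPDATA) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            record[name] = None
        elif name in NUMERIC:
            record[name] = int(raw)
        else:
            record[name] = raw
    return record


def rejected_flows_by_source(text, port=22):
    """Count REJECTed TCP flows to `port`, keyed by source address."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA records carry no flow information
        if rec["action"] == "REJECT" and rec["protocol"] == TCP and rec["dstport"] == port:
            counts[rec["srcaddr"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(rejected_flows_by_source(SAMPLE_LINES))
```

A REJECT here is a connection refused by a security group or network ACL, not a failed SSH login; failed logins only appear in the instance's /var/log/auth.log, as question 316 says.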

319
Multi-Select (medium)

A company needs to monitor for unauthorized changes to security group rules. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A. Amazon GuardDuty
B. AWS Config
C. Amazon Inspector
D. AWS CloudTrail
E. Amazon CloudWatch Events
Answers: B, E

Config tracks resource configuration changes.

Why this answer

Options B and E are correct. AWS Config can track changes to security group rules, and Amazon CloudWatch Events can trigger a notification when a configuration change is detected. Option A (GuardDuty) is for threat detection.

Option D (CloudTrail) logs API calls but is not the best choice for rule-level changes. Option C (Inspector) is for vulnerability scanning.

320
MCQ (medium)

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that no sensitive data, such as database passwords, is exposed in plaintext in the CloudFormation templates. What is the MOST secure way to handle secrets?

A. Use AWS KMS to encrypt the secrets and include the ciphertext in the template.
B. Use AWS Systems Manager Parameter Store or AWS Secrets Manager with dynamic references in the template.
C. Store the secrets in an encrypted S3 bucket and include the S3 URL in the template.
D. Pass the secrets as plaintext parameters to the stack at launch time.
Answer: B

Dynamic references allow CloudFormation to retrieve secrets at runtime without exposing them.

Why this answer

Option B is correct because AWS Systems Manager Parameter Store and AWS Secrets Manager can store secrets securely and expose them to CloudFormation through dynamic references, so the secret value never appears in the template. Option A is wrong because AWS KMS encrypts the secret, but the ciphertext would still be embedded in the template.

Option D is wrong because secrets should not be passed as plaintext parameters.

321
MCQ (hard)

A security team uses Amazon Macie to discover sensitive data in S3. They have configured Macie to run automated sensitive data discovery jobs. After reviewing the findings, they notice that some S3 objects containing personally identifiable information (PII) are not being flagged. What is the most likely cause?

A. The Macie service-linked role does not have permissions to read the objects.
B. The S3 bucket is in a different AWS Region than the Macie job.
C. The S3 objects are encrypted with SSE-S3.
D. The PII is in a format that Macie's managed data identifiers do not recognize, and no custom data identifier is configured.
Answer: D

Managed identifiers cover common patterns; custom identifiers are needed for proprietary or less common formats.

Why this answer

Macie uses managed data identifiers for common PII types. If the PII is in a format not covered (e.g., custom formats), it may not be detected. Macie also supports custom data identifiers that must be configured.

322
MCQ (medium)

A company has a policy that all IAM users must rotate their access keys every 90 days. How can this be enforced?

A. Use AWS Config to check key age and automatically deactivate old keys
B. Use an IAM password policy to set the key rotation period
C. Use AWS CloudTrail to monitor key usage and send alerts
D. Use an IAM policy with a condition for key age
Answer: A

AWS Config rules can check key age and trigger Lambda to deactivate old keys.

Why this answer

There is no built-in IAM policy condition for access key age, so a policy cannot deny access based on how old a key is. Option A is correct because an AWS Config rule can check key age and trigger a Lambda function to deactivate old keys, which enforces the policy rather than merely reporting on it.

Option D is wrong because IAM has no built-in key-age condition or rotation policy. Option B is wrong because the password policy applies to passwords, not access keys. Option C is wrong because CloudTrail is for logging, not enforcement.

323
MCQ (medium)

A company requires that all Amazon EC2 instances be launched only with an approved Amazon Machine Image (AMI) that has been hardened by the security team. Which AWS service should be used to enforce this requirement?

A. AWS Config
B. EC2 Image Builder
C. AWS Systems Manager Patch Manager
D. AWS Service Catalog
Answer: A

Correct: AWS Config can check that EC2 instances use approved AMIs.

Why this answer

Option A is correct because AWS Config can evaluate whether EC2 instances are launched from approved AMIs using a managed rule or a custom rule. Option D is wrong because AWS Service Catalog can provide a product portfolio but does not enforce the AMI at launch. Option B is wrong because EC2 Image Builder builds and manages images but does not enforce their use.

Option C is wrong because AWS Systems Manager Patch Manager patches instances but does not control which AMIs are used.

324
MCQ (easy)

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer needs to identify which IAM role or user accessed the bucket and from which IP address. Which AWS service should the engineer use to obtain this information?

A. AWS CloudTrail
B. AWS Config
C. VPC Flow Logs
D. Amazon GuardDuty
Answer: A

CloudTrail logs all API calls to S3, including IAM principal and source IP.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to S3, including the IAM role or user identity (via the `userIdentity` field) and the source IP address (via the `sourceIPAddress` field). For data exfiltration investigation, you need these specific details from management events or data events (e.g., `GetObject`, `PutObject`), which CloudTrail captures. Other services either lack identity-level detail or focus on network-level traffic without user attribution.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which show network traffic but not user identity) with CloudTrail (which shows API calls with identity), leading them to select VPC Flow Logs for IP-based investigation without realizing they need the IAM role or user context.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it evaluates resource configuration compliance and records configuration changes, not API-level access logs with user identity and source IP. Option C (VPC Flow Logs) is wrong because it captures network traffic metadata (IPs, ports, protocols) at the VPC level but does not include IAM user or role identity, nor does it log S3 API operations. Option D (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to identify anomalies; it does not directly provide raw access logs with user identity and source IP for forensic investigation.

325
Multi-Select (medium)

Which TWO actions are valid ways to restrict access to an Amazon S3 bucket using a bucket policy? (Choose two.)

Select 2 answers
A. Use the aws:SourceIp condition key to allow access only from a specific IP range.
B. Use the iam:RoleName condition key to allow access only from a specific IAM role.
C. Use the aws:Referer condition key to allow access only from a specific HTTP referer.
D. Use the aws:SourceVpce condition key to allow access only from a specific VPC.
E. Use the kms:EncryptionContext condition key to require that objects are encrypted with a specific KMS key.
Answers: A, C

The aws:SourceIp condition key can be used in bucket policies to restrict based on the requester's IP address.

Why this answer

The correct answers are A and C. Option A is correct because you can use the aws:SourceIp condition key to restrict by IP address. Option C is correct because you can use the aws:Referer condition key to restrict by HTTP referer.

Option D is wrong because aws:SourceVpce is used in bucket policies to restrict access to a specific VPC endpoint, not to a VPC ID. Option B is wrong because iam:RoleName is not a condition key; to restrict a bucket policy to a role, you use the role's ARN with the aws:PrincipalArn condition. Option E is wrong because kms:EncryptionContext is used in KMS key policies, not in S3 bucket policies.

326
Multi-Select (hard)

A company wants to ensure that all S3 buckets are encrypted at rest. Which THREE services can be used to detect and alert on unencrypted buckets?

Select 3 answers
A. AWS Config
B. Amazon CloudWatch Logs Insights
C. Amazon VPC Flow Logs
D. AWS Security Hub
E. AWS CloudTrail with Amazon CloudWatch Events
Answers: A, D, E

Config has a managed rule to check if S3 buckets have encryption enabled.

Why this answer

Options A, D, and E are correct. AWS Config has a managed rule, s3-bucket-server-side-encryption-enabled, to detect unencrypted buckets. CloudTrail logs PutBucketEncryption API calls, and you can set up CloudWatch Events to alert when encryption is not enabled.

Security Hub aggregates findings from multiple services, including Config and GuardDuty, and can generate alerts. Option C is incorrect because VPC Flow Logs do not relate to S3 encryption. Option B is incorrect because CloudWatch Logs Insights is a query tool, not a detection service.

327
MCQ (hard)

A company has a security requirement to automatically isolate an Amazon EC2 instance that is generating high network traffic to a known malicious IP address. The company uses Amazon GuardDuty and AWS Lambda. Which combination of services and configurations should be used to achieve the isolation?

A. Use VPC Flow Logs to send logs to CloudWatch Logs, then create a metric filter that triggers a Lambda function.
B. Use Amazon GuardDuty to send findings to AWS Systems Manager Automation to run a document that isolates the instance.
C. Use Amazon GuardDuty to send findings to Amazon CloudWatch Events, which triggers an AWS Lambda function that modifies the security group to remove the instance.
D. Use AWS Config rules to detect the traffic and invoke a Lambda function to change the security group.
Answer: C

This is a standard pattern for automated response.

Why this answer

Option C is correct because Amazon GuardDuty generates findings for threats like communication with known malicious IPs, and these findings can be sent to Amazon CloudWatch Events (now Amazon EventBridge). CloudWatch Events can then trigger an AWS Lambda function that modifies the security group associated with the EC2 instance to remove its inbound/outbound rules, effectively isolating the instance. This automated workflow meets the security requirement without manual intervention.

Exam trap

The trap here is that candidates may think GuardDuty can directly trigger Systems Manager Automation (Option B) without the intermediate CloudWatch Events step, or they may confuse AWS Config's compliance evaluation with real-time network threat detection (Option D).

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs are used for network traffic analysis and logging, not for real-time threat detection; creating a metric filter to trigger a Lambda function would require custom logic to identify malicious IPs and would not leverage GuardDuty's built-in threat intelligence. Option B is wrong because while AWS Systems Manager Automation can run documents to isolate instances, GuardDuty does not natively send findings directly to Systems Manager Automation; it sends findings to CloudWatch Events, which can then trigger Systems Manager Automation, but the option omits the necessary CloudWatch Events integration. Option D is wrong because AWS Config rules are designed for compliance and resource configuration changes, not for detecting network traffic patterns or malicious IP communication; they cannot evaluate VPC Flow Logs or network traffic in real time.

328
Multi-Selecteasy

Which TWO AWS services can be used to detect anomalous API calls in an AWS account?

Select 2 answers
A.AWS CloudTrail with Amazon CloudWatch Logs metric filters.
B.AWS Shield Advanced.
C.Amazon GuardDuty.
D.AWS Config with managed rules.
E.AWS WAF.
AnswersA, C

Can detect patterns like multiple failed API calls.

Why this answer

AWS CloudTrail with Amazon CloudWatch Logs metric filters is correct because CloudTrail records all API calls, and you can create metric filters on CloudWatch Logs to match patterns indicative of anomalous activity (e.g., unauthorized API calls, root user activity). When the filter triggers a threshold, it can send an alarm via Amazon SNS, enabling detection of anomalous API calls in near real-time.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which checks resource configurations) with API call monitoring, leading them to select AWS Config instead of recognizing that only CloudTrail and GuardDuty (which uses CloudTrail logs and VPC Flow Logs for anomaly detection) can detect anomalous API calls.

329
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create or modify IAM roles. What is the MOST effective way to enforce this?

A.Use AWS Config rules to detect role creation and automatically delete the roles.
B.Set up a Lambda function that monitors CloudTrail and revokes role creation permissions.
C.Create an SCP that denies iam:CreateRole and iam:UpdateAssumeRolePolicy and attach it to the root organizational unit.
D.Create an IAM policy that denies role creation and attach it to each user in every account.
AnswerC

SCPs can centrally restrict permissions across accounts.

Why this answer

A service control policy (SCP) can be applied to the root organizational unit to deny the specified actions across all accounts.

330
MCQmedium

A security engineer runs the above AWS CLI command. The engineer notices that the security group has no outbound rules. What is the implication of this configuration?

A.The EC2 instances in this security group cannot initiate outbound connections
B.The EC2 instances cannot receive inbound HTTP traffic
C.The security group allows all outbound traffic by default
D.Outbound traffic is allowed because security groups are stateful
AnswerA

Without outbound rules, all outbound traffic is denied.

Why this answer

Option A is correct because a security group with no outbound rules blocks all outbound traffic: a security group only permits traffic that matches an explicit allow rule, so connections initiated by the instance have nothing to match. Option B is wrong because the inbound rule still allows HTTP from anywhere, and because security groups are stateful the return traffic for those connections is allowed regardless of outbound rules. Option C is wrong because the allow-all outbound rule exists only on a newly created security group; this security group has no outbound rules, so nothing is allowed outbound.

Option D is wrong because statefulness only permits the return traffic of connections already allowed inbound; it does not allow the instance to initiate new outbound connections.

331
Multi-Selectmedium

A company is using Amazon GuardDuty to detect threats. The security team wants to receive alerts for specific findings. Which TWO AWS services can be used to forward GuardDuty findings to a custom application for analysis? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Events (Amazon EventBridge)
B.Amazon Kinesis Data Streams
C.Amazon Simple Queue Service (SQS)
D.AWS Lambda
E.Amazon S3
AnswersA, E

GuardDuty publishes findings to EventBridge, which can then route to various targets.

Why this answer

Options A and E are correct because GuardDuty can send findings to CloudWatch Events (EventBridge) and also to S3, either via CloudWatch Events or directly. Option C is wrong because GuardDuty does not natively send to SQS; you need EventBridge. Option B is wrong because GuardDuty does not send to Kinesis directly; you need EventBridge.

Option D is wrong because Lambda is not a destination; it can be a target of EventBridge.

332
MCQeasy

A company wants to protect data in transit between an on-premises application and Amazon S3. Which solution provides the highest security?

A.Use an AWS PrivateLink endpoint for S3.
B.Use a site-to-site VPN connection to the VPC and then access S3 via a VPC endpoint.
C.Use AWS Direct Connect without additional encryption.
D.Access S3 over HTTPS from the on-premises application.
AnswerA

PrivateLink keeps traffic within the AWS network, not over the internet.

Why this answer

Option A is correct because AWS PrivateLink connects via private IPs within the AWS network, avoiding the public internet. Option B is wrong because a VPN encrypts the traffic but still traverses the internet to reach the VPC. Option D is wrong because HTTPS over the internet uses encryption but remains exposed to internet threats.

Option C is wrong because Direct Connect provides a private connection but no encryption; additional encryption is needed.

333
MCQmedium

A security engineer is setting up automated incident response for a compromised IAM user. The engineer wants to automatically revoke the user's access keys and attach a deny-all policy when a GuardDuty finding of type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' is generated. Which services should be used to achieve this automation?

A.Amazon Simple Notification Service (SNS) and AWS Lambda
B.AWS Config and AWS Lambda
C.Amazon CloudWatch Events and AWS Lambda
D.AWS Systems Manager Automation and AWS Lambda
AnswerC

CloudWatch Events can match GuardDuty findings and invoke Lambda.

Why this answer

Amazon CloudWatch Events (now part of Amazon EventBridge) can capture GuardDuty findings in real-time and trigger a Lambda function to revoke IAM user access keys and attach a deny-all policy. This is the native, event-driven pattern for automated incident response to GuardDuty findings, as CloudWatch Events directly supports GuardDuty as an event source.

Exam trap

The trap here is that candidates often confuse CloudWatch Events with SNS or Config, not realizing that CloudWatch Events is the only service that natively integrates with GuardDuty as an event source for real-time, automated remediation workflows.

How to eliminate wrong answers

Option A is wrong because Amazon SNS alone cannot trigger a Lambda function in response to GuardDuty findings; SNS requires a subscription and does not natively filter GuardDuty events. Option B is wrong because AWS Config is designed for resource compliance and configuration history, not for real-time event-driven response to security findings like GuardDuty. Option D is wrong because AWS Systems Manager Automation is intended for managing EC2 instances and on-premises servers, not for revoking IAM user credentials or attaching IAM policies.

334
MCQhard

A company has a VPC with a public subnet and a private subnet. The public subnet hosts a NAT instance (Amazon Linux) that provides internet access to instances in the private subnet. The security team notices that the NAT instance is receiving high inbound traffic on port 22 from an external IP address. The team wants to block this traffic at the network layer without affecting other traffic. What is the most effective solution?

A.Move the NAT instance to a private subnet and use a NAT gateway instead.
B.Modify the security group attached to the NAT instance to block inbound SSH from the specific IP.
C.Use AWS WAF to block the IP address.
D.Add a network ACL rule on the public subnet to deny inbound traffic from the specific IP on port 22.
AnswerD

Network ACLs support deny rules and are stateless.

Why this answer

Option D is correct because a network ACL on the public subnet can explicitly deny inbound SSH from the specific IP address while allowing all other traffic. Option B is wrong because blocking the IP in the security group would require a deny rule, and security groups only support allow rules; removing SSH from all sources instead would prevent legitimate access. Option A is wrong because moving the NAT instance to a private subnet would break the internet connectivity it provides.

Option C is wrong because AWS WAF operates at the web application layer (HTTP/HTTPS), not SSH.

335
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. The security team suspects that a DDoS attack is targeting the application. Which AWS service can be used to absorb and mitigate the attack at the network layer before traffic reaches the ALB?

A.AWS WAF
B.AWS Identity and Access Management (IAM)
C.Network ACLs
D.AWS Shield Advanced
AnswerD

Shield Advanced provides network and transport layer DDoS protection.

Why this answer

Option D is correct because AWS Shield Advanced provides enhanced DDoS mitigation for the ALB at the network and transport layers. Option B is wrong because IAM is for access management, not traffic filtering. Option A is wrong because AWS WAF operates at the application layer.

Option C is wrong because network ACLs are stateless and are not designed for DDoS mitigation.

336
MCQmedium

A security engineer is designing an automated incident response workflow for an Amazon EC2 instance that is compromised. The workflow must isolate the instance by removing it from the security group that allows SSH access. The engineer wants to use AWS Systems Manager Automation to run a document. What is the most secure way to grant the automation the necessary permissions to modify the security group?

A.Create a Systems Manager Automation service role with a least-privilege policy that includes ec2:ModifySecurityGroupRules and use that role in the automation.
B.Create an AWS Lambda function with permissions to modify the security group and call it from the automation.
C.Use the IAM user's permissions that trigger the automation.
D.Attach an IAM policy to the EC2 instance's instance profile that allows ec2:ModifySecurityGroupRules.
AnswerA

This is the recommended approach for least privilege.

Why this answer

Option A is correct because Systems Manager Automation can assume a dedicated service role with a least-privilege IAM policy that includes the specific action `ec2:ModifySecurityGroupRules`. This follows the security best practice of granting only the permissions required for the automation to modify the security group, without exposing broader privileges or relying on user or instance credentials.

Exam trap

The trap here is that candidates often confuse the instance profile role (used for the EC2 instance's own actions) with the automation service role (used for the Systems Manager service to perform actions on behalf of the engineer), leading them to incorrectly choose Option D.

How to eliminate wrong answers

Option B is wrong because introducing an AWS Lambda function adds unnecessary complexity and an additional attack surface; the automation can directly modify the security group via an assumed role without needing a middleman. Option C is wrong because using the IAM user's permissions violates the principle of least privilege and creates a security risk if the user has more permissions than needed; the automation should use a dedicated role, not inherit user credentials. Option D is wrong because attaching a policy to the EC2 instance profile grants permissions to the instance itself, not to the Systems Manager Automation service; the automation runs independently of the compromised instance and should not rely on the instance's role for incident response actions.

337
Multi-Selectmedium

A security engineer is designing a centralized logging solution for multiple AWS accounts. Which TWO services should be used to aggregate logs from all accounts into a single account? (Choose TWO.)

Select 2 answers
A.AWS Config
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Amazon S3
E.AWS CloudTrail
AnswersC, E

CloudWatch Logs can use cross-account subscription filters.

Why this answer

Options C and E are correct. CloudTrail can be configured to deliver logs from every account to a central S3 bucket, and CloudWatch Logs can use cross-account subscription filters to send logs to a central account. Option A is wrong because AWS Config can aggregate configuration data but not logs.

Option B is wrong because VPC Flow Logs can be sent to S3 or CloudWatch Logs, but not directly to a central account. Option D is wrong because S3 is a destination, not an aggregation service.

338
MCQmedium

A company wants to securely store secrets used by an application running on EC2 instances. The secrets include database credentials and API keys. What is the MOST secure and manageable approach?

A.Store the secrets in the EC2 instance user data and retrieve them from the metadata service.
B.Embed the secrets in the application code and encrypt the code with a KMS key.
C.Use AWS Secrets Manager and attach an IAM role to the EC2 instance with permission to access the secrets.
D.Use AWS Systems Manager Parameter Store with a SecureString parameter and reference it in the application code.
AnswerC

Secrets Manager provides secure storage, automatic rotation, and IAM-based access control.

Why this answer

Option C is correct because AWS Secrets Manager integrates with IAM roles for access control and can rotate secrets. Option A is wrong because storing secrets in instance user data exposes them through the instance metadata service. Option D is wrong because Parameter Store with a SecureString parameter is secure but has fewer features than Secrets Manager.

Option B is wrong because embedding secrets in application code is not secure, even if the code is encrypted.

339
MCQeasy

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow access only from the corporate network (10.0.0.0/8). What is a potential security issue with this policy?

A.The policy allows anonymous access from the specified IP range.
B.The policy grants access to all actions, not just GetObject.
C.The policy resource is incorrect; it should be the bucket ARN without the /*.
D.The policy does not include a condition to require MFA.
AnswerA

Principal "*" means anyone (anonymous) can access if they meet the IP condition.

Why this answer

Option A is correct because the policy's `Principal: "*"` element allows any requester, including unauthenticated (anonymous) ones, and the `Condition` block only restricts the source IP to 10.0.0.0/8. This means any unauthenticated request originating from within the corporate network (10.0.0.0/8) is permitted, effectively granting anonymous access to the S3 bucket. The intended goal of restricting access to authenticated corporate users is not achieved, as no `aws:userid` or `aws:username` condition is enforced.

Exam trap

The trap here is that candidates assume an IP address condition in a bucket policy automatically implies authenticated access, but AWS explicitly allows anonymous access when `Principal: "*"` is used, even with IP restrictions.

How to eliminate wrong answers

Option B is wrong because the policy uses `Action: "s3:GetObject"` which is a specific read action, not all actions; the issue is about authentication, not action scope. Option C is wrong because the resource ARN `arn:aws:s3:::example-bucket/*` is correct for object-level operations like GetObject; the bucket ARN without `/*` would be needed for bucket-level operations (e.g., ListBucket). Option D is wrong because MFA is not required by the scenario; the policy's flaw is allowing anonymous access, not the absence of MFA, and MFA is typically enforced via a separate condition key (`aws:MultiFactorAuthPresent`).

340
Multi-Selecthard

A company uses AWS CloudTrail to log all API activity. The security team wants to detect when an IAM user creates an access key for another user, which is a potential privilege escalation. Which TWO actions should the team take to set up this detection?

Select 3 answers
A.Create an AWS Config managed rule to detect CreateAccessKey calls.
B.Create a CloudWatch alarm based on the metric filter.
C.Create a CloudWatch Logs metric filter that matches the event CreateAccessKey.
D.Use Amazon EventBridge to create a rule that matches the CloudTrail event and triggers an AWS Lambda function.
E.Enable Amazon GuardDuty and create a custom threat list.
AnswersB, C, D

The alarm can send notifications when the filter matches.

Why this answer

Option B is correct because a CloudWatch alarm based on a metric filter allows the security team to monitor CloudTrail logs in real time and trigger an alert when a specific API call (CreateAccessKey) is made by an IAM user for another user. The metric filter extracts the event from CloudTrail logs stored in CloudWatch Logs, and the alarm evaluates the metric against a threshold to notify the team of potential privilege escalation.

Exam trap

The trap here is that candidates often confuse AWS Config managed rules (which evaluate resource state) with CloudTrail event detection (which requires log-based monitoring), leading them to select Option A instead of the correct combination of metric filters and alarms or EventBridge rules.

341
MCQeasy

A security engineer needs to ensure that an Amazon RDS database instance is not accessible from the internet. Which configuration step will achieve this?

A.Deploy the DB instance in a multi-AZ configuration.
B.Set the DB instance to be publicly accessible and restrict security group inbound rules.
C.Set the DB instance to be not publicly accessible and place it in a private subnet.
D.Use the default VPC security group for the DB instance.
AnswerC

This prevents internet access.

Why this answer

Option C is correct because setting a DB instance to be not publicly accessible ensures that it does not receive a public IP address, and placing it in a private subnet (one without a route to an internet gateway) prevents any direct inbound or outbound traffic from the internet. This combination guarantees that the RDS instance is isolated from the public internet, aligning with the security requirement.

Exam trap

The trap here is that candidates often assume security group rules alone can fully control internet access, overlooking the critical distinction between public and private IP assignment and subnet routing that determines actual internet reachability.

How to eliminate wrong answers

Option A is wrong because deploying in a multi-AZ configuration provides high availability and failover support, but does not affect network accessibility; the DB instance can still be publicly accessible if configured otherwise. Option B is wrong because setting the DB instance to be publicly accessible assigns a public IP address, and while restricting security group inbound rules can limit traffic, the instance itself remains reachable from the internet, violating the requirement. Option D is wrong because using the default VPC security group does not inherently prevent internet access; the default security group typically allows all outbound traffic and may have permissive inbound rules, and the instance could still be publicly accessible if placed in a public subnet.

342
MCQhard

Refer to the exhibit. A user receives the above error when trying to decrypt a file using AWS KMS. The key policy is shown below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:role/AdminRole" },
          "Action": "kms:Decrypt",
          "Resource": "*"
        }
      ]
    }

What is the likely cause of the error?

A.The ciphertext was encrypted with a different KMS key
B.The KMS key does not exist
C.The command syntax is incorrect
D.The IAM user 'john' is not granted kms:Decrypt in the key policy
AnswerD

Correct: The key policy only allows the AdminRole, not the user.

Why this answer

Option D is correct because the key policy only allows the AdminRole to decrypt, not the user 'john'. Option B is wrong because the key exists and its ARN is valid. Option A is wrong because a ciphertext encrypted under a different key would produce a different error.

Option C is wrong because the ciphertext is provided and the CLI command syntax is correct.

343
Multi-Selectmedium

Which TWO actions can help protect data at rest in Amazon EBS volumes? (Choose 2.)

Select 2 answers
A.Enable automatic encryption of EBS snapshots by default.
B.Use an instance type that supports encryption at rest.
C.Configure the operating system to use encrypted file systems.
D.Enable EBS encryption by default in the AWS Account settings.
E.Use encrypted EBS volumes with AWS KMS customer-managed keys.
AnswersD, E

This encrypts all new EBS volumes.

Why this answer

Options D and E are correct. D: Enabling EBS encryption by default in the account settings ensures that all new volumes are encrypted. E: Using encrypted EBS volumes with KMS customer-managed keys encrypts the volume at rest.

Option C is wrong because data on EBS is not automatically encrypted by the guest operating system; the OS would have to be configured separately, and that is not EBS encryption at rest. Option A is wrong because EBS snapshots are not automatically encrypted; they can be encrypted during a copy. Option B is wrong because EBS encryption is independent of instance type.

344
MCQhard

A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to audit all KMS key usage, including who used the key, when, and what operation was performed. Which AWS service should be used to meet this requirement?

A.AWS CloudTrail
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudHSM
AnswerA

CloudTrail logs KMS API calls for auditing.

Why this answer

AWS CloudTrail is the correct service because it records all AWS KMS API calls as events, including who made the request, the source IP address, the time of the request, and the specific operation performed (e.g., Encrypt, Decrypt, GenerateDataKey). These audit logs are stored in an S3 bucket and can be analyzed to meet the security team's requirement for full key usage auditing.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance monitoring with CloudTrail's API auditing, or assume GuardDuty's threat detection includes detailed usage logs, when in fact only CloudTrail provides the granular, user-specific API call records required for auditing KMS key usage.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity using anomaly detection and threat intelligence, not a service that records detailed API-level audit logs of KMS key usage. Option C (AWS Config) is wrong because it evaluates resource configurations and compliance rules (e.g., whether KMS keys have automatic rotation enabled), but it does not capture who performed KMS operations or when they occurred. Option D (AWS CloudHSM) is wrong because it provides dedicated hardware security modules for key generation and storage, but it does not generate audit logs of API calls; CloudHSM logs are limited to HSM-level events and require separate integration with CloudTrail for API auditing.

345
Drag & Dropmedium

Drag and drop the steps to configure Amazon GuardDuty for multi-account security in the correct order.


Why this order

Multi-account GuardDuty requires enabling in master, inviting members, accepting, configuring export, and delegating admin.

346
MCQeasy

A company has a requirement to audit all API calls made to AWS services in their account. Which AWS service should be used to meet this requirement?

A.AWS Config
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerD

CloudTrail records all API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API activity in the account. Option C is wrong because Amazon GuardDuty is a threat detection service. Option A is wrong because AWS Config records resource configuration changes, not API calls.

Option B is wrong because Amazon Inspector is a vulnerability assessment service.

347
Multi-Selectmedium

Which TWO actions can be taken to improve the security of an Amazon RDS for MySQL database instance? (Choose TWO.)

Select 2 answers
A.Place the RDS instance in a private subnet and restrict inbound traffic to the application security group.
B.Disable automated backups to reduce storage costs.
C.Enable Multi-AZ deployment for fault tolerance.
D.Assign a public IP address to the RDS instance for easier access from the internet.
E.Enable encryption at rest using AWS KMS.
AnswersA, E

Network isolation improves security.

Why this answer

Options A and E are correct. Enabling encryption at rest protects stored data, and placing the instance in a private subnet with a restrictive security group limits network access. Option B is wrong because disabling automated backups reduces durability and does not improve security.

Option C is wrong because Multi-AZ is for high availability, not security. Option D is wrong because assigning a public IP address increases exposure.

348
MCQmedium

A company is using Amazon S3 to store backup files that must be retained for 7 years. The files are accessed infrequently but must be available within minutes when needed. The company wants to minimize storage costs while ensuring data is encrypted at rest. Which storage class and encryption combination is most cost-effective?

A.S3 Glacier Instant Retrieval with SSE-S3
B.S3 Glacier Deep Archive with SSE-S3
C.S3 Glacier Flexible Retrieval with SSE-KMS
D.S3 Standard-IA with SSE-KMS
AnswerA

Instant retrieval and cost-effective.

Why this answer

S3 Glacier Deep Archive is the lowest-cost storage class for long-term retention but has retrieval times of 12 hours, which does not meet the 'minutes' requirement. S3 Glacier Instant Retrieval provides millisecond retrieval and is cost-effective for infrequently accessed data. Option A is correct.

SSE-S3 provides encryption at no additional cost. Options B and C have longer retrieval times. Option D is more expensive.

349
MCQhard

A company uses Amazon EBS volumes for EC2 instances. The security team requires that all EBS volumes be encrypted at rest. The team creates an AWS Config rule to check whether EBS volumes are encrypted. However, some volumes are non-compliant even though they have encryption enabled. What is the most likely reason?

A.The volumes were created from unencrypted snapshots.
B.The volumes are encrypted with a different KMS key than the one specified in the Config rule.
C.The volumes are not encrypted at the time of creation, even though encryption is enabled later.
D.The Config rule is configured to check for a specific KMS key alias.
AnswerC

The Config rule checks the volume's encryption attribute; if a volume was created unencrypted and then encrypted via a snapshot, the volume remains non-compliant if the encryption attribute is not set.

Why this answer

Option C is correct because the AWS Config managed rule 'encrypted-volumes' checks the encryption attribute of each volume; it does not check the account's default encryption setting, so a volume that was created unencrypted stays non-compliant even if encryption was enabled afterwards. Option A is wrong because the rule checks volumes, not the snapshots they were created from. Option B is wrong because the rule checks the encryption configuration, not which key was used.

Option D is wrong because the rule does not check key aliases.

350
MCQeasy

A company uses S3 to store sensitive customer data. Which AWS service can automatically discover and classify this data to help meet compliance requirements?

A.Amazon GuardDuty
B.AWS Config
C.Amazon CloudWatch
D.Amazon Macie
AnswerD

Amazon Macie automatically discovers and classifies sensitive data.

Why this answer

Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Option D is correct because Macie is designed for data discovery and classification. Option B is incorrect because AWS Config tracks resource configuration changes.

Option C is incorrect because CloudWatch monitors performance and logs. Option A is incorrect because GuardDuty focuses on threat detection.

351
MCQhard

An IAM policy has the following statement: {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}. What does this policy achieve?

A.Denies all actions that are not made over HTTPS
B.Allows all actions only when using HTTPS
C.Enforces HTTPS for S3 bucket policies only
D.Blocks all actions for a specific AWS service
AnswerA

Correctly denies when SecureTransport is false.

Why this answer

This policy statement uses the `aws:SecureTransport` condition key with a `Bool` condition set to `false`. When the condition evaluates to true (i.e., the request is not using HTTPS/TLS), the `Deny` effect applies to all actions on all resources. This effectively denies any API call made over HTTP (non-secure transport), ensuring that only HTTPS requests are allowed.

The policy does not explicitly allow anything; it only denies non-HTTPS traffic, so all actions are implicitly allowed when made over HTTPS.

Exam trap

The trap here is that candidates often confuse a `Deny` with a `Bool` condition as an implicit `Allow` for the opposite condition, but the policy only denies non-HTTPS requests and does not grant any explicit allow, so all actions are allowed by default when HTTPS is used.

How to eliminate wrong answers

Option B is wrong because the policy does not contain an `Allow` statement; it only denies non-HTTPS requests, so it does not affirmatively allow actions. Option C is wrong because the policy applies to all AWS services and resources, not just S3 bucket policies; the `Resource` is `*`, meaning it covers every service. Option D is wrong because the policy does not block all actions for a specific service; it blocks all actions across all services only when the request is not using HTTPS.

352
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and EC2 instances be encrypted. Which configuration ensures this requirement is met?

A.Use an HTTPS listener on the ALB and configure the target group with HTTPS.
B.Use a TCP listener on the ALB and a TCP target group.
C.Configure security group inbound rules to allow only HTTPS traffic.
D.Use an HTTP listener on the ALB and HTTP on the target group.
AnswerA

HTTPS ensures encryption from ALB to instances.

Why this answer

Option A is correct because an HTTPS listener on the ALB terminates the client's TLS connection, and an HTTPS target group makes the ALB establish a new TLS connection to each instance, so traffic to the targets is encrypted. Option D is wrong because HTTP does not encrypt traffic. Option C is wrong because security group rules filter ports but do not enforce encryption.

Option B is wrong because TCP listeners do not provide encryption.

353
MCQeasy

A company uses Amazon GuardDuty to detect threats. The security team wants to receive real-time notifications for all GuardDuty findings with a severity of HIGH or CRITICAL. What is the MOST efficient way to achieve this?

A. Create a CloudWatch Events rule that matches GuardDuty findings with severity HIGH or CRITICAL and targets an SNS topic.
B. Use the GuardDuty console to set up email alerts for high-severity findings.
C. Configure GuardDuty to export findings to an S3 bucket and use S3 event notifications to trigger an SNS topic.
D. Stream GuardDuty findings to CloudWatch Logs and create a metric filter to trigger an alarm.
Answer: A

CloudWatch Events provides real-time event filtering and notification.

Why this answer

Option A is correct because GuardDuty publishes its findings to CloudWatch Events (now Amazon EventBridge), where a rule can match on severity and trigger an SNS notification. Option C is wrong because GuardDuty findings are not sent to S3 directly. Option B is wrong because GuardDuty does not have a built-in notification feature. Option D is wrong because CloudWatch Logs does not parse GuardDuty findings natively.

354
MCQ · hard

A company uses Amazon GuardDuty to monitor for malicious activity in its AWS environment. The security team receives a high number of findings, many of which are false positives. They want to reduce noise by suppressing findings for known benign activities, such as internal vulnerability scans performed by the security team. GuardDuty has a feature to create suppression rules based on finding criteria. However, the team also wants to ensure that if a new type of threat is detected, it is immediately escalated. What is the MOST effective way to manage GuardDuty findings?

A. Set GuardDuty to only generate findings for medium and high severity, ignoring low severity findings.
B. Create a suppression rule that blocks all findings from the internal IP range used by the security team.
C. Disable the specific GuardDuty finding types that generate false positives.
D. Create suppression rules that automatically archive findings matching the known benign activity criteria, and periodically review the suppressed findings.
Answer: D

Suppression rules target specific criteria and allow for periodic review to ensure no missed threats.

Why this answer

The correct answer is D. GuardDuty suppression rules automatically archive findings that match certain criteria, reducing noise. However, the team should still review suppressed findings periodically to ensure no actual threats are missed. Option C is incorrect because disabling the entire finding type would miss genuine threats. Option A is incorrect because lowering the severity threshold would increase noise. Option B is incorrect because a blanket suppression rule might miss important variations of the threat.

355
MCQ · medium

During a security review, a security engineer notices that an S3 bucket contains sensitive data but has a bucket policy that allows access from any principal in the account. The engineer needs to identify any unintended cross-account access to this bucket. Which AWS service should be used?

A. AWS Config
B. AWS IAM Access Analyzer
C. AWS Trusted Advisor
D. Amazon Macie
Answer: B

Access Analyzer reviews resource policies to identify external entities.

Why this answer

AWS IAM Access Analyzer helps identify resources that are shared with external principals by analyzing resource-based policies (like S3 bucket policies). In this scenario, the bucket policy allows access from any principal in the account, but IAM Access Analyzer can detect if the policy also grants access to principals outside the AWS account (cross-account access). It generates findings for any policy that allows access from an external entity, making it the correct service to identify unintended cross-account access.

Exam trap

The trap here is that candidates often confuse AWS Config (which can detect public S3 buckets) with IAM Access Analyzer (which specifically detects cross-account access), leading them to choose Config when the question explicitly asks for unintended cross-account access, not just public access.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource compliance against rules but does not specifically analyze bucket policies for cross-account access; it can detect public access but not granular cross-account sharing. Option C is wrong because AWS Trusted Advisor provides best-practice checks (including S3 bucket permissions) but only flags buckets that are publicly accessible or open to all authenticated AWS users, not specifically cross-account access from a specific external account. Option D is wrong because Amazon Macie discovers and classifies sensitive data using machine learning, but it does not analyze bucket policies for cross-account permissions; it focuses on data content, not access controls.

356
MCQ · hard

Refer to the exhibit. A security engineer is reviewing the bucket encryption configuration. The bucket is used to store sensitive data. The company policy requires that all objects be encrypted using AWS KMS with a customer managed key. What should the engineer do to meet the policy?

A. Enable the bucket key and set SSEAlgorithm to AES256
B. Use client-side encryption with a KMS key
C. Update the bucket encryption configuration to use SSEAlgorithm: aws:kms and specify a KMS key ID
D. Add a bucket policy that requires kms:Encrypt permission for all PutObject requests
Answer: C

Changes default encryption to SSE-KMS.

Why this answer

The current configuration uses SSE-S3 (AES256). To use SSE-KMS, the engineer should modify the bucket encryption configuration to use aws:kms and specify a key ID, so Option C is correct. Option D is incorrect because specifying a KMS key in the bucket policy does not enforce encryption. Option A is incorrect because enabling default encryption with SSE-S3 does not change the algorithm. Option B is incorrect because client-side encryption is not server-side.

357
MCQ · hard

A global e-commerce company operates in three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. The company uses AWS Organizations with 50 member accounts grouped by business unit. The security team recently discovered that several S3 buckets containing customer data were accidentally made public due to misconfigured bucket policies. The team wants to implement a preventive control that blocks any S3 bucket from becoming public across all accounts, while still allowing authorized cross-account access. The solution must be centrally managed and not require changes to existing IAM policies. Additionally, the team needs to be notified immediately when a public bucket is attempted. Which solution meets all requirements?

A. Use Amazon Macie to discover public buckets and alert the security team.
B. Create an SCP that denies s3:PutBucketPolicy only for policies that specify 'Principal': '*' or 'Principal': {'AWS': '*'}
C. Create an SCP that denies s3:PutBucketPolicy and s3:PutBucketAcl when the condition includes making the bucket public, and use CloudTrail and CloudWatch Events to send notifications on denied API calls.
D. Deploy an AWS Config rule in each account that triggers a Lambda function to make non-compliant buckets private.
Answer: C

SCPs are preventive and centrally managed; CloudTrail logs denied events, and CloudWatch Events can trigger SNS for notifications.

Why this answer

Option C is correct because it uses an SCP to centrally deny the s3:PutBucketPolicy and s3:PutBucketAcl actions when the request would make a bucket public, which is a preventive control that blocks the operation before it happens. The requirement for immediate notification is met by using CloudTrail to log the denied API calls and CloudWatch Events to trigger alerts, all without modifying existing IAM policies or requiring per-account changes.

Exam trap

The trap here is that candidates often confuse detective controls (like Macie or Config rules that remediate) with preventive controls (like SCPs that block the action), and they may overlook that SCPs can deny specific API actions with conditions to precisely target public bucket creation without affecting authorized cross-account access.

How to eliminate wrong answers

Option A is wrong because Amazon Macie is a data discovery and classification service that can detect public buckets after they exist, but it is a detective control, not a preventive control that blocks the action. Option B is wrong because an SCP that denies s3:PutBucketPolicy only when 'Principal': '*' or 'Principal': {'AWS': '*'} is specified does not cover all ways a bucket can become public, such as through bucket ACLs (s3:PutBucketAcl) or policies that grant public access via other principal patterns (e.g., 'Principal': {'AWS': 'arn:aws:iam::123456789012:root'} with a condition that allows anonymous access). Option D is wrong because an AWS Config rule that triggers a Lambda function to make non-compliant buckets private is a reactive (corrective) control, not a preventive control that blocks the bucket from becoming public in the first place, and it requires per-account deployment rather than being centrally managed.

358
Multi-Select · hard

A company is migrating on-premises file servers to Amazon EFS. The data must be encrypted at rest and in transit. Which THREE steps should the company take to meet these requirements?

Select 3 answers
A. Use a KMS customer managed key for encryption at rest
B. Use AWS Certificate Manager to issue a certificate
C. Install an SSL certificate on the EFS file system
D. Mount the EFS file system using TLS
E. Enable encryption at rest on the EFS file system
Answers: A, D, E

Customer managed keys allow control and rotation.

Why this answer

Option E (Enable encryption at rest on the EFS file system), Option D (Mount the EFS file system using TLS), and Option A (Use a KMS customer managed key for encryption at rest) are correct. Encryption at rest is enabled on the file system. Encryption in transit is achieved by using TLS when mounting. Using a customer managed key provides control over the encryption key. Option C is wrong because EFS does not use SSL certificates. Option B is wrong because AWS Certificate Manager is for other services, not EFS mount encryption.

359
Multi-Select · hard

A security engineer is designing a permissions boundary for an IAM user. Which TWO statements about permissions boundaries are correct?

Select 2 answers
A. Permissions boundaries can be applied to service-linked roles.
B. Permissions boundaries can only be applied to IAM users, not roles.
C. The effective permissions are the intersection of the identity-based policy and the permissions boundary.
D. Permissions boundaries can override resource-based policies.
E. A permissions boundary alone does not grant permissions; an identity-based policy is also required.
Answers: C, E

Intersection of both policies.

Why this answer

Options C and E are correct. E: A permissions boundary limits the maximum permissions for the user, but the user must also have an identity-based policy granting the actions. C: The effective permissions are the intersection of the boundary and the identity-based policy. Option D is wrong because resource-based policies are not affected by boundaries. Option A is wrong because boundaries do not affect service-linked roles. Option B is wrong because boundaries can be used with roles as well.

360
MCQ · medium

A company wants to ensure that IAM users with console access have strong passwords. Which IAM password policy setting should the company configure to enforce the use of at least one uppercase letter?

A. MinimumPasswordLength
B. RequireUppercaseCharacters
C. RequireNumbers
D. RequireSymbols
Answer: B

Enforces at least one uppercase letter.

Why this answer

Option B is correct because 'RequireUppercaseCharacters' enforces at least one uppercase letter. Option C is wrong because 'RequireNumbers' is for digits. Option D is wrong because 'RequireSymbols' is for special characters. Option A is wrong because 'MinimumPasswordLength' is about length, not character types.

361
MCQ · easy

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an attacker is using an Amazon S3 bucket to exfiltrate data. Which AWS service can be used to analyze S3 access logs and detect anomalous patterns?

A. Amazon CloudFront
B. Amazon Athena
C. AWS Shield
D. AWS WAF
Answer: B

Athena can query S3 access logs for analysis.

Why this answer

Amazon Athena is the correct choice because it allows you to run SQL queries directly against Amazon S3 access logs stored in S3, enabling you to analyze large volumes of log data for anomalous patterns such as unusual data transfer volumes, repeated access from unfamiliar IP ranges, or unexpected object reads. This serverless query service is purpose-built for ad-hoc analysis of structured and semi-structured data in S3 without needing to load data into a separate database, making it ideal for incident response investigations.

Exam trap

The trap here is that candidates often confuse AWS WAF or CloudFront as log analysis tools because they are associated with web traffic inspection, but neither provides the ability to query S3 access logs for data exfiltration patterns.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that accelerates static and dynamic content delivery; it does not provide query capabilities for S3 access logs and cannot analyze log data for anomalies. Option C is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards against network and transport layer attacks; it does not inspect or analyze S3 access logs for data exfiltration patterns. Option D is wrong because AWS WAF is a web application firewall that filters HTTP/HTTPS traffic based on rules to protect against common web exploits; it operates at the application layer and cannot query or analyze S3 access logs.

362
Multi-Select · hard

A company is using AWS KMS to encrypt data in Amazon S3 and Amazon RDS. Which THREE practices should be followed to ensure the security of the KMS keys?

Select 3 answers
A. Enable automatic key rotation for the KMS keys.
B. Disable automatic key rotation to maintain control over the key material.
C. Share the KMS key across multiple AWS accounts using cross-account access.
D. Use IAM policies and key policies to restrict access to the KMS key to only required principals.
E. Enable CloudTrail to log all KMS API calls.
Answers: A, D, E

Rotates backing keys annually.

Why this answer

Options A, D, and E are correct. Key rotation is a security best practice. Granting least-privilege access through key policies and IAM policies limits exposure. CloudTrail provides an audit trail of KMS API calls. Option C is wrong because sharing keys across accounts increases risk. Option B is wrong because disabling automatic rotation may be necessary in some cases but is not a security best practice.

363
MCQ · medium

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to immediately block the traffic and capture a packet capture for forensic analysis. Which combination of actions should the engineer take?

A. Use Amazon GuardDuty to block the IP and enable VPC Traffic Mirroring.
B. Add a network ACL deny rule for the malicious IP, and enable VPC Traffic Mirroring.
C. Stop the EC2 instance and enable VPC Flow Logs.
D. Modify the security group to deny outbound traffic to the IP, and enable VPC Flow Logs.
Answer: B

Network ACLs support deny rules and are stateless, allowing immediate blocking; Traffic Mirroring captures full packets.

Why this answer

Option B is correct because a network ACL (NACL) is a stateless firewall that operates at the subnet level, allowing immediate blocking of traffic to/from a specific IP address without affecting the instance's security group rules. Enabling VPC Traffic Mirroring captures a full packet-level copy of the traffic for forensic analysis, which is superior to VPC Flow Logs (which only capture metadata). This combination provides both rapid containment and deep forensic data.

Exam trap

The trap here is that candidates confuse security groups (stateful, allow-only) with network ACLs (stateless, allow/deny) and mistakenly think a security group can block a specific IP, or they assume VPC Flow Logs provide packet-level capture when they only provide metadata.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service, not a blocking mechanism; it cannot directly block traffic, and VPC Traffic Mirroring is not enabled via GuardDuty. Option C is wrong because stopping the EC2 instance halts all traffic but prevents capturing live malicious traffic for analysis, and VPC Flow Logs only provide metadata (source/destination IP, ports, protocol) not full packet payloads. Option D is wrong because security groups are stateful and cannot deny outbound traffic to a specific IP address; they only support allow rules, and VPC Flow Logs do not capture packet contents.

364
MCQ · medium

A company requires that all IAM users in the Security team must use multi-factor authentication (MFA) to access the AWS Management Console. The company has enabled MFA for all users, but the Security team administrator reports that some users can still sign in without MFA. Which action should the administrator take to enforce MFA for all sign-ins?

A. Create a new IAM policy that requires MFA for programmatic access only.
B. Enable the 'aws:MultiFactorAuthPresent' condition in the IAM password policy.
C. Update the password policy to require MFA for all IAM users.
D. Attach an IAM policy that denies all actions if 'aws:MultiFactorAuthPresent' is false.
Answer: D

This explicitly denies access without MFA, enforcing MFA for console sign-in.

Why this answer

Option D is correct because attaching an IAM policy that explicitly denies access unless MFA is present enforces MFA for all actions, including console sign-in. Option B is wrong because the default condition key 'aws:MultiFactorAuthPresent' is not set to 'true' for console sign-in; it is only set for API calls. Option A is wrong because requiring MFA for programmatic access does not affect console sign-in. Option C is wrong because the password policy cannot enforce MFA at sign-in.

365
MCQ · hard

A security engineer is troubleshooting an issue where an Amazon RDS for MySQL DB instance is not encrypting data at rest. The DB instance was created without encryption. The engineer needs to enable encryption without significant downtime. What is the MOST effective approach?

A. Take a snapshot of the DB instance and enable encryption on the snapshot
B. Take a snapshot, copy it with encryption enabled, and restore a new DB instance from the encrypted snapshot
C. Modify the DB instance and enable encryption in the console
D. Create a read replica with encryption and promote it
Answer: B

Correct: This is the standard procedure to encrypt an unencrypted RDS instance.

Why this answer

Option B is correct because the only way to enable encryption on an unencrypted RDS instance is to create a snapshot, copy it with encryption enabled, and restore a new encrypted instance from the copy. Option C is wrong because RDS does not support enabling encryption on an existing instance; modifying the DB instance does not allow encryption to be turned on. Option A is wrong because you cannot enable encryption on a snapshot; you must copy it.

366
MCQ · medium

A company has a multi-account AWS Organization with 50 accounts. The security team uses AWS CloudTrail to log all API calls and sends the logs to a central S3 bucket in the security account. The team wants to ensure that any attempt to disable CloudTrail logging or delete the trail is detected and automatically remediated within 5 minutes. They have configured an AWS Config rule that triggers an AWS Lambda function when the CloudTrail configuration changes. However, the Lambda function is not being invoked when they test by stopping the trail. The Lambda function's IAM role has permissions to start and update CloudTrail. CloudTrail logs show that the Config rule is evaluating the resource, but the Lambda function is not triggered. What is the most likely cause?

A. The S3 bucket policy does not allow CloudTrail to write logs.
B. The Lambda function's IAM role does not have permission to modify CloudTrail.
C. The CloudTrail trail does not have permission to send logs to the S3 bucket.
D. The AWS Config service does not have permission to invoke the Lambda function.
Answer: D

Config needs a resource-based policy on the Lambda function allowing it to invoke.

Why this answer

Option D is correct because AWS Config must have permission to invoke the Lambda function. Even if the Lambda function's role has permissions to modify CloudTrail, Config needs a resource-based policy on the function that allows it to invoke it. Option C is wrong because CloudTrail does not need permissions to invoke Lambda. Option B is wrong because the Lambda function has the needed permissions; it is Config that does not. Option A is wrong because the issue is not with the S3 bucket.

367
MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants to enable CloudTrail for all accounts and centrally store logs. What is the most efficient way to achieve this?

A. Use an S3 bucket policy to allow cross-account log delivery
B. Create a CloudTrail trail in the management account and apply it to all accounts in the organization
C. Use AWS Lambda to create trails in each account
D. Ask each account admin to create their own CloudTrail trail and deliver to a central S3 bucket
Answer: B

Organization trails log all accounts centrally.

Why this answer

Option B is correct: an organization trail created in the management account logs API activity for all accounts in the organization to a central location. Deleting existing trails is not required. Having each account create its own trail (Option D) is inefficient, and an S3 bucket policy alone (Option A) does not enable logging.

368
MCQ · hard

A company uses Amazon RDS for MySQL and needs to monitor database activity for suspicious queries, such as unauthorized access attempts or SQL injection. The security team wants to centralize the logs from multiple RDS instances and analyze them in near real-time. Which solution should be implemented?

A. Enable RDS Enhanced Monitoring and stream the metrics to Amazon CloudWatch.
B. Enable VPC Flow Logs for the RDS instances and analyze the logs using Amazon Athena.
C. Enable AWS CloudTrail for RDS API calls and use Amazon GuardDuty to analyze the logs.
D. Enable database audit logs on each RDS instance, stream them to Amazon CloudWatch Logs, and use CloudWatch Logs Insights to query the logs.
Answer: D

Audit logs capture SQL queries; CloudWatch Logs provides centralized storage and analysis.

Why this answer

Option D is correct: RDS provides database audit logs that capture SQL queries, these can be streamed to CloudWatch Logs, and CloudWatch Logs Insights allows querying and analyzing them in near real-time. Option A is wrong because RDS Enhanced Monitoring provides OS-level metrics, not SQL queries, so it is not suitable. Option B is wrong because VPC Flow Logs capture network traffic, not SQL queries. Option C is wrong because AWS CloudTrail records API calls, not database queries.

369
MCQ · hard

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

A. AWS WAF.
B. AWS Network Firewall.
C. AWS Shield Advanced.
D. AWS Security Hub.
Answer: A

AWS WAF can inspect HTTP requests and block SQL injection and XSS.

Why this answer

Option A is correct because AWS WAF is a web application firewall that inspects HTTP requests and can block common web exploits such as SQL injection and XSS. Option C is wrong because Shield Advanced provides DDoS protection, not protection against application-layer exploits. Option B is wrong because Network Firewall performs network-level filtering, not application-layer inspection. Option D is wrong because Security Hub is a security posture management service, not a protection service.

370
MCQ · medium

A company uses AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that any S3 bucket created with public read access is detected within minutes. Which solution is MOST efficient?

A. Create an Amazon EventBridge rule that matches CloudTrail CreateBucket API calls and triggers a Lambda function that inspects the bucket's public access settings and alerts if public.
B. Use AWS Config rules to check S3 bucket public access settings and trigger an AWS Lambda function to send alerts.
C. Use S3 server access logs and run a daily script to parse the logs for PutBucketAcl actions.
D. Enable CloudTrail log file validation and use Athena to query logs hourly for CreateBucket events with public ACLs.
Answer: A

EventBridge events are near-real-time, and the Lambda can immediately check and alert.

Why this answer

Option A is correct because an Amazon EventBridge rule on CloudTrail CreateBucket events, combined with a Lambda function that checks the bucket's public access settings via AWS Config or direct API calls, allows near-real-time detection. Option D is wrong because it relies on CloudTrail log file delivery to S3 and hourly queries, which can have delays. Option B is wrong because it only reports current state, not immediate changes. Option C is wrong because it requires manual setup and daily polling.

371
MCQ · medium

A security engineer is troubleshooting an issue where CloudTrail logs are not being delivered to the specified S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

A. The S3 bucket uses server-side encryption with customer-provided keys (SSE-C).
B. The S3 bucket has a bucket policy that denies access to the CloudTrail service principal.
C. The S3 bucket does not have versioning enabled.
D. The S3 bucket is in a different AWS account.
Answer: B

An explicit deny in the bucket policy would override the allow.

Why this answer

Option B is correct because S3 bucket policies that explicitly deny access to AWS services can override allows. Option A is wrong because CloudTrail does not require SSE-C; it supports SSE-S3. Option C is wrong because versioning is not required for CloudTrail log delivery.

Option D is wrong because CloudTrail can deliver logs across accounts with proper permissions.

372
Multi-Select · easy

A security engineer is configuring automated response to a specific GuardDuty finding type. The engineer wants to automatically block the offending IP address in the security group when a finding is generated. Which TWO AWS services should the engineer use together to achieve this? (Choose TWO.)

Select 2 answers
A. AWS Lambda
B. AWS Config
C. Amazon Simple Notification Service (SNS)
D. Amazon EventBridge
E. Amazon CloudWatch Logs
Answers: A, D

Lambda can run code to modify security groups based on the finding details.

Why this answer

AWS Lambda is correct because it can execute custom code to modify security group rules, such as removing an offending IP address. Amazon EventBridge is correct because it can capture GuardDuty findings as events and trigger the Lambda function in response to a specific finding type. Together, they enable automated, event-driven remediation without manual intervention.

Exam trap

The trap here is that candidates often choose SNS because it is commonly associated with GuardDuty alerts, but they overlook that SNS cannot perform API actions like modifying security groups—only Lambda or Step Functions can execute the remediation logic.

373
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. What is the MOST efficient way to achieve this?

A. Use AWS Firewall Manager to deploy VPC Flow Logs and aggregate logs in a single account.
B. Configure VPC Flow Logs to deliver to a central CloudWatch Logs log group in the management account.
C. Configure VPC Flow Logs to deliver to a central S3 bucket in the security account, and use a bucket policy that grants the source accounts permission to write.
D. Set up VPC Flow Logs in each account to deliver to local S3 buckets, then use S3 replication to copy to a central bucket.
Answer: C

VPC Flow Logs can deliver directly to S3 cross-account using a bucket policy.

Why this answer

Option C is correct because it uses a central S3 bucket in the security account with a bucket policy that grants the PutObject permission to the VPC Flow Logs delivery service from each source account. This is the most efficient approach as it avoids per-account configuration overhead, eliminates the need for cross-account replication, and provides a single location for centralized analysis using services like Amazon Athena or Amazon QuickSight.

Exam trap

The trap here is that candidates assume Firewall Manager (Option A) handles log aggregation, but it only manages the configuration policy, not the actual log delivery destination; similarly, many mistakenly think CloudWatch Logs (Option B) supports cross-account delivery natively, which it does not.

How to eliminate wrong answers

Option A is wrong because AWS Firewall Manager can centrally deploy VPC Flow Logs configurations but does not aggregate the logs themselves; it only manages the policy, and logs still need to be delivered to a central destination. Option B is wrong because CloudWatch Logs log groups cannot be written to cross-account by default; VPC Flow Logs can only deliver to a CloudWatch Logs log group in the same account, and centralizing requires additional infrastructure like a subscription filter or Lambda to forward logs. Option D is wrong because it introduces unnecessary complexity and cost by requiring S3 replication, which adds latency and storage overhead, and is less efficient than direct cross-account delivery to a central bucket.

374
MCQ · hard

A company's security team discovers that an EC2 instance in the production account has been compromised. The instance has an IAM role attached that allows it to read from an S3 bucket containing sensitive data. The team needs to immediately stop the data exfiltration while preserving the evidence. What should the team do first?

A. Detach the S3 bucket from the VPC endpoint.
B. Apply an inline policy to the IAM role that denies all S3 actions.
C. Remove the IAM role from the EC2 instance.
D. Terminate the compromised EC2 instance immediately.
Answer: B

This immediately stops the role's ability to access S3.

Why this answer

Option B is correct because applying an inline policy that denies all S3 actions to the role immediately stops the exfiltration without terminating the instance, preserving evidence. Option D is wrong because terminating the instance may destroy evidence. Option A is wrong because modifying the bucket policy takes time and may not be immediate. Option C is wrong because removing the role may cause issues and does not immediately stop the exfiltration if the role's credentials are cached.

375
MCQ · hard

A security engineer notices that an IAM role allows an EC2 instance to access a DynamoDB table. The instance is compromised. What is the best way to immediately revoke the instance's access without affecting other resources that use the same role?

A. Attach a permissions boundary to the role that denies all DynamoDB actions.
B. Stop the EC2 instance.
C. Modify the trust policy of the role to deny the instance's ARN.
D. Delete the IAM role.
Answer: A

A permissions boundary can restrict the role's permissions without deleting it.

Why this answer

Option A is correct: a permissions boundary can restrict the role's permissions without deleting it. Option D is wrong because deleting the role would affect all resources using it. Option B is wrong because stopping the instance may not be immediate and could be delayed. Option C is wrong because modifying the trust policy would break all instances using that role.
