AWS Certified Security Specialty SCS-C02 (SCS-C02) · Questions 376-450

1738 questions total · 24 pages · All types, answers revealed


Page 6 of 24

376 · MCQ · hard

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs from account 123456789012 to the bucket my-trail-bucket. However, CloudTrail logs are not being delivered. What is the most likely reason?

A.The Principal should be the CloudTrail service principal for the specific region.
B.The Action should be s3:PutObjectAcl instead of s3:PutObject.
C.The resource ARN does not include the bucket name.
D.The policy is missing s3:GetBucketAcl permission.
Answer: D

Required by CloudTrail.

Why this answer

Option D is correct. The bucket policy must also grant the s3:GetBucketAcl permission to allow CloudTrail to verify the bucket's ACL. Without it, CloudTrail will fail.

Option A is wrong because the Principal is correct. Option B is wrong because the Action is correct. Option C is wrong because the resource ARN is correct.

377 · Multi-Select · medium

A security engineer is designing a VPC with private and public subnets. Which TWO actions improve network security? (Choose two.)

Select 2 answers
A.Use a single subnet for all resources to simplify network rules.
B.Use security groups to restrict traffic to the database from only the application tier.
C.Place database instances in a public subnet for easier management.
D.Use a NAT gateway in a public subnet for outbound traffic from private subnets.
E.Place an internet gateway in a private subnet.
Answers: B, D

Security groups provide stateful firewall rules for instance-level security.

Why this answer

Options B and D are correct. Option B is correct because a security group on the RDS database allows fine-grained control over which tier can reach it. Option D is correct because a NAT gateway in a public subnet allows outbound internet access for private instances without allowing inbound access.

Option E is wrong because an internet gateway in a private subnet would expose instances. Option C is wrong because a public subnet allows direct internet access. Option A is wrong because a single subnet defeats isolation.

378 · MCQ · hard

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that when an EC2 instance is terminated, the associated EBS volume is automatically deleted and the data is unrecoverable. However, the team also needs to retain the volume's data for 90 days for compliance purposes. What is the most secure and cost-effective approach?

A.Use Amazon Data Lifecycle Manager to create a snapshot and delete the volume after termination.
B.Before termination, create a snapshot of the volume, copy the snapshot encrypted with a new KMS key, then delete the volume and the original snapshot after 90 days.
C.Disable the KMS key used to encrypt the volume, then terminate the instance.
D.Configure the EC2 instance with 'DeleteOnTermination' attribute set to true and enable termination protection.
Answer: B

The snapshot copy with a new key ensures data is retained independently of the original volume and key.

Why this answer

Option B is correct because taking a snapshot of the volume before deletion, encrypting the copy with a different KMS key, and then deleting the volume ensures the data is retained for 90 days while the original volume is unrecoverable. Option C is wrong because disabling the key does not prevent data recovery if a snapshot exists. Option A is wrong because Data Lifecycle Manager does not handle the deletion.

Option D is wrong because it does not preserve the data.

379 · Multi-Select · medium

Which TWO are best practices for managing IAM policies? (Select TWO.)

Select 2 answers
A.Use wildcards (*) to simplify policy management
B.Use inline policies instead of managed policies
C.Use SCPs to enforce permissions
D.Grant least privilege by using specific actions and resources
E.Use AWS managed policies when possible
Answers: D, E

Least privilege is a security best practice.

Why this answer

Option D is correct because the principle of least privilege is a foundational security best practice in AWS IAM. By specifying exact actions (e.g., s3:GetObject) and resources (e.g., arn:aws:s3:::example-bucket/*) instead of using wildcards, you minimize the blast radius of a compromised credential or misconfigured policy. This aligns with the AWS Well-Architected Framework's security pillar, which mandates granting only the permissions required to perform a task.

Exam trap

The trap here is that candidates often confuse SCPs as a method to grant permissions, when in fact SCPs only define a maximum permission boundary and cannot grant any access—permissions must still be explicitly allowed by IAM policies within the account.

380 · MCQ · easy

A company wants to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which bucket policy condition should be used?

A.aws:SourceVpce
B.aws:SecureTransport
C.s3:x-amz-server-side-encryption
D.aws:SourceIp
Answer: B

This condition key checks whether the request was sent using SSL/TLS.

Why this answer

Option B is correct because the aws:SecureTransport condition enforces HTTPS. Option C is wrong because s3:x-amz-server-side-encryption enforces server-side encryption at rest, not encryption in transit. Option D is wrong because aws:SourceIp restricts IP addresses.

Option A is wrong because aws:SourceVpce refers to a VPC endpoint condition.

381 · MCQ · easy

Which AWS service can be used to create a private network connection between a VPC and an on-premises data center over dedicated physical lines?

A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.AWS Direct Connect
D.VPC Peering
Answer: C

Direct Connect provides dedicated physical connection.

Why this answer

AWS Direct Connect is the correct service because it establishes a dedicated, private network connection from an on-premises data center to a VPC using physical Ethernet cables routed through an AWS Direct Connect location. This bypasses the public internet entirely, providing consistent latency, higher bandwidth, and a more reliable connection than internet-based options.

Exam trap

The trap here is that candidates confuse AWS Site-to-Site VPN with a dedicated connection, but VPNs always traverse the public internet and do not provide the physical isolation or consistent performance of Direct Connect.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide the physical dedicated lines; it requires an underlying connection like Direct Connect or VPN to attach to. Option B is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, not over dedicated physical lines, so it does not meet the requirement for a private connection over dedicated infrastructure. Option D is wrong because VPC Peering connects two VPCs within AWS using the AWS global network, but it cannot connect to an on-premises data center and does not involve dedicated physical lines.

382 · MCQ · easy

A security engineer is investigating a potential data exfiltration incident where an EC2 instance is sending large volumes of data to an unknown IP address. Which AWS service should the engineer use to capture and analyze the network traffic for evidence?

A.AWS WAF
B.AWS Shield
C.Amazon Inspector
D.VPC Traffic Mirroring
Answer: D

VPC Traffic Mirroring can capture and inspect network traffic from EC2 instances.

Why this answer

VPC Traffic Mirroring is the correct choice because it allows you to capture and inspect network traffic from an EC2 instance by mirroring the traffic to a monitoring appliance or a security tool. This enables deep packet inspection to analyze the contents of the data being sent to the unknown IP address, providing evidence for data exfiltration. Unlike other services, Traffic Mirroring operates at the network level, copying all packets (including payloads) without affecting the source instance.

Exam trap

The trap here is that candidates often confuse VPC Traffic Mirroring with VPC Flow Logs, but Flow Logs only capture metadata (source/destination IP, ports, protocol, packet count) and not the actual packet payloads, making them insufficient for evidence of data exfiltration content.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS traffic at the application layer (Layer 7) and cannot capture or analyze raw network packets or non-HTTP traffic. Option B is wrong because AWS Shield is a DDoS protection service that mitigates volumetric attacks but does not provide packet capture or forensic analysis of outbound traffic. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposure, not a tool for capturing or analyzing live network traffic.

383 · Multi-Select · hard

Which THREE measures should a security team implement to detect and respond to potential security incidents in an AWS environment? (Select THREE.)

Select 3 answers
A.Run Amazon Inspector assessments.
B.Enable AWS CloudTrail.
C.Enable AWS Config.
D.Enable VPC Flow Logs for all VPCs.
E.Enable Amazon GuardDuty.
Answers: B, C, E

Logs API calls for auditing.

Why this answer

Options B, C, and E are correct. Amazon GuardDuty continuously monitors for malicious activity. AWS CloudTrail logs API calls for investigation.

AWS Config tracks configuration changes that may indicate security issues. Option D is wrong because VPC Flow Logs are for network traffic analysis, not detection of all incidents. Option A is wrong because Amazon Inspector is for vulnerability assessment, not incident detection.

384 · MCQ · easy

A security engineer is investigating a potential security incident and needs to determine if an EC2 instance was launched with a specific AMI ID. Which AWS log should be examined?

A.AWS Config timeline
B.VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Logs (EC2 agent logs)
Answer: C

CloudTrail logs the RunInstances API call, including the AMI ID.

Why this answer

CloudTrail logs API calls, including RunInstances, which contains the AMI ID. Option B is wrong because VPC Flow Logs do not contain instance metadata. Option D is wrong because CloudWatch Logs does not capture EC2 launch events by default.

Option A is wrong because AWS Config records resource configurations but not the API call details.

385 · MCQ · easy

A company uses Amazon RDS for MySQL to store customer data. The security team wants to ensure that the database is encrypted at rest. The database is already running and contains production data. The team needs to enable encryption at rest with minimal downtime. What should they do?

A.Create a read replica with encryption enabled, promote it to a standalone instance, and update the application connection string
B.Attach an encrypted EBS volume to the RDS instance
C.Take a snapshot of the database, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new instance
D.Modify the existing DB instance and enable encryption using the AWS CLI
Answer: A

Creating an encrypted read replica allows migration with minimal downtime.

Why this answer

Option A is correct because you cannot enable encryption on an existing RDS instance; you must create a new encrypted instance and migrate to it. Option D is wrong because you cannot modify the existing instance to add encryption. Option C is wrong because snapshots can be encrypted, but you still need to restore to a new instance, which involves more downtime.

Option B is wrong because you cannot attach encrypted storage to an RDS instance.

386 · MCQ · easy

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no resources can be created in a specific AWS Region except for the us-east-1 Region. Which policy type should the security team use?

A.IAM permissions boundary
B.IAM policy applied to the root user
C.Resource-based policy
D.Service control policy (SCP)
Answer: D

SCPs allow you to deny actions in specific Regions across all accounts in the organization.

Why this answer

Option D is correct because SCPs can restrict actions at the account level. Option B is wrong because IAM policies apply to users and roles, not to accounts. Option C is wrong because resource-based policies apply to specific resources.

Option A is wrong because service control policies are the correct mechanism, not IAM permissions boundaries.

387 · MCQ · hard

A security engineer needs to monitor for unauthorized API calls in real-time. Which combination of services should be used?

A.Amazon S3 event notifications and AWS Lambda
B.AWS CloudTrail and Amazon CloudWatch Logs with metric filters
C.AWS Config and Amazon SNS
D.Amazon GuardDuty and AWS CloudTrail
Answer: B

CloudTrail logs the calls; CloudWatch alarms on patterns.

Why this answer

AWS CloudTrail records all API calls in an AWS account, and CloudWatch Logs can ingest those logs. By creating metric filters on CloudWatch Logs, you can define patterns that match unauthorized API calls (e.g., AccessDenied errors) and trigger alarms in real time. This combination provides the necessary logging and real-time monitoring capability.

Exam trap

The exam often tests the distinction between services that log events (CloudTrail), services that detect threats (GuardDuty), and services that monitor configuration (Config), leading candidates to choose GuardDuty because it sounds security-focused, but it does not provide real-time metric-based alerting on raw API calls.

How to eliminate wrong answers

Option A is wrong because Amazon S3 event notifications are designed to notify on S3 object-level events (e.g., PUT, DELETE), not on API calls across all AWS services; they lack the ability to monitor unauthorized API calls broadly. Option C is wrong because AWS Config is a service for resource inventory, configuration history, and compliance rules, not for real-time monitoring of API call logs; Amazon SNS alone cannot parse or filter API call data. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes findings from multiple sources (including CloudTrail) but does not provide real-time monitoring of raw API calls itself; it relies on CloudTrail for data but adds latency for threat analysis rather than immediate metric-based alerting.
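To make the metric-filter idea concrete, here is an added Python example (not part of this question bank) that applies the same kind of pattern a CloudWatch Logs metric filter would use to a handful of constructed CloudTrail records and decides whether an alarm would fire. The sample records and the ARNs in them are constructed; the filter pattern is assumed to be the commonly used one for unauthorized API calls (errorCode ending in "UnauthorizedOperation" or starting with "AccessDenied").

```python
import fnmatch
import json
from collections import Counter

# Constructed CloudTrail records in the JSON-lines form that CloudWatch Logs
# ingests (sample data, not real log output). Successful calls carry no
# errorCode. One deliberately malformed line shows the parser skipping junk.
SAMPLE_LOG_LINES = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:01Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:00:05Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:00:09Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T10:00:12Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:00:20Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]) + "\nthis line is not JSON\n"

# Assumed metric-filter pattern: the common "unauthorized API calls" filter,
# expressed here as two glob patterns over the errorCode field.
UNAUTHORIZED_PATTERNS = ("*UnauthorizedOperation", "AccessDenied*")


def parse_cloudtrail_lines(text):
    """Parse JSON-lines CloudTrail records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a metric filter would simply not match such a line
    return events


def is_unauthorized(event):
    """True when the record's errorCode matches the unauthorized-call pattern."""
    code = event.get("errorCode", "")
    return any(fnmatch.fnmatchcase(code, p) for p in UNAUTHORIZED_PATTERNS)


def unauthorized_by_principal(events):
    """Count matching records per calling principal ARN (for triage)."""
    counts = Counter()
    for ev in events:
        if is_unauthorized(ev):
            counts[ev.get("userIdentity", {}).get("arn", "unknown")] += 1
    return dict(counts)


def should_alarm(events, threshold=1):
    """Mimic a CloudWatch alarm on the metric: fire when the count of matching
    records in the evaluation window reaches the threshold."""
    return sum(1 for ev in events if is_unauthorized(ev)) >= threshold


if __name__ == "__main__":
    evs = parse_cloudtrail_lines(SAMPLE_LOG_LINES)
    print(unauthorized_by_principal(evs))
    print("ALARM" if should_alarm(evs) else "OK")
```

In production the filtering happens inside CloudWatch Logs and the alarm sits on the resulting metric; the per-principal breakdown here is what an analyst would pull from CloudWatch Logs Insights once the alarm fires.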

388 · MCQ · medium

A company uses AWS KMS to encrypt data in Amazon Redshift. The security team needs to ensure that the KMS key cannot be deleted accidentally. What should be done?

A.Attach a key policy that denies deletion
B.Set a deletion window of at least 7 days
C.Disable the KMS key
D.Enable automatic key rotation
Answer: B

A deletion window provides a waiting period before deletion.

Why this answer

Option B is correct because scheduling key deletion with a waiting period of at least 7 days gives the team time to cancel an accidental deletion. Option C is wrong because disabling the key does not prevent deletion. Option D is wrong because automatic key rotation does not set a deletion window.

Option A is wrong because the key policy cannot prevent deletion.

389 · MCQ · hard

A security engineer applies the above S3 bucket policy. An application tries to upload an object with the header "x-amz-server-side-encryption: AES256". What will happen?

A.The upload succeeds because the policy allows SSE-S3.
B.The upload fails because the encryption header does not match 'aws:kms'.
C.The upload succeeds because the object is encrypted.
D.The upload fails because the header is missing.
Answer: B

The first statement denies non-KMS encryption headers.

Why this answer

Option B is correct. The first statement denies PutObject if the encryption header is not "aws:kms". Since the header is "AES256", it does not equal "aws:kms", so the StringNotEquals condition is true, resulting in a deny.

The second statement denies if the header is null; here it is not null, so the second statement does not apply. Thus, the request is denied.
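The evaluation walked through above, and the aws:SecureTransport condition from question 380, can be reproduced with a small evaluator. This is an added Python example, not part of the question bank, and the bucket policy in it is a constructed stand-in for the missing exhibit, built to the description given (deny PutObject when the encryption header is not aws:kms, deny when the header is absent, and deny any request not sent over HTTPS). The bucket name is an assumption, and the evaluator models only the Deny side of IAM evaluation with three condition operators.

```python
import fnmatch
import json

# Constructed bucket policy (assumption standing in for the exhibit).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _condition_matches(operator, key, expected, context):
    """Evaluate one condition key against the request context.

    Simplification (an assumption of this model): for every operator other
    than Null, a key that is absent from the request context does not match,
    which is why the policy carries a separate Null statement for the
    missing-header case.
    """
    present = key in context
    if operator == "Null":
        # "true" matches when the key is absent; "false" matches when present.
        return present != (str(expected).lower() == "true")
    if not present:
        return False
    actual = str(context[key])
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "Bool":
        return actual.lower() == str(expected).lower()
    raise ValueError(f"unsupported condition operator: {operator}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denying_statement(policy, action, context):
    """Return the Sid of the first Deny statement whose action and every
    condition match the request, or None when no Deny applies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, expected, context)
               for op, pairs in conditions.items()
               for key, expected in pairs.items()):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # The question's scenario: SSE-S3 header over HTTPS -> first statement denies.
    print(denying_statement(BUCKET_POLICY, "s3:PutObject",
                            {"s3:x-amz-server-side-encryption": "AES256",
                             "aws:SecureTransport": "true"}))
```

Each request's condition keys are passed in as a plain dict; in a real S3 request these come from the HTTP headers and the transport. An explicit Deny always wins, so the evaluator stops at the first matching Deny without needing to look at any Allow statements.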

390 · MCQ · medium

A company has an EC2 instance that needs to access an S3 bucket. The security team wants to use the principle of least privilege. Which method should be used to grant access?

A.Use a security group to allow outbound traffic to S3.
B.Store AWS access keys on the instance and use them in the application.
C.Create an IAM role with an S3 access policy and attach it to the EC2 instance profile.
D.Create a bucket policy that grants access to the EC2 instance ID.
Answer: C

This is the secure and recommended method.

Why this answer

Option C is correct because an IAM role assigned to the EC2 instance is the best practice. Option B is wrong because access keys stored on the instance are less secure. Option D is wrong because a bucket policy with a principal of the instance ID is not possible; bucket policies use IAM principals.

Option A is wrong because security groups do not grant access to S3.

391 · MCQ · medium

A company needs to allow an external auditor to access a specific S3 bucket for 30 days. The auditor does not have an AWS account. What is the MOST secure way to grant temporary access?

A.Create an IAM user with long-term credentials and share them with the auditor.
B.Use AWS STS to issue temporary credentials via a custom identity broker.
C.Grant access via a bucket policy using the auditor's email address as a condition.
D.Create an IAM role and allow the auditor to assume it using SAML federation.
Answer: B

Temporary credentials can be issued after authenticating the auditor externally.

Why this answer

Option B is correct because the auditor has no AWS account and therefore cannot assume a role directly; instead, a custom identity broker authenticates the auditor and uses AWS STS to issue temporary credentials. This is the recommended approach for granting access to external users without AWS accounts. Option A is not secure because it shares long-term credentials.

Option C is not possible because a bucket policy cannot grant access based on an email address. Option D is not possible because SAML federation requires a trust relationship with an identity provider that the auditor does not have.

392 · MCQ · medium

A security engineer is reviewing a KMS key policy. What does this policy accomplish?

A.Allow the SecurityAudit role to decrypt and re-encrypt data only from the same AWS account
B.Deny decryption to the SecurityAudit role
C.Allow the SecurityAudit role to use the key only for specific KMS keys
D.Allow any user from account 123456789012 to use the key
Answer: A

The condition restricts use to account 123456789012.

Why this answer

Option A is correct because the policy allows the SecurityAudit role to decrypt and re-encrypt only from the same account. Option B is wrong because the policy allows decrypt and re-encrypt rather than denying them. Option C is wrong because the policy does not restrict key usage to specific keys.

Option D is wrong because the policy grants the SecurityAudit role only, with the condition restricting use to the same account, not any user in it.

393 · MCQ · easy

A company needs to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which solution meets this requirement?

A.Use a VPN connection between the VPC and the database
B.Enable encryption at rest on the RDS instance
C.Enable SSL/TLS on the database connection
D.Use client-side encryption on the application
Answer: C

SSL/TLS encrypts data in transit.

Why this answer

SSL/TLS encrypts data in transit between the client and the database. Option B is wrong because encryption at rest does not protect data in transit. Option A is wrong because a VPN provides encryption but is overkill for a direct connection to the database.

Option D is wrong because client-side encryption would require application changes.

394 · MCQ · medium

A security engineer is designing a multi-tier web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The engineer needs to ensure that the EC2 instances only accept traffic from the ALB and not from any other source. Which security group configuration should the engineer use?

A.Allow inbound HTTP traffic from the ALB's public IP address on the EC2 instances' security group.
B.Allow inbound HTTP traffic from the VPC CIDR range on the EC2 instances' security group.
C.Allow inbound HTTP traffic from the ALB's security group on the EC2 instances' security group.
D.Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 instances' security group.
Answer: C

This restricts traffic to only the ALB.

Why this answer

Option C is correct because referencing the ALB's security group as the source allows inbound traffic only from the ALB. Option D allows all HTTP traffic. Option B uses the VPC CIDR, which is too broad.

Option A uses the ALB's public IP, which is not static and not recommended.

395 · MCQ · medium

A company needs to protect sensitive data in Amazon S3 from accidental deletion or overwriting. The data must be retained for at least 7 years after creation. Which combination of S3 features should be used?

A.Enable S3 Versioning and enable S3 Object Lock in Compliance mode
B.Use S3 Intelligent-Tiering and lifecycle policies
C.Enable S3 Versioning and MFA Delete
D.Enable S3 Object Lock in Governance mode and configure a lifecycle policy to expire objects after 7 years
Answer: D

Governance mode allows some users to bypass the lock if needed, and lifecycle expiration can delete objects after the retention period.

Why this answer

Option D is correct because Object Lock in Governance mode prevents deletion, and lifecycle policies can expire objects after 7 years. Option A only prevents deletion, not overwriting. Option C only protects against accidental deletion.

Option B only manages storage classes.

396 · MCQ · hard

During an incident response, a security engineer needs to collect volatile memory from a compromised EC2 instance without affecting the running system. The instance is critical and cannot be stopped. Which approach is most appropriate?

A.Stop the instance, detach the root volume, and attach it to a forensics instance for analysis.
B.Use AWS License Manager to create a snapshot of the instance memory.
C.Use Amazon EC2 Rescue to collect memory dump.
D.Use AWS Systems Manager Run Command to execute a memory capture utility.
Answer: D

Run Command can execute scripts without stopping the instance.

Why this answer

Option D is correct because AWS Systems Manager Run Command allows you to execute a memory capture utility (such as WinPmem or LiME) on the EC2 instance without stopping it, preserving volatile memory for forensic analysis. This approach uses the SSM Agent to run commands remotely, minimizing impact on the running system while collecting critical evidence like running processes, network connections, and kernel data.

Exam trap

The trap here is that candidates may think stopping the instance (Option A) is safe for forensics, but they forget that volatile memory is lost on shutdown, making it useless for memory analysis.

How to eliminate wrong answers

Option A is wrong because stopping the instance destroys volatile memory (RAM contents are lost on power-off), defeating the purpose of collecting a memory dump. Option B is wrong because AWS License Manager is a service for managing software licenses, not for capturing instance memory; it has no capability to snapshot RAM. Option C is wrong because Amazon EC2 Rescue is a tool for diagnosing and troubleshooting EC2 issues (e.g., collecting logs and configuration data), but it does not perform a full memory dump; it focuses on system health, not forensic memory acquisition.

397 · Multi-Select · easy

Which TWO are valid methods to secure data at rest in Amazon S3? (Choose TWO.)

Select 2 answers
A.Enabling default encryption on the S3 bucket.
B.Enabling MFA Delete.
C.Enabling S3 Versioning.
D.Configuring an S3 bucket policy to restrict access to specific IP addresses.
E.Using S3 Block Public Access settings.
Answers: A, E

Default encryption ensures objects are encrypted at rest.

Why this answer

Options A and E are correct. Server-side encryption (SSE-S3, SSE-KMS, SSE-C) and S3 Block Public Access are both methods to secure data at rest. Option D is wrong because bucket policies control access but do not encrypt data.

Option C is wrong because versioning helps with data recovery, not encryption. Option B is wrong because MFA Delete adds protection against deletion, not encryption.

398 · MCQ · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The Security Engineer needs to ensure that traffic between VPCs is inspected by a central network appliance. Which architecture should the Engineer implement?

A.Use Transit Gateway with appliance mode enabled on the attachments to the inspection VPC, and route inter-VPC traffic through the inspection VPC.
B.Use VPC Peering connections between all VPCs and route traffic through the inspection VPC.
C.Place the network appliance in a public subnet of the inspection VPC and use internet gateways for routing.
D.Use Transit Gateway with route tables that point to the network appliance's ENI for all inter-VPC traffic.
Answer: A

Appliance mode allows Transit Gateway to send traffic to the appliance even if the return traffic takes a different path.

Why this answer

Option A is correct because Transit Gateway supports appliance mode on attachments, which keeps both directions of a flow on the same appliance so inspection works with asymmetric routing. Option B is wrong because VPC Peering does not support central inspection. Option C is wrong because placing the appliance in a public subnet is not secure and does not leverage Transit Gateway.

Option D is wrong because route tables alone do not force traffic through the appliance if asymmetric routing is not handled.

399 · MCQ · medium

A company wants to allow users from an external AWS account to assume an IAM role in its account. What must be configured in both accounts?

A.An IAM password policy in both accounts.
B.Only the trusting account's role trust policy.
C.Only the external account's IAM policy to allow sts:AssumeRole.
D.Both the trusting account's role trust policy and the external account's IAM policy to allow sts:AssumeRole.
Answer: D

Cross-account access requires both sides: a trust policy and a permissions policy.

Why this answer

Option D is correct because the trusting account (role owner) must have a trust policy allowing the external account, and the external account must have a policy granting its users permission to assume the role. Option B is wrong because the trust policy alone is not sufficient. Option C is wrong because granting sts:AssumeRole in the external account alone is not sufficient.

Option A is wrong because neither account needs a password policy for this.

400 · MCQ · medium

A security engineer notices that an IAM user, 'svc-backup', has full S3 access (s3:*) to all buckets. The engineer wants to restrict the user to only put objects into a specific bucket named 'mycompany-backup' and deny all other S3 actions. Which IAM policy should be attached?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::mycompany-backup/*"}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","NotAction":"s3:PutObject","Resource":"*","Condition":{...}}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::mycompany-backup/*"}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::mycompany-backup/*"},{"Effect":"Deny","Action":"s3:*","Resource":"*"}]}
Answer: D

This allows only PutObject and denies all other S3 actions, effectively restricting the user.

Why this answer

Option D is correct because it explicitly allows s3:PutObject on the target bucket and denies all other S3 actions. Option A is wrong because it only allows s3:PutObject but does not deny other actions, so other S3 actions would still be allowed if the user has another policy granting them. Option C is wrong because it allows all S3 actions on the bucket, which is too broad.

Option B is wrong because it denies all S3 actions except PutObject, but a Deny effect combined with NotAction can be confusing; the more straightforward approach is Option D.

401 · MCQ · medium

A security engineer discovers that an IAM policy allows 'iam:CreateUser' and 'iam:CreateAccessKey' for all users in the account. Which risk does this pose?

A.Users can create new IAM users and programmatic access keys
B.Users can disable CloudTrail logging
C.Users can decrypt data in S3
D.Users can modify VPC security groups
Answer: A

This allows creation of new users and keys, which can be used for unauthorized access.

Why this answer

Option A is correct because creating access keys allows programmatic access, and creating users allows creation of new identities. Option B is incorrect because these permissions do not directly affect logging. Option C is incorrect because they do not directly affect encryption.

Option D is incorrect because they do not directly affect network traffic.

402 · MCQ · medium

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to determine if any unauthorized SSH keys were added to the instance's authorized_keys file. Which AWS service should be used to detect this change?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
Answer: D

AWS Config can track file changes via Systems Manager Inventory or custom rules.

Why this answer

Option D is correct because AWS Config, when integrated with AWS Systems Manager Inventory or a custom rule, can detect changes to the authorized_keys file. On its own, AWS Config records resource configurations such as security groups and IAM roles rather than file contents, so none of the options is a perfect fit, but AWS Config with a custom rule backed by SSM is the best answer among them. Option B is wrong because AWS CloudTrail records API calls, not file changes.

Option C is wrong because Amazon GuardDuty detects threats based on network and API activity. Option A is wrong because Amazon Inspector assesses vulnerabilities, not file integrity.

403 · MCQ · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (port 443) to 0.0.0.0/0. The private subnet route table has a default route (0.0.0.0/0) pointing to a NAT Gateway in the public subnet. The NAT Gateway's security group allows inbound HTTPS from the private subnet CIDR. However, the instance cannot download patches. What is the most likely cause?

A.The network ACL for the private subnet is blocking outbound traffic
B.The NAT Gateway's security group is blocking outbound traffic to the internet
C.The private subnet route table does not have a route to the NAT Gateway
D.The security group attached to the EC2 instance is blocking inbound traffic
AnswerB

NAT Gateway's security group must allow outbound HTTPS to 0.0.0.0/0.

Why this answer

The question is keyed to option B on the premise that the NAT gateway carries a security group that must allow both inbound HTTPS from the private subnet CIDR and outbound HTTPS to 0.0.0.0/0. That premise is wrong: NAT gateways do not have security groups. The only VPC controls in the path are the instance's security group (stateful; outbound 443 is already allowed), the network ACLs of both subnets (stateless) and the route tables. If the security-group premise is set aside, option A is the realistic cause: because network ACLs are stateless, an outbound rule for TCP 443 is not enough; an inbound rule on the private subnet's NACL must also admit the return traffic on the ephemeral port range (1024-65535) from 0.0.0.0/0, and the public subnet's NACL and its route to the internet gateway must be checked the same way.

Option C is wrong because the stem states the 0.0.0.0/0 route to the NAT gateway is present. Option D is wrong because security groups are stateful: return traffic for a connection the instance initiated is allowed regardless of inbound rules, and a patch download needs no inbound rule.
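The stateless-NACL failure described in the explanation, as an added example (not code from the question bank or from AWS): a small model of network ACL evaluation run over both halves of one HTTPS connection from the private instance. The rule numbers, CIDRs and the remote address are constructed.

```python
"""Why a stateless network ACL can break patching through a NAT gateway.

Added example, not code from the question bank or from AWS. It models VPC
network ACL evaluation (ascending rule number, first match wins, implicit deny)
for both halves of one HTTPS connection from a private instance; the CIDRs,
rule numbers and the remote address 203.0.113.10 are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated in ascending order; first match wins
    protocol: str     # "tcp", "udp" or "all"
    cidr: str         # destination CIDR for an outbound rule, source CIDR for inbound
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, address, port):
    """Decide one packet against one direction's rule list.

    Mirrors VPC behaviour: rules are tried in ascending number; the first whose
    protocol, CIDR and port range all match decides; the implicit '*' rule at
    the end denies anything nothing matched."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"


def https_flow(outbound_rules, inbound_rules, remote_ip, ephemeral_port):
    """Both legs of instance -> remote_ip:443 through the NAT gateway.

    A security group is stateful and admits the reply automatically; a NACL
    is not, so the reply (source remote_ip, destination port = the instance's
    ephemeral port) needs its own inbound rule."""
    out = evaluate(outbound_rules, "tcp", remote_ip, 443)
    back = evaluate(inbound_rules, "tcp", remote_ip, ephemeral_port)
    return {"outbound": out, "return": back,
            "completes": out == "allow" and back == "allow"}


# Outbound: HTTPS to anywhere, matching the instance's security group.
OUTBOUND = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Inbound as often found on a "locked down" private subnet: intra-VPC only.
INBOUND_BROKEN = [NaclRule(100, "all", "10.0.0.0/16", 0, 65535, "allow")]
# Fix: admit the return half of outbound connections on the ephemeral range.
INBOUND_FIXED = INBOUND_BROKEN + [
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

if __name__ == "__main__":
    for label, inbound in (("broken", INBOUND_BROKEN), ("fixed", INBOUND_FIXED)):
        print(label, https_flow(OUTBOUND, inbound, "203.0.113.10", 49152))
```

The same two-leg check applies to the public subnet's NACL, where the roles are reversed: the NAT gateway's outbound packet to the internet and the inbound reply on the gateway's ephemeral port.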

404
MCQhard

A company uses AWS KMS with a customer managed key to encrypt an S3 bucket. The security team notices that the KMS key is being used by an unintended IAM role. What is the MOST effective way to restrict the key usage to only the intended role?

A.Remove the default key policy and attach an IAM policy to the intended role
B.Use an S3 bucket policy to restrict access to the intended role
C.Modify the key policy to allow only the intended role and deny all others
D.Create a new KMS key and attach a new key policy
AnswerC

The key policy is the primary access control for a KMS key; it can be written to allow only the intended role.

Why this answer

Option C is correct. The key policy is the authoritative access control for a customer managed key: name only the intended role as the Principal in the statements that grant kms:Encrypt, kms:Decrypt, kms:GenerateDataKey* and kms:DescribeKey (add a kms:ViaService condition for s3 if the key is only ever used through S3), and remove or narrow the statement that delegates key access to IAM policies in the account (the "Enable IAM User Permissions" statement with the account root as Principal), because that delegation is usually what lets the unintended role in. An explicit Deny is rarely needed once the allow list is tight; anything not allowed is denied. Option A is wrong because a KMS key always has a key policy; it cannot be removed, and an IAM policy only works if the key policy delegates to IAM in the first place. Option B is wrong because an S3 bucket policy controls access to the bucket, not to the KMS key; the role could still call the key directly.

Option D is wrong because creating a new key and re-encrypting every object is disruptive and unnecessary when the existing key policy can simply be corrected.

405
MCQhard

Refer to the exhibit. A security engineer applied the bucket policy shown. What is the effect of this policy?

A.All PutObject requests are denied.
B.Only GetObject requests that use HTTP are denied.
C.Only GetObject requests from specific IP ranges are denied.
D.All GetObject requests to the bucket are denied.
AnswerB

The deny statement applies only when aws:SecureTransport is false, i.e. to requests sent over plain HTTP.

Why this answer

The exhibit's Deny statement on s3:GetObject carries two condition keys: a NotIpAddress test on aws:SourceIp against 192.0.2.0/24, and a test that aws:SecureTransport is false. Every condition in a statement must match for the statement to apply (they are ANDed), so the deny fires only for a GetObject request that is sent over plain HTTP and comes from outside 192.0.2.0/24. GetObject over HTTPS is never denied by this statement, whatever its source IP, and PutObject is not named at all, so it is unaffected. Note that the transport test has to be a Bool condition: a Null condition on aws:SecureTransport would only check whether the key is present in the request context, and for S3 requests it always is.

Exam trap

The trap is reading the NotIpAddress condition on its own and concluding that every request from outside 192.0.2.0/24 is denied. The transport condition in the same statement narrows the deny to HTTP requests; HTTPS requests from any address still pass.

How to eliminate wrong answers

Option A is wrong because the statement names only s3:GetObject, so PutObject requests are not denied. Option C is wrong because the statement denies requests that are not from the listed range (NotIpAddress), not requests from it, and even then only when the request is over HTTP. Option D is wrong because HTTPS GetObject requests never match the deny; only HTTP GetObject requests from outside the range do.

406
MCQmedium

A security engineer needs to restrict outbound traffic from a VPC to only allow HTTPS traffic to specific domains (e.g., api.example.com). The VPC has a NAT gateway in a public subnet. What is the most secure way to implement this restriction?

A.Configure security group egress rules to allow HTTPS to 0.0.0.0/0.
B.Deploy an AWS Network Firewall in the VPC and configure domain filtering rules.
C.Configure network ACL outbound rules to allow HTTPS to the IP addresses of the allowed domains.
D.Create a VPC endpoint for Amazon S3 and route traffic through it.
AnswerB

Network Firewall can filter outbound traffic by domain name, matching the HTTP Host header or the TLS Server Name Indication; full TLS inspection is optional.

Why this answer

Option B is correct. AWS Network Firewall is a managed stateful firewall; a stateful rule group with a domain list (or Suricata-compatible rules) allows only the listed FQDNs, matching the HTTP Host header or the TLS Server Name Indication, so the allow list keeps working when api.example.com moves to a new IP address. Route the private subnets' default route through the firewall endpoint before the NAT gateway. Option A (security group egress to 0.0.0.0/0) allows HTTPS to any destination and cannot express a domain.

Option C (network ACLs) is wrong because NACLs are stateless IP/port filters; pinning them to today's addresses of a domain breaks when DNS answers change and still admits any host behind those addresses. Option D (VPC endpoint for S3) is wrong because a gateway endpoint only carries traffic to S3 (or DynamoDB), not to arbitrary HTTPS domains.

407
MCQhard

A security engineer is troubleshooting connectivity issues from an EC2 instance in a private subnet to an S3 bucket. The instance has a security group allowing outbound HTTPS (443) to 0.0.0.0/0, and the subnet's network ACL allows outbound HTTPS to 0.0.0.0/0. However, requests to S3 are timing out. Which additional configuration is most likely required?

A.Attach an IAM role to the EC2 instance with S3 permissions
B.Modify the security group to allow traffic to the S3 region-specific IP range
C.Add a VPC Gateway Endpoint for S3 and update the route table
D.Configure a TLS termination proxy
AnswerC

A Gateway Endpoint provides a route to S3 without internet access.

Why this answer

Option C is correct. The instance has no path to S3: no NAT gateway or internet gateway route is mentioned for the private subnet, so requests to the regional S3 endpoint time out at the network layer. A gateway endpoint for S3 adds a route for the S3 managed prefix list to the subnet's route table that keeps the traffic on the AWS network, and the endpoint policy can then restrict which buckets are reachable. Option A is wrong because a missing IAM role produces an authorization error (403), not a timeout; IAM governs permissions, not connectivity. Option B is wrong because the security group already allows outbound 443 to 0.0.0.0/0, which covers S3's addresses; narrowing it to S3's published IP ranges does not create a path.

Option D is wrong because S3 speaks HTTPS natively; no proxy is required.

408
MCQmedium

A security team discovers that an IAM user's credentials are being used from an unusual geographic location. Which AWS service can provide automated response to revoke the user's access immediately?

A.Amazon GuardDuty
B.AWS Systems Manager Automation
C.AWS Lambda
D.AWS Config
AnswerB

SSM Automation runbooks can execute actions like disabling access keys in response to events.

Why this answer

AWS Systems Manager Automation is correct because it can be triggered by Amazon GuardDuty findings (e.g., UnauthorizedAccess:IAMUser/AnomalousBehavior) via Amazon EventBridge to run an automation document that immediately revokes the IAM user's access keys and applies a deny-all policy. This provides a fully automated, low-latency response without requiring manual intervention or custom code.

Exam trap

The trap here is that candidates often pick Amazon GuardDuty because they associate it with threat detection, but they overlook that GuardDuty only detects and alerts—it requires a separate automation service like Systems Manager Automation to actually perform the revocation.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that identifies anomalous activity but does not have built-in capabilities to automatically revoke IAM user credentials; it relies on downstream services like Systems Manager Automation or Lambda for response. Option C is wrong because AWS Lambda is a compute service that can execute custom code to revoke credentials, but it is not a managed automated response service itself—it requires you to write and maintain the function, whereas Systems Manager Automation provides a pre-built, auditable runbook. Option D is wrong because AWS Config is a resource compliance and configuration tracking service; it cannot directly revoke IAM credentials or respond to real-time security events.

409
MCQmedium

A security engineer notices that an EC2 instance in a private subnet is able to make outbound connections to the internet. The instance does not have a public IP, and there is no NAT gateway or instance in the VPC. What is the most likely cause?

A.The VPC has an egress-only internet gateway for IPv6 traffic.
B.The instance has a public IP assigned automatically via Auto-assign Public IP.
C.The instance is using a VPC endpoint (Gateway type) for S3.
D.The subnet's route table has a default route (0.0.0.0/0) pointing to an internet gateway.
AnswerD

A 0.0.0.0/0 route to an internet gateway makes the subnet public, whatever it is called.

Why this answer

Option D is correct. "Private subnet" is a label, not a VPC attribute; what makes a subnet private is the absence of a route to an internet gateway. If the subnet's route table sends 0.0.0.0/0 to the VPC's internet gateway, the subnet is public and instances in it have a path to the internet. One caveat to check on the instance itself: an internet gateway only forwards IPv4 traffic for instances that hold a public or Elastic IP, so confirm the instance really has none (the subnet's Auto-assign public IP setting is the usual way one appears unnoticed).

Option A is wrong because an egress-only internet gateway carries only IPv6 traffic; the scenario describes IPv4. Option B is wrong because the stem states the instance has no public IP. Option C is wrong because a gateway endpoint carries traffic only to S3 or DynamoDB over the AWS network; it is not a path to the internet.

410
MCQeasy

A security engineer finds this IAM policy attached to a user. The user is able to create CloudTrail trails but cannot start logging. What is the MOST likely reason?

A.The user lacks `iam:PassRole` permission for the CloudTrail service role.
B.The `StartLogging` action is not listed in the policy.
C.The policy does not specify the `cloudtrail:StartLogging` action.
D.The user does not have permission to create CloudTrail trails.
AnswerA

When a trail delivers to CloudWatch Logs, CloudTrail must be passed an IAM role, which requires iam:PassRole.

Why this answer

As keyed, the user can create trails but cannot start logging because the trail is configured to deliver to CloudWatch Logs: CloudTrail assumes an IAM role to write to the log group, and the principal who wires that role into the trail must hold iam:PassRole for it. Delivery to S3 does not use a role (that is governed by the bucket policy), so the PassRole requirement comes from the CloudWatch Logs integration, even though the policy already contains cloudtrail:CreateTrail and cloudtrail:StartLogging.

Exam trap

The trap here is that candidates hunt for a missing cloudtrail:StartLogging action when the policy already has it; the missing permission is iam:PassRole, a common oversight when a trail also delivers to CloudWatch Logs.

How to eliminate wrong answers

Options B and C say the same thing in different words, and both are wrong for the same reason: the exhibit policy already grants cloudtrail:StartLogging, so a missing action cannot be the cause (two options that are identical in substance are a hint that neither is the key). Option D is wrong because the user is able to create CloudTrail trails, which directly contradicts it.

411
MCQmedium

A developer needs to allow an EC2 instance to read from a DynamoDB table named 'Orders' in the same account. The security team requires that the permissions be granted using an instance profile. Which steps should be taken?

A.Create an IAM role with a policy that allows dynamodb:GetItem on the 'Orders' table, create an instance profile, add the role to the profile, and launch the EC2 instance with the instance profile
B.Create an instance profile and attach a policy to it, then launch the EC2 instance with the instance profile
C.Create an IAM role with the required policy, then attach the role directly to the EC2 instance during launch
D.Create an IAM user with programmatic access, store the access key in a secure S3 bucket, and have the EC2 instance retrieve the credentials at startup
AnswerA

This is the standard way to grant permissions to an EC2 instance: role, instance profile, then launch with the profile.

Why this answer

Option A is correct: permissions live in an IAM role, an instance profile is the container that attaches the role to an instance, and the instance then obtains short-lived credentials from the instance metadata service, so no long-lived keys are stored anywhere. Option B is wrong because policies attach to roles, not to instance profiles; a profile without a role grants nothing. Option C is wrong because a role cannot be attached to an instance directly; it must be wrapped in an instance profile (the console, and aws iam create-instance-profile followed by add-role-to-instance-profile, do this for you, which is why it looks direct).

Option D is wrong because long-lived IAM user access keys fetched from S3 are static secrets that can leak and must be rotated by hand; an instance role removes them entirely.

412
MCQeasy

A security engineer needs to audit all API calls made in an AWS account for the past 90 days. Which AWS service should the engineer use?

A.Amazon S3 access logs
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Logs
AnswerB

CloudTrail records API calls for auditing.

Why this answer

Option B is correct because CloudTrail records the API calls made in the account. Note the retention detail: the CloudTrail console's Event history keeps only the last 90 days of management events; a trail delivering to S3 keeps logs for as long as the bucket's lifecycle rules retain them, and CloudTrail Lake has its own retention setting. Option A is wrong because S3 server access logs cover requests to one bucket, not account-wide API activity. Option C is wrong because Config records resource configuration changes, not API calls.

Option D is wrong because CloudWatch Logs is a log store; it only contains API history if CloudTrail is configured to send events to it.

413
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload objects to the S3 bucket 'example-bucket' using the AWS CLI from a remote location. What is the MOST likely cause?

A.The CLI is using HTTP instead of HTTPS.
B.The bucket policy denies access.
C.The bucket requires server-side encryption.
D.The user is not authorized to upload to the bucket.
E.The user does not have s3:PutObject permission.
AnswerA

The policy's Deny statement blocks requests that are not sent over HTTPS.

Why this answer

Option A is correct. The exhibit's IAM policy allows s3:PutObject but also carries a Deny statement with the condition aws:SecureTransport = false, which blocks any request made over plain HTTP. The AWS CLI uses HTTPS by default, so in practice this happens when the user has pointed the CLI at an http:// endpoint (for example with --endpoint-url) or is going through a proxy that downgrades the connection; point the CLI back at the HTTPS endpoint and the upload succeeds.

Option B is wrong because no bucket policy is shown or mentioned; the deny comes from the IAM policy itself. Option C is wrong because the policy contains no encryption condition (such as s3:x-amz-server-side-encryption).

Options D and E are wrong because the policy explicitly allows s3:PutObject on the bucket; the user is authorized, and the request is denied only because of its transport.

414
Multi-Selectmedium

A security engineer is configuring a VPC for a web application. The VPC has public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The engineer wants to ensure that the database servers are not accessible from the internet. Which two actions should the engineer take?

Select 2 answers
A.Place the database instances in a public subnet with a NAT gateway.
B.Assign public IP addresses to the database instances.
C.Ensure the route table for the database subnets does not have a default route to an Internet Gateway.
D.Create a security group for the database instances that allows inbound traffic only from the web servers' security group.
E.Configure a network ACL on the database subnets to deny all inbound traffic.
AnswersC, D

Without a route to an internet gateway, nothing on the internet can reach the database subnets directly.

Why this answer

Options C and D are correct. A subnet is private precisely because its route table has no 0.0.0.0/0 route to an internet gateway (option C), and the database security group should admit traffic only from the web tier's security group on the database port (option D), so even another host inside the VPC cannot connect. Option E is unnecessary and harmful as written: a network ACL that denies all inbound traffic also blocks the web servers; a NACL that permits only the web subnets' CIDRs is a reasonable extra layer, but the security group reference is what gives the required granularity.

Option A is incorrect because moving the databases into a public subnet exposes them; a NAT gateway provides outbound access from private subnets and does not hide resources in a public one. Option B is incorrect because a public IP is exactly what makes an instance reachable from the internet.

415
MCQmedium

A security engineer configured the S3 bucket policy shown above for CloudTrail log delivery, but CloudTrail is not delivering logs. What is the MOST likely reason?

A.The policy does not include s3:GetBucketAcl permission.
B.The bucket is in the wrong region.
C.The resource ARN is incorrect.
D.The bucket does not have default encryption enabled.
AnswerA

CloudTrail needs s3:GetBucketAcl on the bucket to verify the bucket ACL before it writes.

Why this answer

Option A is correct. CloudTrail's bucket policy needs two grants to the cloudtrail.amazonaws.com service principal: s3:GetBucketAcl on the bucket ARN, and s3:PutObject on arn:aws:s3:::bucket/AWSLogs/ACCOUNT-ID/* with the condition s3:x-amz-acl = bucket-owner-full-control. Without the ACL check, CloudTrail reports that it cannot deliver to the bucket even though the PutObject grant is present. Option B is wrong because a trail can deliver to a bucket in a different region.

Option C is wrong because the exhibit's resource ARN is correct for CloudTrail's AWSLogs prefix. Option D is wrong because default bucket encryption is not a delivery requirement (CloudTrail uses SSE-S3 unless you configure SSE-KMS, in which case the key policy must also allow CloudTrail).
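A check for the two grants named above, as an added example (not code from the question bank or from AWS): it validates a bucket policy the way CloudTrail's delivery test would, and distinguishes the missing ACL check from a wrong account prefix. The bucket name, account ID and policies are constructed.

```python
"""Check an S3 bucket policy for the grants CloudTrail needs before it will
deliver log files.

Added example, not code from the question bank or from AWS. It encodes the two
statements in AWS's reference CloudTrail bucket policy: s3:GetBucketAcl on the
bucket for the cloudtrail.amazonaws.com service principal, and s3:PutObject on
AWSLogs/<account-id>/* with the s3:x-amz-acl = bucket-owner-full-control
condition. The bucket name and account ID in the samples are constructed."""
import fnmatch

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _cloudtrail_allow_statements(policy):
    """Allow statements whose Principal includes the CloudTrail service."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            yield stmt
        elif isinstance(principal, dict) and CLOUDTRAIL in _as_list(principal.get("Service", [])):
            yield stmt


def _grants(stmt, action, resource_arn):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources))


def check_cloudtrail_bucket_policy(policy, bucket, account_id):
    """Return a list of problems; an empty list means CloudTrail can deliver."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # A representative object key CloudTrail would write under the account prefix.
    sample_object = f"{bucket_arn}/AWSLogs/{account_id}/CloudTrail/us-east-1/sample.json.gz"
    problems = []
    acl_ok = write_ok = acl_condition_ok = False
    for stmt in _cloudtrail_allow_statements(policy):
        if _grants(stmt, "s3:GetBucketAcl", bucket_arn):
            acl_ok = True
        if _grants(stmt, "s3:PutObject", sample_object):
            write_ok = True
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            acl_condition_ok = acl_condition_ok or cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
    if not acl_ok:
        problems.append(f"no Allow of s3:GetBucketAcl on {bucket_arn} for {CLOUDTRAIL}")
    if not write_ok:
        problems.append(f"no Allow of s3:PutObject on {bucket_arn}/AWSLogs/{account_id}/* for {CLOUDTRAIL}")
    elif not acl_condition_ok:
        problems.append("s3:PutObject grant lacks StringEquals s3:x-amz-acl = bucket-owner-full-control")
    return problems


# The policy from the question: the write grant alone, no ACL check (constructed).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/123456789012/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}

# The corrected policy: the ACL-check statement added in front of the write grant.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::my-trail-bucket"},
] + BROKEN_POLICY["Statement"]}

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_cloudtrail_bucket_policy(pol, "my-trail-bucket", "123456789012") or "OK")
```

For an organization trail the write grant also needs the organization's prefix (AWSLogs/ORG-ID/*); adding an aws:SourceArn condition naming the trail ARN to both statements is the recommended hardening so that only that trail can use the grants.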

416
MCQhard

A security engineer is designing a centralized logging solution for a multi-account AWS environment. They need to ensure log files are tamper-proof and cannot be deleted or modified by anyone, including the root user of any account. Which configuration meets these requirements?

A.Create a bucket policy that denies s3:DeleteObject and s3:PutObject to all principals.
B.Enable MFA Delete on the S3 bucket and configure CloudTrail to log to that bucket.
C.Enable CloudTrail log file validation and store logs in a separate account.
D.Enable S3 Object Lock in Governance mode with a retention period, and use a separate account to manage the retention settings.
AnswerD

Object Lock keeps object versions from being deleted or overwritten for the retention period; Governance mode can be bypassed only by principals holding s3:BypassGovernanceRetention, which a separate logging account withholds from the source accounts.

Why this answer

Option D is correct as keyed. S3 Object Lock prevents an object version from being deleted or overwritten until its retention period expires. In Governance mode that protection holds against every principal except one explicitly granted s3:BypassGovernanceRetention; putting the bucket in a dedicated logging account means no role in a source account, root included, holds that permission, so a compromised source account cannot touch the logs. Two caveats a practitioner should know: Object Lock protects object versions, so versioning is mandatory and writing the same key again creates a new version while the locked one remains; and if the requirement really is "nobody, including the root user of the logging account", Compliance mode is the mode that no one can bypass or shorten, whereas Governance mode can be bypassed by a sufficiently privileged principal in the bucket's own account.

Exam trap

The trap here is that candidates confuse MFA Delete (which only adds an extra authentication step for deletion and does not prevent the bucket owner from deleting) with S3 Object Lock (which makes object versions immutable for the retention period: in Compliance mode for everyone including root, in Governance mode for everyone without s3:BypassGovernanceRetention).

How to eliminate wrong answers

Option A is wrong because a bucket policy that denies s3:DeleteObject and s3:PutObject to all principals would also block legitimate log delivery from services like CloudTrail or S3 access logs, making the logging solution non-functional. Option B is wrong because MFA Delete only protects against accidental or unauthorized deletion of objects and requires the MFA token to be presented with the delete request; it does not prevent the root user from deleting objects if they have the MFA device, and it does not prevent modification (overwriting) of objects. Option C is wrong because CloudTrail log file validation only provides integrity verification through digital signatures (SHA-256 hashing) to detect tampering after the fact, but it does not prevent deletion or modification of log files; a malicious actor could still delete or alter logs, and the validation would only reveal that tampering occurred.

417
MCQhard

A company uses a multi-account AWS Organizations setup with hundreds of accounts. The security team uses AWS Security Hub in the management account to aggregate findings from all accounts. They have configured Amazon GuardDuty in all accounts and enabled AWS Config with recording. Recently, they noticed that Security Hub is not displaying any findings from GuardDuty in member accounts, even though GuardDuty is generating sample findings. The security team has verified that the Security Hub integration with GuardDuty is enabled in the management account. What is the most likely reason for the missing findings?

A.The IAM role for Security Hub in the management account lacks permissions to read findings from member accounts.
B.AWS Security Hub is not enabled in the member accounts.
C.Amazon GuardDuty is not enabled in the member accounts.
D.The member accounts have not enabled the integration between GuardDuty and Security Hub.
AnswerD

Each member account must enable the integration to forward findings to Security Hub.

Why this answer

Option D is correct because in a multi-account AWS Organizations setup, Security Hub in the management account aggregates findings from member accounts only if each member account has explicitly enabled the integration between GuardDuty and Security Hub. Even if GuardDuty is generating sample findings in member accounts, Security Hub will not display those findings unless the member account has enabled the GuardDuty-to-SecurityHub integration (via the Security Hub console or API). The management account enabling the integration does not automatically propagate the integration to member accounts.

Exam trap

The trap here is that candidates assume enabling the integration in the management account automatically propagates to all member accounts, but AWS requires each member account to explicitly enable the GuardDuty-to-SecurityHub integration for findings to be forwarded.

How to eliminate wrong answers

Option A is wrong because Security Hub in the management account uses AWS Organizations' trusted access and the AWSServiceRoleForSecurityHub service-linked role to read findings from member accounts; no additional IAM role permissions are required for cross-account reading of findings. Option B is wrong because Security Hub must be enabled in member accounts to receive findings, but the question states that Security Hub is aggregating findings from all accounts, implying it is enabled in member accounts; the issue is specifically about GuardDuty findings not appearing. Option C is wrong because the question explicitly states that GuardDuty is generating sample findings in member accounts, confirming GuardDuty is enabled and functioning in those accounts.

418
MCQeasy

A company wants to protect data in transit between an on-premises data center and Amazon S3. Which AWS service should be used to establish a dedicated, encrypted connection?

A.AWS Direct Connect without VPN
B.AWS Transit Gateway
C.AWS Direct Connect with an IPsec VPN
D.AWS Site-to-Site VPN over the internet
AnswerC

A dedicated circuit plus IPsec encryption.

Why this answer

Option C is correct. AWS Direct Connect provides a dedicated private circuit but does not encrypt traffic by itself; running an IPsec Site-to-Site VPN over the Direct Connect connection (through a public virtual interface) adds the encryption. Option A is wrong because Direct Connect alone is dedicated but unencrypted (MACsec is available only on certain dedicated connections). Option B is wrong because Transit Gateway is a hub for connecting VPCs and on-premises networks; it is neither a dedicated link nor, by itself, an encrypted one. Option D is wrong because a Site-to-Site VPN over the internet is encrypted but not dedicated.

419
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce that all S3 buckets across the organization have block public access enabled. Which policy should be used?

A.Configure a bucket policy on each S3 bucket to deny public access.
B.Create a service control policy (SCP) that denies s3:PutBucketPublicAccessBlock for all accounts.
C.Apply an IAM policy to the root user of each account.
D.Use AWS CloudFormation StackSets to deploy a bucket with public access blocked.
AnswerB

SCPs deny actions for every principal in the targeted accounts, including the root user.

Why this answer

Option B is correct because a service control policy applies to every principal in the targeted accounts, including the root user, so a Deny on s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock prevents anyone from switching the setting off; pair it with a one-time StackSet or script that turns block public access on at the account level, since an SCP forbids changes but does not set the value. Option A is incorrect because bucket policies are per bucket and can be rewritten by whoever administers the bucket. Option C is incorrect because IAM policies cannot be attached to the root user and bind only the identities they are attached to.

Option D is incorrect because StackSets can deploy the setting but cannot stop someone from changing it afterwards; StackSets plus the SCP is the complete pattern.

420
MCQmedium

An IAM policy has the following statement: { "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:SecureTransport": "false" } } }. What does this policy do?

A.Denies all S3 access for any request.
B.Requires MFA for all S3 access.
C.Allows all S3 access only if using HTTPS.
D.Denies all S3 access if the request is not using HTTPS.
AnswerD

The BoolIfExists condition matches when aws:SecureTransport is false, and also when the key is absent from the request context.

Why this answer

Option D is correct because the statement denies every S3 action whenever aws:SecureTransport is false, which is the value S3 sets for requests sent over plain HTTP. The IfExists suffix matters: if the key were missing from the request context the condition would also match and the request would be denied, whereas a plain Bool condition fails on a missing key; for S3 the key is always present, so the two behave the same here. Option A is wrong because HTTPS requests do not match the condition and are not denied. Option C is wrong because a Deny statement never grants anything; an Allow elsewhere is still required for HTTPS access.

Option B is wrong because MFA is tested with aws:MultiFactorAuthPresent, not aws:SecureTransport.
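The condition semantics that questions 405, 413 and 420 turn on, as an added example (not code from the question bank or from AWS): a small evaluator for the operators those statements use, including IAM's behaviour when a key is absent and the explicit-deny-wins ordering. The bucket, object key and addresses are constructed.

```python
"""A minimal evaluator for the transport and source-IP conditions in the S3
policies of questions 405, 413 and 420.

Added example, not code from the question bank or from AWS. It implements only
the condition operators those statements use (Bool, IpAddress, NotIpAddress,
StringEquals, their ...IfExists forms, and Null) with IAM's documented
behaviour for an absent key, plus the explicit-deny-wins ordering across
policies. Resource and action matching is a plain glob, and the request context
is a flat dict; the bucket, object and addresses are constructed."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition key under one operator against the request context."""
    present = key in ctx
    if operator == "Null":
        # Null tests presence only: "true" means the key must be absent.
        return present != (str(expected).lower() == "true")
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    negated = base in ("NotIpAddress", "StringNotEquals")
    if not present:
        # Absent key: ...IfExists and negated operators match, all others fail.
        return if_exists or negated
    actual = str(ctx[key])
    wanted = [str(v) for v in _as_list(expected)]
    if base == "Bool":
        hit = actual.lower() in [w.lower() for w in wanted]
    elif base in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(actual)
        hit = any(addr in ipaddress.ip_network(w, strict=False) for w in wanted)
    elif base in ("StringEquals", "StringNotEquals"):
        hit = actual in wanted
    else:
        raise ValueError(f"operator not modelled: {operator}")
    return not hit if negated else hit


def statement_matches(stmt, action, resource, ctx):
    """Action, resource and every condition key must match (conditions are ANDed)."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    return all(condition_matches(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def evaluate(policies, action, resource, ctx):
    """'explicit_deny' if any Deny matches, else 'allow' if any Allow matches,
    else 'implicit_deny'. IAM and bucket policies in the same account combine this way."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


# The user's Allow from question 413 (constructed bucket name).
USER_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

# Question 420: BoolIfExists also matches when the key is absent.
DENY_HTTP_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}}}]}

# Question 405 as described on the page: both conditions must hold for the deny.
DENY_HTTP_GET_OUTSIDE_RANGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"},
                   "NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}

OBJ = "arn:aws:s3:::example-bucket/report.csv"

if __name__ == "__main__":
    for ctx in ({"aws:SecureTransport": "true", "aws:SourceIp": "198.51.100.5"},
                {"aws:SecureTransport": "false", "aws:SourceIp": "198.51.100.5"},
                {"aws:SecureTransport": "false", "aws:SourceIp": "192.0.2.7"}):
        print(ctx, evaluate([USER_ALLOW, DENY_HTTP_GET_OUTSIDE_RANGE], "s3:GetObject", OBJ, ctx))
```

The absent-key branch is the one to study: a negated operator such as NotIpAddress matches when the key is missing, which is why a Deny built on it still fires for requests that carry no source IP, while an Allow built on IpAddress silently stops applying.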

421
Multi-Selecthard

A security engineer is reviewing an IAM policy that allows access to an S3 bucket. The policy includes a condition that checks 'aws:SourceIp'. However, users report they can still access the bucket from IP addresses not in the allowed list. Which THREE possible reasons could explain this behavior?

Select 3 answers
A.The policy is attached to an IAM group, but the user is not a member of that group
B.The 'aws:SourceIp' condition key is not supported for S3 actions
C.The policy is attached to an IAM role that is used by an AWS service, and the condition does not apply to service principals
D.The condition key is misspelled, causing the condition to be ignored
E.The bucket policy allows public access, overriding the IAM policy
AnswersC, D, E

When a request is made by an AWS service or from inside AWS, aws:SourceIp is the service's or instance's address, not the end user's.

Why this answer

Option C is correct because aws:SourceIp holds the public address the request arrives from. When an AWS service makes the call on a principal's behalf (for example CloudFormation creating a resource, or another service calling S3 with the role's credentials), that address belongs to the service, not to the person who started the action, so the user's own IP is never what is tested. The same effect appears with an instance role (the address is the instance's public IP or the NAT gateway's) and with VPC endpoints, where the key is absent and aws:VpcSourceIp must be used instead. Option D is correct as keyed; in practice a misspelled key in a StringEquals or IpAddress test is simply not found in the request context, which makes an Allow statement fail to apply rather than apply more broadly, so this is the weakest of the three reasons. Option E is correct because policies in the same account are combined: an Allow in the bucket policy for Principal "*" grants access on its own, and a condition in the IAM policy cannot narrow a grant that comes from another policy; only an explicit Deny can. Option A is wrong because a user who is not in the group is not governed by the policy at all and would be denied unless something else allows them. Option B is wrong because aws:SourceIp is a global condition key that S3 supports.

Exam trap

The trap here is that candidates assume `aws:SourceIp` always carries the end user's address, overlooking that when an AWS service or an instance makes the call, the address tested is the service's or instance's, and that a grant in another policy is not narrowed by this policy's condition at all.

422
MCQhard

A company has a VPC with a public subnet and a private subnet. An Amazon RDS instance is in the private subnet, and an application server is in the public subnet. The security team needs to allow the application server to connect to the RDS instance on port 3306 (MySQL). Which configuration will meet this requirement securely?

A.Add an inbound rule to the RDS security group that allows traffic from the VPC CIDR on port 3306.
B.Add an inbound rule to the RDS security group that allows traffic from the security group of the application server on port 3306.
C.Add an inbound rule to the RDS security group that allows traffic from the subnet CIDR of the application server on port 3306.
D.Add an inbound rule to the RDS security group that allows traffic from 0.0.0.0/0 on port 3306.
AnswerB

This restricts access to exactly the instances carrying the application server's security group.

Why this answer

Option B is correct. Security groups can reference other security groups, so the rule "allow TCP 3306 from the application server's security group" admits exactly the instances carrying that group, survives IP changes and autoscaling, and admits nothing else. Option A is incorrect because it admits every host in the VPC.

Option C is incorrect because it admits everything in the application subnet, including any compromised or future host placed there. Option D is incorrect because it exposes the database port to the internet.

423
Multi-Selecthard

A company needs to protect data in Amazon S3 by ensuring that only authorized users can access objects, and all access is logged. Which TWO services should be used together? (Choose TWO.)

Select 2 answers
A.AWS Identity and Access Management (IAM)
B.AWS CloudTrail
C.AWS KMS
D.AWS WAF
E.Amazon CloudWatch
AnswersA, B

IAM policies define who can access S3 objects.

Why this answer

AWS Identity and Access Management (IAM) is correct because it enables you to define granular permissions for S3 objects, ensuring that only authorized users or roles can access them via IAM policies or S3 bucket policies. AWS CloudTrail is correct because it logs API calls made to S3. One detail matters for "all access is logged": bucket-level management events are logged by default, but object-level operations such as GetObject and PutObject are data events that must be enabled on the trail (or in CloudTrail Lake) for the bucket; S3 server access logs are an alternative record of object requests. Together, IAM and CloudTrail satisfy the requirement of controlling access and logging it.

Exam trap

The trap here is that candidates often confuse AWS KMS with access control because encryption is related to data protection, but KMS does not authorize user access or log access events, which are the core requirements in this question.

424
MCQeasy

A company needs to be alerted when root account credentials are used in their AWS account. Which service should be used to create a metric filter and alarm for this event?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerD

CloudWatch Logs is where metric filters and alarms on CloudTrail events are defined.

Why this answer

CloudWatch Logs is the service where the metric filter and alarm live. Send the trail to a CloudWatch Logs log group, create a metric filter matching root activity (the CIS benchmark pattern is { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }), and put a CloudWatch alarm on the resulting metric that notifies an SNS topic. GuardDuty raises its own findings for root credential use, but the question asks for a custom metric filter and alarm. CloudTrail is the source of the events, not where filters and alarms are defined.

Config evaluates resource configuration and has no notion of a sign-in event.
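The detection logic behind that metric filter, as an added example (not code from the question bank or from AWS): the same three tests applied in Python to newline-delimited CloudTrail records, so the filter's behaviour can be checked offline before it is deployed. The three records are constructed; identifiers, times and addresses are placeholders.

```python
"""Flag root-credential use in CloudTrail events, the logic behind the CIS
metric filter for question 424.

Added example, not code from the question bank or from AWS. The three
CloudTrail records are constructed (IDs, times and addresses are placeholders);
the filter pattern string is the CIS AWS Foundations Benchmark pattern for root
usage, and is_root_usage() applies the same three tests in Python so the
behaviour can be checked offline before the metric filter is deployed."""
import json

# CloudWatch Logs metric filter pattern (CIS benchmark control for root usage).
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def is_root_usage(event):
    """True for actions taken with root credentials by a person or script.

    The two exclusions mirror the filter: calls an AWS service makes with the
    root principal on the account's behalf (invokedBy present) and
    service-generated events are not someone signing in as root."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def find_root_usage(log_lines):
    """Parse newline-delimited CloudTrail records and summarise the root hits."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_root_usage(event):
            hits.append({
                "time": event.get("eventTime"),
                "event": event.get("eventName"),
                "source_ip": event.get("sourceIPAddress"),
                "mfa": event.get("additionalEventData", {}).get("MFAUsed"),
            })
    return hits


# Constructed sample records: one console sign-in as root, one call an AWS
# service made with the root principal on the account's behalf, one IAM-user call.
SAMPLE_LOG = """
{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}, "eventTime": "2024-05-01T08:12:33Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "eventType": "AwsConsoleSignIn", "additionalEventData": {"MFAUsed": "No"}}
{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "invokedBy": "AWS Internal"}, "eventTime": "2024-05-01T08:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "eventType": "AwsApiCall"}
{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012", "userName": "alice"}, "eventTime": "2024-05-01T08:20:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.8", "eventType": "AwsApiCall"}
"""

if __name__ == "__main__":
    print(ROOT_USAGE_FILTER_PATTERN)
    for hit in find_root_usage(SAMPLE_LOG.splitlines()):
        print(hit)
```

The MFAUsed field is pulled out because a root sign-in without MFA is the case that should page someone; the metric filter itself only counts matches, so that distinction is made in the alarm's downstream handling or in a second, stricter filter.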

425
Multi-Selecthard

Which THREE are best practices for securing AWS CloudTrail log files? (Choose three.)

Select 3 answers
A.Restrict access to the S3 bucket using a bucket policy that requires MFA and encryption.
B.Enable CloudTrail log file integrity validation.
C.Enable server-side encryption (SSE) for the S3 bucket.
D.Deliver logs to an S3 bucket in the same region as the trail.
E.Set a lifecycle policy to delete logs after 30 days.
AnswersA, B, C

Limit who can read or change the log files, protect them at rest, and make tampering detectable.

Why this answer

Option A is correct because a bucket policy that restricts access (and requires MFA for deletion) keeps the logs readable and writable only by authorized principals and the CloudTrail service. Option B is correct because log file integrity validation produces signed hourly digest files, so any modified or deleted log file can be detected. Option C is correct because server-side encryption (SSE-S3, or SSE-KMS with a key policy that allows CloudTrail) protects the logs at rest.

Option D is incorrect because the delivery region is not a security control; a trail can deliver to a bucket in another region, and a central bucket in a separate logging account is the usual design. Option E is incorrect because deleting logs after 30 days destroys evidence; retain them for at least as long as investigation and compliance needs require (commonly a year or more), using lifecycle rules to move them to cheaper storage classes rather than to delete them.

426
MCQhard

A company has a requirement that all Amazon EC2 instances must be launched with an IAM role that grants least-privilege permissions. The security team wants to prevent users from launching instances without a role, and also want to ensure that the role used is one of a set of approved roles. How can this be enforced?

A.Use an SCP to require that all EC2 instances have an IAM role attached.
B.Attach an IAM policy to users that denies ec2:RunInstances unless the ec2:InstanceProfile condition matches an approved profile ARN.
C.Use an SCP to deny ec2:RunInstances unless the instance profile is in a specific list of ARNs.
D.Use AWS Config to detect instances without a role and automatically terminate them.
AnswerB

The ec2:InstanceProfile condition ties the RunInstances call to an approved instance profile ARN; a launch with no profile or with an unapproved one is denied.

Why this answer

Option B is correct as keyed. A Deny on ec2:RunInstances with an ArnNotEquals (or StringNotEquals) condition on ec2:InstanceProfile against the list of approved profile ARNs rejects an unapproved role, and because negated operators match when the key is absent, it also rejects a launch that passes no profile at all. Option A is wrong because it only demands that some role be present, not an approved one. Option D is wrong because Config is detective: the instance has already run, possibly with excessive permissions, before it is terminated.

Option C: SCPs do support service-specific condition keys such as ec2:InstanceProfile, so an SCP can express the same rule. The page keys option B, but in a multi-account organization an SCP is the stronger guardrail, because users with IAM permissions inside the account cannot edit it.

427
Multi-Selecthard

A security engineer is designing a solution to allow an external auditor to access logs in an S3 bucket in the company's AWS account. The auditor does not have an AWS account. The engineer needs to grant read-only access to the specific bucket for a limited time. Which TWO actions should the engineer take? (Choose two.)

Select 2 answers
A. Enable S3 Access Analyzer on the bucket to generate findings for the auditor.
B. Create a cross-account IAM role in the company's account and share the role ARN with the auditor.
C. Use AWS STS to issue temporary credentials that the auditor can use to access the bucket.
D. Generate a pre-signed URL for each log file the auditor needs to access.
E. Configure the bucket policy to grant access to 'Principal': '*' with a condition that limits access to the auditor's IP address.
Answers: C, D

STS can issue temporary credentials with a specified expiration; the auditor can use these to access the bucket.

Why this answer

Option C is correct because AWS Security Token Service (STS) can issue temporary, limited-privilege credentials (access key, secret key, and session token) that the auditor can use to authenticate API requests to the S3 bucket. This approach does not require the auditor to have an AWS account and allows the engineer to control the validity period (via the DurationSeconds parameter) to enforce a limited time window. Option D is correct because a pre-signed URL embeds temporary credentials and a specific expiration time, granting read-only access to a single object without requiring the auditor to have AWS credentials or an AWS account.

Exam trap

The trap here is that candidates often choose cross-account IAM roles (Option B) without realizing that the external user must have an AWS account to assume the role, which is explicitly not the case in this scenario.

428
MCQ · hard

A company uses AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team notices that management events are being logged, but data events for Amazon S3 are not appearing in the CloudTrail logs for any account. The team needs to enable data event logging for S3 across all accounts. Currently, the organization trail is configured in the management account, and all member accounts have default CloudTrail configurations. What is the MOST efficient way to enable S3 data event logging for all current and future accounts in the organization?

A. Ask each member account to create a new trail in their own account with S3 data events enabled.
B. Update the existing organization trail's event selectors in the management account to include S3 data events for all accounts.
C. Enable S3 server access logging on all S3 buckets across the organization and aggregate logs in a central S3 bucket.
D. Create a new organization trail in the management account with S3 data events enabled, and share it with member accounts.
Answer: B

Updating the organization trail applies changes to all current and future accounts automatically.

Why this answer

The correct answer is B. By updating the organization trail's event selectors to include S3 data events, CloudTrail automatically applies this configuration to all accounts in the organization, including future accounts.

Option A is incorrect because member accounts cannot modify an organization trail, and creating a new trail in each account is inefficient and does not leverage the organization trail. Option C is incorrect because S3 server access logs are a different feature and do not capture data events via CloudTrail.

429
MCQ · easy

A company wants to encrypt data stored in Amazon S3 using server-side encryption with customer-provided keys (SSE-C). Which statement is correct regarding SSE-C?

A. The customer provides the encryption key in each request to S3.
B. AWS manages the encryption keys.
C. The same encryption key is used for all objects in the bucket.
D. The encryption key is stored in AWS KMS.
Answer: A

With SSE-C, you must include the encryption key in each request to upload or download an object.

Why this answer

SSE-C requires the customer to provide the encryption key and its MD5 digest in every PUT or GET request to Amazon S3. S3 uses the key to encrypt the object at rest and then discards the key; it is never stored by AWS. This ensures the customer retains full control over the encryption key material.

Exam trap

The trap here is that candidates confuse SSE-C with SSE-S3 or SSE-KMS, assuming AWS manages the keys or that keys are stored in KMS, when in fact SSE-C requires the customer to supply the key with every request and AWS never retains it.

How to eliminate wrong answers

Option B is wrong because SSE-C explicitly does not involve AWS managing the keys; the customer provides and manages the key. Option C is wrong because SSE-C takes the key from each individual request; the same key is not automatically applied to all objects in the bucket unless the customer deliberately sends the same key each time. Option D is wrong because the encryption key is not stored in AWS KMS; SSE-C keys are provided by the customer in each request and are not persisted by AWS.

430
MCQ · easy

A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to set up this metric alarm?

A. Amazon CloudWatch Alarms
B. Amazon Inspector
C. AWS Config
D. AWS CloudTrail
Answer: A

CloudWatch Alarms monitor metrics and trigger actions based on thresholds.

Why this answer

Option A is correct because CloudWatch Alarms can monitor any CloudWatch metric and trigger actions when a threshold is breached. Option B is wrong because Amazon Inspector is a vulnerability assessment service. Option C is wrong because AWS Config monitors configuration changes.

Option D is wrong because AWS CloudTrail logs API calls.

431
MCQ · medium

A security engineer is configuring AWS CloudTrail to log management events for all AWS regions. The engineer needs to ensure that log files are encrypted at rest and that access to the log files is logged. Which solution meets these requirements?

A. Enable CloudTrail with SSE-C encryption and enable AWS CloudTrail Insights to log access.
B. Enable CloudTrail with SSE-S3 encryption and enable S3 server access logging on the destination bucket.
C. Enable CloudTrail with default encryption and enable AWS Config to log access.
D. Enable CloudTrail with SSE-KMS encryption and enable S3 server access logging on the destination bucket.
Answer: D

CloudTrail supports SSE-KMS for encryption at rest, and S3 server access logs capture requests to the bucket.

Why this answer

Option D is correct because CloudTrail can be configured to use SSE-KMS for encryption, and S3 server access logs can log access to the log files. Option B is wrong because SSE-S3 does not provide access logging. Option A is wrong because SSE-C is not supported by CloudTrail.

Option C is wrong because CloudWatch Logs does not encrypt log files at rest by default.

432
MCQ · easy

A company needs to encrypt data at rest in its Amazon EBS volumes. The company wants to use an encryption key that is automatically rotated every year without any manual intervention. Which key type should be used?

A. Imported key material in a customer managed key
B. AWS managed key for EBS
C. Customer managed key with manual rotation
D. Default EBS encryption using an AWS managed key
Answer: B

AWS managed keys are automatically rotated annually.

Why this answer

AWS managed keys are automatically rotated annually. Customer managed keys can have automatic rotation enabled, but the question implies a managed solution. Option B is correct.

Option C is incorrect because customer managed keys require enabling automatic rotation. Option A is incorrect because imported keys do not support automatic rotation. Option D is incorrect because the default EBS encryption uses an AWS managed key, but the question asks for the key type.

433
MCQ · medium

A security engineer is investigating a potential credential compromise. An IAM user's access key was used to launch EC2 instances in a region where the user has never operated before. The engineer wants to quickly identify all API calls made by this user in the last 24 hours, including the source IP addresses. Which AWS service or feature should be used?

A. AWS CloudTrail
B. VPC Flow Logs
C. AWS Trusted Advisor
D. Amazon CloudWatch Logs
Answer: A

CloudTrail records all management and data events, including API calls with user identity and source IP.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made by IAM users, including the source IP address, user identity, and request details. By querying CloudTrail logs for the specific IAM user's access key over the last 24 hours, the engineer can identify every EC2-related and other API call, along with the originating IP addresses, enabling rapid investigation of the potential credential compromise.

Exam trap

The trap here is that candidates may confuse VPC Flow Logs (network-level traffic) with CloudTrail (API-level activity), mistakenly thinking flow logs can identify which IAM user performed an action, when in fact flow logs only show IP addresses and ports without user identity.

How to eliminate wrong answers

Option B (VPC Flow Logs) is wrong because it captures network traffic metadata (IP addresses, ports, protocols) at the VPC level, not API calls made by IAM users; it cannot show which user or access key initiated an EC2 instance launch. Option C (AWS Trusted Advisor) is wrong because it provides best-practice checks and recommendations (e.g., security groups, cost optimization), not a record of API activity or source IPs for user actions. Option D (Amazon CloudWatch Logs) is wrong because it is a service for monitoring, storing, and accessing log files from various AWS resources (e.g., application logs, Lambda logs), but it does not natively capture IAM user API call history; CloudTrail logs can be sent to CloudWatch Logs, but CloudWatch Logs itself is not the source of API call records.

434
MCQ · medium

A company has a security requirement to capture all DNS queries made by EC2 instances for threat analysis. Which AWS service can provide this capability with minimal configuration?

A. VPC Flow Logs
B. Amazon Inspector
C. Amazon Route 53 Resolver DNS Firewall
D. AWS CloudTrail
Answer: C

Route 53 Resolver DNS Firewall can log and filter DNS queries.

Why this answer

Amazon Route 53 Resolver DNS Firewall can capture and log all DNS queries made by EC2 instances by enabling DNS query logging to Amazon S3 or CloudWatch Logs. This requires minimal configuration because it integrates directly with the VPC's DNS resolver, automatically capturing outbound DNS traffic without needing agents or changes to instance configurations.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which capture network traffic metadata) with DNS query logging, not realizing that DNS queries are application-layer (Layer 7) and require a DNS-specific logging mechanism like Route 53 Resolver DNS Firewall's query logging feature.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (source/destination IPs, ports, protocols) but do not capture DNS query names or content; they operate at Layer 3/4, not Layer 7. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposure, not a DNS query logging or threat analysis tool. Option D is wrong because AWS CloudTrail records API calls made to AWS services (e.g., EC2 RunInstances), not network-level DNS queries from instances.

435
Multi-Select · easy

A security engineer needs to grant a user read-only access to an S3 bucket. Which THREE of the following are required in the IAM policy?

Select 3 answers
A. Action: s3:ListBucket
B. Action: s3:GetObject
C. Action: s3:PutObject
D. Effect: Allow
E. Action: s3:DeleteObject
Answers: A, B, D

Correct: Allows listing objects.

Why this answer

Options A, B, and D are correct. To grant read-only access, the policy must allow s3:ListBucket on the bucket resource and s3:GetObject on the object resources. Option C is wrong because s3:PutObject is write access.

Option E is wrong because s3:DeleteObject is not needed for read-only.

436
MCQ · easy

A company needs to ensure that data in transit between an on-premises data center and Amazon S3 is encrypted. Which AWS service should be used to establish a dedicated encrypted connection?

A. AWS Transit Gateway
B. AWS Site-to-Site VPN
C. AWS Direct Connect with VPN
D. AWS Client VPN
Answer: C

Dedicated private connection with encryption.

Why this answer

AWS Direct Connect provides a dedicated, private network connection from an on-premises data center to AWS, but it does not inherently encrypt data in transit. By combining Direct Connect with a VPN (IPsec tunnel), you get both a dedicated connection and encryption of all traffic between the on-premises network and Amazon S3. This ensures data in transit is protected while avoiding the public internet.

Exam trap

The trap here is that candidates often assume Direct Connect alone provides encryption, but it does not—it only provides a private, dedicated physical link; encryption must be added via a VPN overlay, which is why the combination is the correct answer.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that connects VPCs and on-premises networks, but it does not itself provide encryption or a dedicated connection; it can route traffic over VPN or Direct Connect but is not the service that establishes the encrypted link. Option B is wrong because AWS Site-to-Site VPN uses the public internet to create an encrypted tunnel, which does not provide a dedicated connection; it relies on internet routing and can suffer from variable latency and bandwidth. Option D is wrong because AWS Client VPN is a managed remote access VPN service for individual clients (e.g., laptops) to connect to AWS, not for establishing a dedicated encrypted connection between an entire on-premises data center and S3.

437
MCQ · medium

A security engineer is reviewing the security group rules for a web server. The security group currently has the following inbound rules: allow HTTP from 0.0.0.0/0, allow HTTPS from 0.0.0.0/0, and allow SSH from 0.0.0.0/0. Which change should the engineer make to improve security?

A. Remove the HTTP rule and keep only HTTPS.
B. Change the SSH rule to allow from the VPC CIDR only.
C. Change the SSH rule to allow from a specific IP range used by the company's administrators.
D. Add a rule to allow ICMP from 0.0.0.0/0.
Answer: C

This limits SSH access to authorized users.

Why this answer

Option C is correct. SSH should be restricted to specific IPs (e.g., the corporate network) to prevent unauthorized access. Option A would break functionality.

Option B is not sufficient; SSH should be restricted further. Option D is unnecessary if the rules already exist.

438
MCQ · hard

A company uses Amazon Route 53 for DNS and wants to log all DNS queries made from its VPC. The logs must be stored in Amazon S3 for compliance purposes. Which solution meets these requirements?

A. Enable Route 53 Resolver query logging and publish to an S3 bucket.
B. Install a CloudWatch Logs agent on each EC2 instance and configure it to send DNS logs to CloudWatch Logs.
C. Enable AWS CloudTrail for DNS API calls and deliver to an S3 bucket.
D. Enable VPC Flow Logs and publish to an S3 bucket.
Answer: A

Route 53 Resolver query logging captures DNS queries made by resources in your VPC and can deliver logs to S3.

Why this answer

Option A is correct because Route 53 Resolver query logs can log DNS queries made by resources within a VPC and can be exported to S3. Option D is wrong because VPC Flow Logs capture IP traffic, not DNS queries. Option B is wrong because CloudWatch Logs can capture logs but not directly from Route 53 Resolver without additional configuration.

Option C is wrong because AWS CloudTrail does not log DNS query content.

439
MCQ · hard

During an incident response, a security engineer needs to preserve the state of an EC2 instance for forensic analysis. The instance is running a production workload that cannot be interrupted. Which of the following actions should the engineer take FIRST to ensure data integrity?

A. Run the dd command to clone the root volume to another EBS volume.
B. Create an AMI from the instance while it is running.
C. Take a snapshot of the attached EBS volumes while the instance is running.
D. Use AWS Systems Manager Run Command to create a memory dump and store it in S3.
Answer: D

Memory dumps capture volatile data for forensic analysis without stopping the instance.

Why this answer

Option D is correct because during an incident response, preserving volatile data (such as memory contents) is critical before any other action that might alter the system state. AWS Systems Manager Run Command can execute a command (e.g., using `dd` or `LiME`) to capture a memory dump and store it in Amazon S3 without interrupting the production workload. This ensures that forensic artifacts like running processes, network connections, and encryption keys are preserved before any disk-level operations that could overwrite or modify evidence.

Exam trap

The trap here is that candidates often prioritize disk-level preservation (snapshots or AMIs) as the first step, forgetting that volatile memory contains critical evidence that is lost the moment the instance is stopped or snapshotted, and that AWS Systems Manager can capture this data without interrupting the workload.

How to eliminate wrong answers

Option A is wrong because running the `dd` command to clone the root volume to another EBS volume requires the volume to be unmounted or in a consistent state; doing so on a running production instance can cause data corruption or I/O errors, and it does not capture volatile memory. Option B is wrong because creating an AMI from a running instance without first freezing the filesystem (e.g., using `fsfreeze`) can result in an inconsistent image due to ongoing writes, and it does not capture memory contents. Option C is wrong because taking a snapshot of attached EBS volumes while the instance is running does not guarantee crash consistency unless all volumes are snapshotted simultaneously (multi-volume snapshot), and it still fails to preserve volatile memory data that is essential for forensic analysis.

440
MCQ · medium

A company wants to allow its employees to authenticate to the AWS Management Console using their existing corporate credentials. Which AWS service should be used to integrate with the company's identity provider?

A. AWS Secrets Manager
B. AWS Directory Service for Microsoft Active Directory
C. AWS Certificate Manager
D. AWS IAM Identity Center (AWS SSO)
Answer: D

IAM Identity Center supports federation with external IdPs.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it is specifically designed to enable single sign-on (SSO) from an external identity provider (IdP) to AWS accounts and business applications. It supports federation via SAML 2.0 or OIDC, allowing employees to authenticate using their existing corporate credentials and then access the AWS Management Console without needing separate IAM users.

Exam trap

The trap here is that candidates often confuse AWS Directory Service for Microsoft Active Directory with federation, but Directory Service is for managing AD domains in AWS, not for integrating with an external corporate IdP to provide SSO to the AWS console—that requires IAM Identity Center or IAM SAML federation.

How to eliminate wrong answers

Option A is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (e.g., database credentials, API keys), not for federating identity or integrating with an external IdP for console access. Option B is wrong because AWS Directory Service for Microsoft Active Directory is used to create a managed Microsoft AD domain in AWS or connect to an on-premises AD, but it does not directly provide the federation layer to authenticate corporate users to the AWS Management Console via an external IdP; that requires IAM Identity Center or IAM SAML federation. Option C is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates for securing network traffic, not identity federation or authentication to the AWS console.

441
MCQ · easy

A company is migrating sensitive data to Amazon S3. The data must be encrypted at rest using keys managed by the company. The company also requires an audit trail of key usage. Which solution meets these requirements?

A. Use SSE-S3 with default encryption.
B. Use SSE-C and store the keys in AWS Secrets Manager.
C. Use SSE-KMS with a customer-managed key and enable CloudTrail for KMS.
D. Use AWS CloudHSM to generate and store keys, and use Amazon S3 with SSE-KMS.
Answer: C

Customer-managed KMS keys provide audit via CloudTrail.

Why this answer

Option C is correct because AWS KMS with a customer-managed key provides encryption at rest and integrates with AWS CloudTrail to log every use of the key. Option A is wrong because SSE-S3 uses Amazon-managed keys, with no customer control or audit. Option B is wrong because SSE-C does not provide key usage auditing.

Option D is wrong because CloudHSM can be used but requires more effort for audit; KMS is simpler.

442
MCQ · medium

A company uses IAM roles for cross-account access. Developers in Account A need to assume a role in Account B. What must be true for the AssumeRole call to succeed?

A. Account A must have an SCP that allows sts:AssumeRole
B. The user in Account A must have MFA enabled
C. The role's trust policy must allow Account A and the user must have sts:AssumeRole permission
D. The role in Account B must have a permissions boundary
Answer: C

Both conditions are required.

Why this answer

Option C is correct because the trust policy in Account B must allow Account A, and the user in Account A must have sts:AssumeRole permission. Option A is wrong because an SCP in Account A might allow it. Option B is wrong because MFA is not required.

Option D is wrong because the role exists.

443
MCQ · medium

A company needs to encrypt data at rest in Amazon S3 using customer-provided encryption keys. The keys must be stored securely and rotated automatically every 90 days. Which solution meets these requirements?

A. Use SSE-C and upload new keys to S3 every 90 days.
B. Use AWS KMS with a customer-managed key (CMK) and enable automatic key rotation.
C. Use SSE-S3 and enable automatic key rotation in the S3 bucket properties.
D. Use AWS CloudHSM and generate a new key every 90 days via a custom script.
Answer: B

KMS CMKs support automatic rotation every 90 days (or yearly).

Why this answer

Option B is correct because AWS KMS with customer-managed keys (CMK) allows automatic key rotation every 90 days (or yearly if managed by KMS). Option C is wrong because SSE-S3 uses Amazon-managed keys with automatic rotation of 90 days, but the keys are not customer-provided. Option A is wrong because SSE-C requires customers to provide keys but does not offer automatic rotation.

Option D is wrong because CloudHSM requires manual key rotation.

444
MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team notices a series of `UpdateTrail` API calls from a user in the Security account, disabling logging on a multi-region trail. The user has a policy that allows `cloudtrail:UpdateTrail` only on trails with a specific tag. However, the trail does not have that tag. What is the MOST likely reason the call succeeded?

A. The trail did not have the required tag at the time of the API call due to a race condition.
B. The trail had an explicit deny in the same policy that was overridden by a separate allow.
C. The user's permissions were granted through a service control policy (SCP) that allowed the action.
D. CloudTrail API calls are not logged and bypass IAM policies.
Answer: A

If the tag condition was not met, the call should have failed unless the user had other permissions.

Why this answer

Option A is correct because AWS IAM policies are evaluated based on the resource's tags at the time of the API call. If the `UpdateTrail` API call was made while the trail's tag was being removed or added, a race condition could cause the trail to temporarily lack the required tag, allowing the action to succeed despite the policy's intent. This is a known edge case in IAM tag-based authorization, where eventual consistency of tag changes can lead to unintended access.

Exam trap

The trap here is that candidates assume IAM tag-based conditions are strictly enforced in real-time, but AWS's eventual consistency model can create race conditions that allow actions to succeed even when tags are not present at the exact moment of the API call.

How to eliminate wrong answers

Option B is wrong because an explicit deny in the same policy would always override any allow, and the scenario states the policy only allows `cloudtrail:UpdateTrail` on tagged trails, not that there is an explicit deny. Option C is wrong because a service control policy (SCP) can only deny or allow actions at the account level, but it cannot override a resource-based condition like a tag requirement; if the SCP allowed the action, the user still needed the tag condition to be met. Option D is wrong because CloudTrail API calls are indeed logged by CloudTrail itself (as management events), and IAM policies are always evaluated for every API call, including those to CloudTrail.

445
MCQ · medium

A company uses AWS WAF to protect a web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

A. IP set rule
B. Geographic match rule
C. Rate-based rule
D. SQL injection match rule
Answer: D

SQL injection match rules inspect request parameters for SQL-like patterns.

Why this answer

Option D is correct because AWS WAF provides a dedicated SQL injection match rule that inspects incoming requests for SQL injection patterns in the URI, query string, or body. This rule uses a set of predefined SQL-like patterns (e.g., 'OR 1=1', 'UNION SELECT') to detect and block malicious input, directly addressing the security team's requirement.

Exam trap

The trap here is that candidates may confuse a rate-based rule (which controls request volume) with a content-based rule (which inspects payloads), leading them to pick Option C instead of the correct SQL injection match rule.

How to eliminate wrong answers

Option A is wrong because an IP set rule matches requests based on source IP addresses, not on content patterns like SQL injection. Option B is wrong because a geographic match rule filters traffic based on the country of origin, not on request payload content. Option C is wrong because a rate-based rule limits the number of requests from a single IP over a time window, which is used for DDoS mitigation, not for detecting SQL injection patterns.

446
MCQ · easy

A company requires that all access to its S3 buckets be logged for compliance. Which AWS service should be used to record API calls to S3?

A. Amazon GuardDuty
B. Amazon Inspector
C. AWS Config
D. AWS CloudTrail
Answer: D

CloudTrail records API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API calls for auditing. Option C is wrong because AWS Config tracks resource configuration changes. Option B is wrong because Amazon Inspector assesses vulnerabilities.

Option A is wrong because Amazon GuardDuty detects threats.

447
MCQ · easy

A Security Engineer needs to block SSH traffic (port 22) from the internet to all EC2 instances in a VPC. Which approach is the most secure and scalable?

A. Add a security group rule to deny inbound traffic on port 22 from 0.0.0.0/0.
B. Add a network ACL rule to deny inbound traffic on port 22 from 0.0.0.0/0 at the subnet level.
C. Add a network ACL rule to allow inbound traffic on port 22 from 0.0.0.0/0 and then add a deny rule for the same traffic.
D. Add a security group rule to block inbound traffic on port 22 from 0.0.0.0/0 at the VPC level.
Answer: B

Network ACLs can deny traffic and are applied at the subnet boundary.

Why this answer

Option B is correct because a network ACL at the subnet level blocks all traffic to port 22 from the internet before it reaches instances. Option A is wrong because you cannot write deny rules in security groups; you can only allow. Option C is wrong because NACLs are stateless and require explicit outbound rules; however, the question asks to block inbound SSH, which a NACL can do.

Option D is wrong because security groups are not applied at the VPC level.

448
MCQ · hard

A security engineer is designing a cross-account IAM role to allow users in Account A to access resources in Account B. The engineer wants to restrict access to only users who have authenticated with multi-factor authentication (MFA) in Account A. What condition key should the engineer use in the trust policy of the IAM role in Account B?

A. aws:SourceIp
B. aws:MultiFactorAuthPresent
C. aws:RequestedRegion
D. aws:UserAgent
Answer: B

This condition key checks if the user authenticated with MFA.

Why this answer

Option B is correct because aws:MultiFactorAuthPresent is the condition key that checks MFA status. Option A is wrong because aws:SourceIp checks the source IP. Option C is wrong because aws:RequestedRegion checks the region.

Option D is wrong because aws:UserAgent checks the user agent string.

449
Multi-Select · medium

A security engineer is investigating a potential data exfiltration incident where an attacker used a compromised EC2 instance to transfer data to an external IP. Which TWO AWS services can provide evidence of the network traffic and the API calls made from the instance?

Select 2 answers
A. VPC Flow Logs
B. AWS Config
C. Amazon GuardDuty
D. Amazon Inspector
E. AWS CloudTrail
Answers: A, E

Captures IP traffic information.

Why this answer

VPC Flow Logs capture metadata about IP traffic going to and from network interfaces, including the source/destination IP, ports, protocol, and packet/byte counts. This provides direct evidence of data being transferred to an external IP address from the compromised EC2 instance. AWS CloudTrail records API calls made within the AWS environment, such as those executed by the EC2 instance's IAM role or the instance itself (e.g., via the AWS CLI or SDK), which can reveal actions like starting data transfers or modifying security groups to allow exfiltration.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty as a source of raw evidence (like logs) when it is actually a detection service that consumes logs from other services (VPC Flow Logs, CloudTrail, DNS logs) to generate alerts, not a storage or retrieval service for the underlying traffic or API data.

450
MCQ · easy

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

A. Amazon Inspector
B. AWS CloudTrail
C. Amazon GuardDuty
D. AWS Config
Answer: B

CloudTrail logs all API calls, including IAM policy changes.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in the AWS account, including IAM policy changes (e.g., CreatePolicy, PutRolePolicy, AttachUserPolicy). These events are captured as CloudTrail log entries, providing a complete audit trail of who made the change, when, and from which source IP. This directly meets the requirement to audit all changes to IAM policies.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration state) with CloudTrail (which tracks API call history), leading them to choose AWS Config because it can detect drift, but it does not provide the detailed audit trail of who made the change and when.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and unintended network exposure, not a service that records API activity or policy changes. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs, VPC flow logs, and CloudTrail events for malicious activity, but it does not itself record or store the raw API call history for IAM policy changes. Option D is wrong because AWS Config evaluates and records resource configuration changes (e.g., whether an IAM policy is attached to a user) and can trigger rules, but it does not capture the API call details (who, when, source IP) that are required for a complete audit trail of policy changes; that is CloudTrail's role.
