Which THREE actions should be taken when preserving forensic evidence from an EC2 instance during an incident? (Select THREE.)
Select 3 answers
A.Reboot the instance to clear any malicious processes.
B.Create an EBS snapshot of all volumes.
C.Terminate the instance to prevent further compromise.
D.Capture a memory dump using a tool like LiME.
E.Detach the instance from the network by modifying the security group.
AnswersB, D, E
Snapshots preserve the disk state at a point in time.
Why this answer
Option B is correct because creating an EBS snapshot preserves the exact state of the volume at the time of the incident, including any malicious files, logs, or artifacts. This snapshot can be used for offline forensic analysis without altering the original evidence. AWS recommends this as a first step in forensic acquisition to maintain chain of custody.
Exam trap
Cisco often tests the misconception that rebooting or terminating an instance is a safe containment step, but in forensic contexts these actions destroy volatile evidence and should be avoided until after memory and disk acquisition.
The above IAM policy is attached to an AWS Lambda function. The function is failing to write logs to CloudWatch Logs. What is the likely cause?
A.The resource ARN does not include the log group itself; only log streams
B.The actions list does not include logs:DescribeLogGroups
C.The policy is missing an explicit deny for other actions
D.The region in the ARN does not match the Lambda function's region
AnswerA
PutLogEvents requires access to the log group resource as well.
Why this answer
The IAM policy grants `logs:CreateLogStream` and `logs:PutLogEvents` but specifies a resource ARN that only covers log streams (`arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:log-stream:*`). The Lambda function first needs to write to the log group itself (e.g., to create the log group or confirm its existence), which requires `logs:CreateLogGroup` or `logs:DescribeLogGroups` permissions on the log group resource ARN (`arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup`). Without that, the initial API call to the log group fails, preventing any log stream creation or log event delivery.
Exam trap
The trap here is that candidates focus on the actions (e.g., missing `logs:DescribeLogGroups`) rather than the resource ARN, which must include the log group itself (not just log streams) for the initial log group creation or access check.
How to eliminate wrong answers
Option B is wrong because `logs:DescribeLogGroups` is not required for writing logs; the Lambda execution role typically needs `logs:CreateLogGroup` on the log group resource to allow the function to create the log group if it doesn't exist, but the core issue is the resource ARN mismatch, not the missing action. Option C is wrong because an explicit deny is not needed; IAM defaults to an implicit deny for any action not explicitly allowed, so missing an explicit deny does not cause failures. Option D is wrong because the region in the ARN (`us-east-1`) matches the Lambda function's region in the scenario; the question does not indicate a region mismatch, and even if it did, the error would be a different one (e.g., cross-region access denied), not the specific failure to write logs.
A company uses AWS Organizations with multiple accounts and has enabled AWS Security Hub in the management account. The security team wants to automatically remediate a specific finding type that appears in Security Hub. Which combination of services should be used to achieve this?
A.Amazon EventBridge and AWS Lambda
B.AWS Config conformance packs and AWS Systems Manager Automation
C.Amazon Inspector and AWS Step Functions
D.Amazon GuardDuty and AWS Lambda
AnswerA
Security Hub sends findings to EventBridge, which can trigger a Lambda function for remediation.
Why this answer
Amazon EventBridge can capture Security Hub findings as events using an event rule that matches the specific finding type. When the rule triggers, it invokes an AWS Lambda function that contains the remediation logic, such as modifying security group rules or disabling access keys. This combination provides a serverless, event-driven architecture for automated response to Security Hub findings.
Exam trap
The trap here is that candidates may confuse Security Hub's integration with other AWS security services (GuardDuty, Inspector) as the trigger mechanism, when in fact EventBridge is the standardized event bus that Security Hub uses to emit findings for automated response.
How to eliminate wrong answers
Option B is wrong because AWS Config conformance packs are used to evaluate resource compliance against rules, not to reactively remediate specific Security Hub findings; while Systems Manager Automation can run remediation, the integration with Security Hub is typically done via EventBridge, not directly through conformance packs. Option C is wrong because Amazon Inspector is a vulnerability assessment service that generates its own findings, not a service for remediating Security Hub findings; Step Functions could orchestrate remediation but the trigger from Security Hub still requires EventBridge. Option D is wrong because Amazon GuardDuty is a threat detection service that generates its own findings, not a service for remediating Security Hub findings; while Lambda can be used for remediation, the correct trigger for Security Hub findings is EventBridge, not GuardDuty.
A security engineer needs to detect suspicious API calls across multiple AWS accounts. The engineer has enabled AWS CloudTrail in each account and is sending logs to a central S3 bucket. Which additional step should the engineer take to analyze the logs for potential threats?
A.Enable AWS Config rules to monitor CloudTrail configuration.
B.Enable AWS Trusted Advisor in the management account.
C.Enable Amazon GuardDuty in each account.
D.Enable VPC Flow Logs in each account.
AnswerC
GuardDuty analyzes CloudTrail logs for suspicious API activity.
Why this answer
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including suspicious API calls, by analyzing CloudTrail management and data events, VPC Flow Logs, and DNS logs. By enabling GuardDuty in each account, the security engineer can automatically detect potential threats across all accounts without manual log analysis. This directly addresses the need to analyze CloudTrail logs for suspicious API calls at scale.
Exam trap
The trap here is that candidates may confuse VPC Flow Logs (network traffic) with CloudTrail logs (API activity), or think that Config rules or Trusted Advisor can detect suspicious API calls, when in fact GuardDuty is the dedicated threat detection service for this purpose.
How to eliminate wrong answers
Option A is wrong because AWS Config rules monitor resource configuration compliance (e.g., ensuring CloudTrail is enabled), not the content of API calls for threat detection. Option B is wrong because AWS Trusted Advisor provides best-practice recommendations for cost, performance, and security, but does not analyze CloudTrail logs for suspicious API calls. Option D is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) and are useful for network-level threat detection, but they do not analyze CloudTrail API call logs for suspicious activity.
Which TWO of the following are valid ways to enforce encryption at rest for data in Amazon S3? (Choose TWO.)
Select 2 answers
A.Use SSL/TLS
B.Use IAM policies
C.Use AWS CloudTrail
D.Use SSE-KMS
E.Use SSE-C
AnswersD, E
SSE-KMS uses KMS keys for encryption.
Why this answer
SSE-KMS and SSE-C are both methods for encrypting objects at rest. Option C is wrong because SSL/TLS is for in transit. Option D is wrong because IAM policies control access, not encryption.
An organization uses AWS KMS to encrypt S3 objects. They want to allow a developer to decrypt objects only if the request comes from a specific IP address range. Which IAM policy condition should be used?
A.Condition with kms:GrantOperations and aws:SourceIp.
B.Condition with kms:CallerAccount and aws:SourceIp.
C.Condition with kms:EncryptionContext and aws:SourceIp.
D.Condition with kms:ViaService and aws:SourceIp.
AnswerD
kms:ViaService ensures the request comes through S3, and aws:SourceIp restricts the IP.
Why this answer
Option A is correct because kms:ViaService condition ensures the request goes through S3, and aws:SourceIp restricts IP. Option B is wrong because kms:EncryptionContext is for encryption context, not IP. Option C is wrong because kms:CallerAccount is for account, not IP.
Option D is wrong because kms:GrantOperations is for grants, not IP.
A company uses an IAM role to allow an EC2 instance to access an S3 bucket. The security team wants to ensure that if the EC2 instance is compromised, the attacker cannot use the role credentials to access resources outside the account. What should the security team do?
A.Store the role credentials in AWS Secrets Manager and rotate them frequently.
B.Use an instance profile with a short-lived session token.
C.Use an SCP to deny all actions except S3 access for the role.
D.Attach a permissions boundary to the IAM role that limits access to only the required S3 bucket.
AnswerD
Permissions boundaries set the maximum permissions for the role.
Why this answer
Using a permissions boundary restricts the maximum permissions the role can have, limiting the impact of a compromised instance.
A security engineer is designing a monitoring solution for an AWS Lambda function that processes sensitive data. The function occasionally fails due to timeouts. The engineer needs to be alerted immediately when the function fails and also wants to analyze the error logs. Which combination of services should the engineer use?
A.Amazon CloudWatch Logs and Amazon Kinesis Data Firehose
B.Amazon CloudWatch Logs and CloudWatch Alarms with Amazon SNS
C.AWS CloudTrail and Amazon SNS
D.AWS Config and Amazon SNS
AnswerB
CloudWatch Logs stores logs, and CloudWatch Alarms trigger SNS notifications on errors.
Why this answer
Option D is correct because CloudWatch Logs captures Lambda execution logs, and CloudWatch Alarms can trigger SNS notifications based on metrics like errors. Option A is incorrect because CloudTrail records API calls, not function execution logs. Option B is incorrect because Config tracks resource configuration changes, not runtime errors.
Option C is incorrect because Kinesis Data Firehose is for data streaming, not real-time alerting.
Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most significant security concern indicated by this event?
A.The security group rule allows SSH access from any IP address (0.0.0.0/0).
B.The event is a normal administrative action and poses no security concern.
C.The user did not have MFA enabled when assuming the AdminRole.
D.The source IP address (203.0.113.5) is from an unusual location.
AnswerA
This exposes the instance to the internet on port 22.
Why this answer
The event shows a security group rule allowing SSH (port 22) from 0.0.0.0/0, which is a serious security risk. Additionally, the user did not use MFA despite having AdminRole privileges. Option A is correct because the open SSH access is the primary concern.
Option B is wrong because while MFA not used is a concern, the open port is more critical. Option C is wrong because there is no indication of a compromised account. Option D is wrong because the event itself is not unusual but the configuration is.
A security engineer notices that an S3 bucket policy allows access to a principal from another AWS account. Which AWS feature can be used to check if this external access is intended?
A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which AWS service should they use?
A.AWS Network Firewall
B.AWS Firewall Manager
C.AWS Config
D.Amazon Route 53 Resolver DNS Firewall
AnswerB
Firewall Manager provides central management of security group rules across accounts.
Why this answer
AWS Firewall Manager can centrally configure and manage security group rules across accounts. Option A is correct. Option B is for network firewall management.
Option C is for configuration compliance. Option D is for DNS firewalling.
A company has a three-tier web application running on AWS. The application consists of an Application Load Balancer (ALB), an EC2 Auto Scaling group for web servers, and an RDS MySQL database. The Security team recently discovered that the database is publicly accessible from the internet. They need to remediate this immediately while minimizing downtime. The database is critical for the application, and the application must remain available. The team has identified that the database security group currently allows inbound traffic from 0.0.0.0/0 on port 3306. The web servers are in a security group named 'web-sg'. The database security group is named 'db-sg'. The team wants to restrict access to only the ALB and the web servers. Which action should the team take to resolve the issue with the least downtime?
A.Create a new security group that allows inbound traffic from the web-sg security group on port 3306, then attach the new security group to the database instance.
B.Modify the inbound rule of the db-sg security group to allow traffic from the web-sg security group on port 3306 and remove the rule allowing traffic from 0.0.0.0/0.
C.Update the network ACL for the database subnet to deny inbound traffic from 0.0.0.0/0 on port 3306.
D.Move the RDS instance to a private subnet and update the application's database endpoint to use the new private IP address.
AnswerB
This change is immediate and does not affect running connections; new connections will be allowed only from web-sg.
Why this answer
Option B is correct because modifying the db-sg security group to allow inbound traffic from the web-sg security group (instead of 0.0.0.0/0) on port 3306 directly restricts database access to only the web servers. This change is applied immediately without requiring any resource recreation or downtime, as security group rules are stateful and take effect in real time. Removing the overly permissive rule eliminates the public exposure while keeping the existing database endpoint and application connectivity intact.
Exam trap
The trap here is that candidates may think creating a new security group (Option A) is safer or less disruptive, but modifying the existing security group is immediate and causes zero downtime, whereas attaching a new group can cause a brief connectivity gap during the transition.
How to eliminate wrong answers
Option A is wrong because creating a new security group and attaching it to the database instance would require detaching the existing db-sg and attaching the new one, which can cause a brief interruption in connectivity (downtime) and is unnecessary when the existing security group can be modified directly. Option C is wrong because network ACLs are stateless and apply at the subnet level, not the instance level; they would block traffic from 0.0.0.0/0 on port 3306 but would also require adding explicit allow rules for return traffic, and they do not replace the need to fix the security group rule that allows public access. Option D is wrong because moving the RDS instance to a private subnet requires creating a new RDS instance or modifying the existing one, which involves significant downtime and configuration changes (e.g., updating the application endpoint), and does not directly address the security group misconfiguration that allows public access.
A security engineer needs to ensure that all Amazon S3 buckets in an AWS account have server-side encryption (SSE) enabled. The engineer wants to automatically remediate any bucket that is created without SSE. Which solution should the engineer implement?
A.Use S3 bucket policies to deny access to objects without encryption.
B.Apply an IAM policy that requires SSE for all S3 actions.
C.Use AWS Config with a managed rule (s3-bucket-server-side-encryption-enabled) and an automatic remediation action.
D.Create a service control policy (SCP) that denies creation of buckets without encryption.
AnswerC
AWS Config can detect and automatically remediate non-compliant resources.
Why this answer
Option A is correct because AWS Config rules can be used to detect non-compliant buckets and trigger remediation actions. Option B is wrong because SCPs can deny creation of buckets without encryption but require careful policy writing. Option C is wrong because IAM policies enforce on principals, not buckets.
Option D is wrong because bucket policies can require encryption but only for access, not creation.
A security engineer needs to ensure that all API calls in an AWS account are logged and that the logs are encrypted at rest and retained for at least 7 years. Which THREE steps should the engineer take? (Choose THREE.)
Select 3 answers
A.Configure CloudTrail to deliver logs to Amazon S3 Glacier.
B.Set an S3 lifecycle policy to transition logs to Glacier after 7 years.
C.Enable S3 Cross-Region Replication to a bucket in another region.
D.Enable S3 default encryption on the log bucket.
E.Enable CloudTrail in the account.
AnswersB, D, E
Retains logs for 7 years.
Why this answer
Options B, C, and D are correct. Option B: CloudTrail logs API calls. Option C: S3 default encryption encrypts the logs.
Option D: Lifecycle policy transitions logs to Glacier for long-term retention. Option A is wrong because CloudTrail does not directly write to Glacier. Option E is wrong because S3 Replication is for copying, not retention.
A company is designing a network architecture for a critical application that must meet strict compliance requirements. The application consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The instances need to access an Amazon RDS database in a different VPC. The company wants to minimize exposure to the internet. Which solution should the company use?
A.Use a site-to-site VPN connection between the VPCs.
B.Use a NAT gateway in the database VPC and route traffic through it.
C.Use a VPC Peering connection between the two VPCs.
D.Use an internet gateway and route traffic over the internet with security groups.
AnswerC
VPC Peering provides private connectivity using AWS infrastructure.
Why this answer
Option D is correct because VPC Peering provides a private network connection between VPCs without internet exposure. Option A is wrong because a NATgateway is for outbound internet from private subnets. Option B is wrong because an internet gateway exposes traffic to the internet.
Option C is wrong because a VPN connection is typically used for on-premises connectivity and adds complexity.
A security engineer is designing a network architecture for a multi-tier application. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which TWO configurations should be used? (Choose TWO.)
Select 2 answers
A.Configure a NAT gateway in the private subnet for the application servers.
B.Place the web servers in a public subnet with a route to an internet gateway.
C.Use a network ACL on the application subnet to allow inbound traffic from the web subnet's IP range.
D.Place the application servers in a public subnet with a route to an internet gateway.
E.Configure the application servers' security group to allow traffic only from the web servers' security group.
AnswersB, E
This allows internet traffic to reach the web servers.
Why this answer
Placing web servers in a public subnet with an internet gateway allows internet access. Application servers in a private subnet with a security group that only allows traffic from the web servers' security group ensures isolation. Internet gateway on private subnet would defeat purpose; NAT gateway is for outbound only.
A security team is reviewing IAM roles and policies. They want to ensure that any new IAM role created in the account must include a specific managed policy (e.g., SecurityAudit). What AWS service can enforce this requirement?
A.AWS CloudTrail
B.AWS Config rules
C.Service control policy (SCP) in AWS Organizations
D.IAM permissions boundary
AnswerC
SCPs can deny role creation if required policy is not attached.
Why this answer
Option C is correct because SCPs can deny IAM role creation if the role does not have a specific policy attached. Option A is wrong because IAM policies define permissions, not enforce role creation rules. Option B is wrong because AWS Config can detect noncompliant roles but cannot prevent their creation.
Option D is wrong because CloudTrail logs API calls but does not enforce policies.
A company has an S3 bucket that contains sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that objects in the bucket are being deleted by an IAM user from outside the VPC. The engineer checks the bucket policy and confirms that the policy denies access if the request does not come from the VPC endpoint. However, the deletions continue. What is the most likely cause?
A.The bucket policy is missing a Deny statement for the s3:DeleteObject action.
B.The VPC endpoint policy allows the deletion.
C.The IAM user is the bucket owner and the bucket policy does not apply to the owner.
D.The bucket has an ACL that allows the IAM user to delete objects.
AnswerC
Bucket policies do not apply to the account that owns the bucket; IAM policies would need to be used.
Why this answer
Option B is correct because the bucket owner's account has full control over the bucket, and bucket policies do not override the owner's permissions. Option A is wrong because if the bucket policy were incorrect, it would not deny access. Option C is wrong because ACLs are not used here.
Option D is wrong because the deletion is happening, so the user is not blocked by the policy.
A security engineer is configuring a centralized logging solution for multiple AWS accounts. The engineer needs to ensure that log files are encrypted at rest and that access to the logs is audited. Which combination of services and features should be used?
A.Use S3 SSE-S3 and enable S3 access logs.
B.Use AWS KMS to encrypt the logs before uploading to S3.
C.Use S3 SSE-C and enable CloudTrail for S3 data events.
D.Use S3 SSE-KMS and enable CloudTrail for S3 data events.
AnswerD
SSE-KMS provides encryption and key management; CloudTrail audits access.
Why this answer
S3 SSE-KMS provides encryption at rest with key management, and CloudTrail logs all access to the S3 bucket. Option C is correct. Option A is wrong because SSE-S3 does not provide key management or access audit.
Option B is wrong because SSE-C requires customer-managed keys but does not provide audit. Option D is wrong because KMS alone without CloudTrail does not audit access.
A company uses AWS CloudTrail to log management events. The security team wants to be alerted when an IAM user creates a new access key. Which solution would meet this requirement with the least operational overhead?
A.Create a CloudWatch Logs metric filter on the CloudTrail log group for CreateAccessKey events and set an alarm.
B.Create an Amazon EventBridge rule that matches the CreateAccessKey event and triggers an Amazon SNS notification.
C.Write a Python script that uses the CloudTrail LookupEvents API and run it on a scheduled basis using Amazon EventBridge Scheduler.
D.Develop a custom AWS Lambda function that queries CloudTrail logs in S3 every hour.
AnswerB
EventBridge provides near-real-time event matching with minimal overhead.
Why this answer
Option A is correct because CloudTrail events can be sent to CloudWatch Logs, and a metric filter with an alarm can detect the CreateAccessKey event. Option B is wrong because it requires custom code and is more overhead. Option C is wrong because EventBridge rules can directly match CloudTrail events without CloudWatch Logs.
Option D is wrong because Lambda is more overhead than a simple alarm.
A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team has implemented a centralized logging solution using Amazon S3 for ALB access logs and AWS CloudTrail logs. Recently, the team noticed that some ALB access logs are missing for certain time periods. The ALB is configured to deliver logs every 5 minutes to an S3 bucket with a bucket policy that grants the ALB service principal write access. The CloudTrail logs show no errors related to the ALB or S3. The S3 bucket is in the same region as the ALB. What is the most likely cause of the missing logs?
A.The S3 bucket has versioning enabled, which causes log delivery failures.
B.The bucket policy does not allow the ALB to write logs.
C.The ALB is not configured to send logs to the S3 bucket.
D.The S3 bucket is in a different AWS region than the ALB.
AnswerD
ALB can only deliver access logs to an S3 bucket in the same region.
Why this answer
Option B is correct because if the S3 bucket is in a different region, ALB cannot deliver logs cross-region. Option A is wrong because CloudTrail logs are not related to ALB log delivery. Option C is wrong because bucket policy is correct.
Option D is wrong because enabling versioning does not affect log delivery.
Refer to the exhibit. A company uses this CloudFormation template. What security best practice is being violated?
A.The instance type is too small for production workloads.
B.The security group allows SSH access from all IP addresses.
C.The AMI ID is not specified as a parameter.
D.The EBS volume is not encrypted.
AnswerB
Allowing SSH from 0.0.0.0/0 is a security risk.
Why this answer
Option C is correct because the security group allows SSH from anywhere (0.0.0.0/0), which is a security risk. Option A is wrong because the instance type is not inherently a security issue. Option B is wrong because the AMI ID is not necessarily a vulnerability.
Option D is wrong because there is no encryption setting; the EBS volume has Encrypted: false, which is a best practice violation, but the most critical is the open SSH.
A company is using Amazon RDS for PostgreSQL with encryption at rest using AWS KMS. The security team wants to ensure that only a specific set of IAM roles can manage the KMS key used for encryption. Which TWO steps should the team take?
Select 2 answers
A.Attach an IAM policy to the IAM roles that grants kms:Encrypt and kms:Decrypt
B.Modify the KMS key policy to allow the specific IAM roles to use the key
C.Attach an IAM policy to the IAM roles that grants kms:Decrypt only
D.Create an S3 bucket policy to restrict access to the KMS key
E.Use a VPC endpoint policy to restrict access to the KMS key
AnswersA, B
IAM policies can grant permissions if the key policy allows it.
Why this answer
Option B (Modify the KMS key policy to allow specific IAM roles to use the key) and Option C (Attach an IAM policy to the roles granting kms:Encrypt and kms:Decrypt) are correct. KMS key policies control who can use the key, and IAM policies grant permissions to roles. Option A is wrong because RDS does not use an S3 bucket policy.
Option D is wrong because only the key policy can grant kms:Decrypt; IAM policies alone cannot if the key policy restricts. Option E is wrong because VPC endpoints are for network access, not permissions.
Refer to the exhibit. A security engineer has attached this IAM policy to a user. What is the effect of this policy?
A.Allows uploads with KMS encryption or without encryption.
B.Allows uploads only when encryption is not specified.
C.Denies uploads when encryption is not provided.
D.Allows uploads only when using KMS encryption.
AnswerA
Both conditions are covered by the two statements.
Why this answer
The policy allows s3:PutObject only if encryption is set to aws:kms OR if no encryption header is provided (Null condition). Option D is correct because the two statements together allow both encrypted and unencrypted uploads. Option A is wrong because the first statement allows only KMS encryption, but the second allows unencrypted.
Option B is wrong because the policy does not explicitly deny unencrypted uploads. Option C is wrong because the second statement allows missing encryption header.
Refer to the exhibit. A security engineer runs the above AWS CLI command to encrypt a secret file. The command succeeds and returns a base64-encoded ciphertext. Which of the following statements is correct?
A.The command returns a plaintext data key and an encrypted copy.
B.The command will fail because fileb:// is not a valid prefix.
C.The command returns a base64-encoded ciphertext that can be decrypted with the same KMS key.
D.The command will fail because encryption context is required.
AnswerC
The encrypt API returns base64-encoded ciphertext.
Why this answer
Option C is correct. The command encrypts the plaintext file using the specified KMS key and returns the ciphertext as base64-encoded output. Option A is wrong because the command does not specify an encryption context; it's optional.
Option B is wrong because the command uses fileb:// which reads binary data; it will succeed if the file exists. Option D is wrong because the output is the ciphertext, not a data key.
A company has a CloudTrail trail that logs management events and delivers them to an S3 bucket. The security team notices that some expected API calls are missing from the logs. They suspect that the calls were made by a service that is not tracked by CloudTrail. Which AWS service is NOT tracked by CloudTrail?
A.AWS Lambda
B.Amazon CloudFront
C.Amazon S3
D.Amazon EC2
AnswerB
CloudFront does not support CloudTrail logging; it provides its own access logs.
Why this answer
Option D is correct because Amazon CloudFront does not log management events via CloudTrail; it uses its own access logs. Option A, B, and C are all tracked by CloudTrail.
A company uses AWS Secrets Manager to rotate database credentials automatically. The security team wants to ensure that while the secret is being rotated, applications can always retrieve a valid credential. Which rotation strategy should be used?
A.Use AWS IAM database authentication instead.
B.Use a single user rotation with immediate update.
C.Disable automatic rotation and manually update credentials.
D.Use the alternating users rotation strategy.
AnswerD
This strategy maintains two sets of credentials ensuring availability during rotation.
Why this answer
Option B is correct because the alternating users strategy creates two sets of credentials, so during rotation, one set remains valid. Option A is wrong because it may cause downtime if the single credential is updated. Option C is wrong because disabling rotation defeats the purpose.
Option D is wrong because IAM database authentication doesn't use secrets managed by Secrets Manager.
A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer has enabled S3 server access logs and CloudTrail data events. Which log source would provide the most granular details about the request, including the requester's IP address and user agent?
A.VPC Flow Logs
B.Amazon S3 server access logs
C.AWS CloudTrail data events
D.Amazon CloudWatch Logs
AnswerB
Server access logs include requester IP, user agent, and other details.
Why this answer
S3 server access logs provide detailed records of each request, including requester IP, user agent, and operation. CloudTrail data events also log S3 operations but may not include the user agent. VPC Flow Logs capture network traffic but not application-level details.
A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used?
A.AWS Config
B.Amazon CloudWatch
C.IAM Access Analyzer
D.AWS CloudTrail
AnswerD
CloudTrail logs all API calls for auditing.
Why this answer
Option B is correct because AWS CloudTrail records all API calls including IAM policy changes. Option A is wrong because AWS Config records resource state but not API calls. Option C is wrong because CloudWatch is for metrics and alarms.
Option D is wrong because IAM Access Analyzer finds external access, not change history.
A security team wants to detect and alert on potential security threats such as compromised instances or malicious activity within their AWS environment. Which TWO AWS services should be used together to provide comprehensive threat detection?
Select 2 answers
A.AWS Security Hub
B.AWS CloudTrail
C.Amazon Inspector
D.AWS Config
E.Amazon GuardDuty
AnswersA, E
Aggregates and prioritizes security findings.
Why this answer
Amazon GuardDuty provides intelligent threat detection, and AWS Security Hub aggregates findings from multiple services including GuardDuty. Option A and Option C are correct. Option B is wrong because CloudTrail is for logging, not threat detection.
Option D is wrong because Inspector is for vulnerability assessments. Option E is wrong because Config is for configuration compliance.
A financial services company uses AWS KMS to encrypt sensitive data. The security team has a requirement to rotate the CMK every 90 days and to maintain a record of all previous key versions for decryption of historical data. The team creates a new CMK every 90 days and manually updates applications to use the new key. This process is error-prone and causes downtime. What is the MOST operationally efficient solution that meets the requirements?
A.Enable automatic key rotation on the existing CMK.
B.Create a new CMK every 90 days and update the alias to point to the new key. Applications reference the alias.
C.Use a CMK with imported key material and rotate the material every 90 days.
D.Continue creating new CMKs but use a script to update the application configuration files.
AnswerB
Alias updates are immediate and do not require application changes; old keys remain available for decryption.
Why this answer
Option B is correct because it uses aliases to decouple the key identifier from the application configuration. By creating a new CMK every 90 days and updating the alias to point to the new key, applications that reference the alias automatically use the new key without code changes, eliminating downtime. AWS KMS aliases are mutable pointers that can be reassigned to different CMKs, and the old key versions remain available for decryption of historical data.
Exam trap
The trap here is that candidates often confuse automatic key rotation (which only rotates backing keys within the same CMK) with creating a new CMK and using aliases, failing to recognize that automatic rotation does not meet a 90-day schedule and does not create a separate CMK for audit or compliance purposes.
How to eliminate wrong answers
Option A is wrong because automatic key rotation on an existing CMK creates new backing key versions every year (not 90 days) and does not create a new CMK; it only rotates the cryptographic material within the same CMK, which does not meet the 90-day rotation requirement. Option C is wrong because using a CMK with imported key material and rotating the material every 90 days still does not create a new CMK; it only replaces the key material within the same CMK, and the old key material is deleted, preventing decryption of historical data. Option D is wrong because it continues the error-prone manual process of updating application configuration files, which causes downtime and operational overhead, and does not leverage AWS KMS aliases for a seamless transition.
Which THREE are features of Amazon GuardDuty that help with threat detection? (Select THREE.)
Select 3 answers
A.Analyzes AWS Config configuration history.
B.Analyzes S3 object content for malware.
C.Analyzes VPC Flow Logs.
D.Analyzes DNS query logs.
E.Analyzes AWS CloudTrail management events.
AnswersC, D, E
GuardDuty uses VPC Flow Logs for network analysis.
Why this answer
Options A, B, and D are correct. GuardDuty uses machine learning and threat intelligence to detect threats. It analyzes CloudTrail events, VPC Flow Logs, and DNS logs.
Option C is wrong because GuardDuty does not analyze Config rules; that is AWS Config. Option E is wrong because GuardDuty does not inspect S3 object content; it analyzes S3 data events.
A company has a multi-account AWS environment managed by AWS Organizations. The security team wants to enable a centralized logging solution where all VPC flow logs, CloudTrail logs, and AWS Config configuration items are sent to a single S3 bucket in the security account. The team has already created the S3 bucket with appropriate bucket policies to allow cross-account writes. However, logs are not appearing from all accounts. What is the MOST likely reason for this issue?
A.The security account is not the master account of the AWS Organization.
B.The S3 bucket policy does not grant write access to the root user of each member account.
C.The member accounts do not have the required IAM roles to allow the logging services to write to the central bucket.
D.The S3 bucket is encrypted with SSE-KMS and the KMS key policy does not allow cross-account access.
AnswerC
Each member account needs a service-linked role (e.g., AWSServiceRoleForCloudTrail) to enable cross-account logging.
Why this answer
When using AWS Organizations, you can enable trusted access for CloudTrail, Config, and VPC Flow Logs to centrally manage logging. However, the service-linked roles must be created in each member account to allow the logging service to write to the central bucket. Option A is correct because the member accounts need the appropriate IAM roles.
Option B is wrong because Organizations does not need to be the master account for logging; a designated account can serve as the central logging account. Option C is wrong because the bucket policy should allow the logging service principal, not the account root. Option D is wrong because KMS encryption is not required for cross-account logging.
A financial services company must ensure that all data written to Amazon S3 is encrypted at rest and that the encryption keys are rotated every 90 days. The company also needs to maintain an audit trail of when keys were used. Which solution meets these requirements with the least operational overhead?
A.Use SSE-S3 with default encryption enabled
B.Use SSE-C with customer-provided keys and rotate keys using a Lambda function
C.Use SSE-KMS with a customer managed key and enable automatic key rotation
D.Use client-side encryption with the AWS Encryption SDK
AnswerC
KMS allows automatic yearly rotation and CloudTrail logs key usage.
Why this answer
Option B (SSE-KMS with a customer managed key and automatic key rotation) is correct because it provides encryption, automatic rotation every 365 days (the maximum allowed), and CloudTrail logs for auditing. Option A is wrong because SSE-S3 does not provide key rotation control. Option C is wrong because SSE-C requires manual key management.
Option D is wrong because client-side encryption adds overhead and does not leverage AWS key rotation.
A company's security policy requires that all S3 buckets be encrypted at rest. An security engineer needs to detect any S3 bucket that does not have default encryption enabled. Which AWS service should the engineer use to continuously monitor and alert on non-compliant buckets?
A.AWS CloudTrail
B.AWS Config
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB
Config can continuously evaluate resource configurations and trigger notifications for non-compliant resources.
Why this answer
AWS Config is the correct service because it provides continuous monitoring and evaluation of your AWS resource configurations against desired policies. You can create an AWS Config rule, such as the managed rule 's3-bucket-default-encryption-enabled', which automatically checks each S3 bucket for the presence of default encryption (SSE-S3 or SSE-KMS) and triggers an alert or remediation action for any non-compliant bucket. This aligns directly with the requirement to detect and alert on buckets lacking encryption at rest.
Exam trap
The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which evaluates resource configurations), leading them to choose CloudTrail for monitoring encryption settings when it only records the actions that change encryption, not the current state of encryption on each bucket.
How to eliminate wrong answers
Option A is wrong because AWS CloudTrail records API activity (e.g., PutBucketEncryption calls) but does not continuously evaluate the current configuration state of resources; it is an audit trail, not a compliance checker. Option C is wrong because AWS Trusted Advisor provides one-time or periodic checks for best practices (including S3 bucket permissions) but does not offer continuous, customizable monitoring or alerting for specific encryption settings like default encryption. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not evaluate resource configurations for compliance with encryption policies.
A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. Security engineers need to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which architecture should be used?
A.Use security groups in each VPC to allow only traffic from the firewall appliance's IP.
B.Establish VPC Peering connections between each VPC and the inspection VPC.
C.Configure Network ACLs in each VPC to deny traffic that does not originate from the inspection VPC.
D.Create a central inspection VPC with the firewall appliance. Configure Transit Gateway route tables to route traffic between VPCs through the inspection VPC.
AnswerD
Transit Gateway supports centralized routing for inspection.
Why this answer
Option B is correct because Transit Gateway route tables can be used to force traffic through the inspection VPC by attaching the firewall appliance to a VPC and using blackhole routes or specific routing. Option A is wrong because Network ACLs are stateless and cannot perform deep packet inspection. Option C is wrong because VPC Peering does not support transitive routing.
Option D is wrong because security groups are stateful but do not provide advanced firewall capabilities.
A company is using AWS CloudFormation to deploy a web application. The template includes an EC2 instance with a security group that allows inbound HTTP traffic from 0.0.0.0/0. The security team wants to ensure that this security group is never used in production. Which AWS service can automatically remediate this noncompliant configuration?
A.AWS Identity and Access Management (IAM)
B.AWS Config
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerB
AWS Config can evaluate rules and auto-remediate.
Why this answer
Option D is correct because AWS Config can evaluate rules and trigger auto-remediation via Systems Manager Automation or Lambda. Option A is wrong because IAM is for access control, not resource configuration. Option B is wrong because CloudTrail logs API calls but does not remediate.
Option C is wrong because GuardDuty is a threat detection service, not configuration compliance.
A company is using Amazon Route 53 and wants to log DNS queries for investigative purposes. The logs must be stored in a centralized S3 bucket in the security account. What is the MOST efficient way to achieve this?
A.Enable VPC Flow Logs and analyze DNS traffic.
B.Enable CloudWatch Logs for Route 53 and stream to a Lambda function that writes to S3.
C.Configure Route 53 Resolver query logging to deliver to the central S3 bucket.
D.Use a custom Lambda function to poll Route 53 logs and write to S3.
AnswerC
Route 53 Resolver query logging supports direct delivery to S3, and you can use cross-account bucket policies.
Why this answer
Option B is correct because Route 53 resolver query logs can be sent directly to S3, and by using AWS Organizations, you can centralize logging. Option A is wrong because CloudWatch Logs adds an extra step. Option C is wrong because VPC Flow Logs are for network traffic, not DNS queries.
Option D is wrong because Route 53 does not have a built-in Lambda integration for this purpose.
Refer to the exhibit. A security engineer runs the command above and sees that the flow log status is ACTIVE. However, the engineer notices that no logs are appearing in the CloudWatch log group. What is the most likely cause?
A.The TrafficType is set to ALL, which captures too much data and causes throttling.
B.The IAM role specified in DeliverLogsPermissionArn does not have permissions to PutLogEvents.
C.The flow log is attached to an ENI instead of a subnet.
D.The flow log destination is set to CloudWatch Logs but the log group is encrypted with KMS.
AnswerB
Without proper permissions, logs cannot be delivered.
Why this answer
Option B is correct. If the flow logs are ACTIVE but no logs appear, the IAM role may not have sufficient permissions to publish logs to CloudWatch Logs. Option A is incorrect because the flow log is attached to an ENI, not a subnet.
Option C is incorrect because the flow log can capture all traffic, but that would generate logs, not prevent them. Option D is incorrect because flow logs do not require encryption.
A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?
A.Use AWS Glue to crawl S3 and load into Amazon Redshift for analysis
B.Send CloudTrail logs to Amazon CloudWatch Logs, then use a subscription filter to Amazon Kinesis Data Firehose delivering to Amazon OpenSearch Service
C.Query CloudTrail logs directly using Amazon Athena
D.Configure S3 event notifications to invoke an AWS Lambda function that writes to Amazon OpenSearch Service
AnswerB
Enables near real-time streaming.
Why this answer
Option B is correct because it provides the lowest-latency path for real-time analysis: CloudTrail logs are delivered to CloudWatch Logs in near real-time, and a subscription filter streams them to Kinesis Data Firehose, which buffers and delivers directly to Amazon OpenSearch Service for immediate indexing and search. This architecture avoids batch processing, minimizes data movement overhead, and uses managed services that scale automatically, keeping both latency and cost low.
Exam trap
The trap here is that candidates often assume S3 event notifications (Option D) are the fastest path for real-time processing, but they overlook the inherent delivery delay of CloudTrail to S3 (up to 15 minutes) and the risk of Lambda concurrency limits causing dropped events under high log volume.
How to eliminate wrong answers
Option A is wrong because AWS Glue crawling S3 and loading into Amazon Redshift introduces significant batch processing latency (minutes to hours) and incurs high costs for Redshift compute and storage, making it unsuitable for real-time analysis. Option C is wrong because querying CloudTrail logs directly with Amazon Athena requires scanning the entire S3 object set per query, which adds seconds to minutes of latency and incurs per-scan costs that become prohibitive for continuous real-time detection. Option D is wrong because S3 event notifications for CloudTrail logs are typically delivered with a delay (up to 15 minutes) and invoking a Lambda function per object to write to OpenSearch Service creates a tight coupling that can lead to throttling, data loss under high volume, and higher operational overhead compared to the managed streaming pipeline in B.
A company uses AWS Organizations and wants to delegate administration of IAM Access Analyzer to a member account. Which AWS service should be used to enable this delegation?
A.AWS Service Catalog
B.AWS Organizations
C.AWS CloudTrail
D.AWS Config
AnswerB
You can register a delegated administrator for IAM Access Analyzer using AWS Organizations.
Why this answer
Option A is correct because IAM Access Analyzer can be delegated through AWS Organizations. Option B is incorrect because AWS CloudTrail is for logging. Option C is incorrect because AWS Config is for resource compliance.
Option D is incorrect because AWS Service Catalog is for creating and managing catalogs of IT services.
A security engineer is investigating an IAM role that was used to access AWS resources from an external account. The role has a trust policy that allows the external account to assume it. Which of the following is a required step for the external account to use the role?
A.Configure the role to require MFA for the external account.
B.Create a new IAM role in the external account with a trust policy allowing the role's ARN.
C.Add the external account's root user ARN to the role's trust policy.
D.Attach an IAM policy to an IAM user in the external account that allows sts:AssumeRole for the role ARN.
AnswerD
The external user needs permission to assume the role.
Why this answer
Option B is correct because the external account must have an IAM user or role with sts:AssumeRole permissions targeting the role ARN. Option A is wrong because the external account does not need to create a new role. Option C is wrong because the trust policy is on the role, not on the external account.
Option D is wrong because MFA is not required unless specified.
A startup is building a web application on AWS and needs to protect sensitive customer data at rest in an Amazon RDS for MySQL database. The compliance team requires that the encryption keys be managed by the company's on-premises hardware security module (HSM) and be rotated every 6 months. Which solution should the startup use?
A.Use AWS CloudHSM to store the encryption keys and enable RDS encryption with CloudHSM.
B.Use AWS KMS with a customer master key (CMK) and import key material from the on-premises HSM.
C.Store the encryption keys in AWS Secrets Manager and use them to encrypt the database.
D.Use AWS KMS with a custom key store backed by AWS CloudHSM.
AnswerA
CloudHSM provides a dedicated HSM that you control, and RDS can be encrypted using keys from CloudHSM.
Why this answer
AWS CloudHSM provides a dedicated hardware security module (HSM) that allows you to manage encryption keys on-premises-style, meeting the requirement for key management on the company's own HSM. When you enable Amazon RDS for MySQL encryption with CloudHSM, the database encryption keys are stored and managed in the CloudHSM cluster, and you can rotate them every 6 months as required. This solution directly satisfies the compliance team's mandate for on-premises HSM key management and periodic rotation.
Exam trap
The trap here is that candidates confuse AWS CloudHSM (a dedicated HSM service where you manage keys directly) with AWS KMS custom key stores (which also use CloudHSM but are managed through KMS), leading them to choose option D, which does not allow the company to manage keys on their own on-premises HSM.
How to eliminate wrong answers
Option B is wrong because AWS KMS with imported key material does not allow the key to be managed by the company's on-premises HSM; the key material is imported into KMS, but the HSM is not used for ongoing key operations or rotation. Option C is wrong because AWS Secrets Manager is a service for storing secrets, not for managing encryption keys for RDS encryption, and it does not integrate with an on-premises HSM for key management. Option D is wrong because a custom key store backed by AWS CloudHSM uses CloudHSM as the key store, but the keys are still managed by AWS KMS, not directly by the company's on-premises HSM, and the compliance team requires the keys to be managed by their own on-premises HSM, not an AWS-managed CloudHSM.
A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, but the application and database tiers must not. Which VPC configuration should be used?
A.Place web and app tiers in public subnets, database in private subnet.
B.Place web tier in public subnets, app and database tiers in private subnets.
C.Place all tiers in private subnets and use a VPN for external access.
D.Place all tiers in public subnets with security groups restricting access.
AnswerB
This isolates app and database from internet.
Why this answer
Option D is correct because public subnets for web tier and private subnets for app and database tiers meet the requirements. Option A is wrong because all public subnets expose all tiers. Option B is wrong because all private subnets block internet access to web tier.
Option C is wrong because public subnets for app and database expose them.
Which TWO AWS services can be used to enforce that specific resource types (e.g., EC2 instances) are tagged with a 'CostCenter' tag? (Choose two.)
Select 2 answers
A.AWS Organizations tag policies
B.AWS Service Catalog
C.AWS Config
D.AWS CloudFormation
E.AWS IAM
AnswersA, C
Can enforce tags across accounts in the organization.
Why this answer
AWS Config can evaluate resource tagging and AWS Organizations can use tag policies. IAM is for permissions, not enforcement; CloudFormation can be used but not for existing resources; Service Catalog is for provisioning, not enforcement.
Refer to the exhibit. A security engineer is configuring the Amazon CloudWatch agent to collect logs from an Amazon ECS task. The configuration shown is used. However, the logs are not appearing in CloudWatch Logs. What is the most likely cause?
A.The multi_line_start_pattern is missing a closing delimiter.
B.The datetime_format is incorrect for the logs.
C.The configuration file is missing the 'logs' section at the top level.
D.The CloudWatch agent is not installed in the ECS task.
AnswerC
The CloudWatch agent configuration requires a 'logs' section containing the log definitions.
Why this answer
The configuration uses `log_group_name` but in the CloudWatch agent configuration for ECS, the correct key is `log_group_name` (lowercase) but more commonly the issue is that the agent requires `logs.region` and `logs.endpoint` to be set, or the IAM role is missing permissions. However, the exhibit uses `log_group_name` which is correct for the standalone agent, but for the ECS agent, the configuration is passed as environment variables or in the task definition. The most typical mistake is that the `log_group_name` is not properly nested under `logs`.
Option C is correct. Option A is wrong because the ECS agent can use CloudWatch agent. Option B is wrong because the format is standard.
Option D is wrong because the pattern is optional.
A company uses AWS KMS to encrypt data in Amazon S3. The security team needs to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. What is the most secure way to enforce this restriction?
A.Apply an S3 bucket policy that denies all principals except the IAM role
B.Set a KMS key policy that grants kms:Decrypt only to the IAM role
C.Use S3 access logs to monitor unauthorized decryption attempts
D.Attach an IAM policy to the role granting kms:Decrypt permission
AnswerB
Key policy directly controls who can use the key.
Why this answer
Option D is correct because using a KMS key policy with a condition for the IAM role provides fine-grained access control. Option A is wrong because bucket policies alone do not control KMS decryption. Option B is wrong because IAM policies alone can be attached to many principals.
Option C is wrong because S3 access logs do not enforce permissions.
What is the purpose of an AWS Service Control Policy (SCP) in AWS Organizations?
A.To grant specific permissions to users in member accounts.
B.To restrict only the root user of each member account.
C.To monitor and log API activity across the organization.
D.To set permission guardrails that restrict what actions accounts in the organization can perform.
AnswerD
SCPs define the maximum permissions for accounts.
Why this answer
Option A is correct: SCPs are used to centrally control the maximum available permissions for all accounts in an organization. Option B is wrong because SCPs do not grant permissions. Option C is wrong because SCPs apply to all users and roles, not just root.
Option D is wrong because SCPs are not for monitoring.
A company wants to encrypt data at rest in Amazon S3 using server-side encryption. They must manage the encryption keys themselves and rotate them annually. Which S3 encryption option should they use?
A.SSE-S3
B.SSE-KMS with AWS managed key
C.SSE-C
D.Client-side encryption
AnswerC
SSE-C allows customer to provide and manage their own encryption keys, including rotation.
Why this answer
SSE-C allows customers to provide their own encryption keys and manage rotation. SSE-S3 uses AWS-managed keys (no customer control). SSE-KMS uses KMS keys but AWS manages rotation unless using customer-managed keys with automatic rotation.
Option C is correct because SSE-C gives full control over key management and rotation.
During incident response, a security engineer needs to preserve the state of a running EC2 instance for forensic analysis without losing volatile data. The instance is in an Auto Scaling group. Which action should the engineer take FIRST?
A.Detach the instance from the Auto Scaling group.
B.Stop the instance to preserve its EBS volumes.
C.Take an AMI of the instance immediately.
D.Suspend the `HealthCheck` and `ReplaceUnhealthy` processes on the Auto Scaling group.
AnswerD
Prevents Auto Scaling from interfering with the instance.
Why this answer
Option D is correct because suspending the `HealthCheck` and `ReplaceUnhealthy` processes on the Auto Scaling group prevents the group from detecting the instance as unhealthy and terminating it while the engineer preserves volatile data. This is the first step to ensure the instance remains running and accessible for forensic collection (e.g., memory dump) before any other actions that could alter its state.
Exam trap
The trap here is that candidates often choose to stop the instance or take an AMI first, not realizing that those actions destroy volatile data or require a stable state, whereas the correct first step is to prevent the Auto Scaling group from interfering with the running instance.
How to eliminate wrong answers
Option A is wrong because detaching the instance from the Auto Scaling group does not prevent the group from launching a replacement instance, but more critically, it does not protect the running instance from being terminated by other processes or manual actions; it also does not preserve volatile data. Option B is wrong because stopping the instance immediately loses volatile data (RAM, network connections, process state) which is critical for forensic analysis; the goal is to preserve the running state, not halt it. Option C is wrong because taking an AMI of the instance requires the instance to be in a stable state (often stopped or with consistent filesystem), and it does not capture volatile memory; it also takes time and could alter the instance state during the snapshot process.
A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which configuration should the engineer implement?
A.Configure the ALB listener with HTTP protocol and the target group with HTTP protocol, then use a security group to restrict traffic.
B.Configure the ALB listener with HTTPS protocol and the target group with HTTP protocol.
C.Configure the ALB listener with TCP protocol and the target group with TCP protocol, then install SSL certificates on the EC2 instances.
D.Configure the ALB listener with HTTPS protocol and the target group with HTTPS protocol, and install SSL certificates on the EC2 instances.
AnswerD
This encrypts both frontend and backend traffic.
Why this answer
Option D is correct. To encrypt traffic between ALB and EC2, you must use HTTPS listeners on both sides: the ALB listener for frontend and the target group protocol for backend. Option A uses TCP, which is not encrypted.
Option B only encrypts the frontend. Option C uses HTTP, not encrypted.
A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys can only be used by specific IAM roles and that key usage is logged. Which combination of actions should the team take? (Choose the best answer.)
A.Create an SCP to restrict KMS key usage and enable CloudWatch Logs.
B.Attach an IAM policy that allows kms:Encrypt and kms:Decrypt to the roles.
C.Configure the key policy to allow the root user and enable CloudTrail.
D.Configure the key policy to specify the IAM roles as key users and enable CloudTrail.
Option D is correct because key policies define who can use the key, and CloudTrail logs all KMS API calls. Option A is wrong because an SCP can only deny, not grant permissions. Option B is wrong because IAM policies alone are not enough; the key policy must allow IAM access.
Option C is wrong because the key policy must specify the IAM roles.
A company's security policy requires that all S3 bucket access logs be delivered to a central S3 bucket in the security account. A security engineer notices that some buckets are not delivering logs. The engineer needs to identify which buckets are not logging and ensure compliance. Which service should the engineer use to continuously monitor and report on S3 bucket logging?
A.Amazon Macie
B.Amazon S3 Inventory
C.AWS Config
D.AWS CloudTrail
AnswerC
AWS Config can evaluate whether S3 bucket logging is enabled.
Why this answer
AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. By using an AWS Config managed rule like `s3-bucket-logging-enabled`, the security engineer can automatically detect S3 buckets that do not have logging enabled and receive compliance notifications, ensuring ongoing adherence to the security policy.
Exam trap
The trap here is confusing AWS CloudTrail (which logs API calls) with AWS Config (which evaluates resource configurations), leading candidates to mistakenly choose CloudTrail for configuration compliance checks instead of Config.
How to eliminate wrong answers
Option A is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data in S3, not to monitor bucket logging configurations. Option B is wrong because Amazon S3 Inventory provides a list of objects and their metadata for auditing or lifecycle management, but it does not evaluate or report on the logging configuration of the buckets themselves. Option D is wrong because AWS CloudTrail records API activity for governance and auditing, but it does not continuously assess the configuration state of S3 bucket logging settings.
Which THREE of the following are best practices for managing IAM access keys? (Choose THREE.)
Select 3 answers
A.Use IAM roles for EC2 instances instead of access keys
B.Use long-lived access keys for applications
C.Delete unused access keys
D.Embed access keys in application code for convenience
E.Rotate access keys regularly
AnswersA, C, E
Roles are more secure than embedding keys.
Why this answer
Options A, B, and D are best practices. Option C is not a best practice because access keys should be rotated, not kept indefinitely. Option E is incorrect because access keys should not be embedded in code; use roles instead.
A company wants to allow its developers to SSH into EC2 instances only from the corporate network IP range (203.0.113.0/24). Which configuration should be used to enforce this restriction?
A.Configure a network ACL on the subnet to allow inbound SSH from the corporate range and deny all other inbound traffic.
B.Use AWS Systems Manager Session Manager to connect to instances instead of SSH.
C.Add an IAM policy that allows `ec2:RunInstances` only if the request includes the corporate IP.
D.Add a security group rule that allows inbound SSH (port 22) from the corporate IP range.
AnswerD
Security groups are stateful and can restrict inbound traffic to a specific source.
Why this answer
Option C is correct because a security group rule can restrict inbound SSH to the specific IP range. Option A is wrong because IAM policies do not control network access. Option B is wrong because NACLs are stateless and require separate inbound and outbound rules.
Option D is wrong because Systems Manager Session Manager does not use SSH.
A company wants to automate the enforcement of security best practices across all AWS accounts. Which AWS service provides pre-built rules for security compliance?
A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Security Hub
D.AWS Config
AnswerC
Security Hub provides automated security checks and compliance standards.
Why this answer
AWS Security Hub is the correct answer because it provides a comprehensive view of security alerts and compliance status across AWS accounts, and it includes pre-built security standards and automated compliance checks based on frameworks such as the AWS Foundational Security Best Practices (FSBP), CIS AWS Foundations Benchmark, and PCI DSS. These pre-built rules allow you to automate the enforcement of security best practices without manual configuration.
Exam trap
The trap here is that candidates often confuse AWS Config's managed rules (which evaluate resource configurations) with Security Hub's pre-built security compliance standards, but Security Hub is specifically designed for aggregating and automating security best practices across accounts, while Config is a configuration auditing tool without built-in security compliance frameworks.
How to eliminate wrong answers
Option A is wrong because Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using machine learning and threat intelligence, but it does not provide pre-built rules for security compliance or automated compliance checks. Option B is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, but it does not offer pre-built compliance rules or enforce security best practices across accounts. Option D is wrong because AWS Config is a service that evaluates your resource configurations against desired configurations using custom or managed rules, but it does not provide pre-built security compliance standards or a consolidated dashboard for security best practices across accounts; it focuses on resource configuration auditing rather than security compliance enforcement.
A company uses AWS CloudTrail to log API activity. The security team wants to ensure that any modification to CloudTrail configuration is logged and that the logs are tamper-proof. Which feature should be enabled?
A.S3 MFA Delete on the CloudTrail S3 bucket
B.S3 Versioning on the CloudTrail S3 bucket
C.CloudTrail Log File Integrity Validation
D.CloudWatch Logs log stream encryption
AnswerC
Provides tamper-proofing.
Why this answer
Option B is correct because CloudTrail Log File Integrity Validation uses SHA-256 hashing and digital signatures to detect tampering. Option A is wrong because S3 Versioning does not prevent tampering of logs. Option C is wrong because MFA Delete protects against deletion, not modification.
Option D is wrong because CloudWatch Logs does not provide integrity validation.
Refer to the exhibit. An AWS KMS key policy includes the statement shown. The AdminRole tries to decrypt a ciphertext that was encrypted using the same KMS key with encryption context 'department=engineering'. What will happen?
A.The decrypt operation succeeds because the role has kms:Decrypt permission.
B.The decrypt operation succeeds because the encryption context is ignored during decryption.
C.The decrypt operation fails because the policy does not allow kms:Decrypt without matching context.
D.The decrypt operation fails because the encryption context does not match the condition.
AnswerD
The condition 'department=finance' is not met, so access is denied.
Why this answer
Option D is correct because the KMS key policy includes a condition that requires the encryption context to match 'department=engineering'. When the AdminRole attempts to decrypt the ciphertext, the encryption context used during decryption must exactly match the context used during encryption. Since the policy enforces this condition with a kms:EncryptionContextKeys condition key, the decrypt operation fails if the context does not match, even though the role has kms:Decrypt permission.
Exam trap
The trap here is that candidates assume kms:Decrypt permission alone is sufficient for decryption, overlooking that encryption context conditions in the key policy can override the permission and cause a failure even when the IAM role has the correct action allowed.
How to eliminate wrong answers
Option A is wrong because having kms:Decrypt permission alone is insufficient; the policy also includes a condition that restricts decryption to requests with a matching encryption context. Option B is wrong because the encryption context is not ignored during decryption; AWS KMS requires the same encryption context to be provided for decryption as was used during encryption, and the policy enforces this with a condition. Option C is wrong because the policy does allow kms:Decrypt, but only when the encryption context matches; the failure is due to the context mismatch, not a lack of permission.
A company wants to allow an external auditor to assume a read-only role in their AWS account. The auditor's AWS account ID is 123456789012. Which trust policy should be attached to the role?
Allows the external account root with MFA requirement, secure and standard.
Why this answer
Option A is correct because it grants the external auditor's AWS account (via its root principal ARN) permission to assume the read-only role, while enforcing multi-factor authentication (MFA) as a security best practice. The `sts:AssumeRole` action is the standard mechanism for cross-account role assumption, and the `aws:MultiFactorAuthPresent` condition ensures the auditor uses MFA, reducing the risk of compromised credentials.
Exam trap
The trap here is that candidates often overlook the MFA condition or incorrectly specify a specific user ARN, failing to recognize that the root principal ARN is the correct way to grant access to an entire external account while maintaining flexibility and security.
How to eliminate wrong answers
Option B is wrong because it lacks the MFA condition, which is a critical security control for external access; without it, the auditor could assume the role without MFA, violating the principle of least privilege and increasing risk. Option C is wrong because it specifies a specific IAM user (`user/Auditor`) rather than the entire account (`root`), which is inflexible and would require updating the policy if the auditor's username changes or if multiple auditors need access. Option D is wrong because it uses `Deny` instead of `Allow`, which would explicitly block the auditor from assuming the role, and the principal format is invalid (missing `arn:aws:iam::` prefix).
A company has a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all API activity across all accounts is logged and immutable. CloudTrail is enabled in all accounts, but the logs are stored in individual account buckets. The team wants to centralize logs and prevent any account from disabling logging. What should they do?
A.Create a new CloudTrail trail for each account and configure S3 bucket policies to allow cross-account access.
B.Enable S3 MFA Delete on each account's log bucket and require MFA for IAM users.
C.Use CloudWatch Logs to aggregate logs and set a retention policy of 10 years.
D.Apply an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail, and create an organization trail that delivers logs to a central S3 bucket with a bucket policy that prevents deletion.
AnswerD
SCPs prevent disabling, and organization trail centralizes logs.
Why this answer
Option D is correct because using an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail prevents disabling, and creating an organization trail ensures logs are delivered to a central bucket. Option A is wrong because an organization trail already covers all accounts. Option B is wrong because S3 MFA Delete alone doesn't prevent CloudTrail disabling.
Option C is wrong because CloudWatch Logs doesn't provide immutable storage.
A company is using Amazon GuardDuty to detect threats in its AWS environment. The security team notices that GuardDuty is generating a high number of 'UnauthorizedAccess:IAMUser/MaliciousIPCaller' findings for an IAM user that is used by a legacy application. The security team has verified that the IP addresses flagged are not malicious but are legitimate IPs used by the application's third-party service. The company wants to suppress these findings without disabling GuardDuty entirely. Which solution is the MOST effective and secure?
A.Disable the specific finding type in GuardDuty settings.
B.Create a GuardDuty suppression rule that automatically archives findings for that IAM user.
C.Create a VPC flow log filter to exclude traffic from those IP addresses.
D.Modify the IAM user's permissions to restrict the IP addresses it can use.
AnswerB
Suppression rules allow you to filter out known false positives based on specific criteria.
Why this answer
GuardDuty supports suppression rules that allow you to automatically archive findings that match certain criteria. You can create a suppression rule based on the finding type and the IAM user's ARN to automatically archive these false positives. Option C is correct because it uses GuardDuty's built-in suppression feature.
Option A is wrong because disabling the finding type would suppress all similar findings for all users, which is too broad. Option B is wrong because modifying the IAM user's permissions does not affect GuardDuty findings. Option D is wrong because creating a VPC flow log filter does not suppress GuardDuty findings.
A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze CloudTrail logs from all accounts in a single S3 bucket. What is the most efficient way to achieve this?
A.Create a CloudTrail trail in each account and configure the same S3 bucket as the destination.
B.Use CloudWatch Logs subscription filter to send logs from each account to a central account.
C.Create a single organization trail in the management account that logs all accounts.
D.Use S3 cross-region replication to copy logs from each account's bucket to a central bucket.
AnswerC
Organization trails automatically apply to all accounts in the organization.
Why this answer
Option C is correct because AWS Organizations supports creating a single organization trail in the management account that automatically logs CloudTrail events for all accounts in the organization. This centralizes log collection into one S3 bucket without needing to configure trails per account, making it the most efficient and scalable approach for multi-account environments.
Exam trap
The trap here is that candidates often assume each account must have its own trail (Option A) or that a streaming solution like CloudWatch Logs (Option B) is required, overlooking the native organization-level trail feature that simplifies centralization.
How to eliminate wrong answers
Option A is wrong because creating a trail in each account and pointing to the same S3 bucket requires manual setup per account, does not scale efficiently, and can lead to permission conflicts or log overwrites if bucket policies are not correctly configured. Option B is wrong because CloudWatch Logs subscription filters are designed to stream log data to a central account for real-time processing, but they are not the most efficient way to collect CloudTrail logs for long-term storage in S3; they add complexity and cost for a task that organization trails handle natively. Option D is wrong because S3 cross-region replication copies objects between buckets in different regions, but it does not centralize logs from multiple accounts into a single bucket; it requires each account to have its own bucket and replication rules, adding overhead and potential for configuration errors.
A security engineer needs to monitor AWS account activity for suspicious API calls and receive alerts. Which AWS service should the engineer use to meet this requirement?
A.VPC Flow Logs
B.AWS Config with AWS Config Rules
C.AWS CloudTrail with CloudWatch Alarms
D.Amazon GuardDuty
AnswerC
CloudTrail logs API calls, and CloudWatch Alarms can trigger on metric filters for specific API activity.
Why this answer
Option C is correct because CloudTrail logs API activity and can be integrated with CloudWatch Alarms for alerts. Option A is wrong because GuardDuty focuses on threat detection from various data sources, not specifically API monitoring. Option B is wrong because VPC Flow Logs capture network traffic.
Option D is wrong because AWS Config tracks configuration changes.
A company uses Amazon GuardDuty and has enabled EKS audit logs as a data source. The security team wants to detect potential container escape attempts. Which TWO findings would indicate a container escape attempt? (Choose TWO.)
Indicates a container making Kubernetes API calls, which could be used to escalate privileges.
Why this answer
Option D is correct because the PrivilegeEscalation:EKS/KubernetesAPICallFromContainer finding specifically detects when a container makes Kubernetes API calls that indicate an attempt to escalate privileges, such as creating pods with elevated permissions or accessing cluster-admin roles. This is a direct indicator of a container escape attempt, as the container is interacting with the Kubernetes control plane to gain unauthorized access to the host or other resources.
Exam trap
The trap here is that candidates may confuse ECS-specific findings (like SuspiciousCommand) with EKS findings, or mistake general EC2 threats (like SSH brute force or crypto mining) as indicators of container escape, when only findings directly tied to Kubernetes API calls or sensitive mounts are relevant.
A company is designing a data protection strategy for Amazon EFS file systems. The security team requires encryption at rest and in transit. Additionally, the team needs to control which KMS keys can be used to encrypt the file system. Which THREE steps should the team take?
Select 3 answers
A.Configure a KMS key policy that allows the EFS service to use the key.
B.Enable encryption at rest using a customer-managed KMS key when creating the EFS file system.
C.Enable default encryption on the EFS file system using SSE-S3.
D.Use an IAM policy to restrict which users can create encrypted file systems.
E.Enable encryption of data in transit using the mount helper's tls option on the client.
AnswersA, B, E
Key policy must grant EFS permissions to use the key.
Why this answer
Option A is correct because EFS supports encryption at rest using a KMS key. Option B is correct because enabling encryption of data in transit using TLS is a separate setting. Option D is correct because a KMS key policy can restrict which keys can be used for EFS.
Option C is wrong because EFS does not support SSE-S3. Option E is wrong because IAM policies for users can restrict KMS actions, but key policy is more direct.
A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances in private subnets. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which security group configuration should be applied to the EC2 instances?
A.Allow inbound HTTP/HTTPS from the security group attached to the ALB.
B.Configure the network ACL to allow traffic from the ALB's private IP addresses.
C.Allow inbound HTTP/HTTPS from 0.0.0.0/0.
D.Allow inbound HTTP/HTTPS from the VPC CIDR block.
AnswerA
This ensures only traffic originating from the ALB is allowed.
Why this answer
Option B is correct because referencing the ALB's security group as the source ensures only traffic originating from the ALB can reach the EC2 instances. Option A is wrong because allowing traffic from the VPC CIDR would permit any instance in the VPC to access the EC2 instances, not just the ALB. Option C is wrong because allowing traffic from 0.0.0.0/0 would expose the instances to the internet.
Option D is wrong because a network ACL is stateless and does not use security group references.
A.Avoid using IAM roles and instead attach policies directly to users.
B.Use the root user for everyday administrative tasks.
C.Grant broad permissions to all users to simplify management.
D.Use conditions in IAM policies to restrict access based on tags or IP addresses.
E.Use IAM roles for applications that run on EC2 instances.
AnswersD, E
Conditions help enforce context-specific access.
Why this answer
Option D is correct because using conditions in IAM policies (e.g., `aws:SourceIp`, `aws:RequestTag`) allows you to enforce fine-grained access control based on contextual attributes like IP addresses or resource tags. This follows the principle of least privilege by restricting permissions to only the necessary scope, reducing the attack surface. For example, you can deny access to S3 buckets unless the request originates from a corporate IP range.
Exam trap
The trap here is that candidates often confuse IAM roles with IAM users, mistakenly thinking roles are only for cross-account access, when in fact roles are the recommended mechanism for granting permissions to AWS services like EC2, Lambda, and ECS.
A company has a requirement that all access keys for IAM users must be rotated every 90 days. A security engineer needs to implement an automated solution to identify and disable keys that are older than 90 days. Which approach meets the requirement with the least operational overhead?
A.Use AWS Trusted Advisor to check key age and send notifications.
B.Use AWS CloudTrail to monitor CreateAccessKey events and trigger a Lambda function to check key age.
C.Use IAM Access Analyzer to generate findings for unused keys and manually disable them.
D.Use an AWS Config rule with auto-remediation to disable keys older than 90 days.
AnswerD
Correct: Config rule evaluates and auto-remediation disables keys.
Why this answer
Option D is correct because AWS Config has a managed rule 'access-keys-rotated' that checks key age and can trigger auto-remediation via a Systems Manager automation document to disable old keys. Option A is wrong because IAM Access Analyzer does not manage key rotation. Option B is wrong because CloudTrail does not enforce rotation.
Option C is wrong because AWS Trusted Advisor only provides recommendations, not enforcement.
A company wants to allow users from its corporate Active Directory to access AWS resources. The company has set up an IAM identity provider for SAML. What must be created in IAM to map users to permissions?
A.An IAM role with a trust policy for the SAML provider
B.An OIDC identity provider
C.An IAM user for each Active Directory user
D.A federation role type
AnswerA
The role trust policy allows the SAML provider to issue tokens for the role.
Why this answer
A is correct because when using SAML-based federation, IAM roles are the mechanism to grant permissions to federated users. The role must have a trust policy that specifies the SAML identity provider as the principal, allowing users authenticated by the corporate Active Directory to assume the role and obtain temporary AWS credentials. This maps the SAML assertion attributes (such as the user's group or role) to IAM permissions via the role's permissions policy.
Exam trap
The trap here is that candidates confuse the IAM role trust policy with the SAML identity provider configuration itself, thinking the provider alone grants permissions, rather than understanding that the role bridges the SAML assertion to AWS permissions.
How to eliminate wrong answers
Option B is wrong because OIDC (OpenID Connect) is a separate identity federation protocol used for web identity providers like Google or Amazon Cognito, not for SAML-based Active Directory federation. Option C is wrong because creating an IAM user for each Active Directory user defeats the purpose of federation—it would require managing duplicate identities and credentials outside the corporate directory. Option D is wrong because 'federation role type' is not a valid IAM entity; IAM roles are categorized by trust policy type (e.g., service role, cross-account role, or identity provider role), but there is no distinct 'federation role type' in the AWS API or console.
A company wants to allow cross-account access to an S3 bucket in Account A for a user in Account B. What is the correct combination of steps?
A.Add a bucket policy in Account A allowing access to the user in Account B, and attach an IAM policy to the user in Account B allowing access to the bucket.
B.Create an IAM role in Account A with access to the bucket, and have the user in Account B assume that role.
C.Add a bucket policy in Account A allowing access to Account B, and no action is needed in Account B because the user already has permissions.
D.Add a bucket policy in Account A allowing access to Account B, and attach an IAM policy to the user in Account B allowing access to the bucket.
AnswerD
Both policies are required for cross-account access.
Why this answer
Option D is correct because cross-account access requires both a bucket policy allowing the user and an IAM user policy allowing access to the bucket. Option A is wrong because only the bucket policy is not sufficient; the user also needs permissions. Option B is wrong because the bucket policy needs to specify the user ARN, not just the account.
Option C is wrong because a role needs to be assumed, but the question asks for user access.
A security engineer is designing a network architecture in AWS. The engineer needs to ensure that all outbound traffic from a VPC goes through a centrally managed NAT device for logging and filtering. The VPC has multiple private subnets. Which TWO steps are required to accomplish this? (Choose TWO.)
Select 2 answers
A.Deploy an HTTP forward proxy in the public subnet.
B.Create a route table for the private subnets with a default route (0.0.0.0/0) pointing to the NAT device.
C.Set up a transit gateway and attach the VPC to it.
D.Create a gateway endpoint for Amazon S3.
E.Place the NAT device in a public subnet with a route to an internet gateway.
AnswersB, E
This routes outbound traffic from private subnets to the NAT device.
Why this answer
Option B and D are correct. Configuring the route tables to point to the NAT device ensures traffic goes through it. Placing the NAT device in a public subnet with an internet gateway allows it to reach the internet.
Option A is wrong because a transit gateway is not needed. Option C is wrong because a proxy is not required. Option E is wrong because a gateway endpoint is for S3/DynamoDB, not internet traffic.
Which THREE are valid ways to grant cross-account access to an S3 bucket? (Choose three.)
Select 3 answers
A.Use an IAM user in the source account with access keys.
B.Create an IAM role in the target account and allow the source account to assume it.
C.Use an S3 access point with a policy that allows cross-account access.
D.Create a bucket policy that grants access to the other account's root user.
E.Set the bucket ACL to grant full control to the other account.
AnswersB, C, D
Cross-account role assumption is a common pattern.
Why this answer
Options A, B, and C are correct. A bucket policy with the target account's root user ARN (A), an IAM role in the target account that can be assumed (B), and an S3 access point with a policy (C) all allow cross-account access. Option D allows list but not full access.
A company uses AWS Organizations and has GuardDuty enabled in all accounts. The security team wants to suppress low-severity findings that are known false positives for a specific member account. How can this be achieved with minimal administrative overhead?
A.Disable GuardDuty for that member account and rely on other accounts.
B.In the member account, create a suppression rule in GuardDuty for the specific finding types.
C.Use AWS Security Hub insights to filter out those findings from the aggregated view.
D.Ask the delegated administrator to add a suppression rule in the GuardDuty console for that account.
AnswerB
Member accounts can create suppression rules.
Why this answer
Option B is correct because GuardDuty supports suppression rules that can be created at the member account level to automatically archive low-severity findings that are known false positives. This approach allows the member account to manage its own findings without requiring changes to the GuardDuty configuration in the management account or other accounts, minimizing administrative overhead.
Exam trap
The trap here is that candidates may assume the delegated administrator can centrally manage suppression rules for member accounts, but GuardDuty requires suppression rules to be created within the account that owns the findings, not from the administrator account.
How to eliminate wrong answers
Option A is wrong because disabling GuardDuty for the member account would stop all threat detection in that account, not just suppress false positives, and would create a security blind spot. Option C is wrong because AWS Security Hub insights can filter the aggregated view but do not suppress findings in GuardDuty itself; the findings would still exist and count toward quotas or alerts in GuardDuty. Option D is wrong because the delegated administrator cannot add a suppression rule directly for a specific member account from the administrator console; suppression rules must be created within the context of the account where the findings are generated, i.e., the member account itself.
A company uses AWS CloudHSM to generate and store encryption keys for a custom application. The application runs on Amazon EC2 instances and uses the PKCS#11 interface to interact with the HSM. The security team recently discovered that a former employee may have obtained a copy of the cryptographic materials from the HSM. What should the security team do to minimize the impact?
A.Use AWS KMS to create a new key and re-encrypt all data. Then revoke the old key.
B.Delete the CloudHSM backup from the backup service. Then rotate all keys that were stored in the HSM.
C.Change the HSM administrator password and the crypto user passwords.
D.Delete the HSM cluster and create a new one. Restore the backup from a known good time.
AnswerB
Deleting the backup prevents restoration of the compromised material; rotating keys invalidates the copied material.
Why this answer
Option C is correct because CloudHSM backup contains the cryptographic material; deleting the backup ensures the former employee cannot restore the HSM's contents. Option A is wrong because deleting the HSM cluster does not delete the backup automatically. Option B is wrong because changing the HSM credentials does not invalidate the copied material.
Option D is wrong because KMS cannot revoke keys stored in CloudHSM.