A company has an Amazon S3 bucket that stores sensitive data. The security team wants to ensure that all access to the bucket is made only via HTTPS. Which policy should be used?
A.Enable CloudFront with HTTPS-only viewer protocol policy.
B.Use a VPC endpoint for S3 with a bucket policy that restricts access to the VPC endpoint.
C.Enable 'Block public access' on the bucket.
D.Add a bucket policy that denies access when aws:SecureTransport is false.
AnswerD
This explicitly denies non-HTTPS requests.
Why this answer
Option D is correct because a bucket policy with a condition that denies access if aws:SecureTransport is false ensures HTTPS only. Option A is wrong because CloudFront does not enforce HTTPS for the S3 origin. Option B is wrong because a VPC endpoint does not enforce HTTPS.
Option C is wrong because 'Block public access' is not an HTTPS-only setting; S3 has no built-in HTTPS-only bucket setting, so a custom policy is required.
A company needs to enforce that all Amazon S3 buckets are encrypted at rest. Which TWO actions should be taken? (Choose two.)
Select 2 answers
A.Enable AWS CloudTrail to log S3 API calls.
B.Use bucket policies to deny write operations without encryption.
C.Enable default encryption on each S3 bucket.
D.Create a KMS key and apply it to all buckets.
E.Use a service control policy (SCP) to deny the s3:PutBucketPublicAccessBlock action.
AnswersC, E
Default encryption encrypts new objects.
Why this answer
Option C is correct because enabling default encryption ensures all new objects are encrypted. Option E is correct because an SCP can deny creation of unencrypted buckets. Option A is wrong because CloudTrail logs do not enforce encryption.
Option B is wrong because bucket policies cannot enforce encryption on existing objects. Option D is wrong because KMS keys are used for encryption but do not enforce the policy.
A security engineer is investigating a potential security incident. CloudTrail logs show that an IAM user 'admin' deleted an S3 bucket at 2023-01-15T10:30:00Z. The engineer needs to find the source IP address and user agent of the request. Which CloudTrail log field contains this information?
A.eventID
B.requestParameters
C.userAgent and sourceIPAddress
D.resources
AnswerC
These fields contain the required information.
Why this answer
Option C is correct because the user agent is stored in the userAgent field and the source IP in the sourceIPAddress field. Option A is wrong because eventID is only a unique identifier for the event. Option B is wrong because requestParameters contains the API call's parameters.
Option D is wrong because resources contains the ARNs of the affected resources.
A security team wants to receive real-time notifications when an IAM user makes a change to a security group. Which AWS service should be used to trigger the notification?
A.AWS Config
B.AWS CloudTrail with Amazon CloudWatch Events
C.Amazon S3 event notifications
D.Amazon GuardDuty
AnswerB
CloudTrail logs the API call and CloudWatch Events can trigger an alert.
Why this answer
Option B is correct because CloudTrail logs the API call, and CloudWatch Events can create a rule that matches the event and sends a notification to SNS. Option A is wrong because Config evaluates resource configurations, not real-time API calls. Option C is wrong because S3 event notifications cover only S3 objects.
Option D is wrong because GuardDuty is a threat detection service.
A company uses Amazon SQS to decouple its microservices. The messages contain personally identifiable information (PII). The security team requires that all messages be encrypted at rest. Currently, SQS is configured with SSE enabled using a customer managed KMS key. However, the team discovers that some messages are still being stored in plaintext in the dead-letter queue (DLQ) after the maximum receives are exceeded. The DLQ is also an SQS queue. What is the MOST likely reason?
A.The source queue's SSE is configured with AWS managed KMS key, which does not support cross-account DLQ.
B.The DLQ does not have SSE enabled, so messages are stored in plaintext.
C.The source queue's SSE configuration uses a different KMS key than the DLQ, causing decryption failure.
D.The KMS key policy does not allow the SQS service to decrypt the messages before moving them to the DLQ.
AnswerB
If the DLQ does not have SSE, messages will be stored unencrypted.
Why this answer
Option B is correct. If the DLQ does not have SSE enabled, or if it uses a different KMS key that is not accessible, messages may be stored in plaintext. Option A is wrong because the DLQ is a separate queue; the source queue's encryption configuration does not apply to it.
Option C is wrong because the source queue is already encrypted; the issue is the DLQ. Option D is wrong because the KMS key policy does not affect encryption of the source queue if the DLQ is not encrypted.
A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. Which AWS service can be used to enforce this requirement?
A.AWS Organizations
B.AWS Config
C.AWS Identity and Access Management (IAM)
D.Amazon Cognito
AnswerC
Correct: IAM policies can require MFA.
Why this answer
Option C is correct because IAM policies can include a condition that requires MFA. Option A is wrong because AWS Organizations manages accounts, not user MFA. Option B is wrong because AWS Config can check compliance but cannot enforce it.
Option D is wrong because Amazon Cognito is for external identities.
A company uses Amazon GuardDuty to detect threats. The security team wants to be alerted when GuardDuty generates a finding with a severity level of HIGH or CRITICAL. Which AWS service should the team use to send notifications based on GuardDuty findings?
A.Amazon Simple Queue Service (SQS)
B.Amazon EventBridge and Amazon Simple Notification Service (SNS)
C.AWS Lambda
D.Amazon CloudWatch Logs and Amazon Simple Notification Service (SNS)
AnswerB
EventBridge can filter findings and trigger SNS for alerts.
Why this answer
Amazon EventBridge can capture GuardDuty findings as events using a rule that matches the 'GuardDuty Finding' event type. The rule can then invoke an SNS topic to send email or SMS notifications. This is the recommended pattern because EventBridge provides native integration with GuardDuty and supports filtering by finding severity using event patterns, while SNS handles the actual notification delivery.
Exam trap
The trap here is that candidates often assume GuardDuty findings go directly to CloudWatch Logs or that Lambda is required for filtering, but the native integration with EventBridge eliminates the need for custom processing or intermediate services.
How to eliminate wrong answers
Option A is wrong because Amazon SQS is a message queue service for decoupling application components, not for sending notifications; it would require a separate consumer to poll and send alerts. Option C is wrong because AWS Lambda alone cannot send notifications; it would need to invoke SNS or another service, making it an unnecessary intermediate step when EventBridge can directly route to SNS. Option D is wrong because GuardDuty findings are not automatically sent to CloudWatch Logs; GuardDuty publishes events to EventBridge, not to CloudWatch Logs, so this option introduces an incorrect data flow.
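As an added example that is not part of the original page, here is the EventBridge rule pattern this question describes together with a small matcher that applies it to constructed finding events. The finding IDs, severities and type strings are placeholders, and the matcher implements only the exact-value and numeric operators the pattern needs.

```python
# GuardDuty severity is numeric: High is 7.0-8.9 and Critical is 9.0 and above,
# so one numeric filter on detail.severity selects both bands. This is real
# EventBridge event-pattern syntax.
HIGH_OR_CRITICAL_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def _numeric_matches(spec, value):
    """spec is an operator/value list such as [">=", 7] or [">", 0, "<=", 5]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    pairs = zip(spec[0::2], spec[1::2])
    return all(_NUMERIC_OPS[op](value, float(bound)) for op, bound in pairs)


def _value_matches(alternatives, value):
    """A list in a pattern matches when any alternative matches the event value."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_matches(alt["numeric"], value):
                return True
        elif alt == value:
            return True
    return False


def event_matches(pattern, event):
    """Recursive subset match: every key in the pattern must match the event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif not _value_matches(expected, actual):
            return False
    return True


def _finding(finding_id, severity, finding_type):
    # Constructed GuardDuty finding in the shape EventBridge delivers it (trimmed).
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"id": finding_id, "severity": severity, "type": finding_type},
    }


# Constructed sample events; the last one is not a GuardDuty finding at all.
SAMPLE_EVENTS = [
    _finding("finding-low-0001", 2.0, "Recon:EC2/PortProbeUnprotectedPort"),
    _finding("finding-medium-0002", 5.0, "UnauthorizedAccess:IAMUser/MaliciousIPCaller"),
    _finding("finding-high-0003", 8.0, "Backdoor:EC2/C&CActivity.B!DNS"),
    _finding("finding-critical-0004", 9.5, "CryptoCurrency:EC2/BitcoinTool.B!DNS"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]


def select_alerts(events, pattern=HIGH_OR_CRITICAL_PATTERN):
    """Return the finding IDs the rule would hand to its SNS target."""
    return [e["detail"]["id"] for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    print(select_alerts(SAMPLE_EVENTS))
```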
A company uses AWS KMS to encrypt data in Amazon RDS. The security team discovers that a developer accidentally deleted a customer master key (CMK) used for RDS encryption. What is the impact on the RDS instances that were encrypted with that key?
A.The RDS instances will become inaccessible and data will be lost
B.The key deletion can be reversed within 30 days
C.The RDS instances will be automatically re-encrypted with a new key
D.The RDS instances will continue to operate normally
AnswerA
Without the key, the encrypted data cannot be decrypted.
Why this answer
Option A is correct because deleting a KMS key renders the RDS instances encrypted with it unrecoverable. Option B is wrong because the key deletion is not automatically reversible after the scheduled deletion period. Option C is wrong because the instances cannot simply be re-encrypted without the original key.
Option D is wrong because the data becomes permanently inaccessible.
A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which combination of components provides a highly available, managed solution? (Select TWO.)
Select 2 answers
A.Add a route to the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway.
B.Launch a NAT instance in a public subnet.
C.Create a VPC endpoint for Amazon S3.
D.Create a NAT gateway in each Availability Zone.
E.Attach an internet gateway to the VPC.
AnswersA, D
Routes traffic from private subnet to NAT gateway.
Why this answer
Option A is correct because a NAT gateway enables outbound internet access for instances in a private subnet while preventing inbound connections from the internet. It is a managed AWS service that automatically scales and is highly available within a single Availability Zone. By adding a route for 0.0.0.0/0 to the NAT gateway in the private subnet's route table, traffic destined for the internet is forwarded to the NAT gateway, which then uses an internet gateway to reach the internet.
Exam trap
The trap here is that candidates often think a single NAT gateway is sufficient for high availability, but AWS requires one NAT gateway per Availability Zone to survive an AZ failure, and they may also confuse a VPC endpoint for S3 with a general internet access solution.
A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to ensure that all member accounts send findings to the delegated administrator account. However, some member accounts are not sending findings. What is the most likely cause?
A.The GuardDuty service-linked role is missing in the member accounts.
B.AWS CloudTrail is not enabled in the member accounts.
C.GuardDuty is not enabled in the member accounts, or they have not accepted the invitation.
D.VPC Flow Logs are not enabled in the member accounts.
AnswerC
Each member account must enable GuardDuty and accept the invitation.
Why this answer
GuardDuty must be enabled in each member account, and each account must explicitly accept the invitation from the administrator account, so Option C is correct. Option A is wrong because the service-linked role is created automatically when GuardDuty is enabled.
Option B is wrong because CloudTrail is not required for GuardDuty to send findings. Option D is wrong because GuardDuty does not require VPC Flow Logs to be enabled.
A security engineer is investigating an AWS CloudTrail log entry that shows an unauthorized API call to delete an S3 bucket. Which service should the engineer use to analyze the log data for patterns of similar malicious activity?
A.AWS Config
B.Amazon CloudWatch Logs Insights
C.AWS Artifact
D.Amazon GuardDuty
AnswerD
GuardDuty is purpose-built for threat detection using CloudTrail, VPC Flow Logs, and DNS logs.
Why this answer
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activity, including unauthorized API calls like the S3 bucket deletion attempt. It uses machine learning and integrated threat intelligence to analyze CloudTrail management events, VPC flow logs, and DNS logs, enabling it to identify patterns of similar malicious behavior across your environment. This makes GuardDuty the correct choice for detecting and alerting on patterns of unauthorized activity, rather than just logging or compliance checks.
Exam trap
The trap here is that candidates confuse CloudWatch Logs Insights, which can query logs, with GuardDuty's automated threat detection, overlooking that GuardDuty is purpose-built for identifying patterns of malicious activity without requiring manual log analysis.
How to eliminate wrong answers
Option A is wrong because AWS Config is a service for evaluating resource configurations and compliance against rules, not for analyzing CloudTrail log patterns for malicious activity; it lacks threat detection capabilities. Option B is wrong because Amazon CloudWatch Logs Insights is a query tool for searching and analyzing log data, but it does not provide automated threat detection or pattern recognition for malicious activity; it requires manual querying and lacks built-in threat intelligence. Option C is wrong because AWS Artifact is a self-service portal for downloading AWS compliance reports and agreements, with no capability to analyze CloudTrail logs or detect unauthorized activity.
A security engineer is reviewing AWS CloudTrail logs and finds that an IAM user 'developer1' deleted an S3 bucket. The engineer needs to determine the source IP address of the delete operation. Which field in the CloudTrail log record contains this information?
A.userIdentity
B.requestParameters
C.eventTime
D.sourceIPAddress
AnswerD
sourceIPAddress contains the IP address from which the call was made.
Why this answer
Option D is correct because the 'sourceIPAddress' field in CloudTrail logs contains the IP address from which the API call was made. Option A is wrong because 'userIdentity' contains details about the IAM user or role, not the IP address. Option B is wrong because 'requestParameters' contains the parameters of the request, not the IP address.
Option C is wrong because 'eventTime' is the timestamp of the event.
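The two CloudTrail questions above (the 'admin' and 'developer1' bucket deletions) both come down to reading sourceIPAddress, userAgent and userIdentity out of a record. The following is an added example, not from the original page: the records are constructed in the shape CloudTrail writes to S3 (a top-level "Records" list), and the account IDs, IP addresses, user agents and event IDs are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail log file (not real log data).
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-01-15T10:30:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.9.1 Python/3.11.1 Linux/5.15 exe/x86_64",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"bucketName": "example-sensitive-data"},
     "eventID": "00000000-0000-4000-8000-000000000001"},
    {"eventVersion": "1.08", "eventTime": "2023-01-15T10:31:12Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "[Boto3/1.26.0 Python/3.10.6]",
     "userIdentity": {"type": "IAMUser", "userName": "developer1",
                      "arn": "arn:aws:iam::111122223333:user/developer1"},
     "requestParameters": {"bucketName": "example-sensitive-data", "key": "report.csv"},
     "eventID": "00000000-0000-4000-8000-000000000002"},
    {"eventVersion": "1.08", "eventTime": "2023-01-15T11:02:45Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "awsRegion": "eu-west-1",
     "sourceIPAddress": "192.0.2.44", "userAgent": "[S3Console/0.4, aws-internal/3]",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-session"},
     "requestParameters": {"bucketName": "example-build-artifacts"},
     "eventID": "00000000-0000-4000-8000-000000000003"},
]})


def parse_records(trail_json):
    """CloudTrail log files are JSON objects with a 'Records' array."""
    return json.loads(trail_json)["Records"]


def actor_of(record):
    """IAM users carry userName; assumed-role sessions only expose the session ARN."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def bucket_deletions(records, user_name=None):
    """Who deleted which bucket, from where and with which client.

    sourceIPAddress can also be a service DNS name (when an AWS service calls S3
    on the caller's behalf) rather than an IP, so it is reported verbatim.
    """
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "DeleteBucket":
            continue
        actor = actor_of(rec)
        if user_name is not None and actor != user_name:
            continue
        hits.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": actor,
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "event_id": rec.get("eventID"),
        })
    return hits


if __name__ == "__main__":
    for hit in bucket_deletions(parse_records(SAMPLE_TRAIL_FILE), user_name="admin"):
        print(hit)
```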
A security engineer needs to monitor for unusual outbound network traffic from an EC2 instance. Which AWS service provides this capability?
A.Amazon CloudWatch Logs agent
B.VPC Flow Logs
C.Amazon Inspector
D.AWS Config
AnswerB
VPC Flow Logs capture network traffic metadata.
Why this answer
Option B is correct because VPC Flow Logs capture network traffic metadata, including source and destination IPs, ports, and protocols. Option A is wrong because the CloudWatch Logs agent collects logs, not network flows. Option C is wrong because Amazon Inspector is for vulnerability assessments.
Option D is wrong because AWS Config records configuration changes.
An organization uses AWS Organizations with multiple accounts. The security team needs a centralized location to collect and analyze security findings from GuardDuty, Inspector, and Macie. Which AWS service should they use?
A.Amazon Detective
B.AWS Security Hub
C.Amazon CloudWatch
D.AWS Config
AnswerB
Security Hub centralizes security alerts across accounts and services.
Why this answer
AWS Security Hub is the correct service because it provides a centralized view of security alerts and compliance status across multiple AWS accounts. It aggregates findings from GuardDuty, Inspector, and Macie, normalizing them into the AWS Security Finding Format (ASFF), enabling the security team to analyze and prioritize threats in a single dashboard.
Exam trap
The trap here is that candidates confuse Amazon Detective’s investigative capabilities with Security Hub’s aggregation role, assuming Detective can centralize findings, when in fact Detective is a post-finding analysis tool that requires Security Hub or GuardDuty to provide the initial findings.
How to eliminate wrong answers
Option A is wrong because Amazon Detective is designed for in-depth investigation of security findings by analyzing VPC Flow Logs, CloudTrail, and GuardDuty data, but it does not aggregate findings from multiple services like Inspector and Macie into a single location. Option C is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not a security findings aggregator; it lacks the native integration to collect and normalize findings from GuardDuty, Inspector, and Macie into a unified format. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that tracks configuration changes, not a centralized hub for security findings from threat detection services.
A company has an Amazon S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. However, users are still able to access the bucket from outside the VPC. Which THREE steps should the security engineer take to troubleshoot this issue? (Choose THREE.)
Select 3 answers
A.Verify that the security group associated with the VPC endpoint allows inbound traffic.
B.Check the VPC endpoint policy to ensure it allows the actions the users are performing.
C.Check that the route table for the subnets has a route to the VPC endpoint.
D.Ensure the VPC endpoint is in the same region as the S3 bucket.
E.Verify that the bucket policy includes a condition that denies access if the source VPC endpoint is not the specified one.
AnswersB, C, E
The endpoint policy might be restrictive.
Why this answer
Option B is correct because the VPC endpoint policy must allow the required actions. Option C is correct because the route table must include a route to the S3 endpoint. Option E is correct because the bucket policy must explicitly deny access from outside the VPC endpoint.
Option A is wrong because security groups are not required for S3 endpoint access. Option D is wrong because the VPC endpoint must be in the same region.
A company is implementing a security monitoring solution for its AWS environment. Which TWO services can be used to detect and alert on suspicious API activity? (Choose TWO.)
Select 2 answers
A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Inspector
D.AWS Config
E.VPC Flow Logs
AnswersA, B
GuardDuty analyzes CloudTrail events and other data sources to detect suspicious API activity.
Why this answer
Options A and B are correct. CloudTrail logs API activity and can trigger CloudWatch Alarms. GuardDuty uses machine learning to detect suspicious API calls.
Option C is wrong because Inspector scans for vulnerabilities, not API activity. Option D is wrong because AWS Config evaluates resource configurations. Option E is wrong because VPC Flow Logs capture network traffic.
A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. Which AWS service should be used to allow this without assigning a public IP address to the instance?
A.Internet Gateway
B.VPC Endpoint
C.NAT Gateway
D.VPN Connection
AnswerC
Allows outbound internet for private instances.
Why this answer
Option C is correct because a NAT gateway allows instances in a private subnet to connect to the internet while preventing inbound traffic from the internet. Option A is wrong because an Internet Gateway alone does not provide outbound-only access for private instances. Option B is wrong because a VPC Endpoint is for private access to AWS services.
Option D is wrong because a VPN connection is for hybrid connectivity, not internet access.
A company has an AWS Lambda function that processes sensitive data stored in an Amazon S3 bucket. The Lambda function needs to read objects from the S3 bucket and write results to a different S3 bucket. The security engineer is configuring IAM permissions for the Lambda execution role. The engineer wants to follow the principle of least privilege. The Lambda function is triggered by S3 events from the source bucket. The engineer creates an IAM policy that grants s3:GetObject on the source bucket and s3:PutObject on the destination bucket. However, when testing, the Lambda function fails with an access denied error when trying to process an object. The error message indicates that the Lambda function does not have permission to list the objects in the source bucket. The engineer checks the S3 event notification configuration and confirms that the event is configured correctly. What should the engineer do to resolve the issue?
A.Add s3:ListBucket permission for the source bucket to the Lambda execution role.
B.Add s3:GetObject permission for the destination bucket to the Lambda execution role.
C.Add s3:* permission for both buckets to the Lambda execution role.
D.Add s3:PutObject permission for the source bucket to the Lambda execution role.
AnswerA
Correct – Grants the required list permission.
Why this answer
A: Correct – The Lambda function needs s3:ListBucket permission to list objects in the source bucket when triggered by S3 events; the event notification provides the object key, but the function may still need list permission for certain operations (e.g., if it uses S3 batch operations or if the SDK performs a list). B: Incorrect – The issue is not with the destination bucket; the error is about listing the source bucket. C: Incorrect – Granting full S3 access violates least privilege.
D: Incorrect – Adding s3:PutObject on the source bucket is unnecessary and grants extra permission.
A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to ensure that if a KMS key is disabled, all subsequent attempts to decrypt data encrypted with that key fail. What is the BEST way to achieve this?
A.Rotate the KMS key immediately.
B.Revoke all grants associated with the KMS key.
C.Disable the KMS key.
D.Delete the KMS key.
AnswerC
Disabling a key prevents all cryptographic operations, including decryption, until re-enabled.
Why this answer
Option C is correct because disabling a KMS key immediately prevents use of that key for decryption. Option A is wrong because key rotation does not affect access to the key. Option B is wrong because revoking grants does not affect the key's ability to decrypt data encrypted with the key itself.
Option D is wrong because deleting a key is irreversible and may cause permanent data loss.
A financial services company uses AWS KMS to encrypt sensitive data in S3 and RDS. The security team requires a centralized audit trail of all KMS key usage, including key creation, deletion, and cryptographic operations. The audit logs must be stored in a separate AWS account for compliance. The team has enabled CloudTrail in the management account and configured a trail that logs to an S3 bucket in the audit account. However, they notice that KMS events such as Decrypt and GenerateDataKey are not appearing in the CloudTrail logs. The KMS key policy includes the following statement: {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::management-account:root"},"Action":"kms:*","Resource":"*"}. What is the MOST likely reason for the missing KMS events?
A.The S3 bucket in the audit account does not have a bucket policy allowing writes from CloudTrail.
B.CloudTrail is not configured to log KMS data events.
C.CloudTrail does not log KMS Decrypt and GenerateDataKey events.
D.The KMS key policy does not grant CloudTrail permission to log events.
AnswerB
KMS data events are not logged by default; they must be explicitly enabled in the trail settings.
Why this answer
Option B is correct because KMS data events (such as Decrypt and GenerateDataKey) are not logged unless CloudTrail is configured to capture them. Option A is wrong because cross-account access is not the issue; the trail is logging to an S3 bucket in the audit account, but that does not affect which events are logged. Option C is wrong because CloudTrail can log KMS events, but they are data events and must be explicitly enabled.
Option D is wrong because the key policy grants full access to the management account, so it is sufficient.
A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to inspect all traffic between VPCs using a third-party firewall appliance. Which architecture should be used?
A.Set up AWS Direct Connect and route all traffic through the on-premises firewall.
B.Use Transit Gateway with appliance mode and route tables to direct traffic through a firewall appliance in a central VPC.
C.Create VPC peering connections between each VPC and the firewall VPC.
D.Configure network ACLs in each VPC to block traffic unless it comes from the firewall.
AnswerB
This allows centralized inspection and scales well.
Why this answer
Centralized inspection using a Transit Gateway with appliance mode and appropriate route tables allows traffic to be forwarded to the firewall VPC for inspection. VPC peering does not support central inspection, and network ACLs are not suitable for inter-VPC traffic. Direct Connect alone does not provide inspection.
A company uses AWS KMS to encrypt objects in an S3 bucket. The security team wants to ensure that only users with the appropriate KMS key permissions can decrypt objects. Which THREE conditions should be included in the S3 bucket policy to enforce this? (Choose THREE.)
Ensures that the KMS key is used via S3 service, preventing direct KMS decryption.
Why this answer
Options A, C, and D are correct. To require use of a specific KMS key, you can use kms:ViaService and kms:EncryptionContext conditions. Option B is wrong because kms:GranteePrincipal is used in grants, not in bucket policies.
Option E is wrong because S3 does not have a condition key kms:KeySpec.
A company uses Network Load Balancer (NLB) in front of a fleet of EC2 instances in private subnets. Security team requires that the source IP addresses of clients be preserved in the access logs of the backend instances. Which configuration should the security engineer verify?
A.Configure proxy protocol v2 on the target group
B.Ensure the NLB is configured with a subnet from each Availability Zone and the targets are in the same subnets
C.Enable target group stickiness
D.Enable cross-zone load balancing on the NLB
AnswerB
NLB preserves source IP by default; no special configuration is needed.
Why this answer
NLB preserves the source IP by default, so no special configuration is needed; Option B is correct. Option A is wrong because NLB passes the client IP through directly; proxy protocol is an alternative but not required for NLB.
Option C is wrong because target group stickiness does not affect source IP preservation.
A company has a requirement to block traffic from specific IP addresses known to be malicious. The company has an Application Load Balancer (ALB) that fronts a web application. The security engineer needs to implement a solution that can block these IP addresses at the edge before they reach the ALB. Which AWS service should be used?
A.Configure security groups on the ALB to deny traffic from those IP addresses.
B.Enable AWS Shield Advanced and configure rate-based rules.
C.Add a network ACL rule to the ALB's subnet to deny the IP addresses.
D.Use AWS WAF with an IP set rule to block the malicious IP addresses.
AnswerD
WAF can block IPs at the edge before reaching the ALB.
Why this answer
Option D is correct. AWS WAF can be attached to an ALB and can block traffic based on IP addresses using IP match conditions. Option A is wrong because security groups are for instance-level filtering and cannot be attached to an ALB.
Option B is wrong because AWS Shield Advanced provides DDoS protection but not IP-based blocking. Option C is wrong because network ACLs apply to subnets, not the ALB.
A company is using AWS KMS to encrypt S3 objects. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which KMS key policy configuration should be used?
A.Add a condition that allows decrypt only when kms:ViaService is s3.amazonaws.com and the caller role matches the specific role ARN.
B.Use an S3 bucket policy that denies decrypt for all principals except the specific IAM user.
C.Configure the IAM role with a policy that allows kms:Decrypt for the specific KMS key.
D.Attach a resource-based policy to the S3 bucket that grants decrypt permission to the IAM role.
AnswerA
Correctly restricts decrypt to the role via S3.
Why this answer
Option A is correct because the kms:ViaService condition restricts key usage to requests originating from S3, and kms:CallerRole can be used to restrict it to a specific role. Option B is wrong because it restricts access to a specific user, not a role. Option C is wrong because it grants blanket decrypt to the role without conditions.
Option D is wrong because it grants decrypt to all roles.
A security engineer needs to ensure that all objects uploaded to an S3 bucket are automatically scanned for malware before being made accessible to users. Which solution is MOST appropriate?
A.Enable VPC Flow Logs to capture all access to the bucket.
B.Enable S3 Object Lock on the bucket.
C.Configure Amazon CloudWatch Logs to monitor S3 access logs.
D.Use S3 event notifications to invoke an AWS Lambda function that runs a malware scanning solution.
AnswerD
Lambda can process each object as it is uploaded.
Why this answer
Option D is correct because S3 event notifications can trigger a Lambda function that runs a third-party malware scanner. Option A is wrong because VPC Flow Logs are network logs. Option B is wrong because S3 Object Lock is for write-once-read-many retention, not scanning.
Option C is wrong because CloudWatch Logs is for log storage, not scanning.
An IAM administrator ran the simulate-custom-policy command shown in the exhibit. The result shows an 'explicitDeny' for s3:ListBucket. What is the most likely reason?
A.The simulation incorrectly evaluates the policy due to a syntax error.
B.The resource ARN for ListBucket is incorrect; it should include a wildcard.
C.The policy does not include an action that allows s3:ListBucket, so it is implicitly denied.
D.The s3:ListBucket action is not valid for S3.
AnswerC
The policy only allows GetObject; ListBucket is not allowed, resulting in implicit deny, but the simulator might show explicitDeny if there is another policy.
Why this answer
Option C is correct because the policy does not allow s3:ListBucket, so it is implicitly denied. The simulator shows 'explicitDeny' because another policy may deny it: in this simulation, the shown policy only allows s3:GetObject, so ListBucket is not allowed, and the 'explicitDeny' could come from an SCP or a different policy attached to the user.
Option A is wrong because the policy simply does not include ListBucket. Option B is wrong because the resource ARN is correct. Option D is wrong because the action is spelled correctly.
A company uses Amazon S3 to store sensitive documents. They must ensure that all objects are encrypted at rest and that any attempt to upload an unencrypted object is denied. Which S3 bucket policy statement achieves this?
A.Deny s3:PutObject unless the request includes x-amz-server-side-encryption: AES256.
B.Deny s3:PutObject for all principals.
C.Deny s3:PutObject unless the request includes x-amz-server-side-encryption: AES256 AND the encryption is SSE-S3.
D.Allow s3:PutObject only when x-amz-server-side-encryption: AES256 is present.
AnswerC
Correctly denies unencrypted uploads by requiring the SSE header.
Why this answer
Option C is correct because it denies PutObject if the request does not include the x-amz-server-side-encryption header with value AES256. Option A is wrong because it only denies if the header is missing, but allows other values. Option B is wrong because it denies all PutObject requests.
Option D is wrong because it allows only AES256 but does not deny unencrypted uploads.
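The three bucket-policy questions on this page (the HTTPS-only deny on aws:SecureTransport, the SSE-required upload deny on x-amz-server-side-encryption, and the simulator's explicitDeny versus implicitDeny result) all rest on the same evaluation rule. The following is an added Python example that is not from the original page: the bucket name, the Allow statements and the sample requests are assumptions, the evaluator ignores Principal, and it supports only the condition operators these two policies use.

```python
import fnmatch

BUCKET = "example-bucket"  # placeholder

# Option D of the HTTPS-only question: Deny everything not sent over TLS.
HTTPS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Option C of the encrypted-upload question: Deny PutObject unless the request
# carries x-amz-server-side-encryption: AES256 (SSE-S3). The Null statement is the
# pattern AWS documents for requests that omit the header; note that as written
# the policy also rejects SSE-KMS uploads ("aws:kms"), a common surprise.
SSE_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, ctx):
    """Subset of IAM condition semantics; negated operators match a missing key."""
    present = key in ctx
    actual = str(ctx.get(key, ""))
    expected = [str(v) for v in _as_list(expected)]
    if operator == "Bool":
        return present and actual.lower() in [v.lower() for v in expected]
    if operator == "StringEquals":
        return present and actual in expected
    if operator == "StringNotEquals":
        return (not present) or actual not in expected
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present
        return present != (expected[0].lower() == "true")
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_matches(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Every condition must hold (AND); the values under one key are OR'ed.
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, ctx):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Same vocabulary as the IAM policy simulator: a matching Deny always wins,
    a matching Allow is needed for 'allowed', anything else is implicitDeny."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision


OBJ = f"arn:aws:s3:::{BUCKET}/report.csv"


def demo():
    """Representative requests against both policies, as the simulator would report them."""
    tls, plain = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    return {
        "get_over_https": evaluate(HTTPS_ONLY_POLICY, "s3:GetObject", OBJ, tls),
        "get_over_http": evaluate(HTTPS_ONLY_POLICY, "s3:GetObject", OBJ, plain),
        "list_over_https": evaluate(HTTPS_ONLY_POLICY, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", tls),
        "put_sse_s3": evaluate(SSE_REQUIRED_POLICY, "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "AES256"}),
        "put_sse_kms": evaluate(SSE_REQUIRED_POLICY, "s3:PutObject", OBJ, {"s3:x-amz-server-side-encryption": "aws:kms"}),
        "put_no_header": evaluate(SSE_REQUIRED_POLICY, "s3:PutObject", OBJ, {}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision}")
```

The list_over_https case is the simulator question in miniature: no statement allows s3:ListBucket, so the result is implicitDeny, and an explicitDeny would have to come from some other policy.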
A security engineer notices that an IAM role has a trust policy allowing any AWS account to assume it. Which attack is this misconfiguration most likely to enable?
A.Logging bypass via CloudTrail
B.Cross-service confused deputy attack
C.Unauthorized access by an external attacker
D.Privilege escalation by attaching additional policies
AnswerC
Any AWS account can assume the role, leading to unauthorized access.
Why this answer
Option C is correct because an IAM role trust policy that allows any AWS account (i.e., `"Principal": {"AWS": "*"}`) to assume the role means that any user or service in any AWS account can call the STS `AssumeRole` API to obtain temporary credentials for the role. This directly enables unauthorized access by an external attacker who can discover the role ARN and assume it, gaining all permissions attached to the role.
Exam trap
The trap here is that candidates may confuse a trust policy misconfiguration with a permissions policy misconfiguration, thinking that privilege escalation (Option D) is the primary risk, when in fact the trust policy directly controls who can assume the role, making unauthorized access the immediate and most likely attack.
How to eliminate wrong answers
Option A is wrong because CloudTrail logs all AWS API calls, including STS `AssumeRole` actions, and there is no mechanism in this misconfiguration to bypass or disable CloudTrail logging. Option B is wrong because a cross-service confused deputy attack involves a malicious service tricking another service into using its own permissions, not an overly permissive trust policy allowing any AWS account to assume a role. Option D is wrong because the misconfiguration is in the trust policy, not in the permissions policy; privilege escalation by attaching additional policies would require the attacker to already have IAM permissions to modify policies, which is not enabled by the trust policy alone.
A company uses AWS Organizations and wants to enable Amazon GuardDuty across all member accounts. The security team wants to centrally manage findings and automate responses. What is the MOST efficient way to achieve this?
A. Designate a Delegated Administrator account for GuardDuty in AWS Organizations and enable GuardDuty for all accounts from that account.
B. Use AWS CloudFormation StackSets to deploy a GuardDuty detector in each account.
C. Enable AWS Security Hub in the management account and configure it to ingest GuardDuty findings from member accounts.
D. Enable GuardDuty in each member account individually and configure cross-account access to a central S3 bucket.
Answer: A
This allows centralized management and automatic enablement of new accounts.
Why this answer
Option B is correct because GuardDuty supports multi-account management via a Delegated Administrator, which can enable GuardDuty in all accounts and aggregate findings. Option A is wrong because it requires manual steps. Option C is wrong because Security Hub aggregates findings but does not enable GuardDuty.
Option D is wrong because CloudFormation StackSets can deploy but are less efficient for enabling a service across many accounts.
A security engineer needs to ensure that all new IAM users are created with a strong password policy enforced. Which action should be taken?
A. Set a custom IAM password policy in the account
B. Use AWS Config to automatically delete users with weak passwords
C. Create a Lambda function that checks password strength on user creation
D. Use AWS Secrets Manager to generate passwords
Answer: A
Account password policy enforces minimum requirements for all IAM users.
Why this answer
IAM password policy is set at the account level and applies to all users. Custom password policies cannot be per-user; the account policy enforces strength for all.
A company has an S3 bucket that stores financial records. The security team wants to ensure that any object uploaded to the bucket is automatically encrypted with a specific AWS KMS key. The team creates a bucket policy that denies s3:PutObject unless the request includes the correct encryption header. However, some users who upload objects using the AWS Management Console report that their uploads fail. What is the most likely cause?
A. The console uses multipart uploads, which require encryption headers on each part.
B. The KMS key policy does not allow the s3:PutObject operation.
C. The console does not support server-side encryption.
D. S3 Transfer Acceleration is enabled, which bypasses the bucket policy.
Answer: A
Multipart uploads have different API calls; the bucket policy condition must account for them.
Why this answer
Option A is correct because the AWS Management Console uses multipart uploads for large objects, and multipart uploads require the encryption header to be specified in each part upload. Option B is wrong because the bucket policy can enforce encryption; a KMS key policy is separate. Option C is wrong because S3 Transfer Acceleration does not affect encryption.
Option D is wrong because the console respects bucket policies.
A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record these changes?
A. Amazon S3
B. Amazon CloudWatch Logs
C. AWS Config
D. AWS CloudTrail
Answer: D
CloudTrail logs all API calls, including IAM policy modifications.
Why this answer
AWS CloudTrail records API calls, including IAM policy changes. Option B is correct because CloudTrail logs all IAM policy modifications. Option A is wrong because AWS Config records resource state changes but not API calls.
Option C is wrong because CloudWatch Logs stores logs but does not record API calls. Option D is wrong because S3 is a storage service.
A company uses AWS Organizations with a management account and several member accounts. The security team wants to restrict the use of specific AWS services (e.g., EC2, Lambda) in certain accounts based on the account's environment (dev, test, prod). Which approach should be used to implement this requirement?
A. Use AWS CloudTrail to monitor API calls and revoke access after the fact.
B. Create IAM roles in each account with policies that deny access to services.
C. Use AWS Organizations to tag accounts (e.g., Environment=Dev) and use SCPs with conditions to deny access to services based on tags.
D. Use AWS Config rules to detect and alert when restricted services are used.
Answer: C
Tag-based SCPs allow fine-grained control across accounts.
Why this answer
Option A is correct because tagging accounts in Organizations and using SCPs with conditions allows granular control based on account tags. Option B is wrong because IAM roles are per-user, not per-account service restrictions. Option C is wrong because Config rules detect usage but do not prevent it.
Option D is wrong because CloudTrail logs but does not enforce restrictions.
A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects in the bucket are encrypted at rest. The bucket currently has default encryption configured with SSE-S3. A new requirement mandates that all objects must be encrypted with SSE-KMS using a specific customer-managed key. What is the MOST efficient way to enforce this without re-uploading existing objects?
A. Use S3 Inventory to list objects and a script to copy each object to itself with new encryption
B. Use S3 Lifecycle policy to transition objects and re-encrypt them
C. Update the bucket default encryption to SSE-KMS and enable automatic re-encryption
D. Update the bucket default encryption to SSE-KMS and use S3 Batch Operations to re-encrypt existing objects
Answer: D
Correct: S3 Batch Operations can copy objects with new encryption settings.
Why this answer
Option C is correct because you can update the default encryption configuration to use SSE-KMS, and then use S3 Batch Operations to re-encrypt existing objects. Option A is wrong because changing the default encryption does not automatically re-encrypt existing objects. Option B is wrong because S3 Lifecycle policies do not re-encrypt objects.
Option D is wrong because you cannot change encryption of existing objects by copying them in place; you need to copy to a new location.
Which TWO actions can be taken to protect an S3 bucket from accidental public access? (Choose 2.)
Select 2 answers
A. Enable S3 Block Public Access at the account level
B. Use a bucket policy that denies s3:PutBucketPolicy unless the request comes from a specific VPC
C. Enable default encryption for the bucket
D. Enable MFA Delete on the bucket
E. Use an IAM policy that requires MFA for all S3 actions
Answers: A, B
Blocks all public access to S3 buckets.
Why this answer
Options B and C are correct. Enabling S3 Block Public Access at the account level prevents any public access. Using bucket policies with conditions that require encryption does not directly prevent public access.
Option A is wrong because MFA delete protects against accidental deletion, not public access. Option D is wrong because encryption does not prevent public access. Option E is wrong because requiring MFA for access does not prevent public access.
Which THREE are best practices for securing IAM in an AWS environment? (Choose THREE.)
Select 3 answers
A. Use IAM roles for applications running on EC2.
B. Enable MFA for all IAM users.
C. Use the AWS account root user for daily administrative tasks.
D. Grant broad permissions to simplify management.
E. Rotate IAM user access keys regularly.
Answers: A, B, E
Roles provide temporary credentials and are more secure than access keys.
Why this answer
Option A is correct because using IAM roles for EC2 instances eliminates the need to store long-term AWS credentials (access keys) on the instance. Instead, the instance assumes the role via the EC2 metadata service, which automatically rotates temporary security credentials (via AWS STS). This follows the principle of least privilege and reduces the risk of credential leakage.
Exam trap
Cisco often tests the misconception that the root user is acceptable for daily tasks because it has full access, but the trap is that the root user lacks granular audit trails and cannot be restricted by IAM policies, making it a massive security risk for routine operations.
A company wants to implement automated remediation of security findings from Amazon GuardDuty. Which THREE AWS services can be used together to create an automated response workflow? (Select THREE.)
Select 3 answers
A. Amazon CloudWatch Events (EventBridge)
B. AWS Lambda
C. AWS Step Functions
D. Amazon SQS
E. AWS Config
Answers: A, B, C
Receives GuardDuty findings and triggers Lambda or Step Functions.
Why this answer
Amazon GuardDuty sends findings to Amazon CloudWatch Events (EventBridge) as events. You can configure an EventBridge rule to match specific GuardDuty findings and trigger an AWS Lambda function for automated remediation. AWS Step Functions can orchestrate complex remediation workflows involving multiple Lambda functions or other AWS services, providing retry logic and error handling.
Exam trap
The trap here is that candidates often select Amazon SQS or AWS Config because they are associated with event-driven architectures or compliance, but they are not the core services used in the standard GuardDuty automated remediation pattern, which relies on EventBridge, Lambda, and Step Functions.
A security engineer needs to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which TWO conditions must be configured?
Select 2 answers
A. aws:SourceIp
B. aws:UserAgent
C. aws:SourceVpce
D. aws:SourceVpc
E. aws:Referer
Answers: C, D
Restricts to a specific VPC endpoint ID.
Why this answer
Options A and C are correct because aws:SourceVpce restricts access to a specific VPC endpoint, and aws:SourceVpc restricts access to a specific VPC. Option B is wrong because aws:SourceIp is not applicable to requests arriving through a VPC endpoint. Option D is wrong because aws:UserAgent is not relevant.
Option E is wrong because aws:Referer is not relevant.
A startup is building a serverless application using AWS Lambda to process user-uploaded images. The images are stored in an S3 bucket with server-side encryption (SSE-S3) enabled. The Lambda function reads the images, performs transformations, and writes the results to a different S3 bucket. The security engineer wants to ensure that data is encrypted at rest and in transit throughout the pipeline. The Lambda function is configured with an IAM role that has permissions to read from the source bucket and write to the destination bucket. Which additional configuration is REQUIRED to ensure end-to-end encryption?
A. Add a bucket policy to the source bucket that denies requests not using aws:SecureTransport.
B. No additional configuration is required; Lambda uses HTTPS by default to call S3.
C. Grant the Lambda function's IAM role permission to call KMS Decrypt and Encrypt.
D. Enable VPC endpoints for S3 and configure Lambda to use them.
Answer: B
Lambda's SDK uses HTTPS endpoints, ensuring encryption in transit. SSE-S3 provides encryption at rest.
Why this answer
Option A is correct because Lambda functions use HTTPS endpoints by default when calling S3 API operations. Option B is wrong because Lambda does not need to call KMS; SSE-S3 is server-side and Lambda can read encrypted objects without additional permissions. Option C is wrong because Lambda already uses HTTPS to communicate with S3.
Option D is wrong because while an S3 bucket policy can enforce HTTPS, it is not required for end-to-end encryption; Lambda's default HTTPS connection already provides encryption in transit.
A company wants to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. The bucket policy in Account A allows access from Account B. What additional configuration is required?
A. The IAM user in Account B must have a policy that allows access to the S3 bucket.
B. Nothing; the bucket policy is sufficient.
C. The bucket must be configured with ACLs.
D. An SCP must allow the s3:GetObject action.
Answer: A
Correct: Both resource-based and identity-based policies are needed.
Why this answer
Option B is correct because cross-account access requires both a resource-based policy (bucket policy) and an identity-based policy (IAM user/role policy) in the trusted account. Option A is wrong because the IAM role is not needed, but the user must have permissions. Option C is wrong because SCPs affect all accounts in an organization but are not required.
Option D is wrong because the user's permissions are needed.
A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. Which AWS service can evaluate security group rules against a desired configuration and alert on changes?
A. AWS Security Hub
B. AWS Config
C. Amazon GuardDuty
D. AWS CloudTrail
Answer: B
Evaluates resources against desired configurations and alerts on changes.
Why this answer
AWS Config can monitor security group rules and trigger notifications when they change from the desired configuration. Option C is correct. Option A is wrong because CloudTrail logs API calls but does not evaluate configuration against a desired state.
Option B is wrong because GuardDuty is for threat detection, not configuration monitoring. Option D is wrong because Security Hub aggregates findings but does not directly monitor security groups.
A developer needs to grant an IAM user access to a specific S3 bucket only. Which IAM policy element should be used to restrict access to that bucket?
A. Principal
B. Condition
C. Resource
D. Action
Answer: C
Resource specifies the bucket ARN.
Why this answer
Option C is correct because the Resource element specifies the ARN of the S3 bucket. Option A is wrong because Principal specifies who gets access, not the resource. Option B is wrong because Action specifies allowed actions.
Option D is wrong because Condition specifies when the policy applies.
A company has multiple AWS accounts and wants to centrally aggregate VPC Flow Logs from all accounts into a single S3 bucket in the logging account. What is the MOST secure way to configure cross-account delivery?
A. Use AWS CloudTrail to log flow logs and deliver to the central bucket.
B. Create VPC Flow Logs in each account, specifying the central S3 bucket ARN as the destination, and configure the bucket policy to allow the flow logs service principal to write.
C. Share the central bucket's access key with each account to write directly.
D. Use Amazon Kinesis Data Firehose to stream flow logs from each account to the central S3 bucket.
Answer: B
This is the standard cross-account flow log delivery method.
Why this answer
Option A is correct because VPC Flow Logs can be published to a central S3 bucket by specifying the bucket ARN in the flow log creation, and the bucket policy must grant the flow logs service principal (delivery.logs.amazonaws.com) permission to write objects. Option B is wrong because CloudTrail is for API logging, not VPC Flow Logs. Option C is wrong because Kinesis Data Firehose is not directly supported for VPC Flow Logs delivery.
Option D is wrong because sharing the bucket access key is insecure.
A security engineer needs to enable VPC Flow Logs to capture traffic metadata. Which THREE components are required to create a VPC Flow Log?
Select 3 answers
A. A CloudWatch Logs log group to publish the flow logs.
B. A VPC, subnet, or network interface to monitor.
C. An S3 bucket to store the flow logs.
D. An Amazon Kinesis Data Firehose delivery stream.
E. An IAM role that grants permissions to publish logs.
Answers: A, B, E
Flow logs are published to CloudWatch Logs.
Why this answer
A CloudWatch Logs log group is required because VPC Flow Logs publish traffic metadata to CloudWatch Logs as the default destination. The flow logs are stored as log streams within the specified log group, enabling querying and monitoring via CloudWatch Logs Insights. Without a log group, there is no destination for the flow log records to be sent to.
Exam trap
The trap here is that candidates often assume S3 is mandatory because it is a common storage service, but VPC Flow Logs require either CloudWatch Logs or S3 as a destination, and the question specifies the three required components, making S3 optional and thus incorrect.
Refer to the exhibit. A security engineer runs the AWS CLI command to look up console login events. The output shows two successful login events for user1 within 5 minutes. What should the engineer suspect?
A. The user created a new access key.
B. The user's credentials may be compromised.
C. The user's account is being used by multiple users.
D. The user has disabled multi-factor authentication (MFA).
Answer: B
Multiple logins in a short time from the same user could indicate credential theft.
Why this answer
Two successful console login events for the same user within 5 minutes, especially from different source IP addresses or user agents, is a strong indicator of credential compromise. An attacker who has obtained the user's password can log in while the legitimate user is also active, creating overlapping sessions. AWS CloudTrail records the `ConsoleLogin` event with details like `sourceIPAddress` and `userAgent`, which the engineer should examine to confirm whether the logins originated from different locations or devices.
Exam trap
The trap here is that candidates may assume multiple logins are due to shared credentials or MFA misconfiguration, but the key indicator of compromise is the temporal proximity of two successful logins, which strongly suggests an attacker is using the same credentials concurrently.
How to eliminate wrong answers
Option A is wrong because creating a new access key does not generate console login events; access key creation is recorded as `CreateAccessKey` in CloudTrail, not as a `ConsoleLogin` event. Option C is wrong because while multiple users could theoretically share an account, AWS Identity and Access Management (IAM) best practices prohibit sharing credentials, and the overlapping logins more likely indicate an attacker using stolen credentials rather than legitimate sharing. Option D is wrong because disabling MFA does not cause multiple login events within a short timeframe; MFA status changes are recorded as `DeactivateMFADevice` events, and the absence of MFA would not explain two rapid successive logins.
A security engineer is designing a network architecture for a web application that must be highly available and secure. The application uses an Application Load Balancer (ALB) in front of EC2 instances. Which architecture meets these requirements?
A. Place both the ALB and EC2 instances in private subnets across two Availability Zones.
B. Place the ALB in private subnets and EC2 instances in public subnets across two Availability Zones.
C. Place the ALB in public subnets and EC2 instances in private subnets across two Availability Zones.
D. Place both the ALB and EC2 instances in public subnets across two Availability Zones.
Answer: C
ALB handles internet traffic, instances are protected.
Why this answer
Placing the ALB in public subnets and the EC2 instances in private subnets provides security (the instances are not directly exposed) and high availability across AZs. Option C is correct. Placing everything in public subnets (A) exposes the instances.
Placing everything in private subnets (B) blocks internet traffic. An ALB in private subnets (D) cannot receive internet traffic.
A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance with an attached IAM role has been making API calls to an S3 bucket in another AWS account. The engineer wants to identify the source of the API calls and determine if the calls are malicious. Which AWS service should the engineer use to view the API calls made by the IAM role?
A. VPC Flow Logs
B. Amazon GuardDuty
C. AWS Config
D. AWS CloudTrail
Answer: D
CloudTrail records API calls made by IAM roles and provides details such as source IP, user agent, and request parameters.
Why this answer
AWS CloudTrail is the correct service because it records all API calls made by IAM roles, including the source IP address, user agent, and the specific actions performed. In this scenario, CloudTrail logs will show the exact API calls made by the EC2 instance's IAM role to the S3 bucket in another account, enabling the security engineer to identify the source and determine if the calls are malicious.
Exam trap
The trap here is that candidates confuse VPC Flow Logs (which show network traffic) with CloudTrail (which shows API calls), or they assume GuardDuty provides raw logs instead of just alerts, leading them to pick a service that cannot directly answer the question of viewing the specific API calls made by the IAM role.
How to eliminate wrong answers
Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log AWS API calls or IAM role activity. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs for anomalies, but it does not directly provide the raw API call logs needed to view the specific actions taken by the IAM role. Option C is wrong because AWS Config records resource configuration changes and compliance, not the API calls made by IAM roles.
A company has a requirement that all IAM users must use strong passwords. The security engineer needs to enforce a password policy that requires minimum 12 characters, at least one uppercase letter, and at least one number. The engineer sets the password policy in IAM. However, existing users with weak passwords are not forced to change them. What should the engineer do to enforce the policy for existing users?
A. Manually reset each user's password to a strong password.
B. Enable 'Allow users to change their own password' in the policy.
C. Re-apply the password policy to each user.
D. Set the password expiration period to 0 to force immediate password change.
Answer: D
Setting expiration to 0 forces users to change passwords on next login.
Why this answer
Option D is correct because setting the password policy to expire existing passwords will force users to change them on next login. Option A is wrong because the policy is already set; users are not forced to change. Option B is wrong because allowing users to change passwords does not enforce the policy.
Option C is wrong because resetting passwords manually is not scalable and not required.
A company wants to allow its development team to have full access to Amazon S3 buckets that are tagged with 'Environment: Dev'. Which IAM policy element should be used to restrict access based on tags?
A. Use 'aws:PrincipalTag' in the Condition element
B. Use 'aws:SourceTag' in the Condition element
C. Use 'aws:RequestTag' in the Condition element
D. Use 'aws:ResourceTag' in the Condition element
Answer: D
'aws:ResourceTag' allows you to restrict actions based on tags attached to the resource.
Why this answer
Option B is correct because IAM policies can use Condition blocks with 'aws:ResourceTag' to restrict actions based on resource tags. Option A is incorrect because 'aws:RequestTag' is used to require specific tags on requests, not on resources. Option C is incorrect because 'aws:SourceTag' is not a valid condition key.
Option D is incorrect because 'aws:PrincipalTag' is used to restrict based on the principal's tags.
A company has a multi-account strategy and wants to ensure that all API calls from member accounts are logged to a centralized S3 bucket in the security account. Which configuration is required?
A. Use Amazon Kinesis Data Streams to stream CloudTrail events from all accounts to the central S3 bucket
B. Create an organization trail in the management account that logs all accounts
C. Create a CloudTrail trail in each member account and specify the same S3 bucket
D. Enable AWS Security Hub in the security account and configure it to collect CloudTrail logs
Answer: B
Organization trail logs all accounts and delivers to a single S3 bucket.
Why this answer
Option B is correct because AWS Organizations allows you to create an organization trail in the management account that automatically applies to all member accounts. This ensures that CloudTrail logs from every account in the organization are delivered to a single, centralized S3 bucket in the security account without needing per-account configuration. The organization trail uses the management account’s CloudTrail configuration to enable logging across the entire organization, and the S3 bucket policy must grant the necessary permissions for CloudTrail to write logs from all accounts.
Exam trap
The trap here is that candidates often assume creating separate trails per account (Option C) is simpler or more reliable, but they overlook the AWS Organizations integration that allows a single organization trail to automatically cover all accounts, reducing administrative overhead and ensuring consistent log delivery.
How to eliminate wrong answers
Option A is wrong because Amazon Kinesis Data Streams is a real-time data streaming service, not a logging destination for CloudTrail; CloudTrail can deliver logs to S3 or CloudWatch Logs, but Kinesis Data Streams is not a native CloudTrail destination for centralized logging. Option C is wrong because creating a separate trail in each member account and specifying the same S3 bucket requires manual configuration per account, does not scale, and does not leverage AWS Organizations for automatic management; additionally, each member account would need its own bucket policy to allow writes, which is error-prone. Option D is wrong because AWS Security Hub is a security posture management service that aggregates findings from various AWS services, but it does not collect or store CloudTrail logs; it can ingest CloudTrail events as a data source for findings, but it does not replace the need for a centralized S3 bucket for log storage.
A company has an Amazon S3 bucket with versioning enabled. They want to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). They also want to prevent any future uploads that are not encrypted with SSE-KMS. Which combination of actions should they take?
A. Add a bucket policy that denies s3:PutObject if s3:x-amz-server-side-encryption is not aws:kms. Use S3 Inventory to report encryption status of existing objects.
B. Use AWS Config rule s3-bucket-server-side-encryption-enabled to check compliance.
C. Use S3 Object Lock with governance mode.
D. Enable default encryption with SSE-KMS on the bucket. Use S3 Inventory to report encryption status.
Answer: A
Deny policy enforces for future uploads; inventory audits existing objects.
Why this answer
Option A is correct because a bucket policy denying PutObject without SSE-KMS prevents non-compliant uploads, and S3 Inventory reports encryption status. Option B only checks compliance, does not enforce. Option C does not enforce encryption.
Refer to the exhibit. A developer receives an 'UnauthorizedOperation' error when launching an EC2 instance with the specified security group. The developer has permissions to use ec2:RunInstances. What is the most likely cause?
A. The security group contains an inbound rule with a source of 0.0.0.0/0 for port 80, which is too permissive and triggers a service control policy (SCP) that denies launching instances with overly permissive rules.
B. The security group allows inbound HTTPS from the entire RFC 1918 address space, but the instance is in a public subnet.
C. The security group allows outbound all traffic, which violates the principle of least privilege.
D. The instance type t2.micro is not available in the specified subnet's Availability Zone.
Answer: A
SCPs can deny actions based on resource tags or conditions, but security group rules themselves do not cause launch failures. However, SCPs can deny RunInstances if the security group has rules that violate policy. The error indicates a permissions issue, likely due to an SCP that denies launching instances with 0.0.0.0/0 inbound rules.
Why this answer
The 'UnauthorizedOperation' error indicates an IAM or SCP permissions issue. Since the developer has ec2:RunInstances permissions, an SCP likely denies the action when the security group has a rule allowing 0.0.0.0/0. Option C is the most plausible given the exhibit.
A company is storing sensitive data in Amazon S3 buckets. They want to ensure that all uploaded objects are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Which bucket policy statement will enforce this?
Option A is correct because it uses a Deny effect with a StringNotEquals condition on the s3:x-amz-server-side-encryption header set to 'aws:kms'. This ensures that any PutObject request that does not include the header specifying SSE-KMS is denied, effectively enforcing that all uploaded objects must be encrypted with AWS KMS. The Deny effect overrides any Allow, making this policy robust against accidental or malicious uploads without the required encryption.
Exam trap
The trap here is that candidates often choose an Allow policy (Option C) thinking it enforces encryption, but without a Deny, requests that omit the encryption header are still allowed by default, making the policy ineffective.
How to eliminate wrong answers
Option B is wrong because it enforces SSE-S3 (AES256) instead of SSE-KMS, which does not meet the requirement for server-side encryption with AWS KMS. Option C is wrong because an Allow effect with a StringEquals condition is insufficient; it does not block uploads that lack the encryption header, as the default behavior (no explicit Deny) would allow them. Option D is wrong because it enforces SSE-S3 (AES256) via a Deny, which again is not SSE-KMS and would incorrectly block valid SSE-KMS uploads while allowing non-compliant ones.
A company is using IAM roles to grant EC2 instances access to an S3 bucket. The security team wants to ensure that the instances can only access their own bucket. Which policy should be attached to the IAM role to enforce this?
This policy correctly restricts access to objects in my-bucket only.
Why this answer
Option C is correct because the condition aws:SourceIp is not relevant for EC2 instances; the correct approach is to use a resource-based policy on the S3 bucket that allows access only from the IAM role. Option A is wrong because it allows all S3 actions. Option B is wrong because it allows all resources.
Option D is wrong because it uses an IP condition that is not applicable.
A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application stores user session data in an ElastiCache Redis cluster. The security team receives an alert from GuardDuty that one of the EC2 instances is communicating with a known command-and-control (C2) IP address. The instance ID is i-0a1b2c3d4e5f. The security engineer needs to contain the threat immediately while preserving the instance for forensic analysis. Which course of action should the security engineer take?
A. Apply a new security group that denies all inbound and outbound traffic to the instance.
B. Remove the security group from the Auto Scaling group to isolate the instance.
C. Terminate the EC2 instance immediately to stop the communication.
D. Create an AMI of the instance for forensic analysis and then terminate the instance.
Answer: A
This instantly isolates the instance from the network, stopping the C2 traffic while preserving the instance for forensic investigation.
Why this answer
Option A is correct because applying a new security group that denies all inbound and outbound traffic immediately stops the C2 communication at the network layer without destroying the instance. This preserves the instance for forensic analysis (e.g., memory dump, disk imaging) while containing the threat. The security group acts as a virtual firewall, and changing it is a non-destructive, reversible action that can be applied directly to the instance even if it is part of an Auto Scaling group.
Exam trap
The trap here is that candidates often choose to terminate the instance (Option C) thinking it is the fastest containment, but they overlook the critical requirement to preserve the instance for forensic analysis, which termination destroys.
How to eliminate wrong answers
Option B is wrong because removing the security group from the Auto Scaling group does not isolate the instance; the instance retains its existing security group(s) and continues to communicate. Option C is wrong because terminating the instance destroys the forensic evidence (e.g., volatile memory, running processes, disk state) and prevents further analysis. Option D is wrong because creating an AMI takes time and does not immediately stop the C2 communication; the instance remains active and can continue exfiltrating data or receiving commands during the AMI creation process.
A security engineer is configuring AWS CloudWatch Logs to monitor for suspicious activity. They want to create a metric filter that detects when an IAM user calls the `iam:CreateAccessKey` API. The engineer writes the following filter pattern: `{ ($.eventName = "CreateAccessKey") }`. After testing, the filter does not trigger. What is the most likely reason?
A.The filter pattern syntax is incorrect; it should use square brackets.
B.The metric filter is not associated with the correct log group.
C.CloudWatch Logs does not support metric filters for CloudTrail logs.
D.The filter pattern does not include the eventSource field, so it might match events from other services.
AnswerD
Including eventSource ensures the filter only matches IAM events.
Why this answer
CloudTrail logs are JSON objects. The filter pattern must match the JSON structure. The correct pattern should include the eventSource or use the proper path.
Typically, the pattern should be `{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateAccessKey") }`. Without eventSource, the filter may match other services with the same event name.
A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The instance is part of an Auto Scaling group behind an Application Load Balancer. The engineer needs to immediately stop the exfiltration while preserving forensic evidence. What is the BEST course of action?
A.Detach the EBS volume from the instance.
B.Terminate the EC2 instance immediately.
C.Shut down the instance from within the OS.
D.Remove the instance from the target group and apply a security group that denies all traffic.
AnswerD
Stops traffic and preserves the instance for investigation.
Why this answer
Option D is correct because removing the instance from the target group immediately stops new traffic from the Application Load Balancer to the instance, while applying a security group that denies all outbound traffic (e.g., a custom security group with no outbound rules) halts any ongoing exfiltration without destroying the instance or its attached EBS volumes. This preserves the forensic evidence (memory, disk, logs) for later analysis, unlike termination or shutdown which could lose volatile data.
Exam trap
The trap here is that candidates often choose 'Terminate the EC2 instance immediately' (Option B) thinking it stops the exfiltration fastest, but they overlook the need to preserve forensic evidence and the fact that termination destroys the instance and its associated data, making post-incident analysis impossible.
How to eliminate wrong answers
Option A is wrong because detaching the EBS volume does not stop the instance from sending outbound traffic over the network; the instance continues running and can still exfiltrate data via network interfaces. Option B is wrong because terminating the instance immediately destroys the instance, its attached EBS volumes (unless termination protection is enabled and the 'Delete on Termination' flag is set to false), and any volatile forensic evidence (e.g., memory contents, running processes). Option C is wrong because shutting down the instance from within the OS (e.g., via 'shutdown -h now') stops the instance but does not guarantee that the OS will complete the shutdown cleanly; more importantly, it does not isolate the instance from the network first, allowing continued exfiltration during the shutdown process, and it may trigger Auto Scaling to launch a replacement instance before forensic capture.
A company wants to ensure that all Amazon S3 bucket policies comply with a security baseline that prohibits public read access. Which TWO methods can be used to detect non-compliant buckets? (Choose TWO.)
Select 2 answers
A.Enable AWS CloudTrail to monitor GetPublicAccessBlock calls.
B.Use IAM Access Analyzer to review bucket policies for public access.
C.Use Amazon Inspector to scan bucket policies.
D.Use AWS Config with the s3-bucket-public-read-prohibited managed rule.
E.Use AWS Trusted Advisor to check S3 bucket permissions.
AnswersB, D
Access Analyzer can analyze resource policies to identify public access.
Why this answer
AWS Config has managed rules for S3 bucket public read access. IAM Access Analyzer can identify buckets that are publicly accessible. CloudTrail is for logging API calls, not for detecting public access.
Trusted Advisor checks S3 bucket permissions but is at the account level, not per bucket? Actually, Trusted Advisor can check for public buckets. But the question says TWO, and the options include Trusted Advisor. Let's include both Config and Trusted Advisor? But IAM Access Analyzer is also valid.
However, typical exam answer: AWS Config and IAM Access Analyzer. Trusted Advisor is often considered a best practice check but not as granular. I'll go with Config and Access Analyzer.
A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. What is the most effective way to enforce this?
A.Enable default encryption on the S3 bucket using SSE-S3.
B.Enable AWS CloudTrail to log all S3 access and alert on non-HTTPS requests.
C.Add a bucket policy that denies access if the request does not use HTTPS (aws:SecureTransport condition).
D.Create an IAM policy that denies S3 actions without the condition aws:SecureTransport.
AnswerC
This condition denies non-HTTPS requests.
Why this answer
Option B is correct because a bucket policy with a condition aws:SecureTransport ensures only HTTPS requests are allowed. Option A is wrong because enabling default encryption only encrypts at rest, not in transit. Option C is wrong because CloudTrail logs do not enforce encryption.
Option D is wrong because IAM policy can deny non-HTTPS but it's better to enforce at the bucket level.
During an incident response, a security engineer needs to preserve the state of an EC2 instance's root volume for forensic analysis. The instance is still running. Which action should be taken to ensure the data is preserved without altering it?
A.Stop the instance and then create an AMI.
B.Create a snapshot of the root volume.
C.Use dd if=/dev/xvda over SSH to copy the volume.
D.Detach the root volume and attach it to a forensics instance.
AnswerB
Snapshot captures the current state without altering data.
Why this answer
Creating a snapshot of the root volume is the correct action because it captures a point-in-time, crash-consistent copy of the volume's data without requiring the instance to be stopped or the volume to be detached. This preserves the current state of the running instance for forensic analysis while ensuring the data is not altered by the snapshot process itself, as AWS snapshots are read-only and do not modify the source volume.
Exam trap
The trap here is that candidates may think stopping the instance (Option A) is necessary to ensure data consistency, but they overlook that stopping alters the system state and that a snapshot of a running instance is still a valid, unaltered point-in-time copy for forensic purposes.
How to eliminate wrong answers
Option A is wrong because stopping the instance changes its state (e.g., flushes memory, stops processes) and may alter or lose volatile data that is critical for forensic analysis; creating an AMI from a stopped instance also introduces additional metadata and is not a direct, unaltered copy of the root volume. Option C is wrong because using dd over SSH to copy the root device (/dev/xvda) while the instance is running will result in an inconsistent copy due to ongoing writes, and it modifies the source volume by reading it, potentially triggering forensic concerns about data integrity and chain of custody. Option D is wrong because detaching the root volume from a running instance forces an immediate stop of the instance (since the root volume is required for operation), which alters the system state and may cause data loss or corruption; attaching it to a forensics instance then introduces the risk of write operations to the volume.
A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent the creation of Amazon EC2 instances with public IP addresses in all accounts. Which TWO actions should the team take to implement this control using Service Control Policies (SCPs)?
Select 2 answers
A.Use the condition key 'ec2:LaunchTemplate' to deny public IPs.
B.Create an SCP that adds an IAM policy to deny ec2:RunInstances.
C.Create an SCP with a Deny effect for ec2:RunInstances where the request parameter ec2:AssociatePublicIpAddress is true.
D.Attach the SCP to the root organizational unit.
E.Create an SCP that requires the tag 'PublicIP' to be set to 'false'.
AnswersC, D
This condition denies launching instances with public IPs.
Why this answer
Options B and D are correct. The SCP must deny the ec2:RunInstances action when the parameter for public IP is set to true (B), and it must be attached to the root organizational unit (D) to cover all accounts. Option A is wrong because SCPs cannot modify IAM permissions; they can only deny or allow actions.
Option C is wrong because SCPs cannot enforce tagging; they can deny actions based on tags. Option E is wrong because the condition key for public IP is ec2:AssociatePublicIpAddress.
A company has a multi-account AWS environment with 50 accounts. The security team uses AWS CloudTrail to log management events in each account and delivers logs to a centralized S3 bucket in the security account. Recently, the team noticed that some CloudTrail logs are missing from the central bucket for a few accounts. The logs appear to be delivered intermittently. The security engineer checks the CloudTrail configuration in one of the affected accounts and sees that the trail is configured to deliver to the central bucket. The bucket policy in the security account allows CloudTrail to write from all accounts. The engineer also checks the CloudTrail console and sees that the trail status is 'Logging'. What is the MOST likely cause of the intermittent log delivery?
A.The S3 bucket has default encryption enabled, which interferes with CloudTrail writes.
B.The S3 bucket has a Lifecycle policy that deletes objects prematurely.
C.The CloudTrail trail is using Kinesis Data Firehose for delivery, which has a throughput limit.
D.The CloudTrail trail in each account is not associated with an SQS queue, causing delivery failures.
AnswerD
Cross-account delivery requires an SQS queue to buffer logs.
Why this answer
Option A is correct. CloudTrail uses SQS to deliver logs from multiple accounts to a central bucket. If the SQS queue is not configured properly or is throttled, logs may be lost.
Option B is wrong because CloudTrail does not use Kinesis. Option C is wrong because S3 Lifecycle policies do not affect delivery. Option D is wrong because the issue is not about encryption.
A company has a multi-account AWS environment using AWS Organizations. The security team has enabled AWS CloudTrail with an organization trail that delivers logs to a centralized S3 bucket in the management account. They have also enabled Amazon GuardDuty in all accounts. Recently, they noticed that some EC2 instances in a member account are exhibiting unusual network behavior, such as outbound traffic to known malicious IP addresses. The security engineer needs to quickly determine the source of the traffic and identify which EC2 instances are affected. The engineer has access to the management account and the member account. Which course of action should the engineer take to most efficiently investigate this incident?
A.Use AWS Config to review the configuration changes of the EC2 instances and identify any anomalies.
B.Use Amazon Detective to investigate the GuardDuty findings and analyze VPC Flow Logs to identify the affected instances.
C.Use Amazon Inspector to scan the EC2 instances for vulnerabilities and correlate with network traffic.
D.Query the VPC Flow Logs stored in the centralized S3 bucket using Amazon Athena to find the source IP and affected instances.
AnswerB
Detective provides a consolidated investigation experience across logs and findings.
Why this answer
Option A is correct because Amazon Detective can automatically analyze VPC Flow Logs, CloudTrail logs, and GuardDuty findings to provide a visual investigation of the incident, including identifying the affected EC2 instances and the source of the traffic. Option B is wrong because manually querying VPC Flow Logs with Athena is time-consuming and less efficient. Option C is wrong because AWS Config does not provide network traffic analysis.
Option D is wrong because Amazon Inspector is for vulnerability assessment, not network traffic analysis.
A company is required to audit all changes to IAM policies. Which AWS service should be used to record these changes?
A.AWS Config
B.Amazon CloudWatch Logs
C.Amazon S3
D.AWS CloudTrail
E.IAM Access Analyzer
AnswerD
CloudTrail records management events including IAM policy changes.
Why this answer
AWS CloudTrail is the correct service because it records API activity in your AWS account, including all IAM policy changes made via the AWS Management Console, SDKs, CLI, or AWS services. Each event is captured as a CloudTrail event with details such as the identity making the request, the time of the request, and the request parameters, enabling a complete audit trail of IAM policy modifications.
Exam trap
The trap here is that candidates often confuse AWS Config's ability to track configuration changes with CloudTrail's ability to record API-level audit trails, but Config only shows the state of resources over time without the identity and context of who made the change.
How to eliminate wrong answers
Option A is wrong because AWS Config is a configuration management service that evaluates resource configurations against desired policies and records configuration changes, but it does not capture the API-level audit trail of who made the change and when. Option B is wrong because Amazon CloudWatch Logs is used for monitoring, storing, and accessing log files from various sources, but it does not natively record IAM policy changes unless CloudTrail logs are sent to it. Option C is wrong because Amazon S3 is an object storage service that can store CloudTrail log files, but it does not itself record or generate audit logs of IAM policy changes.
Option E is wrong because IAM Access Analyzer helps identify resources shared with external entities by analyzing resource-based policies, but it does not record a history of policy changes.
A security engineer needs to ensure that all traffic between two EC2 instances in different subnets is encrypted in transit. What is the most secure and efficient solution?
A.Configure network ACLs to allow traffic
B.Use VPC Peering
C.Set up an IPsec VPN between the instances
D.Configure security groups to allow traffic
AnswerC
IPsec encrypts all IP traffic between the endpoints.
Why this answer
Option A is correct because an IPsec VPN provides encryption in transit. Option B is wrong because VPC Peering does not encrypt traffic. Option C is wrong because security groups do not encrypt.
A security team wants to audit all changes to IAM policies in the AWS account. Which AWS service should be used to track these changes?
A.AWS Config
B.AWS Trusted Advisor
C.AWS CloudTrail
D.AWS CloudWatch Logs
AnswerC
Records all API calls, including PutUserPolicy, PutRolePolicy, etc.
Why this answer
AWS CloudTrail records all API calls, including IAM policy changes. Config records resource configuration changes but CloudTrail provides detailed event history.
A security engineer is configuring Amazon Inspector to assess EC2 instances for software vulnerabilities. The engineer has installed the SSM Agent on all instances and ensured that the instances have internet access. However, Amazon Inspector shows the instances as 'Unmanaged'. What is the MOST likely cause?
A.The IAM role attached to the EC2 instance does not have permissions to publish metrics to CloudWatch.
B.The security group attached to the instance blocks outbound traffic to the Amazon Inspector service.
C.The instance does not have the EC2 instance metadata service enabled.
D.The SSM Agent is not running or is not registered with AWS Systems Manager.
AnswerD
Inspector relies on SSM Agent for inventory and assessment; an unregistered agent results in 'Unmanaged' status.
Why this answer
Option B is correct because Amazon Inspector requires the SSM Agent to communicate with the SSM service; if the agent is not running or not registered, the instance cannot be managed. Option A is wrong because IAM permissions for the agent are not the issue; the agent communicates via SSM. Option C is wrong because security groups control network traffic but not agent registration.
Option D is wrong because instance metadata service is not required for Inspector.
A Security Engineer is configuring a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. Which TWO actions should the Engineer take to allow the web server internet access without exposing the database to the internet?
Select 2 answers
A.Create a bastion host in the public subnet and configure the web server to use it as a proxy.
B.Create a VPC endpoint for Amazon S3.
C.Create a NAT Gateway in the public subnet.
D.Attach an Internet Gateway to the VPC and add a route to the Internet Gateway in the private subnet's route table.
E.Add a route in the private subnet's route table that points 0.0.0.0/0 to the NAT Gateway.
AnswersC, E
NAT Gateway enables outbound internet access for instances in private subnets.
Why this answer
Option A (NAT Gateway) and Option C (route table update) are correct because a NAT Gateway in the public subnet allows instances in private subnets to initiate outbound traffic to the internet, and updating the private subnet route table directs internet-bound traffic to the NAT Gateway. Option B is wrong because an Internet Gateway is used for public subnets, not private. Option D is wrong because a VPC endpoint for S3 is for accessing S3 privately, not for general internet access.
Option E is wrong because a bastion host is for SSH access, not for internet access.
A security engineer is setting up automated incident response for a compromised EC2 instance. The engineer wants to isolate the instance immediately upon detection of a GuardDuty finding. Which AWS service can be used to automatically trigger a Lambda function that modifies the instance's security group?
A.AWS Step Functions
B.Amazon Inspector
C.Amazon CloudWatch Events
D.AWS Config
AnswerC
CloudWatch Events can match GuardDuty findings and invoke Lambda functions.
Why this answer
Amazon CloudWatch Events (now part of Amazon EventBridge) can be configured with a rule that matches specific GuardDuty finding events. When a finding is detected, the rule triggers a Lambda function that can modify the EC2 instance's security group to isolate it, for example by removing all inbound rules or replacing the group with a restrictive one. This provides the automated, event-driven response required.
Exam trap
The trap here is that candidates may confuse Amazon Inspector (a vulnerability scanner) with GuardDuty (a threat detection service), or assume AWS Config's compliance rules can react to security findings, when in fact only CloudWatch Events/EventBridge provides the direct event-driven trigger for GuardDuty findings.
How to eliminate wrong answers
Option A is wrong because AWS Step Functions is a workflow orchestration service that coordinates multiple AWS services, but it is not directly triggered by GuardDuty findings; it would require an intermediary like CloudWatch Events to start the workflow. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposure, not a real-time event trigger for incident response actions. Option D is wrong because AWS Config is a service for evaluating resource configurations against desired policies and tracking changes, but it cannot directly trigger a Lambda function in response to a GuardDuty finding; it uses rules that evaluate configuration changes, not security findings.
A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. What is the best way to achieve this?
A.Enable MFA in the account settings.
B.Attach an IAM policy to all users that denies console access without MFA.
C.Set a password policy that requires MFA.
D.Use an SCP to deny access if MFA is not present.
AnswerB
A policy with condition aws:MultiFactorAuthPresent is required.
Why this answer
Option D is correct because an IAM policy with a condition requiring MFA for console access is the standard approach. Option A is wrong because MFA is not enforced by default. Option B is wrong because password policy does not enforce MFA.
Option C is wrong because SCPs are not typically used for user-level MFA enforcement.
A company uses AWS CloudTrail to log all API calls. During an incident investigation, the security team needs to identify who deleted an S3 bucket. CloudTrail logs are stored in a centralized S3 bucket with server-side encryption using AWS KMS. Which additional step is required to ensure the CloudTrail logs can be queried quickly for this investigation?
A.Enable CloudTrail Lake
B.Stream logs to CloudWatch Logs and use CloudWatch Logs Insights
C.Use Amazon Athena with a table defined over the S3 bucket
D.Enable Amazon GuardDuty
AnswerC
Athena can query CloudTrail logs stored in S3 using standard SQL.
Why this answer
Option D is correct because CloudTrail logs are JSON files, and Athena can query them directly using DDL and DML. Option A is wrong because CloudTrail Lake is a managed query service but not necessary if logs are in S3; Athena is more direct. Option B is wrong because CloudWatch Logs Insights queries CloudWatch Logs, not S3 objects.
Option C is wrong because GuardDuty is for threat detection, not log query.
A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. They have enabled CloudTrail in the management account with an organization trail that delivers logs to an S3 bucket. However, logs from member accounts are not appearing. The S3 bucket policy includes permissions for CloudTrail to write logs, but it does not explicitly grant access to member accounts. What should the team do to ensure that member account CloudTrail logs are delivered to the central S3 bucket?
A.Ask each member account to create a new trail that delivers logs to the same S3 bucket.
B.Disable the organization trail and recreate it, ensuring that all member accounts are selected.
C.Verify that the organization trail is configured correctly with the 'Include all accounts in my organization' option enabled, and that the S3 bucket policy allows CloudTrail to write from all accounts.
D.Modify the S3 bucket policy to grant write access to the CloudTrail service principal for each member account's AWS account ID.
AnswerC
An organization trail requires proper configuration and bucket policy to allow access from member account CloudTrail services.
Why this answer
The correct answer is C. An organization trail automatically delivers logs from all accounts without needing separate trails in each account. If logs are not appearing, the issue is likely that the organization trail is not properly configured or member accounts are not enabled.
Option A is incorrect because member trails cannot write to a bucket in another account without proper cross-account permissions, and this approach is not recommended. Option B is incorrect because disabling and re-enabling might not fix the underlying issue. Option D is incorrect because the bucket policy must allow CloudTrail from all accounts, but the primary cause is often the organization trail setup.