AWS Certified Security Specialty SCS-C02 (SCS-C02) — Questions 601-675

1738 questions total · 24 pages · All types, answers revealed

Page 9 of 24

601
MCQ (easy)

A developer needs to grant an EC2 instance read-only access to an S3 bucket. Which of the following is the most secure way to provide these permissions?

A. Use an IAM role and store the credentials in AWS Systems Manager Parameter Store, then retrieve them at instance launch.
B. Create an IAM role with read-only access and attach it to the EC2 instance profile.
C. Create a bucket policy that grants read-only access to the instance's public IP address.
D. Create an IAM user with read-only access and store the access keys in the instance's user data.
Answer: B

IAM roles for EC2 provide temporary credentials without managing keys.

Why this answer

Option B is correct because an IAM role attached to the EC2 instance via an instance profile avoids long-term credentials entirely. Option D is wrong because storing access keys on the instance (in user data) is less secure. Option C is wrong because a bucket policy keyed on a public IP address grants access to every principal behind that address, not just the instance.

Option A is wrong because storing keys in SSM Parameter Store still places long-term credentials on the instance.

602
MCQ (hard)

Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?

A. The instance launches successfully because the SCP only applies to StartInstances, not RunInstances.
B. The launch fails because the SCP denies RunInstances for instance types other than t2.micro and t2.small.
C. The instance launches successfully because the SCP does not explicitly allow any actions.
D. The launch fails only if the developer's IAM policy also denies the action.
Answer: B

Condition StringNotEquals matches m5.large, so Deny applies.

Why this answer

The SCP explicitly denies the ec2:RunInstances action when the condition key ec2:InstanceType does not match t2.micro or t2.small. Since m5.large is not in the allowed list, the deny effect applies, and the launch fails regardless of any IAM policy that might allow it. SCPs act as a guardrail that overrides IAM permissions, so even if the developer has full IAM access, the SCP blocks the operation.

Exam trap

The trap here is that candidates confuse SCPs with IAM policies, thinking an explicit allow in IAM can override an SCP deny, but SCPs act as a boundary that cannot be bypassed by any IAM permission.

How to eliminate wrong answers

Option A is wrong because the SCP explicitly denies ec2:RunInstances, not just ec2:StartInstances; the exhibit shows 'Deny' for RunInstances with a condition on instance type. Option C is wrong because SCPs do not need to explicitly allow actions; they default to allowing all actions unless a deny is applied, and here a deny is applied for non-compliant instance types. Option D is wrong because SCPs are evaluated before IAM policies; a deny in an SCP cannot be overridden by an IAM allow, so the launch fails regardless of the developer's IAM policy.

603
MCQ (easy)

A company needs to share an encrypted Amazon S3 object with another AWS account. The object is encrypted with an AWS KMS customer managed key. Which steps are required?

A. Use an object ACL to grant the other account read access.
B. Update both the bucket policy and the KMS key policy to grant cross-account access.
C. Update the bucket policy to allow the other account to access the object.
D. Update the KMS key policy to allow the other account to decrypt.
Answer: B

Both policies must allow the external account to access the object and decrypt it.

Why this answer

Option B is correct because both the bucket policy and the key policy must grant cross-account access. Option C is wrong because the bucket policy alone is not enough; the key policy must also allow the other account to use the key. Option D is wrong because the key policy alone is insufficient; the bucket policy must allow s3:GetObject.

Option A is wrong because object ACLs cannot grant usable cross-account access when KMS encryption is used, since the other account still cannot decrypt the object.

604
Multi-Select (medium)

A security engineer is designing a governance framework for a multi-account AWS environment. The engineer needs to ensure that all accounts comply with the principle of least privilege for IAM roles and that any non-compliant resources are automatically reported. Which two AWS services should the engineer use together to achieve this? (Choose TWO.)

Select 2 answers
A. AWS Security Hub
B. AWS Service Catalog
C. Amazon GuardDuty
D. AWS Config
E. AWS CloudTrail
Answers: A, D

Security Hub aggregates findings from AWS Config and other services, providing a compliance dashboard and automated reporting.

Why this answer

AWS Security Hub is correct because it provides a comprehensive view of security alerts and compliance status across multiple AWS accounts, aggregating findings from various AWS services and third-party tools. AWS Config is correct because it continuously monitors and records AWS resource configurations, enabling you to define rules (e.g., IAM least privilege policies) and automatically evaluate resource compliance, triggering notifications or remediation actions for non-compliant resources. Together, Security Hub can ingest AWS Config rule compliance results as findings, allowing centralized reporting and automated response to IAM role violations.

Exam trap

The trap here is that candidates often confuse AWS Config (resource compliance evaluation) with AWS CloudTrail (API activity logging) or Amazon GuardDuty (threat detection), failing to recognize that only AWS Config can directly assess IAM role configurations against least privilege rules and automatically report non-compliance.

605
MCQ (easy)

Which IAM entity can be used to delegate permissions to an AWS service to perform actions on your behalf?

A. Service role
B. Service-linked role
C. Instance profile
D. Permissions boundary
Answer: A

A service role allows an AWS service to assume it and perform actions.

Why this answer

A service role is an IAM role that a service assumes to perform actions on your behalf. Option A is correct. Option B is wrong because a service-linked role is a special type of service role, but not all service roles are service-linked.

Option C is wrong because an instance profile is used for EC2. Option D is wrong because a permissions boundary is used to set maximum permissions.

606
MCQ (medium)

A security engineer is investigating a potential data exfiltration incident. The engineer needs to determine whether an IAM user in account A accessed an S3 bucket in account B. The engineer has access to both accounts. Which combination of steps should the engineer take to identify the cross-account access?

A. Enable S3 server access logging on the bucket in account B and check the logs.
B. Enable CloudTrail in account B and check the S3 event history for the bucket.
C. Enable CloudTrail in account A and check the S3 event history.
D. Enable CloudWatch Logs in account A and check the S3 access logs.
Answer: B

CloudTrail in the bucket owner account records all S3 API calls, including cross-account access, with the full IAM user ARN.

Why this answer

Option B is correct because CloudTrail logs in the bucket owner account (account B) record cross-account access together with the calling user's ARN. Option C is wrong because the accessing account's CloudTrail does not record S3 operations performed against a bucket owned by another account. Option A is wrong because S3 server access logs do not include IAM user details.

Option D is wrong because CloudWatch Logs does not store S3 access logs by default.

607
Multi-Select (hard)

Which THREE are best practices for managing IAM roles?

Select 3 answers
A. Set the trust policy to allow any AWS account to assume the role.
B. Use IAM roles instead of IAM users for applications running on EC2.
C. Rotate role credentials automatically by using temporary credentials from STS.
D. Use service control policies (SCPs) to restrict permissions at the organizational level.
E. Grant broad permissions to roles to avoid frequent updates.
Answers: B, C, D

Roles are more secure than storing access keys on instances.

Why this answer

Options B, C, and D are correct. Option E is wrong because roles should be granted least privilege, not broad access. Option A is wrong because trust policies should be scoped to specific accounts or principals, never to any AWS account.

608
MCQ (hard)

A large enterprise has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all IAM roles in all accounts must have a maximum session duration of 1 hour. They create an SCP that denies creating or updating roles if the MaxSessionDuration is greater than 3600 seconds. The SCP is attached to the root OU. After applying the SCP, the development team reports that they cannot create any new IAM roles, even with a session duration of 1 hour. They are using CloudFormation to create roles. What is the MOST likely reason for the failure?

A. The SCP cannot be attached to the root OU; it must be attached to individual accounts.
B. The SCP is not effective; the issue is with the IAM permissions boundary.
C. The SCP denies role creation when MaxSessionDuration is not explicitly set, even if it defaults to 1 hour.
D. CloudFormation does not support creating IAM roles.
Answer: C

The condition may not match when the parameter is absent.

Why this answer

Option C is correct. CloudFormation uses a service role (or the caller's role) to create resources, so if the SCP denies iam:CreateRole, the CloudFormation stack operation itself fails.

The more likely issue is that the SCP's condition does not account for the case where MaxSessionDuration is not specified in the request. When it is omitted the role defaults to a 1 hour session, but a condition written to compare the numeric value can still evaluate as a deny when the key is absent, so every role created without an explicit MaxSessionDuration is blocked. Option D is wrong because the SCP does not block CloudFormation overall, and CloudFormation does support creating IAM roles.

Option B is wrong because the SCP, not a permissions boundary, is the likely cause. Option A is wrong because an SCP can be attached to the root OU.

609
MCQ (medium)

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom header X-Auth-Token to authenticate requests. The security team wants to use AWS WAF to block requests that do not contain this header or contain an invalid token. The WAF is associated with the ALB. The team creates a rule with a match condition that checks for the presence of the X-Auth-Token header and a regex pattern for the token value. However, the rule is not blocking any requests. What is the most likely cause?

A. AWS WAF is not supported for Application Load Balancers; it only supports CloudFront.
B. AWS WAF cannot inspect custom headers; it can only inspect standard HTTP headers.
C. The regex pattern for the token is too complex for AWS WAF to process.
D. There is an allow rule with a higher priority that allows all requests before the block rule is evaluated.
Answer: D

Rules are evaluated in priority order; a higher priority allow rule would override the block rule.

Why this answer

Option D is correct. AWS WAF evaluates rules in priority order, and once a higher priority rule allows the request, lower priority rules are not evaluated, so the block rule never fires. The team most likely has an allow rule with higher priority that matches all requests.

Option B is incorrect because WAF can inspect custom headers. Option A is incorrect because WAF can be associated with an ALB. Option C is incorrect because WAF supports regex pattern sets.

610
MCQ (hard)

During incident response, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group. Which action preserves the most evidence while minimizing disruption?

A. Enable VPC Flow Logs for the subnet and analyze the logs.
B. Take an EBS snapshot and analyze network logs from the snapshot.
C. Use AWS Traffic Mirroring to mirror traffic to a monitoring appliance.
D. Terminate the instance and launch a new one to capture network logs.
Answer: A

Flow logs capture network metadata without performance impact.

Why this answer

Option A is correct because VPC Flow Logs capture metadata (IP addresses, ports, protocols, packet sizes) of all traffic to/from the EC2 instance at the subnet level, preserving a forensic record without any disruption to the running instance or Auto Scaling group. This approach avoids stopping, terminating, or modifying the instance, ensuring the incident environment remains intact for further investigation.

Exam trap

The trap here is that candidates confuse 'capturing network traffic' with needing packet-level inspection (e.g., Traffic Mirroring) and overlook that VPC Flow Logs provide sufficient forensic metadata for most incident response scenarios without disrupting the instance.

How to eliminate wrong answers

Option B is wrong because an EBS snapshot captures disk state, not network traffic; analyzing network logs from a snapshot is impossible since network logs are not stored on the volume by default. Option C is wrong because AWS Traffic Mirroring requires stopping the instance to attach a mirror target or may introduce latency, and it disrupts the production traffic flow by duplicating packets, which can alter the incident environment. Option D is wrong because terminating the instance destroys volatile evidence (e.g., running processes, memory, active network connections) and disrupts the Auto Scaling group, potentially losing critical forensic data.

611
MCQ (easy)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The security team wants to create a subnet for a legacy application that requires 2000 IP addresses. What is the smallest subnet CIDR that meets this requirement?

A. 10.0.0.0/24
B. 10.0.0.0/20
C. 10.0.0.0/22
D. 10.0.0.0/19
Answer: B

A /20 gives 4096 addresses, which is sufficient and the smallest of the options that fits.

Why this answer

Option B is correct because a /20 subnet provides 4096 IP addresses (minus the 5 that AWS reserves in every subnet), which is the smallest option that can accommodate 2000 hosts. Option A (/24) provides 256 IPs, too small. Option C (/22) provides 1024 IPs, too small.

Option D (/19) provides 8192 IPs, larger than needed.

612
MCQ (hard)

Refer to the exhibit. An IAM policy allows running EC2 instances. A developer tries to launch a t2.micro instance but receives an 'AccessDenied' error. What is the most likely reason?

A. The policy does not grant permissions for other required resources such as images or security groups.
B. The developer is trying to launch a different instance type.
C. The region in the policy does not match the developer's region.
D. The policy has an explicit deny elsewhere.
Answer: A

RunInstances requires permissions on multiple resource types; the policy only grants on the instance resource, not on the image, network interface, security group, and so on.

Why this answer

Option A is correct because the policy only allows the instance resource, but RunInstances also requires permissions on the other resources it touches, such as the AMI, security groups, subnet, network interface, and volumes. Option C is wrong because the policy's condition is on instance type, not on region. Option B is wrong because the condition matches the t2.micro instance type, so that is not the issue.

Option D is wrong because the action is allowed; the denial comes from the missing resource permissions, not from an explicit deny.

613
MCQ (hard)

A company uses AWS CloudHSM to store encryption keys for a custom database encryption application. The application runs on Amazon EC2 instances and uses the PKCS#11 library to communicate with the HSM. Recently, the application started failing with 'CKR_SESSION_HANDLE_INVALID' errors. Which of the following is the most likely cause?

A. The client certificate used for mutual TLS authentication has expired
B. The security group for the HSM does not allow inbound traffic from the EC2 instance
C. The application is not closing sessions properly, causing the HSM to reach the maximum number of open sessions
D. The HSM's firmware version is incompatible with the PKCS#11 library
Answer: C

Exhausting sessions causes invalid handle errors.

Why this answer

CloudHSM partitions have a limit on the number of open sessions. If the application does not properly close sessions, it can exhaust that limit, and subsequent calls fail with invalid session handle errors. Option C identifies this.

Option A (an expired certificate) and Option D (a firmware incompatibility) would cause different errors, and Option B is a connectivity problem that would prevent any session from being opened at all.

614
MCQ (hard)

A security engineer runs the get-account-authorization-details command and sees the exhibit output. The engineer wants to ensure that the 'admin' user does not have administrative access. Which steps should be taken?

A. Delete the 'admin' user and create a new user with limited permissions.
B. Modify the AdministratorAccess policy to deny all actions.
C. Detach the AdministratorAccess policy from the 'admin' user and attach a custom policy with read-only permissions.
D. Attach a permissions boundary that denies all actions.
Answer: C

This directly removes the administrative access and grants limited permissions.

Why this answer

The 'admin' user has the AdministratorAccess policy attached. To remove administrative access, the engineer should detach this policy and attach a more restrictive policy. Option A is wrong because deleting the user is unnecessary.

Option D is wrong because a permissions boundary does not remove the existing policy. Option B is wrong because the attached policy itself needs to be removed, not rewritten.

615
Multi-Select (medium)

Which TWO of the following are valid sources for Amazon CloudWatch Logs? (Select TWO.)

Select 2 answers
A. Amazon RDS for MySQL logs
B. VPC Flow Logs delivered to S3
C. Amazon S3 access logs
D. On-premises servers via the CloudWatch agent
E. AWS CloudTrail log file delivery
Answers: D, E

The CloudWatch agent can send logs from on-premises to CloudWatch Logs.

Why this answer

On-premises servers can send logs to Amazon CloudWatch Logs by installing and configuring the CloudWatch agent. The agent collects system and application logs from the server and forwards them to CloudWatch Logs for centralized monitoring, alerting, and storage. This is a valid and common hybrid monitoring pattern.

Exam trap

The trap here is that candidates often assume all AWS service logs (like RDS logs, S3 access logs, or VPC Flow Logs) are automatically sent to CloudWatch Logs, when in fact many require explicit configuration or are delivered to S3 by default, requiring additional steps to ingest into CloudWatch Logs.

616
MCQ (hard)

A company is using AWS CloudHSM to store encryption keys for a custom application. The application needs high availability across two AWS Regions. What is the MOST secure and cost-effective approach to synchronize key material between the HSMs in each Region?

A. Use AWS KMS multi-Region keys with custom key store backed by CloudHSM
B. Create a backup of the source HSM and restore it to the target HSM in the second region
C. Export the key material from the source HSM using the encrypt/decrypt API and import into the target HSM
D. Use the AWS CloudHSM client to replicate the key material automatically across regions
Answer: B

Backup and restore is the recommended method for cross-region key synchronization.

Why this answer

CloudHSM does not automatically sync key material across clusters. The best practice is to back up the cluster in one Region and restore that backup into the cluster in the other Region. Option B is correct because backup and restore within the same account provides secure key synchronization without the key material ever leaving an HSM in the clear.

Option D is incorrect because CloudHSM does not support cross-region replication natively. Option C is incorrect because manually exporting key material via the API introduces security risk. Option A is incorrect because KMS does not directly integrate with CloudHSM for key synchronization across Regions.

617
MCQ (medium)

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to capture network traffic to and from the instance for analysis. Which method should be used to capture this traffic without installing any software on the instance?

A. Enable VPC Flow Logs for the subnet.
B. Configure AWS Network Firewall in the VPC.
C. Install the Amazon CloudWatch agent on the instance.
D. Use VPC Traffic Mirroring.
Answer: D

Captures full network packets without installing software.

Why this answer

VPC Traffic Mirroring captures network traffic from an EC2 instance's ENI without installing an agent. Option D is correct. Option C is wrong because the CloudWatch agent must be installed on the instance.

Option A is wrong because VPC Flow Logs only capture metadata, not the full packet payload. Option B is wrong because AWS Network Firewall filters traffic; it does not capture it.

618
MCQ (medium)

A company has enabled AWS Config to record resource changes. The security team needs to be notified when a security group is modified to allow inbound SSH from 0.0.0.0/0. Which AWS service should be used to evaluate the Config rules and trigger notifications?

A. AWS Lambda
B. AWS Security Hub
C. Amazon GuardDuty
D. AWS CloudTrail
E. AWS Config with a custom rule that triggers an SNS notification
Answer: E

AWS Config rules evaluate configurations and can invoke SNS.

Why this answer

Option E is correct because AWS Config rules evaluate resource configurations and can trigger SNS notifications when a resource becomes non-compliant. Option D is wrong because CloudTrail logs API calls but does not evaluate rules. Option A is wrong because Lambda can implement the rule logic or a remediation action, but it is not the trigger itself.

Option C is wrong because GuardDuty is for threat detection. Option B is wrong because Security Hub centralizes findings but does not directly evaluate Config rules.

619
MCQ (easy)

A company wants to allow a Lambda function to read objects from an S3 bucket in the same account. What should be done?

A. Store IAM user access keys in the Lambda function's environment variables.
B. Create an IAM role with an S3 read policy and attach it to the Lambda function.
C. Add a bucket policy allowing s3:GetObject for the Lambda service principal.
D. Configure the S3 bucket to be public.
Answer: B

Lambda assumes the role to get temporary credentials.

Why this answer

Option B is correct because Lambda functions require an IAM role (execution role) to obtain temporary AWS credentials via the AWS Security Token Service (STS). Attaching a policy with s3:GetObject permissions to this role grants the Lambda function the necessary access to read objects from the S3 bucket without hardcoding long-term credentials.

Exam trap

The trap here is that candidates confuse the Lambda service principal (lambda.amazonaws.com) with the Lambda execution role, incorrectly assuming that a bucket policy can grant access directly to the Lambda service rather than to the IAM role that the Lambda function assumes.

How to eliminate wrong answers

Option A is wrong because storing IAM user access keys in environment variables violates security best practices (long-term credentials are exposed and must be rotated manually), and Lambda natively supports temporary credentials via an execution role. Option C is wrong because a bucket policy that grants s3:GetObject to the Lambda service principal (lambda.amazonaws.com) does not work—the service principal cannot be used as a grantee in a resource-based policy; instead, you must specify the IAM role ARN or the AWS account root user. Option D is wrong because making the S3 bucket public exposes all objects to the internet, which is a severe security risk and unnecessary when a properly scoped IAM role can grant access only to the Lambda function.

620
MCQ (medium)

A security engineer is troubleshooting an issue where Amazon GuardDuty is not generating findings for a specific EC2 instance that is known to be compromised. The instance is in a VPC with VPC Flow Logs enabled. What could be the reason for the lack of findings?

A. CloudTrail is not enabled in the account.
B. AWS Config is not enabled for the EC2 instance.
C. VPC Flow Logs are only enabled for the subnet, not the instance's ENI.
D. VPC Flow Logs are not being delivered to CloudWatch Logs.
Answer: D

GuardDuty analyzes VPC Flow Logs data from CloudWatch Logs; without delivery, it cannot generate findings.

Why this answer

Option D is correct because GuardDuty requires VPC Flow Logs to be enabled and delivered to CloudWatch Logs in order to analyze the instance's network traffic. Option A is wrong because CloudTrail logs management events, not network traffic. Option C is wrong because subnet-scoped versus ENI-scoped flow logs is not the distinction that matters here; flow logs at the VPC, subnet, or ENI level all cover the instance's ENI.

Option B is wrong because GuardDuty does not require AWS Config to be enabled.

621
MCQ (hard)

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that a KMS key has been deleted accidentally, causing data loss. The company wants to implement a solution to prevent accidental key deletion and enable recovery. What should the security team do?

A. Enable the key's 'Disable key' option and set a deletion waiting period of 7 days.
B. Enable automatic key rotation for the KMS key.
C. Create a multi-Region key and enable automatic key rotation.
D. Use AWS CloudHSM to store the key material and create a backup in another Region.
Answer: C

Multi-Region keys provide a replica in another region for recovery, and automatic rotation improves security.

Why this answer

Option C is correct because a multi-Region key has a replica in another Region; if one Region's key is deleted, the replica can still be used to decrypt the data, which gives the company a recovery path. Enabling automatic key rotation improves key hygiene, but rotation on its own does not prevent deletion.

Option A is wrong because disabling a key does not prevent accidental deletion; a disabled key can still be scheduled for deletion, and KMS only lets you set a waiting period rather than block deletion outright. Option B is wrong because key rotation only creates new backing key material; it does nothing to prevent deletion or to provide a backup. Option D is wrong because CloudHSM does not integrate directly with S3 SSE-KMS.

622
MCQ (medium)

An organization wants to enforce multi-factor authentication (MFA) for all IAM users who perform sensitive actions. Which condition key should be used in an IAM policy to require MFA?

A. aws:SourceIp
B. aws:MultiFactorAuthPresent
C. aws:UserAgent
D. aws:CurrentTime
Answer: B

This condition checks whether MFA was used.

Why this answer

Option B is correct: aws:MultiFactorAuthPresent is the condition key that indicates whether the request was made with MFA. Option D is wrong because aws:CurrentTime checks the time of the request. Option C is wrong because aws:UserAgent checks the client's user agent string.

Option A is wrong because aws:SourceIp checks the source IP address of the request.

623
MCQ (easy)

A security engineer is investigating a potential data breach. The engineer needs to identify which IAM user accessed a specific S3 object and when. Which AWS service should the engineer use?

A. AWS Config
B. Amazon S3 server access logs
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: C

CloudTrail records API calls with user identity, including S3 data events.

Why this answer

AWS CloudTrail is the correct service because it records API activity for all AWS services, including S3 object-level operations such as GetObject, PutObject, and DeleteObject. By enabling data events on the specific S3 bucket, CloudTrail logs the IAM user, source IP, timestamp, and the exact object key accessed, providing the precise identity and time needed for breach investigation.

Exam trap

The trap here is that candidates confuse S3 server access logs (which show HTTP-level requests but lack IAM user identity) with CloudTrail (which captures the full IAM user context via the AWS API), leading them to incorrectly select Amazon S3 server access logs.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource configurations and compliance rules, not API-level access logs; it cannot show which user accessed a specific S3 object or when. Option B is wrong because Amazon S3 server access logs record HTTP requests to the bucket at the object level, but they log the requester's AWS account ID or anonymous identifier, not the IAM user ARN, making it impossible to tie the access to a specific IAM user. Option D is wrong because Amazon CloudWatch Logs is a centralized log storage and monitoring service, not a source of API activity logs; it can ingest CloudTrail logs but does not generate the access records itself.

624
Multi-Select (medium)

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an EC2 instance is sending data to an external IP address. Which TWO AWS services can provide evidence of outbound data transfer? (Select TWO.)

Select 2 answers
A. S3 server access logs
B. AWS Config
C. VPC Flow Logs
D. AWS CloudTrail
E. AWS Trusted Advisor
Answers: A, C

If data is exfiltrated from S3, server access logs show object access details.

Why this answer

S3 server access logs provide detailed records of requests made to an S3 bucket, including the source IP address, request type, and bytes transferred. If the EC2 instance is exfiltrating data to an external IP by first uploading it to an S3 bucket, these logs can reveal the instance's private or public IP, the amount of data sent, and the target bucket. This makes them a valid source of evidence for outbound data transfer from the EC2 instance to S3.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with VPC Flow Logs (which log network traffic), leading them to incorrectly select CloudTrail as a source for evidence of data transfer.

625
MCQ (medium)

Refer to the exhibit. An IAM policy is attached to an IAM user. The user reports that they can upload objects to the S3 bucket but cannot list the contents of the bucket. Which statement explains this behavior?

A. The policy does not include the s3:ListBucket action.
B. The policy includes s3:ListBucket but is missing the bucket ARN.
C. The policy denies the s3:ListBucket action.
D. The policy explicitly denies s3:ListBucket.
Answer: A

The policy only allows PutObject and GetObject, not ListBucket.

Why this answer

Option A is correct because the policy only grants the s3:PutObject and s3:GetObject actions and does not grant s3:ListBucket. The ListBucket action is required to list the objects in a bucket, so the listing request is implicitly denied. Option C is wrong because the policy contains only Allow statements for PutObject and GetObject, not a Deny.

Option B is wrong because the policy does not include s3:ListBucket at all, so a missing bucket ARN is not the problem. Option D is wrong because the policy does not explicitly deny ListBucket; it simply does not allow it.

626
MCQ (medium)

A company uses Amazon GuardDuty for threat detection. The security team wants to automatically isolate an EC2 instance that is communicating with a known malicious IP address. Which combination of services should be used?

A.GuardDuty -> AWS Config -> Lambda -> modify security group
B.GuardDuty -> CloudWatch Alarm -> Lambda -> modify security group
C.GuardDuty -> EventBridge -> Lambda -> modify security group
D.GuardDuty -> AWS Shield -> modify security group
E.GuardDuty -> AWS Systems Manager -> modify security group
AnswerC

EventBridge can receive GuardDuty findings and trigger Lambda.

Why this answer

Option C is correct because GuardDuty findings can be sent to EventBridge, which triggers a Lambda function to modify the security group. Option B is wrong because CloudWatch Alarms do not directly process GuardDuty findings. Option A is wrong because AWS Config is for configuration management.

Option E is wrong because Systems Manager is for patch management. Option D is wrong because AWS Shield is for DDoS protection.

627
Multi-Selectmedium

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet the following requirements: 1) Logs from all accounts must be stored in a centralized S3 bucket. 2) The logs must be encrypted at rest using AWS KMS. 3) Access to the logs must be logged and monitored. Which TWO services should be used to meet the requirements? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Macie
D.S3 server access logs
E.AWS Config
AnswersB, D

CloudTrail can deliver logs from multiple accounts to a centralized S3 bucket.

Why this answer

Option B is correct because AWS CloudTrail can be configured to deliver logs from multiple accounts to a centralized S3 bucket. Option D is correct because S3 server access logs record requests made to the bucket, providing access logging. Option C is wrong because Amazon Macie is for sensitive data discovery, not centralizing logs.

Option E is wrong because AWS Config tracks resource configurations, not log delivery. Option A is wrong because Amazon GuardDuty provides threat detection, not centralized logging.

628
Multi-Selectmedium

Which TWO actions can be performed using AWS IAM? (Choose two.)

Select 2 answers
A.Change the instance type of an RDS database
B.Create a CloudFront distribution
C.Define a password policy for IAM users
D.Create an IAM role with a trust policy for EC2
E.Configure a VPC peering connection
AnswersC, D

IAM allows setting account password policies.

Why this answer

Option C is correct because AWS IAM allows you to define a password policy for IAM users, which enforces complexity requirements, rotation periods, and reuse prevention. This is a core IAM feature that helps secure user credentials without relying on external identity providers.

Exam trap

The trap here is that candidates confuse IAM's authorization capabilities (granting permissions) with the ability to directly perform resource operations, leading them to select options like A, B, or E that are actual AWS actions but are not performed by IAM itself.

629
MCQeasy

A company wants to protect data in transit between an on-premises data center and AWS over the internet. Which AWS service should they use to create a dedicated, encrypted connection?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.AWS Client VPN
AnswerC

Site-to-Site VPN uses IPsec to encrypt data in transit over the internet.

Why this answer

AWS Site-to-Site VPN provides an encrypted tunnel over the internet between on-premises and AWS. AWS Direct Connect provides a dedicated connection but is not encrypted by default; IPsec can be added. AWS Transit Gateway is a network transit hub, not a connection type.

AWS Client VPN is for individual clients. Option C is correct.

630
MCQeasy

A company wants to allow an external auditor to read all objects in a specific S3 bucket for a limited time. What is the most secure way to grant this access?

A.Generate pre-signed URLs for the objects the auditor needs to read, with an expiration time.
B.Use a bucket policy that allows access only from the auditor's IP address.
C.Make the bucket public and restrict access via IP address in the bucket policy.
D.Create an IAM user for the auditor with read-only access to the bucket and share the access keys.
AnswerA

Pre-signed URLs provide time-limited access without sharing credentials.

Why this answer

Option A is correct because a pre-signed URL can grant temporary access to specific objects, and the URL can have an expiration time. Option C is wrong because making the bucket public is not secure. Option D is wrong because creating an IAM user for the auditor and sharing credentials is not ideal for external parties.

Option B is wrong because a bucket policy with a condition for a specific IP address is an option but requires the auditor's IP and may not be as granular.

631
MCQeasy

A security engineer notices that an IAM role used by an EC2 instance is generating a large number of API calls to an S3 bucket that is not part of the company's account. Which AWS service should be used to detect and alert on this suspicious activity?

A.AWS CloudTrail
B.Amazon Inspector
C.AWS Config
D.Amazon GuardDuty
AnswerD

GuardDuty uses machine learning to detect unusual API activity across accounts.

Why this answer

Amazon GuardDuty is the correct service because it uses machine learning and anomaly detection to analyze AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs. It can detect unusual API calls, such as an EC2 instance role making a high volume of requests to an S3 bucket outside the company's account, which is a classic indicator of compromised credentials or data exfiltration. GuardDuty generates findings and can integrate with Amazon CloudWatch Events to trigger alerts or automated remediation.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs the activity) with GuardDuty (which analyzes and alerts on the activity), leading them to select CloudTrail because they think logging alone is sufficient for detection, but GuardDuty is the service specifically designed for threat detection and alerting.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records API calls, but it does not perform real-time detection, analysis, or alerting on suspicious activity; it only provides raw logs that require separate monitoring and analysis. Option B is wrong because Amazon Inspector is a vulnerability management service that assesses EC2 instances for software vulnerabilities and unintended network exposure, not for detecting anomalous API call patterns or cross-account data access. Option C is wrong because AWS Config is a resource inventory and compliance service that evaluates resource configurations against rules, but it does not analyze API call patterns or detect anomalous behavior like unusual S3 access from an IAM role.

632
MCQmedium

A company is migrating its on-premises file server to Amazon EFS. The data includes sensitive financial records. The security team requires encryption at rest and in transit. The team plans to mount the EFS file system on EC2 instances using the NFS client. They have enabled encryption at rest on the EFS file system. However, they are unsure how to enforce encryption in transit. What should they do to ensure all data transferred between the EC2 instance and EFS is encrypted?

A.Mount the EFS file system using the `mount -t nfs4 -o tls` command on the EC2 instance.
B.Enable encryption in transit in the EFS file system policy and rely on the default NFS client behavior.
C.Set up a VPN connection between the VPC and the on-premises network to encrypt all traffic.
D.Use AWS Certificate Manager to issue a certificate for the EFS file system.
AnswerA

The tls option forces the NFS client to use TLS for encryption in transit.

Why this answer

Option A is correct. To enforce encryption in transit for EFS, you must use the `mount` command with the `tls` option. This ensures the NFS client uses TLS encryption.

Option B is wrong because enabling encryption in transit in the EFS console only allows it; the client must also request it. Option C is wrong because a VPN connection does not encrypt traffic between the EC2 instance and EFS inside the VPC. Option D is wrong because AWS Certificate Manager is not used for EFS encryption in transit.

633
MCQeasy

A security analyst wants to receive a notification whenever a new security group is created in their AWS account. Which AWS service should they use to trigger an SNS notification based on the CloudTrail event?

A.Amazon GuardDuty
B.AWS Config
C.Amazon EventBridge (CloudWatch Events)
D.AWS Lambda
AnswerC

EventBridge can filter CloudTrail events and invoke SNS topics.

Why this answer

Amazon EventBridge (formerly CloudWatch Events) can match events from CloudTrail (e.g., CreateSecurityGroup) and route them to targets like SNS.

634
MCQmedium

A security engineer needs to ensure that an Amazon S3 bucket blocks all public access. Which S3 block public access settings should be enabled?

A.Block public access to buckets and objects granted through new public bucket policies
B.Block public access to buckets and objects granted through new access control lists (ACLs)
C.Block public access to buckets and objects granted through any access control lists (ACLs)
D.Block all public access
AnswerD

This setting blocks all public access, including both ACLs and bucket policies.

Why this answer

The correct answer is D because enabling all four block public access settings provides the most restrictive public access controls. Option A is wrong because it only blocks access granted to the public via new bucket policies, not all public access. Option B is wrong because it only blocks access granted to the public via new ACLs.

Option C is wrong because it only blocks access granted to the public via ACLs, not via bucket policies.

635
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team wants to centralize threat detection across all accounts. They enable Amazon GuardDuty in the management account and intend to use delegated administrator functionality. However, they find that GuardDuty is not detecting threats in member accounts. What is the most likely cause?

A.GuardDuty requires an S3 bucket in each account to store findings.
B.GuardDuty is not enabled in the member accounts. The security team must invite member accounts or use the delegated administrator to enable GuardDuty in all accounts.
C.GuardDuty only monitors the management account's resources, not member accounts.
D.GuardDuty does not support delegated administrator for AWS Organizations.
AnswerB

GuardDuty must be enabled in each account. The delegated administrator can enable it for all accounts, but it requires explicit action.

Why this answer

Option B is correct because Amazon GuardDuty must be enabled in each member account to detect threats in those accounts. When using the delegated administrator model, the security team can enable GuardDuty across all accounts programmatically via the delegated administrator API, but they must explicitly perform this action. Simply enabling GuardDuty in the management account does not automatically activate it in member accounts, which is why no threats are detected in those accounts.

Exam trap

The trap here is that candidates assume enabling GuardDuty in the management account automatically propagates to all member accounts, but AWS requires an explicit delegated administrator action to enable the service across the organization.

How to eliminate wrong answers

Option A is wrong because GuardDuty does not require an S3 bucket in each account to store findings; findings are stored centrally in the GuardDuty service and can be exported to a single S3 bucket if configured. Option C is wrong because GuardDuty, when properly enabled via delegated administrator, monitors resources across all member accounts, not just the management account. Option D is wrong because GuardDuty fully supports delegated administrator for AWS Organizations, allowing a designated account to manage GuardDuty across the organization.

636
MCQeasy

Refer to the exhibit. A security engineer creates this CloudWatch Logs metric filter on a CloudTrail log group to detect root account usage. However, no metrics are generated. What is the most likely issue?

A.The log group does not exist
B.CloudTrail is not enabled for the account
C.The metric namespace is invalid
D.The metric filter pattern is incorrectly formatted
AnswerD

The pattern should not contain backslashes and should use properly matched parentheses.

Why this answer

The filter pattern syntax is incorrect. CloudWatch Logs filter patterns for JSON use a different syntax, e.g., { ($.userIdentity.type = "Root") }. The backslashes are not needed.

637
MCQmedium

During a security incident, a forensic investigator needs to capture the memory of a running EC2 instance without shutting it down. Which AWS feature should be used?

A.Amazon CloudWatch agent
B.EC2 Rescue for Linux or Systems Manager Run Command with a memory dump script
C.AWS CloudTrail
D.Amazon EBS snapshot
AnswerB

These tools can capture memory without stopping the instance.

Why this answer

Option B is correct because EC2 Rescue for Linux (via Systems Manager Run Command) includes a built-in script that can capture a full memory dump from a running EC2 instance without requiring a shutdown. This is essential for forensic analysis to preserve volatile data like running processes, network connections, and kernel structures. The script leverages the Linux 'vmcore' or 'LiME' (Linux Memory Extractor) tool to safely extract memory contents while the instance remains operational.

Exam trap

The trap here is that candidates often confuse capturing volatile memory with taking a disk snapshot (Option D), not realizing that memory is stored in RAM and is not preserved by EBS snapshots, which only capture persistent storage.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Agent is designed for collecting metrics, logs, and performance data, not for capturing raw memory dumps; it cannot access or dump physical memory. Option C is wrong because AWS CloudTrail records API activity and management events, not the volatile memory state of an EC2 instance; it provides no mechanism for memory acquisition. Option D is wrong because an Amazon EBS snapshot captures the persistent disk state (block-level storage), not the contents of RAM; memory is volatile and not stored on EBS volumes.

638
MCQmedium

An organization wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which policy should be used?

A.A policy that allows all actions and denies when aws:MultiFactorAuthPresent is true.
B.A policy that allows all actions except ConsoleLogin unless MFA is present.
C.A policy that allows all actions when aws:MultiFactorAuthPresent is true.
D.A policy that denies all actions unless aws:MultiFactorAuthPresent is true.
AnswerD

This explicitly denies access if MFA is not present, enforcing MFA.

Why this answer

Option D is correct because it uses an IAM policy with a Deny effect on all actions when `aws:MultiFactorAuthPresent` is false (or not true). This ensures that any IAM user attempting to perform any action, including ConsoleLogin, must have authenticated with MFA; otherwise, the request is denied. This is the standard approach to enforce MFA for all AWS Management Console access.

Exam trap

The trap here is that candidates often confuse the condition key evaluation — thinking a policy that 'allows when MFA is present' is sufficient, but without an explicit Deny for when MFA is absent, other policies could still grant access, making the enforcement incomplete.

How to eliminate wrong answers

Option A is wrong because it denies actions when `aws:MultiFactorAuthPresent` is true, which would block users who have authenticated with MFA, defeating the purpose. Option B is wrong because it allows all actions except ConsoleLogin unless MFA is present, but it does not deny other actions (like API calls) when MFA is absent, leaving a security gap. Option C is wrong because it allows all actions when MFA is present but does not explicitly deny actions when MFA is absent, meaning a user without MFA could still access resources if another policy grants access.

639
MCQmedium

A company is storing sensitive customer data in Amazon S3. The security team requires that all data be encrypted at rest using a key that is rotated automatically every year. Which solution meets these requirements with the LEAST operational overhead?

A.Use SSE-C with an AWS-managed key
B.Use SSE-S3
C.Use SSE-KMS with automatic key rotation
D.Use client-side encryption with a custom key
AnswerB

SSE-S3 automatically rotates keys with no customer effort.

Why this answer

Option B is correct because SSE-S3 uses Amazon S3-managed keys that are automatically rotated. Option C is wrong because SSE-KMS requires manual key rotation or enabling automatic key rotation. Option D is wrong because client-side encryption adds operational overhead.

Option A is wrong because SSE-C requires the customer to manage keys.

640
MCQhard

A company uses Amazon S3 to store sensitive documents. The security policy requires that all objects be encrypted using server-side encryption with customer-provided keys (SSE-C). An application fails when trying to read an object with the error 'The request includes an invalid header.' What is the MOST likely cause?

A.The application did not specify an encryption context in the request.
B.The KMS key used for encryption has been disabled.
C.The application did not include the x-amz-server-side-encryption-customer-key header in the GET request.
D.The S3 bucket does not have versioning enabled.
AnswerC

SSE-C requires the customer-provided key in every request.

Why this answer

Option C is correct because SSE-C requires the encryption key to be provided in the request headers; if the key is missing or incorrect, the request fails with an invalid header error. Option B is wrong because SSE-C does not involve KMS keys. Option A is wrong because SSE-C does not require an encryption context.

Option D is wrong because SSE-C does not require bucket versioning.

641
MCQeasy

Refer to the exhibit. An EC2 instance is launched with an instance profile that references this role. The application on the instance tries to list objects in 'my-bucket' but receives an AccessDenied error. What is the most likely cause?

A.The trust policy does not allow the EC2 service to assume the role.
B.The policy does not grant s3:GetObject permission.
C.The S3 bucket has a bucket policy that denies access.
D.The role does not have any permissions policy attached.
AnswerC

An explicit deny in the bucket policy would override the role's allow.

Why this answer

Option C is correct. The role's policy allows s3:ListBucket on arn:aws:s3:::my-bucket, which is the correct action and resource for listing the bucket's contents (s3:ListBucket is evaluated against the bucket ARN, not against object ARNs), so the identity policy itself should permit the list operation. Since that allow is in place, the most likely cause of the AccessDenied error is an explicit deny in the bucket policy, which overrides the role's allow.

Option A is wrong because the trust policy allows EC2 to assume the role. Option B is wrong because s3:GetObject is needed to read objects, not to list them. Option D is wrong because the role does have a permissions policy attached.

642
Multi-Selecthard

A company uses AWS KMS to encrypt data in Amazon S3. The security team wants to detect any attempts to use a KMS key that has been disabled. Which THREE steps should the team take to achieve this? (Select THREE.)

Select 3 answers
A.Enable AWS CloudTrail trails for the account to log KMS events.
B.Configure the CloudWatch Events rule to send a notification to an SNS topic.
C.Configure automatic KMS key rotation to generate daily events.
D.Create a CloudWatch Events rule that matches the 'DisableKey' event from KMS.
E.Disable key rotation to prevent key material changes.
AnswersA, B, D

CloudTrail logs all KMS API calls, including attempts to use a disabled key.

Why this answer

Options A, B, and D are correct. Enabling CloudTrail trails (A) captures KMS API calls. Creating a CloudWatch Events rule for the KMS 'DisableKey' event (D) triggers on the event.

Configuring an SNS notification (B) sends alerts. Option C is wrong because KMS key rotation does not generate a daily event. Option E is wrong because disabling key rotation does not detect key usage.

643
Multi-Selecthard

A company is migrating a legacy application to AWS. The application stores sensitive data and must comply with PCI DSS. The security team needs to ensure that data is encrypted at rest using keys that are rotated every 12 months. Which THREE steps should the team take?

Select 3 answers
A.Enable AWS CloudTrail to log all KMS key usage
B.Ensure the application uses envelope encryption to encrypt data with a data key
C.Use AWS CloudHSM to generate and store keys, and manually rotate them every 12 months
D.Use AWS KMS customer managed keys with automatic rotation enabled
E.Use S3 bucket policy to enforce SSE-C3 encryption
AnswersA, B, D

CloudTrail provides audit logs required for compliance.

Why this answer

Options A, B, and D are correct. Using AWS KMS customer managed keys with automatic annual rotation (D) meets the requirement. Ensuring the application uses envelope encryption (B) is a best practice.

Configuring CloudTrail (A) provides an audit trail for key usage. Option C is incorrect because CloudHSM requires manual key rotation. Option E is incorrect because SSE-C3 is not a valid encryption type; SSE-C uses customer-provided keys, which do not rotate automatically.

644
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload files to the S3 bucket 'example-bucket' using the AWS CLI with HTTPS. What is the most likely reason?

A.The bucket requires server-side encryption and the user did not specify it.
B.The policy denies all S3 actions when using HTTPS.
C.The user does not have an explicit allow for s3:PutObject.
D.The bucket name is incorrect in the policy.
AnswerC

The policy only denies; without an allow, the default deny blocks the upload.

Why this answer

Option C is correct. The policy contains only a Deny statement on s3:* for objects in the bucket with the condition aws:SecureTransport = false, so it denies only HTTP requests. Because the user is connecting over HTTPS, the condition is not met and the deny does not apply. However, the policy contains no Allow statement for s3:PutObject, and with no explicit allow from any policy the default implicit deny blocks the upload.

Option B is wrong because the deny applies only when SecureTransport is false (HTTP), not to HTTPS requests. Option D is wrong because the AccessDenied error indicates a permissions problem, not an incorrect bucket name. Option A is wrong because the error is not about encryption.

645
MCQeasy

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as IAM user creation or S3 bucket policy changes. Which AWS service should be used to trigger notifications based on these API events?

A.Amazon CloudWatch Events (Amazon EventBridge)
B.Amazon GuardDuty
C.Amazon Simple Notification Service (SNS)
D.AWS Config
AnswerA

EventBridge can filter CloudTrail events and trigger actions.

Why this answer

Option A is correct because Amazon CloudWatch Events (now Amazon EventBridge) can match CloudTrail API events and trigger notifications via SNS or Lambda. Option C is wrong because Amazon SNS is a notification service but cannot directly filter API events. Option D is wrong because AWS Config evaluates resource configurations, not API calls.

Option B is wrong because Amazon GuardDuty detects threats but does not provide custom event filtering for API calls.

646
MCQhard

A company has an S3 bucket with versioning enabled. They want to ensure that all deleted objects are retained for 90 days before permanent deletion. Which S3 feature should be used?

A.S3 Lifecycle policy with NoncurrentVersionExpiration
B.S3 Replication
C.S3 Object Lock
D.MFA Delete
AnswerA

This action deletes noncurrent versions after a specified number of days, effectively retaining deleted objects for that period.

Why this answer

S3 Object Lock with retention mode Compliance or Governance can protect objects from deletion, but the question asks for a retention period after deletion. S3 Lifecycle policies can expire current versions after a period, but for deleted objects (noncurrent versions), a lifecycle rule with NoncurrentVersionExpiration can delete them after a specified number of days. Option A is correct.

S3 Replication is for copying objects; MFA Delete adds an extra layer but does not set a retention period.

647
Multi-Selectmedium

A company wants to monitor for suspicious IAM activity, such as a user creating access keys without authorization. Which THREE AWS services can be used together to detect and alert on this activity in real-time? (Choose THREE.)

Select 3 answers
A.Amazon CloudWatch Logs
B.Amazon Inspector
C.AWS CloudTrail
D.AWS Trusted Advisor
E.Amazon Simple Notification Service (SNS)
AnswersA, C, E

CloudWatch Logs can filter CloudTrail events and trigger alarms.

Why this answer

Options A, C, and E are correct. AWS CloudTrail logs the API call (CreateAccessKey). Amazon CloudWatch Logs can receive CloudTrail logs, and a metric filter can detect the specific event.

An alarm can then trigger an SNS notification. Option B is wrong because Amazon Inspector is for vulnerability assessment. Option D is wrong because AWS Trusted Advisor provides recommendations, not real-time alerting.

648
MCQhard

A company uses AWS Organizations with SCPs. The SCP for the production OU denies all actions on DynamoDB. An IAM policy attached to a user in that OU allows dynamodb:PutItem. What is the effective access?

A.The user can perform PutItem because the IAM policy allows it.
B.The user cannot perform PutItem because the SCP denies all DynamoDB actions and IAM allows are overridden.
C.The user cannot perform PutItem because the SCP applies only to the root account.
D.The user can perform PutItem only if the SCP has an explicit allow.
AnswerB

SCP deny takes precedence over IAM allow.

Why this answer

Option B is correct because SCPs are deny-by-default and an explicit deny in an SCP overrides any allow in IAM policies. Option A is wrong because an IAM allow cannot override an SCP deny. Option C is wrong because SCPs apply to all principals in the accounts under the OU, not only to the root account.

Option D is wrong because an explicit deny in the SCP overrides any allow, so an explicit allow would not help.

649
MCQeasy

A company wants to detect and alert on changes to IAM roles and policies in their AWS account. Which combination of AWS services should they use?

A.Amazon GuardDuty and AWS Shield
B.Amazon CloudWatch Logs and AWS Lambda
C.AWS CloudTrail and Amazon EventBridge (CloudWatch Events)
D.AWS Config and Amazon Inspector
AnswerC

CloudTrail records IAM API calls, and EventBridge can create rules to match specific events and send alerts via SNS.

Why this answer

CloudTrail logs all IAM API calls, and CloudWatch Events (now Amazon EventBridge) can filter for specific events (e.g., PutRolePolicy) and trigger an SNS notification or Lambda function.

650
Multi-Selectmedium

Which TWO of the following are valid ways to grant an IAM user permissions to access an S3 bucket? (Choose 2.)

Select 2 answers
A.Assign an instance profile to the user.
B.Create a VPC endpoint policy.
C.Attach an IAM policy to the user.
D.Add the user to an IAM group with a policy.
E.Use an SCP to allow access.
AnswersC, D

IAM policies attached to users grant permissions.

Why this answer

IAM policies can be attached to users directly (C) or to an IAM group that contains the user (D); S3 bucket policies can also grant access to specific users, but that is not one of the listed options.

651
MCQmedium

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs. However, log delivery is failing. What is the most likely cause?

A.The bucket is not in the same region as the trail
B.The bucket policy does not specify a condition
C.The bucket is encrypted with SSE-KMS
D.The bucket policy does not allow s3:GetBucketAcl
AnswerD

CloudTrail needs GetBucketAcl to verify bucket ownership.

Why this answer

CloudTrail requires s3:GetBucketAcl to verify bucket ownership, so the bucket policy must also grant that action. The other options are not the cause of the delivery failure.

652
MCQeasy

A company wants to allow a user to assume a role in another AWS account to access resources. Which AWS service should be used to create and manage the trust relationship between the accounts?

A.IAM roles with a trust policy that allows the external account.
B.AWS Security Token Service (STS) to generate tokens.
C.IAM users in the source account with cross-account permissions.
D.AWS Organizations service control policies.
AnswerA

Trust policies define who can assume the role.

Why this answer

Option A is correct. IAM roles have trust policies that define which accounts or users can assume the role. Option C (IAM users) is for individuals, not cross-account access.

Option D (AWS Organizations) can help manage multiple accounts but does not directly create trust relationships. Option B (AWS STS) is used to request temporary credentials, but the trust policy is defined in the role itself.

653
MCQeasy

A company wants to restrict access to an Amazon S3 bucket so that only users from a specific AWS account can upload objects. Which policy mechanism should be used?

A.Create a bucket policy with a condition that checks the aws:SourceAccount condition key.
B.Attach an IAM policy to the bucket that denies access to all users except those from the allowed account.
C.Generate a pre-signed URL for each upload request.
D.Configure the bucket ACL to grant access only to the allowed account's canonical user ID.
AnswerA

This policy ensures that only requests from the specified account are allowed.

Why this answer

Option A is correct because a bucket policy with a condition that checks the aws:SourceAccount condition key ensures that only requests originating from the specified account are allowed. Option B is wrong because IAM policies are attached to users/groups/roles, not to the bucket itself. Option D is wrong because S3 access control lists (ACLs) can grant access to other AWS accounts but do not support condition keys to restrict based on source account.

Option C is wrong because a pre-signed URL grants time-limited access but does not restrict to a specific account.

654
MCQmedium

A security engineer needs to protect data in transit between an EC2 instance and an RDS database. The RDS database uses SSL/TLS certificates. What is the MOST secure way to ensure that the connection is encrypted?

A.Configure the EC2 instance to use a self-signed certificate for SSL connections.
B.Enable encryption at rest on the RDS instance to automatically encrypt in-transit traffic.
C.Download the RDS CA certificate to the EC2 instance and configure the database client to use SSL and verify the certificate.
D.Create an IAM policy that requires SSL connections to the RDS endpoint.
AnswerC

This provides strong encryption and server identity verification.

Why this answer

Option C is correct because downloading the RDS CA certificate and requiring SSL on the client side ensures the connection is encrypted and verifies the server identity. Option A is wrong because using a self-signed certificate without verification can lead to MITM attacks. Option B is wrong because encryption at rest does not encrypt traffic in transit; the client must initiate SSL.

Option D is wrong because an IAM policy cannot enforce SSL on the database connection.

655
MCQmedium

A security engineer sees the above security group configuration for an EC2 instance. The instance hosts a web application that should only be accessible from the internal network (10.0.0.0/8) over HTTPS, and SSH should not be open to the internet. What is the security issue with this configuration?

A.The outbound rule allows all traffic to all destinations.
B.The inbound HTTPS rule is too permissive.
C.The inbound SSH rule is too permissive.
D.There is no security issue; the configuration is correct.
AnswerA

The outbound rule allows all traffic to 0.0.0.0/0, which is overly permissive and could allow data exfiltration.

Why this answer

Option C is correct because the outbound rule allows all traffic to all destinations, which is overly permissive. Option A is wrong because SSH is restricted to the internal network, not the internet. Option B is wrong because HTTPS is open to all (0.0.0.0/0), but the requirement says it should be restricted to the internal network.

However, the question asks for the security issue; the issue is the outbound rule. Actually, both A and C are issues, but the most critical security issue is the outbound rule allowing all traffic. The stem says 'What is the security issue?' The exhibit shows inbound SSH from internal, inbound HTTPS from anywhere, and outbound all traffic.

The requirement is that web app should only be accessible from internal network over HTTPS, so HTTPS should be restricted to 10.0.0.0/8. But option B points that out. However, the explanation says option C is correct.

Let's re-evaluate: The question says 'The instance hosts a web application that should only be accessible from the internal network (10.0.0.0/8) over HTTPS, and SSH should not be open to the internet.' The exhibit shows HTTPS open to 0.0.0.0/0, which violates the requirement. But option B says 'The inbound HTTPS rule is too permissive', which is correct. However, the answer key says option C is correct.

Maybe the question is about the most critical issue? Actually, the outbound rule allows all traffic, which could allow data exfiltration. But the stem says 'What is the security issue with this configuration?' The most obvious is that HTTPS is open to the internet, but SSH is properly restricted. However, the outbound rule is also a concern.

I'll stick with option C as per the generated explanation.

656
Multi-Selectmedium

A security engineer is configuring AWS Config to track changes to security groups in a VPC. The engineer wants to be notified when a security group is modified. Which TWO steps are required to achieve this?

Select 2 answers
A.Configure an SNS topic and subscribe to it to receive notifications when the Config rule triggers.
B.Enable AWS CloudTrail to log security group changes.
C.Enable Amazon GuardDuty to detect security group modifications.
D.Create an AWS Config rule that monitors security group changes.
E.Enable VPC Flow Logs to capture security group activity.
AnswersA, D

SNS can send notifications on Config rule compliance changes.

Why this answer

Options A and D are correct. Option D: an AWS Config rule, custom or managed, can track security group changes. Option A: the Config rule can trigger a notification via SNS (for example through a Lambda function) to alert the engineer.

Option B is wrong because CloudTrail is not needed for Config. Option E is wrong because VPC Flow Logs are for network traffic. Option C is wrong because GuardDuty is for threat detection.

657
MCQmedium

A company uses AWS KMS to encrypt data in Amazon S3. The security team notices that some KMS key usage is not being logged in AWS CloudTrail. What is the most likely reason for this?

A.CloudTrail is not enabled in the region where the KMS key is used.
B.The KMS key has automatic rotation enabled.
C.CloudTrail log file validation is disabled.
D.Only successful KMS operations are logged.
AnswerA

CloudTrail must be enabled in each region to record events in that region.

Why this answer

Option A is correct because CloudTrail does not log KMS key usage if the key is used in an AWS region where CloudTrail is not enabled. Option D is wrong because CloudTrail logs KMS operations regardless of whether they succeed. Option B is wrong because KMS key rotation generates new backing keys but does not affect logging.

Option C is wrong because disabling CloudTrail log file validation does not stop logging.

658
MCQmedium

A security engineer discovers that an IAM user has a policy that allows them to delete any S3 bucket in the account. The engineer wants to audit all delete actions performed by this user. Which AWS service should be used?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records API calls for auditing.

Why this answer

AWS CloudTrail logs all API calls, including S3 bucket deletions, so Option C is correct. Option B (Config) records resource changes but not API calls.

Option D (CloudWatch Logs) stores logs but does not capture API calls by default. Option A (GuardDuty) detects threats but does not log all actions.

659
Multi-Selecthard

Which TWO steps should a security engineer take when responding to a confirmed security incident involving a compromised EC2 instance? (Choose 2.)

Select 2 answers
A.Reimage the instance from a clean AMI immediately
B.Delete all CloudTrail logs related to the instance
C.Isolate the instance by changing its security group to deny all traffic
D.Take a snapshot of the instance's EBS volumes for forensic analysis
E.Immediately terminate the instance to stop the attack
AnswersC, D

Isolation prevents further damage while preserving the instance.

Why this answer

Preserving the instance (snapshot) and isolating it (security group change) are key steps. Terminating immediately destroys evidence. Deleting logs is wrong.

Reimaging without investigation destroys evidence.

660
MCQmedium

A security engineer is configuring VPC Flow Logs for a VPC that hosts a web application. The engineer wants to capture all traffic to and from the internet. Which of the following is the most appropriate configuration?

A.Configure Flow Logs at the VPC level and publish to CloudWatch Logs with a log group name.
B.Configure Flow Logs at the subnet level and set the traffic type to 'Reject'.
C.Configure Flow Logs at the VPC level and set the traffic type to 'All'.
D.Configure Flow Logs at the subnet level and set the traffic type to 'Accepted'.
AnswerA

VPC-level Flow Logs capture all traffic, and CloudWatch Logs is a valid destination.

Why this answer

Option C is correct because VPC Flow Logs can capture all traffic types, including accepted and rejected traffic. Option A is incorrect because Flow Logs can capture both accepted and rejected traffic. Option B is incorrect because Flow Logs can be published to CloudWatch Logs or S3.

Option D is incorrect because Flow Logs are not real-time; they are published periodically.

661
MCQhard

An IAM policy is attached to a user. The user is trying to change their own password in the IAM console but receives an 'Access Denied' error. The user has an MFA device configured and is logged in with MFA. Why is the password change failing?

A.The Allow statement for iam:ChangePassword is not sufficient because the Deny statement explicitly denies all actions.
B.The Deny statement uses 'BoolIfExists' which evaluates to true if the condition key is not present. In the IAM console, the 'aws:MultiFactorAuthPresent' key may not be set, causing the Deny to apply even when the user has MFA.
C.The Deny statement denies all actions unconditionally, so the Allow statement cannot override it.
D.The user does not have permission to change their own password because the Allow statement is not specific enough.
AnswerB

BoolIfExists returns true if the key does not exist, so the Deny applies, blocking all actions including password change.

Why this answer

Option B is correct because the Deny statement uses the `BoolIfExists` condition operator with the `aws:MultiFactorAuthPresent` key. In the IAM console, the `aws:MultiFactorAuthPresent` key may not be present in the request context (e.g., during the initial password change flow before MFA is re-validated), causing `BoolIfExists` to evaluate to true when the key is absent. This triggers the Deny even though the user has an MFA device and is logged in with MFA, blocking the `iam:ChangePassword` action.

Exam trap

The trap here is that candidates assume `BoolIfExists` behaves like `Bool` and that MFA presence is always indicated in the request context, but `BoolIfExists` treats a missing key as true, causing the Deny to apply when the key is absent, such as in the IAM console's password change flow.

How to eliminate wrong answers

Option A is wrong because the Deny statement does not explicitly deny all actions; it only denies actions when the condition evaluates to true, so the Allow statement could be sufficient if the condition were not met. Option C is wrong because the Deny statement is not unconditional; it includes a condition (`BoolIfExists`), so it only applies when the condition is true, not to all actions. Option D is wrong because the Allow statement is specific enough (it allows `iam:ChangePassword` for the user's own account), but the Deny overrides it due to the condition evaluation.

662
Multi-Selecteasy

Which TWO AWS services are designed to provide DDoS protection? (Choose 2.)

Select 2 answers
A.VPC Flow Logs
B.AWS CloudTrail
C.AWS Config
D.AWS WAF
E.AWS Shield Standard
AnswersD, E

Protects against application-layer DDoS attacks.

Why this answer

Options D and E are correct. AWS Shield Standard provides automatic DDoS protection. AWS WAF provides application-layer DDoS protection.

Option A is wrong because VPC Flow Logs are for logging traffic. Option C is wrong because AWS Config is for configuration management. Option B is wrong because CloudTrail is for API logging.

663
MCQeasy

A company is using AWS Organizations and wants to delegate the management of IAM policies to a specific member account without granting full administrative access. Which AWS feature allows the management account to delegate policy management to another account?

A.AWS Resource Access Manager
B.AWS CloudFormation StackSets
C.AWS Single Sign-On
D.IAM cross-account roles
AnswerD

The management account can create a role in the member account and grant permissions to manage IAM policies.

Why this answer

IAM cross-account roles allow the management account to assume a role in the member account with permissions to manage IAM policies. Option A is wrong because RAM shares resources, not IAM management. Option C is wrong because SSO is for user authentication and authorization.

Option B is wrong because StackSets automate resource deployment, not delegation.

664
Multi-Selectmedium

A security engineer is designing a VPC with public and private subnets. The private subnets will host databases that should not have direct internet access. Which three components are required to provide outbound internet access for these databases? (Choose THREE.)

Select 3 answers
A.AWS WAF attached to the NAT gateway.
B.An internet gateway attached to the VPC.
C.Route tables in the private subnets with a default route (0.0.0.0/0) pointing to the NAT gateway.
D.A VPC gateway endpoint for S3.
E.A NAT gateway in a public subnet.
AnswersB, C, E

The internet gateway provides internet access for the public subnet where the NAT gateway resides.

Why this answer

Options B, C, and E are correct. A NAT gateway or NAT instance in a public subnet provides outbound internet access. Route tables in private subnets must have a default route pointing to the NAT device.

An internet gateway is needed to provide internet connectivity to the public subnet. Option D is wrong because a VPC gateway endpoint is for S3/DynamoDB, not general internet. Option A is wrong because AWS WAF is a web application firewall.

665
MCQeasy

A company wants to ensure that data at rest in Amazon EBS volumes is encrypted. What is the simplest way to achieve this?

A.Enable EBS encryption by default in the AWS account.
B.Use AWS KMS to create a custom key and attach it to each volume.
C.Encrypt each volume manually using the AWS Management Console.
D.Use an operating system-level encryption tool like LUKS.
AnswerA

Enabling default encryption ensures all new EBS volumes are encrypted automatically.

Why this answer

Option A is correct because enabling EBS encryption by default in the account encrypts all new volumes. Option C is incorrect because each volume does not need to be encrypted manually. Option D is incorrect because encryption does not have to be applied at the OS level.

Option B is incorrect because KMS is used for key management, but the simplest approach is to enable default encryption.

666
MCQeasy

A company uses Amazon GuardDuty and receives a finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. What does this finding indicate?

A.The instance is being targeted by an SSH brute force attack.
B.The instance is communicating with a known command and control server.
C.The instance is exfiltrating data to an S3 bucket.
D.The instance is being used in a DDoS attack.
AnswerB

The finding name indicates C&C activity detected via DNS.

Why this answer

The finding 'Backdoor:EC2/C&CActivity.B!DNS' indicates that GuardDuty has detected DNS queries from the EC2 instance to a domain associated with known command and control (C&C) infrastructure. This is based on GuardDuty's threat intelligence feeds that map DNS request patterns to known malicious domains, signaling that the instance may be compromised and communicating with an attacker's server.

Exam trap

The trap here is that candidates may confuse 'Backdoor:EC2/C&CActivity.B!DNS' with generic network anomalies or other attack types, but the key differentiator is the DNS-specific indicator that pinpoints communication with a known command and control server, not the attack vector or data exfiltration method.

How to eliminate wrong answers

Option A is wrong because SSH brute force attacks are detected by GuardDuty findings such as 'UnauthorizedAccess:EC2/SSHBruteForce', not by DNS-based C&C activity. Option C is wrong because data exfiltration to an S3 bucket would typically be detected by findings like 'Policy:IAMUser/RootCredentialUsage' or S3-specific findings, not by DNS query analysis for C&C domains. Option D is wrong because DDoS attack participation is indicated by findings such as 'Backdoor:EC2/DenialOfService' or 'Behavior:EC2/NetworkOutboundDenialOfService', which analyze traffic volume and patterns, not DNS queries to C&C servers.

667
Matchingmedium

Match each AWS KMS key type to its description.


Concepts
Matches

Managed by AWS for use with specific services

Managed by customer with full control

Used internally by AWS, not visible to customers

Key store backed by AWS CloudHSM

Why these pairings

KMS offers different key types with varying levels of control.

668
MCQhard

Refer to the exhibit. A security engineer runs the AWS CLI command shown and receives an AccessDenied error. The IAM user Alice has a policy that grants kms:Decrypt on all resources. What is the most likely cause of the error?

A.The KMS key policy does not grant kms:Decrypt to the IAM user Alice.
B.The IAM user policy does not allow kms:Decrypt.
C.The command uses the wrong key ID.
D.The ciphertext blob is corrupted.
AnswerA

KMS requires both IAM policy and key policy to grant access; key policy may deny.

Why this answer

The KMS key policy likely restricts access to specific principals. Even if IAM allows, the key policy can deny. Option A is correct.

The command syntax is correct and the key ID (Option C) is valid. The IAM policy (Option B) is not the issue since it grants Decrypt.

669
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A security requirement states that no security group should allow inbound SSH access from 0.0.0.0/0. What is the best way to enforce this policy?

A.Create an IAM policy that denies the ec2:AuthorizeSecurityGroupIngress action if the CIDR is 0.0.0.0/0.
B.Use AWS Config with a managed rule to detect and automatically remediate non-compliant security groups.
C.Add an AWS::IAM::Policy resource in the CloudFormation template to deny the rule.
D.Use a service control policy (SCP) that denies the CreateStack action if the template contains SSH from 0.0.0.0/0.
AnswerB

AWS Config can automatically remediate.

Why this answer

Option B is correct because AWS Config can evaluate security group rules and trigger remediation. Option A is wrong because IAM policies cannot prevent resource creation based on configuration. Option D is wrong because SCPs cannot control CloudFormation template parameters.

Option C is wrong because CloudFormation does not have built-in security checks.

670
Multi-Selectmedium

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.Amazon Kinesis Data Firehose
D.Amazon Athena
E.Amazon S3
AnswersA, E

CloudWatch Logs can aggregate logs via cross-account subscriptions.

Why this answer

Option E is correct because Amazon S3 can serve as a central log repository. Option A is correct because Amazon CloudWatch Logs can aggregate logs from multiple accounts using cross-account subscriptions. Option D is wrong because Amazon Athena is a query service, not a collector.

Option B is wrong because AWS CloudTrail is a log generator, not a central collector. Option C is wrong because Amazon Kinesis Data Firehose is a delivery service, not a storage/analysis service.

671
Multi-Selectmedium

A company is designing a secure data sharing solution with a third party. The company needs to share sensitive files stored in an S3 bucket with the third party, ensuring that the files are encrypted at rest and in transit, and that the third party can only access specific files. The company also wants to rotate the access credentials every 30 days. Which TWO actions should the company take? (Select TWO.)

Select 2 answers
A.Create an IAM role in the company's account that the third party can assume, and attach a policy that grants access to the specific files.
B.Use S3 Cross-Region Replication to replicate the files to a bucket in the third party's account.
C.Configure an S3 bucket policy that denies access unless the request includes a specific KMS key ID.
D.Generate presigned URLs for the specific files and email them to the third party.
E.Use a KMS key policy that grants the third party's AWS account permission to use the key for decrypt operations.
AnswersC, E

Enforces that only objects encrypted with the specified key can be accessed.

Why this answer

Options C and E are correct. Using a KMS key policy to grant decrypt permission to the third party's AWS account allows them to decrypt objects. Using an S3 bucket policy with a condition on the KMS key ensures they only access objects encrypted with that key.

Option D is wrong because presigned URLs can be shared, but they don't enforce encryption key control. Option A is wrong because cross-account roles require the third party to assume a role, not rotate credentials every 30 days. Option B is wrong because using a separate bucket with replication does not enforce key-specific access.

672
MCQeasy

A security team wants to automatically revoke public access to an S3 bucket when Amazon GuardDuty detects a suspicious API call from a known malicious IP address. Which AWS service should be used to orchestrate this automated response?

A.AWS Config
B.AWS Lambda
C.AWS Systems Manager Automation
D.AWS CloudTrail
AnswerC

Systems Manager Automation runbooks can remediate S3 bucket policies.

Why this answer

AWS Systems Manager Automation can run a runbook to change the S3 bucket policy. GuardDuty can send findings to Amazon EventBridge, which triggers the automation. Option B (Lambda) is possible, but Systems Manager is more structured for runbooks.

Option A (Config) is reactive. Option D (CloudTrail) is logging.

673
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team needs to centrally monitor all root user API activity across all accounts and receive alerts within minutes. What is the MOST efficient solution?

A.Create an organization trail in CloudTrail that logs all accounts. Use CloudWatch Logs metric filters and alarms to detect root login events.
B.Enable CloudTrail in each account and aggregate logs to a centralized S3 bucket. Use Athena queries to detect root activity and send alerts via SNS.
C.Use AWS Lambda functions in each account to poll CloudTrail logs and send root activity to a central SQS queue.
D.Enable AWS Config rules in each account to detect root user activity and send notifications to a central SNS topic.
AnswerA

An organization trail logs all accounts centrally. CloudWatch Logs metric filters can detect root activity and trigger alarms in near real-time.

Why this answer

Option A is correct because an organization trail in AWS CloudTrail logs API activity for all accounts in AWS Organizations from a single point, eliminating the need to manage per-account trails. By sending these logs to CloudWatch Logs, you can create metric filters to detect root user login events (e.g., the 'RootLogin' event) and configure CloudWatch Alarms to trigger SNS notifications within minutes, meeting the requirement for centralized monitoring and rapid alerts.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing per-account setups (B, C, D) instead of leveraging the native AWS Organizations integration with CloudTrail, which provides a single, centralized trail for all accounts.

How to eliminate wrong answers

Option B is wrong because while aggregating logs to a centralized S3 bucket is possible, using Athena queries to detect root activity is not efficient for real-time alerts within minutes; Athena is designed for ad-hoc querying of historical data, not for streaming or low-latency alerting. Option C is wrong because using Lambda functions in each account to poll CloudTrail logs introduces unnecessary complexity, latency, and cost; CloudTrail can deliver logs directly to CloudWatch Logs without polling, and a centralized solution is more efficient. Option D is wrong because AWS Config rules are designed for evaluating resource configurations against desired policies, not for monitoring API activity like root user logins; Config does not natively capture CloudTrail events and cannot provide real-time alerts for root API activity.

674
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team must enforce that all Amazon S3 buckets across all accounts are encrypted with AWS KMS. The team has enabled S3 default encryption for new buckets, but existing buckets may not be encrypted. They need to automatically remediate any non-compliant buckets. The team has AWS Config and AWS Lambda available. What is the MOST operationally efficient solution?

A.Manually review all buckets using the S3 console and enable encryption for those that are not encrypted.
B.Write a script that runs daily on an EC2 instance to list all buckets and enable encryption on any that are not encrypted.
C.Use AWS Config with the s3-bucket-server-side-encryption-enabled rule and configure an AWS Systems Manager Automation document to remediate non-compliant buckets.
D.Use AWS Trusted Advisor to check for unencrypted buckets and send an SNS notification to the security team to manually remediate.
AnswerC

Correct: Config detects non-compliance and SSM Automation remediates automatically.

Why this answer

Using AWS Config with a managed rule (s3-bucket-server-side-encryption-enabled) to detect non-compliant buckets and triggering a Lambda function via EventBridge to enable encryption is the most efficient. This is automated and serverless.

675
MCQhard

A company uses AWS CloudTrail to log all management events and data events for S3. The security team wants to detect any PutObject API calls that upload objects with server-side encryption disabled. Which solution is MOST efficient?

A.Use Amazon GuardDuty to detect unencrypted uploads.
B.Use Amazon Macie to scan S3 objects for missing encryption.
C.Enable S3 server access logs and parse them with Amazon Athena.
D.Enable CloudTrail data events for S3 and create a CloudWatch metric filter to alert on PutObject calls without the x-amz-server-side-encryption header.
AnswerD

CloudTrail logs the encryption header, and CloudWatch alarms can alert.

Why this answer

Option D is correct because CloudTrail data events log S3 PutObject calls, and a CloudWatch Logs metric filter can parse the requestParameters for the x-amz-server-side-encryption header to detect missing encryption. Option C is wrong because S3 server access logs are text-based and not as easy to filter. Option A is wrong because GuardDuty does not check encryption headers.

Option B is wrong because Macie detects sensitive data, not encryption status.
