CCNA Infrastructure Security Questions

75 of 328 questions · Page 1/5 · Infrastructure Security

1
MCQ · easy

Which AWS service can be used to centrally manage VPC security groups and network ACLs across multiple accounts in AWS Organizations?

A. AWS Firewall Manager
B. AWS Shield
C. AWS Config
D. AWS WAF
Answer: A

Firewall Manager centrally manages security groups and NACLs.

Why this answer

AWS Firewall Manager is the service for centrally managing security rules across accounts. Option A is correct. AWS Config (C) is for compliance evaluation, not rule management.

AWS Shield (B) is for DDoS protection. AWS WAF (D) is for web application firewalls, not security groups.

2
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all security groups restrict SSH access to only the company's VPN public IP address range (203.0.113.0/24). A developer creates a stack that includes a security group with SSH open to 0.0.0.0/0. The stack deploys successfully. Which action should the security team take to prevent this in the future?

A. Create an AWS CloudFormation stack policy to block security groups with SSH open to 0.0.0.0/0.
B. Use an AWS Config managed rule to detect security groups with unrestricted SSH access and trigger an automatic remediation.
C. Implement a service control policy (SCP) to deny the ec2:AuthorizeSecurityGroupIngress action for port 22 from 0.0.0.0/0.
D. Add an IAM policy to deny the ec2:AuthorizeSecurityGroupIngress action for port 22 from 0.0.0.0/0.
Answer: B

AWS Config can evaluate security group rules and trigger remediation via Systems Manager Automation.

Why this answer

Using AWS CloudFormation Stack Policies allows you to define which stack resources can be updated or deleted, but not to enforce security rules. AWS Config rules can evaluate resources against desired configurations and trigger remediation or notifications. Service control policies (SCPs) are for AWS Organizations and cannot block resource creation at the account level.

IAM permissions can prevent users from creating security groups with open SSH, but that requires careful management and does not cover all cases. Option B is the correct answer because an AWS Config managed rule can detect security groups with unrestricted SSH access and trigger an automatic remediation action via AWS Systems Manager Automation.

3
Multi-Select · hard

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to allow only HTTP and HTTPS traffic from the internet to the ALB, and only HTTP traffic from the ALB to the EC2 instances. Which THREE security group configurations are required? (Choose three.)

Select 3 answers
A. ALB security group: inbound rule allowing HTTP from 0.0.0.0/0.
B. EC2 security group: inbound rule allowing HTTP from 0.0.0.0/0.
C. EC2 security group: inbound rule allowing HTTP from ALB security group.
D. EC2 security group: inbound rule allowing HTTPS from ALB security group.
E. ALB security group: inbound rule allowing HTTPS from 0.0.0.0/0.
Answers: A, C, E

Allows HTTP traffic from internet to ALB.

Why this answer

Options A, C, and E are correct. Option A is correct for allowing HTTP from the internet to the ALB. Option E is correct for allowing HTTPS from the internet to the ALB.

Option C is correct for allowing HTTP from the ALB to the EC2 instances. Option D is wrong because HTTPS should not be terminated on EC2 if the ALB handles SSL. Option B is wrong because it allows HTTP from the internet directly to EC2, bypassing the ALB.

4
MCQ · hard

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow all EC2 actions except deleting volumes in the Production environment. However, the user reports being able to delete volumes that are tagged with Environment=Production. What is the reason for this behavior?

A. The policy is not attached to the correct IAM entity.
B. The Deny statement should use iam:ResourceTag instead of ec2:ResourceTag.
C. The condition in the Deny statement uses StringNotEquals, which denies deletion for non-Production volumes, not Production volumes.
D. The Allow statement uses a wildcard for the action, which overrides the Deny statement.
Answer: C

The condition StringNotEquals denies when the tag is not equal to Production, so it denies non-Production volumes, allowing Production volumes to be deleted.

Why this answer

Option C is correct because the Deny statement denies volume deletion only when the tag is NOT Production, meaning it denies deleting non-Production volumes but allows deleting Production volumes. The condition should be StringEquals to deny Production volumes. Option D is wrong because the wildcard in the Allow does not affect this; an explicit Deny always takes precedence over an Allow.

Option B is wrong because the policy is for EC2, not IAM. Option A is wrong because the policy is attached to the user.

5
MCQ · hard

A company uses AWS Shield Advanced to protect its web application from DDoS attacks. The security team wants to receive real-time notifications when a DDoS attack is detected. Which configuration should be used?

A. Use Amazon CloudWatch Events to trigger an AWS Lambda function that sends an Amazon SNS notification when a Shield Advanced event occurs.
B. Enable VPC Flow Logs and create a CloudWatch alarm for high traffic volume.
C. Subscribe an SNS topic to Shield Advanced notifications directly.
D. Enable AWS CloudTrail and create a metric filter for DDoS events.
Answer: A

Shield Advanced publishes events to CloudWatch Events.

Why this answer

Option A is correct because Shield Advanced sends events to CloudWatch Events, which can trigger a Lambda function to send notifications. Option D is wrong because CloudTrail does not capture DDoS events. Option B is wrong because VPC Flow Logs record network traffic, not DDoS detections.

Option C is wrong because Shield Advanced does not directly integrate with SNS; it uses CloudWatch Events.

6
MCQ · hard

A company uses AWS WAF to protect its web application from common web exploits. The security team wants to block requests that contain SQL injection or cross-site scripting (XSS) in the query string. Which rule type should be used?

A. Custom regex pattern set
B. Managed rule group for SQL injection and XSS
C. Rate-based rule
D. Geographic match rule
Answer: B

AWS provides managed rule groups for common threats.

Why this answer

Option B is correct because AWS WAF has managed rule groups for SQL injection and XSS. Option C is wrong because rate-based rules are for rate limiting. Option D is wrong because geographic rules are for location-based blocking.

Option A is wrong because regex pattern sets are custom and must be written and maintained by hand, whereas the managed rules are more comprehensive.

7
MCQ · hard

A company has a security group that allows inbound SSH from a specific IP range. A security engineer notices that the security group rule is not being applied to a newly launched EC2 instance. What is the most likely cause?

A. The new EC2 instance was not launched with the correct security group
B. The security group is using the default VPC security group
C. The security group is configured as stateless
D. The network ACL is blocking SSH traffic to the subnet
Answer: A

Each instance must have the desired security group assigned.

Why this answer

Option A is correct because security groups are attached at the instance level; a new instance must have the security group assigned. Option C is wrong because security groups are stateful. Option D is wrong because NACLs are subnet-level, not instance-level.

Option B is wrong because the default security group does not automatically include custom rules.

8
Drag & Drop · medium

Drag and drop the steps to set up AWS Certificate Manager (ACM) for a custom domain in the correct order.


Why this order

ACM certificate requires request, DNS validation, issuance, association, and automatic renewal.

9
MCQ · easy

A security engineer needs to audit all changes to AWS resources in an account. Which AWS service should be enabled?

A. Amazon Inspector
B. AWS CloudTrail
C. AWS Config
D. Amazon GuardDuty
Answer: B

CloudTrail logs all API calls for auditing and compliance.

Why this answer

AWS CloudTrail is the correct service because it records API activity and changes to AWS resources as events, providing an audit log of who made what change, when, and from where. This directly meets the requirement to audit all changes, as every AWS API call (e.g., CreateInstance, ModifySecurityGroup) is captured in a CloudTrail event history or delivered to an S3 bucket for long-term analysis.

Exam trap

The trap here is that candidates confuse AWS Config's configuration tracking (which shows what changed) with CloudTrail's API audit trail (which shows who changed it and how), leading them to pick AWS Config when the question explicitly asks for auditing all changes, which requires the API-level logging only CloudTrail provides.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and unintended network exposure, not a change audit service. Option C is wrong because AWS Config evaluates resource configurations against desired rules and tracks configuration changes over time, but it does not capture who made the change or the API call details—it focuses on resource state, not the API audit trail. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not a service that audits all resource changes.

10
MCQ · medium

A company is using AWS CloudTrail to log API calls. The security team needs to ensure that log files are not tampered with and can be used to verify integrity. Which feature should be enabled?

A. Enable MFA delete on the log bucket.
B. Enable log file integrity validation in CloudTrail.
C. Enable server-side encryption with AWS KMS on the log bucket.
D. Enable S3 versioning on the log bucket.
Answer: B

Integrity validation uses hash chains to detect tampering.

Why this answer

Option B is correct because CloudTrail log file integrity validation uses hash chains to verify that log files have not been modified. Option D is wrong because S3 versioning protects against overwrites but does not provide cryptographic verification. Option A is wrong because MFA delete protects against accidental deletion but does not verify integrity.

Option C is wrong because KMS encryption protects confidentiality, not integrity.

11
MCQ · medium

A company hosts a web application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which configuration should be applied?

A. Configure the instances' security group to allow traffic from the ALB's security group.
B. Configure the instances' security group to allow traffic from the client's source IP addresses.
C. Configure a network ACL on the subnet to allow traffic from the ALB's private IP addresses.
D. Assign an IAM role to the instances that allows traffic only from the ALB.
Answer: A

This ensures only traffic that passes through the ALB can reach the instances.

Why this answer

Using the ALB's security group as the source in the instance's security group is the best practice. Network ACLs are stateless and less granular, IAM roles do not control network traffic, and source IP from the client would include direct traffic.

12
MCQ · easy

A company wants to encrypt data at rest for an Amazon S3 bucket. Which action should be taken?

A. Use client-side encryption before uploading objects.
B. Enable default encryption on the S3 bucket.
C. Enable SSL/TLS for the bucket.
D. Use AWS CloudHSM to encrypt the bucket.
Answer: B

Default encryption ensures all objects are encrypted at rest.

Why this answer

Enabling default encryption on the S3 bucket ensures that all objects stored in the bucket are automatically encrypted at rest using server-side encryption (SSE-S3, SSE-KMS, or SSE-C). This meets the requirement for encrypting data at rest without requiring any client-side changes, as the encryption is applied by S3 upon write.

Exam trap

The trap here is confusing encryption at rest (server-side encryption) with encryption in transit (SSL/TLS), leading candidates to select Option C, which only protects data during transfer, not while stored.

How to eliminate wrong answers

Option A is wrong because client-side encryption encrypts data before upload, which is a valid approach but not the action the question asks for—it requires client-side changes and does not leverage S3's native server-side encryption. Option C is wrong because SSL/TLS encrypts data in transit between the client and S3, not data at rest within the bucket. Option D is wrong because AWS CloudHSM provides hardware security modules for key storage and cryptographic operations, but it does not directly encrypt an S3 bucket; you would need to integrate it with AWS KMS (via custom key store) to use it for S3 server-side encryption, and even then the action is to enable default encryption with SSE-KMS, not to use CloudHSM directly.

13
MCQ · medium

A security engineer is configuring a Network ACL for a public subnet that hosts a web server. The web server must accept HTTPS (TCP 443) traffic from the internet and respond. It must also be able to initiate outbound connections to the internet for software updates (HTTPS). What is the MINIMUM set of rules required for the inbound and outbound Network ACL?

A. Inbound: allow TCP 443 from 0.0.0.0/0 and TCP 22 from a management IP; Outbound: allow all traffic to 0.0.0.0/0.
B. Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to a specific software update server IP.
C. Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow all traffic to 0.0.0.0/0.
D. Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 1024-65535 to 0.0.0.0/0 (for return traffic) and allow TCP 443 to 0.0.0.0/0 (for updates).
Answer: D

This is the minimal set: inbound HTTPS, outbound ephemeral ports for return, and outbound HTTPS for updates.

Why this answer

Option D is correct because the inbound rule allows HTTPS from anywhere (0.0.0.0/0), and the outbound rules allow the ephemeral port range for return traffic plus TCP 443 to 0.0.0.0/0 for the outbound updates. Option C is wrong because it allows all outbound traffic, which is not minimal. Option A is wrong because it also allows all outbound traffic (workable, but not minimal) and additionally allows inbound SSH, which is not needed.

Option B is wrong because it restricts outbound traffic to only the update server, which may be too restrictive.

14
MCQ · easy

A company wants to use AWS WAF to protect its web application from common web exploits. Which AWS service must be integrated with AWS WAF to provide this protection?

A. Security Groups
B. Application Load Balancer or Amazon CloudFront
C. Amazon Route 53
D. Network ACLs
Answer: B

WAF can be attached to ALB or CloudFront.

Why this answer

Option B is correct because AWS WAF is integrated with CloudFront and ALB to filter requests. Option D is wrong because Network ACLs are stateless and do not operate at the application layer. Option A is wrong because Security Groups are stateful firewalls at the instance level.

Option C is wrong because Route 53 is DNS, not a web traffic endpoint.

15
MCQ · medium

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all Amazon S3 buckets created by CloudFormation are encrypted by default. Which approach should be taken?

A. Configure an IAM policy that requires all S3 operations to use encryption.
B. Set a bucket policy in the CloudFormation template that denies all actions unless encryption is enabled.
C. Enable AWS Config rule s3-bucket-server-side-encryption-enabled to enforce encryption.
D. Use a bucket policy with a condition that denies s3:PutObject if the x-amz-server-side-encryption header is not present.
Answer: D

This policy enforces encryption on object uploads.

Why this answer

Option D is correct because a bucket policy that denies s3:PutObject when the encryption header is not present enforces encryption at the object level. Option B is wrong because CloudFormation does not have a global bucket policy setting. Option A is wrong because S3 default encryption is set on individual buckets, not globally via IAM.

Option C is wrong because enabling AWS Config rules only detects non-compliance; it does not enforce encryption.

16
Multi-Select · medium

A security engineer is tasked with securing an Amazon RDS for MySQL database. The database must be accessible only from a specific set of EC2 instances. Which THREE steps should the engineer take?

Select 3 answers
A. Disable encryption at rest to improve performance.
B. Enable encryption at rest for the RDS instance.
C. Launch the RDS instance in a private subnet.
D. Create a security group that allows inbound traffic on port 3306 from the EC2 instances' security group.
E. Associate the RDS instance with a public subnet for easier access.
Answers: B, C, D

Encryption at rest protects data on disk.

Why this answer

Option C is correct because launching the DB in a private subnet prevents direct internet access. Option D is correct because a security group that allows inbound traffic only from the EC2 instances' security group restricts access to those instances. Option B is correct because enabling encryption at rest protects data on disk.

Option E is wrong because a public subnet would expose the DB to the internet. Option A is wrong because disabling encryption is not a security measure.

17
MCQ · easy

A company has an AWS Direct Connect connection to its on-premises data center. The company wants to ensure that all traffic between the data center and AWS is encrypted. Which solution meets this requirement?

A. Use a Site-to-Site VPN connection over the internet.
B. Use a Direct Connect gateway with a public virtual interface and an IPsec VPN.
C. Use AWS PrivateLink with TLS termination.
D. Use Direct Connect as is because it is already encrypted.
Answer: B

This encrypts traffic over the Direct Connect connection.

Why this answer

Option B is correct because an IPsec VPN over Direct Connect encrypts the traffic. Option D is wrong because Direct Connect is a private connection but is not encrypted by default. Option A is wrong because a Site-to-Site VPN over the internet does not use Direct Connect.

Option C is wrong because TLS is application-level encryption, not network-layer encryption.

18
MCQ · easy

A company wants to block traffic from a specific IP address range from accessing an Application Load Balancer (ALB). Which AWS feature should be used?

A. Network ACL
B. Security Group for the ALB
C. Route 53
D. AWS WAF
Answer: D

Web application firewall that can filter by IP.

Why this answer

Option D is correct because AWS WAF can be associated with an ALB to filter traffic based on IP addresses. Option B is wrong because security groups cannot be associated with ALBs in the same way as with EC2. Option A is wrong because Network ACLs operate at the subnet level, not directly on the ALB.

Option C is wrong because Route 53 does not filter traffic.

19
MCQ · hard

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be used?

A. Enable encryption on the Direct Connect virtual interface
B. Use VPC Peering with encryption
C. Set up an IPsec VPN over the Direct Connect connection
D. Configure TLS on all applications
Answer: C

IPsec VPN provides encryption over Direct Connect.

Why this answer

Option C is correct because an IPsec VPN over Direct Connect provides encryption. Option A is wrong because Direct Connect alone does not provide encryption. Option B is wrong because VPC Peering is for VPC-to-VPC connectivity.

Option D is wrong because TLS is for the application layer, not for the network connection.

20
MCQ · medium

A company has multiple AWS accounts and wants to centralize VPC flow log analysis. Flow logs are enabled for all VPCs and are published to Amazon S3 buckets in each account. A security engineer needs to aggregate these logs into a single S3 bucket in the centralized logging account. What should the security engineer do?

A. Create an S3 bucket policy on the centralized bucket that allows the source accounts to write objects.
B. Set up VPC peering between each account and the centralized logging account, then configure flow logs to write directly to the centralized bucket.
C. Configure S3 Replication between each account's flow log bucket and the centralized bucket.
D. Use Amazon CloudWatch Logs to stream flow logs to the centralized S3 bucket.
Answer: A

A bucket policy with cross-account permissions allows direct writes from source accounts to the centralized bucket.

Why this answer

Option A is correct because S3 bucket policies can grant cross-account permissions. Option B is wrong because VPC peering does not allow cross-account S3 access. Option D is wrong because CloudWatch Logs can route to S3 but requires additional configuration.

Option C is wrong because S3 Replication copies objects automatically but requires source and destination buckets in different accounts to be set up with the proper permissions.

21
MCQ · easy

A security engineer needs to ensure that an EC2 instance can only be accessed using SSH key pairs, not passwords. Which configuration is required?

A. Use EC2 Instance Connect instead of SSH
B. Set 'PasswordAuthentication no' in /etc/ssh/sshd_config on the EC2 instance
C. Attach an IAM role to the instance that denies password-based access
D. Configure the security group to allow SSH only from specific IP addresses
Answer: B

This disables password-based SSH login, enforcing key-based authentication.

Why this answer

Option B is correct because disabling password authentication in the SSH daemon configuration ensures only key-based authentication is allowed. Option D is wrong because security groups control network access, not the authentication method. Option C is wrong because IAM roles do not affect SSH authentication.

Option A is wrong because EC2 Instance Connect is an alternative access method, not a way to enforce key-only authentication.

22
MCQ · easy

A company wants to securely store and manage SSL/TLS certificates for use with CloudFront. Which AWS service should be used?

A. AWS Identity and Access Management (IAM)
B. AWS Key Management Service (AWS KMS)
C. AWS Certificate Manager (ACM)
D. AWS CloudHSM
Answer: C

ACM provisions and manages SSL/TLS certificates.

Why this answer

AWS Certificate Manager (ACM) is the correct service because it is specifically designed to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services like CloudFront. ACM integrates directly with CloudFront to automatically renew certificates before expiration, eliminating manual renewal overhead. It also handles the complex certificate chain and private key management securely, ensuring HTTPS termination at CloudFront edge locations.

Exam trap

The trap here is that candidates often confuse AWS KMS or IAM Server Certificate Store as viable options for CloudFront, but ACM is the only service that provides automatic renewal and native integration with CloudFront, and certificates must be in us-east-1.

How to eliminate wrong answers

Option A is wrong because AWS Identity and Access Management (IAM) is a service for managing user identities, permissions, and access control, not for storing or managing SSL/TLS certificates; while IAM can store server certificates for use with Elastic Load Balancers (ELBs) via the IAM Server Certificate Store, it does not support CloudFront and lacks automatic renewal features. Option B is wrong because AWS Key Management Service (AWS KMS) is a managed service for creating and controlling encryption keys used to encrypt data at rest, not for managing SSL/TLS certificates; KMS does not handle certificate issuance, renewal, or integration with CloudFront. Option D is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for cryptographic key storage and operations, but it is not designed for SSL/TLS certificate lifecycle management; using CloudHSM for certificates would require custom development and manual renewal, and it does not natively integrate with CloudFront.

23
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). They have an Application Load Balancer in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access the internet for updates. The security engineer has set up a NAT gateway in each public subnet. The route table for the private subnets has a default route pointing to the NAT gateway in the same Availability Zone. However, the EC2 instances are unable to reach the internet. What is the most likely cause?

A. The route tables for the public subnets do not have a default route (0.0.0.0/0) to the Internet Gateway.
B. The security groups for the EC2 instances do not allow outbound traffic.
C. The NAT gateways do not have route propagation enabled.
D. The NAT gateways are in the same Availability Zone.
Answer: A

NAT gateways need a route to IGW to reach the internet.

Why this answer

Option A is correct. Each NAT gateway must be in a public subnet with a route to the Internet Gateway. If the route table for the public subnet where the NAT gateway resides does not have a default route to the IGW, the NAT gateway cannot forward traffic to the internet.

Option D is incorrect because each NAT gateway can be in a different AZ. Option C is incorrect because route propagation is for VPN. Option B is incorrect because security groups allow all outbound traffic by default.

24
MCQ · medium

A company is designing a VPC for a three-tier web application that must be accessible from the internet only via HTTPS. The web servers must be able to initiate outbound connections to the internet for software updates, but the database servers must have no direct internet access. Which architecture meets these requirements?

A. Web servers in private subnets, database servers in public subnets, both behind an Application Load Balancer
B. Web servers in public subnets, database servers in private subnets with a route to a NAT Gateway in a public subnet
C. Web servers in private subnets with a route to a NAT Gateway, database servers in private subnets with no route to the NAT Gateway, both behind an Application Load Balancer in public subnets
D. Web servers in public subnets with Elastic IPs, database servers in private subnets with a route to an internet gateway
Answer: C

Web servers can reach the internet via NAT, database servers have no internet access, and the ALB handles HTTPS traffic.

Why this answer

Option C is correct because it uses public subnets for the NAT Gateway and the ALB, and private subnets for the web servers (with a route to the NAT Gateway for outbound traffic) and the database servers (with no route to the NAT Gateway). Option B is wrong because it gives the database servers a route to the NAT Gateway. Option D is wrong because it places the web servers in public subnets with direct internet access, which is less secure.

Option A is wrong because it places the database servers in public subnets.

25
MCQ · hard

A security engineer is reviewing AWS CloudTrail logs and notices repeated `UnauthorizedOperation` errors for `ec2:RunInstances` from a specific IAM user. The user has a policy that allows `ec2:RunInstances` with a condition `aws:RequestedRegion` set to `us-east-1`. The engineer confirms the user is launching instances in `us-east-1`. What is the most likely cause of the error?

A. The user does not have a service-linked role for EC2.
B. The IAM policy lacks a `Resource` element specifying which instances can be launched.
C. The user is trying to launch an instance type that is not supported in us-east-1.
D. The user is using an AWS CLI command that does not include the `--region` parameter, causing the request to go to a global endpoint.
Answer: D

The condition key checks the requested region; without specifying region, it may default to a global endpoint.

Why this answer

Option D is correct because the condition key `aws:RequestedRegion` checks the region of the endpoint the request was sent to; if the user sends the request to a global endpoint, or the request carries a different region parameter, the condition does not match and the request fails. Option C is wrong because even if the instance type were not supported, the error would be different. Option A is wrong because service-linked roles do not affect RunInstances authorization.

Option B is wrong because the user already has a policy; an additional policy element is not needed.

26
Multi-Select · hard

Which THREE of the following are best practices for securing an Amazon RDS database instance? (Select THREE.)

Select 3 answers
A. Enable encryption at rest using AWS KMS
B. Place the RDS instance in a private subnet
C. Use strong passwords and rotate them regularly
D. Enable public accessibility for ease of management
E. Use the default database port
Answers: A, B, C

Encryption at rest protects data if storage is compromised.

Why this answer

Options A, B, and C are correct because encryption at rest, a private subnet, and strong, regularly rotated passwords are security best practices. Option D is wrong because public accessibility should be disabled. Option E is wrong because the default port should be changed or firewalled, but this is not a primary best practice compared to the others.

27
MCQ · hard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured to terminate SSL/TLS and forward traffic to the instances over HTTP. The security team wants to ensure that the instances only accept traffic from the ALB, not from any other source. How can this be achieved?

A. Configure the instance security group to allow HTTP traffic only from the VPC CIDR block.
B. Configure the instance security group to allow HTTP traffic only from the ALB's security group.
C. Configure the network ACL on the instance's subnet to allow HTTP traffic only from the ALB's private IP address.
D. Configure the instance security group to allow HTTP traffic only from the subnet CIDR block where the ALB resides.
Answer: B

Security group referencing ensures traffic only from the ALB.

Why this answer

Option B is correct because using the ALB's security group as the source in the instance security group ensures traffic arrives only from the ALB. Option A is wrong because using the VPC CIDR would allow traffic from any resource in the VPC. Option D is wrong because using the subnet CIDR would allow traffic from any instance in that subnet.

Option C is wrong because a network ACL would affect all instances in the subnet and cannot differentiate by source security group.

28
Multi-Select · hard

A company has a VPC with a single public subnet and a single private subnet. The private subnet contains an RDS MySQL database that should not be accessible from the internet. The public subnet contains a bastion host that is used for SSH access to the database instance. The security team wants to ensure that the database can only be accessed from the bastion host. Which two security group rules should be configured? (Choose TWO.)

Select 2 answers
A. Database security group: Allow inbound MySQL from the public subnet CIDR.
B. Database security group: Allow inbound MySQL from the bastion security group.
C. Bastion security group: Allow inbound SSH from a limited corporate IP range.
D. Database security group: Allow inbound MySQL from 0.0.0.0/0.
E. Bastion security group: Allow inbound SSH from 0.0.0.0/0.
Answers: B, C

This restricts database access to the bastion.

Why this answer

Options B and C are correct. The database security group should allow inbound MySQL from the bastion security group. The bastion security group should allow inbound SSH from a limited IP range (e.g., the corporate IP range).

Option E is wrong because allowing SSH from 0.0.0.0/0 is insecure. Option A is wrong because allowing MySQL from the public subnet CIDR would allow any instance in that subnet. Option D is wrong because allowing MySQL from 0.0.0.0/0 is insecure.

29
MCQ · easy

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to an S3 bucket. What does this policy allow?

A. Allows a role from another account to describe, start, and stop EC2 instances in the current account.
B. Allows a role to describe, start, and stop EC2 instances in the account.
C. Allows all IAM users in the account to view EC2 instances.
D. Allows an IAM user to list and manage objects in the S3 bucket.
Answer: B

The policy grants EC2 actions to the specified role.

Why this answer

Option B is correct because the policy allows the ec2:DescribeInstances, ec2:StartInstances, and ec2:StopInstances actions. The resource is '*', so all EC2 instances in the account are affected. Option D is wrong because the actions are not S3 actions.

Option C is wrong because the policy allows start and stop, not only viewing, and because the principal is a specific role, not all users.

30
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which solution should be used?

A. Use AWS Firewall Manager to define security group policies and enforce them across accounts.
B. Use AWS Organizations Service Control Policies to restrict security group modifications.
C. Use AWS Config rules to automatically remediate non-compliant security groups.
D. Use AWS Network Firewall to inspect traffic and block unauthorized connections.
Answer: A

Firewall Manager is designed for centralized security group management.

Why this answer

Option A is correct because AWS Firewall Manager allows centralized management of security group rules across accounts and resources. Option C is wrong because AWS Config can evaluate compliance but not enforce rules. Option B is wrong because Service Control Policies (SCPs) control permissions at the account level, not network rules.

Option D is wrong because AWS Network Firewall is for network traffic inspection, not security group management.

31
Multi-Select · easy

A Security Engineer is designing a secure VPC architecture. Which THREE components are essential for creating a public subnet that can host a web server accessible from the internet?

Select 3 answers
A. VPN connection to on-premises
B. Route table with a default route (0.0.0.0/0) pointing to the IGW
C. Security group allowing inbound HTTP/HTTPS from 0.0.0.0/0
D. NAT Gateway
E. Internet Gateway (IGW)
Answers: B, C, E

Routes internet-bound traffic from the subnet to the IGW.

Why this answer

Option B is correct because a public subnet requires a route table that directs traffic destined for 0.0.0.0/0 to an Internet Gateway (IGW). Without this default route, instances in the subnet cannot send or receive traffic from the internet, even if they have public IP addresses. The IGW acts as the target for this route, enabling bidirectional communication between the VPC and the internet.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with an Internet Gateway, mistakenly thinking a NAT Gateway can provide inbound internet access to a public subnet, when in fact it only supports outbound traffic from private subnets.

32
MCQ · hard

Refer to the exhibit. A security engineer runs the describe-instances command for an EC2 instance. The instance has a public IP address. The security group "allow-ssh-http" has inbound rules that allow SSH from 0.0.0.0/0 and HTTP from 0.0.0.0/0. The engineer wants to block SSH access from the internet while keeping HTTP access. Which change should be made?

A. Remove the inbound rule that allows SSH from 0.0.0.0/0 from the security group.
B. Add a network ACL rule to deny SSH inbound from 0.0.0.0/0.
C. Disassociate the public IP address from the instance.
D. Modify the security group to add a deny rule for SSH from 0.0.0.0/0.
Answer: A

This will block SSH from the internet, as security groups are allow-only.

Why this answer

To block SSH from the internet, you should remove the inbound rule that allows SSH from 0.0.0.0/0. You could also modify the source IP range to a specific range, but the simplest is to remove the rule. Adding a deny rule is not possible in security groups; they are allow-only.

Changing the network ACL would affect the entire subnet. Removing the public IP would also block HTTP, which is not desired.

33
MCQ · easy

A company wants to allow an EC2 instance to access a DynamoDB table without traversing the internet. Which AWS feature should be used?

A. VPC Peering
B. ClassicLink
C. NAT Gateway
D. VPC Gateway Endpoint for DynamoDB
Answer: D

A Gateway Endpoint provides private access to DynamoDB.

Why this answer

Option D is correct because a VPC Gateway Endpoint for DynamoDB provides private connectivity. Option A is wrong because VPC Peering is for VPC-to-VPC connectivity. Option C is wrong because a NAT Gateway is for internet access.

Option B is wrong because ClassicLink is for EC2-Classic, which is deprecated.

34
MCQ · hard

A company runs a critical application on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application uses an Application Load Balancer (ALB) to distribute traffic. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0 and a security group for the EC2 instances that allows inbound HTTP from the ALB's security group. Recently, the company experienced a security incident where an attacker exploited a vulnerability in the application to gain access to an EC2 instance and then moved laterally to the database. The database is in a private subnet and uses a security group that allows inbound traffic from the EC2 instance security group on port 3306 (MySQL). The security team wants to prevent lateral movement in the future. Which of the following is the MOST effective course of action?

A. Use VPC peering to isolate the database subnet from the application subnet.
B. Deploy AWS WAF in front of the ALB to block known malicious IPs.
C. Create a network ACL for the private subnet that denies outbound traffic from the EC2 instances to the database subnet.
D. Implement a host-based firewall on each EC2 instance to restrict outbound connections to only the database endpoint.
Answer: D

This provides fine-grained control over outbound traffic from the application.

Why this answer

Option D is correct because implementing a host-based firewall (e.g., AWS Systems Manager Agent with a firewall policy) on each EC2 instance can restrict outbound connections from the application to only necessary destinations, preventing lateral movement. Option C (network ACLs) can block traffic at the subnet level but is not as granular for individual instances. Option A (VPC peering) is not relevant.

Option B (AWS WAF) protects against web exploits but does not prevent lateral movement after compromise.

35
MCQ · hard

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The connection is set up with a private VIF to a VPC using a virtual private gateway. The security team wants to encrypt all traffic between on-premises and the VPC. Which solution should be implemented?

A. Configure TLS on the applications
B. Set up an IPsec VPN over the Direct Connect private VIF
C. Use a site-to-site VPN over the internet instead of Direct Connect
D. Enable encryption on the Direct Connect private VIF
Answer: B

Creates an encrypted tunnel over the private connection.

Why this answer

Option B (IPsec VPN over Direct Connect) is correct because it encrypts the traffic over the private VIF. Option D is wrong because Direct Connect itself does not provide encryption. Option C is wrong because a VPN over the internet is less secure and does not use Direct Connect.

Option A is wrong because TLS operates at the application layer, not the network layer.

36
Multi-Select · easy

Which TWO actions can help protect against DDoS attacks at the network layer?

Select 2 answers
A. Configure security groups to restrict inbound traffic.
B. Configure network ACLs to deny all inbound traffic.
C. Use AWS WAF to filter malicious requests.
D. Subscribe to AWS Shield Advanced.
E. Use VPC peering to distribute traffic.
Answers: C, D

WAF can block common DDoS patterns.

Why this answer

AWS Shield Advanced (D) provides DDoS protection, and AWS WAF (C) helps filter malicious traffic. Options C and D are correct. Security groups (A) are stateful firewalls, not DDoS protection.

NACLs (B) are stateless firewalls. VPC peering (E) is for connectivity.

37
MCQ · easy

A company wants to block SSH access (port 22) to all EC2 instances from the internet, but allow SSH from a specific management VPN IP range (10.0.0.0/16). Which configuration should be used?

A. Configure a security group to allow inbound SSH from 10.0.0.0/16 only.
B. Use an IAM policy to restrict SSH access to the management IP range.
C. Configure a network ACL to allow inbound SSH from 10.0.0.0/16 and deny from 0.0.0.0/0.
D. Configure a security group to allow inbound SSH from 0.0.0.0/0 and deny from 10.0.0.0/16.
Answer: A

The default deny all rule will block other traffic.

Why this answer

Security groups are stateful and can be used to allow inbound SSH from the management IP range while denying all other traffic. Network ACLs are stateless and require separate inbound/outbound rules. IAM does not control network access.

38
Multi-Select · easy

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can download objects. Which combination of actions should the company take? (Choose TWO.)

Select 2 answers
A. Attach an Internet gateway to the VPC and route traffic through it.
B. Attach a security group to the S3 bucket.
C. Create an S3 bucket policy that allows access only from the VPC using the aws:SourceVpc condition.
D. Create a NAT gateway in the VPC for outbound traffic.
E. Create a VPC endpoint for Amazon S3 in the VPC.
Answers: C, E

This restricts access to the specified VPC.

Why this answer

Option C (S3 bucket policy with the aws:SourceVpc condition) and Option E (VPC endpoint for S3) are correct. The bucket policy with the aws:SourceVpc condition restricts access to requests originating from the specified VPC, and the VPC endpoint allows private connectivity to S3 from that VPC. Option A (Internet gateway) would allow public access.

Option D (NAT gateway) is for outbound traffic. Option B (security group on S3) is not applicable.

39
MCQ · hard

Refer to the exhibit. A user assumes the role and tries to terminate an instance, but gets an error. The instance i-12345678 has a tag 'Environment' with value 'dev'. What is the most likely reason for the failure?

A. The role policy has an implicit deny because the 'ec2:TerminateInstances' action is not allowed on the specific resource ARN due to a missing account ID or region mismatch, or the session credentials have expired.
B. The role policy has a condition that requires the instance to have the tag 'Environment' set to 'dev', but the condition is evaluated against the principal, not the resource.
C. The role policy includes 'ec2:Describe*', which grants permission to describe all resources, but that does not include terminate. The condition on TerminateInstances requires the tag, but the user may not have passed the tag condition correctly.
D. The policy uses 'ec2:TerminateInstances' with a resource ARN that includes the region and account, but the instance may be in a different region or account.
Answer: A

The error is 'UnauthorizedOperation'. While the policy allows TerminateInstances with a condition, there may be an explicit deny elsewhere, or the resource ARN might not match if the instance is in a different region/account. However, the most common cause is that the session credentials have expired (the expiration time is 01:00:00Z, and if the current time is after that, the credentials are invalid). Option A points to expiration, which is plausible.

Why this answer

The assumed role credentials have an expiration time. If the terminate-instances command is run after expiration, it will fail with UnauthorizedOperation. Alternatively, if the instance is not in the specified region or account, it would also fail.

Given that the exhibit shows the expiration time, option A is most likely.

40
MCQ · hard

Refer to the exhibit. A security engineer runs the iptables command on an EC2 instance in a VPC. The instance has a security group that allows all outbound traffic and inbound SSH from 0.0.0.0/0, HTTP from 0.0.0.0/0, and HTTPS from 0.0.0.0/0. A user from IP 203.0.113.5 tries to connect to the instance over HTTP. What will happen?

A. The connection succeeds because the security group allows HTTP.
B. The connection succeeds because iptables allows HTTP from anywhere.
C. The connection is dropped by iptables.
D. The connection is dropped by the security group.
Answer: C

iptables drops the packet because the source IP is not in the allowed range.

Why this answer

Option C is correct because the iptables INPUT chain has a default DROP policy. The rules only allow HTTP (port 80) from the 10.0.0.0/16 subnet, but the user's IP is 203.0.113.5, which is not in that range. Therefore, the packet is dropped by iptables.

Option A is wrong because even though the security group allows HTTP, iptables drops it. Option B is wrong because iptables allows HTTP only from 10.0.0.0/16, not from anywhere. Option D is wrong because the security group allows HTTP; it is iptables that drops the packet.

41
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate. The security team wants to ensure that the containers can only communicate with specific external APIs and not with other containers in the same task. Which security control should be applied?

A. Configure network ACLs on the subnets where the tasks run.
B. Apply an IAM policy to the task execution role to restrict API calls.
C. Attach a security group to the ECS task with outbound rules allowing only the specific API endpoints.
D. Use VPC endpoints to restrict traffic to specific APIs.
Answer: C

When using awsvpc network mode, tasks get their own security groups that can filter traffic.

Why this answer

Option C is correct because security groups for ECS tasks in awsvpc mode can control inbound and outbound traffic. Option B is wrong because IAM policies control API calls, not network traffic. Option A is wrong because network ACLs are stateless and applied at the subnet level, not per task.

Option D is wrong because VPC endpoints are for accessing AWS services, not for container communication.

42
MCQ · hard

A security engineer is investigating a potential breach. The engineer notices that an EC2 instance's security group allows inbound SSH (port 22) from 0.0.0.0/0. The instance is in a public subnet and has a public IP address. However, the engineer finds that SSH access is only possible from a specific IP address. What is the most likely explanation?

A. The network ACL allows inbound SSH from 0.0.0.0/0
B. The security group rule is being overridden by a more restrictive security group attached to the same instance
C. The security group rule is being evaluated but the instance's operating system firewall is blocking SSH
D. The network ACL denies inbound SSH from all IPs except the specific IP
Answer: D

NACLs are stateless and can override security group rules by denying traffic at the subnet level.

Why this answer

Option D is correct because a network ACL (NACL) can override security group rules if it denies inbound traffic. Option B is wrong because security groups are stateful and allow-only; the inbound rule would still allow traffic. Option A is wrong because if the NACL allowed traffic from all IPs, it wouldn't explain the restriction.

Option C is wrong because security group rules are evaluated; the rule allowing all traffic would still apply.

43
MCQ · medium

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. The VPC has a VPC endpoint for S3 configured. Which policy should be attached to the bucket?

A. {"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"aws:SourceVpce":"vpce-11111111"}}}
B. {"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"aws:VpcSourceIp":"10.0.0.0/16"}}}
C. {"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringEquals":{"aws:SourceVpc":"vpc-12345678"}}}
D. {"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"IpAddress":{"aws:SourceIp":"10.0.0.0/16"}}}
Answer: A

This condition restricts access to traffic coming through the specified VPC endpoint.

Why this answer

Option A is correct because a bucket policy with the aws:SourceVpce condition key restricts access to traffic coming through the specified VPC endpoint. Option C is wrong because aws:SourceVpc does not restrict to a specific endpoint. Option D is wrong because aws:SourceIp does not apply to VPC endpoint traffic.

Option B is wrong because aws:VpcSourceIp is not a valid condition key for VPC endpoints.

44
MCQ · medium

A security engineer is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. Both instances have security groups that allow all traffic from each other's security group. However, traffic is still blocked. What is the most likely cause?

A. The instances are in different VPCs.
B. The network ACL for one or both subnets is blocking the traffic.
C. The route tables do not have a route between the subnets.
D. VPC Flow Logs are not enabled.
Answer: B

Network ACLs are stateless and can block traffic even if security groups allow it.

Why this answer

Option B is correct because network ACLs are stateless and must allow both inbound and outbound traffic for the connection. Even if security groups allow traffic, a network ACL can block it. Option C is wrong because route tables handle routing, not filtering.

Option D is wrong because VPC Flow Logs only monitor traffic; they do not block it. Option A is wrong because the question states that both instances are in the same VPC. Note that the default network ACL allows all traffic, but custom ACLs may have restrictive rules.

45
MCQ · hard

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization are encrypted with server-side encryption (SSE-S3) and that no public access is allowed. The team has created an SCP that denies the s3:PutBucketPublicAccessBlock action and also denies s3:PutBucketPolicy if the policy would grant public access. However, the team discovers that some buckets in the production account still have public access enabled. The SCP is applied to the root OU, which includes the production account. What is the most likely reason that the SCP is not being enforced?

A. The SCP does not have an explicit allow for the actions it denies; SCPs require an explicit allow to take effect.
B. The SCP only applies to IAM users and roles, not to the root user.
C. The production account is the management account of the organization, and SCPs do not affect the management account.
D. The SCP is not attached to the production account's OU; it is attached to the root OU.
Answer: C

The management account is not affected by SCPs.

Why this answer

Option C is correct. SCPs do not affect the management account; they only apply to member accounts. If the production account is the management account, SCPs will not apply.

Option A is incorrect because SCPs don't require explicit allow; they deny by default if not allowed. Option B is incorrect because SCPs affect all IAM principals in the account. Option D is incorrect because SCPs can be applied to OUs.

46
MCQ · medium

A security engineer is troubleshooting why an EC2 instance in a private subnet cannot access the internet through a NAT gateway. The route table for the private subnet has a default route pointing to the NAT gateway. The NAT gateway is in a public subnet with a route to an internet gateway. What is the most likely cause of the issue?

A. The NAT gateway does not have an Elastic IP address associated.
B. The EC2 instance's security group is blocking outbound traffic.
C. The NAT gateway's security group is blocking outbound traffic.
D. The NAT gateway does not have a route to the internet gateway in its route table.
Answer: A

A NAT gateway requires an Elastic IP for outbound traffic.

Why this answer

Option A is correct because the NAT gateway must have an associated Elastic IP to communicate with the internet. Option D is wrong because the NAT gateway itself does not need a route to the internet gateway; its public subnet's route table does.

Option C is wrong because security groups are not applied to NAT gateways in the same way; they are applied to the ENI, and the default is permissive.

47
Multi-Select · medium

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation have encryption enabled by default. Which TWO approaches can achieve this?

Select 2 answers
A. Create an AWS Config rule that checks for S3 bucket encryption and auto-remediates
B. Enable S3 Block Public Access at the account level
C. Attach a service control policy (SCP) to the root OU that denies S3 bucket creation without encryption
D. Attach an IAM role to the CloudFormation service that grants permissions to encrypt buckets
E. Use a CloudFormation stack policy to deny creation of S3 buckets without encryption
Answers: A, E

Config rules can enforce encryption and trigger remediation actions.

Why this answer

Options A and E are correct. AWS Config rules (A) can detect and remediate non-compliant buckets. A CloudFormation stack policy (E) can enforce encryption settings.

Option B is wrong because S3 Block Public Access does not enforce encryption. Option C is wrong because SCPs apply to accounts, not CloudFormation stacks. Option D is wrong because IAM roles do not enforce encryption on S3 buckets.

48
MCQ · medium

A company is migrating its on-premises data center to AWS. The company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect its on-premises network (192.168.0.0/16) to the VPC using an AWS Site-to-Site VPN. The security engineer has configured the virtual private gateway (VGW) and the customer gateway (CGW) with the correct settings. The VPN tunnel status is UP, but the on-premises servers cannot ping the EC2 instances in the VPC. The EC2 instances have security groups that allow ICMP traffic from the on-premises network. The VPC route table has a route for the on-premises network pointing to the VGW. What is the most likely cause of the issue?

A. The customer gateway is not configured with the correct public IP address of the VGW.
B. The VPN tunnel is not configured with the correct pre-shared key.
C. The security group for the EC2 instances does not allow inbound ICMP from the on-premises network.
D. The VPC route table does not have a route for the on-premises CIDR (192.168.0.0/16) pointing to the virtual private gateway.
Answer: D

Without this route, traffic from the VPC to on-premises is dropped.

Why this answer

Option D is correct. The VGW is the correct target, and the VPC route table needs a route for the on-premises CIDR pointing to it. If this route is missing, traffic from the VPC to on-premises will not be routed correctly.

Option C is incorrect because security groups are stateful and allow return traffic, and the question states that ICMP from the on-premises network is already allowed. Options A and B are not the cause when the tunnel status is UP, since that means the VPN itself is configured correctly.

49
MCQ · medium

Refer to the exhibit. A security engineer runs the CLI command and receives the output shown. The engineer expects to see flow logs for a specific subnet, but the output shows the resource ID as a VPC. What is the most likely reason?

A. The flow log is not active; it shows ACTIVE, so that's not the issue.
B. The flow log is configured to deliver to CloudWatch, but the log group name is incorrect.
C. The IAM role does not have permissions to deliver logs for subnets.
D. The flow log was created at the VPC level, not at the subnet level.
Answer: D

The resource ID in the output is the VPC ID, indicating the flow log is for the VPC.

Why this answer

Option D is correct because the filter is by log group name, and the flow log that was created is for the entire VPC, not a subnet; the engineer may have created the flow log at the VPC level. Option A is wrong because the CLI output shows the flow log status as ACTIVE.

Option C is wrong because the role is valid. Option B is wrong because the flow log is delivering to CloudWatch Logs, which is a valid destination.

50
MCQ · hard

A security engineer notices that an Amazon EC2 instance has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. The instance is a bastion host. What is a more secure alternative to this configuration?

A. Change the SSH port to a non-standard port to avoid automated attacks.
B. Restrict the inbound SSH rule to a single IP address from the corporate network.
C. Replace the security group rule with a network ACL that allows SSH from 0.0.0.0/0.
D. Remove the inbound SSH rule and use AWS Systems Manager Session Manager to access the instance.
Answer: D

Session Manager provides secure access without inbound ports, using IAM for authentication and authorization.

Why this answer

The correct answer is D because using AWS Systems Manager Session Manager allows SSH access without opening any inbound ports, and it uses IAM policies for access control. Option C is wrong because a NACL is stateless and would still require an inbound rule; also, NACLs are not a replacement for security group configuration. Option A is wrong because changing the port does not improve security; attackers scan all ports.

Option B is wrong because restricting to a single IP is better than open to all, but Session Manager is more secure as it eliminates inbound ports entirely.

51
MCQ · medium

A security engineer is designing a VPC with public and private subnets in two Availability Zones. The company requires that all outbound traffic from private subnets to the internet must go through a single, centrally managed NAT gateway. Which combination of resources and route table entries should be used?

A. A single NAT gateway in a public subnet, and a default route (0.0.0.0/0) in each private subnet route table pointing to that NAT gateway.
B. A single NAT gateway in a private subnet, and a default route in each private subnet pointing to the NAT gateway.
C. One NAT gateway per private subnet, each with a route to an internet gateway.
D. One NAT gateway per Availability Zone, with routes to the internet gateway.
Answer: A

This provides centralized outbound internet access.

Why this answer

Option A is correct because placing a single NAT gateway in a public subnet and adding a default route to the NAT gateway in each private subnet route table achieves the requirement; each private subnet route table needs its own route entry. Options C and D are wrong because using multiple NAT gateways defeats central management.

Option B is wrong because NAT gateways cannot be placed in private subnets.

52
Multi-Select · easy

A security engineer needs to protect an S3 bucket that contains sensitive data. Which two methods should the engineer use?

Select 2 answers
A. Use Amazon CloudFront to serve the content.
B. Enable VPC Flow Logs on the bucket.
C. Apply an S3 bucket policy that restricts access to specific IAM users or roles.
D. Use IAM policies to grant permissions to users and roles.
E. Enable S3 object ACLs.
Answers: C, D

Bucket policies define who can access the bucket.

Why this answer

Option C is correct because an S3 bucket policy is a resource-based policy that can explicitly restrict access to specific IAM users or roles, providing a direct mechanism to control who can access the bucket and its objects. This is essential for protecting sensitive data by ensuring only authorized principals can perform actions like s3:GetObject or s3:PutObject, regardless of other permissions.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM policies) and may think only one is sufficient, but the question asks for two methods, and both C and D are correct because they work together to enforce least-privilege access.

53
Multi-Select · medium

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are protected from unauthorized access and deletion. Which TWO actions should be taken?

Select 2 answers
A. Enable server-side encryption using AWS KMS (SSE-KMS) on the S3 bucket.
B. Use S3 bucket ACLs to restrict access.
C. Enable CloudTrail log file validation.
D. Enable S3 Versioning on the bucket.
E. Enable multi-factor authentication (MFA) for CloudTrail.
Answers: A, C

SSE-KMS encrypts the logs at rest.

Why this answer

Option C (enable log file validation) ensures integrity, and Option A (enable SSE-KMS) ensures encryption at rest. Option E is wrong because MFA is not a native CloudTrail feature. Option D is wrong because S3 Versioning helps but does not prevent deletion of the bucket.

Option B is wrong because S3 ACLs are not the best practice; bucket policies are preferred.

54
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that no sensitive data, such as database passwords, is exposed in plaintext in the CloudFormation templates. What is the MOST secure way to handle secrets?

A. Use AWS KMS to encrypt the secrets and include the ciphertext in the template.
B. Use AWS Systems Manager Parameter Store or AWS Secrets Manager with dynamic references in the template.
C. Store the secrets in an encrypted S3 bucket and include the S3 URL in the template.
D. Pass the secrets as plaintext parameters to the stack at launch time.
Answer: B

Dynamic references allow CloudFormation to retrieve secrets at runtime without exposing them.

Why this answer

Option B is correct because AWS Systems Manager Parameter Store or AWS Secrets Manager can securely store secrets and reference them in CloudFormation using dynamic references. Option A is wrong because AWS KMS encrypts the secret, but the ciphertext would still be embedded in the template.

Option D is wrong because secrets should not be passed as plaintext parameters.

55
Multi-Selectmedium

Which TWO actions are valid ways to restrict access to an Amazon S3 bucket using a bucket policy? (Choose two.)

Select 2 answers
A.Use the aws:SourceIp condition key to allow access only from a specific IP range.
B.Use the iam:RoleName condition key to allow access only from a specific IAM role.
C.Use the aws:Referer condition key to allow access only from a specific HTTP referer.
D.Use the aws:SourceVpce condition key to allow access only from a specific VPC.
E.Use the kms:EncryptionContext condition key to require that objects are encrypted with a specific KMS key.
AnswersA, C

The aws:SourceIp condition key can be used in bucket policies to restrict based on the requester's IP address.

Why this answer

The correct answers are A and C. Option A is correct because you can use the aws:SourceIp condition key to restrict by IP address. Option C is correct because you can use the aws:Referer condition key to restrict by HTTP referer.

Option B is wrong because aws:SourceVpce is for VPC endpoints, but it is used in bucket policies to restrict access to a specific VPC endpoint, not a VPC ID. Option D is wrong because IAM roles are not used directly in bucket policies; you use the IAM role's ARN with the aws:PrincipalArn condition, but not with kms:EncryptionContext. Option E is wrong because kms:EncryptionContext is used in KMS key policies, not S3 bucket policies.

56
MCQmedium

A security engineer runs the above AWS CLI command. The engineer notices that the security group has no outbound rules. What is the implication of this configuration?

A.The EC2 instances in this security group cannot initiate outbound connections
B.The EC2 instances cannot receive inbound HTTP traffic
C.The security group allows all outbound traffic by default
D.Outbound traffic is allowed because security groups are stateful
AnswerA

Without outbound rules, all outbound traffic is denied.

Why this answer

Option A is correct because a security group permits only traffic matched by a rule, so with no outbound rules all outbound traffic initiated by the instances is denied. Option B is wrong because security groups are stateful: the inbound rule still admits HTTP, and return traffic for those connections is allowed without an egress rule. Option C is wrong because, although the inbound rule allows HTTP from anywhere, the outbound rules are missing, so outbound traffic is not allowed by default.

Option D is wrong because statefulness only covers return traffic for the allowed inbound HTTP connections; it does not permit new outbound connections.

57
MCQhard

A company has a VPC with a public subnet and a private subnet. The public subnet hosts a NAT instance (Amazon Linux) that provides internet access to instances in the private subnet. The security team notices that the NAT instance is receiving high inbound traffic on port 22 from an external IP address. The team wants to block this traffic at the network layer without affecting other traffic. What is the most effective solution?

A.Move the NAT instance to a private subnet and use a NAT gateway instead.
B.Modify the security group attached to the NAT instance to block inbound SSH from the specific IP.
C.Use AWS WAF to block the IP address.
D.Add a network ACL rule on the public subnet to deny inbound traffic from the specific IP on port 22.
AnswerD

Network ACLs support deny rules and are stateless.

Why this answer

Option D is correct because a network ACL on the public subnet can explicitly deny inbound SSH from the specific IP address while allowing all other traffic. Option B is wrong because blocking the IP in the NAT instance's security group would require a deny rule, but security groups only support allow rules; removing SSH from all sources would prevent legitimate access. Option A is wrong because moving the NAT instance to a private subnet would break internet connectivity.

Option C is wrong because AWS WAF is for web application layer (HTTP/HTTPS), not SSH.

58
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. The security team suspects that a DDoS attack is targeting the application. Which AWS service can be used to absorb and mitigate the attack at the network layer before traffic reaches the ALB?

A.AWS WAF
B.AWS Identity and Access Management (IAM)
C.Network ACLs
D.AWS Shield Advanced
AnswerD

Shield Advanced provides network and transport layer DDoS protection.

Why this answer

Option D is correct because AWS Shield Advanced provides enhanced DDoS mitigation for ALB. Option B is wrong because IAM is for access management. Option A is wrong because WAF operates at the application layer.

Option C is wrong because NACLs are stateless and not designed for DDoS mitigation.

59
MCQmedium

A company wants to securely store secrets used by an application running on EC2 instances. The secrets include database credentials and API keys. What is the MOST secure and manageable approach?

A.Store the secrets in the EC2 instance user data and retrieve them from the metadata service.
B.Embed the secrets in the application code and encrypt the code with a KMS key.
C.Use AWS Secrets Manager and attach an IAM role to the EC2 instance with permission to access the secrets.
D.Use AWS Systems Manager Parameter Store with a SecureString parameter and reference it in the application code.
AnswerC

Secrets Manager provides secure storage, automatic rotation, and IAM-based access control.

Why this answer

Option C is correct because AWS Secrets Manager integrates with IAM roles for access and can rotate secrets. Option A is wrong because storing secrets in instance user data and reading them from the metadata service is insecure. Option D is wrong because a Parameter Store SecureString parameter is secure but has fewer features than Secrets Manager.

Option B is wrong because embedding secrets in code is not secure.

60
MCQeasy

A security engineer needs to ensure that an Amazon RDS database instance is not accessible from the internet. Which configuration step will achieve this?

A.Deploy the DB instance in a multi-AZ configuration.
B.Set the DB instance to be publicly accessible and restrict security group inbound rules.
C.Set the DB instance to be not publicly accessible and place it in a private subnet.
D.Use the default VPC security group for the DB instance.
AnswerC

This prevents internet access.

Why this answer

Option C is correct because setting a DB instance to be not publicly accessible ensures that it does not receive a public IP address, and placing it in a private subnet (one without a route to an internet gateway) prevents any direct inbound or outbound traffic from the internet. This combination guarantees that the RDS instance is isolated from the public internet, aligning with the security requirement.

Exam trap

The trap here is that candidates often assume security group rules alone can fully control internet access, overlooking the critical distinction between public and private IP assignment and subnet routing that determines actual internet reachability.

How to eliminate wrong answers

Option A is wrong because deploying in a multi-AZ configuration provides high availability and failover support, but does not affect network accessibility; the DB instance can still be publicly accessible if configured otherwise. Option B is wrong because setting the DB instance to be publicly accessible assigns a public IP address, and while restricting security group inbound rules can limit traffic, the instance itself remains reachable from the internet, violating the requirement. Option D is wrong because using the default VPC security group does not inherently prevent internet access; the default security group typically allows all outbound traffic and may have permissive inbound rules, and the instance could still be publicly accessible if placed in a public subnet.

61
Multi-Selectmedium

Which TWO actions can be taken to improve the security of an Amazon RDS for MySQL database instance? (Choose TWO.)

Select 2 answers
A.Place the RDS instance in a private subnet and restrict inbound traffic to the application security group.
B.Disable automated backups to reduce storage costs.
C.Enable Multi-AZ deployment for fault tolerance.
D.Assign a public IP address to the RDS instance for easier access from the internet.
E.Enable encryption at rest using AWS KMS.
AnswersA, E

Network isolation improves security.

Why this answer

Options A and E are correct. Enabling encryption at rest protects data, and placing the instance in a private subnet with a VPC security group that admits only the application tier restricts network access. Option B is wrong because disabling automated backups reduces durability but does not directly improve security.

Option C is wrong because Multi-AZ is for high availability, not security. Option D is wrong because assigning a public IP address increases exposure.

62
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and EC2 instances be encrypted. Which configuration ensures this requirement is met?

A.Use an HTTPS listener on the ALB and configure the target group with HTTPS.
B.Use a TCP listener on the ALB and a TCP target group.
C.Configure security group inbound rules to allow only HTTPS traffic.
D.Use an HTTP listener on the ALB and HTTP on the target group.
AnswerA

HTTPS ensures encryption from ALB to instances.

Why this answer

Option A is correct because an HTTPS listener on the ALB terminates the client's TLS connection and, with an HTTPS target group, establishes a new TLS connection to the instances, ensuring encryption on both legs. Option D is wrong because HTTP does not encrypt traffic. Option C is wrong because security group rules control which ports are reachable; they do not enforce encryption.

Option B is wrong because TCP listeners do not provide encryption.

63
MCQhard

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The security team wants to protect the application from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used?

A.AWS WAF.
B.AWS Network Firewall.
C.AWS Shield Advanced.
D.AWS Security Hub.
AnswerA

AWS WAF can inspect HTTP requests and block SQL injection and XSS.

Why this answer

Option A is correct because AWS WAF is a web application firewall that can protect against common web exploits. Option C is wrong because Shield Advanced provides DDoS protection, not protection against application-layer exploits. Option B is wrong because Network Firewall is for network-level filtering, not application-layer inspection.

Option D is wrong because Security Hub is a security posture management service, not a protection service.

64
Multi-Selectmedium

A security engineer is designing a VPC with private and public subnets. Which TWO actions improve network security? (Choose two.)

Select 2 answers
A.Use a single subnet for all resources to simplify network rules.
B.Use security groups to restrict traffic to the database from only the application tier.
C.Place database instances in a public subnet for easier management.
D.Use a NAT gateway in a public subnet for outbound traffic from private subnets.
E.Place an internet gateway in a private subnet.
AnswersB, D

Security groups provide stateful firewall rules for instance-level security.

Why this answer

Options B and D are correct. Option D is correct because a NAT gateway in a public subnet allows outbound internet access for private instances without exposing them to inbound access. Option B is correct because a security group on the database that admits only the application tier provides fine-grained control.

Option E is wrong because an internet gateway attached to a private subnet would expose its instances. Option C is wrong because a public subnet allows direct internet access to the database. Option A is wrong because a single subnet defeats isolation.

65
MCQeasy

A company wants to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which bucket policy condition should be used?

A.aws:SourceVpce
B.aws:SecureTransport
C.s3:x-amz-server-side-encryption
D.aws:SourceIp
AnswerB

This condition key checks if the request was sent using SSL/TLS.

Why this answer

Option B is correct because the aws:SecureTransport condition key enforces HTTPS. Option C is wrong because s3:x-amz-server-side-encryption enforces server-side encryption at rest, not encryption in transit. Option D is wrong because aws:SourceIp restricts by IP address.

Option A is wrong because aws:SourceVpce is a VPC endpoint condition.

66
MCQeasy

Which AWS service can be used to create a private network connection between a VPC and an on-premises data center over dedicated physical lines?

A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.AWS Direct Connect
D.VPC Peering
AnswerC

Direct Connect provides dedicated physical connection.

Why this answer

AWS Direct Connect is the correct service because it establishes a dedicated, private network connection from an on-premises data center to a VPC using physical Ethernet cables routed through an AWS Direct Connect location. This bypasses the public internet entirely, providing consistent latency, higher bandwidth, and a more reliable connection than internet-based options.

Exam trap

The trap here is that candidates confuse AWS Site-to-Site VPN with a dedicated connection, but VPNs always traverse the public internet and do not provide the physical isolation or consistent performance of Direct Connect.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide the physical dedicated lines; it requires an underlying connection like Direct Connect or VPN to attach to. Option B is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, not over dedicated physical lines, so it does not meet the requirement for a private connection over dedicated infrastructure. Option D is wrong because VPC Peering connects two VPCs within AWS using the AWS global network, but it cannot connect to an on-premises data center and does not involve dedicated physical lines.

67
MCQeasy

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no resources can be created in a specific AWS Region except for the us-east-1 Region. Which policy type should the security team use?

A.IAM permissions boundary
B.IAM policy applied to the root user
C.Resource-based policy
D.Service control policy (SCP)
AnswerD

SCPs allow you to deny actions in specific Regions across all accounts in the organization.

Why this answer

Option D is correct because SCPs can restrict actions at the account level across the organization. Option B is wrong because IAM policies apply to users and roles, not to accounts. Option C is wrong because resource-based policies apply to specific resources.

Option A is wrong because IAM permissions boundaries are not the correct mechanism; service control policies are.

68
MCQmedium

A company has an EC2 instance that needs to access an S3 bucket. The security team wants to use the principle of least privilege. Which method should be used to grant access?

A.Use a security group to allow outbound traffic to S3.
B.Store AWS access keys on the instance and use them in the application.
C.Create an IAM role with an S3 access policy and attach it to the EC2 instance profile.
D.Create a bucket policy that grants access to the EC2 instance ID.
AnswerC

This is the secure and recommended method.

Why this answer

Option C is correct because an IAM role attached to the EC2 instance profile is the best practice. Option B is wrong because access keys stored on the instance are less secure. Option D is wrong because a bucket policy with an instance ID as the principal is not possible; bucket policies use IAM principals.

Option A is wrong because security groups do not grant access to S3.

69
MCQmedium

A security engineer is designing a multi-tier web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The engineer needs to ensure that the EC2 instances only accept traffic from the ALB and not from any other source. Which security group configuration should the engineer use?

A.Allow inbound HTTP traffic from the ALB's public IP address on the EC2 instances' security group.
B.Allow inbound HTTP traffic from the VPC CIDR range on the EC2 instances' security group.
C.Allow inbound HTTP traffic from the ALB's security group on the EC2 instances' security group.
D.Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 instances' security group.
AnswerC

This restricts traffic to only the ALB.

Why this answer

Option C is correct because referencing the ALB's security group as the source allows inbound traffic only from the ALB. Option D allows HTTP traffic from anywhere. Option B uses the VPC CIDR, which is too broad.

Option A uses the ALB's public IP, which is not static and not recommended.

70
Multi-Selecteasy

Which TWO are valid methods to secure data at rest in Amazon S3? (Choose TWO.)

Select 2 answers
A.Enabling default encryption on the S3 bucket.
B.Enabling MFA Delete.
C.Enabling S3 Versioning.
D.Configuring an S3 bucket policy to restrict access to specific IP addresses.
E.Using S3 Block Public Access settings.
AnswersA, E

Default encryption ensures objects are encrypted at rest.

Why this answer

Options A and E are correct. Server-side encryption (SSE-S3, SSE-KMS, SSE-C) and S3 Block Public Access are both methods to secure data at rest. Option D is wrong because bucket policies control access but do not encrypt data.

Option C is wrong because versioning helps with data recovery, not encryption. Option B is wrong because MFA Delete adds protection against deletion, not encryption.

71
MCQhard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The Security Engineer needs to ensure that traffic between VPCs is inspected by a central network appliance. Which architecture should the Engineer implement?

A.Use Transit Gateway with appliance mode enabled on the attachments to the inspection VPC, and route inter-VPC traffic through the inspection VPC.
B.Use VPC Peering connections between all VPCs and route traffic through the inspection VPC.
C.Place the network appliance in a public subnet of the inspection VPC and use internet gateways for routing.
D.Use Transit Gateway with route tables that point to the network appliance's ENI for all inter-VPC traffic.
AnswerA

Appliance mode allows Transit Gateway to send traffic to the appliance even if the return traffic takes a different path.

Why this answer

Option A is correct because Transit Gateway supports appliance mode on attachments, which keeps both directions of a flow on the same Availability Zone path so the appliance can inspect it. Option B is wrong because VPC Peering does not support central inspection. Option C is wrong because placing the appliance in a public subnet is not secure and does not leverage Transit Gateway.

Option D is wrong because route tables alone do not force traffic through the appliance if asymmetric routing is not handled.

72
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (port 443) to 0.0.0.0/0. The private subnet route table has a default route (0.0.0.0/0) pointing to a NAT Gateway in the public subnet. The NAT Gateway's security group allows inbound HTTPS from the private subnet CIDR. However, the instance cannot download patches. What is the most likely cause?

A.The network ACL for the private subnet is blocking outbound traffic
B.The NAT Gateway's security group is blocking outbound traffic to the internet
C.The private subnet route table does not have a route to the NAT Gateway
D.The security group attached to the EC2 instance is blocking inbound traffic
AnswerB

NAT Gateway's security group must allow outbound HTTPS to 0.0.0.0/0.

Why this answer

NAT Gateway's security group must allow inbound HTTPS from the private subnet CIDR. The problem statement says it does, so that is not the issue. The most likely issue is that the NAT Gateway's security group must also allow outbound HTTPS to 0.0.0.0/0 for the return traffic.

Option B is correct. Option A is wrong because, although NACLs are stateless, the default NACL allows all traffic. Option D is wrong because the instance's security group already allows the outbound HTTPS traffic.

Option C is wrong because the route is present.

73
MCQmedium

A security engineer needs to restrict outbound traffic from a VPC to only allow HTTPS traffic to specific domains (e.g., api.example.com). The VPC has a NAT gateway in a public subnet. What is the most secure way to implement this restriction?

A.Configure security group egress rules to allow HTTPS to 0.0.0.0/0.
B.Deploy an AWS Network Firewall in the VPC and configure domain filtering rules.
C.Configure network ACL outbound rules to allow HTTPS to the IP addresses of the allowed domains.
D.Create a VPC endpoint for Amazon S3 and route traffic through it.
AnswerB

Network Firewall can filter outbound traffic by domain name with TLS inspection.

Why this answer

Option B is correct. AWS Network Firewall, or a third-party firewall appliance, performs stateful inspection of traffic and can filter by domain name. Option A (security group egress rules) cannot filter by domain name.

Option C (NACL) is stateless and cannot inspect domain names. Option D (VPC endpoint for S3) is for S3 only, not general HTTPS.

74
MCQhard

A security engineer is troubleshooting connectivity issues from an EC2 instance in a private subnet to an S3 bucket. The instance has a security group allowing outbound HTTPS (443) to 0.0.0.0/0, and the subnet's network ACL allows outbound HTTPS to 0.0.0.0/0. However, requests to S3 are timing out. Which additional configuration is most likely required?

A.Attach an IAM role to the EC2 instance with S3 permissions
B.Modify the security group to allow traffic to the S3 region-specific IP range
C.Add a VPC Gateway Endpoint for S3 and update the route table
D.Configure a TLS termination proxy
AnswerC

A Gateway Endpoint provides a route to S3 without internet access.

Why this answer

Option C is correct because a VPC Gateway Endpoint for S3 adds a route for the S3 prefix list to the subnet's route table; without it, traffic to S3 would have to go through a NAT Gateway or Internet Gateway, and the private subnet lacks a route to the internet. Option D is wrong because S3 supports HTTPS directly, without a TLS termination proxy. Option B is wrong because S3 is a global service and does not require a region-specific IP range in the security group.

Option A is wrong because an IAM role governs access permissions, not network connectivity; a missing role produces an access error, not a timeout.

75
MCQmedium

A security engineer notices that an EC2 instance in a private subnet is able to make outbound connections to the internet. The instance does not have a public IP, and there is no NAT gateway or instance in the VPC. What is the most likely cause?

A.The VPC has an egress-only internet gateway for IPv6 traffic.
B.The instance has a public IP assigned automatically via Auto-assign Public IP.
C.The instance is using a VPC endpoint (Gateway type) for S3.
D.The subnet's route table has a default route (0.0.0.0/0) pointing to an internet gateway.
AnswerD

This would make the subnet effectively public, allowing outbound internet access.

Why this answer

Option A is wrong because an egress-only internet gateway handles IPv6 traffic only, not IPv4. Option C is wrong because a Gateway VPC endpoint for S3 or DynamoDB provides access to that service only, not general internet access. Option B is wrong because the stem states that the instance has no public IP address, and the stem also rules out a NAT gateway or NAT instance.

The remaining explanation is option D: the subnet's route table carries a default route (0.0.0.0/0) to an internet gateway. That makes the subnet effectively public, even though the engineer believes it is private, which is why the instance can reach the internet with no NAT device in the VPC.
