CCNA Infrastructure Security Questions

75 of 328 questions · Page 2/5 · Infrastructure Security

Question 76 · Multi-Select · medium

A security engineer is configuring a VPC for a web application. The VPC has public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The engineer wants to ensure that the database servers are not accessible from the internet. Which two actions should the engineer take?

Select 2 answers
A. Place the database instances in a public subnet with a NAT gateway.
B. Assign public IP addresses to the database instances.
C. Ensure the route table for the database subnets does not have a default route to an Internet Gateway.
D. Create a security group for the database instances that allows inbound traffic only from the web servers' security group.
E. Configure a network ACL on the database subnets to deny all inbound traffic.
Answers: C, D

This prevents direct internet access to the database subnets.

Why this answer

Options C and D are correct. The database subnets should not have a route to the Internet Gateway, and their security group should only allow traffic from the web servers' security group. Option E is unnecessary; network ACLs are stateless and can be used, but security groups are sufficient here.

Option B is incorrect because assigning public IPs would expose the database instances. Option A is incorrect because a NAT gateway provides outbound internet access, not inbound.

Question 77 · MCQ · hard

A company has a VPC with a public subnet and a private subnet. An Amazon RDS instance is in the private subnet, and an application server is in the public subnet. The security team needs to allow the application server to connect to the RDS instance on port 3306 (MySQL). Which configuration will meet this requirement securely?

A. Add an inbound rule to the RDS security group that allows traffic from the VPC CIDR on port 3306.
B. Add an inbound rule to the RDS security group that allows traffic from the security group of the application server on port 3306.
C. Add an inbound rule to the RDS security group that allows traffic from the subnet CIDR of the application server on port 3306.
D. Add an inbound rule to the RDS security group that allows traffic from 0.0.0.0/0 on port 3306.
Answer: B

This restricts access to only the application server's security group.

Why this answer

Security groups are stateful, and an inbound rule can name the application server's security group as its source, so Option B is correct. Option C is less secure because it allows all traffic from the application server's subnet.

Option A is incorrect because it allows all traffic from the VPC. Option D is incorrect because it allows traffic from the internet.

Question 78 · MCQ · medium

A security engineer is reviewing the security group rules for a web server. The security group currently has the following inbound rules: allow HTTP from 0.0.0.0/0, allow HTTPS from 0.0.0.0/0, and allow SSH from 0.0.0.0/0. Which change should the engineer make to improve security?

A. Remove the HTTP rule and keep only HTTPS.
B. Change the SSH rule to allow from the VPC CIDR only.
C. Change the SSH rule to allow from a specific IP range used by the company's administrators.
D. Add a rule to allow ICMP from 0.0.0.0/0.
Answer: C

This limits SSH access to authorized users.

Why this answer

Option C is correct. SSH should be restricted to specific IPs (e.g., the corporate network) to prevent unauthorized access. Option D is unnecessary.

Option B would break functionality for administrators connecting from outside the VPC. Option A is not sufficient on its own; SSH would still be open to the internet.

Question 79 · MCQ · medium

A company uses AWS WAF to protect a web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

A. IP set rule
B. Geographic match rule
C. Rate-based rule
D. SQL injection match rule
Answer: D

SQL injection match rules inspect request parameters for SQL-like patterns.

Why this answer

Option D is correct because AWS WAF provides a dedicated SQL injection match rule that inspects incoming requests for SQL injection patterns in the URI, query string, or body. This rule uses a set of predefined SQL-like patterns (e.g., 'OR 1=1', 'UNION SELECT') to detect and block malicious input, directly addressing the security team's requirement.

Exam trap

The trap here is that candidates may confuse a rate-based rule (which controls request volume) with a content-based rule (which inspects payloads), leading them to pick Option C instead of the correct SQL injection match rule.

How to eliminate wrong answers

Option A is wrong because an IP set rule matches requests based on source IP addresses, not on content patterns like SQL injection. Option B is wrong because a geographic match rule filters traffic based on the country of origin, not on request payload content. Option C is wrong because a rate-based rule limits the number of requests from a single IP over a time window, which is used for DDoS mitigation, not for detecting SQL injection patterns.

Question 80 · MCQ · easy

A Security Engineer needs to block SSH traffic (port 22) from the internet to all EC2 instances in a VPC. Which approach is the most secure and scalable?

A. Add a security group rule to deny inbound traffic on port 22 from 0.0.0.0/0.
B. Add a network ACL rule to deny inbound traffic on port 22 from 0.0.0.0/0 at the subnet level.
C. Add a network ACL rule to allow inbound traffic on port 22 from 0.0.0.0/0 and then add a deny rule for the same traffic.
D. Add a security group rule to block inbound traffic on port 22 from 0.0.0.0/0 at the VPC level.
Answer: B

Network ACLs can deny traffic and are applied at the subnet boundary.

Why this answer

Option B is correct because a network ACL at the subnet level blocks traffic to port 22 from the internet before it reaches the instances. Option A is wrong because security groups cannot contain deny rules; they can only allow. Option C is wrong because NACLs are stateless and need explicit rules in each direction, but the question only asks to block inbound SSH, which a single NACL deny rule does; adding an allow rule for the same traffic first is unnecessary.

Option D is wrong because security groups are not applied at the VPC level.

Question 81 · MCQ · medium

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centrally manage VPC security group rules across all accounts. Which AWS service should they use?

A. AWS Network Firewall
B. AWS Firewall Manager
C. AWS Config
D. Amazon Route 53 Resolver DNS Firewall
Answer: B

Firewall Manager provides central management of security group rules across accounts.

Why this answer

AWS Firewall Manager can centrally configure and manage security group rules across accounts, so Option B is correct. Option A (AWS Network Firewall) is for network firewall management, not cross-account management of security groups.

Option C is for configuration compliance. Option D is for DNS firewalling.

Question 82 · MCQ · medium

A security engineer needs to ensure that all Amazon S3 buckets in an AWS account have server-side encryption (SSE) enabled. The engineer wants to automatically remediate any bucket that is created without SSE. Which solution should the engineer implement?

A. Use S3 bucket policies to deny access to objects without encryption.
B. Apply an IAM policy that requires SSE for all S3 actions.
C. Use AWS Config with a managed rule (s3-bucket-server-side-encryption-enabled) and an automatic remediation action.
D. Create a service control policy (SCP) that denies creation of buckets without encryption.
Answer: C

AWS Config can detect and automatically remediate non-compliant resources.

Why this answer

Option C is correct because AWS Config rules can detect non-compliant buckets and trigger remediation actions. Option D is wrong because an SCP can deny creation of buckets without encryption but requires careful policy writing and does not remediate existing buckets. Option B is wrong because IAM policies apply to principals, not to buckets.

Option A is wrong because bucket policies can require encryption for access, not for bucket creation.

Question 83 · MCQ · hard

A company is designing a network architecture for a critical application that must meet strict compliance requirements. The application consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The instances need to access an Amazon RDS database in a different VPC. The company wants to minimize exposure to the internet. Which solution should the company use?

A. Use a site-to-site VPN connection between the VPCs.
B. Use a NAT gateway in the database VPC and route traffic through it.
C. Use a VPC Peering connection between the two VPCs.
D. Use an internet gateway and route traffic over the internet with security groups.
Answer: C

VPC Peering provides private connectivity using AWS infrastructure.

Why this answer

Option C is correct because VPC Peering provides a private network connection between VPCs without internet exposure. Option B is wrong because a NAT gateway is for outbound internet access from private subnets. Option D is wrong because an internet gateway exposes traffic to the internet.

Option A is wrong because a VPN connection is typically used for on-premises connectivity and adds complexity.

Question 84 · Multi-Select · medium

A security engineer is designing a network architecture for a multi-tier application. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which TWO configurations should be used? (Choose TWO.)

Select 2 answers
A. Configure a NAT gateway in the private subnet for the application servers.
B. Place the web servers in a public subnet with a route to an internet gateway.
C. Use a network ACL on the application subnet to allow inbound traffic from the web subnet's IP range.
D. Place the application servers in a public subnet with a route to an internet gateway.
E. Configure the application servers' security group to allow traffic only from the web servers' security group.
Answers: B, E

This allows internet traffic to reach the web servers.

Why this answer

Placing the web servers in a public subnet with a route to an internet gateway (B) allows internet access. Placing the application servers in a private subnet with a security group that only allows traffic from the web servers' security group (E) ensures isolation. Putting the application servers in a public subnet with an internet gateway (D) would defeat the purpose, and a NAT gateway (A) is for outbound traffic only.

Question 85 · MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. Security engineers need to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which architecture should be used?

A. Use security groups in each VPC to allow only traffic from the firewall appliance's IP.
B. Establish VPC Peering connections between each VPC and the inspection VPC.
C. Configure Network ACLs in each VPC to deny traffic that does not originate from the inspection VPC.
D. Create a central inspection VPC with the firewall appliance. Configure Transit Gateway route tables to route traffic between VPCs through the inspection VPC.
Answer: D

Transit Gateway supports centralized routing for inspection.

Why this answer

Option D is correct because Transit Gateway route tables can force traffic through the inspection VPC by attaching the firewall appliance's VPC and using blackhole routes or specific routes. Option C is wrong because Network ACLs are stateless and cannot perform deep packet inspection. Option B is wrong because VPC Peering does not support transitive routing.

Option A is wrong because security groups are stateful but do not provide advanced firewall capabilities.

Question 86 · MCQ · easy

A company is using AWS CloudFormation to deploy a web application. The template includes an EC2 instance with a security group that allows inbound HTTP traffic from 0.0.0.0/0. The security team wants to ensure that this security group is never used in production. Which AWS service can automatically remediate this noncompliant configuration?

A. AWS Identity and Access Management (IAM)
B. AWS Config
C. Amazon GuardDuty
D. AWS CloudTrail
Answer: B

AWS Config can evaluate rules and auto-remediate.

Why this answer

Option B is correct because AWS Config can evaluate rules and trigger auto-remediation via Systems Manager Automation or Lambda. Option A is wrong because IAM is for access control, not resource configuration. Option D is wrong because CloudTrail logs API calls but does not remediate.

Option C is wrong because GuardDuty is a threat detection service, not a configuration compliance service.

Question 87 · MCQ · hard

Refer to the exhibit. A security engineer runs the command above and sees that the flow log status is ACTIVE. However, the engineer notices that no logs are appearing in the CloudWatch log group. What is the most likely cause?

A. The TrafficType is set to ALL, which captures too much data and causes throttling.
B. The IAM role specified in DeliverLogsPermissionArn does not have permissions to PutLogEvents.
C. The flow log is attached to an ENI instead of a subnet.
D. The flow log destination is set to CloudWatch Logs but the log group is encrypted with KMS.
Answer: B

Without proper permissions, logs cannot be delivered.

Why this answer

Option B is correct. If the flow log is ACTIVE but no logs appear, the IAM role may lack the permissions needed to publish logs to CloudWatch Logs. Option C is incorrect because attaching the flow log to an ENI rather than a subnet is a valid configuration.

Option A is incorrect because capturing all traffic would generate logs, not prevent them. Option D is incorrect because flow logs do not require encryption of the log group, so KMS encryption is not the cause.

Question 88 · MCQ · medium

A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, but the application and database tiers must not. Which VPC configuration should be used?

A. Place web and app tiers in public subnets, database in private subnet.
B. Place web tier in public subnets, app and database tiers in private subnets.
C. Place all tiers in private subnets and use a VPN for external access.
D. Place all tiers in public subnets with security groups restricting access.
Answer: B

This isolates app and database from internet.

Why this answer

Option B is correct because public subnets for the web tier and private subnets for the app and database tiers meet the requirements. Option D is wrong because placing all tiers in public subnets exposes them all. Option C is wrong because placing all tiers in private subnets blocks internet access to the web tier.

Option A is wrong because placing the app tier in public subnets exposes it.

Question 89 · MCQ · hard

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which configuration should the engineer implement?

A. Configure the ALB listener with HTTP protocol and the target group with HTTP protocol, then use a security group to restrict traffic.
B. Configure the ALB listener with HTTPS protocol and the target group with HTTP protocol.
C. Configure the ALB listener with TCP protocol and the target group with TCP protocol, then install SSL certificates on the EC2 instances.
D. Configure the ALB listener with HTTPS protocol and the target group with HTTPS protocol, and install SSL certificates on the EC2 instances.
Answer: D

This encrypts both frontend and backend traffic.

Why this answer

Option D is correct. To encrypt traffic between the ALB and EC2, you must use HTTPS on both sides: the ALB listener for the frontend and the target group protocol for the backend. Option C uses TCP, which is not encrypted.

Option B only encrypts the frontend. Option A uses HTTP, which is not encrypted.

Question 90 · MCQ · easy

A company wants to allow its developers to SSH into EC2 instances only from the corporate network IP range (203.0.113.0/24). Which configuration should be used to enforce this restriction?

A. Configure a network ACL on the subnet to allow inbound SSH from the corporate range and deny all other inbound traffic.
B. Use AWS Systems Manager Session Manager to connect to instances instead of SSH.
C. Add an IAM policy that allows `ec2:RunInstances` only if the request includes the corporate IP.
D. Add a security group rule that allows inbound SSH (port 22) from the corporate IP range.
Answer: D

Security groups are stateful and can restrict inbound traffic to a specific source.

Why this answer

Option D is correct because a security group rule can restrict inbound SSH to the specific IP range. Option C is wrong because IAM policies do not control network access. Option A is wrong because NACLs are stateless and require separate inbound and outbound rules.

Option B is wrong because Systems Manager Session Manager does not use SSH.

Question 91 · MCQ · easy

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances in private subnets. The security team wants to ensure that only traffic from the ALB can reach the EC2 instances. Which security group configuration should be applied to the EC2 instances?

A. Allow inbound HTTP/HTTPS from the security group attached to the ALB.
B. Configure the network ACL to allow traffic from the ALB's private IP addresses.
C. Allow inbound HTTP/HTTPS from 0.0.0.0/0.
D. Allow inbound HTTP/HTTPS from the VPC CIDR block.
Answer: A

This ensures only traffic originating from the ALB is allowed.

Why this answer

Option A is correct because referencing the ALB's security group as the source ensures only traffic originating from the ALB can reach the EC2 instances. Option D is wrong because allowing traffic from the VPC CIDR would permit any instance in the VPC to reach the EC2 instances, not just the ALB. Option C is wrong because allowing traffic from 0.0.0.0/0 would expose the instances to the internet.

Option B is wrong because a network ACL is stateless and does not use security group references.

Question 92 · Multi-Select · hard

A security engineer is designing a network architecture in AWS. The engineer needs to ensure that all outbound traffic from a VPC goes through a centrally managed NAT device for logging and filtering. The VPC has multiple private subnets. Which TWO steps are required to accomplish this? (Choose TWO.)

Select 2 answers
A. Deploy an HTTP forward proxy in the public subnet.
B. Create a route table for the private subnets with a default route (0.0.0.0/0) pointing to the NAT device.
C. Set up a transit gateway and attach the VPC to it.
D. Create a gateway endpoint for Amazon S3.
E. Place the NAT device in a public subnet with a route to an internet gateway.
Answers: B, E

This routes outbound traffic from private subnets to the NAT device.

Why this answer

Options B and E are correct. Pointing the private subnets' default route at the NAT device ensures outbound traffic goes through it. Placing the NAT device in a public subnet with a route to an internet gateway allows it to reach the internet.

Option C is wrong because a transit gateway is not needed. Option A is wrong because a proxy is not required. Option D is wrong because a gateway endpoint serves S3/DynamoDB, not internet traffic.

Question 93 · MCQ · medium

A company has an Amazon S3 bucket that stores sensitive data. The security team wants to ensure that all access to the bucket is made only via HTTPS. Which policy should be used?

A. Enable CloudFront with HTTPS-only viewer protocol policy.
B. Use a VPC endpoint for S3 with a bucket policy that restricts access to the VPC endpoint.
C. Enable 'Block public access' on the bucket.
D. Add a bucket policy that denies access when aws:SecureTransport is false.
Answer: D

This explicitly denies non-HTTPS requests.

Why this answer

Option D is correct because a bucket policy with a condition that denies access when aws:SecureTransport is false ensures HTTPS only. Option A is wrong because CloudFront's viewer protocol policy does not enforce HTTPS on requests made directly to the S3 bucket. Option C is wrong because Block Public Access is not an HTTPS-only setting; enforcing HTTPS requires a custom bucket policy.

Option B is wrong because a VPC endpoint does not enforce HTTPS.

Question 94 · Multi-Select · hard

A company needs to enforce that all Amazon S3 buckets are encrypted at rest. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A. Enable AWS CloudTrail to log S3 API calls.
B. Use bucket policies to deny write operations without encryption.
C. Enable default encryption on each S3 bucket.
D. Create a KMS key and apply it to all buckets.
E. Use a service control policy (SCP) to deny the s3:PutBucketPublicAccessBlock action.
Answers: C, E

Default encryption encrypts new objects.

Why this answer

Option C is correct because enabling default encryption ensures all new objects are encrypted. Option E is correct because an SCP can deny creation of unencrypted buckets. Option B is wrong because bucket policies cannot enforce encryption on existing objects.

Option A is wrong because CloudTrail logs do not enforce encryption. Option D is wrong because KMS keys are used for encryption but do not enforce the policy.

Question 95 · Multi-Select · hard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which combination of components provides a highly available, managed solution? (Select TWO.)

Select 2 answers
A. Add a route to the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway.
B. Launch a NAT instance in a public subnet.
C. Create a VPC endpoint for Amazon S3.
D. Create a NAT gateway in each Availability Zone.
E. Attach an internet gateway to the VPC.
Answers: A, D

Routes traffic from private subnet to NAT gateway.

Why this answer

Option A is correct because a NAT gateway enables outbound internet access for instances in a private subnet while preventing inbound connections from the internet. It is a managed AWS service that automatically scales and is highly available within a single Availability Zone. By adding a route for 0.0.0.0/0 to the NAT gateway in the private subnet's route table, traffic destined for the internet is forwarded to the NAT gateway, which then uses an internet gateway to reach the internet.

Exam trap

The trap here is that candidates often think a single NAT gateway is sufficient for high availability, but AWS requires one NAT gateway per Availability Zone to survive an AZ failure, and they may also confuse a VPC endpoint for S3 as a general internet access solution.

Question 96 · Multi-Select · medium

A company has an Amazon S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. However, users are still able to access the bucket from outside the VPC. Which THREE steps should the security engineer take to troubleshoot this issue? (Choose THREE.)

Select 3 answers
A. Verify that the security group associated with the VPC endpoint allows inbound traffic.
B. Check the VPC endpoint policy to ensure it allows the actions the users are performing.
C. Check that the route table for the subnets has a route to the VPC endpoint.
D. Ensure the VPC endpoint is in the same region as the S3 bucket.
E. Verify that the bucket policy includes a condition that denies access if the source VPC endpoint is not the specified one.
Answers: B, C, E

The endpoint policy might be restrictive.

Why this answer

Option E is correct because the bucket policy must explicitly deny access from outside the VPC endpoint. Option B is correct because the VPC endpoint policy must allow the required actions. Option C is correct because the route table must include a route to the S3 endpoint.

Option D is wrong because the VPC endpoint is already required to be in the same region, so that is not the cause. Option A is wrong because security groups are not required for S3 gateway endpoint access.

Question 97 · MCQ · easy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. Which AWS service should be used to allow this without assigning a public IP address to the instance?

A. Internet Gateway
B. VPC Endpoint
C. NAT Gateway
D. VPN Connection
Answer: C

Allows outbound internet for private instances.

Why this answer

Option C is correct because a NAT Gateway allows instances in a private subnet to connect to the internet while preventing inbound traffic from the internet. Option A is wrong because an Internet Gateway alone does not provide outbound-only access for private instances. Option D is wrong because a VPN connection is for hybrid connectivity, not internet access.

Option B is wrong because a VPC Endpoint is for private access to AWS services.

Question 98 · MCQ · hard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to inspect all traffic between VPCs using a third-party firewall appliance. Which architecture should be used?

A. Set up AWS Direct Connect and route all traffic through the on-premises firewall.
B. Use Transit Gateway with appliance mode and route tables to direct traffic through a firewall appliance in a central VPC.
C. Create VPC peering connections between each VPC and the firewall VPC.
D. Configure network ACLs in each VPC to block traffic unless it comes from the firewall.
Answer: B

This allows centralized inspection and scales well.

Why this answer

Centralized inspection using a Transit Gateway with appliance mode and appropriate route tables allows traffic to be forwarded to the firewall VPC for inspection. VPC peering does not support central inspection, and network ACLs are not suitable for inter-VPC traffic. Direct Connect alone does not provide inspection.

Question 99 · MCQ · medium

A company uses Network Load Balancer (NLB) in front of a fleet of EC2 instances in private subnets. Security team requires that the source IP addresses of clients be preserved in the access logs of the backend instances. Which configuration should the security engineer verify?

A. Configure proxy protocol v2 on the target group
B. Ensure the NLB is configured with a subnet from each Availability Zone and the targets are in the same subnets
C. Enable target group stickiness
D. Enable cross-zone load balancing on the NLB
Answer: B

NLB preserves source IP by default; no special configuration is needed.

Why this answer

NLB preserves the client source IP by default, so no special configuration is needed; Option B is correct. Option D is wrong because the NLB passes the client IP through directly regardless of cross-zone load balancing.

Option A is wrong because proxy protocol is an alternative but not required for NLB. Option C is wrong because target group stickiness does not affect source IP preservation.

Question 100 · MCQ · easy

A company has a requirement to block traffic from specific IP addresses known to be malicious. The company has an Application Load Balancer (ALB) that fronts a web application. The security engineer needs to implement a solution that can block these IP addresses at the edge before they reach the ALB. Which AWS service should be used?

A. Configure security groups on the ALB to deny traffic from those IP addresses.
B. Enable AWS Shield Advanced and configure rate-based rules.
C. Add a network ACL rule to the ALB's subnet to deny the IP addresses.
D. Use AWS WAF with an IP set rule to block the malicious IP addresses.
Answer: D

WAF can block IPs at the edge before reaching the ALB.

Why this answer

Option D is correct. AWS WAF can be attached to an ALB and can block traffic by source address using an IP set. Option A is wrong because security groups contain only allow rules and cannot deny specific IP addresses.

Option C is wrong because network ACLs operate at the subnet level, not at the edge in front of the ALB. Option B is wrong because AWS Shield Advanced provides DDoS protection, not IP-based blocking.

Question 101 · Multi-Select · medium

Which TWO actions can be taken to protect an S3 bucket from accidental public access? (Choose 2.)

Select 2 answers
A. Enable S3 Block Public Access at the account level
B. Use a bucket policy that denies s3:PutBucketPolicy unless the request comes from a specific VPC
C. Enable default encryption for the bucket
D. Enable MFA Delete on the bucket
E. Use an IAM policy that requires MFA for all S3 actions
Answers: A, B

Blocks all public access to S3 buckets.

Why this answer

Options A and B are correct. Enabling S3 Block Public Access at the account level prevents any public access, and a bucket policy that denies s3:PutBucketPolicy unless the request comes from a specific VPC prevents the bucket policy from being changed to grant public access.

Option D is wrong because MFA Delete protects against accidental deletion, not public access. Option C is wrong because encryption does not prevent public access. Option E is wrong because requiring MFA for access does not prevent public access.

Question 102 · Multi-Select · hard

A security engineer needs to enable VPC Flow Logs to capture traffic metadata. Which THREE components are required to create a VPC Flow Log?

Select 3 answers
A. A CloudWatch Logs log group to publish the flow logs.
B. A VPC, subnet, or network interface to monitor.
C. An S3 bucket to store the flow logs.
D. An Amazon Kinesis Data Firehose delivery stream.
E. An IAM role that grants permissions to publish logs.
Answers: A, B, E

Flow logs are published to CloudWatch Logs.

Why this answer

A CloudWatch Logs log group is required because VPC Flow Logs publish traffic metadata to CloudWatch Logs as the default destination. The flow logs are stored as log streams within the specified log group, enabling querying and monitoring via CloudWatch Logs Insights. Without a log group, there is no destination for the flow log records to be sent to.

Exam trap

The trap here is that candidates often assume S3 is mandatory because it is a common storage service, but VPC Flow Logs require either CloudWatch Logs or S3 as a destination, and the question specifies the three required components, making S3 optional and thus incorrect.

Question 103 · MCQ · medium

A security engineer is designing a network architecture for a web application that must be highly available and secure. The application uses an Application Load Balancer (ALB) in front of EC2 instances. Which architecture meets these requirements?

A. Place both the ALB and EC2 instances in private subnets across two Availability Zones.
B. Place the ALB in private subnets and EC2 instances in public subnets across two Availability Zones.
C. Place the ALB in public subnets and EC2 instances in private subnets across two Availability Zones.
D. Place both the ALB and EC2 instances in public subnets across two Availability Zones.
Answer: C

ALB handles internet traffic, instances are protected.

Why this answer

Placing the ALB in public subnets and the EC2 instances in private subnets provides security (instances are not directly exposed) and high availability across AZs, so Option C is correct. All in public (D) exposes the instances.

All in private (A) blocks internet traffic. ALB in private (B) cannot receive internet traffic.

Question 104 · MCQ · hard

Refer to the exhibit. A developer receives an 'UnauthorizedOperation' error when launching an EC2 instance with the specified security group. The developer has permissions to use ec2:RunInstances. What is the most likely cause?

A. The security group contains an inbound rule with a source of 0.0.0.0/0 for port 80, which is too permissive and triggers a service control policy (SCP) that denies launching instances with overly permissive rules.
B. The security group allows inbound HTTPS from the entire RFC 1918 address space, but the instance is in a public subnet.
C. The security group allows outbound all traffic, which violates the principle of least privilege.
D. The instance type t2.micro is not available in the specified subnet's Availability Zone.
Answer: A

SCPs can deny actions based on resource tags or conditions, but security group rules themselves do not cause launch failures. However, SCPs can deny RunInstances if the security group has rules that violate policy. The error indicates a permissions issue, likely due to an SCP that denies launching instances with 0.0.0.0/0 inbound rules.

Why this answer

The 'UnauthorizedOperation' error indicates an IAM or SCP permissions issue. Since the developer has ec2:RunInstances permissions, an SCP most likely denies the action when the security group has a rule allowing 0.0.0.0/0. Option A is the most plausible given the exhibit.

Question 105 · Multi-Select · medium

A company wants to ensure that all Amazon S3 bucket policies comply with a security baseline that prohibits public read access. Which TWO methods can be used to detect non-compliant buckets? (Choose TWO.)

Select 2 answers
A.Enable AWS CloudTrail to monitor GetPublicAccessBlock calls.
B.Use IAM Access Analyzer to review bucket policies for public access.
C.Use Amazon Inspector to scan bucket policies.
D.Use AWS Config with the s3-bucket-public-read-prohibited managed rule.
E.Use AWS Trusted Advisor to check S3 bucket permissions.
AnswersB, D

Access Analyzer can analyze resource policies to identify public access.

Why this answer

AWS Config has managed rules for S3 bucket public read access. IAM Access Analyzer can identify buckets that are publicly accessible. CloudTrail is for logging API calls, not for detecting public access.

Trusted Advisor does include a check for S3 buckets with open access permissions, but it is an account-level best-practice check rather than a per-bucket compliance control, so it is less granular than the other two methods. The two methods the exam expects are AWS Config (with the s3-bucket-public-read-prohibited managed rule) and IAM Access Analyzer.

106
MCQmedium

A security engineer needs to ensure that all traffic between two EC2 instances in different subnets is encrypted in transit. What is the most secure and efficient solution?

A.Configure network ACLs to allow traffic
B.Use VPC Peering
C.Set up an IPsec VPN between the instances
D.Configure security groups to allow traffic
AnswerC

IPsec encrypts all IP traffic between the endpoints.

Why this answer

Option C is correct because an IPsec VPN provides encryption in transit. Option B is wrong because VPC peering does not encrypt traffic. Option D is wrong because security groups do not encrypt. Option A is wrong because network ACLs do not encrypt.

107
Multi-Selectmedium

A Security Engineer is configuring a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. Which TWO actions should the Engineer take to allow the web server internet access without exposing the database to the internet?

Select 2 answers
A.Create a bastion host in the public subnet and configure the web server to use it as a proxy.
B.Create a VPC endpoint for Amazon S3.
C.Create a NAT Gateway in the public subnet.
D.Attach an Internet Gateway to the VPC and add a route to the Internet Gateway in the private subnet's route table.
E.Add a route in the private subnet's route table that points 0.0.0.0/0 to the NAT Gateway.
AnswersC, E

NAT Gateway enables outbound internet access for instances in private subnets.

Why this answer

Option C (NAT Gateway) and option E (route table update) are correct because a NAT Gateway in the public subnet allows instances in private subnets to initiate outbound traffic to the internet, and a 0.0.0.0/0 route in the private subnet route table directs internet-bound traffic to the NAT Gateway. Option D is wrong because a route to the Internet Gateway belongs in public subnet route tables; adding it to the private subnet's route table would make that subnet public. Option B is wrong because a VPC endpoint for S3 provides private access to S3, not general internet access. Option A is wrong because a bastion host is for SSH access, not for internet access.

108
MCQmedium

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom header X-Auth-Token to authenticate requests. The security team wants to use AWS WAF to block requests that do not contain this header or contain an invalid token. The WAF is associated with the ALB. The team creates a rule with a match condition that checks for the presence of the X-Auth-Token header and a regex pattern for the token value. However, the rule is not blocking any requests. What is the most likely cause?

A.AWS WAF is not supported for Application Load Balancers; it only supports CloudFront.
B.AWS WAF cannot inspect custom headers; it can only inspect standard HTTP headers.
C.The regex pattern for the token is too complex for AWS WAF to process.
D.There is an allow rule with a higher priority that allows all requests before the block rule is evaluated.
AnswerD

Rules are evaluated in priority order; a higher priority allow rule would override the block rule.

Why this answer

Option D is correct. AWS WAF evaluates rules in order, and if a rule with a higher priority allows the request, it will not be blocked by a lower priority rule. The team may have an allow rule with higher priority that allows all requests.

Option A is incorrect because AWS WAF can be associated with an ALB. Option B is incorrect because WAF can inspect custom headers. Option C is incorrect because WAF can handle regex patterns.

109
MCQeasy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The security team wants to create a subnet for a legacy application that requires 2000 IP addresses. What is the smallest subnet CIDR that meets this requirement?

A.10.0.0.0/24
B.10.0.0.0/20
C.10.0.0.0/22
D.10.0.0.0/19
AnswerB

/20 gives 4096 addresses, sufficient and smallest.

Why this answer

Option B is correct because a /20 subnet provides 4096 IP addresses (minus the 5 that AWS reserves per subnet), which is the smallest that can accommodate 2000. Option A (/24) provides 256 IPs and option C (/22) provides 1024 IPs, both too small. Option D (/19) provides 8192 IPs, larger than needed.

110
MCQmedium

A security engineer needs to ensure that an Amazon S3 bucket blocks all public access. Which S3 block public access settings should be enabled?

A.Block public access to buckets and objects granted through new public bucket policies
B.Block public access to buckets and objects granted through new access control lists (ACLs)
C.Block public access to buckets and objects granted through any access control lists (ACLs)
D.Block all public access
AnswerD

This setting blocks all public access, including both ACLs and bucket policies.

Why this answer

The correct answer is D because 'Block all public access' enables all four block public access settings and provides the most restrictive control. Option A is wrong because it only blocks public access granted through new bucket policies. Option B is wrong because it only blocks public access granted through new ACLs. Option C is wrong because it only blocks public access granted through ACLs, not through bucket policies.

111
MCQeasy

A company wants to allow a user to assume a role in another AWS account to access resources. Which AWS service should be used to create and manage the trust relationship between the accounts?

A.IAM roles with a trust policy that allows the external account.
B.AWS Security Token Service (STS) to generate tokens.
C.IAM users in the source account with cross-account permissions.
D.AWS Organizations service control policies.
AnswerA

Trust policies define who can assume the role.

Why this answer

Option A is correct. IAM roles have trust policies that define which accounts or users can assume the role. Option C (IAM users) are for individuals, not cross-account access. Option D (AWS Organizations service control policies) can help manage multiple accounts but does not create trust relationships. Option B (AWS STS) is used to request temporary credentials, but the trust policy is defined in the role itself.

112
MCQeasy

A company wants to restrict access to an Amazon S3 bucket so that only users from a specific AWS account can upload objects. Which policy mechanism should be used?

A.Create a bucket policy with a condition that checks the aws:SourceAccount condition key.
B.Attach an IAM policy to the bucket that denies access to all users except those from the allowed account.
C.Generate a pre-signed URL for each upload request.
D.Configure the bucket ACL to grant access only to the allowed account's canonical user ID.
AnswerA

This policy ensures that only requests from the specified account are allowed.

Why this answer

Option A is correct because a bucket policy with a condition on the aws:SourceAccount key ensures that only requests originating from the specified account are allowed. Option B is wrong because IAM policies are attached to users, groups and roles, not to the bucket itself. Option D is wrong because S3 access control lists (ACLs) can grant access to another AWS account but do not support condition keys. Option C is wrong because a pre-signed URL grants time-limited access but does not restrict to a specific account.

113
MCQmedium

A security engineer sees the above security group configuration for an EC2 instance. The instance hosts a web application that should only be accessible from the internal network (10.0.0.0/8) over HTTPS, and SSH should not be open to the internet. What is the security issue with this configuration?

A.The outbound rule allows all traffic to all destinations.
B.The inbound HTTPS rule is too permissive.
C.The inbound SSH rule is too permissive.
D.There is no security issue; the configuration is correct.
AnswerA

The outbound rule allows all traffic to 0.0.0.0/0, which is overly permissive and could allow data exfiltration.

Why this answer

Option A is correct because the outbound rule allows all traffic to all destinations (0.0.0.0/0), which is overly permissive and could allow data exfiltration. Option C is wrong because the exhibit restricts SSH to the internal network, not the internet. Option D is wrong because the configuration does have a problem.

The exhibit (not reproduced here) shows inbound SSH from the internal network, inbound HTTPS from 0.0.0.0/0, and outbound all traffic. The HTTPS rule also violates the stated requirement (HTTPS only from 10.0.0.0/8), which is what option B points out, so both A and B describe real problems with this configuration. The answer key treats the unrestricted outbound rule as the security issue the question asks about; in practice both rules should be tightened.

114
Multi-Selecteasy

Which TWO AWS services are designed to provide DDoS protection? (Choose 2.)

Select 2 answers
A.VPC Flow Logs
B.AWS CloudTrail
C.AWS Config
D.AWS WAF
E.AWS Shield Standard
AnswersD, E

AWS Shield Standard provides automatic DDoS protection; AWS WAF protects against application-layer DDoS attacks.

Why this answer

Options D and E are correct. AWS Shield Standard provides automatic DDoS protection. AWS WAF provides application-layer DDoS protection.

Option A is wrong because VPC Flow Logs are for logging traffic. Option C is wrong because AWS Config is for configuration management. Option B is wrong because CloudTrail is for API logging.

115
Multi-Selectmedium

A security engineer is designing a VPC with public and private subnets. The private subnets will host databases that should not have direct internet access. Which three components are required to provide outbound internet access for these databases? (Choose THREE.)

Select 3 answers
A.AWS WAF attached to the NAT gateway.
B.An internet gateway attached to the VPC.
C.Route tables in the private subnets with a default route (0.0.0.0/0) pointing to the NAT gateway.
D.A VPC gateway endpoint for S3.
E.A NAT gateway in a public subnet.
AnswersB, C, E

The internet gateway provides internet access for the public subnet where the NAT gateway resides.

Why this answer

Options B, C and E are correct. A NAT gateway (or NAT instance) in a public subnet provides outbound internet access, and the route tables in the private subnets must have a default route pointing to the NAT device.

An internet gateway is needed to provide internet connectivity to the public subnet that hosts the NAT gateway. Option D is wrong because a VPC gateway endpoint is for S3/DynamoDB, not general internet access. Option A is wrong because AWS WAF is a web application firewall and cannot be attached to a NAT gateway.

116
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A security requirement states that no security group should allow inbound SSH access from 0.0.0.0/0. What is the best way to enforce this policy?

A.Create an IAM policy that denies the ec2:AuthorizeSecurityGroupIngress action if the CIDR is 0.0.0.0/0.
B.Use AWS Config with a managed rule to detect and automatically remediate non-compliant security groups.
C.Add an AWS::IAM::Policy resource in the CloudFormation template to deny the rule.
D.Use a service control policy (SCP) that denies the CreateStack action if the template contains SSH from 0.0.0.0/0.
AnswerB

AWS Config can automatically remediate.

Why this answer

Option B is correct because AWS Config can evaluate security group rules and trigger automatic remediation. Option A is wrong because IAM policies cannot prevent resource creation based on the resource's configuration. Option D is wrong because SCPs cannot inspect the contents of a CloudFormation template. Option C is wrong because CloudFormation has no built-in security checks.

117
MCQhard

A company uses AWS Organizations to manage multiple accounts. The security team must enforce that all Amazon S3 buckets across all accounts are encrypted with AWS KMS. The team has enabled S3 default encryption for new buckets, but existing buckets may not be encrypted. They need to automatically remediate any non-compliant buckets. The team has AWS Config and AWS Lambda available. What is the MOST operationally efficient solution?

A.Manually review all buckets using the S3 console and enable encryption for those that are not encrypted.
B.Write a script that runs daily on an EC2 instance to list all buckets and enable encryption on any that are not encrypted.
C.Use AWS Config with the s3-bucket-server-side-encryption-enabled rule and configure an AWS Systems Manager Automation document to remediate non-compliant buckets.
D.Use AWS Trusted Advisor to check for unencrypted buckets and send an SNS notification to the security team to manually remediate.
AnswerC

Correct: Config detects non-compliance and SSM Automation remediates automatically.

Why this answer

Using AWS Config with the s3-bucket-server-side-encryption-enabled managed rule to detect non-compliant buckets and attaching an automatic remediation action (the Systems Manager Automation document named in option C; a Lambda function triggered through EventBridge is an equivalent serverless alternative) is the most operationally efficient. It is automated and serverless, unlike the manual review in options A and D or the scheduled EC2 script in option B.

118
MCQhard

A security engineer is reviewing the following IAM policy attached to an S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/8"
                }
            }
        }
    ]
}

The bucket contains sensitive data and should only be accessible from the corporate network (CIDR 10.0.0.0/8). However, the engineer is concerned that this policy might not be effective. What is the primary security concern with this policy?

A.The bucket policy does not include a Deny statement for requests outside the IP range, so the default allow might still permit access from other IPs.
B.The policy grants public access to the bucket because the Principal is "*", allowing anyone from the specified IP range to access objects.
C.The condition key aws:SourceIp only evaluates the IP address of the client, but if the request comes through a proxy, the IP might not match.
D.The policy uses s3:GetObject but does not include s3:ListBucket, so users cannot see the object list, but they can guess object keys.
AnswerB

Any user from the allowed IP range can access the bucket, which is essentially public access to that network.

Why this answer

Option B is correct because, with Principal "*", the policy grants anonymous access: any user on the specified network can read objects without presenting AWS credentials. Option A is wrong because the condition does restrict by IP, and a request that matches no Allow falls to the implicit deny. Option C is wrong because, although a proxy can change the source IP that S3 sees, that is a secondary concern compared with the anonymous grant. Option D is wrong because the policy does not open the entire bucket; it only allows GetObject.

119
Multi-Selecthard

A company is migrating a legacy application to AWS. The application requires two-way communication between the web servers and the database servers using TCP port 3306. The security team wants to follow the principle of least privilege. Which TWO actions should be taken to secure the traffic?

Select 2 answers
A.Create a security group for the web servers that allows outbound traffic on port 3306 to the database security group.
B.Create a security group for the database servers that allows inbound traffic on port 3306 from the web subnet CIDR.
C.Place the database servers in a public subnet for easier connectivity.
D.Configure the network ACL for the database subnet to allow inbound traffic on port 3306 from the web subnet CIDR.
E.Create a security group for the database servers that allows inbound traffic on port 3306 from the web security group ID.
AnswersA, E

Security groups are stateful and will allow return traffic automatically.

Why this answer

Option A is correct because security groups are stateful, so allowing outbound traffic on port 3306 from the web servers to the database security group automatically permits the corresponding return traffic. This adheres to the principle of least privilege by specifying the destination as the database security group ID rather than a broad CIDR range, ensuring only the intended web servers can initiate the connection. Option E applies the same principle on the database side: inbound port 3306 is allowed from the web security group ID rather than from the web subnet CIDR (option B), so only instances in the web security group can reach the database.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and incorrectly assume that a subnet CIDR-based rule in a security group is equivalent to using a security group ID, when in fact the latter provides stricter least-privilege control by limiting access to only the specific instances in the web security group.

120
MCQhard

A company has a VPC with public and private subnets. The private subnets host Amazon RDS instances. To allow the RDS instances to access the internet for software updates without exposing them to inbound internet traffic, what should be configured?

A.Use a VPN connection to an on-premises network that has internet access.
B.Set up a VPC peering connection to a VPC with internet access.
C.Create a NAT gateway in a public subnet and add a route to the NAT gateway in the private subnet route table.
D.Attach an internet gateway to the private subnet route table.
AnswerC

NAT gateway allows outbound internet, blocks inbound.

Why this answer

Option C is correct because a NAT gateway allows outbound internet traffic from private subnets while blocking unsolicited inbound traffic. Option D is wrong because routing the private subnet to an internet gateway would expose the instances. Option B is wrong because VPC peering connects VPCs and does not provide internet access. Option A is wrong because a VPN to an on-premises network does not by itself provide internet access.

121
MCQeasy

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which security mechanism should be used?

A.Use an S3 bucket policy with a condition that restricts access to the VPC endpoint ID.
B.Assign an IAM role to the S3 bucket.
C.Attach a security group to the S3 bucket.
D.Configure a network ACL on the VPC subnet to allow traffic to S3.
AnswerA

This allows only traffic originating from the specified VPC endpoint.

Why this answer

An S3 bucket policy with a condition that limits access to the VPC endpoint ID is the correct approach. Network ACLs do not apply to S3, security groups are not used for S3, and IAM roles alone cannot restrict by network path.

122
MCQeasy

A security engineer needs to ensure that all data stored in an Amazon S3 bucket is encrypted at rest. The bucket must use server-side encryption with a key managed by the customer (SSE-C). What must the engineer include in the PUT request to enforce this?

A.x-amz-server-side-encryption-customer-algorithm and x-amz-server-side-encryption-customer-key
B.x-amz-server-side-encryption: AES256
C.x-amz-server-side-encryption: aws:kms
D.x-amz-server-side-encryption-bucket-key-enabled: true
AnswerA

These headers are required for SSE-C to provide the encryption key.

Why this answer

Option A is correct because SSE-C requires the customer-provided key (and the algorithm) to be supplied in the request headers. Option B is wrong because x-amz-server-side-encryption: AES256 selects SSE-S3, which uses S3-managed keys. Option C is wrong because aws:kms selects SSE-KMS, which uses KMS keys. Option D is wrong because the bucket-key header applies to S3 Bucket Keys with SSE-KMS; with SSE-C the key must still be provided in each request.

123
MCQmedium

A security engineer is tasked with implementing network segmentation for a multi-tier application. The web tier must be accessible from the internet, but the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. All tiers are in the same VPC. Which design meets these requirements?

A.Create a security group for each tier. Configure inbound rules to allow traffic only from the preceding tier's security group.
B.Use a single security group for all instances and use IAM policies to restrict access.
C.Place each tier in separate subnets and use network ACLs with CIDR blocks to allow traffic between tiers.
D.Place all instances in public subnets and restrict access using security groups.
AnswerA

Security group references provide granular control.

Why this answer

Option A is correct because security groups can be referenced in the inbound rules of other security groups: the web tier SG allows inbound from the ALB SG, the app tier SG allows inbound from the web tier SG, and the database tier SG allows inbound from the app tier SG. Option C is wrong because network ACLs with CIDR blocks are less granular, are stateless and require more rules, and do not scale. Option D is wrong because public subnets expose the application and database tiers to the internet. Option B is wrong because IAM policies control API access, not network traffic between instances.

124
MCQhard

A company wants to deploy a web application that must be accessible over HTTPS only. The application runs behind an Application Load Balancer (ALB). The security team wants to enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Which configuration achieves this?

A.Use AWS CloudFront with a custom header that enforces HSTS
B.Configure the ALB to redirect HTTP traffic to HTTPS and have the application set the Strict-Transport-Security header in the response
C.Configure the ALB listener to use HTTPS only and set a custom header via a listener rule
D.Enable HSTS on the ALB via the AWS Management Console
AnswerB

HSTS is set by the application; ALB can redirect HTTP.

Why this answer

Option B (configure the ALB to redirect HTTP to HTTPS and have the application set the Strict-Transport-Security header) is correct. Option C is wrong because HSTS is a response header set by the application, not a listener rule. Option A is wrong because HSTS is not a CloudFront feature. Option D is wrong because there is no HSTS setting to enable on the ALB; the header comes from the application response.

125
MCQeasy

A company is using AWS WAF to protect its Application Load Balancer (ALB). The security team wants to block requests that do not contain a valid API key in the HTTP header 'X-API-Key'. Which WAF rule type should be used?

A.String match condition
B.Regex pattern set
C.Rate-based rule
D.IP set
AnswerB

A regex pattern set can define the expected format of valid API keys and block requests whose header value does not match.

Why this answer

A regex pattern set rule is the correct choice because it allows you to define a regular expression pattern that matches the expected format of valid API keys in the 'X-API-Key' header. AWS WAF regex pattern sets can be used in a rule to inspect the header value and block requests that do not match the pattern, providing flexible and precise validation beyond simple string matching.

Exam trap

The trap here is that candidates often confuse string match conditions with regex pattern sets, assuming that a simple 'contains' or 'starts with' string match is sufficient for validating structured data like API keys, when in fact regex provides the necessary pattern flexibility.

How to eliminate wrong answers

Option A is wrong because a string match condition can only check for exact or substring matches, not complex patterns like varying alphanumeric formats or specific character sequences typical of API keys. Option C is wrong because a rate-based rule is designed to block IPs based on request rate thresholds, not to inspect header content for a valid API key. Option D is wrong because an IP set rule blocks or allows traffic based on source IP addresses, not on the presence or validity of an API key in a header.

126
MCQhard

A financial services company runs a critical application on Amazon EC2 instances in a VPC. The application processes sensitive financial data and must meet strict compliance requirements. The security team recently discovered that an EC2 instance was compromised due to an unpatched vulnerability. The attacker used the instance's IAM role to access an S3 bucket containing customer data and exfiltrated the data. The security team needs to prevent such incidents in the future. They have implemented the following controls: - All EC2 instances are launched in private subnets. - The IAM roles used by EC2 instances follow the principle of least privilege. - Security groups restrict inbound and outbound traffic. - AWS Systems Manager Patch Manager is used to patch instances. - AWS CloudTrail is enabled and logs are sent to a centralized S3 bucket. - Amazon GuardDuty is enabled. Despite these controls, the team is concerned about the blast radius if an instance is compromised again. Which additional measure would MOST effectively limit the blast radius of a compromised EC2 instance?

A.Enable VPC Flow Logs to monitor traffic to S3.
B.Use S3 VPC Endpoints with a bucket policy that only allows access from the VPC endpoint, and use Systems Manager Session Manager instead of SSH.
C.Deploy AWS WAF in front of the S3 bucket.
D.Create an AWS Config rule to detect S3 access from EC2 instances.
AnswerB

This restricts S3 access to the VPC and reduces the attack surface for data exfiltration.

Why this answer

Option B is correct because using an S3 VPC endpoint with a bucket policy that restricts access exclusively to that endpoint ensures that compromised EC2 instances can only reach S3 through the VPC endpoint, preventing data exfiltration over the internet. Additionally, replacing SSH with Systems Manager Session Manager eliminates the need for open inbound SSH ports and provides fine-grained access control through IAM, reducing the attack surface and blast radius.

Exam trap

The trap here is that candidates may choose VPC Flow Logs (Option A) thinking it provides active protection, but it is only a monitoring tool that does not reduce the blast radius; the key is to implement network-level and access-level restrictions that prevent data exfiltration even if an instance is compromised.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs only provide visibility into traffic patterns and do not actively limit the blast radius or prevent data exfiltration. Option C is wrong because AWS WAF is a web application firewall designed to protect web-facing resources like ALB or CloudFront, not S3 buckets directly; it cannot restrict access from EC2 instances to S3. Option D is wrong because an AWS Config rule is a detective control that can detect non-compliant access after it occurs, but it does not proactively limit the blast radius or prevent exfiltration in real time.

127
MCQmedium

A company has a security group that allows inbound SSH from 0.0.0.0/0. The security team wants to restrict access to only the company's public IP range 203.0.113.0/24. What change should be made?

A.Add a network ACL rule to deny SSH from 0.0.0.0/0.
B.Modify the inbound SSH rule in the security group to source 203.0.113.0/24.
C.Add a network ACL rule to allow SSH from 203.0.113.0/24.
D.Remove the inbound SSH rule from the security group.
AnswerB

Directly restricts SSH to company IP range.

Why this answer

Option B is correct because security groups are stateful and act as a virtual firewall for instances. To restrict inbound SSH access from 0.0.0.0/0 to only the company's public IP range, you must modify the existing inbound rule's source CIDR from 0.0.0.0/0 to 203.0.113.0/24. This change directly updates the allowed source IP range, and since security groups evaluate all rules before making a decision, the more specific allowed range will take effect without needing additional rules.

Exam trap

The trap here is that candidates often confuse the stateless behavior of network ACLs with the stateful behavior of security groups, leading them to incorrectly believe that adding a deny rule in a network ACL can override a security group's allow rule for the same traffic.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and operate at the subnet level, not at the instance level; adding a deny rule in a network ACL would not override the security group's allow rule for SSH, and it would also require an explicit allow rule for return traffic due to statelessness. Option C is wrong because adding a network ACL rule to allow SSH from 203.0.113.0/24 does not change the security group's existing inbound SSH rule that allows 0.0.0.0/0, so SSH from any IP would still be permitted by the security group. Option D is wrong because removing the inbound SSH rule entirely would block all SSH access, including from the company's intended IP range, which is not the desired outcome.
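Questions 113, 116 and 127 all turn on the same review of a security group: an inbound rule whose source is wider than the policy allows (SSH or HTTPS from 0.0.0.0/0) and an outbound rule that permits all traffic to 0.0.0.0/0. The following is an added example, not code from the question bank or from AWS: it audits a security group in the shape returned by the EC2 DescribeSecurityGroups API against a small per-port policy and applies the fix from question 127 (narrowing the SSH source to the corporate range). The security group, group IDs and the 203.0.113.0/24 and 10.0.0.0/8 ranges are constructed from the questions' own values; the function names are assumptions.

```python
import copy
import ipaddress

# Constructed sample in the shape EC2 DescribeSecurityGroups returns
# (IpPermissions / IpPermissionsEgress). Not taken from the page's exhibits.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "GroupName": "web-legacy",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ],
}

CORP_PUBLIC = ipaddress.ip_network("203.0.113.0/24")   # allowed SSH source (Q127)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # allowed HTTPS source (Q113)

# Widest acceptable source per inbound TCP port; ports not listed are not checked.
POLICY = {22: CORP_PUBLIC, 443: INTERNAL_NET}


def covers_port(rule, port):
    """True if an IpPermissions entry includes the given TCP port (or all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def too_broad(cidr, allowed):
    """True if cidr reaches outside the allowed network (0.0.0.0/0 always does)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != allowed.version:
        return True
    return not net.subnet_of(allowed)


def audit_security_group(sg, policy):
    """Return a list of finding strings; an empty list means the group is compliant."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        for port, allowed in policy.items():
            if not covers_port(rule, port):
                continue
            for r in rule.get("IpRanges", []):
                if too_broad(r["CidrIp"], allowed):
                    findings.append(
                        f"inbound tcp/{port} from {r['CidrIp']} exceeds {allowed}")
    for rule in sg.get("IpPermissionsEgress", []):
        # The Q113 finding: all protocols to every destination.
        if rule.get("IpProtocol") == "-1":
            for r in rule.get("IpRanges", []):
                if r["CidrIp"] == "0.0.0.0/0":
                    findings.append("outbound all traffic to 0.0.0.0/0")
    return findings


def restrict_inbound_source(sg, port, new_cidr):
    """Return a copy of sg in which every inbound TCP rule for `port` that is
    sourced from 0.0.0.0/0 is narrowed to new_cidr (the change from Q127)."""
    fixed = copy.deepcopy(sg)
    for rule in fixed.get("IpPermissions", []):
        if rule.get("IpProtocol") == "tcp" and covers_port(rule, port):
            for r in rule.get("IpRanges", []):
                if r["CidrIp"] == "0.0.0.0/0":
                    r["CidrIp"] = new_cidr
    return fixed


if __name__ == "__main__":
    for line in audit_security_group(SAMPLE_SG, POLICY):
        print("FINDING:", line)
    fixed = restrict_inbound_source(SAMPLE_SG, 22, str(CORP_PUBLIC))
    print("after SSH fix:", audit_security_group(fixed, POLICY))
```

Run against the constructed group, the audit reports three findings (SSH open to the world, HTTPS open to the world, unrestricted egress); after narrowing the SSH source as question 127 prescribes, the other two remain, which is the point of question 113: changing one rule does not make the group compliant.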

128
Multi-Selectmedium

A security engineer is designing a secure VPC architecture. Which THREE components should be used to implement defense in depth? (Choose three.)

Select 3 answers
A.VPN connection
B.Internet gateway
C.Security groups
D.Network ACLs
E.VPC Flow Logs
AnswersC, D, E

Security groups are the instance-level firewall, network ACLs add a subnet-level layer, and VPC Flow Logs add a detective layer.

Why this answer

Security groups (C) are stateful virtual firewalls that control inbound and outbound traffic at the instance level. They operate at the network interface (ENI) level, allowing only explicitly permitted traffic and automatically allowing return traffic for permitted sessions. This provides a critical layer of host-level defense within the VPC.

Exam trap

The trap here is that candidates often confuse connectivity components (VPN, Internet gateway) with security controls, or they overlook that VPC Flow Logs are a detective control (not preventive) but still a valid part of defense in depth, leading them to select A or B instead of the correct trio of security groups, network ACLs, and VPC Flow Logs.

129
MCQmedium

A company has an AWS Direct Connect connection to its on-premises data center. The security team wants to ensure that traffic between the VPC and the data center is encrypted. Which solution should they use?

A.Set up an IPsec VPN connection over the Direct Connect virtual interface.
B.Enable encryption on the Direct Connect virtual interface.
C.Use AWS Site-to-Site VPN over the internet.
D.Use VPC Peering to connect the VPC to the data center.
AnswerA

This encrypts traffic between on-premises and AWS.

Why this answer

AWS Direct Connect does not encrypt traffic by default. To encrypt it, use an IPsec VPN over Direct Connect or encrypt the data at the application layer, so option A is correct.

Option B is not possible because a Direct Connect virtual interface has no encryption setting. Option C is a VPN over the internet rather than over the Direct Connect link. Option D is wrong because VPC peering connects VPCs, not an on-premises data center.

130
Multi-Select · medium

A company is designing a network architecture for a critical application that must be highly available and secure. Which TWO actions should be taken to ensure high availability of the network infrastructure?

Select 2 answers
A. Deploy resources across multiple Availability Zones.
B. Use Elastic IP addresses for failover between instances.
C. Use a single internet gateway for the VPC.
D. Use a single Availability Zone for all resources to reduce complexity.
E. Place all instances in a public subnet for easy access.
Answers: A, B

Multi-AZ deployment provides fault isolation.

Why this answer

Deploying resources across multiple Availability Zones (A) and using Elastic IP addresses for failover between instances (B) improve availability, so A and B are correct. A single Availability Zone (D) is not high availability.

A single internet gateway (C) is a single point of failure if it is not redundant. A public subnet (E) does not improve availability.

131
MCQ · hard

Refer to the exhibit. A security engineer finds the above IAM policy attached to an IAM group. The policy is intended to allow all EC2 actions only from the corporate network (10.0.0.0/8). However, users report that they can perform EC2 actions from outside the corporate network. What is the MOST likely reason?

A. The IAM group has an additional policy that allows all EC2 actions without conditions.
B. The policy allows access to all EC2 actions, but the condition only applies to the ec2:* actions, which includes all EC2 actions.
C. The aws:SourceIp condition key does not apply to API calls made through the AWS Management Console; the console uses AWS IP addresses.
D. The policy should use a NotIpAddress condition instead of IpAddress.
Answer: C

Correct: Console API calls originate from AWS IPs, not the user's client IP, so the condition is ineffective.

Why this answer

Option C is correct because the `aws:SourceIp` condition key does not evaluate the user's client IP for requests made through the AWS Management Console. When a user signs in to the console, the console makes API calls on their behalf from AWS service endpoints, so the source IP that IAM sees is an AWS-owned address, not the user's corporate IP. The `IpAddress` condition therefore never matches for console users, and the restriction the policy was meant to impose is not enforced as the engineer intended.

Note what this does and does not explain by itself. The statement is an Allow with a condition: when the condition is not met, the Allow simply does not apply, and since there is no explicit Deny, the request falls through to the implicit deny unless some other policy allows it. The question states that users can still perform EC2 actions from outside the corporate network, which implies that another grant (such as the unconditional policy described in Option A) is also in effect.

The question, however, asks for the MOST likely reason given the exhibit and the stated intent. The trap is that `aws:SourceIp` does not work as a client-IP restriction for console-based API calls, because the console uses AWS IP addresses, so the condition is effectively ignored for console users and the intended restriction is bypassed. This is a well-known limitation documented by AWS.

Exam trap

The trap here is that candidates assume `aws:SourceIp` works universally for all API calls, but AWS explicitly documents that it does not apply to requests made through the AWS Management Console because the console uses AWS service IPs, not the user's client IP.

How to eliminate wrong answers

Option A is wrong because while an additional permissive policy could override the intended restriction, the question asks for the MOST likely reason based on the exhibit and typical misconfiguration; the exhibit shows only one policy, and the most common mistake is misunderstanding how `aws:SourceIp` works with the console. Option B is wrong because the condition applies to all `ec2:*` actions, which includes all EC2 actions, so the condition is correctly scoped; the issue is not the action coverage but the condition key's behavior with the console. Option D is wrong because using `NotIpAddress` would allow all IPs except the corporate network, which is the opposite of the intended effect; the policy intends to allow only from corporate network, so `IpAddress` is correct—the problem is not the condition type but the fact that the console does not pass the user's source IP.

132
MCQ · medium

An application running on EC2 instances needs to access an S3 bucket. The Security Engineer wants to ensure that the EC2 instances do not have access keys and that the access is restricted to only the required bucket. What is the most secure way to provide this access?

A. Generate an access key for an IAM user with permissions to the S3 bucket and store it in the EC2 instance.
B. Create an S3 bucket policy that allows the EC2 instance's public IP address to access the bucket.
C. Create an IAM role with a policy that allows access to the specific S3 bucket, and attach the role to the EC2 instance profile.
D. Use the root user's access keys to configure the application.
Answer: C

This uses temporary credentials and least privilege.

Why this answer

Option C is correct because an IAM role with a policy that grants access to the specific bucket, attached to an instance profile, is the most secure and scalable method. Option A is wrong because storing access keys on the instance is insecure. Option D is wrong because using the root user's credentials is highly insecure.

Option B is wrong because a bucket policy alone does not grant access to EC2 instances; the instances still need credentials to sign their requests.

133
MCQ · medium

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy element should be used in the S3 bucket policy?

A. aws:Referer
B. aws:SourceVpce
C. aws:SourceVpc
D. aws:SourceIp
Answer: B

SourceVpce restricts by VPC endpoint ID.

Why this answer

The aws:SourceVpce condition key limits access to requests originating from a specific VPC endpoint. Option B is correct. Option D (aws:SourceIp) is for IP addresses, not VPC endpoints.

Option C (aws:SourceVpc) is for entire VPCs, not specific endpoints. Option A (aws:Referer) is for HTTP Referer headers.

134
MCQ · hard

Refer to the exhibit. An application running on EC2 behind an ALB is unreachable from the internet. The ALB health checks are failing. What is the most likely cause?

A. The security group inbound rule allows HTTP from 0.0.0.0/0, but it should only allow traffic from the ALB's security group.
B. The network ACL outbound rules deny all traffic, so the instance cannot send responses back to the ALB.
C. The security group outbound rule allows all traffic, which is too permissive and causes the ALB to reject the instance as unhealthy.
D. The network ACL inbound rule only allows traffic from 10.0.0.0/16 on ports 80 and 443, but the ALB is in a different subnet (public subnet) with a different CIDR (e.g., 10.0.2.0/24). The ALB's traffic to the instance must come from its private IP, which is in the same VPC but may not be within 10.0.0.0/16 if the VPC CIDR is not /16.
Answer: D

The network ACL allows inbound HTTP/HTTPS only from 10.0.0.0/16. The ALB sends health checks and forwarded requests to the instance from its own private IP, so if the ALB's subnet is not contained in 10.0.0.0/16 (which is the case when the VPC CIDR itself lies outside that range), the network ACL denies the traffic.

Why this answer

The network ACL inbound rules allow traffic only from 10.0.0.0/16 on HTTP/HTTPS. Be careful with the example CIDRs: a VPC of 10.0.0.0/20 with the ALB in 10.0.2.0/24 would both sit inside that range, since 10.0.0.0/16 covers 10.0.0.0 to 10.0.255.255, so in that case the ALB's traffic would be allowed.

The cause therefore applies only when the VPC CIDR is outside 10.0.0.0/16, so that the ALB's private IP is not covered by the allow rule. The most common mistake of this kind is a network ACL that does not allow the ALB's source addresses. Option D is correct.

135
Multi-Select · medium

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that the logs are encrypted at rest and that access to the logs is controlled. Which actions should be taken? (Choose two.)

Select 2 answers
A. Enable CloudTrail log file validation
B. Enable default encryption on the S3 bucket where CloudTrail logs are stored
C. Attach an S3 bucket policy that restricts access to the CloudTrail logs to authorized principals
D. Use AWS KMS to encrypt the CloudTrail log files
E. Store logs in Amazon CloudWatch Logs with encryption enabled
Answers: B, C

Encrypts logs at rest using SSE-S3 or SSE-KMS.

Why this answer

Option B (enable default encryption on the S3 bucket) and Option C (restrict access with an S3 bucket policy) are correct. Option D is wrong because CloudTrail does not support KMS per trail; it uses S3 SSE. Option A is wrong because log file validation checks the integrity of the delivered log files; it neither encrypts them nor controls access to them.

Option E is wrong because CloudWatch Logs can be encrypted, but that is not the primary method for protecting the log files delivered to S3.

136
Multi-Select · medium

Which TWO actions should a security engineer take to protect an Amazon EC2 instance from unauthorized access? (Choose two.)

Select 2 answers
A. Place the instance in a public subnet and rely solely on security groups.
B. Disable termination protection so the instance can be easily terminated if compromised.
C. Configure security groups to allow only necessary inbound traffic.
D. Place the instance in a private subnet and use a bastion host for administrative access.
E. Enable detailed billing to monitor instance usage.
Answers: C, D

Minimizing inbound traffic reduces attack surface.

Why this answer

Options C and D are correct. Using security groups to restrict inbound traffic to the necessary ports and placing the instance in a private subnet without direct internet access are fundamental security best practices. Option B (disabling termination protection) does not prevent unauthorized access.

Option A (using a public subnet) increases exposure. Option E (enabling detailed billing) is cost-related, not security-related.

137
Multi-Select · easy

A security engineer is configuring a VPC with a public subnet for web servers and a private subnet for databases. The web servers need to download patches from the internet. Which TWO components are required to allow the web servers to access the internet while keeping the database servers isolated?

Select 2 answers
A. Internet gateway attached to the VPC.
B. VPC endpoint for Amazon S3.
C. Transit gateway between the public and private subnets.
D. NAT gateway in the public subnet.
E. Virtual private gateway attached to the VPC.
Answers: A, D

Internet gateway enables communication between the VPC and the internet.

Why this answer

Option A is correct because an internet gateway is needed for the public subnet to reach the internet. Option D is correct because a NAT gateway in the public subnet allows instances in the private subnet to initiate outbound traffic to the internet (for patches) while preventing inbound traffic from the internet. Option E is wrong because a virtual private gateway is for VPN connections.

Option C is wrong because a transit gateway is for connecting multiple VPCs. Option B is wrong because a VPC endpoint is for accessing AWS services privately, not the internet.

138
MCQ · hard

A company is designing a network architecture for a multi-tier web application. The application consists of a public-facing ALB, web servers in private subnets, and an RDS database in isolated subnets. The security team requires that the web servers have no direct internet access. Which VPC configuration meets this requirement?

A. Public subnets with an Internet Gateway.
B. Isolated subnets with no route to the internet.
C. Private subnets with a NAT Gateway in a public subnet.
D. Private subnets with a VPN connection to the corporate network.
Answer: C

Private subnets have no direct inbound internet, but NAT enables outbound.

Why this answer

Option C is correct because private subnets with a NAT Gateway allow outbound internet access for updates while preventing inbound internet traffic. Option A is wrong because public subnets have direct internet access. Option B is wrong because isolated subnets cannot reach the internet even for updates.

Option D is wrong because a VPN does not provide internet access.

139
MCQ · hard

A company wants to allow cross-account access to an S3 bucket. The bucket owner (Account A) wants to grant read-only access to users in Account B. Which combination of policies is required?

A. A bucket ACL in Account A granting READ access to Account B
B. A bucket policy in Account A granting s3:GetObject to Account B and an IAM policy in Account B allowing s3:GetObject
C. An IAM policy in Account A that allows s3:GetObject
D. An IAM role in Account B that grants s3:GetObject to Account A
Answer: B

Both policies are needed: the bucket policy allows cross-account access, and the IAM policy allows the user to perform the action.

Why this answer

Option B is correct because cross-account access requires both a bucket policy granting access and an IAM policy in the accessing account allowing the action. Option D is wrong because an IAM role would require the users to assume the role rather than act under their own identities. Option A is wrong because a bucket ACL is not the recommended method and does not work together with IAM policies alone.

Option C is wrong because an IAM policy in Account A grants nothing to users in Account B; the accessing account must have an IAM policy that allows the action.

140
Multi-Select · hard

A company is using AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to a VPC. The security team wants to encrypt traffic over the Direct Connect connection. Which TWO options can be used? (Choose TWO.)

Select 2 answers
A. Use AWS KMS to encrypt the traffic.
B. Use AWS Certificate Manager to issue certificates for the connection.
C. Enable MACsec on the Direct Connect connection.
D. Use SSL/TLS to encrypt the traffic between on-premises and AWS.
E. Establish an IPsec VPN tunnel over the Direct Connect connection.
Answers: C, E

MACsec provides encryption at the data link layer.

Why this answer

Option E is correct because an IPsec VPN tunnel can be established over the private VIF to encrypt traffic. Option C is correct because MACsec can be enabled on the Direct Connect connection for encryption at the link layer. Option D is wrong because SSL/TLS is application-level encryption, not encryption of the link.

Option A is wrong because AWS KMS does not encrypt network traffic. Option B is wrong because AWS Certificate Manager issues certificates; it does not encrypt traffic.

141
MCQ · hard

Refer to the exhibit. A security engineer attaches this bucket policy to an S3 bucket. A user from IP address 203.0.113.10 tries to download an object using HTTP (not HTTPS). What will happen?

A. The request is allowed because the IP address matches the allow statement.
B. The request is denied because the IP is not in the allowed range.
C. The request is denied because HTTP is used.
D. The request is allowed because the user is using a valid IP.
Answer: C

The deny statement blocks any request using HTTP.

Why this answer

Option C is correct because the first statement denies all S3 actions when HTTPS is not used. Since the request uses HTTP, the condition aws:SecureTransport evaluates to false, so the deny matches and the request is denied. The second statement allows GetObject from the specified IP, but an explicit deny always takes precedence over an allow.

Options A and D are wrong because the explicit deny overrides the allow even though the IP matches. Option B is wrong because the IP address is in the allowed range; the request is denied because of HTTP, not because of the IP.

142
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have encryption enabled. Which approach is MOST effective and scalable?

A. Use an S3 bucket policy in each account to deny PutObject without encryption.
B. Use AWS Config rules to mark non-compliant buckets and automatically remediate.
C. Enable CloudTrail and monitor for buckets without encryption.
D. Apply a service control policy (SCP) that denies s3:CreateBucket unless the bucket has encryption enabled.
Answer: D

SCPs can enforce this across all accounts in the organization.

Why this answer

A service control policy (SCP) can deny the creation of S3 buckets without encryption at the organization level, which is the most effective and scalable. S3 bucket policies require per-bucket management, CloudTrail is detective, and Config rules are reactive.

143
MCQ · hard

A security engineer is configuring a VPC for a highly sensitive application. The VPC must not have a route to the internet, but the application needs to periodically download security patches from a specific domain (patches.example.com). Which solution meets these requirements with minimal operational overhead?

A. Launch a proxy server in a public subnet and configure the application to use the proxy.
B. Use a VPC endpoint for Amazon S3 and DynamoDB to download patches.
C. Create a VPC interface endpoint for AWS Systems Manager and use Systems Manager Patch Manager to apply patches.
D. Deploy a NAT gateway in a public subnet and add a route to the NAT gateway for the private subnet.
Answer: C

Systems Manager can manage patches without internet access via VPC endpoints, and Patch Manager supports custom patch baselines.

Why this answer

Option C is correct because a VPC interface endpoint for AWS Systems Manager allows outbound-only communication to Systems Manager, so Patch Manager can apply patches without a route to the internet. Option B is wrong because VPC endpoints for S3 and DynamoDB reach only those specific services, not general internet destinations. Option D is wrong because a NAT gateway requires an internet gateway and a route to the internet.

Option A is wrong because a proxy server in a public subnet would still need outbound internet access.

144
MCQ · hard

A company runs a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) in a public subnet, EC2 instances in private subnets for the web tier, and an RDS MySQL database in a private subnet. The security team has noticed that the EC2 instances are receiving traffic from unexpected IP addresses on port 22 (SSH). The instances were launched with a default security group that allowed SSH from 0.0.0.0/0. The security engineer has corrected the security group to allow SSH only from the company's bastion host security group. However, the engineer also wants to implement defense-in-depth by adding a network ACL to the private subnet to block SSH from all sources except the bastion host's private IP (10.0.1.10). The private subnet's current network ACL allows all inbound and outbound traffic. The engineer creates a new network ACL with the following rules: Inbound: Rule 100: Allow SSH from 10.0.1.10/32; Rule 200: Deny SSH from 0.0.0.0/0; Rule *: Deny all. Outbound: Rule 100: Allow all. After associating this new NACL with the private subnet, the engineer finds that SSH connections from the bastion host are still being blocked. What is the most likely cause?

A. The outbound rule of the network ACL does not allow ephemeral ports for return traffic.
B. The new network ACL was not associated with the private subnet.
C. The security group on the EC2 instances still allows SSH from 0.0.0.0/0.
D. The network ACL rules are out of order; the deny rule should be before the allow rule.
Answer: B

If the new NACL is not actually associated with the private subnet, the default NACL (which allows all traffic) remains in effect. The question says the engineer associated it, but associating it with the wrong subnet is a common oversight.

Why this answer

Option B is correct. Start with how the rules behave. Network ACLs are stateless, so return traffic must be allowed explicitly, and rules are evaluated in ascending order with the first match deciding. Inbound, rule 100 allows SSH from 10.0.1.10/32 and is evaluated before rule 200, so the bastion host's connections match the allow and never reach the deny; rule 200 blocks SSH from every other source. Outbound, rule 100 allows all traffic, so the instance's replies, which go back to the ephemeral source port (1024-65535) the bastion host used when connecting to port 22, are covered as well. Nothing in the rule set as written should block the bastion host.

Since the rules themselves are sound, the likeliest explanation for SSH from the bastion host still being blocked is that the new network ACL is not in effect on the private subnet: the engineer may have associated it with the wrong subnet, or the bastion host's IP may not be exactly 10.0.1.10. Among the options, B (the network ACL was not associated with the private subnet) is the one that fits. The question says the engineer associated it, but forgetting or misplacing the association is the classic mistake, and that is the exam logic behind this answer.

Option C (the security group still allows SSH from 0.0.0.0/0) would not cause blocking; it is more permissive, not less. Option A (the outbound rule does not allow ephemeral ports) is incorrect because the outbound rule allows all traffic. Option D (the rules are out of order) is plausible in general but does not apply here, because the allow rule (100) already precedes the deny rule (200).

145
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all Amazon S3 buckets across the organization are configured to block public access. Which solution should be used to centrally enforce this requirement?

A. Enable AWS Trusted Advisor to automatically remediate public buckets.
B. Use a service control policy (SCP) to deny the s3:PutBucketPublicAccessBlock action at the organization root.
C. Create an IAM role in each account that denies the s3:PutBucketPublicAccessBlock action.
D. Apply a bucket policy to each bucket that blocks public access.
Answer: B

SCPs can centrally deny actions across accounts.

Why this answer

Option B is correct because SCPs can be applied at the organization root, OU or account level to deny actions that would allow public access to S3 buckets. Option C is wrong because IAM roles grant permissions within a single account and cannot enforce a rule across accounts. Option D is wrong because bucket policies are per-bucket and cannot be centrally enforced.

Option A is wrong because Trusted Advisor provides recommendations but does not enforce policies.

146
MCQ · easy

A security engineer is configuring a VPC with public and private subnets. The engineer needs to allow instances in the private subnet to download software updates from the internet. Which component should be added to the VPC?

A. VPN connection to on-premises.
B. VPC endpoint for Amazon S3.
C. Bastion host in a public subnet.
D. NAT gateway in a public subnet.
Answer: D

NAT gateway provides outbound internet connectivity for private subnets.

Why this answer

Option D is correct because a NAT gateway allows outbound internet access from private subnets. Option C is wrong because a bastion host is for SSH/RDP access, not internet access. Option B is wrong because a VPC endpoint is for private access to AWS services.

Option A is wrong because a VPN connection is for hybrid networking.

147
Multi-Select · easy

Which TWO of the following are valid methods to secure data at rest in Amazon S3? (Choose two.)

Select 2 answers
A. Use S3 server-side encryption with customer-provided keys (SSE-C).
B. Enable S3 Object Lock.
C. Use client-side encryption before uploading objects to S3.
D. Enable S3 Transfer Acceleration.
E. Use S3 server-side encryption with S3-managed keys (SSE-S3).
Answers: A, E

SSE-C encrypts data at rest in S3 using keys provided by the customer.

Why this answer

The correct answers are A and E. Option A is correct because SSE-C uses server-side encryption with customer-provided keys. Option E is correct because SSE-S3 uses server-side encryption with Amazon S3-managed keys.

Option C is not counted because client-side encryption is done before uploading: it is a valid way to protect data at rest, but it is not an S3 encryption method, and the question asks about securing data at rest in S3, where the data is already encrypted before it arrives. Option D is wrong because S3 Transfer Acceleration is for faster uploads, not encryption. Option B is wrong because S3 Object Lock is for write-once-read-many (WORM) protection, not encryption.

148
Multi-Select · medium

A security engineer is designing a VPC with public and private subnets. The VPC will host web servers in public subnets and database servers in private subnets. The web servers need to send traffic to the database servers, and the database servers must not have direct internet access. Which TWO configurations should the engineer implement?

Select 2 answers
A. Use network ACLs to block all inbound traffic to the private subnets.
B. Configure security group rules to allow inbound traffic from the web server security group to the database security group.
C. Do not add a route to an internet gateway in the route table for the private subnets.
D. Attach an internet gateway to the VPC and route the private subnets to it.
E. Add a NAT gateway in the public subnet and route the private subnets to it.
Answers: B, C

This allows targeted traffic between web and database servers.

Why this answer

Option B is correct because security group rules can allow traffic from the web servers to the database servers by referencing the web server security group ID. Option C is correct because leaving the internet gateway out of the private subnets' route table ensures the database servers have no route to the internet.

Option E is wrong because a NAT gateway would give the database servers outbound internet access, which they must not have. Option D is wrong because routing the private subnets to an internet gateway gives them direct internet access. Option A is wrong because blocking all inbound traffic to the private subnets would also block the web servers' traffic to the databases.

149
Multi-Select · medium

A security engineer is configuring a VPC for a new application. Which TWO actions will improve network security? (Choose two.)

Select 2 answers
A. Configure VPC endpoints to connect to AWS services privately.
B. Deploy a NAT gateway to allow outbound internet access.
C. Use network ACLs to allow or deny traffic at the subnet level.
D. Enable VPC Flow Logs to analyze traffic patterns.
E. Use security groups to control traffic at the instance level.
Answers: C, E

Network ACLs act as a firewall for subnets.

Why this answer

Option C is correct because network ACLs (NACLs) operate at the subnet level as a stateless firewall, allowing you to explicitly allow or deny inbound and outbound traffic based on rules (e.g., source/destination IP, port, protocol). This provides a critical layer of defense at the subnet boundary, complementing security groups. Option E is correct because security groups act as a stateful virtual firewall at the instance (ENI) level, controlling traffic based on allow rules only, which is essential for granular per-instance security.

Exam trap

The trap here is that candidates often confuse detective controls (like VPC Flow Logs) or connectivity mechanisms (like NAT gateways or VPC endpoints) with direct security controls that enforce traffic filtering, leading them to select options that improve visibility or connectivity rather than security posture.

150
MCQ · hard

An organization has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that no Amazon EC2 instances are launched without an IAM instance profile that includes a specific role. Which preventive control should be implemented?

A. Create an SCP that denies ec2:RunInstances when the condition iam:InstanceProfile is not set to the required profile ARN.
B. Attach an IAM policy to all users that denies ec2:RunInstances unless an instance profile is specified.
C. Create an SCP that denies ec2:RunInstances when the condition ec2:InstanceProfile is not set.
D. Use AWS Config rule ec2-instance-profile-attached to detect non-compliant instances and automatically terminate them.
Answer: A

SCPs apply to all accounts in the organization and can deny actions based on conditions.

Why this answer

Option A is correct because a service control policy (SCP) can deny the ec2:RunInstances action when the iam:InstanceProfile condition key is not set to the required profile. Option B is wrong because an IAM policy attached to users does not prevent root users or other accounts from launching instances. Option D is wrong because AWS Config is detective, not preventive.

Option C is wrong because the condition key is iam:InstanceProfile, not ec2:InstanceProfile.
