CCNA Infrastructure Security Questions

75 of 328 questions · Page 3/5 · Infrastructure Security · Answers revealed

151
MCQhard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The security team wants to inspect all traffic between VPCs before it reaches its destination. Which architecture should be used?

A.Use a VPN CloudHub to connect VPCs and inspect traffic at the VPN endpoint.
B.Use AWS Direct Connect to connect VPCs and inspect traffic on-premises.
C.Use a Transit Gateway with a central inspection VPC that hosts security appliances and route all inter-VPC traffic through it.
D.Use VPC Peering and configure security groups on each VPC to allow only necessary traffic.
AnswerC

This allows centralized traffic inspection.

Why this answer

Option C is correct because Transit Gateway supports centralised inspection: the spoke VPC attachments use a route table that sends inter-VPC traffic to an inspection VPC attachment, the inspection VPC hosts the security appliances (typically behind a Gateway Load Balancer so the fleet can scale), and the appliances forward the traffic on to its destination. Option D is wrong because VPC peering is point-to-point and not transitive, so there is no central point at which to inspect. Option B is wrong because Direct Connect links on-premises networks to AWS; it does not connect VPCs to each other.

Option A is wrong because VPN CloudHub connects multiple customer sites to a virtual private gateway over VPN; it is not an inspection point.

152
MCQhard

A company is deploying a new web application on AWS. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and the EC2 instances be encrypted using TLS. The ALB uses a certificate from AWS Certificate Manager (ACM). The EC2 instances are Linux-based and have a self-signed certificate installed. The security engineer configured the ALB target group to use HTTPS on port 443, and the EC2 security group allows inbound traffic on port 443 from the ALB security group. However, when testing, the application returns a 502 Bad Gateway error. The ALB health checks are failing. What is the likely cause?

A.The EC2 instances are not running a web server listening on port 443.
B.The ALB is configured to verify the certificate on the backend instances, and the self-signed certificate is not trusted.
C.The security group for the EC2 instances does not allow inbound traffic from the ALB on the health check port.
D.The target group health check is configured to use the same port as the traffic port (443), but the health check path is incorrect.
AnswerD

ALB does not validate target certificates, so a self-signed certificate cannot by itself fail a health check; a failing HTTPS health check against a reachable 443 listener points at the health check configuration.

Why this answer

The premise of option B is false. When a target group uses HTTPS, the ALB negotiates TLS with the target but does not validate the certificate the target presents: self-signed and even expired certificates are accepted, and there is no target group setting that turns validation on. That rules out B, and it also means the common "fix" of disabling certificate verification does not exist.

The health check for an HTTPS target group uses HTTPS by default, on the traffic port and the configured path (default /), and expects a response code matching the target group's matcher (default 200). The question states that the security group already allows 443 from the ALB security group, so option C is excluded. A failing health check therefore means the target is not answering the health check request with a matching status: the path is wrong, the matcher is too narrow, or nothing is listening. Option D names this directly and is the best-supported answer given that the question establishes a TLS-capable listener on 443. Option A would produce the same symptom and should be ruled out on the host first (check that the web server is bound to 443 and returns a 2xx on the health check path).

Remediation is to correct the health check path and matcher (or the listener), not to downgrade the target group to HTTP, which would violate the stated requirement that traffic between the ALB and the instances be encrypted.

153
Multi-Selecthard

A company is designing a security group for a web server that must allow HTTP (80) and HTTPS (443) traffic from the internet. The server also needs to make outbound connections to an Amazon RDS database on port 3306 and to the internet for software updates. Which THREE rules should be included in the security group? (Select THREE.)

Select 3 answers
A.Inbound: MySQL (3306) from the VPC CIDR block
B.Outbound: MySQL (3306) to the VPC CIDR block
C.Inbound: HTTPS (443) from 0.0.0.0/0
D.Outbound: HTTP (80) to the VPC CIDR block
E.Inbound: HTTP (80) from 0.0.0.0/0
F.Outbound: HTTPS (443) to 0.0.0.0/0
AnswersC, E, F

Allows secure web traffic from the internet.

Why this answer

Options C (inbound HTTPS from 0.0.0.0/0) and E (inbound HTTP from 0.0.0.0/0) are the rules for web traffic from the internet, and option F (outbound HTTPS to 0.0.0.0/0) is needed for software updates. Option B is wrong because the outbound MySQL rule should reference the database's security group ID rather than the VPC CIDR block; a rule to the whole CIDR lets the web server reach any 3306 listener in the VPC. Option A is wrong because the database never initiates connections to the web server, and security groups are stateful, so replies to the web server's outbound MySQL connections are allowed without an inbound rule.

Option D is wrong because nothing in the scenario requires plain HTTP to the VPC. Note that the question offers no correct outbound MySQL rule: in practice the web server's group needs an outbound 3306 rule to the database security group, or relies on the default allow-all outbound rule.

154
MCQhard

A healthcare company runs a HIPAA-compliant application on AWS. The application consists of an Application Load Balancer (ALB) in front of a fleet of EC2 instances behind an Auto Scaling group. The EC2 instances store sensitive patient data in an S3 bucket encrypted with SSE-KMS. The security team recently enabled AWS CloudTrail and Amazon GuardDuty. During a routine audit, they notice that an EC2 instance is making repeated API calls to the S3 bucket from an IP address outside the corporate network. The security team suspects the instance is compromised. What is the MOST effective immediate step to contain the potential breach while maintaining availability of the application?

A.Revoke the IAM role attached to the instance by removing the S3 permissions from the role.
B.Remove the security group that allows outbound traffic from the instance.
C.Stop the EC2 instance and detach it from the Auto Scaling group.
D.Terminate the EC2 instance immediately.
AnswerA

This instantly stops the instance's ability to access S3 while keeping the instance running for forensic analysis.

Why this answer

Option A is correct because removing the S3 permissions from the role (or attaching an explicit Deny) takes effect within seconds for every credential derived from that role, cuts the exfiltration path, and keeps the instance running for forensics (memory, disk, CloudTrail correlation). The detail that the calls come from an IP address outside the corporate network matters: it indicates the role credentials have been copied off the instance, so network containment on the instance alone would not stop them. Option D is wrong because terminating the instance destroys evidence and reduces capacity. Option B is wrong because an instance cannot have zero security groups, stripping outbound rules takes that instance's application offline, and it does nothing about stolen credentials being used from elsewhere.

Option C is wrong because stopping the instance loses volatile memory and removes capacity, and is less granular than revoking permissions.

Caveat: the role is normally shared by every instance in the Auto Scaling group, so editing its policies affects the whole fleet. A more surgical version of the same action is to attach a Deny policy scoped to the one instance with a condition on ec2:SourceInstanceARN, or to use the role's "revoke active sessions" option (a Deny on credentials issued before a given time) and then let the healthy instances pick up fresh credentials.

155
MCQmedium

A company's security team discovers that an Amazon EC2 instance has been compromised and is sending outbound traffic to a known malicious IP address. The instance is in a VPC with a security group that allows all outbound traffic. What is the FASTEST way to stop the outbound traffic without affecting other instances?

A.Modify the network ACL of the subnet to deny outbound traffic to the malicious IP.
B.Change the route table of the subnet to route traffic to a blackhole.
C.Terminate the compromised EC2 instance immediately.
D.Modify the security group attached to the instance to revoke all outbound rules.
AnswerD

Security group changes apply immediately, and the instance's own group can be changed without touching other instances, provided it is not a group they share.

Why this answer

Option D is correct because a security group change is applied immediately to the instances that use the group. Option C is wrong because terminating the instance is drastic, destroys forensic evidence, and may cause data loss. Option A is wrong because a network ACL applies to every instance in the subnet.

Option B is wrong because a route table change likewise affects every instance in the subnet.

Caveat: if the compromised instance shares its security group with other instances, stripping that group's outbound rules cuts them off too. The standard isolation move is to create a dedicated quarantine group with no inbound or outbound rules and replace the instance's group memberships with it; this has the same immediate effect and touches only that instance.

156
MCQmedium

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to protect the application from common web exploits such as SQL injection and cross-site scripting. Which AWS service should they use?

A.AWS Network Firewall
B.AWS WAF
C.AWS Firewall Manager
D.AWS Shield Advanced
AnswerB

AWS WAF can filter and monitor HTTP(S) requests for common attacks.

Why this answer

AWS WAF is the web application firewall for Layer 7 request inspection (SQL injection, XSS, bad bots, rate limiting) and attaches directly to an ALB, so option B is correct. Option A is wrong because AWS Network Firewall inspects traffic on the VPC network path and is not attached to an ALB; it is not the service for web-exploit signatures on HTTP requests.

Option C is wrong because AWS Firewall Manager centrally manages WAF, Shield and security group policies across accounts; it is not itself the filter. Option D is wrong because Shield Advanced is DDoS protection, not injection filtering.

157
Multi-Selecteasy

Which TWO AWS services can be used to encrypt data at rest in an Amazon S3 bucket? (Choose two.)

Select 2 answers
A.SSL/TLS
B.Client-side encryption
C.SSE-KMS
D.SSE-S3
E.AWS Shield
AnswersC, D

Both are S3 server-side encryption options; SSE-KMS adds key control and per-use CloudTrail auditing through AWS KMS.

Why this answer

Options C and D are correct. Server-Side Encryption with S3-managed keys (SSE-S3) and Server-Side Encryption with AWS KMS keys (SSE-KMS) both encrypt objects at rest. Option B (client-side encryption) also produces encrypted objects, but it is performed by the client before upload rather than by an AWS service on the bucket, which is why it is not one of the two intended answers.

Option A (SSL/TLS) protects data in transit, not at rest. Option E (AWS Shield) is DDoS protection.

158
MCQhard

A company has a VPC with multiple subnets and uses VPC Flow Logs to capture network traffic. The security team notices that some expected traffic is not appearing in the logs. What is a likely cause?

A.Flow Logs are published to an S3 bucket instead of CloudWatch Logs.
B.The traffic uses UDP protocol.
C.The traffic is blocked by a security group rule.
D.The traffic is to or from the Amazon DNS server (169.254.169.253).
AnswerD

By default, Flow Logs do not record traffic to the Amazon DNS server.

Why this answer

Option D is correct: Flow Logs do not capture traffic to or from the Amazon DNS resolver (the VPC base address plus two, and 169.254.169.253), the instance metadata service (169.254.169.254), the Amazon Time Sync Service, DHCP, Windows licence activation, or the default VPC router; the resolver traffic is the case offered here. Option A is wrong because either destination, S3 or CloudWatch Logs, receives the same records. Option C is wrong because traffic rejected by a security group or network ACL is recorded as a REJECT record when the flow log was created with the default filter of ALL (a flow log created with the ACCEPT filter would omit it, which is worth checking before assuming traffic never arrived).

Option B is wrong because Flow Logs capture all IP protocols, not just TCP.

159
Multi-Selectmedium

A company uses AWS Organizations and wants to restrict the use of specific instance types across all accounts. Which TWO actions should be taken to enforce this restriction?

Select 2 answers
A.Restrict instance types at the VPC level using network ACLs.
B.Use AWS CloudTrail to monitor instance launches and send alerts.
C.Apply a Service Control Policy (SCP) that denies ec2:RunInstances with noncompliant instance types.
D.Create an IAM role that denies launch of noncompliant instances.
E.Use AWS Config rules to detect and automatically stop noncompliant instances.
AnswersC, E

SCPs centrally deny actions across accounts.

Why this answer

Options C and E are correct. An SCP that denies ec2:RunInstances with a condition on ec2:InstanceType applies to every principal in the member accounts, including their root users, and cannot be overridden by account-level IAM; AWS Config can detect instances that still exist (for example those launched before the SCP) and trigger automatic remediation. Option D is wrong because an IAM role only governs the principals that assume it in one account and is not an organisation-wide control.

Option B is wrong because CloudTrail records launches but enforces nothing. Option A is wrong because network ACLs filter IP traffic and have no concept of instance types.

160
Multi-Selecthard

A company wants to encrypt data at rest for an Amazon RDS for MySQL DB instance. Which THREE options can be used to achieve this? (Choose THREE.)

Select 3 answers
A.Take a snapshot of the unencrypted instance, copy it with encryption, and restore.
B.Modify the DB instance to enable encryption after creation.
C.Create a read replica with encryption enabled, even if the source is unencrypted.
D.Enable encryption on an existing read replica of an encrypted source.
E.Enable encryption when creating the DB instance.
AnswersA, D, E

This is a valid method to encrypt an existing database.

Why this answer

RDS encryption at rest is set when the DB instance is created and uses an AWS KMS key, so option E is correct. An existing unencrypted instance cannot be modified to become encrypted (option B is wrong); the supported path is to take a snapshot, copy the snapshot with encryption enabled, and restore from the encrypted copy, which is option A.

Read replicas inherit the source's encryption state: a replica of an unencrypted source cannot be encrypted (option C is wrong), and a replica of an encrypted source is always encrypted, with the KMS key supplied when the replica is created (required for cross-region replicas). Option D describes that case and is the third answer the key accepts; note that, like the primary, a replica's encryption cannot be toggled after it exists.

161
Multi-Selecthard

A security engineer is designing a secure VPC architecture for a web application that must be accessible from the internet. The application runs on EC2 instances in private subnets. Which THREE components are required to provide secure internet connectivity?

Select 3 answers
A.Public subnets with routes to the IGW
B.NAT Gateway in a public subnet
C.Virtual Private Gateway (VGW)
D.Transit Gateway
E.Internet Gateway (IGW) attached to the VPC
AnswersA, B, E

Public subnets host the NAT Gateway and possibly an ALB.

Why this answer

Options A, B and E are correct. An Internet Gateway attached to the VPC (E) is what makes any subnet public; public subnets with a route to that IGW (A) host the internet-facing pieces, the NAT Gateway and, in a well-designed deployment, the ALB that fronts the private instances; and a NAT Gateway in a public subnet (B) gives the private instances outbound-only internet access for updates. Option C is wrong because a Virtual Private Gateway terminates Site-to-Site VPN and Direct Connect, not internet traffic.

Option D is wrong because a Transit Gateway connects VPCs and on-premises networks and is not required for a single VPC to reach the internet.

162
Multi-Selecthard

A security engineer is configuring an AWS WAF web ACL for an Application Load Balancer. The engineer wants to block requests that contain cross-site scripting (XSS) and also limit the rate of requests from a single IP. Which THREE rule groups should be added?

Select 3 answers
A.AWS Managed Rules - IP reputation rule group
B.Rate-based rule
C.AWS Managed Rules - SQL injection rule group
D.AWS Managed Rules - Cross-site scripting (XSS) rule group
E.Geographic match rule
AnswersB, C, D

Rate-based rules limit the number of requests from an IP over a time period.

Why this answer

Options B, C and D are the intended answers: the XSS rule group (D) and a rate-based rule (B) cover the two stated requirements, and the SQL injection rule group (C) is the third because the question asks for three and it is the standard companion protection. Option A is wrong because the IP reputation rule group blocks addresses on Amazon threat intelligence lists, not by request rate.

Option E is wrong because geographic match rules filter by the request's country of origin, not by behaviour.

Caveat for practice: in the current AWS Managed Rules catalogue the cross-site scripting protections are part of the Core rule set (AWSManagedRulesCommonRuleSet), while SQL injection has its own group (AWSManagedRulesSQLiRuleSet). A rate-based rule is a rule statement you write in the web ACL rather than a managed rule group; its limit is the request count from a single source IP over the evaluation window (five minutes by default).

163
MCQeasy

A security engineer needs to ensure that all traffic to an EC2 instance in a VPC is inspected by a network firewall appliance. The firewall is deployed in a separate subnet. What is the MOST secure and scalable way to route traffic through the firewall?

A.Configure a NAT gateway in the firewall subnet and route all traffic through it.
B.Use a Gateway Load Balancer with a Gateway Load Balancer endpoint in each subnet.
C.Use an Application Load Balancer in front of the firewall.
D.Create a transit gateway and route traffic through the firewall subnet.
AnswerB

Gateway Load Balancer transparently forwards traffic to the firewall appliance and supports scaling.

Why this answer

Option B is correct because a Gateway Load Balancer with a Gateway Load Balancer endpoint in each subnet inserts the firewall transparently: route table entries point at the endpoint, the GWLB encapsulates traffic in GENEVE and distributes it across a fleet of appliances, and the design scales and fails over without changing the instances. Option A is wrong because a NAT gateway only translates outbound connections and cannot redirect traffic to an appliance. Option C is wrong because an ALB is a Layer 7 load balancer for HTTP(S) services, not a bump-in-the-wire for all traffic.

Option D is wrong here because a transit gateway connects VPCs and on-premises networks; for traffic within one VPC it adds nothing, and even a centralised transit gateway inspection design (question 151) normally uses a GWLB inside the inspection VPC to reach the appliances.

164
MCQhard

A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The security team wants to allow only traffic from the ALB to reach the EC2 instances. Which security group configuration should be used?

A.Allow inbound traffic from the ALB's private IP addresses on the EC2 security group.
B.Allow inbound traffic from the VPC CIDR block on the EC2 security group.
C.Allow inbound traffic from the ALB's security group ID on the EC2 security group.
D.Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 security group.
AnswerC

Security group ID reference ensures traffic only from ALB.

Why this answer

Option C is correct because security groups can reference each other by ID, allowing you to create a rule on the EC2 security group that permits inbound traffic only from the ALB's security group. This ensures that only traffic that has passed through the ALB can reach the EC2 instances, regardless of the ALB's IP addresses, which can change due to scaling or replacement.

Exam trap

The trap here is that candidates often assume ALBs have fixed private IP addresses and choose Option A, not realizing that ALB IPs are dynamic and that security group referencing is the AWS-recommended method for this pattern.

How to eliminate wrong answers

Option A is wrong because ALBs do not have static private IP addresses; they use elastic network interfaces that can change, making IP-based rules unreliable and requiring constant updates. Option B is wrong because allowing traffic from the entire VPC CIDR block would permit any resource in the VPC (including compromised instances or unauthorized services) to reach the EC2 instances, bypassing the ALB. Option D is wrong because allowing HTTP traffic from 0.0.0.0/0 would expose the EC2 instances directly to the internet, defeating the purpose of using an ALB for traffic control and security.

165
MCQmedium

A security engineer is designing a network ACL for a public subnet containing an Application Load Balancer. The subnet must allow inbound HTTPS traffic from the internet and outbound traffic to the internet for patches. Which inbound rule should be added?

A.Allow TCP port 1024-65535 from 0.0.0.0/0
B.Allow UDP port 443 from 0.0.0.0/0
C.Allow all traffic from 0.0.0.0/0
D.Allow TCP port 443 from 0.0.0.0/0
AnswerD

HTTPS uses TCP port 443.

Why this answer

Option D is correct because HTTPS uses TCP port 443. Option B is wrong because HTTPS does not use UDP (HTTP/3 over QUIC does, but an ALB serves HTTP/1.1 and HTTP/2 over TCP). Option C is wrong because allowing all inbound traffic defeats the purpose of the ACL.

Option A is wrong as the answer to this question because the inbound ephemeral range is what lets responses to the subnet's own outbound connections (the patch traffic) come back; it is a companion rule, not the rule that admits client HTTPS.

Caveat: because network ACLs are stateless, the single inbound 443 rule is necessary but not sufficient. The ACL also needs an outbound rule for TCP 1024-65535 to 0.0.0.0/0 so the ALB's responses can leave, an outbound 443 rule for the patch traffic, and the inbound ephemeral rule (option A) for the patch responses.
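The stateless evaluation that makes the single inbound rule insufficient is easy to see in code. The following is an added example, not part of the original quiz: a small model of network ACL evaluation with constructed rule numbers, CIDRs and ports. It follows the documented behaviour (rules evaluated in ascending number order, first match wins, the catch-all rule denies, each direction checked independently) rather than calling any AWS API.

```python
"""Added example for question 165 (not code from the original quiz page):
a model of network ACL evaluation. Rule numbers, CIDRs and ports are
constructed; the semantics follow the documented NACL behaviour."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order; the implicit '*' deny comes after every number
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all)
    from_port: int
    to_port: int
    cidr: str
    action: str        # "allow" or "deny"


EPHEMERAL = (1024, 65535)   # client-side port range used for the return half of a TCP session


def nacl_decision(rules, direction, protocol, port, peer_ip):
    """The first matching rule in numeric order decides; otherwise the '*' deny applies."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.number):
        proto_ok = r.protocol in ("-1", protocol)
        port_ok = r.protocol == "-1" or r.from_port <= port <= r.to_port
        cidr_ok = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.cidr)
        if proto_ok and port_ok and cidr_ok:
            return r.action
    return "deny"


def https_session_allowed(rules, client_ip, client_port):
    """A TLS session from the internet needs both halves to pass: the request
    arriving on 443 (inbound) and the response leaving to the client's ephemeral
    port (outbound). NACLs track no state, so each half is judged on its own."""
    request = nacl_decision(rules, "inbound", "tcp", 443, client_ip)
    response = nacl_decision(rules, "outbound", "tcp", client_port, client_ip)
    return request == "allow" and response == "allow"


# The rule from the answer, on its own.
inbound_only = [NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow")]

# The same rule plus the companions the scenario needs: responses to clients,
# the subnet's own outbound HTTPS for patches, and the return half of those patch sessions.
complete = inbound_only + [
    NaclRule(100, "outbound", "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow"),
    NaclRule(110, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "inbound", "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow"),
]

# A lower-numbered deny wins over the later allow: the way a NACL blocks a hostile range.
with_block = [NaclRule(50, "inbound", "tcp", 443, 443, "198.51.100.0/24", "deny")] + complete


def demo():
    return {
        "inbound_only_session": https_session_allowed(inbound_only, "203.0.113.9", 51234),  # False
        "complete_session": https_session_allowed(complete, "203.0.113.9", 51234),          # True
        "blocked_range": https_session_allowed(with_block, "198.51.100.7", 51234),          # False
        "udp_443_inbound": nacl_decision(complete, "inbound", "udp", 443, "203.0.113.9"),   # "deny"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first case is the trap in the question: the request is admitted, the response is dropped, and the client sees a hung TLS handshake rather than a refused connection.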

166
MCQmedium

A company is designing a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in the private subnets can access the internet for software updates but cannot be directly accessed from the internet. Which AWS service or feature should be used to meet this requirement?

A.NAT Gateway
B.VPC Peering
C.AWS VPN
D.Internet Gateway
AnswerA

A NAT Gateway enables outbound internet access from private subnets while blocking inbound connections.

Why this answer

Option A is correct because a NAT Gateway lets instances in private subnets initiate outbound connections to the internet while refusing connections initiated from the internet; it has no inbound rules to configure. Option D is wrong because an Internet Gateway provides bidirectional connectivity and instances reachable through it need public or Elastic IP addresses, which is exactly what the requirement forbids. Option C is wrong because a VPN connects to an on-premises network, not to the internet.

Option B is wrong because VPC Peering connects two VPCs, not a VPC to the internet.

Note the two Availability Zones in the question: a NAT Gateway is zonal, so deploy one per AZ and point each private subnet's route table at the gateway in its own AZ; otherwise an AZ outage also takes out the other AZ's internet access.

167
Multi-Selectmedium

A company is considering using AWS Shield Advanced to protect against DDoS attacks. Which three features are included with AWS Shield Advanced? (Choose THREE.)

Select 3 answers
A.Cost protection against DDoS-related scaling charges
B.Dedicated IP addresses for EC2 instances
C.AWS Site-to-Site VPN
D.Integration with AWS WAF for web ACLs
E.24/7 access to the AWS DDoS Response Team (DRT)
AnswersA, D, E

Shield Advanced includes cost protection.

Why this answer

Options A, D and E are correct. AWS Shield Advanced includes 24/7 access to the Shield Response Team (the DDoS Response Team, DRT, in the question's wording), cost protection that credits the scaling charges an attack causes on protected resources, and AWS WAF at no extra charge for web ACLs on protected resources. Option C is wrong because Site-to-Site VPN is a separate service and not part of Shield.

Option B is wrong because dedicated IP addresses are not a feature of Shield Advanced.

168
MCQeasy

A company wants to encrypt data at rest in an Amazon S3 bucket. Which AWS service can centrally manage the encryption keys?

A.AWS CloudHSM
B.AWS Certificate Manager (ACM)
C.AWS Key Management Service (AWS KMS)
D.AWS Secrets Manager
AnswerC

AWS KMS is a managed service for creating and controlling encryption keys.

Why this answer

Option C is correct because AWS KMS is the managed service for creating, rotating and controlling the keys used by S3 server-side encryption (SSE-KMS), with every key use logged in CloudTrail. Option A is wrong because CloudHSM provides dedicated, single-tenant hardware security modules that S3 does not use directly; KMS can be backed by a CloudHSM cluster through a custom key store, but the management surface is still KMS. Option D is wrong because Secrets Manager stores and rotates secrets such as database credentials, not data-encryption keys for S3.

Option B is wrong because AWS Certificate Manager manages TLS certificates for data in transit, not keys for data at rest.

169
MCQhard

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to a user. The user reports that they are able to stop and start instances, but they cannot terminate instances. However, the engineer notices that there is no explicit deny for termination. Why is the user unable to terminate instances?

A.The policy does not include an explicit Allow for ec2:TerminateInstances.
B.The second statement's Resource is set to '*' but the Action list does not include termination.
C.The first statement's Resource element is too restrictive and does not include the termination API call.
D.The policy has a syntax error that prevents termination from being evaluated.
AnswerA

Without an explicit Allow, the action is implicitly denied.

Why this answer

Option A is correct. The policy only allows the listed actions; since no statement allows ec2:TerminateInstances, the request is implicitly denied.

IAM evaluation starts from an implicit deny: an action is permitted only if some applicable policy explicitly allows it and none explicitly denies it, so the absence of a Deny statement is irrelevant. Option C is incorrect because the instance/* resource in the first statement would cover termination if the action were allowed. Option B is incorrect because a wildcard Resource cannot grant an action that is not listed.

Option D is incorrect because the policy is valid, as shown by the stop and start actions working.

170
MCQeasy

A company has a VPC with multiple subnets. The security team wants to control traffic between subnets using a stateful firewall that can automatically allow return traffic. Which AWS service should be used?

A.Network ACLs
B.AWS Firewall Manager
C.AWS WAF
D.Security groups
AnswerD

Security groups are stateful; attached to the instances' network interfaces in each subnet, they control the traffic between the tiers.

Why this answer

Option D is correct because security groups are stateful, so return traffic for an allowed connection is permitted automatically, and they are applied to the network interfaces of the instances in each subnet, which is how traffic between the subnets is controlled. Option A is wrong because network ACLs, the subnet-level control, are stateless and need explicit rules in both directions. Option C is wrong because AWS WAF filters HTTP(S) requests at the application layer.

Option B is wrong because AWS Firewall Manager is a policy management service that deploys WAF, Shield and security group rules across accounts; it is not a firewall itself. (AWS Network Firewall is also stateful and subnet-scoped, but it is not among the options.)

171
MCQhard

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The security engineer has set up a NAT gateway in a public subnet and updated the route tables accordingly. However, instances in the private subnets cannot reach the internet. The engineer checks the security group for the NAT gateway and finds that it allows all outbound traffic. What is the most likely cause of the issue?

A.The route table for the private subnet does not have a default route (0.0.0.0/0) pointing to the NAT gateway.
B.The NAT gateway does not have an Elastic IP address assigned.
C.The security group for the NAT gateway does not allow inbound traffic from the private subnets.
D.The network ACL for the private subnet does not allow inbound HTTP/HTTPS traffic.
AnswerA

A NAT gateway has no security group; when private instances cannot reach the internet through it, the private subnet's default route is the first thing to verify.

Why this answer

The premise of option C is false: NAT gateways do not have security groups. Traffic through a NAT gateway is governed by the network ACLs of the private subnet and of the NAT gateway's subnet and by the security groups of the instances behind it, so there is no "NAT gateway security group" for the engineer to have checked. Option A is the most likely cause: each private subnet's route table needs a 0.0.0.0/0 route whose target is the NAT gateway, and the NAT gateway's own public subnet needs a 0.0.0.0/0 route to the internet gateway; either one missing produces exactly this symptom, and "updated the route tables accordingly" does not say they were updated correctly.

Option B is incorrect because a public NAT gateway cannot be created without an Elastic IP address. Option D is incorrect because the return traffic for the instances' outbound connections arrives on ephemeral ports (1024-65535), not on 80 or 443; an inbound HTTP/HTTPS rule on the private subnet's ACL would not help, although a missing inbound ephemeral-port rule would cause a similar failure.

172
Multi-Selecthard

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. The bucket policy must deny all requests that do not come from the VPC endpoint. Which TWO statements are true for this configuration?

Select 2 answers
A.Use the aws:SourceIp condition key to restrict IP addresses.
B.Set the Principal to the VPC endpoint ID.
C.Use the aws:SourceVpce condition key in the bucket policy.
D.Set the Effect to Deny and include a condition for the VPC endpoint.
E.Ensure the bucket policy has an explicit Allow for the VPC endpoint.
AnswersC, D

This key restricts access to a specific VPC endpoint.

Why this answer

The aws:SourceVpce condition key carries the ID of the VPC endpoint a request arrived through, so a statement with Effect Deny, Principal "*", Action s3:*, and Condition StringNotEquals on aws:SourceVpce blocks every request that did not come through that endpoint, for every principal; an explicit Deny overrides any Allow elsewhere, so an Allow for the endpoint (option E) is not what makes the restriction work. Option B is wrong because a VPC endpoint is not an IAM principal. Option A is a different, coarser control based on source address, and aws:SourceIp is not even populated for requests arriving through a VPC endpoint (aws:VpcSourceIp is).

Caveat: this Deny also blocks the S3 console and any administrator or automation outside the VPC, including the account's own backup and CI jobs, because their requests carry no aws:SourceVpce. Add an exception (for example an aws:PrincipalArn condition for the administrative role) before applying it to a bucket you still need to manage.

173
Multi-Selectmedium

A company is designing a VPC with multiple subnets. The security team wants to ensure that traffic between the application tier and database tier is encrypted in transit. Which TWO actions should be taken?

Select 2 answers
A.Attach an internet gateway to the database subnet
B.Enable encryption on the database connections using TLS/SSL
C.Use security group rules to restrict traffic to the database port
D.Configure the application to use an encrypted protocol when connecting to the database
E.Use VPC Peering to connect the subnets
AnswersB, D

TLS/SSL encrypts data between application and database.

Why this answer

Options B and D are correct: enabling TLS on the database side (RDS provides a server certificate signed by an AWS CA for this) and configuring the application's client to connect with an encrypted protocol and verify that certificate together give encryption in transit. Option E is wrong because VPC Peering connects VPCs and does not encrypt.

Option C is wrong because security group rules restrict who can reach the port but do not encrypt the bytes. Option A is wrong because an internet gateway provides internet routing, not encryption, and a database subnet should not have one at all.

174
MCQmedium

A company is running a critical application on EC2 instances behind an Application Load Balancer. The security team wants to ensure that only traffic from the ALB reaches the EC2 instances. How can this be achieved?

A.Use the ALB's private IP address in the EC2 security group.
B.Configure a Network ACL to allow only the ALB's subnet.
C.Reference the ALB's security group in the EC2 security group inbound rule.
D.Use the ALB's public IP address in the EC2 security group.
AnswerC

Securely restricts traffic to the ALB.

Why this answer

Option C is correct because referencing the ALB's security group in the inbound rule of the EC2 security group admits only traffic from network interfaces that carry that group, which are the ALB's nodes. Option A is wrong because the ALB's private IP addresses change as it scales and replaces nodes. Option D is wrong because traffic from the ALB to the targets uses the ALB's private interfaces, never its public address.

Option B is wrong because a network ACL is subnet-wide, stateless, and cannot reference a security group; it would also admit anything else placed in the ALB's subnets.
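The reasoning behind questions 153, 164 and 174 (allow-only rules, implicit deny, statefulness, and security group references that survive IP changes) can be checked mechanically. The following is an added example and not code from the original quiz page: a small model of how security groups evaluate a new connection, simulating the documented semantics rather than calling the EC2 API. Group IDs and private IP addresses are constructed for the demonstration.

```python
"""Added example for questions 153, 164 and 174 (not code from the original
quiz page): a model of EC2 security group evaluation. Group IDs and IP
addresses are constructed; no AWS API is called."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str      # CIDR such as "0.0.0.0/0", or a group ID such as "sg-alb"


@dataclass
class SecurityGroup:
    group_id: str
    rules: list = field(default_factory=list)


@dataclass
class Eni:
    ip: str
    groups: list     # SecurityGroup objects attached to this network interface


def _rule_hits(rule, direction, protocol, port, peer):
    if rule.direction != direction or rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Group reference: matches any interface carrying that group, whatever its IP.
        return any(g.group_id == rule.source for g in peer.groups)
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.source)


def allowed(src, dst, protocol, port):
    """A new connection is permitted only if some outbound rule on the source
    AND some inbound rule on the destination match; otherwise it is implicitly
    denied. Groups are stateful, so the reply direction needs no rule."""
    out_ok = any(_rule_hits(r, "outbound", protocol, port, dst) for g in src.groups for r in g.rules)
    in_ok = any(_rule_hits(r, "inbound", protocol, port, src) for g in dst.groups for r in g.rules)
    return out_ok and in_ok


ALL_OUT = Rule("outbound", "-1", 0, 65535, "0.0.0.0/0")   # the default outbound rule
ALL_IN = Rule("inbound", "-1", 0, 65535, "0.0.0.0/0")

# Constructed topology: ALB nodes, a web instance, a database and a stray instance in the VPC.
alb_sg = SecurityGroup("sg-alb", [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"), ALL_OUT])
web_sg = SecurityGroup("sg-web", [Rule("inbound", "tcp", 80, 80, "sg-alb"),        # only via the ALB
                                  Rule("outbound", "tcp", 3306, 3306, "sg-db"),     # only to the DB group
                                  Rule("outbound", "tcp", 443, 443, "0.0.0.0/0")])  # software updates
db_sg = SecurityGroup("sg-db", [Rule("inbound", "tcp", 3306, 3306, "sg-web"), ALL_OUT])
stray_sg = SecurityGroup("sg-stray", [ALL_OUT])

alb = Eni("10.0.1.17", [alb_sg])
web = Eni("10.0.2.40", [web_sg])
db = Eni("10.0.3.5", [db_sg])
stray = Eni("10.0.2.41", [stray_sg])   # same subnet as web, but in neither the ALB nor the web group
# Stand-in for an internet host: security groups do not apply to it, so it is modelled as fully open.
internet_host = Eni("93.184.216.34", [SecurityGroup("sg-external", [ALL_IN, ALL_OUT])])


def demo():
    return {
        "alb_to_web_80": allowed(alb, web, "tcp", 80),                  # True: matched via sg-alb reference
        "stray_to_web_80": allowed(stray, web, "tcp", 80),              # False: same subnet, wrong group
        "alb_to_web_22": allowed(alb, web, "tcp", 22),                  # False: only port 80 is opened
        "moved_alb_to_web_80": allowed(Eni("10.0.1.250", [alb_sg]), web, "tcp", 80),  # True: IP irrelevant
        "web_to_db_3306": allowed(web, db, "tcp", 3306),                # True
        "stray_to_db_3306": allowed(stray, db, "tcp", 3306),            # False: DB admits only sg-web
        "web_to_internet_443": allowed(web, internet_host, "tcp", 443),  # True: update traffic
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The moved_alb case is the point of question 164: the ALB node's address changed and the rule still matched, because the reference is to the group, not to an IP.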

175
MCQmedium

Refer to the exhibit. A security engineer is investigating a potential compromise. What is the most critical finding?

A.The root user has two access keys (AccountAccessKeysPresent: 2), even though MFA is enabled (AccountMFAEnabled: 1).
B.The root user's console login succeeded, which indicates that the root account password is weak.
C.The root user logged in successfully from an unknown IP address.
D.The IP address 203.0.113.5 is not from the company's trusted IP range.
AnswerA

The get-account-summary shows AccountAccessKeysPresent: 2, meaning the root account has two access keys. Root access keys are a security risk and should be removed.

Why this answer

AWS best practice is to delete root user access keys and to enable MFA. The exhibit's get-account-summary output shows AccountMFAEnabled: 1, so MFA is on, but AccountAccessKeysPresent: 2, meaning the root user has two long-lived access keys. Those keys bypass the MFA-protected console login and grant unrestricted access to the account, so option A is the critical finding. Options C and D concern a single login from an unfamiliar address, which is worth investigating but does not by itself establish compromise, and option B does not follow: a successful login says nothing about password strength.

176
Multi-Selecthard

A company wants to enforce encryption in transit for all traffic between its VPC and on-premises data center over AWS Direct Connect. Which TWO configurations can achieve this?

Select 2 answers
A.Use a public virtual interface with Direct Connect and configure an IPsec VPN over it.
B.Use a Site-to-Site VPN connection over the internet.
C.Use a Direct Connect Gateway and configure an IPsec VPN over the private virtual interface.
D.Use a Transit VPC architecture with VPN attachments.
E.Use a private virtual interface with Direct Connect.
AnswersA, C

This provides encryption over the Direct Connect connection.

Why this answer

Options A and C are correct. Direct Connect is a private circuit, not an encrypted one, so encryption in transit means running IPsec across it: a Site-to-Site VPN over a public virtual interface, which reaches the VPN endpoints' public IP addresses across the Direct Connect link (A), or AWS's private IP VPN over Direct Connect, where the VPN terminates on a Transit Gateway through a Direct Connect gateway and a transit virtual interface so that no public addresses are involved (C, in the question's wording). Option E is wrong because a private virtual interface carries traffic unencrypted. Option B is wrong because a VPN over the internet bypasses Direct Connect entirely.

Option D is not one of the expected answers because a Transit VPC is a hub topology built from software VPN appliances; whether its tunnels run over Direct Connect depends on the design, and it is not itself an encryption control for the Direct Connect path. Also available but not offered here: MACsec on dedicated 10 Gbps and 100 Gbps connections encrypts the link at Layer 2.

177
MCQhard

An organization has a VPC with public and private subnets. A NAT Gateway is deployed in a public subnet to allow instances in private subnets to access the internet. The security team notices that instances in a private subnet can reach the internet, but cannot initiate connections to an on-premises network connected via AWS Direct Connect. The on-premises network advertises a specific route. What is the most likely cause?

A.The security group assigned to the instances does not allow outbound traffic to the on-premises network.
B.The network ACL on the private subnet is blocking inbound traffic from the on-premises network.
C.The private subnet route table has a route for the on-premises CIDR pointing to the NAT Gateway.
D.The internet gateway is not attached to the VPC.
AnswerC

The NAT Gateway route may override the Direct Connect route.

Why this answer

Option C is correct. Route selection is longest-prefix match, and when two routes have the same prefix a static route takes priority over a route propagated from the virtual private gateway. A static route for the on-premises CIDR (or a more specific part of it) pointing at the NAT Gateway therefore wins over the propagated Direct Connect route, and the traffic is NATed out to the internet, where the private on-premises addresses are unreachable. Option A is unlikely because the instances already reach the internet through the same outbound rules, and a default allow-all outbound rule covers the on-premises range too. Option B would also cause failures (NACLs are stateless, so blocking inbound from on-premises breaks the reply half of every connection), but it is less likely than a routing error, and the question's emphasis on the advertised route points at the route table.

Option D is wrong because the internet gateway plays no part in the Direct Connect path, and the NAT Gateway is demonstrably working.
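The selection rule that decides question 177 (and the default-route reasoning behind the NAT gateway questions 166 and 171) is short enough to reproduce. The following is an added example, not code from the original quiz: a longest-prefix-match route lookup with constructed route tables and gateway IDs, following the documented VPC behaviour that the most specific matching prefix wins and, for identical prefixes, a static route beats a propagated one.

```python
"""Added example for question 177 (not code from the original quiz page):
VPC route selection. Route tables, CIDRs and gateway IDs are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str            # CIDR
    target: str                 # "local", "nat-...", "igw-...", "vgw-..."
    propagated: bool = False    # True if learned from the virtual private gateway


def select_route(table, dst_ip):
    """Longest prefix wins; among equal prefixes a static route beats a propagated one."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if addr in ipaddress.ip_network(r.destination)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.destination).prefixlen, not r.propagated))


ONPREM = "192.168.0.0/16"

healthy_private_rt = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "nat-0a1b2c3d"),
    Route(ONPREM, "vgw-11aa22bb", propagated=True),   # advertised over Direct Connect
]

# The two ways the misconfiguration in the question can look: a static route for the
# whole on-premises CIDR at the NAT gateway, or a more specific one.
same_prefix_static = healthy_private_rt + [Route(ONPREM, "nat-0a1b2c3d")]
more_specific_static = healthy_private_rt + [Route("192.168.10.0/24", "nat-0a1b2c3d")]

# A private subnet with no default route at all (the usual cause in question 171).
no_default_rt = [Route("10.0.0.0/16", "local")]


def demo():
    return {
        "healthy_onprem": select_route(healthy_private_rt, "192.168.10.5").target,      # vgw-11aa22bb
        "healthy_internet": select_route(healthy_private_rt, "93.184.216.34").target,   # nat-0a1b2c3d
        "same_prefix_static": select_route(same_prefix_static, "192.168.10.5").target,  # nat: static wins
        "more_specific": select_route(more_specific_static, "192.168.10.5").target,     # nat: /24 beats /16
        "more_specific_other_host": select_route(more_specific_static, "192.168.20.5").target,  # vgw
        "no_default_route": select_route(no_default_rt, "93.184.216.34"),               # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The more_specific_other_host case shows why such a misroute can go unnoticed: only hosts inside the stray prefix lose connectivity, while the rest of the on-premises range still works.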

178
Multi-Selectmedium

A company has an S3 bucket that stores sensitive data. The security team wants to ensure that all objects in the bucket are encrypted at rest. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A.Use an SCP to deny the s3:PutObject action unless the request includes the x-amz-server-side-encryption header.
B.Use AWS KMS to create a customer master key and assign it to the bucket.
C.Enable AWS CloudTrail to log S3 API calls.
D.Enable default encryption on the S3 bucket using SSE-S3 or SSE-KMS.
E.Add a bucket policy that denies s3:PutObject if the object is not encrypted.
AnswersA, D

This enforces encryption for new objects across the account.

Why this answer

Options A and D are the key's answers. Enabling default encryption (D) makes S3 encrypt every new object with SSE-S3 or SSE-KMS when the request does not specify otherwise, and an SCP (A) enforces the requirement across every account in the organisation rather than one bucket. Option E is also a valid and common control: a bucket policy that denies s3:PutObject unless the request carries an accepted x-amz-server-side-encryption value (two conditions are needed, a Null check for a missing header and a StringNotEquals check for a wrong value); it is simply not one of the two the key selects.

Option C is wrong because CloudTrail records but does not enforce. Option B is wrong because a KMS key is not "assigned" to a bucket; it is used when SSE-KMS is chosen as the default or per request.

Note: since January 2023 S3 applies SSE-S3 by default to every new object, so in practice the question becomes whether to require SSE-KMS with a specific key, which the same policy conditions can express using s3:x-amz-server-side-encryption-aws-kms-key-id.

179
MCQmedium

A security team notices that an S3 bucket containing sensitive data is publicly accessible. The bucket policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" } ] } Which step should be taken to secure the bucket while maintaining access for authorized users?

A.Use AWS Config to automatically block all public access.
B.Create an IAM role with S3 access and assign it to the bucket.
C.Add a Deny statement for any IP address outside the corporate network.
D.Delete the public bucket policy and attach a new policy that allows access only through a VPC Endpoint.
Answer: D

Restricts access to the VPC endpoint.

Why this answer

Option D is correct because removing the public policy and attaching a bucket policy that restricts access to a VPC Endpoint ensures only authorized users within the VPC can access the bucket. Option B is wrong because an IAM role alone does not prevent public access. Option C is wrong because the bucket policy already allows public access.

Option A is wrong because blocking all public access prevents even authorized users if they are not in the VPC.

180
MCQ · hard

A company has a VPC with multiple subnets across multiple Availability Zones. The security team wants to inspect all traffic between subnets for malicious activity. Which AWS service should be used?

A.VPC Flow Logs
B.AWS Network Firewall
C.AWS WAF
D.Security groups
Answer: B

Network Firewall provides stateful inspection and threat detection across VPC traffic.

Why this answer

Option B is correct because AWS Network Firewall can inspect traffic between subnets and provide intrusion prevention. Option A is wrong because VPC Flow Logs only provide metadata, not inspection. Option D is wrong because security groups are stateful firewalls but do not inspect traffic.

Option C is wrong because AWS WAF is for web application traffic, not for network-layer inspection.

181
MCQ · easy

A company wants to ensure that all Amazon EC2 instances in a VPC can only be accessed via SSH from a specific IP address range (203.0.113.0/24). Which VPC component should be used to enforce this restriction?

A.Security group
B.Route table
C.Network ACL
D.Internet gateway
Answer: C

Network ACLs are stateless and can deny traffic from IP ranges outside the allowed range.

Why this answer

Option C is correct because a network ACL is a stateless firewall that controls inbound and outbound traffic at the subnet level, and it can restrict SSH access to a specific IP range. Option A is wrong because security groups are stateful and cannot deny traffic by IP in a single rule (they only allow). Option D is wrong because an internet gateway is not a security control.

Option B is wrong because a route table only controls traffic routing, not filtering.

182
MCQ · easy

A company uses Amazon CloudFront to distribute content from an S3 bucket. The security team wants to ensure that only CloudFront can access the S3 bucket. Which configuration should be used?

A.Set the bucket policy to allow all principals and rely on CloudFront to restrict access.
B.Configure the bucket policy to allow access only from CloudFront's IP addresses.
C.Create an Origin Access Identity (OAI) and grant it read access to the S3 bucket.
D.Use CloudFront trusted signers to restrict access to the S3 bucket.
Answer: C

OAI is the standard way to restrict S3 access to CloudFront only.

Why this answer

Option C is correct because an Origin Access Identity (OAI) allows CloudFront to access S3. Option B is wrong because a bucket policy allowing CloudFront's IPs is not recommended as the IPs can change. Option D is wrong because trusted signers are for signed URLs, not for origin access.

Option A is wrong because a bucket policy allowing all principals is too permissive.

183
MCQ · medium

Refer to the exhibit. A security engineer applies the IAM policy to a user, and then successfully runs the CLI command. Later, the user attempts to upload an object without specifying the ACL. What will happen?

A.The upload fails because the Deny statement explicitly denies any PutObject that does not have the ACL set to bucket-owner-full-control.
B.The upload succeeds because the bucket policy allows it.
C.The upload succeeds because the Allow statement allows PutObject without condition.
D.The upload fails because the bucket policy requires ACL to be bucket-owner-full-control.
Answer: A

The Deny statement covers all PutObject actions where the ACL is not bucket-owner-full-control. If no ACL is specified, the condition matches (StringNotEquals), and the Deny takes effect.

Why this answer

The IAM policy explicitly denies PutObject when the ACL is not set to bucket-owner-full-control. Since the user does not specify an ACL, the condition 'StringNotEquals' evaluates to true, triggering the Deny.

184
MCQ · hard

A company is using AWS CloudFormation to deploy a multi-tier application. The security team requires that the database tier (RDS) be deployed in private subnets that are not directly routable from the application tier (EC2). The application tier must communicate with the database using an internal network path. Which solution meets these requirements?

A.Place the RDS instance in the same subnet as the application tier and use security groups
B.Use ClassicLink to connect the application tier to the RDS instance
C.Use a NAT Gateway in the application subnet to route traffic to the RDS instance
D.Deploy the RDS instance in private subnets and use an RDS VPC Endpoint (Interface) in the application subnets
Answer: D

Allows private connectivity without direct routing.

Why this answer

Option D (VPC Endpoint for RDS) is correct because it provides private connectivity without routing between subnets. Option A is wrong because direct routing would require routes. Option B is wrong because ClassicLink is legacy.

Option C is wrong because a NAT Gateway acting as a proxy is not needed.

185
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The security team needs to ensure that all CloudFormation stacks include a specific tag with a value that complies with corporate policies. Which AWS service can enforce this requirement?

A.AWS Config
B.AWS Identity and Access Management (IAM)
C.AWS Service Catalog
D.AWS CloudTrail
Answer: C

Service Catalog can enforce tagging policies on stacks.

Why this answer

Option C is correct because AWS Service Catalog can enforce tag requirements on provisioned products. Option A is wrong because AWS Config can detect but not enforce. Option B is wrong because IAM policies can require tags but not specific values.

Option D is wrong because CloudTrail logs API calls but does not enforce.

186
Multi-Select · medium

A company wants to automate security assessments of its AWS environment. Which TWO AWS services can be used to perform vulnerability scanning and compliance checks?

Select 2 answers
A.AWS Shield
B.Amazon Inspector
C.AWS Security Hub
D.AWS WAF
E.AWS Config
Answers: B, C

Amazon Inspector scans for vulnerabilities and deviations from best practices.

Why this answer

Option B (Amazon Inspector) is correct for vulnerability scanning. Option C (AWS Security Hub) is correct for compliance checks. Option E (AWS Config) tracks resource changes but does not scan for vulnerabilities.

Option A (AWS Shield) is for DDoS protection. Option D (AWS WAF) is a web application firewall.

187
MCQ · hard

A company is designing a shared services VPC architecture with multiple VPCs connected via a transit gateway. The security engineer needs to ensure that all traffic between VPCs is inspected by a centralized firewall appliance deployed in the shared services VPC. What configuration is required?

A.Create VPC peering connections between each VPC and the shared services VPC.
B.Configure transit gateway route tables to route all inter-VPC traffic through the firewall appliance.
C.Use security groups to route traffic through the firewall.
D.Deploy a Gateway Load Balancer (GWLB) in the shared services VPC and register the firewall as a target.
Answer: B

Transit gateway route tables can send traffic to a network appliance in the shared services VPC for inspection.

Why this answer

Option B is correct because transit gateway route tables can be used to route traffic to the firewall appliance for inspection. Option A is wrong because VPC peering would bypass the firewall. Option D is wrong because a GWLB can be used but it is not the only way; transit gateway route tables can also do it.

Option C is wrong because security groups are not for routing.

188
MCQ · hard

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that only traffic from the ALB reaches the EC2 instances, and that instances cannot initiate outbound connections to the internet. Which combination of security group rules should be implemented? (Select TWO.)

A.Inbound rule: Allow HTTP/HTTPS from 0.0.0.0/0.
B.Inbound rule: Allow HTTP/HTTPS from the ALB's security group.
C.Outbound rule: Allow all traffic to the ALB's security group only.
D.Outbound rule: Deny all traffic to 0.0.0.0/0.
E.Outbound rule: Allow all traffic to 0.0.0.0/0.
Answers: B, D

This ensures only ALB traffic reaches the instances.

Why this answer

Option B is correct because allowing inbound traffic from the ALB's security group ensures only ALB traffic reaches the instances. Option D is correct because blocking all outbound traffic to 0.0.0.0/0 prevents instances from initiating internet connections. Option A is wrong because allowing inbound from 0.0.0.0/0 would permit direct access to the instances.

Option E is wrong because allowing outbound to 0.0.0.0/0 would allow internet connections. Option C is wrong because allowing outbound only to the ALB does not prevent instances from reaching the internet via other paths.

189
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to ensure that all Amazon S3 buckets across all accounts are encrypted with AWS KMS customer managed keys (CMKs). They have implemented a service control policy (SCP) that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header with value aws:kms. Additionally, they have an SCP that denies s3:CreateBucket unless the bucket is configured with default encryption using KMS. Despite these policies, a developer in the production account reports that they were able to upload a sensitive object to an existing bucket without encryption. The developer used the AWS CLI with the command: aws s3 cp sensitive.txt s3://my-bucket/. The bucket does not have default encryption enabled. The SCPs are attached to the root organizational unit (OU) and are in effect. What is the MOST likely reason the upload succeeded?

A.The SCP does not apply to the management account of the organization.
B.The SCP uses the wrong condition key; it should use s3:x-amz-server-side-encryption instead.
C.The SCP was not attached to the production account's OU.
D.The developer used an IAM role that bypasses SCPs.
Answer: A

SCPs are not effective for the management account, so actions from that account are not restricted.

Why this answer

The SCP denies s3:PutObject whenever the x-amz-server-side-encryption header is absent, and the aws s3 cp command did not specify that header; the bucket has no default encryption, so nothing else adds it either. SCPs apply to every IAM user and role in a member account, so the developer's IAM role would not bypass them, and because the SCPs are attached to the root OU, every OU and member account beneath it inherits them.

The one principal set that SCPs never restrict is the organization's management account. If the production account is the management account, the SCP is simply not evaluated there, which is a classic gotcha. The question says only that the company has a "multi-account AWS environment using AWS Organizations" and does not rule this out, so it is the most plausible of the four options.

So the most likely cause is that the production account is the management account of the organization, and SCPs do not apply to the management account.

190
MCQ · easy

A company is designing a multi-tier web application. The web servers must be accessible from the internet, but the application servers must only be accessible from the web servers. Which AWS feature should be used to meet these requirements?

A.Use security groups with rules that allow inbound traffic to the web servers from the internet, and allow inbound traffic to the application servers only from the web server security group.
B.Use a VPC peering connection between the web tier and application tier subnets.
C.Use network ACLs to allow inbound traffic to the web tier from the internet and to the application tier only from the web tier.
D.Use a VPN connection to isolate the application tier from the web tier.
Answer: A

Security groups support referencing another security group as a source, making this straightforward.

Why this answer

The correct answer is A because security groups act as a virtual firewall for instances, and you can reference another security group as a source. Option C is wrong because a NACL is stateless and applied at the subnet level; it can be used, but security groups are simpler for instance-level control. Option B is wrong because VPC peering is for connecting VPCs.

Option D is wrong because a VPN connection is for hybrid connectivity.

191
Multi-Select · hard

Which THREE components are required to set up a client VPN for remote access to a VPC? (Choose 3.)

Select 3 answers
A.Client VPN endpoint
B.Virtual Private Gateway
C.Customer Gateway
D.Authorization rule
E.Target network association
Answers: A, D, E

The Client VPN endpoint is the VPN server component.

Why this answer

Options A, D, and E are correct. A Client VPN endpoint is the VPN server. A target network association connects the endpoint to subnets.

An authorization rule grants access to specific network paths. Option B is wrong because a Virtual Private Gateway is used for site-to-site VPN. Option C is wrong because a Customer Gateway is for site-to-site VPN.

192
Multi-Select · hard

Which THREE are benefits of using AWS Systems Manager Session Manager to connect to EC2 instances? (Choose THREE.)

Select 3 answers
A.It allows closing inbound SSH and RDP ports on the instance.
B.It automatically rotates SSH keys on the instance.
C.It eliminates the need for a bastion host or jump box.
D.It requires an internet gateway or NAT gateway for the instance to communicate with the Session Manager service.
E.It provides session logging to AWS CloudTrail for auditing.
Answers: A, C, E

No open inbound ports are needed for Session Manager.

Why this answer

Options A, C, and E are correct. Session Manager eliminates the need for a bastion host, does not require opening SSH or RDP ports, and logs sessions to CloudTrail for auditing. Option D is wrong because Session Manager does not require an internet gateway or NAT gateway for connectivity; it uses the SSM agent.

Option B is wrong because Session Manager does not automatically rotate SSH keys; it uses IAM for access control.

193
MCQ · easy

A company has a security group rule that allows inbound traffic from 0.0.0.0/0 on port 22. The security engineer wants to restrict SSH access to only the company's public IP range (203.0.113.0/24). What is the correct way to update the security group rule?

A.Remove the existing inbound rule and do not add any new rule; SSH access will be denied by default.
B.Modify the existing inbound rule to change the source from 0.0.0.0/0 to 203.0.113.0/24.
C.Add a new inbound rule with source 203.0.113.0/24 and the security group will automatically deny all other traffic.
D.Change the outbound rules to restrict traffic.
Answer: B

You can edit the CIDR of an existing rule.

Why this answer

Option B is correct because you can modify the CIDR of an existing rule. Option C is wrong because security groups don't have a deny rule that would override the existing allow; you need to remove or change the old rule. Option D is wrong because security groups are stateful, so changing outbound rules does not restrict inbound SSH.

Option A is wrong because removing the rule without adding a new one would block all SSH.

194
MCQ · hard

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket. Which configuration provides the most secure and efficient access?

A.Create an Interface VPC Endpoint for S3.
B.Create a Gateway VPC Endpoint for S3 and update the route table.
C.Route the traffic through a NAT Gateway to the internet.
D.Assign a public IP address to the EC2 instance and allow it to access S3 via internet.
Answer: B

Private and secure access to S3.

Why this answer

Option B is correct because a Gateway VPC Endpoint for S3 allows private access to S3 without going through the internet or a NAT Gateway, and it is more secure. Option C is wrong because the traffic goes through the internet. Option A is wrong because Interface Endpoints are more costly and complex for S3.

Option D is wrong because a public IP still sends the traffic over the internet.

195
MCQ · easy

A company wants to ensure that all data transmitted between its EC2 instances and an Application Load Balancer (ALB) is encrypted. Which configuration should be applied?

A.Install SSL certificates on each EC2 instance and configure the ALB to use TCP passthrough.
B.Configure the ALB with an HTTPS listener and a target group that uses HTTPS as the protocol.
C.Use a Network Load Balancer with TLS listeners and target groups.
D.Configure security groups to allow only HTTPS traffic.
Answer: B

This ensures traffic between the ALB and the instances is encrypted.

Why this answer

Option B is correct because the ALB can terminate HTTPS and use HTTPS with the target group to encrypt traffic to the instances. Option D is wrong because security groups do not encrypt traffic. Option A is wrong because SSL certificates are for the listener, not the target group.

Option C is wrong because a Network Load Balancer does not support HTTPS termination natively.

196
MCQ · medium

A company is using AWS CloudTrail to monitor API activity in their account. They have enabled CloudTrail in all regions and are logging to an S3 bucket. The security team wants to ensure that log files are not tampered with after delivery. They enable CloudTrail log file integrity validation. Which additional step must be taken to verify the integrity of the log files?

A.Enable S3 versioning on the log bucket.
B.Configure the S3 bucket to use server-side encryption with AWS KMS.
C.Enable S3 Object Lock on the log bucket.
D.Use the AWS CLI to run the validate-logs command against the log files.
Answer: D

This command checks the digest files to verify integrity.

Why this answer

Option D is correct. CloudTrail log file integrity validation uses digital signatures (SHA-256 hashing and signing with a private key). To verify, you must use the AWS CLI command 'aws cloudtrail validate-logs' or download the public key and verify manually.

Option A (enable S3 versioning) helps with object versioning but does not verify integrity. Option B (use KMS to encrypt logs) protects confidentiality but not integrity. Option C (use S3 Object Lock) prevents deletion but does not detect tampering.

197
MCQ · medium

A company is using Amazon EC2 instances in a VPC with a security group that allows inbound SSH from 0.0.0.0/0. A security engineer needs to restrict SSH access to only the company's public IP range (203.0.113.0/24) while maintaining all other existing rules. What is the MOST efficient way to accomplish this?

A.Disable SSH and use AWS Systems Manager Session Manager to connect to instances.
B.Create a network ACL with an inbound rule allowing SSH from 203.0.113.0/24 and deny all other traffic.
C.Modify the existing security group rule to change the source from 0.0.0.0/0 to 203.0.113.0/24.
D.Create a new security group rule allowing SSH from 203.0.113.0/24 and keep the existing rule.
Answer: C

Modifying the existing rule directly updates the source to the required CIDR, removing the open access.

Why this answer

Option C is correct because modifying the existing security group rule to change the source CIDR is the most direct method. Option D is wrong because adding a new rule doesn't remove the open rule. Option B is wrong because NACLs are stateless and would require additional rules.

Option A is wrong because Systems Manager Session Manager does not replace the need for SSH restrictions.

198
MCQ · medium

A security engineer is designing a web application that will run on EC2 instances behind an Application Load Balancer (ALB). The application must be protected from common web exploits like SQL injection and cross-site scripting. Which AWS service should be used to provide this protection?

A.AWS WAF
B.Network ACLs
C.Security Groups
D.AWS Shield Advanced
Answer: A

AWS WAF filters and monitors HTTP requests to protect against web exploits.

Why this answer

Option A is correct because AWS WAF is a web application firewall that protects against common web exploits. Option D is wrong because Shield Advanced provides DDoS protection, not protection against application-layer attacks. Option B is wrong because Network ACLs are stateless firewalls at the subnet level.

Option C is wrong because Security Groups are stateful firewalls at the instance level.

199
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which component should be added to the VPC to enable this?

A.Internet gateway
B.VPN connection
C.VPC peering connection
D.NAT gateway
Answer: D

A NAT gateway enables outbound internet access for private subnets.

Why this answer

The correct answer is D because a NAT gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option A is wrong because an internet gateway is for public subnets. Option C is wrong because VPC peering connects VPCs.

Option B is wrong because a VPN connection is for hybrid connectivity.

200
MCQ · hard

A security engineer is investigating a potential data exfiltration from an Amazon S3 bucket. The bucket policy allows access to a specific IAM role, but the engineer suspects that the role has been compromised. The engineer wants to quickly block all access to the bucket without deleting the bucket or the policy. What is the BEST course of action?

A.Delete the IAM role that is allowed access to the bucket.
B.Use AWS WAF to block the IP addresses of the compromised role.
C.Modify the bucket policy to deny all principals.
D.Add a bucket policy statement that denies access unless the request comes from a specific IP address that does not exist.
Answer: D

A deny condition with an impossible IP address blocks all access effectively.

Why this answer

Option D is correct because adding a deny condition with a source IP that doesn't exist effectively blocks all access. Option A is wrong because deleting the role would affect other resources. Option C is wrong because modifying the bucket policy to deny all principals might be reverted if the role has permissions.

Option B is wrong because blocking at the network layer does not prevent access from within AWS.

201
MCQ · hard

A security engineer is designing a VPC with private subnets for an application that must access the internet for software updates. The VPC has a NAT gateway in a public subnet. The private subnet route table has a default route (0.0.0.0/0) pointing to the NAT gateway. Which additional security measure should be implemented to ensure that only the application instances can use the NAT gateway, and not any other resources in the VPC?

A.Enable VPC Flow Logs on the NAT gateway to detect unauthorized usage.
B.Create an IAM policy that allows only the application instances to use the NAT gateway.
C.Configure a security group for the NAT gateway that allows only the application instances' security group as source.
D.Configure a network ACL on the private subnet to allow outbound traffic only to the NAT gateway's private IP address.
Answer: D

A stateless network ACL rule can restrict outbound traffic to the NAT gateway's IP, preventing other traffic.

Why this answer

Option D is correct because a VPC endpoint for the NAT gateway is not possible; a network ACL on the private subnet can restrict outbound traffic to the NAT gateway's IP, ensuring only that traffic can exit. Option C is wrong because security groups cannot reference the NAT gateway as a destination; they control inbound/outbound traffic based on IP/CIDR. Option B is wrong because there is no IAM policy for NAT gateway usage.

Option A is wrong because a flow log does not block traffic; it only monitors.

202
MCQ · medium

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The company has a VPC with public and private subnets. The security team wants to ensure that all traffic between on-premises and the VPC goes through a set of security appliances (firewalls) deployed in the VPC. The appliances are in separate subnets. Currently, traffic is routed directly via the virtual private gateway. What is the MOST secure and scalable way to force traffic through the security appliances?

A.Place the security appliances in a public subnet and route traffic through a NAT gateway.
B.Create a transit gateway and attach the Direct Connect virtual interface to it. Then route traffic through the appliance subnets.
C.Deploy a Gateway Load Balancer and create Gateway Load Balancer endpoints in each subnet. Update the route tables to point to the endpoints.
D.Set up a VPN connection from on-premises to the VPC and route traffic through the appliance subnets.
Answer: C

Gateway Load Balancer transparently forwards traffic to the firewall appliances and scales automatically.

Why this answer

Option C is correct because using a Gateway Load Balancer with Gateway Load Balancer endpoints in each subnet allows transparent traffic inspection and scaling. Option B is wrong because a transit gateway does not by itself force traffic through appliances; it requires additional routing. Option A is wrong because a NAT gateway only handles outbound traffic.

Option D is wrong because a VPN connection does not route through VPC appliances.

203
MCQ · hard

A security engineer notices that an EC2 instance in a private subnet can reach the internet, even though there is no NAT gateway or instance in the route table. What is the most likely cause?

A.An internet gateway is attached to the VPC and a default route points to it.
B.A VPC endpoint for S3 is configured.
C.A NAT gateway is configured in a different availability zone.
D.An egress-only internet gateway is used for IPv6 traffic.
Answer: D

An egress-only internet gateway allows outbound IPv6 traffic without inbound.

Why this answer

An egress-only internet gateway allows IPv6 traffic to the internet but not inbound. If the instance has an IPv6 address and the route table points to an egress-only internet gateway, it can reach the internet. Option D is correct.

NAT gateways (C) are for IPv4. An internet gateway (A) would also allow inbound. A VPC endpoint (B) does not provide internet access.

204
MCQ · easy

A security engineer is configuring a new VPC with public and private subnets. The application servers in the private subnet need to download patches from the internet. Which component is required?

A.VPC endpoint
B.Direct Connect
C.Internet gateway
D.NAT gateway
Answer: D

A NAT gateway in a public subnet enables outbound internet access for private subnet instances.

Why this answer

A NAT gateway or NAT instance in a public subnet allows instances in private subnets to initiate outbound traffic to the internet and receive responses. An internet gateway alone is for public subnets. VPC endpoints are for specific services, not general internet access.

205
MCQ · hard

A company runs a multi-tier web application on AWS. The web tier uses an Application Load Balancer (ALB) in a public subnet, and the application tier runs on EC2 instances in private subnets. The security team recently ran a vulnerability scan and found that the application instances are accessible from the internet on port 8080. The EC2 instances have a security group that allows inbound traffic on port 8080 from the ALB's security group only. However, the ALB's security group allows inbound traffic on port 8080 from 0.0.0.0/0. The architecture also includes a NAT Gateway for outbound internet access from private subnets. The security engineer needs to ensure that only the ALB can communicate with the application instances on port 8080, and that the application instances cannot be directly accessed from the internet. What should the security engineer do?

A.Change the EC2 instance security group to allow inbound traffic on port 8080 from 0.0.0.0/0, and rely on the subnet network ACL to block traffic.
B.Add a rule to the EC2 security group that denies inbound traffic from 0.0.0.0/0 on port 8080.
C.Modify the ALB security group to remove the inbound rule for port 8080 from 0.0.0.0/0, and configure the ALB listener to forward traffic from port 80/443 to port 8080 on the target group.
D.Place the EC2 instances in a public subnet and use a network ACL to block inbound traffic on port 8080 from the internet.
Answer: C

This correctly restricts internet access to the ALB on standard ports and allows the ALB to forward to port 8080.

Why this answer

The ALB's security group should not allow inbound from 0.0.0.0/0 on the application port. Instead, the ALB should listen on port 80/443 from the internet and forward to port 8080 on the instances. The ALB security group rule should be removed, and the listener should be configured on standard ports.

The EC2 security group is already correct.

206
Multi-Select · medium

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security engineer needs to protect the application from common web exploits such as SQL injection and cross-site scripting. Which TWO services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.AWS Shield Advanced
C.Network ACLs
D.AWS WAF
E.Amazon CloudFront
Answers: B, D

Shield Advanced provides advanced DDoS protection and integrates with WAF.

Why this answer

Options B and D are correct. AWS WAF can be associated with the ALB to filter web requests. AWS Shield Advanced provides enhanced protection against DDoS attacks.

Option E is wrong because CloudFront itself does not provide WAF rules. Option C is wrong because NACLs are not designed for application-layer filtering. Option A is wrong because GuardDuty is for threat detection, not inline prevention.

207
MCQ · easy

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which AWS service or feature should be used to achieve this?

A.AWS Key Management Service (KMS)
B.Amazon S3 server-side encryption
C.RDS encryption feature
D.SSL/TLS certificates
Answer: A

KMS provides the encryption keys for RDS encryption.

Why this answer

Option A is correct. AWS KMS is used to manage encryption keys for RDS encryption at rest. Option D (SSL/TLS) is for data in transit.

Option C (RDS encryption) is a feature but uses KMS. Option B (S3 server-side encryption) is for S3, not RDS.

208
MCQ · medium

A company has an AWS Lambda function that needs to access an Amazon RDS database. The database is in a private subnet. Which configuration will allow the Lambda function to securely access the database without traversing the internet?

A.Create a VPC peering connection between the Lambda VPC and the RDS VPC.
B.Place the Lambda function in a public subnet and use a NAT gateway to access the RDS database.
C.Configure the Lambda function to run in the same VPC as the RDS database, in the same private subnet.
D.Use a VPC endpoint for Lambda to connect to the RDS database.
AnswerC

Attaching the Lambda function to the VPC allows it to access resources in private subnets directly.

Why this answer

The correct answer is C: configuring the function with VPC subnets and a security group gives it an elastic network interface inside the VPC, so it reaches the database over private addresses. The database security group must then allow the database port from the function's security group. Option B is wrong because a NAT gateway provides outbound internet access for private subnets; it is not a path to RDS, and a Lambda function in a public subnet never receives a public IP anyway. Option A is wrong because VPC peering connects two VPCs; a function without VPC configuration runs in a Lambda-owned VPC that you cannot peer with.

Option D is wrong because the interface endpoint for Lambda lets clients inside a VPC call the Lambda API privately; it does not give the function a path into the database subnet. Note that the function does not have to share the database's subnet, only its VPC, and that once attached to a VPC it loses internet access unless its subnets route through a NAT gateway.

209
MCQeasy

A company uses AWS Systems Manager Session Manager to manage EC2 instances without opening inbound ports. Which IAM policy is required for an EC2 instance to allow Session Manager to connect?

A.AmazonSSMFullAccess
B.AmazonEC2FullAccess
C.AdministratorAccess
D.AmazonSSMManagedInstanceCore
AnswerD

This policy allows the instance to register with Systems Manager and receive commands.

Why this answer

Option D is correct because SSM Agent on the instance needs the permissions in AmazonSSMManagedInstanceCore (attached to the instance profile role) to register with Systems Manager and to open Session Manager channels over the ssm, ssmmessages and ec2messages APIs. Option C is wrong because AdministratorAccess grants everything in the account, far more than an instance should hold. Option B is wrong because it allows EC2 API actions, not the Systems Manager actions the agent uses.

Option A is wrong because AmazonSSMFullAccess grants full control of Systems Manager, which is excessive for an instance role. If session logs are sent to S3 or CloudWatch Logs, the instance role additionally needs write permissions to those destinations; the core policy alone does not include them.

210
MCQhard

A company is designing a hybrid cloud architecture with an AWS Direct Connect connection. The company wants to ensure that traffic to and from the VPC goes through the Direct Connect connection and not over the internet. Which configuration should be used?

A.Create a VPC Endpoint for each AWS service.
B.Set up a VPN connection over the internet as a backup.
C.Attach a Virtual Private Gateway to the VPC and update the route tables to point to the Direct Connect virtual interface.
D.Configure the Direct Connect connection and assign public IPs to instances.
AnswerC

Forces traffic through Direct Connect.

Why this answer

Option C is correct: a private virtual interface on the Direct Connect connection terminates on a virtual private gateway (or a Direct Connect gateway) attached to the VPC, and the VPC route tables send on-premises prefixes to that gateway, either as static routes or through propagation of the BGP routes learned over the virtual interface. Option B is wrong because a VPN over the internet is exactly the path the company wants to avoid; it is a sensible failover, but it does not keep traffic off the internet. Option A is wrong because VPC endpoints provide private access to AWS services from inside the VPC and have no effect on the path to on-premises networks.

Option D is wrong because Direct Connect by itself does not steer traffic; routing does, and assigning public IPs to instances creates internet paths rather than preventing them.

211
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. A security engineer needs to ensure that all CloudFormation stacks use a specific AWS KMS key for encrypting resources that support encryption. Which approach should be used?

A.Use a CloudFormation template that includes the KMS key ID as a hardcoded value.
B.Use a CloudFormation parameter to accept the KMS key ID and validate it with a rule.
C.Use AWS CloudFormation StackSets with a service-managed permission model to deploy stacks from a centrally managed template that includes the KMS key.
D.Use an AWS Organizations service control policy (SCP) to deny all CloudFormation actions unless a specific KMS key is used.
AnswerC

StackSets allow central management and enforcement of template content, including the KMS key.

Why this answer

The correct answer is C: with StackSets and the service-managed permission model, a central administration account deploys one controlled template across accounts and organizational units, so the KMS key reference is set once rather than by each team. Option A is wrong because a hardcoded key ID only helps inside that one template; anyone who can deploy their own template can leave it out. Option D is wrong because SCPs deny API actions, and there is no CloudFormation condition key that expresses "every resource in this stack is encrypted with key X", so an SCP cannot enforce the requirement.

Option B is wrong because a parameter, even with validation rules, is supplied by whoever deploys the stack and can be set to a different key. Note that StackSets control what the central template deploys; they do not stop a principal with direct permissions from creating resources outside the stack set, so pair them with detective controls.

212
MCQeasy

A company configures a Route 53 alias record to point to a CloudFront distribution. The security team wants to ensure that users can only access the website via CloudFront and not directly via the S3 bucket origin. What additional configuration is needed?

A.Create an Origin Access Control (OAC) for the S3 bucket origin
B.Create a Route 53 health check to verify CloudFront availability
C.Configure CloudFront signed URLs to restrict access
D.Attach a security group to the S3 bucket
AnswerA

OAC, with a matching bucket policy, ensures only CloudFront can read the S3 bucket.

Why this answer

Option A is correct: with an Origin Access Control, CloudFront signs its requests to the origin as the cloudfront.amazonaws.com service principal, and the bucket policy allows s3:GetObject to that principal only for the distribution's ARN (an aws:SourceArn condition). With Block Public Access enabled, direct requests to the bucket are refused. Option B is wrong because a health check monitors availability; it has no effect on who can reach the origin. Option C is wrong because signed URLs decide which viewers may request content through CloudFront, not whether the bucket can be reached directly.

Option D is wrong because security groups attach to network interfaces such as EC2 instances; S3 buckets do not have them.

213
MCQmedium

A company has an Amazon S3 bucket that stores sensitive data. The security team needs to ensure that all access to the bucket is encrypted in transit. Which condition should be added to the bucket policy?

A.aws:SecureTransport
B.aws:SourceIp
C.s3:x-amz-server-side-encryption
D.aws:UserAgent
AnswerA

This condition ensures the request is made over SSL/TLS.

Why this answer

Option A is correct because aws:SecureTransport is "true" when the request arrived over TLS and "false" otherwise. The usual pattern is a Deny statement on s3:* with a Bool condition of aws:SecureTransport equal to false, so every unencrypted request is refused regardless of what other statements allow. Option B is wrong because aws:SourceIp matches the caller's IP address and says nothing about encryption. Option C is wrong because s3:x-amz-server-side-encryption is a request-header condition for server-side encryption of stored objects (encryption at rest), not the transport.

Option D is wrong because aws:UserAgent matches the client's user-agent string, which the client controls.

214
MCQmedium

A security engineer is designing a VPC with a public subnet and a private subnet. The private subnet will host a database instance that should only be accessible from the application instances in the public subnet. The application instances use an Auto Scaling group. Which configuration ensures that only the application instances can access the database?

A.Allow inbound database port from the security group attached to the application instances in the public subnet.
B.Allow inbound database port from 0.0.0.0/0 in the database security group.
C.Configure a network ACL on the private subnet to allow the database port from the public subnet CIDR.
D.Allow inbound database port from the public subnet CIDR block in the database security group.
AnswerA

This dynamically allows traffic from all application instances.

Why this answer

Option A is correct because a rule whose source is the application instances' security group matches every network interface with that group attached, so instances that Auto Scaling launches or replaces are covered automatically with no IP addresses to maintain. Option D is wrong because a public-subnet CIDR source admits any host placed in that subnet, not just the application instances. Option B is wrong because 0.0.0.0/0 exposes the database to anything that can route to it.

Option C is wrong because network ACLs are stateless, operate on the whole subnet and accept only CIDR sources; they cannot reference a security group.

215
MCQhard

Refer to the exhibit. A security engineer reviews this CloudFormation template snippet. What is the security concern with this configuration?

A.The AMI ID is hardcoded.
B.The template does not specify a VPC.
C.The instance type is too small.
D.The security group allows SSH access from any IP address.
AnswerD

SSH should be restricted to specific IP ranges.

Why this answer

Option D is correct: an ingress rule for TCP/22 with a source of 0.0.0.0/0 (or ::/0) lets any host on the internet attempt SSH logins, which invites credential brute forcing and exploitation of the SSH service. Restrict the source to known address ranges, or drop the rule entirely and use Systems Manager Session Manager. Option A is not a security flaw: a hardcoded AMI ID is a maintainability and portability concern, not an exposure (the AMI is not necessarily public).

Option C is incorrect because the instance type has no security implications. Option B is incorrect because omitting a VPC simply leaves the instance in the default VPC; the template remains valid.

216
Multi-Selectmedium

A company wants to restrict access to an S3 bucket so that only objects with specific tags can be accessed by a certain IAM role. Which THREE steps are required to implement this?

Select 3 answers
A.Use S3 Inventory to list objects and their tags.
B.Enable S3 object-level logging in CloudTrail.
C.Attach an IAM policy to the role that uses the s3:ExistingObjectTag condition.
D.Create a bucket policy with a condition based on the s3:ExistingObjectTag key.
E.Set a bucket policy that denies access if the object does not have the required tag.
AnswersC, D, E

IAM policies can also use condition keys to restrict access based on tags.

Why this answer

Option B (enable S3 object-level logging in CloudTrail) is an audit control and is not required for access enforcement. Option D (bucket policy with a condition on s3:ExistingObjectTag/<key>) is correct: the resource policy grants the role access only to objects carrying the required tag value. Option C (IAM policy on the role with the same condition) is correct: the identity policy scopes what the role may request, and for cross-account access both sides must allow.

Option E (a Deny statement for objects that do not carry the tag) is correct: the explicit deny guarantees that no other Allow can reach untagged objects. Option A (S3 Inventory) reports on objects and their tags; it does not control access. Note that s3:ExistingObjectTag applies to object-level operations such as s3:GetObject; an object being uploaded has no tags yet, so PutObject is scoped with s3:RequestObjectTag instead.

217
MCQmedium

A company uses AWS Systems Manager Session Manager to manage EC2 instances. The security team wants to ensure that all SSH sessions are logged and that commands are recorded. What should be configured?

A.Enable session logging in the Session Manager preferences to send logs to Amazon S3 and CloudWatch Logs
B.Configure the security group to allow inbound SSH from the Session Manager service
C.Enable AWS CloudTrail to log Systems Manager API calls
D.Create an IAM policy that allows ssm:StartSession and attach it to the instance role
AnswerA

Session Manager preferences allow logging of session activities and command recording.

Why this answer

Option A is correct because Session Manager preferences can stream session data to CloudWatch Logs and write full session transcripts to an S3 bucket, capturing the commands entered and their output; the instance role needs write access to those destinations. Option D is wrong because ssm:StartSession belongs to the users who open sessions, not to the instance role, and permissions do not produce logs in any case. Option B is wrong because Session Manager needs no inbound port at all; the agent makes outbound connections to the service.

Option C is wrong because CloudTrail records the StartSession and TerminateSession API calls, not the commands typed inside the session. Caveat: if users tunnel real SSH through Session Manager (the AWS-StartSSHSession document), the traffic is encrypted end to end by SSH and the session content is not captured by these logs; to record commands, have users open plain Session Manager shell sessions.

218
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy type should be used?

A.IAM policy
B.Network ACL
C.VPC Endpoint policy
D.S3 bucket policy with aws:SourceVpc condition
AnswerD

This condition restricts access to requests originating from a specific VPC.

Why this answer

Option D is correct because a bucket policy with a StringEquals condition on aws:SourceVpc (or, in a Deny statement, StringNotEquals) limits access to requests that arrive through a VPC endpoint in that VPC. Option A is wrong because an IAM policy grants permissions to identities; it can carry the same condition, but the question asks for the control on the bucket. Option C is wrong because a VPC endpoint policy restricts what the endpoint may be used for; traffic reaching the bucket by other paths is unaffected.

Option B is wrong because network ACLs filter subnet traffic and do not apply to S3. Caveat: aws:SourceVpc is populated only when the request reaches S3 through a VPC endpoint. Requests from the same VPC that exit via a NAT gateway to the public S3 endpoint carry no VPC context and will be denied, so deploy the gateway endpoint before adding the condition.

219
MCQmedium

A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?

A.Place all tiers in public subnets and use security groups to restrict traffic.
B.Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.
C.Place the web and app tiers in public subnets and the database in a private subnet.
D.Place all tiers in private subnets and use a single security group to allow traffic between them.
AnswerB

This ensures isolation and encryption can be applied at the application layer.

Why this answer

Option B is correct because it places the web tier in a public subnet with an Internet Gateway (IGW) for internet-facing access, while the application and database tiers reside in private subnets with no direct internet path. Separate security groups enforce least privilege: the web tier security group allows inbound HTTP/HTTPS (ports 80/443) from 0.0.0.0/0, the app tier security group allows inbound only from the web tier security group (a security group reference rather than a CIDR), and the database tier security group allows inbound only from the app tier security group on the database port. Subnet placement isolates the tiers; encryption is then applied at the application layer, with TLS between the web and app tiers and TLS connections to the database (RDS supports TLS and can be configured to require it).

Exam trap

The trap here is assuming that security groups alone isolate tiers that sit in public subnets. They do filter traffic, but an instance in a public subnet with a public IP is reachable from the whole internet, so the isolation then depends on no rule ever being too permissive. Keeping the internal tiers in private subnets removes the path, so a mistaken rule cannot expose them.

How to eliminate wrong answers

Option A is wrong because placing all tiers in public subnets gives the application and database tiers a route to and from the internet, violating the isolation requirement; their safety would rest on security group rules alone. Option C is wrong because placing the app tier in a public subnet exposes it to the internet, contradicting the requirement that it be reachable only from the web tier. Option D is wrong because with every tier in private subnets nothing is internet-facing (an internet-facing load balancer in a public subnet would be required), and a single shared security group cannot express tier-specific rules.

220
MCQhard

A security engineer is designing a network segmentation strategy for a VPC that hosts sensitive data. The engineer needs to ensure that EC2 instances in a private subnet can communicate with an RDS database in a different private subnet, but cannot communicate with any other resources in the same VPC. Which configuration should be used?

A.Create a VPC peering connection between the subnets.
B.Configure security groups for the EC2 instances that only allow outbound traffic to the RDS security group, and RDS security group allows inbound from the EC2 security group.
C.Assign the same security group to both the EC2 instances and the RDS database.
D.Use network ACLs with deny rules for all traffic except between the two subnets.
AnswerB

Security groups provide instance-level granularity and stateful filtering.

Why this answer

Option B is correct because security group rules can reference other security groups and are stateful: the EC2 group's only outbound rule allows the database port to the RDS group, the RDS group's only inbound rule allows that port from the EC2 group, and return traffic is tracked automatically. The instances therefore have no permitted path to anything else in the VPC. Option A is wrong because VPC peering connects separate VPCs; subnets in one VPC already share the local route. Option C is wrong because a shared group with a self-referencing rule lets every member talk to every other member, which is broader than instance-to-database.

Option D is wrong because network ACLs are stateless and apply to whole subnets; they cannot single out instances, and deny-everything rules would also need explicit ephemeral-port rules for return traffic. Caveat: an outbound rule set this tight also blocks DNS, package updates and the Systems Manager endpoints, so in practice add those destinations explicitly (interface endpoints can be referenced by their security group) rather than reopening 0.0.0.0/0.

221
MCQmedium

A company uses an AWS Network Firewall to inspect traffic between subnets in a VPC. The security team wants to ensure that all traffic from the web tier to the database tier passes through the firewall. The web servers are in subnet A, and the database servers are in subnet B. What routing configuration is required?

A.Add a route in the route table associated with subnet A that sends all traffic to the firewall endpoint.
B.Add a route in the route table for subnet A with destination subnet B CIDR and target the firewall endpoint. Add a similar route in subnet B's route table with destination subnet A CIDR and target the firewall endpoint.
C.Add a route in the route table associated with subnet B that sends all traffic to the firewall endpoint.
D.Associate both subnets with the same route table and add a route to the firewall endpoint for all traffic.
AnswerB

This ensures both directions go through the firewall.

Why this answer

Option B is correct because traffic between subnets in a VPC is delivered by the implicit local route unless a more specific route overrides it. Subnet A's route table needs a route for subnet B's CIDR with the firewall endpoint as target, and subnet B's route table needs the mirror route for subnet A's CIDR, so both directions of a connection are inspected; the firewall endpoint's own subnet keeps a plain route table so inspected packets are then delivered normally. Options A and C are wrong because a 0.0.0.0/0 route to the firewall is less specific than the local route and never captures east-west traffic, and each covers only one direction. Option D is wrong because the two subnets need different route tables (each pointing at the other's prefix), and a single all-traffic route does not override the local route. Note that routes more specific than the local route are permitted only for targets such as Network Firewall endpoints, and that endpoints are zonal, so deploy one per Availability Zone and route each subnet to the endpoint in its own zone.
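As an added example (constructed for this page, not taken from AWS documentation or the question bank), the following Python simulates VPC route selection with longest-prefix matching. The VPC and subnet CIDRs, addresses and the firewall endpoint ID are invented. It shows why a default route to the firewall (option A or C) never catches subnet-to-subnet traffic, and that the pair of /24 routes from option B steers both directions through the endpoint.

```python
"""Constructed model of VPC route selection for the Network Firewall question.

A VPC route table picks the most specific matching prefix. The VPC's own
CIDR is covered by the implicit 'local' route, so a 0.0.0.0/0 route to the
firewall endpoint never sees subnet-to-subnet traffic; only routes more
specific than 'local' (which AWS permits for firewall endpoints) do.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
WEB_SUBNET = "10.0.1.0/24"          # subnet A
DB_SUBNET = "10.0.2.0/24"           # subnet B
FW_ENDPOINT = "vpce-0fw0fw0fw0fw0fw0"   # hypothetical firewall endpoint id


def next_hop(route_table, dst_ip):
    """Return the target of the longest-prefix route matching dst_ip (None if no route)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def inspected_both_ways(rt_web, rt_db, web_ip, db_ip, fw=FW_ENDPOINT):
    """True only if web->db and db->web are both steered to the firewall."""
    return next_hop(rt_web, db_ip) == fw and next_hop(rt_db, web_ip) == fw


# Option A/C style: a default route to the firewall. 'local' (/16) is more
# specific than /0, so east-west traffic is delivered directly, uninspected.
RT_DEFAULT_TO_FW = [(VPC_CIDR, "local"), ("0.0.0.0/0", FW_ENDPOINT)]

# Option B style: each subnet routes the *other* subnet's prefix to the
# firewall endpoint; the /24 beats the /16 local route.
RT_WEB = [(VPC_CIDR, "local"), (DB_SUBNET, FW_ENDPOINT)]
RT_DB = [(VPC_CIDR, "local"), (WEB_SUBNET, FW_ENDPOINT)]

# The firewall endpoint's own subnet keeps a plain local route so inspected
# packets are delivered to their destination instead of looping back.
RT_FIREWALL = [(VPC_CIDR, "local")]

if __name__ == "__main__":
    web, db = "10.0.1.10", "10.0.2.20"
    print("default route only :", next_hop(RT_DEFAULT_TO_FW, db))
    print("per-subnet routes  :", next_hop(RT_WEB, db), next_hop(RT_DB, web))
    print("after inspection   :", next_hop(RT_FIREWALL, db))
    print("both ways inspected:", inspected_both_ways(RT_WEB, RT_DB, web, db))
```

In a real VPC each route table is also associated with its subnet, and the firewall subnet gets its own table; the model only reproduces the lookup that decides where a packet goes next.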

222
MCQmedium

A company is using AWS CloudFormation to deploy infrastructure. Which method ensures that sensitive data, such as database passwords, is not exposed in the template or outputs?

A.Use the 'NoEcho' property on the password parameter.
B.Store the password in the template outputs.
C.Hardcode the password in the template and use the 'NoEcho' property.
D.Use a dynamic reference to a Systems Manager Parameter Store parameter.
AnswerD

Dynamic references retrieve secrets securely.

Why this answer

Option D is correct: a dynamic reference (the resolve:ssm-secure or resolve:secretsmanager form) makes CloudFormation fetch the secret from Parameter Store or Secrets Manager at deployment time, so it never appears in the template body, the parameter list or the stack's stored template. Hardcoding (option C) puts the secret in version control and in every copy of the template; NoEcho does nothing for a literal written into the template itself.

Outputs (option B) are readable by anyone allowed to describe the stack. NoEcho (option A) masks a parameter's value with asterisks in the console, CLI and API responses, but the secret still has to be supplied in plaintext at deploy time and can leak through outputs, resource metadata or logs, so it is a mitigation rather than a solution. Note that ssm-secure references are accepted only for specific resource properties, while Secrets Manager references can be used in resource properties generally.
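As an added example serving question 215 (world-open SSH) and question 222 (secrets in templates), the following Python runs two checks over a CloudFormation template loaded as a dictionary: it flags security-group ingress rules that admit TCP/22 from 0.0.0.0/0 or ::/0, password-like parameters without NoEcho, secret properties given as literals instead of ssm-secure or secretsmanager dynamic references, and Outputs that echo a NoEcho parameter. The template, its resource names and the literal password are constructed for the example, and the set of property names treated as secrets is an assumption to be extended in real use. This is not code from the question bank or from any AWS tool.

```python
"""Constructed checks over a CloudFormation template (loaded as a dict).

Two classes of finding from the questions above: a security group that
admits SSH from the whole internet, and secrets that are hardcoded,
passed as parameters without NoEcho, or echoed through Outputs instead
of being fetched with a dynamic reference. The template is invented.
"""
import re

# Dynamic references that CloudFormation resolves at deploy time.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(ssm-secure|secretsmanager):")
# Property names treated as secrets; an assumption, extend for real use.
SECRET_PROPS = {"MasterUserPassword", "Password", "AdminPassword"}
SSH_PORT = 22


def open_ssh_rules(template):
    """Names of security groups with a TCP/22 ingress rule open to the world."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            proto = str(rule.get("IpProtocol", ""))
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
            if world and proto in ("tcp", "-1") and lo <= SSH_PORT <= hi:
                findings.append(name)
    return findings


def secret_findings(template):
    """Human-readable findings about secret handling in the template."""
    findings = []
    params = template.get("Parameters", {})
    noecho = {n for n, p in params.items() if str(p.get("NoEcho", "")).lower() == "true"}
    for name in params:
        if "password" in name.lower() and name not in noecho:
            findings.append(f"Parameter {name} lacks NoEcho")
    for name, res in template.get("Resources", {}).items():
        for prop, value in res.get("Properties", {}).items():
            if prop in SECRET_PROPS and isinstance(value, str) and not DYNAMIC_REF.match(value):
                findings.append(f"{name}.{prop} is a literal secret")
    for name, out in template.get("Outputs", {}).items():
        value = out.get("Value")
        if isinstance(value, dict) and value.get("Ref") in noecho:
            findings.append(f"Output {name} echoes NoEcho parameter {value['Ref']}")
    return findings


# Constructed template: one bad and one acceptable example of each pattern.
TEMPLATE = {
    "Parameters": {
        "DbPassword": {"Type": "String"},                  # no NoEcho
        "AdminPassword": {"Type": "String", "NoEcho": True},
    },
    "Resources": {
        "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "bastion",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
        "LegacyDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "not-a-real-password"}},    # invented literal
        "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "{{resolve:ssm-secure:/example/db/password:1}}"}},
    },
    "Outputs": {"Leak": {"Value": {"Ref": "AdminPassword"}}},
}

if __name__ == "__main__":
    print("open SSH:", open_ssh_rules(TEMPLATE))
    for finding in secret_findings(TEMPLATE):
        print("secret:", finding)
```

A YAML template would be parsed with a YAML loader first; the dictionary form here keeps the example free of dependencies. The checks are deliberately simple, and in a pipeline they would sit alongside a full linter rather than replace one.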

223
MCQmedium

A company has deployed a multi-tier web application on AWS. The web servers are in a public subnet, and the application servers are in a private subnet. The security team wants to ensure that the application servers cannot initiate outbound connections to the internet. What should the team do?

A.Add a deny rule for all outbound traffic in the network ACL of the private subnet.
B.Modify the security group of the application servers to deny all outbound traffic.
C.Remove the default route (0.0.0.0/0) pointing to an internet gateway or NAT gateway from the private subnet's route table.
D.Attach an egress-only internet gateway to the private subnet.
AnswerC

Without a route to an internet gateway or NAT, outbound internet traffic is blocked.

Why this answer

Option C is correct because a route table containing only the local route gives the subnet no path to the internet at all: without an internet gateway or NAT gateway route, packets to public addresses are dropped, whatever the security groups say. Option B is wrong as worded because security groups have no deny rules, only allow rules. Removing every outbound rule from the group would stop those instances initiating connections, but that is a per-group setting that any later rule re-opens and it leaves the route in place; removing the route is the subnet-wide, structural fix. Option A is wrong because network ACLs are stateless: a blanket outbound deny would also block the replies to connections the web tier opens to the application servers, so you would need careful ephemeral-port rules instead.

Option D is wrong because an egress-only internet gateway provides outbound IPv6 access; it would add an internet path, not remove one. Caveat: removing the route also cuts off package updates and AWS API calls, so reach AWS services through VPC endpoints instead.

224
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which S3 bucket policy condition key should be used?

A.aws:VpcSourceIp
B.aws:SourceVpc
C.aws:SourceVpce
D.aws:SourceIp
AnswerC

Restricts access to a specific VPC endpoint.

Why this answer

To restrict access to an S3 bucket so that only requests originating from a specific VPC endpoint are allowed, you must use the `aws:SourceVpce` condition key in the S3 bucket policy. This key evaluates the VPC endpoint ID (e.g., `vpce-1a2b3c4d`) of the request, ensuring that only traffic routed through that specific endpoint is granted access. The `aws:SourceVpc` key restricts by VPC ID rather than endpoint ID, `aws:SourceIp` matches the caller's public IP address, and `aws:VpcSourceIp` (a real key, often mistaken for an invalid one) matches the requester's private IP address inside the VPC; none of the three identifies the endpoint.

Exam trap

The trap here is that candidates often confuse `aws:SourceVpc` (which restricts by VPC ID) with `aws:SourceVpce` (which restricts by VPC endpoint ID), leading them to select the wrong condition key when the requirement is specifically to allow only traffic from a particular VPC endpoint.

How to eliminate wrong answers

Option A is wrong because `aws:VpcSourceIp` matches the private IP address of a requester coming through a VPC endpoint, not the endpoint itself; it can narrow access to particular hosts, but any endpoint in any VPC with overlapping addressing would satisfy it. Option B is wrong because `aws:SourceVpc` restricts access based on the VPC ID (e.g., `vpc-12345678`), not the specific VPC endpoint ID, so it would allow traffic through any endpoint in that VPC. Option D is wrong because `aws:SourceIp` matches the caller's public IP address, and requests that arrive through a VPC endpoint do not carry one, so it cannot express an endpoint-based restriction (bucket policies commonly pair an `aws:SourceIp` allow-list for the internet path with `aws:SourceVpce` for the endpoint path).
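As an added, constructed example (not from the question bank or from AWS documentation), the following Python models how S3 evaluates the bucket-policy conditions used in questions 213, 216, 218 and 224: a Deny on aws:SecureTransport false, a Deny when aws:SourceVpce is not one chosen endpoint, and an Allow for one role conditioned on an s3:ExistingObjectTag key. The bucket name, endpoint ID, role ARN and tag key are invented. It exists to show two behaviours the prose states but does not demonstrate: that an explicit Deny overrides the Allow, and that a negated operator matches when the key is absent from the request, which is why an internet-sourced request (no aws:SourceVpce at all) is denied.

```python
"""Constructed evaluator for the S3 bucket-policy conditions discussed above.

Explicit Deny wins over any Allow; no matching Allow means implicit deny.
Only the operators these policies need are modelled (Bool, StringEquals,
StringNotEquals), including IAM's rule that a negated operator matches
when the key is absent from the request context. Identity policies and
Block Public Access are not modelled.
"""
from fnmatch import fnmatchcase

BUCKET = "example-sensitive-data"                        # assumed name
VPCE_ID = "vpce-0123456789abcdef0"                        # assumed endpoint id
ROLE_ARN = "arn:aws:iam::111122223333:role/DataReader"   # assumed role
TAG_KEY = "s3:ExistingObjectTag/approved"                # assumed tag key


def build_policy(bucket=BUCKET, vpce_id=VPCE_ID, role_arn=ROLE_ARN):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # In transit: refuse anything that did not arrive over TLS.
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, objects_arn],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            # Network path: refuse anything not routed through our endpoint.
            # Internet requests carry no aws:SourceVpce, so they match too.
            {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, objects_arn],
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
            # Data scope: the role may read only objects tagged approved=true.
            {"Sid": "AllowRoleTaggedObjects", "Effect": "Allow",
             "Principal": {"AWS": role_arn}, "Action": "s3:GetObject",
             "Resource": objects_arn,
             "Condition": {"StringEquals": {TAG_KEY: "true"}}},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, requester):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in allowed or requester in allowed


def _any_match(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            exp = _as_list(expected)
            actual = ctx.get(key)
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() == exp[0].lower()
            elif operator == "StringEquals":
                ok = actual in exp
            elif operator == "StringNotEquals":
                ok = actual not in exp      # absent key -> matches (IAM semantics)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """request holds principal, action, resource and context (the condition keys)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], request["principal"])
                and _any_match(stmt["Action"], request["action"])
                and _any_match(stmt["Resource"], request["resource"])
                and _condition_matches(stmt.get("Condition", {}), request["context"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny:" + stmt["Sid"]
        allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed sample request: GetObject on one object, with a fully compliant context.
OBJECT = f"arn:aws:s3:::{BUCKET}/report.csv"
GOOD_CTX = {"aws:SecureTransport": "true", "aws:SourceVpce": VPCE_ID, TAG_KEY: "true"}


def decide(context, principal=ROLE_ARN, action="s3:GetObject"):
    return evaluate(build_policy(), {"principal": principal, "action": action,
                                     "resource": OBJECT, "context": context})


if __name__ == "__main__":
    print("tls+vpce+tag :", decide(GOOD_CTX))
    print("plain http   :", decide({**GOOD_CTX, "aws:SecureTransport": "false"}))
    print("from internet:", decide({k: v for k, v in GOOD_CTX.items() if k != "aws:SourceVpce"}))
    print("untagged     :", decide({k: v for k, v in GOOD_CTX.items() if k != TAG_KEY}))
```

The model returns which statement produced an explicit deny, which is the detail a practitioner wants when a request is refused: the endpoint deny and the transport deny look identical from the client side (an AccessDenied), but they need different fixes.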

225
MCQmedium

A company has a multi-tier web application hosted on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an Amazon RDS MySQL database. The security team has implemented security groups and network ACLs. Recently, a vulnerability scan revealed that the RDS database is accessible from the internet. The security engineer investigates and finds that the database security group allows inbound traffic on port 3306 from 0.0.0.0/0. The engineer also checks the network ACLs and finds that inbound rules allow traffic on port 3306 from 0.0.0.0/0, and outbound rules allow all traffic. The database is in a private subnet. Which combination of steps should the engineer take to remediate the issue while maintaining application functionality?

A.Update the network ACL inbound rule to allow traffic only from the ALB security group. The security group is already correctly configured.
B.Update the database security group to allow inbound traffic on port 3306 only from the ALB security group. Update the network ACL inbound rule to allow traffic from the ALB security group.
C.Update the database security group to allow inbound traffic on port 3306 from the VPC CIDR range. No changes to network ACL are needed.
D.Move the database to a public subnet and restrict the security group to the ALB security group.
AnswerB

Tightening both layers to the application tier's source removes the 0.0.0.0/0 exposure at the security group and at the network ACL.

Why this answer

Option B is correct because it closes the exposure at both layers: the database security group accepts port 3306 only from the security group of the tier that connects to it, and the network ACL no longer admits 3306 from 0.0.0.0/0. Two practical corrections to the option's wording: network ACL rules accept only CIDR sources, so the NACL entry must list the application subnets' CIDR blocks, and database connections are opened by the EC2 application instances, not by the ALB, so the security group source should be the instances' security group (the ALB never talks to port 3306). Option A is wrong because it leaves the 0.0.0.0/0 rule in the security group. Option C is wrong because the whole VPC CIDR is far broader than the application tier.

Option D is wrong because moving the database to a public subnet adds an internet route; the fix is to tighten the rules, not relocate the database. While remediating, also confirm that the instance's "Publicly accessible" setting is off.
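As an added example covering questions 214, 220 and 225 (constructed for this page, not from the question bank), the following Python models security-group evaluation for a new connection: the sender's groups must contain a matching egress rule and the receiver's groups a matching ingress rule, and a rule whose peer is a security group matches any interface carrying that group regardless of its IP address. Group IDs, addresses and instance names are invented. It shows that an instance Auto Scaling adds with a fresh IP is admitted by a group-referencing rule while an unrelated instance in the same subnet is not, that the subnet-CIDR alternative would admit that unrelated instance, and that the question 220 egress restriction stops the application instances reaching anything but the database. Network ACLs are not modelled because they accept only CIDR sources.

```python
"""Constructed model of security-group evaluation (ingress and egress).

Security groups are stateful allow-lists attached to network interfaces.
A rule's peer is either a CIDR block or another security group; a group
peer matches any interface that has that group attached, whatever its IP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Eni:
    name: str
    ip: str
    groups: frozenset


@dataclass(frozen=True)
class Rule:
    port: int
    peer_sg: Optional[str] = None   # source (ingress) or destination (egress) group
    cidr: Optional[str] = None      # or a CIDR block

    def matches(self, peer: Eni, port: int) -> bool:
        if port != self.port:
            return False
        if self.peer_sg is not None:
            return self.peer_sg in peer.groups
        return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(self.cidr)


def ingress_allowed(rules, dst, src, port):
    return any(r.matches(src, port)
               for g in dst.groups for r in rules.get(g, {}).get("ingress", []))


def egress_allowed(rules, src, dst, port):
    return any(r.matches(dst, port)
               for g in src.groups for r in rules.get(g, {}).get("egress", []))


def flow_allowed(rules, src, dst, port):
    """A new connection needs an egress match at the sender and an ingress match at the receiver."""
    return egress_allowed(rules, src, dst, port) and ingress_allowed(rules, dst, src, port)


# Invented group IDs and rule sets following the question 214/220 design.
RULES = {
    "sg-app": {"ingress": [Rule(443, cidr="0.0.0.0/0")],
               "egress": [Rule(3306, peer_sg="sg-db")]},        # q220: only the database
    "sg-db": {"ingress": [Rule(3306, peer_sg="sg-app")],        # q214: group reference
              "egress": []},
    "sg-rogue": {"ingress": [], "egress": [Rule(3306, cidr="0.0.0.0/0")]},
    "sg-other": {"ingress": [Rule(443, cidr="10.0.0.0/16")], "egress": []},
}

# Invented interfaces: two app instances (the second launched later by Auto
# Scaling), an unrelated instance in the same public subnet, the database
# and another service in the private subnet.
APP1 = Eni("app-1", "10.0.1.10", frozenset({"sg-app"}))
APP2 = Eni("app-2", "10.0.1.57", frozenset({"sg-app"}))
ROGUE = Eni("rogue", "10.0.1.200", frozenset({"sg-rogue"}))
DB = Eni("db", "10.0.2.20", frozenset({"sg-db"}))
OTHER = Eni("other", "10.0.2.30", frozenset({"sg-other"}))

# The alternative from question 214 option D: trust the whole public subnet.
SUBNET_CIDR_RULE = [Rule(3306, cidr="10.0.1.0/24")]

if __name__ == "__main__":
    for src, dst, port in [(APP1, DB, 3306), (APP2, DB, 3306), (ROGUE, DB, 3306), (APP1, OTHER, 443)]:
        print(f"{src.name} -> {dst.name}:{port} allowed={flow_allowed(RULES, src, dst, port)}")
    print("rogue admitted by subnet-CIDR rule:",
          any(r.matches(ROGUE, 3306) for r in SUBNET_CIDR_RULE))
```

The rogue instance is stopped at the database's ingress rule, not at its own egress, which is the point of referencing the application group: the decision does not depend on where the traffic came from in address terms.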
