CCNA Management and Security Governance Questions

75 of 262 questions · Page 2/4 · Management and Security Governance · Answers revealed

76
MCQmedium

Refer to the exhibit. A company uses this CloudFormation template. What security best practice is being violated?

A.The instance type is too small for production workloads.
B.The security group allows SSH access from all IP addresses.
C.The AMI ID is not specified as a parameter.
D.The EBS volume is not encrypted.
AnswerB

Allowing SSH from 0.0.0.0/0 is a security risk.

Why this answer

Option B is correct because the security group ingress rule in the template allows TCP port 22 (SSH) from 0.0.0.0/0, which exposes the instance's management port to the entire internet. Option A is wrong because the instance type is a capacity and cost concern, not a security control. Option C is wrong because hard-coding an AMI ID is a maintainability issue, not a vulnerability in itself.

Option D describes a real weakness if the template's volume is declared with Encrypted: false, but the question asks for the most critical violation, and an open SSH port is the one an attacker can reach directly. Restrict the rule to a bastion host or VPN range, or remove inbound SSH altogether and use AWS Systems Manager Session Manager.

77
Multi-Selecthard

Which TWO AWS services can be used to enforce that specific resource types (e.g., EC2 instances) are tagged with a 'CostCenter' tag? (Choose two.)

Select 2 answers
A.AWS Organizations tag policies
B.AWS Service Catalog
C.AWS Config
D.AWS CloudFormation
E.AWS IAM
AnswersA, C

Can enforce tags across accounts in the organization.

Why this answer

AWS Config can evaluate resource tagging (for example with the managed rule required-tags, which reports resources that lack a given tag key as non-compliant), and AWS Organizations tag policies standardize tag keys and values across member accounts. IAM controls permissions rather than tag presence; CloudFormation can require tags on the resources it creates but says nothing about resources created outside a stack; Service Catalog governs provisioning of approved products, not tag compliance of existing resources.

78
MCQeasy

What is the purpose of an AWS Service Control Policy (SCP) in AWS Organizations?

A.To grant specific permissions to users in member accounts.
B.To restrict only the root user of each member account.
C.To monitor and log API activity across the organization.
D.To set permission guardrails that restrict what actions accounts in the organization can perform.
AnswerD

SCPs define the maximum permissions for accounts.

Why this answer

Option D is correct: SCPs centrally define the maximum available permissions for the accounts in an organization, and an SCP deny cannot be overridden by any IAM policy inside a member account. Option A is wrong because SCPs never grant permissions; a principal still needs an IAM allow. Option B is wrong because SCPs apply to every IAM user and role in the member account, including (in member accounts) the root user.

Option C is wrong because SCPs are not a monitoring or logging feature; that is CloudTrail.

79
MCQhard

A company uses AWS KMS to encrypt sensitive data. The security team wants to ensure that KMS keys can only be used by specific IAM roles and that key usage is logged. Which combination of actions should the team take? (Choose the best answer.)

A.Create an SCP to restrict KMS key usage and enable CloudWatch Logs.
B.Attach an IAM policy that allows kms:Encrypt and kms:Decrypt to the roles.
C.Configure the key policy to allow the root user and enable CloudTrail.
D.Configure the key policy to specify the IAM roles as key users and enable CloudTrail.
AnswerD

Key policy grants permissions directly, CloudTrail logs usage.

Why this answer

Option D is correct because key policies define who can use the key, and CloudTrail logs all KMS API calls. Option A is wrong because an SCP can only deny, not grant permissions. Option B is wrong because IAM policies alone are not enough; the key policy must allow IAM access.

Option C is wrong because the key policy must specify the IAM roles.

80
MCQeasy

A company wants to automate the enforcement of security best practices across all AWS accounts. Which AWS service provides pre-built rules for security compliance?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Security Hub
D.AWS Config
AnswerC

Security Hub provides automated security checks and compliance standards.

Why this answer

AWS Security Hub is the correct answer because it provides a comprehensive view of security alerts and compliance status across AWS accounts, and it includes pre-built security standards and automated compliance checks based on frameworks such as the AWS Foundational Security Best Practices (FSBP), CIS AWS Foundations Benchmark, and PCI DSS. These pre-built rules allow you to automate the enforcement of security best practices without manual configuration.

Exam trap

The trap here is that candidates confuse AWS Config's managed rules and conformance packs (which evaluate individual resource configurations) with Security Hub's security standards. Security Hub is the service built to run pre-built standards such as FSBP, CIS and PCI DSS as scored controls and to aggregate the results across accounts, whereas Config is the underlying configuration-auditing engine that Security Hub uses for many of those controls.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using machine learning and threat intelligence; it produces threat findings, not compliance checks against a security standard. Option B is wrong because Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure; it does not evaluate accounts against a compliance framework. Option D is wrong because AWS Config evaluates resource configurations against custom or managed rules (and can package them as conformance packs), but it is Security Hub that provides the pre-built, scored security standards and the consolidated cross-account compliance view the question asks for.

81
MCQhard

A company has a requirement that all access keys for IAM users must be rotated every 90 days. A security engineer needs to implement an automated solution to identify and disable keys that are older than 90 days. Which approach meets the requirement with the least operational overhead?

A.Use AWS Trusted Advisor to check key age and send notifications.
B.Use AWS CloudTrail to monitor CreateAccessKey events and trigger a Lambda function to check key age.
C.Use IAM Access Analyzer to generate findings for unused keys and manually disable them.
D.Use an AWS Config rule with auto-remediation to disable keys older than 90 days.
AnswerD

Correct: Config rule evaluates and auto-remediation disables keys.

Why this answer

Option D is correct because AWS Config has a managed rule, access-keys-rotated (parameter maxAccessKeyAge, default 90 days), that checks key age, and a Config remediation action backed by a Systems Manager Automation document can deactivate the non-compliant key without human intervention. Option A is wrong because AWS Trusted Advisor only reports and notifies; it does not disable keys. Option B is wrong because a CreateAccessKey event fires only when a key is created, so it cannot catch keys that simply age past 90 days; it also requires custom Lambda code to maintain.

Option C is wrong because IAM Access Analyzer reports unused credentials but the option relies on manual disabling, which is the operational overhead the question wants to avoid.
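As an added example (not from the page or from AWS), the same 90-day check done by hand against the IAM credential report, which carries an access_key_N_active and access_key_N_last_rotated column for each of a user's two key slots. The report text below is constructed; in practice it comes from `aws iam get-credential-report` (the Content field is base64-encoded CSV). The reference time is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample with the credential report's access-key columns (other columns omitted).
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,true,2023-01-15T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2024-05-01T09:30:00+00:00,true,2023-11-20T08:00:00+00:00
<root_account>,arn:aws:iam::123456789012:root,false,N/A,false,N/A
"""

# Fixed "now" so the example is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)   # same threshold as the access-keys-rotated rule's maxAccessKeyAge default


def stale_access_keys(report_csv, now=NOW, max_age=MAX_AGE):
    """Return (user, key_slot, age_in_days) for every active key older than max_age.

    Inactive keys and empty slots ("N/A") are skipped: they are not a rotation
    violation, and deactivating them again would be a no-op.
    """
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            active = row[f"access_key_{slot}_active"] == "true"
            rotated = row[f"access_key_{slot}_last_rotated"]
            if not active or rotated == "N/A":
                continue
            age = now - datetime.fromisoformat(rotated)
            if age > max_age:
                stale.append((row["user"], int(slot), age.days))
    return stale


def deactivation_plan(stale):
    """Build the UpdateAccessKey calls a remediation step would make.

    The credential report does not include key IDs, so a real remediation
    first calls ListAccessKeys for the user and picks the key whose CreateDate
    matches the reported rotation time; that lookup is left as a placeholder here.
    """
    return [
        {"UserName": user, "KeySlot": slot, "Status": "Inactive",
         "AccessKeyId": "<resolve via iam:ListAccessKeys>"}
        for user, slot, _ in stale
    ]


if __name__ == "__main__":
    for user, slot, days in stale_access_keys(SAMPLE_REPORT):
        print(f"{user}: access key {slot} is {days} days old, exceeds 90")
```

With the constructed report, alice's key 1 and bob's key 2 are flagged while bob's recently rotated key 1 and the root account (no active keys) are not. The same logic is what the managed Config rule applies continuously; the script is useful as a one-off audit or as the body of a custom Lambda check.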

82
MCQeasy

A company wants to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. Which AWS service can be used to enforce this requirement?

A.AWS Organizations
B.AWS Config
C.AWS Identity and Access Management (IAM)
D.Amazon Cognito
AnswerC

Correct: IAM policies can require MFA.

Why this answer

Option C is correct because an IAM policy can carry a condition such as "Bool": {"aws:MultiFactorAuthPresent": "true"} (or a Deny statement on the inverse), so a user who signs in to the console without MFA is denied the actions the policy covers. Option A is wrong because AWS Organizations manages accounts and SCP guardrails, not individual users' MFA devices. Option B is wrong because AWS Config can report users without MFA (managed rule iam-user-mfa-enabled) but cannot block a sign-in.

Option D is wrong because Amazon Cognito provides identity for application users, not for IAM users of the AWS Management Console.

83
Matchingmedium

Match each AWS security control to its category.

Descriptions to match

- Stateful firewall at instance level
- Stateless firewall at subnet level
- Centralized management of firewall rules
- Managed firewall for VPCs

Why these pairings

These are the four network security controls in AWS. Security groups are stateful and attach to an elastic network interface, so they filter at the instance level; network ACLs are stateless and attach to a subnet, so return traffic must be allowed explicitly; AWS Firewall Manager centrally manages security group, WAF and Network Firewall rules across accounts in an organization; AWS Network Firewall is the managed, stateful firewall service deployed into VPCs.

84
MCQhard

A security engineer needs to ensure that all new IAM users are created with a strong password policy enforced. Which action should be taken?

A.Set a custom IAM password policy in the account
B.Use AWS Config to automatically delete users with weak passwords
C.Create a Lambda function that checks password strength on user creation
D.Use AWS Secrets Manager to generate passwords
AnswerA

Account password policy enforces minimum requirements for all IAM users.

Why this answer

IAM password policy is set at the account level and applies to all users. Custom password policies cannot be per-user; the account policy enforces strength for all.

85
MCQeasy

A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record these changes?

A.Amazon S3
B.Amazon CloudWatch Logs
C.AWS Config
D.AWS CloudTrail
AnswerD

CloudTrail logs all API calls, including IAM policy modifications.

Why this answer

Option D is correct because AWS CloudTrail records the API calls that modify IAM policies (for example CreatePolicyVersion, PutUserPolicy, PutRolePolicy and AttachRolePolicy), along with the caller identity, source IP and time. Option C is wrong because AWS Config records the resulting resource configuration history but not the API call that caused the change.

Option B is wrong because CloudWatch Logs stores log data that is sent to it; it does not capture API activity on its own. Option A is wrong because S3 is storage; it is where a trail delivers its log files, not what records them.

86
MCQhard

A company uses AWS Organizations with a management account and several member accounts. The security team wants to restrict the use of specific AWS services (e.g., EC2, Lambda) in certain accounts based on the account's environment (dev, test, prod). Which approach should be used to implement this requirement?

A.Use AWS CloudTrail to monitor API calls and revoke access after the fact.
B.Create IAM roles in each account with policies that deny access to services.
C.Use AWS Organizations to tag accounts (e.g., Environment=Dev) and use SCPs with conditions to deny access to services based on tags.
D.Use AWS Config rules to detect and alert when restricted services are used.
AnswerC

Tag-based SCPs allow fine-grained control across accounts.

Why this answer

Option C is correct because SCPs are applied centrally from the management account and can carry conditions, so one policy can restrict services according to each account's environment. Option B is wrong because policies created inside a member account can be edited or detached by that account's administrators, so they are not a guardrail. Option D is wrong because Config rules detect usage after the fact but do not prevent it.

Option A is wrong because CloudTrail records API calls; it cannot block them, and revoking access after the fact leaves a window of exposure.

87
MCQeasy

A company wants to grant cross-account access to an S3 bucket owned by Account A to a user in Account B. The bucket policy in Account A allows access from Account B. What additional configuration is required?

A.The IAM user in Account B must have a policy that allows access to the S3 bucket.
B.Nothing; the bucket policy is sufficient.
C.The bucket must be configured with ACLs.
D.An SCP must allow the s3:GetObject action.
AnswerA

Correct: Both resource-based and identity-based policies are needed.

Why this answer

Option A is correct because cross-account access requires both sides to grant it: the resource-based policy (bucket policy) in Account A must allow the Account B principal, and an identity-based policy in Account B must allow the user the same S3 actions. Option B is wrong because, unlike same-account access, a bucket policy alone is not sufficient for a principal in another account. Option C is wrong because ACLs are a legacy mechanism and are not required for cross-account access.

Option D is wrong because SCPs limit what an account may do but are not required to grant anything; the user's identity policy is what is missing.

88
MCQhard

A company has a requirement that all IAM users must use strong passwords. The security engineer needs to enforce a password policy that requires minimum 12 characters, at least one uppercase letter, and at least one number. The engineer sets the password policy in IAM. However, existing users with weak passwords are not forced to change them. What should the engineer do to enforce the policy for existing users?

A.Manually reset each user's password to a strong password.
B.Enable 'Allow users to change their own password' in the policy.
C.Re-apply the password policy to each user.
D.Set the password expiration period to 0 to force immediate password change.
AnswerD

Setting expiration to 0 forces users to change passwords on next login.

Why this answer

Option D is correct in intent: enabling password expiration with a very short maximum age expires the existing passwords, and each user must then set a new one that meets the policy at the next sign-in (if "Allow users to change their own password" is disabled, an administrator must reset them instead). Note that the IAM MaxPasswordAge setting accepts 1 to 1095 days, so there is no literal value of 0; a one-day age is the shortest the API allows. Option B is wrong because permitting self-service password changes does not force anyone to change a weak password. Option C is wrong because there is nothing to re-apply; the account-level policy already applies to all users but is only checked when a password is set.

Option A is wrong because manually resetting every user's password is not scalable and is not necessary.

89
Multi-Selectmedium

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent the creation of Amazon EC2 instances with public IP addresses in all accounts. Which TWO actions should the team take to implement this control using Service Control Policies (SCPs)?

Select 2 answers
A.Use the condition key 'ec2:LaunchTemplate' to deny public IPs.
B.Create an SCP that adds an IAM policy to deny ec2:RunInstances.
C.Create an SCP with a Deny effect for ec2:RunInstances where the request parameter ec2:AssociatePublicIpAddress is true.
D.Attach the SCP to the root organizational unit.
E.Create an SCP that requires the tag 'PublicIP' to be set to 'false'.
AnswersC, D

This condition denies launching instances with public IPs.

Why this answer

Options C and D are correct. The SCP must deny ec2:RunInstances when the request would assign a public address, using the Bool condition key ec2:AssociatePublicIpAddress set to true (C), and it must be attached to the organization root (D) so that every OU and account inherits it. Option A is wrong because ec2:LaunchTemplate is not the condition key that controls public IP assignment.

Option B is wrong because SCPs do not add or modify IAM policies inside accounts; they only set the boundary that IAM policies operate within. Option E is wrong because a tag named PublicIP has no effect on whether EC2 assigns a public address; SCPs can condition on tags, but that would not enforce the control.

90
MCQeasy

A security team wants to audit all changes to IAM policies in the AWS account. Which AWS service should be used to track these changes?

A.AWS Config
B.AWS Trusted Advisor
C.AWS CloudTrail
D.AWS CloudWatch Logs
AnswerC

Records all API calls, including PutUserPolicy, PutRolePolicy, etc.

Why this answer

AWS CloudTrail records all API calls, including IAM policy changes. Config records resource configuration changes but CloudTrail provides detailed event history.

91
MCQhard

Refer to the exhibit. An organization applies this SCP to an OU containing a developer account. A developer in that account tries to launch an m5.large instance using the AWS Management Console. What is the outcome?

A.The instance launches successfully because the SCP only applies to StartInstances, not RunInstances.
B.The launch fails because the SCP denies RunInstances for instance types other than t2.micro and t2.small.
C.The instance launches successfully because the SCP does not explicitly allow any actions.
D.The launch fails only if the developer's IAM policy also denies the action.
AnswerB

Condition StringNotEquals matches m5.large, so Deny applies.

Why this answer

The SCP explicitly denies the ec2:RunInstances action when the condition key ec2:InstanceType does not match t2.micro or t2.small. Since m5.large is not in the allowed list, the deny effect applies, and the launch fails regardless of any IAM policy that might allow it. SCPs act as a guardrail that overrides IAM permissions, so even if the developer has full IAM access, the SCP blocks the operation.

Exam trap

The trap here is that candidates confuse SCPs with IAM policies, thinking an explicit allow in IAM can override an SCP deny, but SCPs act as a boundary that cannot be bypassed by any IAM permission.

How to eliminate wrong answers

Option A is wrong because the SCP explicitly denies ec2:RunInstances, not just ec2:StartInstances; the exhibit shows 'Deny' for RunInstances with a condition on instance type. Option C is wrong because SCPs do not need to explicitly allow actions; they default to allowing all actions unless a deny is applied, and here a deny is applied for non-compliant instance types. Option D is wrong because SCPs are evaluated before IAM policies; a deny in an SCP cannot be overridden by an IAM allow, so the launch fails regardless of the developer's IAM policy.

92
Multi-Selectmedium

A security engineer is designing a governance framework for a multi-account AWS environment. The engineer needs to ensure that all accounts comply with the principle of least privilege for IAM roles and that any non-compliant resources are automatically reported. Which two AWS services should the engineer use together to achieve this? (Choose TWO.)

Select 2 answers
A.AWS Security Hub
B.AWS Service Catalog
C.Amazon GuardDuty
D.AWS Config
E.AWS CloudTrail
AnswersA, D

Security Hub aggregates findings from AWS Config and other services, providing a compliance dashboard and automated reporting.

Why this answer

AWS Security Hub is correct because it provides a comprehensive view of security alerts and compliance status across multiple AWS accounts, aggregating findings from various AWS services and third-party tools. AWS Config is correct because it continuously monitors and records AWS resource configurations, enabling you to define rules (e.g., IAM least privilege policies) and automatically evaluate resource compliance, triggering notifications or remediation actions for non-compliant resources. Together, Security Hub can ingest AWS Config rule compliance results as findings, allowing centralized reporting and automated response to IAM role violations.

Exam trap

The trap here is that candidates often confuse AWS Config (resource compliance evaluation) with AWS CloudTrail (API activity logging) or Amazon GuardDuty (threat detection), failing to recognize that only AWS Config can directly assess IAM role configurations against least privilege rules and automatically report non-compliance.

93
MCQhard

A security engineer runs the get-account-authorization-details command and sees the exhibit output. The engineer wants to ensure that the 'admin' user does not have administrative access. Which steps should be taken?

A.Delete the 'admin' user and create a new user with limited permissions.
B.Modify the AdministratorAccess policy to deny all actions.
C.Detach the AdministratorAccess policy from the 'admin' user and attach a custom policy with read-only permissions.
D.Attach a permissions boundary that denies all actions.
AnswerC

This directly removes the administrative access and grants limited permissions.

Why this answer

The 'admin' user has the AdministratorAccess managed policy attached. To remove administrative access, the engineer should detach that policy and attach a more restrictive one. Option A is wrong because deleting the user is unnecessary; the attached policy is the problem.

Option B is wrong because AdministratorAccess is an AWS managed policy and cannot be edited, and changing it would affect every principal that uses it. Option D is wrong because a permissions boundary that denies everything would make the user useless without addressing the attached policy; the policy itself needs to be removed.

94
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload files to the S3 bucket 'example-bucket' using the AWS CLI with HTTPS. What is the most likely reason?

A.The bucket requires server-side encryption and the user did not specify it.
B.The policy denies all S3 actions when using HTTPS.
C.The user does not have an explicit allow for s3:PutObject.
D.The bucket name is incorrect in the policy.
AnswerC

The policy only denies; without an allow, the default deny blocks the upload.

Why this answer

Option C is correct. The only statement in the policy is a Deny on s3:* for objects in the bucket with the condition "Bool": {"aws:SecureTransport": "false"}, so it denies plain-HTTP requests only. The user is using HTTPS, so that condition is not met and the Deny does not apply. But nothing in the policy allows s3:PutObject, and IAM evaluation starts from an implicit deny; a policy that contains only Deny statements never grants anything. The upload fails with AccessDenied because there is no explicit Allow for s3:PutObject.

Option B is wrong because the Deny is conditioned on SecureTransport being false, which is the opposite of HTTPS. Option D is wrong because an AccessDenied error indicates a permissions problem, not a wrong bucket name. Option A is wrong because the error is not about encryption and the policy says nothing about it.

95
Multi-Selectmedium

A security engineer is configuring AWS Config to track changes to security groups in a VPC. The engineer wants to be notified when a security group is modified. Which TWO steps are required to achieve this?

Select 2 answers
A.Configure an SNS topic and subscribe to it to receive notifications when the Config rule triggers.
B.Enable AWS CloudTrail to log security group changes.
C.Enable Amazon GuardDuty to detect security group modifications.
D.Create an AWS Config rule that monitors security group changes.
E.Enable VPC Flow Logs to capture security group activity.
AnswersA, D

SNS can send notifications on Config rule compliance changes.

Why this answer

Options A and D are correct. Option D: an AWS Config rule (managed or custom) evaluates security groups and changes compliance status when one is modified. Option A: Config publishes compliance-change notifications to an SNS topic (directly, or through an EventBridge rule for the ComplianceChangeNotification event), and subscribing to that topic delivers the alert.

Option B is wrong because Config records configuration changes itself and does not depend on CloudTrail for this. Option E is wrong because VPC Flow Logs capture network traffic, not configuration changes. Option C is wrong because GuardDuty detects threats, not security group edits.

96
MCQmedium

A security engineer discovers that an IAM user has a policy that allows them to delete any S3 bucket in the account. The engineer wants to audit all delete actions performed by this user. Which AWS service should be used?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records the management API calls made by the user, including DeleteBucket, together with the caller identity. Option B (Config) records the resulting resource configuration changes but not who called the API.

Option D (CloudWatch Logs) stores logs but does not capture API calls unless a trail is configured to deliver to it. Option A (GuardDuty) raises findings for suspicious activity but does not log every action.

97
MCQeasy

A company is using AWS Organizations and wants to delegate the management of IAM policies to a specific member account without granting full administrative access. Which AWS feature allows the management account to delegate policy management to another account?

A.AWS Resource Access Manager
B.AWS CloudFormation StackSets
C.AWS Single Sign-On
D.IAM cross-account roles
AnswerD

The management account can create a role in the member account and grant permissions to manage IAM policies.

Why this answer

IAM cross-account roles allow the management account (or an operator in it) to assume a role in the member account whose permissions are scoped to managing IAM policies, without being granted full administrative access. Option A is wrong because AWS RAM shares resources such as subnets and transit gateways, not IAM management. Option C is wrong because AWS Single Sign-On (now IAM Identity Center) handles workforce sign-in and permission sets, not delegation of a specific management task.

Option B is wrong because StackSets automate resource deployment across accounts; they do not delegate administrative authority.

98
Multi-Selectmedium

A company uses AWS Config to record resources. Which TWO actions can be taken to automatically remediate non-compliant resources detected by AWS Config rules?

Select 2 answers
A.Configure AWS Config rules to invoke an AWS Lambda function for remediation
B.Configure AWS Config rules to send notifications to an SNS topic
C.Use AWS Systems Manager Automation documents as remediation actions
D.Use AWS CloudTrail to log non-compliant events
E.Use Amazon CloudWatch Events to trigger an AWS Step Functions state machine
AnswersA, C

Lambda can be used for custom remediation.

Why this answer

Option A is correct because a Config rule can be paired with a remediation that invokes an AWS Lambda function; when a resource is evaluated as non-compliant, the function runs custom logic to fix it, such as tightening a security group rule or enabling encryption. Option C is correct because AWS Config's native remediation actions are AWS Systems Manager Automation documents (runbooks), which can be configured for automatic execution and parameterized with the non-compliant resource ID; a Lambda-based fix is typically wired in through one of these documents. Options B, D and E only notify or record: SNS and EventBridge (formerly CloudWatch Events) can fan the event out to other tooling, and CloudTrail logs the calls, but none of them is a Config remediation action.

Exam trap

The trap here is that candidates often confuse notification-based responses (such as SNS or EventBridge) with actual automated remediation, forgetting that AWS Config's native remediation actions are Systems Manager Automation documents, optionally invoking Lambda functions, rather than generic event-driven workflows.

99
MCQmedium

A company has multiple AWS accounts managed through AWS Organizations. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI). Which governance control should be implemented?

A.Use a service control policy (SCP) that denies ec2:RunInstances unless the AMI ID is in an approved list.
B.Deploy an AWS Config rule that triggers a Lambda function to terminate non-compliant instances.
C.Use AWS CloudTrail to monitor instance launches and alert the security team.
D.Use an IAM policy that restricts ec2:RunInstances to approved AMIs.
AnswerA

SCPs can enforce restrictions across all accounts in the organization.

Why this answer

A service control policy (SCP) is the correct governance control because it operates at the AWS Organizations level, allowing the security team to enforce a deny on ec2:RunInstances across all member accounts unless the AMI ID matches an approved list. SCPs are account permission boundaries that cannot be overridden by IAM policies within the account, ensuring that no user or role can launch an EC2 instance with an unapproved AMI, even if they have full administrative privileges. This provides a preventive control that blocks non-compliant actions before they occur, which is more robust than detective or reactive measures.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, assuming that an IAM policy can enforce organization-wide controls, but SCPs are the only mechanism that applies as a permission boundary across all accounts in an AWS Organization and cannot be overridden by account administrators.

How to eliminate wrong answers

Option B is wrong because an AWS Config rule with a Lambda function to terminate non-compliant instances is a detective and reactive control, not a preventive governance control; it only acts after the instance is launched, incurring potential cost and security exposure. Option C is wrong because AWS CloudTrail is a logging and monitoring service that records API calls but does not prevent the launch; it only alerts the security team after the fact, leaving a window for non-compliant instances to run. Option D is wrong because an IAM policy that restricts ec2:RunInstances to approved AMIs can be bypassed by users with higher privileges (e.g., an administrator) or by modifying the policy within the account, whereas an SCP applies as a boundary that cannot be overridden by account-level IAM policies.

100
MCQmedium

Refer to the exhibit. A role has two policies attached. The custom policy includes an Allow for s3:PutObject. An IAM user assumes this role and tries to upload a file to S3. What happens?

A.The upload succeeds because the custom policy allows s3:PutObject
B.The upload fails because the managed policy only allows read
C.The upload is denied by default because no explicit allow
D.The upload fails because the managed policy overrides the custom policy
AnswerA

The custom policy grants write access.

Why this answer

The upload succeeds because IAM evaluates policies in a default-deny environment, and the custom policy attached to the role explicitly allows s3:PutObject. When a user assumes the role, the effective permissions are the union of all attached policies; the managed policy's read-only restriction does not block the explicit allow for s3:PutObject. Since there is no explicit deny for s3:PutObject, the allow from the custom policy grants the action.

Exam trap

The trap here is that candidates mistakenly believe a more restrictive policy (managed read-only) overrides a less restrictive one (custom allow), but IAM never overrides policies; it only denies if an explicit deny exists, and allows if any explicit allow exists.

How to eliminate wrong answers

Option B is wrong because the managed policy's read-only restriction does not override an explicit allow; IAM uses an allow-list model where any explicit allow permits the action unless there is an explicit deny. Option C is wrong because the custom policy provides an explicit allow for s3:PutObject, so the action is not denied by default. Option D is wrong because no policy overrides another in IAM; the effective permissions are the union of all allows minus any explicit denies, and the managed policy does not contain a deny for s3:PutObject.
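The evaluation order that questions 87, 91, 94 and 100 turn on (SCP guardrail first, then any explicit deny, then an allow from an identity or resource policy, with cross-account access needing both) can be exercised with a small evaluator. The block below is an added example, not AWS's evaluation engine and not code from the page; it supports only the operators those questions use (StringEquals, StringNotEquals, Bool) and skips principal matching and policy variables. The policy documents and request contexts are constructed to mirror the exhibits described in the text.

```python
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value):
    # IAM Action/Resource matching: case-sensitive, with '*' and '?' wildcards
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, ctx):
    # A key missing from the request context behaves as in IAM:
    # StringEquals and Bool fail, StringNotEquals passes.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                wanted = [str(w).lower() for w in _as_list(wanted)]
                if have is None or str(have).lower() not in wanted:
                    return False
            elif operator == "StringEquals":
                if have not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                if have in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def _decision(policies, action, resource, ctx):
    """'deny' if any matching statement denies, else 'allow' if one allows, else 'implicit'."""
    result = "implicit"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _match_any(_as_list(stmt["Action"]), action):
                continue
            if not _match_any(_as_list(stmt.get("Resource", "*")), resource):
                continue
            if not _condition_met(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"          # explicit deny ends evaluation of this set
            result = "allow"
    return result


def is_allowed(action, resource, ctx, identity_policies, scps=None,
               resource_policy=None, cross_account=False):
    """Simplified IAM decision: SCPs bound everything, explicit deny wins, allows are a union."""
    if scps is not None and _decision(scps, action, resource, ctx) != "allow":
        return False                   # SCP deny (or no SCP allow) cannot be overridden by IAM
    ident = _decision(identity_policies, action, resource, ctx)
    res = _decision([resource_policy] if resource_policy else [], action, resource, ctx)
    if "deny" in (ident, res):
        return False
    if cross_account:
        return ident == "allow" and res == "allow"   # both accounts must grant (question 87)
    return ident == "allow" or res == "allow"


# Constructed policy documents (principal elements omitted; the evaluator ignores them).
FULL_AWS_ACCESS = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
ADMINISTRATOR_ACCESS = FULL_AWS_ACCESS            # same shape as the AWS managed policy
SCP_INSTANCE_TYPES = {"Statement": {               # question 91's exhibit as described
    "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}}
DENY_INSECURE_TRANSPORT = {"Statement": {          # question 94: a Deny-only policy
    "Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}}
S3_READ_ONLY = {"Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": "*"}}
S3_PUT_CUSTOM = {"Statement": {"Effect": "Allow", "Action": "s3:PutObject",
                               "Resource": "arn:aws:s3:::example-bucket/*"}}
BUCKET_POLICY = {"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-bucket/*"}}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/*"
OBJECT = "arn:aws:s3:::example-bucket/report.csv"

if __name__ == "__main__":
    guardrail = [FULL_AWS_ACCESS, SCP_INSTANCE_TYPES]
    print("admin launches m5.large:", is_allowed("ec2:RunInstances", INSTANCE,
          {"ec2:InstanceType": "m5.large"}, [ADMINISTRATOR_ACCESS], scps=guardrail))
    print("HTTPS PutObject, deny-only policy:", is_allowed("s3:PutObject", OBJECT,
          {"aws:SecureTransport": "true"}, [DENY_INSECURE_TRANSPORT]))
    print("read-only + custom PutObject:", is_allowed("s3:PutObject", OBJECT, {},
          [S3_READ_ONLY, S3_PUT_CUSTOM]))
```

The SCP case shows why AdministratorAccess does not help once the guardrail denies the request, the SecureTransport case shows that a Deny-only policy can never produce an allow, and the last case shows that attached policies are combined as a union, so a read-only managed policy does not cancel a custom Allow.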

101
MCQeasy

A company uses AWS Organizations and wants to centrally manage CloudTrail trails across all accounts. Which feature should be enabled?

A.CloudTrail organization trail
B.Cross-account CloudTrail
C.Service Control Policy for CloudTrail
D.AWS Config aggregator
AnswerA

An organization trail logs events for all accounts in the organization.

Why this answer

Option A is correct because a CloudTrail organization trail, created in the management account (or a delegated administrator account), logs events for every current and future member account into one destination bucket. Option B is wrong because CloudTrail has no separate "cross-account trail" feature; aggregation across accounts is what the organization trail provides. Option C is wrong because SCPs restrict permissions (they are often used to stop members from disabling the trail) but do not create or manage trails.

Option D is wrong because a Config aggregator collects configuration and compliance data, not CloudTrail events.

102
MCQhard

A security engineer runs the above CloudTrail lookup command to investigate a change to the S3 bucket policy. The command only returns one event, but the engineer knows that the bucket policy was changed multiple times. What is the most likely reason?

A.The bucket policy changes were made through the AWS Management Console, which is not logged.
B.The event is not logged because PutBucketPolicy is not supported by CloudTrail.
C.The command is filtering by the wrong attribute.
D.The command is limiting results to one event.
AnswerD

Max results parameter limits output.

Why this answer

Option D is correct because the command passes --max-results 1, so only one event is returned per call; the remaining PutBucketPolicy events are on later pages reached with the returned NextToken. Option C is wrong because the lookup attribute in the command does match the bucket (the query filters on ResourceName). Option B is wrong because PutBucketPolicy is a management event that CloudTrail records, and one such event is in fact shown.

Option A is wrong because changes made in the AWS Management Console go through the same APIs and appear in the same CloudTrail event history.
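Added example (not from the page): a helper that follows NextToken until CloudTrail has no more pages, which is what a one-event result with --max-results 1 calls for. The lookup function is injected so the block runs offline; fake_lookup_events is a constructed stand-in that serves three PutBucketPolicy events in pages of MaxResults, with the same keyword arguments and response shape as boto3's CloudTrail lookup_events, to which the real client's method can be passed instead.

```python
from datetime import datetime, timezone


def lookup_all_events(lookup_page, event_name, page_size=50):
    """Collect every event for event_name by following NextToken across pages.

    lookup_page must accept LookupAttributes, MaxResults and NextToken keyword
    arguments and return a dict with 'Events' and, while more remain, 'NextToken'.
    """
    events, token = [], None
    while True:
        kwargs = {
            "LookupAttributes": [{"AttributeKey": "EventName", "AttributeValue": event_name}],
            "MaxResults": page_size,
        }
        if token:
            kwargs["NextToken"] = token
        page = lookup_page(**kwargs)
        events.extend(page.get("Events", []))
        token = page.get("NextToken")
        if not token:                      # last page: CloudTrail omits NextToken
            return events


# Constructed sample events: three policy changes to the same bucket by two callers.
FAKE_EVENTS = [
    {"EventId": "e1", "EventName": "PutBucketPolicy", "Username": "alice",
     "EventTime": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)},
    {"EventId": "e2", "EventName": "PutBucketPolicy", "Username": "bob",
     "EventTime": datetime(2024, 3, 2, 14, 30, tzinfo=timezone.utc)},
    {"EventId": "e3", "EventName": "PutBucketPolicy", "Username": "alice",
     "EventTime": datetime(2024, 3, 5, 8, 15, tzinfo=timezone.utc)},
    {"EventId": "e4", "EventName": "GetBucketPolicy", "Username": "bob",
     "EventTime": datetime(2024, 3, 5, 8, 16, tzinfo=timezone.utc)},
]


def fake_lookup_events(LookupAttributes, MaxResults, NextToken=None):
    """Stand-in for the CloudTrail API: filters by EventName and pages by MaxResults."""
    wanted = LookupAttributes[0]["AttributeValue"]
    matching = [e for e in FAKE_EVENTS if e["EventName"] == wanted]
    start = int(NextToken) if NextToken else 0
    page = {"Events": matching[start:start + MaxResults]}
    if start + MaxResults < len(matching):
        page["NextToken"] = str(start + MaxResults)   # opaque token; an offset here
    return page


if __name__ == "__main__":
    one_call = fake_lookup_events(
        [{"AttributeKey": "EventName", "AttributeValue": "PutBucketPolicy"}], MaxResults=1)
    print("single call, MaxResults=1:", len(one_call["Events"]), "event(s)")
    for e in lookup_all_events(fake_lookup_events, "PutBucketPolicy", page_size=1):
        print(e["EventTime"].isoformat(), e["Username"], e["EventName"])
```

A single call with MaxResults=1 returns exactly the one event the question describes; the helper returns all three changes, in the order CloudTrail serves them, and ignores the unrelated GetBucketPolicy event.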

103
Multi-Selecthard

A security engineer is designing a solution to automatically remediate noncompliant EC2 security groups. The company uses AWS Organizations with multiple accounts. The engineer wants to deploy an AWS Config rule and a custom Lambda function in a central security account to evaluate and remediate security groups across all accounts. Which combination of steps is REQUIRED to allow the Lambda function to modify security groups in member accounts? (Choose TWO.)

Select 2 answers
A.Create an IAM role in each member account that allows the central security account to assume it.
B.Use AWS CloudFormation StackSets to deploy the Lambda function to all member accounts.
C.Configure an AWS Config remediation action that invokes the Lambda function in the central account.
D.Attach a resource-based policy to the Lambda function granting access to Config from all member accounts.
E.Create the Lambda function in each member account and configure Config rules in each account.
AnswersA, C

This enables cross-account access for the Lambda function to modify security groups.

Why this answer

The Lambda function runs in the central security account, so it can only change a security group in a member account by assuming a role there. Option A is required: each member account needs an IAM role that trusts the central account and permits the security group changes. Option C is required so that the Config evaluation actually triggers the central function for remediation. Option B is not required because the function does not have to exist in every account; StackSets could deploy the member-account roles, but that is a delivery mechanism, not the permission.

Option D is wrong because a resource-based policy on the Lambda function controls who may invoke it, not what it may do in other accounts. Option E duplicates the function and rules in every account, which is what the central design avoids.

104
Multi-Selecthard

A company is implementing a data classification policy using AWS. The policy requires that all S3 objects containing personally identifiable information (PII) be automatically tagged and encrypted. Which THREE services should be used together to meet this requirement?

Select 3 answers
A.Amazon Macie
B.Amazon S3 default encryption
C.AWS Config
D.AWS Lambda
E.AWS CloudTrail
AnswersA, B, D

Macie discovers and classifies PII in S3.

Why this answer

Options A, B, and D are correct. Option A: Amazon Macie can automatically discover and classify PII in S3. Option D: AWS Lambda can process Macie findings and apply tags.

Option B: S3 default encryption ensures objects are encrypted. Option C is wrong because AWS Config does not classify data. Option E is wrong because CloudTrail is for logging.

105
Multi-Selecthard

A security engineer is designing a solution to detect and alert on any S3 bucket that is publicly accessible. Which THREE services can be used together to achieve this?

Select 3 answers
A.AWS Security Hub
B.Amazon S3 Block Public Access settings
C.AWS Config
D.AWS CloudTrail
E.Amazon VPC Flow Logs
AnswersA, C, D

Aggregates findings from Config and other services.

Why this answer

Option D is correct: CloudTrail logs S3 bucket policy changes. Option C is correct: AWS Config can evaluate bucket policies against a rule for public access. Option B is wrong: S3 itself can block public access via account-level settings, but that is prevention, not detection.

Option A is correct: Security Hub aggregates findings from Config. Option E is wrong: VPC Flow Logs do not deal with S3 bucket policies.

106
Multi-Selectmedium

A security engineer is reviewing the following IAM policy attached to a role. Which TWO actions are allowed by this policy? (Choose two.)

Select 2 answers
A.s3:ListBucket
B.ec2:TerminateInstances
C.iam:CreateUser
D.kms:Decrypt
E.s3:GetObject
AnswersA, E

Explicitly allowed.

Why this answer

Options A and E are correct because the policy allows s3:ListBucket and s3:GetObject. Option B is wrong because ec2:TerminateInstances is not allowed. Option C is wrong because iam:CreateUser is not allowed.

Option D is wrong because kms:Decrypt is not allowed.

107
MCQhard

A security engineer is reviewing an SCP that denies access to a specific AWS service. The engineer notices that the SCP has an Effect of 'Deny' for 's3:PutObject' but the condition block uses 'StringEquals' with 'aws:SourceIp' set to an IP range. Users in the account are still able to upload objects to S3 from IP addresses outside the range. What is the most likely reason?

A.The SCP condition key 'aws:SourceIp' is not supported for SCPs; SCPs only support conditions that are resource-based.
B.The SCP only applies to IAM users and groups, not to the root user.
C.The SCP condition key 'aws:SourceIp' is not available for use in SCPs; SCPs only support condition keys that are global and listed in the AWS Global Condition Context Keys documentation for SCPs.
D.The SCP is evaluated after IAM policies, so an IAM policy allowing the action overrides the SCP.
AnswerC

The 'aws:SourceIp' condition key is not supported in SCPs, so the condition is ignored, and the deny does not apply.

Why this answer

Option C is correct because SCPs do not support the aws:SourceIp condition key; they only support condition keys that are global in the context of the service control policy. Option B is wrong because SCPs are not limited to IAM users and groups; they apply to all principals in the account. Option A is wrong because SCPs do support conditions, but not every condition key is available.

Option D is wrong because SCPs are evaluated before IAM policies and can deny actions.

108
MCQmedium

A company uses AWS Key Management Service (KMS) to encrypt data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which action should be taken?

A.Apply an SCP that denies kms:ScheduleKeyDeletion for all accounts.
B.Create an IAM policy that denies kms:ScheduleKeyDeletion for the key.
C.Enable automatic key rotation.
D.Enable deletion protection on the key.
AnswerB

This prevents authorized users from scheduling key deletion.

Why this answer

Enabling key rotation does not prevent deletion; disabling a key and then scheduling its deletion is how a KMS key is deleted. To prevent accidental deletion, deny the ability to schedule key deletion with an IAM policy. A CloudWatch alarm on the deletion event is a detective control, but the question asks for a preventive one.

The correct answer is an IAM policy that denies kms:ScheduleKeyDeletion for the key. Option D (deletion protection) does not exist for KMS. Option C (rotation) does not prevent deletion.

Option A (an SCP) can help, but at the organization level; the best choice here is the IAM policy.

109
MCQeasy

A security team needs to centrally manage permissions for multiple AWS accounts. Which AWS service should they use?

A.AWS IAM
B.AWS Config
C.AWS Organizations with service control policies (SCPs)
D.AWS CloudTrail
AnswerC

Organizations centrally manage accounts and permissions.

Why this answer

AWS Organizations with service control policies (SCPs) is the correct choice because SCPs allow you to centrally manage permissions across multiple AWS accounts by defining maximum permissions for member accounts. Unlike IAM policies that are attached to users or roles within a single account, SCPs act as a guardrail at the organization or organizational unit (OU) level, restricting what actions accounts and their IAM principals can perform, even if the account's own IAM policies allow more.

Exam trap

The trap here is that candidates often confuse AWS IAM (which manages permissions within a single account) with the need for cross-account permission management, leading them to select IAM instead of recognizing that AWS Organizations with SCPs is the correct service for central governance across multiple accounts.

How to eliminate wrong answers

Option A is wrong because AWS IAM manages permissions for users, groups, and roles within a single AWS account, not across multiple accounts centrally. Option B is wrong because AWS Config is a service for evaluating resource configurations against rules and tracking compliance, not for managing permissions. Option D is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not enforce or manage permissions.

110
MCQeasy

A company wants to log all API calls made in their AWS account for auditing. Which AWS service should be enabled to capture these logs?

A.VPC Flow Logs
B.Amazon CloudWatch Logs
C.Amazon S3 server access logs
D.AWS CloudTrail
AnswerD

CloudTrail records all API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API activity. Option A is wrong because VPC Flow Logs capture network traffic. Option B is wrong because CloudWatch Logs stores logs; it does not capture API calls.

Option C is wrong because S3 is a storage service.

111
MCQmedium

A security engineer has attached the above IAM policy to a user. The user reports that they cannot upload objects to the S3 bucket from their office, which has a public IP address of 198.51.100.50. What is the MOST likely reason for the failure?

A.The policy does not specify the bucket resource for the PutObject action.
B.The policy is not attached to the user.
C.The policy restricts access to the 10.0.0.0/8 IP range, but the user's IP is outside that range.
D.The policy does not allow the s3:PutObject action.
AnswerC

The condition requires the source IP to be in 10.0.0.0/8.

Why this answer

Option C is correct because the policy only allows access from the 10.0.0.0/8 IP range, but the user's office IP is 198.51.100.50, which is outside that range. Option D is wrong because the policy does allow s3:PutObject. Option B is wrong because the policy is attached to the user.

Option A is wrong because the bucket itself is not the resource for s3:PutObject; the resource is the bucket's contents (*), which is what that action requires.

112
MCQmedium

A security team needs to centralize audit logs from multiple AWS accounts into a single S3 bucket. The solution must be scalable and support future account additions. Which approach meets these requirements?

A.Use Amazon CloudWatch Logs to stream logs from each account to a central account.
B.Use AWS Trusted Advisor to collect logs from all accounts.
C.Configure CloudTrail in each account to deliver logs to the same S3 bucket.
D.Use AWS Organizations to create a CloudTrail trail that applies to all accounts in the organization.
AnswerD

Correct: Centralized logging via organization trail.

Why this answer

Option D is correct because AWS Organizations with CloudTrail allows creating an organization trail that logs all accounts in the organization, delivering to a single bucket. Option C is wrong because it requires manual configuration in every account. Option A is wrong because CloudWatch Logs is not for cross-account log delivery.

Option B is wrong because Trusted Advisor does not collect logs.

113
MCQhard

A company is using AWS Organizations with SCPs. The management account has an SCP that denies access to all EC2 actions. A developer in a member account tries to launch an EC2 instance but receives an authorization error. The developer has an IAM policy that allows ec2:RunInstances. What is the most likely cause of the error?

A.The IAM policy does not include the ec2:RunInstances permission.
B.The IAM policy is applied before the SCP.
C.The SCP denies the action, overriding the IAM policy.
D.The SCP is applied only to the root user.
AnswerC

SCPs act as a filter; if denied, the action is blocked.

Why this answer

Option C is correct because SCPs take precedence over IAM policies; if an SCP denies an action, the action is denied even when an IAM policy allows it. Option A is wrong because the developer's IAM policy does include ec2:RunInstances; the denial comes from the SCP. Option B is wrong because SCPs and IAM policies are evaluated together, and an SCP deny cannot be bypassed by the order of evaluation.

Option D is wrong because SCPs apply to all principals in the account, including the root user.

114
MCQhard

A company's security team is implementing a data classification policy for S3 objects using S3 Object Tags. They need to ensure that any object uploaded without the required 'classification' tag is automatically denied. Which S3 bucket policy condition should be used?

A.s3:x-amz-tagging-directive
B.s3:ExistingObjectTag
C.aws:RequestTag
D.s3:object-lock-mode
AnswerB

Checks tags already on the object.

Why this answer

Option B is correct because using 's3:ExistingObjectTag' with a deny condition ensures that if the tag does not exist, the request is denied. Option A is incorrect because 's3:x-amz-tagging-directive' is for copy operations. Option C is incorrect because 'aws:RequestTag' checks tags provided in the request, not existing tags.

Option D is incorrect because 's3:object-lock-mode' is for Object Lock.

115
MCQhard

A security engineer is designing a system to detect and respond to IAM policy changes that could grant excessive permissions. The solution must alert within minutes of the change and automatically revert the change if it violates a predefined baseline. Which combination of services should the engineer use?

A.AWS CloudTrail and Amazon S3
B.AWS CloudTrail, Amazon CloudWatch Events, and AWS Lambda
C.AWS Config and AWS Systems Manager
D.IAM Access Analyzer and AWS Lambda
AnswerB

This combination provides real-time alerting and automated remediation.

Why this answer

Option B is correct: AWS CloudTrail logs the change, CloudWatch Events triggers a Lambda function that compares the new policy to a baseline stored in S3, and if a violation is detected the function reverts the change. Option C is wrong because AWS Config does not auto-remediate quickly and is not event-driven in real time. Option A is wrong because S3 does not process events.

Option D is wrong because IAM Access Analyzer does not auto-remediate.

116
MCQeasy

A startup is deploying a web application on AWS. The application runs on EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that all traffic to the EC2 instances is encrypted. They configure the ALB to listen on HTTPS (port 443) and forward traffic to the EC2 instances on HTTP (port 80). Additionally, they create a security group for the EC2 instances that only allows inbound traffic from the ALB's security group on port 80. However, a security audit reveals that the traffic between the ALB and EC2 instances is not encrypted. Which step should the security team take to encrypt the traffic between the ALB and EC2 instances?

A.Update the EC2 security group to allow traffic on port 443 from the ALB.
B.Enable encryption at rest on the EC2 instances.
C.Configure the target group to use HTTPS protocol and install a certificate on the EC2 instances.
D.Change the ALB listener to use TCP instead of HTTPS.
AnswerC

Encrypts traffic between ALB and EC2.

Why this answer

Option C is correct because to encrypt traffic between the ALB and its targets you configure HTTPS on the target group, so the ALB sends HTTPS requests to the EC2 instances. Option D is wrong because the listener is already HTTPS. Option A is wrong because the security group already filters traffic.

Option B is wrong because encryption at rest does not affect traffic in transit.

117
MCQhard

A security engineer notices that an IAM role in the production account is being assumed by a user from another AWS account, which violates the principle of least privilege. The role's trust policy allows the root user of the external account. What is the MOST secure way to restrict access to only a specific user in the external account?

A.Apply an SCP to the external account to deny the sts:AssumeRole action.
B.Create an IAM policy in the external account that denies sts:AssumeRole for the role.
C.Modify the trust policy to specify the exact user ARN instead of the root ARN.
D.Add a condition to the role's permissions policy requiring a specific source IP.
AnswerC

Limits assumption to the specified user.

Why this answer

Option C is correct because modifying the trust policy to include the specific user ARN is the most direct and secure approach. Option A is incorrect because SCPs do not affect cross-account access. Option D is incorrect because conditions in the role's permissions policy do not restrict who can assume it.

Option B is incorrect because the external account's IAM policies do not control the role's trust.

118
MCQmedium

A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to read objects from an S3 bucket only from the office IP range 192.0.2.0/24. However, the user reports that they can access objects from any IP address. What is the most likely reason?

A.The policy does not include an explicit Deny for requests outside the IP range.
B.The condition key is misspelled; it should be aws:SourceIp without the 's'.
C.The policy is attached to the user, but the bucket has a bucket policy that allows public access.
D.The resource ARN is missing the bucket name.
AnswerA

Without explicit Deny, other policies may allow access.

Why this answer

Option A is correct because the policy is missing an explicit Deny. The Allow with a condition only grants access from the specified IP range; requests from outside the range fall to the implicit deny, which any other policy that allows s3:GetObject without conditions can override. Option C is wrong because S3 bucket policies are separate.

Option D is wrong because the resource is correct. Option B is wrong because the condition key is correct.
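As an added worked example (not part of the original question bank and not AWS code), the toy evaluator below reproduces the decisions behind questions 111, 113 and 118: the 10.0.0.0/8 source-IP condition, an SCP Deny overriding an IAM Allow, and why an Allow with an IP condition does not restrict access when another policy grants it while an explicit Deny with NotIpAddress does. The policy documents, bucket name and addresses are constructed for the example, and the evaluator models only the slice of IAM logic these questions rely on.

```python
"""Toy policy evaluator for the decisions behind questions 111, 113 and 118.

Added example, not AWS code. It models only the rules these questions turn on:
an explicit Deny in any applicable identity policy wins; otherwise some Allow
statement must match the action, resource and condition, or the request is
implicitly denied; and SCPs filter rather than grant, so the action must be
covered by an SCP Allow and not hit by an SCP Deny before identity policies
are consulted. Only IpAddress / NotIpAddress on aws:SourceIp are supported,
and a key missing from the request context is treated as not matching.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    # IAM Action and Resource elements use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(net)
                           for net in _as_list(expected))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a list of policy documents."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_glob_match(stmt["Action"], action)
                    and _glob_match(stmt.get("Resource", "*"), resource)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def is_authorized(identity_policies, action, resource, context, scps=None):
    """Final decision: the SCP filter first, then the identity policies."""
    if scps is not None and evaluate(scps, action, resource, context) != "Allow":
        return False
    return evaluate(identity_policies, action, resource, context) == "Allow"


def _stmt(effect, action, resource="*", condition=None):
    stmt = {"Effect": effect, "Action": action, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return {"Statement": [stmt]}


# Constructed sample documents; bucket name and addresses are illustrative.
BUCKET = "arn:aws:s3:::my-bucket"
OFFICE_UPLOAD = _stmt("Allow", "s3:PutObject", BUCKET + "/*",
                      {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}})
SCP_FULL_ACCESS = _stmt("Allow", "*")
SCP_DENY_EC2 = _stmt("Deny", "ec2:*")
DEVELOPER_POLICY = _stmt("Allow", "ec2:RunInstances")
OFFICE_ONLY_ALLOW = _stmt("Allow", "s3:GetObject", BUCKET + "/*",
                          {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}})
BROAD_GROUP_ALLOW = _stmt("Allow", "s3:GetObject")
OFFICE_ONLY_DENY = _stmt("Deny", "s3:GetObject", "*",
                         {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}})


def q111_upload_allowed(source_ip):
    """Question 111: PutObject is allowed only from 10.0.0.0/8."""
    return is_authorized([OFFICE_UPLOAD], "s3:PutObject", BUCKET + "/report.csv",
                         {"aws:SourceIp": source_ip})


def q113_run_instances_allowed(with_scp):
    """Question 113: an SCP Deny on ec2:* blocks an IAM Allow on ec2:RunInstances."""
    scps = [SCP_FULL_ACCESS, SCP_DENY_EC2] if with_scp else None
    return is_authorized([DEVELOPER_POLICY], "ec2:RunInstances", "*",
                         {"aws:SourceIp": "10.1.2.3"}, scps)


def q118_read_allowed(source_ip, with_explicit_deny):
    """Question 118: a conditional Allow does not restrict; an explicit Deny does."""
    policies = [OFFICE_ONLY_ALLOW, BROAD_GROUP_ALLOW]
    if with_explicit_deny:
        policies.append(OFFICE_ONLY_DENY)
    return is_authorized(policies, "s3:GetObject", BUCKET + "/data.txt",
                         {"aws:SourceIp": source_ip})
```

Calling `q118_read_allowed("203.0.113.7", False)` returns True even though the office-only policy exists, which is the failure question 118 describes; adding the explicit Deny flips it to False while the office address 192.0.2.10 keeps working.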

119
MCQeasy

A developer accidentally committed AWS access keys to a public GitHub repository. The security team needs to immediately revoke the compromised keys and ensure that no new keys are created for that IAM user. What is the most effective immediate action?

A.Rotate the access keys and update the application.
B.Change the IAM user's password.
C.Delete the IAM user and recreate it with new permissions.
D.Deactivate the access keys using the AWS Management Console.
AnswerC

Deleting the user removes all keys and prevents the user from creating new ones; recreate with necessary permissions.

Why this answer

Deleting the IAM user revokes all access keys and prevents any new keys from being created. Option D is wrong because it only deactivates the keys but does not delete them. Option B is wrong because changing the password does not affect access keys.

Option A is wrong because it only rotates the keys, and the old key remains active until it is deleted.

120
MCQeasy

Which AWS service allows you to create and manage encryption keys for your AWS resources?

A.AWS CloudHSM
B.AWS Key Management Service (KMS)
C.AWS Certificate Manager
D.AWS Secrets Manager
AnswerB

KMS is for encryption keys.

Why this answer

AWS Key Management Service (KMS) is the managed service designed specifically for creating, storing, and managing encryption keys used to encrypt data across AWS services. It integrates with AWS CloudTrail for auditing key usage and supports symmetric and asymmetric keys, with automatic key rotation and fine-grained access control via IAM and key policies.

Exam trap

The trap here is that candidates confuse AWS CloudHSM (a dedicated hardware security module) with KMS, not realizing that CloudHSM requires manual management and does not natively integrate with AWS services for automatic encryption, whereas KMS is the fully managed key creation and management service.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for generating and storing keys, but it does not offer a managed key creation and management service with integrated AWS service encryption; instead, it requires you to manage the HSM appliance and client software yourself. Option C is wrong because AWS Certificate Manager (ACM) handles SSL/TLS certificate provisioning, renewal, and deployment, not the creation or management of encryption keys for data at rest or in transit. Option D is wrong because AWS Secrets Manager is designed to rotate, manage, and retrieve secrets (e.g., database credentials, API keys), not to create or manage encryption keys; it can use KMS to encrypt secrets, but it is not a key management service itself.

121
MCQhard

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable a specific security service, such as AWS Config, across all accounts. Which approach should be used?

A.Create an IAM role with a deny policy for the action and attach it to all users
B.Create an AWS Config rule to check for the action and automatically remediate
C.Attach a service control policy (SCP) that denies the action at the root organization level
D.Enable AWS CloudTrail and create a metric filter to alert on the action
AnswerC

SCPs can deny actions across all accounts, including root users.

Why this answer

A service control policy (SCP) can deny actions across all accounts in an organization. Option C is correct because an SCP with a Deny effect on config:StopConfigurationRecorder prevents disabling. Option A is wrong because IAM roles do not apply to the root user.

Option D is wrong because CloudTrail logs actions but does not prevent them. Option B is wrong because Config rules do not prevent disabling.

122
MCQhard

Refer to the exhibit. A security engineer runs the CLI command to determine if the IAM user 'testuser' created a key pair in January 2023. The output shows one event. What can be concluded from this output?

A.The key pair 'my-key-pair' was created in a different AWS account.
B.The user 'testuser' created the key pair 'my-key-pair' on January 15, 2023.
C.The user 'testuser' performed all actions in January 2023.
D.The user 'testuser' performed a read-only operation.
AnswerB

The event shows the creation with the user's ARN and resource ARN.

Why this answer

Option B is correct because the event is logged with the user's ARN. Option D is wrong because the event is not read-only (ReadOnly: false). Option C is wrong because the command only checks for CreateKeyPair events, not all events.

Option A is wrong because the output shows the key pair's ARN, not any evidence of a different account.

123
Multi-Selectmedium

A company is implementing a data retention policy for CloudTrail logs. The logs are stored in an S3 bucket. The policy requires that logs be retained for 7 years and then automatically deleted. Which TWO actions should the security engineer take to meet this requirement?

Select 2 answers
A.Use AWS Backup to manage retention and deletion.
B.Enable S3 Object Lock in compliance mode on the bucket.
C.Configure the S3 bucket policy to deny s3:DeleteObject actions for all principals.
D.Enable S3 Versioning and create a lifecycle policy to delete noncurrent versions.
E.Create an S3 Lifecycle policy that expires objects after 2555 days (7 years).
AnswersC, E

This prevents accidental deletion of logs before the retention period expires.

Why this answer

Object Lock is not needed on top of the lifecycle rule. The simplest approach is an S3 Lifecycle policy that expires objects after 7 years (Option E), and the bucket policy that denies s3:DeleteObject (Option C) ensures that logs are not deleted prematurely, before the retention period ends.

124
MCQhard

A company uses AWS Organizations with SCPs. The security team wants to ensure that no IAM user can be created without MFA. Which SCP should be applied at the root OU?

A.Deny iam:CreateUser unconditionally
B.Use an IAM policy to require MFA for API calls
C.Deny iam:CreateUser unless the request includes a condition for MFA
D.Attach an IAM policy to all users requiring MFA
AnswerC

This SCP denies creation of users without MFA requirement.

Why this answer

Option C is correct because it uses a Service Control Policy (SCP) to deny the `iam:CreateUser` action unless the request includes a condition that MFA is present. SCPs are account-level permission boundaries in AWS Organizations, and this approach ensures that no IAM user can be created without MFA across all accounts in the organization, as SCPs are evaluated before any IAM policies.

Exam trap

The trap here is that candidates confuse SCPs with IAM policies, thinking an IAM policy can enforce MFA at the root OU level, but SCPs are the only mechanism that can apply organization-wide restrictions on actions like `iam:CreateUser`.

How to eliminate wrong answers

Option A is wrong because unconditionally denying `iam:CreateUser` would prevent all user creation, including those with MFA, which does not meet the requirement of allowing MFA-enabled users. Option B is wrong because an IAM policy requiring MFA for API calls only controls access to existing users and does not prevent the creation of users without MFA; it also cannot be applied at the root OU level as SCPs are needed. Option D is wrong because attaching an IAM policy to all users requiring MFA is an account-level action that does not prevent the creation of new users without MFA, and it cannot be enforced across all accounts via the root OU.

125
MCQmedium

A security engineer is reviewing the CloudTrail configuration for a trail named 'management-trail'. The engineer needs to ensure that all S3 object-level operations in the bucket 'my-bucket' are logged. What is the issue with the current configuration?

A.The ReadWriteType is set to 'All', which does not include write events.
B.The 'Values' field should end with a '/*' to capture all objects under the prefix.
C.The IncludeManagementEvents should be set to false to focus on data events.
D.The trail should be configured as a multi-region trail to capture all regions.
AnswerB

Without '/*', only the prefix itself is logged, not objects.

Why this answer

Option B is correct because the 'DataResources' value should include a trailing '/*' to indicate all objects under the prefix. Option A is incorrect because the ReadWriteType is 'All', which covers both read and write. Option C is incorrect because the event selector includes management events.

Option D is incorrect because the trail is not necessarily multi-region from this output.

126
Multi-Selecthard

A company has a security requirement that any Amazon RDS database must be encrypted at rest. Which TWO actions should be taken to enforce this requirement?

Select 2 answers
A.Configure VPC security groups to block unencrypted connections.
B.Use an AWS Config rule to detect unencrypted RDS instances and trigger auto-remediation.
C.Attach an SCP to the OU to require encryption for all RDS instances.
D.Use an IAM policy to deny the rds:CreateDBInstance action unless encryption is enabled.
E.Enable encryption on all existing RDS instances using a Lambda function.
AnswersB, D

Correct: Detects and remediates non-compliant instances.

Why this answer

Options B and D are correct. To enforce encryption, you can use IAM policies with conditions that require encryption parameters, and use AWS Config rules to detect unencrypted databases and trigger remediation. Option E is wrong because enabling encryption on existing databases requires a snapshot restore.

Option C is wrong because SCPs cannot enforce encryption at the service level. Option A is wrong because VPC security groups control network access, not encryption.

127
Multi-Selectmedium

Which TWO of the following are valid methods to centrally manage security policies and enforce compliance across multiple AWS accounts? (Choose two.)

Select 2 answers
A.Deploy AWS Config conformance packs using AWS CloudFormation StackSets across accounts.
B.Attach IAM policies to all IAM users in each account.
C.Use AWS Security Hub to automatically enforce compliance rules.
D.Use AWS Organizations service control policies (SCPs) to restrict allowed actions.
E.Enable VPC Flow Logs in each account and send them to a central S3 bucket.
AnswersA, D

Conformance packs contain rules and remediation actions that can be deployed centrally.

Why this answer

AWS Config conformance packs provide a way to deploy a collection of AWS Config rules and remediation actions across multiple accounts and Regions. When combined with AWS CloudFormation StackSets, you can centrally deploy these conformance packs to all accounts in an AWS Organization, ensuring consistent compliance enforcement. This approach allows you to define and manage security policies as code, automatically evaluating resources against desired configurations.

Exam trap

The trap here is that candidates often confuse AWS Security Hub's detection and aggregation capabilities with actual enforcement, but Security Hub does not automatically enforce compliance—it only reports findings, while conformance packs and SCPs provide the enforcement mechanism.

128
MCQhard

A company is using AWS Organizations and wants to delegate the administration of certain accounts to different teams. For example, the finance team should be able to manage billing-related accounts, but not development accounts. Which AWS feature allows this type of delegation?

A.AWS Organizations delegated administrator
B.AWS IAM Identity Center (AWS SSO)
C.Service control policies (SCPs)
D.IAM roles in each account
AnswerA

Delegated administrator allows specific accounts to manage other accounts for a service.

Why this answer

Option A is correct because AWS Organizations delegated administrator allows you to register member accounts as delegated administrators for specific services, giving them limited administrative permissions. Option C is wrong because SCPs are for denying permissions, not for delegation. Option D is wrong because IAM roles are for users, not for account-level delegation.

Option B is wrong because AWS SSO provides user access, not account management delegation.

129
MCQhard

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to enforce that all S3 buckets created by CloudFormation have encryption enabled. Which approach should be used to enforce this policy?

A.Use AWS Service Catalog to enforce encryption
B.Use AWS CloudFormation Guard to validate templates
C.Enable AWS CloudTrail to detect unencrypted buckets
D.Create an SCP to deny creation of unencrypted S3 buckets
AnswerB

CloudFormation Guard can check for encryption settings before deployment.

Why this answer

Option B is correct because a CloudFormation Guard rule can validate templates before deployment to ensure encryption is configured. Option D is wrong because SCPs cannot enforce resource configurations within a stack. Option C is wrong because CloudTrail only records activity; it cannot enforce anything.

Option A is wrong because Service Catalog enforces on products, not on all CloudFormation templates.

130
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to prevent members of the 'Developers' group from modifying IAM roles in any account. What is the most effective way to enforce this restriction?

A.Apply a service control policy (SCP) that denies IAM role modification actions to all accounts in the organization.
B.Attach an IAM policy to the Developers group in the management account that denies IAM actions.
C.Use AWS Config to detect IAM role modifications and automatically revert them.
D.Create a cross-account role in each member account that denies IAM actions.
AnswerA

Correct: SCPs apply to all accounts and cannot be overridden by IAM policies.

Why this answer

Option A is correct because an SCP can deny IAM role modifications (iam:*Role*) for the entire organization, and it cannot be overridden by account-level permissions. Option D is wrong because a cross-account role only defines access, not restrictions. Option B is wrong because a policy attached to the Developers group in the management account only affects users in that account, and IAM policies can be overridden by administrators in a member account.

Option C is wrong because AWS Config can only detect and revert a modification after it has happened; it does not prevent it.

131
MCQeasy

A security engineer is designing a system to centrally manage IAM users and roles across multiple AWS accounts. The company uses AWS Organizations. Which AWS service should be used to manage permissions across accounts?

A.AWS Config
B.AWS Artifact
C.AWS CloudTrail
D.AWS IAM Identity Center (AWS SSO)
AnswerD

Centrally manages access across accounts.

Why this answer

Option D is correct because AWS IAM Identity Center (formerly AWS SSO) is the service for centrally managing user access to multiple accounts. Option A is wrong because AWS Config is for resource compliance. Option C is wrong because AWS CloudTrail is for auditing API activity.

Option B is wrong because AWS Artifact is for compliance reports.

132
Multi-Selecthard

A company has a security policy that requires all IAM users to use multi-factor authentication (MFA) when accessing the AWS Management Console. The company also wants to enforce this policy using an SCP. Which TWO conditions must be met for the SCP to be effective?

Select 2 answers
A.The SCP must use a condition that checks if MFA is present.
B.The SCP must use the condition key 'aws:SourceIp' to allow only MFA-enabled IPs.
C.The SCP must require users to register MFA devices before accessing the console.
D.The SCP must be attached to the root organizational unit to apply to all accounts.
E.The SCP must be attached to individual IAM users.
AnswersA, D

The SCP uses aws:MultiFactorAuthPresent to check MFA status.

Why this answer

Options A and D are correct. The SCP must deny actions if the user has not authenticated with MFA (A), and the SCP must be attached to the root organizational unit (D) to apply to all accounts. Option B is wrong because aws:MultiFactorAuthPresent, not aws:SourceIp, is the condition key that reflects MFA status.

Option C is wrong because SCPs cannot enforce MFA registration; they can only deny access. Option E is wrong because SCPs are attached to the organization root, OUs or accounts, never to individual IAM users.

133
Multi-Selectmedium

A security engineer is implementing a data classification policy for an S3 bucket that contains sensitive customer data. The policy requires that all objects be encrypted at rest using AWS KMS and that any attempt to upload an unencrypted object be denied. Which THREE steps should the engineer take to enforce this policy? (Choose THREE.)

Select 3 answers
A.Enable S3 bucket keys to reduce KMS API calls.
B.Create a customer managed KMS key.
C.Enable bucket policy to enforce SSL (aws:SecureTransport).
D.Add a bucket policy that denies PutObject if s3:x-amz-server-side-encryption is not aws:kms.
E.Enable S3 default encryption with the KMS key.
AnswersB, D, E

Provides encryption key for S3.

Why this answer

Options B, D and E are correct. Option B: a customer managed KMS key gives the team control of the key policy, rotation and CloudTrail audit trail used for server-side encryption. Option D: a bucket policy that denies s3:PutObject unless the s3:x-amz-server-side-encryption header equals aws:kms rejects unencrypted and SSE-S3 uploads. Option E: default encryption with that key ensures objects are encrypted even when a client sends no header. Option C is wrong because aws:SecureTransport enforces TLS in transit, which does not address encryption at rest. Option A is wrong because S3 Bucket Keys reduce KMS request volume and cost; they are a performance setting, not a policy control.

One check before deploying: decide whether uploads that omit the header should be rejected (the documented pattern adds a second Deny statement with a Null: true condition on the header) or tolerated because default encryption will apply the key anyway (deny only a present-but-wrong header by combining StringNotEquals with Null: false in the same statement). Clients that rely on default encryption break under the first choice.

134
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to prevent all users in the production account from disabling AWS CloudTrail or modifying its configuration. What is the MOST effective way to achieve this?

A.Use IAM policies to deny only cloudtrail:DeleteTrail for all users.
B.Enable CloudTrail log file validation and use AWS Config to detect changes.
C.Create an SCP in AWS Organizations that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail, and similar actions.
D.Attach an IAM permissions boundary to all IAM roles in the production account that denies CloudTrail modifications.
AnswerC

SCPs can deny actions across all accounts in the organization.

Why this answer

Option C is correct because an SCP attached to the production account (or its OU) denies the CloudTrail write actions for every principal in the account, administrators included, and cannot be overridden from inside the account. Option A is wrong because it covers only DeleteTrail; StopLogging, UpdateTrail and PutEventSelectors would still be allowed, and IAM policies can be edited by anyone with IAM write access in the account. Option B is wrong because log file validation and AWS Config detect tampering after the fact; they do not prevent it. Option D is wrong because permissions boundaries must be attached to every role and user individually, do nothing for principals that lack one, and can be changed by account administrators.

135
MCQeasy

Refer to the exhibit. A CloudFormation template creates an S3 bucket. Which security control is NOT enabled by this template?

A.Bucket versioning
B.Bucket policy restrictions
C.Blocking public access
D.Server-side encryption
AnswerA

Versioning is not configured.

Why this answer

Option A is correct: the template enables default encryption (AES256) and blocks public access, but it does not turn on versioning. Option D is wrong because server-side encryption is enabled. Option C is wrong because public access is blocked. Option B is wrong because the bucket policy restrictions are present in the template.

136
Multi-Selecthard

A security team needs to ensure that all IAM users in a production account use multi-factor authentication (MFA) before accessing the AWS Management Console. Which THREE steps should be taken? (Choose THREE.)

Select 3 answers
A.Use AWS Config rules to detect users without MFA.
B.Enable MFA for each IAM user.
C.Attach an IAM policy that denies console access if MFA is not present.
D.Apply an SCP that requires MFA for console access.
E.Configure an IAM password policy to require MFA.
AnswersB, C, E

Required for users to have MFA devices.

Why this answer

Options B, C and E are the keyed answers. Enabling MFA on each user (B) supplies the device, and an IAM policy that denies console access unless aws:MultiFactorAuthPresent is true (C) is what actually enforces its use; as with any deny-unless-MFA policy, exempt the actions needed to enrol a device. Note that an IAM account password policy controls password length, complexity, reuse and rotation and has no MFA setting (question 142 on this page makes the same point), so E works only as a written requirement, not as a technical control. Option A is wrong because AWS Config can detect users without MFA but cannot enforce its use.

Option D is wrong because an SCP is an account-level guardrail that requires AWS Organizations and does not affect the management account; for a single production account the IAM policy is the control.

137
MCQhard

A security engineer is designing a centralized logging solution for a multi-account AWS environment using AWS Organizations. The solution must ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the security account. Additionally, the logs must be encrypted with a KMS key that is managed by the security account. Which combination of steps is required?

A.Create a trail in each account, each delivering to the same S3 bucket. Use a bucket policy to allow cross-account writes. Use a single KMS key with appropriate key policy.
B.Use AWS Config to deliver logs to a central bucket. Enable CloudWatch Logs in each account and stream to the security account.
C.Create a trail in the management account with organization trail enabled, delivering to a bucket in the management account. Use KMS default encryption.
D.Create a trail in the security account with organization trail enabled, delivering to a bucket in the security account. Configure bucket policy and KMS key policy to allow CloudTrail and S3 from all accounts.
AnswerD

Organization trail from security account centralizes logs; proper policies allow cross-account delivery.

Why this answer

Option D is correct because an organization trail delivers events from every current and future member account to one bucket. An organization trail can be created from the management account or from an account registered as a CloudTrail delegated administrator, so the security account must be delegated first. The bucket policy must allow cloudtrail.amazonaws.com to write objects under the organization's prefix, and the KMS key policy must allow CloudTrail to use the key (kms:GenerateDataKey*) and the log readers to decrypt. Option A is wrong because per-account trails require the bucket and key policies to be maintained for each account and are not applied automatically to new accounts.

Option B is wrong because AWS Config does not deliver CloudTrail logs and CloudWatch Logs is not required. Option C is wrong because it stores the logs in the management account rather than the security account and uses the default key instead of a key managed by the security account.

138
MCQmedium

A financial services company uses AWS Organizations to manage multiple accounts. The Security team has enabled AWS CloudTrail in all accounts and logs are delivered to a central S3 bucket in the management account. The company has a requirement to detect and alert on any IAM user or role that performs a console login without multi-factor authentication (MFA) across all accounts. Currently, the team manually reviews CloudTrail logs, which is time-consuming and error-prone. They want an automated solution that uses AWS services and follows AWS best practices for security governance. The solution must be cost-effective and should not require custom code or third-party tools. What should the Security team do to meet this requirement?

A.Enable Amazon GuardDuty and create a custom rule to detect console logins without MFA.
B.Configure CloudTrail to deliver logs to Amazon CloudWatch Logs. Create a metric filter for the event name 'ConsoleLogin' with additionalEventData.MFAUsed != 'Yes'. Create a CloudWatch Alarm on the metric to send a notification via Amazon SNS.
C.Create an AWS Config managed rule to check for console logins without MFA across all accounts.
D.Use AWS IAM Access Analyzer to generate findings when IAM users log in without MFA.
AnswerB

This solution uses CloudTrail logs, CloudWatch Logs metric filter, and CloudWatch Alarm to detect and alert on console logins without MFA. It is automated, cost-effective, and requires no custom code.

Why this answer

Option B is correct because it uses AWS CloudTrail with Amazon CloudWatch Logs and a metric filter to detect console logins without MFA, then a CloudWatch alarm to send an SNS notification; the organization trail must be configured to deliver to CloudWatch Logs so that every account is covered. The approach is automated, serverless and needs no custom code. Option C is incorrect because AWS Config managed rules evaluate resource configuration (such as whether a user has an MFA device) but cannot evaluate CloudTrail events such as the MFAUsed field of a login.

Option A is incorrect because Amazon GuardDuty produces threat findings (unusual API calls, compromised instances) and does not accept custom rules for MFA compliance. Option D is incorrect because AWS IAM Access Analyzer analyzes resource policies for external access, not sign-in behaviour.

Filter caveat: restrict the pattern to successful IAM-user logins, adding $.userIdentity.type = "IAMUser" and $.responseElements.ConsoleLogin = "Success" as the CIS Benchmark does. Federated users perform MFA at the identity provider and are recorded with MFAUsed = "No", and failed attempts belong to a separate failed-login alarm; without the extra clauses both raise false alarms.
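The detection logic behind the metric filter in this question, as an added example that is not part of the quiz page. The CloudTrail records are constructed (the account ID 111122223333 is an AWS documentation placeholder), and the log group and metric names in the generated CLI command are assumptions. It runs the bare pattern from the answer and the CIS Benchmark pattern over the same events to show which ones only the latter leaves out.

```python
"""Metric-filter logic for ConsoleLogin-without-MFA, run over constructed CloudTrail records.

Added example for this page, not AWS code. The records below are made up
for the example; only the fields the two filters read are populated.
"""

# Pattern as given in the answer: every ConsoleLogin event whose MFAUsed is not "Yes".
NAIVE_PATTERN = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'

# CIS AWS Foundations Benchmark pattern: only successful logins by IAM users.
# Federated principals do MFA at the IdP and are logged with MFAUsed = "No";
# failed attempts are covered by a separate failed-login alarm.
CIS_PATTERN = ('{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")'
               ' && ($.userIdentity.type = "IAMUser")'
               ' && ($.responseElements.ConsoleLogin = "Success") }')


def _login_record(user_type, name, mfa_used, outcome, arn=None):
    """Minimal constructed ConsoleLogin record (sample data, not a real log line)."""
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": user_type, "userName": name,
                         "arn": arn or f"arn:aws:iam::111122223333:user/{name}"},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa_used, "MobileVersion": "No"},
    }


SAMPLE_EVENTS = [  # constructed sample data
    _login_record("IAMUser", "alice", "No", "Success"),      # real finding
    _login_record("IAMUser", "bob", "Yes", "Success"),       # compliant
    _login_record("AssumedRole", "carol", "No", "Success",   # federated: MFA done at IdP
                  arn="arn:aws:sts::111122223333:assumed-role/sso-developer/carol"),
    _login_record("IAMUser", "alice", "No", "Failure"),      # failed attempt, not a login
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},  # unrelated event
]


def naive_filter(event):
    """Python equivalent of NAIVE_PATTERN."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def cis_filter(event):
    """Python equivalent of CIS_PATTERN."""
    return (naive_filter(event)
            and event.get("userIdentity", {}).get("type") == "IAMUser"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success")


def matching_principals(events, predicate):
    """userName of every event the predicate would count toward the metric."""
    return [e["userIdentity"].get("userName") for e in events if predicate(e)]


def put_metric_filter_command(log_group, pattern, filter_name="ConsoleLoginWithoutMFA",
                              namespace="CloudTrailMetrics"):
    """The aws CLI call that installs the filter (names are assumptions for the example)."""
    return ("aws logs put-metric-filter"
            f" --log-group-name {log_group}"
            f" --filter-name {filter_name}"
            f" --filter-pattern '{pattern}'"
            f" --metric-transformations metricName={filter_name},"
            f"metricNamespace={namespace},metricValue=1")


if __name__ == "__main__":
    print("naive pattern flags:", matching_principals(SAMPLE_EVENTS, naive_filter))
    print("CIS pattern flags:  ", matching_principals(SAMPLE_EVENTS, cis_filter))
    print(put_metric_filter_command("/aws/cloudtrail/org-trail", CIS_PATTERN))
```

The naive pattern flags alice, the federated session for carol and alice's failed attempt; the CIS pattern flags alice once. An alarm on the metric with a threshold of 1 and a single evaluation period, published to the SNS topic, completes the answer.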

139
Multi-Selectmedium

A security engineer is designing a governance framework for a multi-account AWS environment. The framework must enforce the principle of least privilege for cross-account access. Which TWO strategies should be implemented?

Select 2 answers
A.Enable AWS CloudTrail in all accounts and aggregate logs.
B.Grant full administrative access to a central security group.
C.Use a single IAM user across all accounts for administrative tasks.
D.Use IAM roles with specific permissions and trust policies for cross-account access.
E.Define service control policies (SCPs) that restrict the maximum permissions per account.
AnswersD, E

Roles allow temporary, scoped access.

Why this answer

Option D is correct because IAM roles with specific permissions and trust policies enable cross-account access without sharing long-term credentials. The trust policy defines which accounts can assume the role, and the permissions policy grants only the necessary actions, enforcing the principle of least privilege. Option E is correct because SCPs cap the permissions any principal in an account can hold, so even an over-permissive role cannot exceed the guardrail. Option A is a detective control, not a preventive one, and options B and C create shared or broad standing access, the opposite of least privilege.

Exam trap

The trap here is that candidates may confuse detective controls (like CloudTrail logging) with preventive controls (like IAM roles and SCPs), or mistakenly think that sharing a single IAM user or granting broad permissions is acceptable for administrative convenience.

140
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all newly created accounts automatically have AWS CloudTrail enabled, with logs delivered to a centralized S3 bucket. Which solution meets these requirements with the least operational overhead?

A.Create an SCP that enables CloudTrail and enforces log delivery to the centralized S3 bucket.
B.Use AWS Trusted Advisor to check CloudTrail status and send alerts to the security team.
C.Create an SCP that denies actions to disable CloudTrail and modify the S3 bucket policy. Use AWS CloudFormation StackSets to deploy a CloudTrail trail in each account.
D.Use AWS Config rules with auto-remediation to enable CloudTrail in each account.
AnswerC

Correct: StackSets automate deployment of CloudTrail across accounts, and SCP prevents disabling.

Why this answer

Option C is correct. A CloudFormation StackSet with automatic deployment to the organization (or an OU) creates a trail that delivers to the central bucket in every existing and newly added account, and the SCP prevents account administrators from stopping, deleting or redirecting that trail afterwards. Option A is wrong because SCPs can only restrict permissions; they cannot enable a service or create a trail. Option B is wrong because Trusted Advisor only reports on CloudTrail status and can neither create nor protect trails.

Option D is wrong because Config rules with auto-remediation require AWS Config, the rule and a remediation document to be deployed and maintained in every account, which is more operational overhead than a StackSet, and remediation is reactive. In practice an organization trail created from the management account (or a delegated administrator) covers new accounts automatically with even less overhead, but that option is not offered here.

141
Multi-Selecteasy

Which TWO AWS services can be used to automatically enforce policies on resources at the time of creation? (Choose two.)

Select 2 answers
A.AWS Key Management Service (KMS)
B.AWS CloudTrail
C.AWS IAM
D.AWS Service Catalog
E.AWS Config (with automatic remediation)
AnswersD, E

Service Catalog allows creation of resources with predefined policies.

Why this answer

Options D and E are correct. AWS Service Catalog lets users launch only pre-approved products whose templates carry the required settings, and launch constraints control the role used, so the policy is applied at creation time. AWS Config rules with automatic remediation evaluate a resource as soon as it is recorded and correct it through an SSM Automation document, which the question counts as enforcement at creation. Option C is wrong because IAM policies govern who may perform an action, not the configuration of the resource created.

Option B is wrong because CloudTrail only records API activity. Option A is wrong because AWS KMS manages encryption keys.

142
MCQmedium

A company wants to enforce that all IAM users in its AWS account use multi-factor authentication (MFA) for console login. Which action should be taken to ensure compliance?

A.Apply an SCP to the AWS account that mandates MFA for all users.
B.Create an IAM policy that denies access unless MFA is present and attach it to all IAM users.
C.Enable MFA on the root user and share credentials with all users.
D.Configure the account password policy to require MFA.
AnswerB

Correct: IAM policies can use conditions to require MFA for access.

Why this answer

Option B is correct because an IAM policy with a condition on aws:MultiFactorAuthPresent can deny actions when the session was not authenticated with MFA. Write it with BoolIfExists so that requests in which the key is absent are denied too, and exempt the actions a user needs to enrol a device. Option A is wrong because SCPs are AWS Organizations guardrails applied to accounts and OUs, not a per-user control within a single account. Option D is wrong because the account password policy governs passwords only and has no MFA setting.

Option C is wrong because sharing root credentials is itself a serious violation; MFA on the root user protects only the root user.
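An added example, not part of the quiz page, that serves questions 132, 133, 136 and 142 above: a small evaluator for Deny statements with conditions, run against constructed request contexts. The policy documents, the bucket name and the request contexts are written for this example (the MFA-enrolment carve-out follows the shape of AWS's documented pattern but is reproduced from memory, not copied). It shows two things the prose only states: why the MFA deny must use BoolIfExists rather than Bool, and how the two forms of the SSE-KMS bucket policy treat an upload that omits the encryption header.

```python
"""Evaluate IAM-style Deny statements against a request context.

Added example for this page; policies and contexts are constructed. Only the
Deny side is modelled (an Allow is assumed to exist elsewhere), Resource is
ignored, and only the condition operators used below are supported.
"""
import copy
from fnmatch import fnmatchcase

# Deny everything except MFA enrolment when the caller has not used MFA. The
# NotAction carve-out lets a user with no device enrol one; without it the
# policy locks new users out before they can comply.
DENY_UNLESS_MFA = {"Statement": [{
    "Sid": "DenyAllExceptMfaEnrolmentIfNoMFA",
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                  "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
    "Resource": "*",
    # BoolIfExists treats an absent key as a match, so calls signed with
    # long-term access keys (which carry no aws:MultiFactorAuthPresent key)
    # are denied as well.
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}]}

# Same statement with plain Bool: an absent key never matches, so access-key
# traffic without MFA slips through.
DENY_UNLESS_MFA_PLAIN_BOOL = copy.deepcopy(DENY_UNLESS_MFA)
DENY_UNLESS_MFA_PLAIN_BOOL["Statement"][0]["Condition"] = {
    "Bool": {"aws:MultiFactorAuthPresent": "false"}}

OBJECTS = "arn:aws:s3:::example-classified-bucket/*"  # hypothetical bucket
SSE_HEADER = "s3:x-amz-server-side-encryption"

# Strict form (question 133): reject a wrong header AND reject a missing header.
REQUIRE_KMS_STRICT = {"Statement": [
    {"Sid": "DenyWrongHeader", "Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}},
    {"Sid": "DenyMissingHeader", "Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {SSE_HEADER: "true"}}},
]}

# Tolerant form: deny only a header that is present and not aws:kms, so clients
# that omit the header and rely on default encryption keep working.
REQUIRE_KMS_IF_HEADER = {"Statement": [
    {"Sid": "DenyWrongHeaderOnly", "Effect": "Deny", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {SSE_HEADER: "false"}, "StringNotEquals": {SSE_HEADER: "aws:kms"}}},
]}


def _condition_matches(operator, key, expected, context):
    """One (operator, key, value) triple evaluated against the request context."""
    if operator == "Null":  # "true" means the key is absent, "false" means present
        return (key not in context) == (str(expected).lower() == "true")
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    negated = "Not" in base
    if key not in context:
        # ...IfExists is satisfied by an absent key, and so is a negated operator
        # (an absent value is "not equal" to anything); other operators are not.
        return if_exists or negated
    actual, want = str(context[key]), str(expected)
    if base == "Bool":
        equal = actual.lower() == want.lower()
    elif base in ("StringEquals", "StringNotEquals"):
        equal = actual == want
    else:
        raise ValueError(f"operator {operator} is outside this example's scope")
    return not equal if negated else equal


def _action_applies(statement, action):
    """Action / NotAction matching with IAM's '*' wildcard."""
    key = "Action" if "Action" in statement else "NotAction"
    patterns = statement[key]
    listed = [patterns] if isinstance(patterns, str) else patterns
    hit = any(fnmatchcase(action, p) for p in listed)
    return hit if key == "Action" else not hit


def is_denied(policy, action, context):
    """True when some Deny statement covers the action and all of its conditions match."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or not _action_applies(stmt, action):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, value, context)
               for op, pairs in conditions.items() for key, value in pairs.items()):
            return True
    return False


if __name__ == "__main__":
    no_mfa, access_key = {"aws:MultiFactorAuthPresent": "false"}, {}
    print("no MFA, list buckets:", is_denied(DENY_UNLESS_MFA, "s3:ListAllMyBuckets", no_mfa))
    print("no MFA, enrol device:", is_denied(DENY_UNLESS_MFA, "iam:EnableMFADevice", no_mfa))
    print("access key, BoolIfExists / Bool:",
          is_denied(DENY_UNLESS_MFA, "s3:ListAllMyBuckets", access_key),
          is_denied(DENY_UNLESS_MFA_PLAIN_BOOL, "s3:ListAllMyBuckets", access_key))
    for ctx in ({}, {SSE_HEADER: "AES256"}, {SSE_HEADER: "aws:kms"}):
        print(ctx, "strict:", is_denied(REQUIRE_KMS_STRICT, "s3:PutObject", ctx),
              "tolerant:", is_denied(REQUIRE_KMS_IF_HEADER, "s3:PutObject", ctx))
```

Run it and the plain-Bool variant lets the access-key call through while BoolIfExists denies it; the strict bucket policy denies the header-less upload, the tolerant one allows it, and both deny an AES256 header. Real evaluation also weighs Allow statements, Resource and Principal, which this sketch leaves out.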

143
MCQeasy

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to detect users without MFA and automatically send a notification?

A.AWS Trusted Advisor
B.AWS CloudTrail
C.AWS Config
D.AWS IAM
AnswerC

Config can evaluate resources against rules and trigger notifications.

Why this answer

Option C is correct because AWS Config has managed rules such as iam-user-mfa-enabled and mfa-enabled-for-iam-console-access that evaluate each IAM user; the resulting compliance-change event can be routed through Amazon EventBridge to an SNS topic for notification. Option D is wrong because IAM itself has no automatic detection or notification. Option B is wrong because CloudTrail records events but does not evaluate configuration.

Option A is wrong because Trusted Advisor checks for MFA on the root account but does not notify on every IAM user.

144
MCQeasy

A company wants to centrally manage backups for Amazon RDS instances across multiple AWS accounts. Which AWS service should be used to automate the creation and enforcement of backup policies?

A.S3 Lifecycle policies
B.AWS Backup
C.AWS CloudTrail
D.AWS Systems Manager
AnswerB

AWS Backup provides centralized backup management across accounts.

Why this answer

Option B is correct because AWS Backup allows centralized backup policies across accounts and regions. Option A is wrong because S3 Lifecycle policies are for object lifecycle, not RDS backups. Option C is wrong because CloudTrail is for auditing API calls.

Option D is wrong because Systems Manager is for operational management, not backup policies.

145
Multi-Selecteasy

A company is using AWS Organizations and wants to restrict the use of specific AWS services in member accounts. Which TWO approaches can be used to enforce these restrictions? (Choose TWO.)

Select 2 answers
A.Use Service Quotas to limit the number of resources per service.
B.Enable AWS CloudTrail to log service usage.
C.Apply a service control policy (SCP) to the organizational unit (OU).
D.Create IAM policies in each member account to deny access to the services.
E.Use AWS Config rules to automatically terminate resources.
AnswersC, D

Denies actions at the account level.

Why this answer

Options C and D are correct. Option C: an SCP attached to the OU denies the service's actions for every principal in every account under that OU, regardless of their IAM permissions. Option D: IAM policies can deny the same actions within a single account, though they must be maintained per account and can be edited by account administrators.

Option E is wrong because AWS Config only detects noncompliance; terminating resources after creation is remediation, not prevention. Option B is wrong because CloudTrail only logs usage. Option A is wrong because Service Quotas caps resource counts; it does not block a service.

146
MCQmedium

A company has an AWS environment with multiple accounts managed under AWS Organizations. The security team wants to enforce that all newly created S3 buckets in any account have encryption enabled by default. Which approach should the security team take?

A.Use AWS Config rules to detect unencrypted buckets and send alerts.
B.Enable S3 default encryption in each account's S3 settings.
C.Apply an IAM policy to the root user of each account to enforce bucket encryption.
D.Create a Service Control Policy (SCP) that denies the creation of S3 buckets without encryption.
AnswerD

SCPs can be applied to all accounts in the organization to prevent non-compliant resource creation.

Why this answer

Option D is correct because an SCP applies to every account in the organization (except the management account) and denies non-compliant S3 actions before they succeed. Option B is wrong because default encryption is a per-bucket setting, not an organization-wide control. Option A is wrong because AWS Config rules are detective: they report or remediate after the bucket exists.

Option C is wrong because IAM policies are account-specific, cannot be centrally enforced, and cannot be attached to the root user at all. Practitioner's note: CreateBucket carries no encryption parameter, and since January 2023 every new bucket receives SSE-S3 default encryption automatically, so in practice the SCP denies s3:PutObject without the required s3:x-amz-server-side-encryption header and s3:PutEncryptionConfiguration calls that set anything other than the required algorithm.

147
MCQmedium

A company has a requirement to automatically rotate secrets for an RDS database every 90 days. The secrets are stored in AWS Secrets Manager. Which resource should be configured to perform the rotation?

A.CloudWatch Logs subscription filter
B.Amazon EventBridge scheduled rule
C.AWS Config rule
D.AWS Lambda function
AnswerD

Performs the actual rotation.

Why this answer

Option D is correct because Secrets Manager rotation is performed by a Lambda rotation function, invoked by the secret's rotation schedule (for example every 90 days) and implementing the createSecret, setSecret, testSecret and finishSecret steps. Option C is wrong because AWS Config is for compliance, not rotation. Option B is wrong because, although EventBridge can run things on a schedule, Secrets Manager schedules rotation itself and the rotation logic lives in Lambda.

Option A is wrong because CloudWatch Logs subscription filters stream log data; they do not rotate secrets.

148
MCQmedium

A security engineer is configuring an S3 bucket policy to restrict access to only requests that originate from a specific VPC endpoint. Which condition key should be used?

A.aws:VpcSourceIp
B.aws:SourceVpc
C.aws:SourceIp
D.aws:SourceVpce
AnswerD

This condition key restricts access to requests that originate from the specified VPC endpoint.

Why this answer

Option D is correct because 'aws:SourceVpce' restricts access to requests that arrive through the named VPC endpoint (a vpce- ID). Option B is wrong because 'aws:SourceVpc' restricts to any endpoint in a VPC, not a specific endpoint. Option C is wrong because 'aws:SourceIp' matches the caller's public IP address.

Option A is wrong because 'aws:VpcSourceIp' matches the private IP address of a request made through a VPC endpoint, not the endpoint itself. Write the restriction as a Deny with StringNotEquals and keep an exception for an administrative principal: a policy that denies everything outside the endpoint also blocks the console and any tooling not routed through that VPC, and can lock the team out of the bucket.

149
MCQeasy

A company wants to centrally manage and enforce backup policies for all EC2 instances across multiple AWS accounts. Which AWS service should be used?

A.AWS Config
B.AWS CloudFormation StackSets
C.AWS Backup
D.AWS Systems Manager
AnswerC

Centralized backup service with policy enforcement.

Why this answer

AWS Backup is the correct service because it provides a centralized, policy-based solution to define and enforce backup policies across multiple AWS accounts and regions. It integrates with AWS Organizations to manage backups for EC2 instances and other supported resources, ensuring compliance with governance requirements without needing custom scripts or manual processes.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which can detect missing backups) with actual backup enforcement, or they mistakenly think CloudFormation StackSets can schedule backups, but neither service provides the centralized backup lifecycle management that AWS Backup offers.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations against desired policies (e.g., compliance rules), not for creating or enforcing backup schedules. Option B is wrong because AWS CloudFormation StackSets deploy and manage infrastructure as code across accounts, but they do not natively provide backup lifecycle management or automated backup policies. Option D is wrong because AWS Systems Manager is an operations hub for patch management, automation, and inventory, but it lacks native backup policy enforcement for EC2 instances across multiple accounts.

150
MCQeasy

A company wants to automatically detect and remediate S3 buckets that are publicly accessible. Which AWS service can be used to evaluate bucket policies against a defined rule and trigger an automated response?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Inspector
D.AWS Config
AnswerD

AWS Config rules can evaluate resource compliance and trigger remediation.

Why this answer

Option D is correct because AWS Config managed rules such as s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited evaluate bucket ACLs and policies, and a remediation action (an SSM Automation runbook such as AWS-DisableS3BucketPublicReadWrite) can be attached to the rule to fix the bucket automatically. Option B is incorrect because CloudTrail records API calls; it does not evaluate configuration. Option A is incorrect because GuardDuty is a threat detection service.

Option C is incorrect because Inspector performs vulnerability assessment.
