CCNA Management and Security Governance Questions

75 of 262 questions · Page 3/4 · Management and Security Governance · Answers revealed

151
MCQeasy

A company wants to grant a third-party auditor read-only access to specific CloudTrail log files stored in an S3 bucket. The auditor should not be able to list or access any other objects in the bucket. What is the most secure way to achieve this?

A.Use CloudTrail's built-in console access for the auditor.
B.Create a new IAM user for the auditor with an S3 policy that grants s3:GetObject on the entire bucket.
C.Generate pre-signed URLs for the specific log files and share them with the auditor.
D.Use a bucket policy that grants the auditor's IAM user s3:GetObject access to the specific log file prefix.
AnswerC

Pre-signed URLs provide time-limited access to specific objects without requiring AWS credentials.

Why this answer

Pre-signed URLs grant time-limited access to exactly the objects they were generated for, and the auditor needs no AWS credentials: S3 validates the SigV4 signature embedded in the URL and rejects the request once X-Amz-Expires has elapsed or if any part of the URL (bucket, key, expiry) has been altered. Because the signing principal's permissions are checked at request time, generate the URLs from a role that itself holds only s3:GetObject on the log prefix, and keep the expiry short: anyone who obtains the URL can use it until it expires.

Option A is wrong because CloudTrail has no console mechanism for handing a third party read access to log files in S3. Option B is wrong because s3:GetObject on the entire bucket exposes every object, not just the audited logs. Option D is wrong because it requires creating an IAM user for the auditor (long-lived credentials to manage and rotate) and, combined with any s3:ListBucket grant, lets the auditor enumerate other objects; a prefix-scoped bucket policy is a reasonable second choice only when the auditor must hold its own identity.
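As an added example (not part of the original question bank), the following Python builds a pre-signed GET URL for one CloudTrail object with SigV4 query-string signing using only the standard library, then performs the same check S3 does on receipt: recompute the signature over the URL's contents and reject the request if the signature does not match or the X-Amz-Expires window has closed. The access key, secret key, bucket name, object key and fixed timestamp are all constructed for the example and are not real.

```python
"""Build and check an S3 presigned GET URL (SigV4 query-string auth), stdlib only."""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed, non-functional credentials and names (assumptions for the example).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "example-cloudtrail-logs"
LOG_KEY = ("AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
           "111122223333_CloudTrail_us-east-1_20240101T1200Z_example.json.gz")
EXAMPLE_NOW = 1704110400          # 2024-01-01T12:00:00Z, fixed so results are reproducible
MAX_EXPIRES = 7 * 24 * 3600       # S3 rejects X-Amz-Expires above seven days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date):
    """Derive the per-day SigV4 signing key: the secret itself never leaves the signer."""
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _enc(s, safe="-_.~"):
    return quote(s, safe=safe)


def _canonical_query(params):
    return "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))


def _signature(params, host, key):
    """Signature over the exact URL contents; any change to them yields a different value."""
    canonical_request = "\n".join([
        "GET",
        "/" + _enc(key, safe="-_.~/"),   # S3 encodes the key once and keeps the slashes
        _canonical_query(params),        # all query params except X-Amz-Signature
        f"host:{host}\n",                # canonical headers, followed by a blank line
        "host",                          # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(SECRET_KEY, amz_date[:8]),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(key, expires_in, now_epoch=None):
    """Return a time-limited GET URL for one object; the URL embeds no secret."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    now_epoch = time.time() if now_epoch is None else now_epoch
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now_epoch))
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    query = _canonical_query(params) + "&X-Amz-Signature=" + _signature(params, host, key)
    return f"https://{host}/{_enc(key, safe='-_.~/')}?{query}"


def check_presigned(url, now_epoch=None):
    """Mimic the server-side check: signature must match and the window must be open."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    expected = _signature(params, parts.netloc, unquote(parts.path[1:]))
    if not hmac.compare_digest(presented, expected):
        return "bad-signature"           # edited bucket, key, expiry or date: all rejected
    issued = calendar.timegm(time.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
    if now_epoch > issued + int(params["X-Amz-Expires"]):
        return "expired"
    return "ok"


if __name__ == "__main__":
    url = presign_get(LOG_KEY, 3600, now_epoch=EXAMPLE_NOW)
    print(url)
    print("30 min later:", check_presigned(url, EXAMPLE_NOW + 1800))
    print("2 h later:   ", check_presigned(url, EXAMPLE_NOW + 7200))
    print("key edited:  ", check_presigned(url.replace("2024/01/01/", "2024/01/02/"), EXAMPLE_NOW))
```

Editing the URL is the point of the demonstration: the auditor cannot widen the grant to another day's logs or a longer window, because the object key and X-Amz-Expires are part of the signed canonical request and the signature stops verifying.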

152
Multi-Selecthard

A company has an AWS Organization with hundreds of accounts. The security team wants to enforce that no account can disable AWS CloudTrail logging. Which TWO approaches can achieve this?

Select 2 answers
A.Enable CloudTrail as a trusted service and create an organization trail.
B.Apply an IAM policy to each account's root user to prevent disabling CloudTrail.
C.Create an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
D.Use AWS Config to automatically re-enable CloudTrail if it is disabled.
E.Configure CloudWatch Logs to monitor CloudTrail logs and alert if logging stops.
AnswersA, C

Organization trails cannot be stopped or deleted by member accounts.

Why this answer

Options A and C are correct. An organization trail created from the management account (with CloudTrail enabled as a trusted service in Organizations) records events for every member account, and member accounts can see the trail but cannot stop, modify or delete it. An SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail (add cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors to stop quieter tampering) then prevents any principal in a member account, including the root user, from turning off trails the account created itself. Option B is wrong because IAM policies are account-scoped, cannot be attached to the root user, and can be changed by each account's own administrators. Option D is wrong because AWS Config can only detect and re-enable after the fact; logging is off during the gap. Option E is wrong because a CloudWatch alarm is detective, not preventive.

SCPs never apply to the management account, so trails and the log bucket there need separate protection (or, better, the log archive lives in a dedicated member account where the SCP does apply).

153
MCQhard

An organization has a requirement to retain all AWS CloudTrail logs for at least 7 years for compliance. Currently, logs are stored in an S3 bucket with default settings. What is the MOST cost-effective way to meet the retention requirement?

A.Use S3 Glacier Deep Archive immediately.
B.Set an S3 lifecycle policy to delete objects after 7 years.
C.Set the CloudTrail trail to store logs in an S3 bucket with 7-year retention.
D.Configure S3 lifecycle policy to transition objects to S3 Glacier after 30 days and expire after 7 years.
AnswerD

Transitioning to Glacier reduces cost while meeting retention.

Why this answer

Option D is correct because an S3 lifecycle rule can move CloudTrail objects to a Glacier storage class after 30 days, when they are rarely read, and expire them only after the 7-year minimum has passed. Option A is wrong because moving logs to Glacier Deep Archive the moment they arrive makes recent logs, which investigators and detection tooling read most, unavailable for hours per restore and adds retrieval charges for each access. Option B is wrong because it leaves every object in S3 Standard for 7 years, which meets the retention requirement but at the highest storage price. Option C is wrong because CloudTrail has no retention setting; how long logs live is governed entirely by the bucket's S3 lifecycle configuration.

When setting the expiration, make sure nothing can shorten it: S3 Object Lock (or at minimum versioning plus a deny on s3:DeleteObject) keeps a 7-year lifecycle from being cut short by a later policy edit.

154
MCQhard

A security engineer creates the IAM policy shown in the exhibit. The policy is attached to an IAM role. When a user assumes the role and attempts to upload an object to the bucket without specifying server-side encryption, what is the expected behavior?

A.The request is denied because the condition is not met.
B.The request succeeds because the condition is ignored for PutObject.
C.The request is denied only if the object is publicly accessible.
D.The request succeeds because the condition is only for GetObject.
AnswerA

The condition requires the encryption header to be present and set to 'aws:kms'.

Why this answer

Option A is correct because the policy allows s3:PutObject only when the s3:x-amz-server-side-encryption condition key equals aws:kms. That key is populated from the x-amz-server-side-encryption request header; a request that omits the header has no value for the key, so StringEquals fails, the Allow statement does not apply, and with no other Allow the request is implicitly denied. Option B is wrong because the condition is evaluated for PutObject; the write is the only request the header applies to. Option C is wrong because the condition concerns the encryption header, not whether the object or bucket is public. Option D is wrong because s3:x-amz-server-side-encryption has no meaning on GetObject; it is checked on the write.

Since January 2023 S3 applies SSE-S3 to any upload that omits the header; such an upload still fails this policy because the condition value is aws:kms, not AES256.

155
Multi-Selecteasy

Which TWO AWS services can be used to detect and alert on suspicious API activity in real-time? (Choose two.)

Select 2 answers
A.AWS CloudTrail with CloudWatch Events
B.VPC Flow Logs
C.Amazon S3
D.AWS Config
E.Amazon GuardDuty
AnswersA, E

CloudTrail logs API calls and CloudWatch can alert.

Why this answer

Options A and E are correct. CloudTrail records every API call and, with CloudWatch Events (now Amazon EventBridge) rules matching on event source and event name, can trigger an alert or an automated response within seconds; GuardDuty continuously analyses CloudTrail management events, VPC Flow Logs and DNS logs and raises findings for anomalous API activity such as credential use from an unusual location. Option B is wrong because VPC Flow Logs describe network flows, not API calls. Option C is wrong because S3 is storage and evaluates nothing. Option D is wrong because AWS Config evaluates resource configuration against rules rather than watching API activity.

156
Multi-Selecthard

A company wants to centrally manage and enforce security policies across multiple AWS accounts using AWS Organizations. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A.Use the root user of each member account for administrative tasks.
B.Enable all features in AWS Organizations and create service control policies (SCPs) to restrict actions.
C.Use AWS CloudTrail to log API calls in all accounts and deliver logs to a centralized S3 bucket.
D.Create IAM roles in member accounts that grant cross-account access from the management account.
E.Disable CloudTrail in member accounts to reduce costs.
AnswersB, C, D

Correct: SCPs centrally enforce policies.

Why this answer

Options B, C and D are correct. Enabling all features unlocks SCPs, which set the maximum permissions for every account in an OU from one place. An organization-wide CloudTrail trail delivering to a central bucket gives a single audit source that member accounts cannot switch off. Cross-account IAM roles in member accounts, trusted by the management account, let administrators work without distributing long-lived credentials.

Option A is wrong because using each account's root user for day-to-day administration is not attributable to a person and bypasses IAM controls; root credentials should be locked down with MFA and used only for the few tasks that require them. Option E is wrong because disabling CloudTrail in member accounts removes the audit record exactly where it is needed.

157
MCQmedium

A security engineer is auditing an S3 bucket policy that allows cross-account access. The engineer wants to ensure that only encrypted connections are permitted. Which condition should be added to the policy?

A.aws:SourceIp
B.aws:Referer
C.aws:SecureTransport
D.s3:x-amz-server-side-encryption
AnswerC

Enforces HTTPS connections.

Why this answer

Option C is correct because aws:SecureTransport is the condition key that reports whether the request arrived over TLS. The usual pattern is a Deny statement on s3:* for all principals with the condition Bool aws:SecureTransport false, which rejects plaintext HTTP regardless of what other statements allow. Option A is wrong because aws:SourceIp restricts by client address, not transport encryption. Option B is wrong because aws:Referer checks the HTTP Referer header, which a client can set to anything. Option D is wrong because s3:x-amz-server-side-encryption governs encryption at rest of the stored object, not encryption of the connection.

158
MCQmedium

A security engineer notices that an IAM user has permissions that exceed their job requirements. The engineer wants to implement the principle of least privilege. Which IAM feature should be used to grant only the necessary permissions?

A.Attach a permissions boundary to the user
B.Add the user to an IAM group with restricted permissions
C.Use a resource-based policy on the user
D.Attach a service control policy (SCP) to the user's account
AnswerA

Permissions boundaries limit the maximum permissions the user can have.

Why this answer

A permissions boundary sets the maximum permissions an identity-based policy can grant to the user; the effective permissions are the intersection of the boundary and the attached policies. Option A is correct because it caps what the user can do even if a broader policy is attached later. A boundary grants nothing by itself, so the over-broad policy should also be trimmed to what the job requires.

Option B is wrong because adding the user to a restricted group adds permissions; policies are cumulative and the existing over-broad grants stay in force. Option C is wrong because resource-based policies attach to resources such as buckets and queues, not to IAM users. Option D is wrong because SCPs apply to whole accounts and OUs in an organization and cannot be attached to an individual user.

159
MCQhard

A company is using AWS Organizations with a management account and several member accounts. The security team has created an SCP that denies access to all actions for the 'ec2:*' service unless the request comes from a specific VPC endpoint. The SCP is attached to the organization root. However, users in a member account are still able to launch EC2 instances from the AWS Management Console, which does not use a VPC endpoint. The SCP is as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:*", "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-12345678" } } } ] } What is the most likely reason the SCP is not preventing the users from launching instances?

A.The SCP is not applied to the root user in the member account.
B.The SCP is attached to the organization root but not to the member account.
C.The condition key 'aws:sourceVpce' is not supported in SCPs.
D.The management account is not affected by SCPs, and the users are using the management account.
AnswerC

SCPs do not support this condition key, so the condition is ignored.

Why this answer

Option C is correct. The reasoning behind it is that SCPs evaluate only a subset of the condition keys IAM supports, and a condition on a key the SCP engine does not honour never matches, so the Deny does not apply. Option A is wrong because SCPs apply to every IAM principal in a member account, including the root user. Option B is wrong because a policy attached to the organization root is inherited by every OU and account beneath it. Option D is wrong because, although the management account is indeed exempt from SCPs, the question states the users are in a member account.

Before relying on a network-origin condition like this one, test it on a non-production OU: console and CLI requests from outside the VPC carry no aws:sourceVpce value, and with StringNotEquals an absent key satisfies the condition, so wherever the key is honoured the policy denies far more than the intended traffic, the console included.

160
Multi-Selectmedium

Which THREE AWS services can be used to detect and alert on suspicious API activity in an AWS account? (Choose three.)

Select 3 answers
A.AWS CloudTrail Insights
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS Config
E.AWS Security Hub
AnswersA, C, E

Identifies unusual API activity patterns.

Why this answer

GuardDuty identifies threats, CloudTrail logs API calls (with Insights for anomalous activity), and Security Hub aggregates findings. Config evaluates configuration, not activity; Inspector scans for vulnerabilities.

161
MCQhard

A company uses AWS Organizations to manage 50 accounts. The security team has enabled AWS CloudTrail in the management account with an organization trail that delivers logs to a central S3 bucket. The bucket policy grants necessary permissions to CloudTrail. Recently, the security team noticed that logs from two member accounts stopped appearing in the bucket. Other accounts continue to deliver logs correctly. The CloudTrail status in the management account shows that the trail is logging and deliveries are succeeding. The security team checked the CloudTrail configuration in the affected member accounts and found that they do not have any trails configured. The IAM roles used for CloudTrail in the management account have sufficient permissions. What is the most likely cause of the missing logs?

A.The KMS key used for encryption does not include permissions for the member accounts.
B.The S3 bucket policy does not grant write access to the CloudTrail service for the affected member accounts.
C.The CloudTrail service-linked role in the member accounts is missing.
D.An SCP attached to the affected member accounts denies cloudtrail:PutLogEvents.
AnswerB

Correct: Bucket policy must allow CloudTrail from all accounts.

Why this answer

Option B is correct. An organization trail is configured once in the management account, but delivery for each member account is a separate write by the CloudTrail service to a per-account prefix (AWSLogs/<org-id>/<account-id>/). The bucket policy therefore has to allow s3:PutObject from cloudtrail.amazonaws.com on the organization-wide prefix, not only on the management account's own prefix; if someone narrowed the policy to specific account paths, the accounts left out stop appearing while the trail status in the management account still reports success for the deliveries that do work. Comparing the policy's Resource entries with the two missing account IDs confirms the cause quickly.

Option A is wrong because a KMS key policy only matters when the trail uses SSE-KMS, and a key-policy problem would typically affect every account rather than two. Option C is wrong because member accounts need no trail or service-linked role of their own for an organization trail; the management account's trail and role do the work. Option D is wrong because log delivery is performed by the CloudTrail service, not by a principal in the member account, so an SCP on the member account cannot block it (and there is no cloudtrail:PutLogEvents delivery action to deny).

162
MCQhard

A company has a multi-account AWS Organizations setup with hundreds of accounts. The Security team needs to enforce a policy that prohibits the creation of any S3 bucket with public read access across all accounts. They have enabled all features in Organizations and are using Service Control Policies (SCPs). The team creates an SCP with a Deny effect for s3:PutBucketAcl and s3:PutBucketPolicy when the request includes a condition that would make the bucket public. They attach the SCP to the root OU. However, a developer in a member account under the root OU is able to create a bucket with a bucket policy that grants public read access. The SCP is evaluated and shows the Deny is effective for s3:PutBucketPolicy but the bucket policy is still created. What is the MOST likely reason for this behavior?

A.The S3 Block Public Access settings at the account level are overriding the SCP.
B.The developer used a different API call, such as PutObject with public-read canned ACL, which is not blocked by the SCP because it does not match the denied actions.
C.The developer used an IAM role that is attached to an Amazon EC2 instance, which bypasses SCPs.
D.The SCP only denies actions when the request comes from outside the organization, but the developer is within the organization.
AnswerB

The SCP denied specific actions; the developer may have used a different method that also makes the bucket public.

Why this answer

Option B is correct. An SCP denies only the actions and conditions it names. s3:PutBucketAcl and s3:PutBucketPolicy with the stated condition are covered, but data can still be exposed by other calls: s3:PutObject with x-amz-acl: public-read, s3:PutObjectAcl, or a policy written through a request the SCP's condition does not match. The developer used one of those paths, so the Deny that shows as effective for PutBucketPolicy never applied to the request that succeeded. The durable fix is S3 Block Public Access at the account level, which blocks public ACLs and policies regardless of which API set them, protected by an SCP denying s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock.

Option A is wrong because Block Public Access only ever removes public access; it cannot override an SCP to grant it. Option C is wrong because a role used from an EC2 instance in a member account is subject to SCPs like any other principal in that account. Option D is wrong because SCPs bind principals in the organization's accounts; they have no notion of requests coming from outside the organization.

163
MCQeasy

A security engineer needs to grant cross-account read access to an S3 bucket in Account A to a user in Account B. What is the correct combination of actions?

A.Attach an IAM policy to the user in Account B allowing the action; no bucket policy needed
B.Apply a bucket policy in Account A granting access to the user in Account B; no user policy needed
C.Use S3 bucket ACLs to grant READ access to the Account B user
D.Apply a bucket policy in Account A granting access to the principal in Account B, and attach an IAM policy to the user in Account B allowing the action
AnswerD

Both policies are required for cross-account access.

Why this answer

Cross-account S3 access requires both a bucket policy in the resource account (Account A) that explicitly grants the cross-account principal (the user in Account B) the s3:GetObject action, and an IAM policy attached to the user in Account B that allows the same action. This two-way authorization is necessary because the bucket policy controls access to the S3 resource, while the IAM policy controls the user's permissions to initiate the request. Without both, the request will be denied by either the resource-based policy or the identity-based policy.

Exam trap

The trap here is that candidates often assume either a bucket policy alone or an IAM policy alone is sufficient for cross-account access, failing to recognize that AWS requires both the resource-based policy to grant access to the external principal and the identity-based policy to authorize the user to make the request.

How to eliminate wrong answers

Option A is wrong because an IAM policy alone in Account B cannot grant access to a resource in Account A; the resource owner must also allow access via a bucket policy or ACL. Option B is wrong because a bucket policy alone in Account A is insufficient; the user in Account B must also have an IAM policy that permits the s3:GetObject action, otherwise the request is denied by the user's own account. Option C is wrong because S3 bucket ACLs are legacy and do not support granting access to individual IAM users in another account; they only support AWS accounts or predefined groups, and are generally superseded by bucket policies for cross-account access.
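Questions 152 (an SCP denying cloudtrail:StopLogging), 154 (an Allow conditioned on the encryption header) and 163 (cross-account read needing both policies) all turn on the order in which AWS evaluates policies; the same protective SCP reappears in question 173. The following Python, added here and not AWS code, is a deliberately small model of those rules that runs offline. Account IDs, ARNs and bucket names are hypothetical, and it models only the operators and policy types the questions use.

```python
"""Toy model of IAM request evaluation for the cases in this question bank.

Rules modelled: an explicit Deny anywhere wins; SCPs cap member accounts but never
the management account; same-account access needs an Allow from an identity OR a
resource policy; cross-account access needs an Allow from BOTH; and a condition on
a key absent from the request (StringNotEquals matches, StringEquals does not).
"""
import fnmatch

MANAGEMENT_ACCOUNT = "111111111111"   # hypothetical


def _glob(pattern, value):
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _listify(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (subset of operators)."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            have, wanted = ctx.get(key), _listify(wanted)
            if op == "StringEquals":
                ok = have is not None and have in wanted
            elif op == "StringNotEquals":
                ok = have is None or have not in wanted   # absent key satisfies a negated test
            elif op == "Bool":
                ok = have is not None and str(have).lower() == str(wanted[0]).lower()
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def _effects(policy, req):
    """Effects of the statements in `policy` whose action/resource/condition/principal match."""
    out = []
    for st in policy.get("Statement", []):
        if not any(_glob(a, req["action"]) for a in _listify(st["Action"])):
            continue
        if not any(_glob(r, req["resource"]) for r in _listify(st.get("Resource", "*"))):
            continue
        if not _condition_holds(st.get("Condition", {}), req.get("context", {})):
            continue
        principal = st.get("Principal")          # present only in resource policies
        if principal is not None:
            allowed = _listify(principal.get("AWS", []) if isinstance(principal, dict) else principal)
            if "*" not in allowed and req["principal"] not in allowed:
                continue
        out.append(st["Effect"])
    return out


def evaluate(req, identity_policies=(), resource_policy=None, scps=()):
    """Return ("Allow"|"Deny", reason). req keys: principal, account, resource_account,
    action, resource, context (condition keys present on the request)."""
    if scps and req["account"] != MANAGEMENT_ACCOUNT:    # SCPs never bind the management account
        scp = [e for p in scps for e in _effects(p, req)]
        if "Deny" in scp:
            return "Deny", "explicit deny in SCP"
        if "Allow" not in scp:
            return "Deny", "no SCP allows the action"   # simplified: real SCPs need an Allow at every OU level
    ident = [e for p in identity_policies for e in _effects(p, req)]
    res = _effects(resource_policy, req) if resource_policy else []
    if "Deny" in ident or "Deny" in res:
        return "Deny", "explicit deny in identity or resource policy"
    if req["account"] != req["resource_account"]:
        if "Allow" in ident and "Allow" in res:
            return "Allow", "identity and resource policy both allow"
        return "Deny", "cross-account access needs an allow from both policies"
    if "Allow" in ident or "Allow" in res:
        return "Allow", "allowed by identity or resource policy"
    return "Deny", "implicit deny"


# Policies taken from the questions (names and ARNs are hypothetical).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_TRAIL_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*",
                     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
KMS_ONLY_PUT = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::logs-bucket/*",
                "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}
READER = "arn:aws:iam::222222222222:user/reader"
SHARED_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": READER},
                        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-bucket/*"}]}
READER_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Resource": "arn:aws:s3:::shared-bucket/*"}]}


def stop_logging(account):
    """Q152/Q173: an account admin tries to stop CloudTrail under the protective SCP."""
    req = {"principal": f"arn:aws:iam::{account}:user/admin", "account": account,
           "resource_account": account, "action": "cloudtrail:StopLogging", "resource": "*"}
    return evaluate(req, [ADMIN_POLICY], scps=[FULL_AWS_ACCESS, PROTECT_TRAIL_SCP])[0]


def put_object(sse_header):
    """Q154: PutObject with the right header, no header, or the wrong header."""
    ctx = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    req = {"principal": "arn:aws:iam::222222222222:role/uploader", "account": "222222222222",
           "resource_account": "222222222222", "action": "s3:PutObject",
           "resource": "arn:aws:s3:::logs-bucket/2024/01/01/trail.json.gz", "context": ctx}
    return evaluate(req, [KMS_ONLY_PUT])[0]


def cross_account_read(identity_allows, bucket_allows):
    """Q163: Account B's user reads from Account A's bucket."""
    req = {"principal": READER, "account": "222222222222", "resource_account": "333333333333",
           "action": "s3:GetObject", "resource": "arn:aws:s3:::shared-bucket/report.csv"}
    return evaluate(req, [READER_IDENTITY_POLICY] if identity_allows else [],
                    SHARED_BUCKET_POLICY if bucket_allows else None)[0]
```

Running stop_logging for a member account and for MANAGEMENT_ACCOUNT side by side is the quickest way to see why the management account needs its own controls, and put_object(None) versus put_object("AES256") shows that "no header" and "wrong header" fail for different reasons but with the same result.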

164
MCQhard

A company wants to enforce that all S3 buckets are encrypted with SSE-KMS. Which AWS service can be used to automatically remediate non-compliant buckets?

A.AWS CloudTrail with CloudWatch Events
B.AWS Service Catalog
C.AWS Config with auto-remediation
D.AWS Organizations
AnswerC

Config can remediate non-compliant resources automatically.

Why this answer

AWS Config with auto-remediation can enforce that all S3 buckets are encrypted with SSE-KMS. You create an AWS Config rule (e.g., s3-bucket-server-side-encryption-enabled) that evaluates bucket encryption settings, and attach an AWS Systems Manager Automation document (e.g., AWS-EnableS3BucketEncryption) as a remediation action. When a non-compliant bucket is detected, AWS Config automatically triggers the remediation action to enable SSE-KMS encryption on that bucket.

Exam trap

The trap here is that candidates may confuse AWS Config's evaluation and remediation capabilities with AWS CloudTrail's logging and event-driven actions, assuming CloudTrail with CloudWatch Events can automatically fix non-compliance without custom code, but AWS Config is the only service that provides native, automated remediation via managed rules and automation documents.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail with CloudWatch Events can detect API calls (like creating an unencrypted bucket) and trigger a notification or a Lambda function, but it does not provide native auto-remediation; you would need custom code to enforce encryption, making it less direct and not an automatic remediation service. Option B is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., pre-configured S3 buckets with SSE-KMS), but it does not monitor or remediate existing non-compliant buckets; it only governs new resources provisioned through the catalog. Option D is wrong because AWS Organizations provides centralized policy management (e.g., Service Control Policies) to restrict actions like creating unencrypted buckets, but it cannot automatically remediate already non-compliant buckets; it only prevents future violations.

165
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all S3 buckets across the organization are encrypted with AWS KMS keys. What is the MOST effective way to enforce this requirement?

A.Use AWS CloudTrail to log all bucket creation events and alert the security team.
B.Create an IAM role in each account that denies s3:PutBucketEncryption if encryption is not set.
C.Use AWS Config rules to detect unencrypted buckets and trigger a Lambda function to encrypt them.
D.Create a service control policy (SCP) that denies any S3 bucket creation or modification without encryption enabled.
AnswerD

SCPs can be applied to OUs to enforce encryption across all accounts.

Why this answer

Option D is correct because an SCP attached to the root (or the relevant OUs) is evaluated for every principal in every member account and cannot be altered from inside those accounts; denying s3:PutObject unless s3:x-amz-server-side-encryption equals aws:kms, and denying s3:PutBucketEncryption that sets anything other than aws:kms, enforces the requirement at write time. Option A is wrong because CloudTrail records and alerts after the fact; it enforces nothing. Option B is wrong because an IAM role is an identity, not a control, and anything defined inside an account can be changed by that account's administrators. Option C is wrong because AWS Config detects unencrypted buckets and can remediate them, but that is a corrective control with a window in which data lands unencrypted, and it does not stop the next violation.

Because S3 now encrypts new objects with SSE-S3 by default, the condition has to test for the aws:kms value specifically, not merely for the presence of an encryption header.

166
MCQmedium

A company needs to audit all changes to IAM policies in its AWS account. Which AWS service should be used to record the change history of IAM policies?

A.Amazon CloudWatch Logs
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Config
AnswerC

Correct: CloudTrail records all API calls, including IAM policy changes.

Why this answer

Option C is correct because CloudTrail records the API calls that create or change IAM policies (CreatePolicy, CreatePolicyVersion, PutUserPolicy, PutRolePolicy, AttachRolePolicy and so on) together with who made the call, from where and when, which is what an audit of changes needs. Option A is wrong because CloudWatch Logs only stores log streams that something else writes to it; it does not capture IAM changes on its own. Option B is wrong because GuardDuty raises findings on suspicious activity but keeps no change log. Option D is wrong because AWS Config records configuration snapshots of resources (useful for seeing what a policy looked like at a point in time) but not the API call that made each change or the principal behind it.

167
MCQhard

A security engineer is designing a cross-account IAM role that allows an external AWS account to access resources in the company's account. The external account's root user must not be able to delegate permissions to other users. Which trust policy condition should be included?

A.Condition: StringEquals aws:PrincipalOrgID
B.Condition: Bool aws:PrincipalIsAWSService false
C.Condition: ArnLike aws:SourceArn
D.Condition: StringEquals aws:SourceAccount
AnswerB

Of the listed keys, aws:PrincipalIsAWSService is the only one that tests the calling principal itself; the others describe where a service-originated request came from.

Why this answer

Option B is correct because Bool aws:PrincipalIsAWSService false restricts the trust policy to requests made directly by IAM principals rather than by an AWS service acting on their behalf; it is the only one of the four conditions that constrains the caller rather than the origin of a service request. It does not, on its own, stop the external account's administrators from delegating AssumeRole. What does is naming specific principals in the trust policy's Principal element (for example one role ARN) instead of the account root, or adding a StringEquals aws:PrincipalArn condition, because trusting arn:aws:iam::<external-account>:root lets that account's administrators grant sts:AssumeRole to any user or role they choose.

Option A is wrong because aws:PrincipalOrgID restricts callers to members of an AWS Organization, and an external account is by definition outside yours. Options C and D are wrong because aws:SourceArn and aws:SourceAccount are populated only when an AWS service makes the request on behalf of a resource (the confused-deputy guard); they are absent when an IAM user or role calls AssumeRole directly.

168
MCQhard

An organization uses AWS Organizations and wants to restrict the use of specific EC2 instance types across all member accounts. Which policy type should be used to enforce this restriction?

A.Resource-based policy
B.IAM policy
C.Service control policy (SCP)
D.AWS CloudFormation policy
AnswerC

SCPs can be attached to OUs to restrict services across accounts.

Why this answer

Option C is correct because an SCP attached to the root or an OU applies to every principal in the affected accounts and can deny ec2:RunInstances with a StringNotEquals condition on ec2:InstanceType listing the permitted types. Option A is wrong because resource-based policies attach to individual resources and EC2 has no policy that governs which instance types may be launched. Option B is wrong because IAM policies are account-scoped and can be edited by each account's own administrators. Option D is wrong because there is no CloudFormation policy type in AWS Organizations; CloudFormation stack policies only protect a stack's resources from updates.

169
MCQhard

An organization uses AWS Organizations with multiple OUs. The security team wants to ensure that any new account created in the 'Production' OU automatically gets a set of mandatory tags (CostCenter, Environment) and that these tags cannot be removed. What is the most effective approach?

A.Use AWS Service Catalog to provision accounts with pre-defined tags.
B.Use AWS Config rules to detect untagged resources and send alerts.
C.Create an IAM policy in each account that prohibits tag removal.
D.Apply an SCP that denies changes to the specified tags for all accounts in the Production OU.
AnswerD

SCPs can deny actions that would modify protected tags.

Why this answer

Option D is correct because an SCP attached to the Production OU applies to every account in it, including accounts added later, and can deny the tag-removal and tag-modification actions (for example ec2:DeleteTags, tag:UntagResources and the corresponding CreateTags/TagResources calls) with an aws:TagKeys condition matching CostCenter or Environment, so no principal in those accounts can strip the mandatory tags. Option A is wrong because Service Catalog can apply tags when it provisions an account but cannot stop them from being removed afterwards; it covers only the first half of the requirement. Option B is wrong because AWS Config rules detect missing tags and alert; they do not prevent removal. Option C is wrong because an IAM policy lives inside each account and can be changed or deleted by that account's administrators, which is exactly what a central control must survive.

SCPs cannot add tags. Applying them at creation is the job of the account provisioning process (Service Catalog, as in option A), with the SCP protecting them from then on.

170
MCQhard

A security engineer notices that CloudTrail logs are not being delivered to the S3 bucket for the past 2 hours. The output of 'get-trail-status' is shown. What is the most likely cause?

A.The S3 bucket does not exist.
B.The trail has been stopped.
C.The S3 bucket policy denies write access from CloudTrail.
D.CloudWatch Logs delivery is failing.
AnswerC

Correct: A misconfigured bucket policy can block delivery.

Why this answer

Option C is correct. Use the get-trail-status fields to narrow it down: IsLogging true rules out a stopped trail (B); a recent LatestCloudWatchLogsDeliveryTime shows events are still being produced and one delivery path works (D is wrong); the exhibit's LatestDeliveryTime of 1625097600 is a Unix timestamp about two hours old, so S3 delivery specifically has stalled. Of the remaining causes, a bucket policy that no longer lets cloudtrail.amazonaws.com s3:PutObject is the likeliest (C); it shows up as AccessDenied in LatestDeliveryError while LatestDeliveryAttemptTime keeps advancing. A deleted bucket (A) would show NoSuchBucket instead and is far rarer than a policy edit. A changed KMS key policy produces the same symptom when the trail uses SSE-KMS, so check both; then look in CloudTrail itself for the PutBucketPolicy or PutKeyPolicy call that introduced the change.
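Because the exhibit is not reproduced above, here is an added example (not from the original question) that applies the same reasoning to a get-trail-status response programmatically. It reads the field names the AWS CLI returns, accepts timestamps either as ISO-8601 strings (CLI output) or as epoch seconds like the 1625097600 in the explanation, and reports which cause the evidence points at. The sample response and the error-string hints are constructed assumptions.

```python
"""Triage an `aws cloudtrail get-trail-status` response for missing S3 deliveries."""
import time
from datetime import datetime

STALE_AFTER = 2 * 3600   # seconds without an S3 delivery before we alert

# Constructed sample: trail is logging, CloudWatch delivery is fresh, but S3 delivery
# stopped two hours ago and the most recent attempt ended in AccessDenied.
NOW = 1704110400         # 2024-01-01T12:00:00Z, fixed so the example is deterministic
SAMPLE_STATUS = {
    "IsLogging": True,
    "LatestDeliveryTime": "2024-01-01T10:00:00+00:00",
    "LatestDeliveryAttemptTime": "2024-01-01T11:55:00+00:00",
    "LatestDeliveryAttemptSucceeded": "2024-01-01T10:00:00+00:00",
    "LatestDeliveryError": "AccessDenied",
    "LatestCloudWatchLogsDeliveryTime": "2024-01-01T11:55:00+00:00",
    "LatestCloudWatchLogsDeliveryError": "",
    "StartLoggingTime": "2023-06-01T00:00:00+00:00",
}

# Assumed mapping from the error CloudTrail reports to the first thing to check.
ERROR_HINTS = {
    "AccessDenied": "S3 bucket policy (or KMS key policy) denies cloudtrail.amazonaws.com",
    "NoSuchBucket": "target bucket was deleted or renamed",
}


def _epoch(value):
    """Accept ISO-8601 strings (CLI output) or epoch seconds (SDK / Unix-style exhibits)."""
    if value in (None, ""):
        return None
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


def triage(status, now=None):
    """Return (severity, message) explaining why logs may be missing from S3."""
    now = time.time() if now is None else now
    if not status.get("IsLogging", False):
        return "critical", "trail is stopped (StopLogging); restart it and review who stopped it"
    error = status.get("LatestDeliveryError") or ""
    attempt = _epoch(status.get("LatestDeliveryAttemptTime"))
    success = _epoch(status.get("LatestDeliveryAttemptSucceeded"))
    # A delivery error only matters if the failing attempt is newer than the last success.
    if error and attempt is not None and (success is None or attempt > success):
        hint = ERROR_HINTS.get(error, "inspect the error and the trail's S3 configuration")
        return "critical", f"S3 delivery failing with {error}: {hint}"
    last = _epoch(status.get("LatestDeliveryTime"))
    if last is None or now - last > STALE_AFTER:
        age = "never" if last is None else f"{int((now - last) // 60)} min ago"
        return "warning", f"no S3 delivery since {age}; check event selectors and the bucket"
    return "ok", "S3 delivery is current"


def cloudwatch_fresh(status, now=None, within=STALE_AFTER):
    """True when CloudWatch Logs delivery is recent, which rules out a stopped trail."""
    now = time.time() if now is None else now
    last = _epoch(status.get("LatestCloudWatchLogsDeliveryTime"))
    return last is not None and now - last <= within


if __name__ == "__main__":
    print(triage(SAMPLE_STATUS, NOW))
    print("CloudWatch delivery fresh:", cloudwatch_fresh(SAMPLE_STATUS, NOW))
```

The ordering of the checks matters: a stopped trail is tested first because every other field goes stale once it stops, and a delivery error is only trusted when the failing attempt is newer than the last recorded success, which keeps an old, already-resolved error from masking a fresh outage.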

171
MCQeasy

A company needs to centrally manage access to AWS resources across multiple accounts. Which AWS service should be used to define and enforce a set of common permissions for all accounts in the organization?

A.AWS Directory Service
B.AWS IAM
C.AWS Single Sign-On (SSO)
D.AWS Organizations with SCPs
AnswerD

SCPs allow central control of permissions across accounts.

Why this answer

Option D is correct because AWS Organizations SCPs define the maximum permissions available to every account in an OU, and they are managed only from the management account, so member accounts cannot relax them. Option A is wrong because AWS Directory Service provides Active Directory, not permission enforcement. Option B is wrong because IAM is per-account; an IAM policy in one account has no effect on another. Option C is wrong because AWS SSO (now IAM Identity Center) assigns access to people through permission sets but does not cap what an account's own identities can do.

172
MCQeasy

A company has a single AWS account with several IAM users. The security team wants to ensure that all IAM users have strong passwords and that passwords are rotated every 90 days. The team also wants to receive a notification if any user's password is older than 90 days. The team has enabled an IAM password policy that requires strong passwords and sets a maximum password age of 90 days. However, they are not receiving notifications about expired passwords. Which additional step should the security team take to receive notifications?

A.Create an AWS Config rule that checks the password policy and triggers an SNS notification.
B.Configure IAM to automatically send an email when a password expires.
C.Enable AWS CloudTrail to log password changes and use Amazon CloudWatch Events to monitor.
D.Use AWS Trusted Advisor to check password policy and send notifications.
AnswerA

Config can evaluate the password policy and notify via SNS.

Why this answer

Option A is correct because AWS Config can evaluate IAM users against a rule (managed or custom) and publish compliance changes to an SNS topic, which is the notification path the team is missing; the password policy only forces a change at next sign-in, it tells no one. Option B is wrong because IAM has no built-in expiry e-mail. Option C is wrong because CloudTrail records password changes when they happen; it has no view of how old an unchanged password is. Option D is wrong because Trusted Advisor's IAM checks cover the password policy and root MFA, not the age of each user's password.

The age itself comes from the IAM credential report (the password_last_changed column), which a custom Config rule or a scheduled Lambda function can read.

173
MCQhard

A large enterprise uses AWS Organizations with hundreds of accounts. The security team needs to enforce that all accounts have AWS CloudTrail enabled and logs are delivered to a centralized S3 bucket in the management account. The team also wants to ensure that no account can disable CloudTrail or delete the bucket. Which combination of controls meets these requirements?

A.Enable AWS CloudTrail in the management account and use S3 bucket policies.
B.Use a service control policy (SCP) to deny actions that disable CloudTrail or delete the bucket.
C.Use an IAM policy in each account to prevent trail modifications.
D.Use AWS Config rules to detect and alert on disabled trails.
AnswerB

SCPs can prevent these actions across all accounts.

Why this answer

Service control policies (SCPs) are the correct mechanism because they allow the management account to centrally restrict permissions across all accounts in the organization. By creating an SCP that denies the `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `cloudtrail:UpdateTrail`, and `s3:DeleteBucket` actions, the security team can prevent any principal in a member account (including the root user) from disabling CloudTrail or deleting the centralized S3 bucket, regardless of IAM policies or resource-based policies. One gap to close: SCPs never apply to the management account, so an SCP does not protect a bucket that lives there. Protect it with a bucket policy denying `s3:DeleteBucket` and `s3:DeleteObject`, enable S3 Object Lock on the log objects, and preferably keep the log archive in a dedicated member account where the SCP does apply.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs), or assume that IAM policies in each account are sufficient, not realizing that account administrators can modify or remove those policies.

How to eliminate wrong answers

Option A is wrong because enabling CloudTrail in the management account does not prevent other accounts from disabling their own trails or deleting the bucket; S3 bucket policies alone cannot block actions like `cloudtrail:StopLogging` or `cloudtrail:DeleteTrail` that occur outside S3. Option C is wrong because IAM policies are account-scoped and can be overridden by the account's own administrators or root user, so they cannot enforce a blanket denial across all accounts. Option D is wrong because AWS Config rules are detective, not preventive—they can alert on disabled trails but cannot block the disabling action itself.

174
MCQhard

A company has an AWS account with a single VPC and multiple subnets. The security team wants to ensure that no network ACL (NACL) allows inbound SSH (port 22) from 0.0.0.0/0. Which AWS service can be used to detect and alert on such non-compliant NACLs?

A.Amazon Inspector
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudTrail
AnswerC

Correct: AWS Config can evaluate NACL rules with custom rules.

Why this answer

Option C is correct because AWS Config can evaluate every network ACL against a custom rule (a Lambda function reading the NACL's inbound entries) that flags any allow rule for TCP port 22 from 0.0.0.0/0, and can notify through SNS when a NACL becomes noncompliant. Option A is wrong because Amazon Inspector assesses vulnerabilities in EC2 instances, container images and Lambda functions, not NACL configuration. Option B is wrong because GuardDuty detects threats from logs and findings, not configuration drift. Option D is wrong because CloudTrail records the CreateNetworkAclEntry call but does not evaluate whether the resulting rule is compliant.

175
MCQhard

A company uses AWS Organizations and wants to restrict the use of specific AWS services in member accounts. For example, they want to block the use of Amazon Redshift. Which policy type should be used?

A.Service control policies (SCPs)
B.IAM permissions boundaries
C.IAM identity-based policies
D.S3 bucket policies
AnswerA

SCPs can deny services across all accounts in an organization.

Why this answer

Option A is correct because an SCP attached to the root or an OU can deny redshift:* for every principal in the affected accounts, and only the management account can change it. Option B is wrong because a permissions boundary caps a single IAM user or role and is set inside the account. Option C is wrong because identity-based policies are per-identity and per-account. Option D is wrong because an S3 bucket policy governs access to one bucket and nothing else.

176
Multi-Selecteasy

A company needs to ensure that its S3 buckets are not publicly accessible. Which TWO AWS services can be used to detect and report on public S3 buckets? (Choose two.)

Select 2 answers
A.Amazon GuardDuty
B.AWS Trusted Advisor
C.AWS Config
D.AWS CloudTrail
E.Amazon Inspector
AnswersB, C

Correct: Trusted Advisor checks for publicly accessible S3 buckets.

Why this answer

AWS Trusted Advisor (option B) checks S3 bucket permissions and reports any bucket that has open access policies, including public read or write access. AWS Config (option C) can evaluate S3 bucket policies against custom or managed rules (e.g., s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited) to detect noncompliant buckets and trigger remediation. Both services provide detection and reporting capabilities for public S3 buckets.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty's threat detection capabilities with S3 bucket policy auditing, but GuardDuty does not evaluate bucket permissions for public access; it only detects suspicious API activity after the fact.

177
MCQmedium

A company is implementing a multi-account strategy using AWS Organizations. The security team wants to enforce that all newly created member accounts automatically have an IAM role that allows read-only access to the management account. Which configuration should be used?

A.Create an AWS Lambda function that listens for AWS CloudTrail CreateAccount events and creates the role in the new account.
B.Use AWS CloudFormation StackSets to deploy the role to all existing and future accounts.
C.Use an AWS Config managed rule to evaluate new accounts and trigger a remediation action to create the role.
D.Configure an SCP with the 'iam_role' setting to specify a role name and path to be automatically created in new accounts.
AnswerB

StackSets with service-managed permissions can automatically deploy a stack, including an IAM role, to every account added to the target OUs.

Why this answer

Option B is correct. A CloudFormation StackSet created with service-managed permissions (which requires trusted access between CloudFormation and AWS Organizations) and automatic deployment enabled deploys its stack to the accounts currently in the target OUs and to any account later created in or moved into them, so a template containing the read-only role (trusting the management account) reaches every new member account with no per-account work. Option A works but is custom plumbing: an EventBridge rule on the CreateAccount event, a Lambda function that assumes the OrganizationAccountAccessRole in the new account and creates the role, plus retry handling for the delay between the event and the account becoming usable. Option C is wrong because AWS Config evaluates resources that already exist; it is not a provisioning mechanism.

Option D is wrong because no such setting exists: SCPs only restrict permissions and never create resources. (Organizations does create a full-access OrganizationAccountAccessRole, or the name passed as RoleName to CreateAccount, in accounts it creates, but that role is administrative rather than read-only and is not created in invited accounts.)

178
Multi-Selecteasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no root user credentials are used for any account. Which TWO actions should be taken to enforce this?

Select 2 answers
A.Delete the root user from all accounts.
B.Use AWS Config rules to detect root user activity.
C.Create an IAM role that prevents root user actions.
D.Create a service control policy (SCP) that denies all actions for the root user.
E.Enable multi-factor authentication (MFA) on the root user.
AnswersD, E

SCP can deny root user actions across accounts.

Why this answer

Options D and E are correct. Option D: an SCP with an explicit Deny whose condition matches the root principal (for example StringLike on aws:PrincipalArn with arn:aws:iam::*:root) blocks root in every member account the SCP reaches; it does not cover the management account's root. Keep the SCP from blocking the few tasks only root can perform, or accept that those must be done from the management account. Option E: an IAM password policy does not apply to the root user, so MFA (ideally a hardware key) on each root user is the baseline protection for the one credential the SCP cannot remove.

Option A is wrong because the root user cannot be deleted. Option B is wrong because AWS Config (and a CloudTrail-based CloudWatch alarm on userIdentity.type = Root) can detect root usage but not prevent it. Option C is wrong because IAM roles and policies inside the account cannot constrain the root user.

179
MCQeasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to prevent any IAM user from creating access keys. Which type of policy should be used to enforce this control across all accounts?

A.Service Control Policy (SCP)
B.AWS CloudTrail trail
C.AWS Config managed rule
D.IAM permissions boundary
AnswerA

SCPs can deny actions across all accounts in an organization.

Why this answer

Option A is correct: an SCP attached to the organization root or to OUs that denies iam:CreateAccessKey applies to every IAM user and role in the affected member accounts, and nothing inside those accounts can override it. Exempt the principals that legitimately need keys (for example an automation role) with an aws:PrincipalArn condition rather than by detaching the SCP. Option D is wrong because a permissions boundary is attached to one user or role in one account and is not centrally managed. Option C is wrong because AWS Config can detect keys after they are created but cannot block the call.

Option B is wrong because CloudTrail is for logging, not enforcement.

180
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. What is the most efficient way to enforce this across all accounts?

A.Create a service control policy (SCP) that denies modifications to CloudTrail settings.
B.Use AWS Trusted Advisor to check CloudTrail status and send alerts.
C.Configure each account individually with a CloudTrail trail pointing to the central bucket.
D.Use AWS Config rules in each account to detect non-compliant trails.
AnswerA

SCPs can prevent disabling CloudTrail or altering trail configurations across all accounts.

Why this answer

An SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail keeps member accounts from switching off or redirecting their trails, which is the enforcement piece the question asks for. Note what the SCP does not do: it does not create a trail or point it at the central bucket. In practice you create an organization trail in the management account (with the central bucket's policy allowing delivery for the organization ID) and use the SCP to protect it; together they cover both halves of the requirement. Option C is wrong because it requires manual setup in every account and in every future account. Option B is wrong because Trusted Advisor only reports and alerts.

Option D is wrong because AWS Config detects non-compliant trails but does not prevent the change.

181
MCQmedium

A security engineer notices that an S3 bucket contains objects that are accessible to authenticated users from other AWS accounts. The bucket policy's Allow statement uses an 'aws:SourceArn' condition that references an Amazon Resource Name (ARN) from another account. What is the MOST effective way to restrict access to only users from the company's own account?

A.Apply an SCP to deny s3:GetObject for any principal outside the organization.
B.Remove the bucket policy and add an IAM policy to the company's users.
C.Modify the condition to use 'aws:SourceArn' with an ARN from the company's account.
D.Add a condition using 'aws:SourceAccount' with the company's account ID.
AnswerD

Restricts access to requests originating from the specified account.

Why this answer

Option D is correct as the question is framed: aws:SourceAccount compares the account ID of the resource on whose behalf an AWS service is calling S3, so setting it to the company's account ID limits the service-to-service access that the existing aws:SourceArn condition was opening to the other account. Note the scope of these two keys: they are present in the request context only for service-to-service requests (S3 server access logging, SNS, Lambda and so on). For users and roles calling S3 directly, the keys that identify the caller are aws:PrincipalAccount (or aws:PrincipalOrgID for the whole organization), so a statement meant to restrict IAM principals should use those. Option B would retract this grant, but it also removes any legitimate statements the bucket policy holds (such as an HTTPS-only Deny) and ignores ACL grants; narrowing the condition is the targeted fix. Option A is incorrect because SCPs only bound principals inside the company's own organization; they cannot restrict another account's principals.

Option C is incorrect because aws:SourceArn is already used; the problem is that the ARN it references belongs to another account, and swapping in a single ARN from the company's account restricts the service-originated access to one resource rather than to the account as a whole.

182
MCQeasy

A security auditor needs to view a list of all IAM users, including their last activity timestamps, for a compliance review. Which AWS service provides this information natively?

A.AWS CloudTrail
B.IAM Access Analyzer
C.AWS IAM credential report
D.AWS Config
AnswerC

The credential report includes last login, key usage, etc.

Why this answer

Option C is correct: the IAM credential report (aws iam get-credential-report, which returns the CSV base64-encoded in the Content field) lists every user in the account with password_last_used, password_last_changed, mfa_active and, for each access key, last_rotated, last_used_date, last_used_region and last_used_service. A report can be generated at most once every four hours, so it is a snapshot rather than a live feed. Option A is wrong because CloudTrail records individual events; building a per-user last-activity view from it means querying logs rather than reading a native report. Option D is wrong because AWS Config records resource configuration, not activity timestamps.

Option B is wrong because IAM Access Analyzer's external access analysis looks at resource policies, not user activity. (Its separate unused-access analyzer does report unused passwords and keys across accounts, but that is a paid add-on rather than the native per-account listing the question asks for.)
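As an added example (not code from this page), the following Python script reads a credential report the way a reviewer would: it decodes the base64 Content field that get-credential-report returns, then flags root access keys, console users without MFA, and active keys that are older than 90 days, never used, or idle. The rows are constructed sample data; the account ID, user names and dates are made up, and the 90-day thresholds are assumptions to adjust to your policy.

```python
"""Audit an IAM credential report: added example, not code from the page."""
import base64
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. Real reports have exactly this header, and the
# placeholders "N/A", "no_information" and "not_supported" appear as shown.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-02T08:11:09+00:00,not_supported,not_supported,true,true,2021-03-01T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T12:00:00+00:00,true,2024-05-20T07:45:00+00:00,2024-03-01T12:00:00+00:00,N/A,true,true,2024-04-01T12:00:00+00:00,2024-05-19T16:02:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T12:00:00+00:00,true,no_information,2022-06-15T12:00:00+00:00,N/A,false,true,2022-06-15T12:01:00+00:00,N/A,N/A,N/A,true,2023-11-02T12:00:00+00:00,2024-02-01T00:00:00+00:00,eu-west-1,ec2,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-09-01T12:00:00+00:00,false,not_supported,not_supported,not_supported,false,true,2024-05-01T12:00:00+00:00,2024-05-21T03:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# What `aws iam get-credential-report` actually hands back: base64 in "Content".
SAMPLE_CONTENT_B64 = base64.b64encode(SAMPLE_REPORT.encode()).decode()

# Fixed "now" so the run is reproducible (assumption; use datetime.now(timezone.utc) live).
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)


def decode_content(content_b64):
    """Turn the base64 Content field into the CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def _ts(value):
    """Parse an ISO-8601 timestamp; the report's placeholders become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now, max_key_age_days=90, idle_days=90):
    """Return (user, finding_code) pairs for credentials that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should hold no access keys at all; nothing else is checked here.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"ROOT_ACCESS_KEY:access_key_{n}"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))  # console sign-in without MFA
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, f"KEY_TOO_OLD:access_key_{n}"))
            if last_used is None:
                findings.append((user, f"KEY_NEVER_USED:access_key_{n}"))
            elif (now - last_used).days > idle_days:
                findings.append((user, f"KEY_IDLE:access_key_{n}"))
    return findings


if __name__ == "__main__":
    for user, code in audit(decode_content(SAMPLE_CONTENT_B64), NOW):
        print(f"{user:16} {code}")
```

Run it as-is to see the findings for the sample; on a real account, feed it the Content field from `aws iam generate-credential-report` followed by `aws iam get-credential-report`. The service user with no console password and a fresh, recently used key produces nothing, which is the point of checking password_enabled before complaining about MFA.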

183
Multi-Selecthard

Which THREE are best practices for managing security in a multi-account AWS environment? (Choose three.)

Select 3 answers
A.Use SCPs to restrict permissions across accounts.
B.Disable AWS CloudTrail in production accounts to reduce costs.
C.Use a dedicated security account for security tools and audits.
D.Centralize logging in a dedicated security account.
E.Use the root user of each account for administrative tasks.
AnswersA, C, D

SCPs provide central control over permissions.

Why this answer

Options A, C, and D are correct: SCPs give central guardrails, a dedicated security account keeps tooling and auditors out of the workload accounts, and centralized logging (an organization trail and Config aggregation delivered to that account) gives one tamper-resistant view. Option E is wrong because using the root user for daily tasks is not a best practice; root should be locked down with MFA and used only for the few tasks that require it.

Option B is wrong because disabling CloudTrail removes the audit trail you would need during an incident; the first copy of management events in each account is free, so cost is no reason to lose visibility.

184
MCQeasy

A company wants to centrally manage access keys for all IAM users across multiple accounts. Which AWS service should be used to rotate access keys automatically?

A.AWS STS
B.AWS IAM
C.AWS Secrets Manager
D.AWS CloudHSM
AnswerB

IAM provides APIs to rotate access keys, but automation must be custom-built.

Why this answer

Option B is correct: IAM is the service that owns access keys, and rotation is done with its API (CreateAccessKey, then UpdateAccessKey to deactivate the old key once clients have switched, then DeleteAccessKey), typically driven by a scheduled Lambda function that reads key ages from the credential report or ListAccessKeys. No AWS service rotates IAM user keys automatically out of the box; the better long-term fix is to replace long-lived keys with roles, IAM Identity Center permission sets or IAM Roles Anywhere so there is nothing to rotate. Option A is wrong because STS issues temporary credentials; it does not manage long-term keys. Option C is wrong because Secrets Manager can store keys and run a custom rotation Lambda, but it has no built-in rotation for IAM access keys.

Option D is wrong because CloudHSM is a hardware security module service for cryptographic keys, not IAM credentials.

185
MCQmedium

A security engineer notices that an IAM user has permissions to launch EC2 instances but the engineer wants to ensure that all new instances are automatically tagged with the creator's user name. What is the most efficient way to enforce this?

A.Use AWS CloudTrail to monitor and alert on untagged instances.
B.Add an IAM policy to the user that uses a condition key 'aws:RequestTag/Creator' with a value '${aws:username}'.
C.Use AWS Config rules to automatically tag resources after creation.
D.Create an SCP that denies EC2:RunInstances unless the request includes a 'Creator' tag with the user name.
AnswerB

This condition forces the user to include the tag with their username.

Why this answer

Option B is the most efficient: a condition in the user's identity policy that allows ec2:RunInstances only when the request carries a Creator tag equal to the policy variable ${aws:username}. Two details make it hold up in practice: the statement must cover both the instance and volume resource ARNs, because RunInstances applies request tags to each, and the user's ec2:CreateTags permission must be restricted (for example to the RunInstances ec2:CreateAction context) so the tag cannot be changed afterwards. Option A is incorrect because CloudTrail only records the launch; it does not enforce tagging. Option C is incorrect because AWS Config acts after the instance exists, and tagging it then needs its own remediation automation.

Option D does work as a guardrail (an SCP can deny ec2:RunInstances when aws:RequestTag/Creator is absent), but it is organization-wide, needs Organizations, and is more than this single-user requirement calls for.

186
Multi-Selecthard

A company wants to implement least privilege access for a data analytics team that uses Amazon Athena to query data in S3. Which THREE steps should be taken?

Select 3 answers
A.Grant full S3 access to all buckets
B.Grant write access to an S3 bucket for query results
C.Grant access to Amazon Redshift
D.Grant permissions to use Athena workgroups and queries
E.Grant read access to the specific S3 buckets containing the data
AnswersB, D, E

Athena writes query results to S3.

Why this answer

Option B is correct because Athena writes every query's results to an S3 location (the workgroup's or the query's result location), so the team needs s3:PutObject, and s3:GetObject to read the output back, on that specific prefix and nothing more. Option D is correct because the Athena actions the team runs (StartQueryExecution, GetQueryExecution, GetQueryResults, GetWorkGroup and so on) must be granted, ideally scoped to the team's workgroup so usage limits and result settings apply per team. Option E is correct because reading the data requires s3:GetObject on the data objects and s3:ListBucket on the buckets that hold them, and nothing else. Options A and C grant access the team does not need: full S3 access exposes unrelated data, and Amazon Redshift is a different service. Remember that Athena also needs the Glue Data Catalog permissions for the relevant databases and tables (glue:GetDatabase, glue:GetTable, glue:GetPartitions) and, if the data is SSE-KMS encrypted, kms:Decrypt on the key.

Exam trap

The trap here is that candidates often assume Athena requires broad S3 permissions or confuse it with Redshift Spectrum, leading them to select full S3 access or irrelevant Redshift permissions instead of focusing on the specific read and write buckets needed for least privilege.

187
Multi-Selecthard

Which THREE steps should a security engineer take to remediate a compromised IAM user whose access keys were exposed? (Choose three.)

Select 3 answers
A.Deactivate the access keys.
B.Create a new IAM user with the same permissions.
C.Remove the user from all IAM groups.
D.Change the IAM user's password.
E.Delete the access keys.
AnswersA, C, E

Deactivating keys stops their use immediately.

Why this answer

Immediately deactivate the exposed keys (UpdateAccessKey with status Inactive) so their use stops while the change is still reversible if something legitimate breaks, then delete them once nothing depends on them; if the user still needs programmatic access, issue new keys only after the old ones are out of every configuration. Remove the user from its groups so whatever the attacker learned about the account cannot be exercised through that identity while the investigation runs. If AWS detected the leak itself, expect the AWSCompromisedKeyQuarantine managed policy to be attached to the user already; leave it in place until the cleanup is finished.

Changing the password does not affect access keys. Creating a new user with the same permissions is unnecessary if the existing user can be cleaned up. Reviewing CloudTrail for what the key did (new users, keys, roles or instance launches are the usual persistence) is essential, but it is the investigation step that follows containment.

188
MCQeasy

Which AWS service provides a centralized view of compliance status for AWS resources?

A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Security Hub
AnswerA

Config provides compliance status.

Why this answer

AWS Config is the correct answer because it provides a centralized view of compliance status by continuously evaluating your AWS resource configurations against desired policies (e.g., managed or custom rules). It generates compliance scores and detailed reports for each resource, enabling you to track whether your infrastructure adheres to internal or regulatory standards. This is distinct from other services because Config focuses specifically on configuration compliance, not threat detection or API activity.

Exam trap

The trap here is that candidates often confuse AWS Security Hub (which provides a centralized dashboard for security findings) with a compliance status view, but Security Hub aggregates findings from multiple sources and does not perform native configuration compliance evaluations—that is AWS Config's role.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, not a compliance status tool. Option C (AWS CloudTrail) is wrong because it records API calls and user activity for auditing and governance, but does not evaluate resource configurations against compliance rules. Option D (AWS Security Hub) is wrong because it aggregates security findings from multiple services (e.g., GuardDuty, Inspector) and provides a consolidated security posture, but it does not perform configuration compliance evaluations itself; it relies on AWS Config as a source for compliance checks.

189
MCQmedium

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security engineer tests the configuration and finds that requests from the VPC endpoint are being denied. The bucket policy contains the following condition: "Condition": { "StringEquals": { "aws:SourceVpce": "vpce-12345678" } }. The VPC endpoint ID is correct. The engineer also confirms that the VPC endpoint policy allows the necessary S3 actions. What is the most likely reason for the denial?

A.The request is not being routed through the VPC endpoint; the EC2 instance is using a public S3 endpoint.
B.The EC2 instance does not have an IAM role that allows s3:GetObject.
C.The VPC endpoint is in a different region than the S3 bucket.
D.The condition key is misspelled; it should be aws:SourceVpce (no 'e' at the end).
AnswerA

If not using endpoint, the condition key is not present.

Why this answer

Option A is correct. The aws:SourceVpce key is added to the request context only when the request actually travels through a VPC endpoint. A request that reaches S3 through the public endpoint (because the subnet's route table lacks the gateway endpoint route for the S3 prefix list, the instance is in another VPC, or the traffic goes out through a proxy or NAT) carries no such key. A StringEquals on a key that is absent never matches, so the Allow statement does not apply and, with no other grant, S3 returns AccessDenied. Confirm it by checking the subnet's route table for a route to the pl- prefix list via the vpce- ID, or by sending a test request and reading the vpcEndpointId field in the CloudTrail data event for the bucket: if it is empty, the request did not use the endpoint.

Option B would also produce AccessDenied, but in the same account a bucket policy Allow is sufficient without a matching identity-policy Allow, and the scenario presents the bucket policy as the intended grant. Option C is wrong as stated, but it is one way to end up in situation A: a gateway endpoint only serves buckets in its own Region, so traffic to a bucket elsewhere bypasses it and arrives without the key.

Option D is wrong because the key in the policy is spelled correctly; aws:SourceVpce is the documented key (aws:SourceVpc, without the e, is the separate key for the VPC ID).

190
Matchingmedium

Match each AWS VPC flow log type to its description.



Capture IP traffic for a VPC

Capture IP traffic for a subnet

Capture IP traffic for a network interface

Capture IP traffic for a transit gateway

Why these pairings

Flow logs can be created at the VPC, subnet, network interface or transit gateway (and transit gateway attachment) level; a log at a broader level captures every interface beneath it, so a VPC-level flow log covers all subnets and ENIs in that VPC. Flow logs record metadata about accepted and rejected IP traffic (addresses, ports, protocol, byte counts, action), not packet payloads.

191
Multi-Selecteasy

Which TWO are valid methods to centrally manage multiple AWS accounts? (Choose two.)

Select 2 answers
A.AWS IAM
B.AWS Service Catalog
C.Amazon Cognito
D.AWS Control Tower
E.AWS Organizations
AnswersD, E

Control Tower provides governance for multi-account environments.

Why this answer

AWS Organizations (E) is the account-management service itself: consolidated billing, OUs, SCPs and delegated administration for other services. AWS Control Tower (D) builds a landing zone on top of Organizations with preconfigured guardrails and an account factory. Option A (IAM) is per-account. Option C (Cognito) manages application end users, not AWS accounts.

Option B (Service Catalog) governs which approved products teams can deploy; it does not manage accounts (although Control Tower's Account Factory is itself delivered as a Service Catalog product).

192
MCQeasy

A security engineer is tasked with ensuring that all S3 buckets in an AWS account have versioning enabled. The engineer needs to identify buckets that do not have versioning enabled. Which AWS service is BEST suited for this task?

A.AWS Trusted Advisor
B.AWS CloudTrail
C.IAM Access Analyzer
D.AWS Config
AnswerD

Config has managed rules to evaluate bucket versioning status.

Why this answer

AWS Config has the managed rule s3-bucket-versioning-enabled, which evaluates every bucket in the account and Region, marks those without versioning NON_COMPLIANT, keeps the compliance history, and can trigger an automatic remediation. Option B (CloudTrail) logs API calls. Option C (IAM Access Analyzer) analyzes policies.

Option A (Trusted Advisor) has a bucket-versioning check, but it needs a Business or Enterprise support plan, gives no per-bucket compliance history and has no remediation hook, so Config is the better fit.

193
MCQhard

Refer to the exhibit. A security engineer runs the get-trail-status command for a CloudTrail trail. The engineer notices that LatestCloudWatchLogsDeliveryTime is null. What does this indicate?

A.The trail has stopped logging.
B.The trail is not delivering logs to S3.
C.The digest delivery has failed.
D.The trail is not configured to deliver logs to CloudWatch Logs.
AnswerD

If CloudWatch Logs integration is not set, the timestamp is null.

Why this answer

Option D is correct: LatestCloudWatchLogsDeliveryTime (and LatestCloudWatchLogsDeliveryError) are populated only when the trail has a CloudWatch Logs log group configured; if describe-trails shows no CloudWatchLogsLogGroupArn for the trail, a null value is the expected state rather than a fault. Option A is wrong because a stopped trail shows IsLogging false and a StopLoggingTime. Option B is wrong because S3 delivery problems surface as a LatestDeliveryError (or a stale LatestDeliveryTime).

Option C is wrong because digest delivery has its own fields, LatestDigestDeliveryTime and LatestDigestDeliveryError.

194
MCQmedium

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all users use MFA for API calls. An IAM policy is created that denies all actions unless MFA is present. The policy is attached to all users. However, users report that they can still make API calls without MFA. The security team reviews the policy and confirms it is correct. What is the most likely reason the policy is not being enforced?

A.The policy uses the wrong condition key; it should be 'aws:MultiFactorAuthPresent'.
B.AWS CloudTrail is not enabled, so the policy cannot be evaluated.
C.An SCP at the root level allows all actions without MFA.
D.The IAM password policy does not require MFA.
AnswerA

Correct: The condition key must be exactly correct.

Why this answer

Option A is correct. IAM does not validate condition keys against the keys a service actually emits; a condition on a wrong key (aws:MultiFactorAuthAge, which measures how long ago MFA happened, or a typo) simply never matches, so the Deny never applies and the users' other permissions take effect. There is a second, equally common cause with the same symptom: aws:MultiFactorAuthPresent is placed in the request context only for temporary credentials. Requests signed with an IAM user's long-term access keys carry no such key, so a Deny written as Bool aws:MultiFactorAuthPresent false does not match them either. The documented pattern is BoolIfExists with value false, which treats a missing key as "no MFA" and denies the call. Option C is wrong because the scenario is a single account, and SCPs cannot grant anything anyway. Option B is wrong because CloudTrail records requests; it plays no part in policy evaluation.

Option D is wrong because the password policy governs console passwords and does not touch API calls.

195
MCQmedium

A company uses AWS Organizations and wants to restrict the AWS Regions in which resources can be created across all member accounts. Which mechanism should be used?

A.Apply a service control policy (SCP) that denies operations in unauthorized regions.
B.Use VPC endpoints to restrict API calls to specific regions.
C.Configure AWS Config rules to detect and delete resources in unauthorized regions.
D.Attach an IAM policy to each user that denies operations in unauthorized regions.
AnswerA

Correct: SCPs can deny actions in specific regions across all accounts.

Why this answer

Option A is correct: an SCP that denies all actions when aws:RequestedRegion is not in the allowed list applies to every principal in the member accounts. Use StringNotEquals on aws:RequestedRegion and exempt global services with NotAction (IAM, STS, Organizations, CloudFront, Route 53, Support, Health, Budgets and similar), as the documented example SCP does, or the Deny will break sign-in and billing as well. Option D is wrong because IAM policies live inside each account, where an administrator can change them, and they do not cover roles or future users unless attached everywhere. Option B is wrong because VPC endpoints govern network paths to service endpoints, not which Regions may be used.

Option C is wrong because AWS Config can detect resources in unauthorized Regions (and delete them through remediation) but does not prevent their creation.

196
Multi-Selectmedium

A security engineer is designing a solution to protect sensitive data in S3. Which THREE mechanisms can be used to enforce encryption at rest?

Select 3 answers
A.Use an SCP to deny s3:PutObject without encryption
B.Enable default encryption on the S3 bucket
C.Enable cross-region replication
D.Apply a bucket policy that denies PutObject without the x-amz-server-side-encryption header
E.Enable MFA Delete on the S3 bucket
AnswersA, B, D

Enforces encryption across accounts.

Why this answer

Option A is correct because an SCP can deny s3:PutObject when the s3:x-amz-server-side-encryption condition key is absent (a Null condition) or does not name the required algorithm, and that guardrail reaches every account in the organization regardless of individual bucket policies. Option B is correct because default bucket encryption (SSE-S3, or SSE-KMS with a chosen key) encrypts any object uploaded without an encryption header; since January 2023 S3 applies SSE-S3 by default to every new object, so today the point of this setting is to select SSE-KMS and a specific key rather than to avoid plaintext. Option D is correct because a bucket policy Deny on s3:PutObject without the x-amz-server-side-encryption header (or with the wrong value, or with s3:x-amz-server-side-encryption-aws-kms-key-id naming a different key) rejects non-conforming uploads at the bucket. Caveat for A and D: denying on the absent header forces every client to send it and breaks uploads that rely on the bucket default, so if you depend on default encryption, deny only the wrong algorithm or key with StringNotEqualsIfExists and let the default handle the rest.

Exam trap

The trap here is that candidates confuse cross-region replication (which copies encrypted objects but does not enforce encryption) with an encryption enforcement mechanism, or they think MFA Delete relates to encryption at rest when it only protects against deletion.

197
MCQmedium

A security engineer needs to ensure that all EC2 instances launched in an account have a specific tag (e.g., CostCenter) applied. If an instance is launched without the tag, it should be automatically terminated. Which solution meets these requirements with minimal effort?

A.Use an SCP to deny ec2:RunInstances if the request does not include the required tag.
B.Use AWS Organizations Tag Policies to enforce the tag.
C.Use AWS Config rules with an automatic remediation action that invokes a Lambda function to terminate the instance.
D.Use AWS CloudTrail to detect RunInstances events and send alerts to the security team.
AnswerC

Config can detect untagged instances and auto-remediate by terminating them.

Why this answer

Option C is correct because an AWS Config rule (the managed required-tags rule, or a custom rule) marks each instance that lacks the CostCenter tag NON_COMPLIANT, and an automatic remediation action (an SSM Automation document, which can invoke a Lambda function) terminates it, meeting the stated requirement with the least custom code. Option A misses the requirement rather than being impossible: an SCP can deny ec2:RunInstances when aws:RequestTag/CostCenter is absent, which prevents untagged launches outright, but it terminates nothing and does not cover instances that already exist or lost their tag later. Prevention and detection are complementary; many teams use both. Option B is wrong because tag policies standardize keys and values on resources that carry the tag; they neither require the tag nor remediate.

Option D is wrong because CloudTrail and alerts detect the launch but do not terminate the instance.
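The decision a Config custom rule makes, with the remediation hook alongside it, as an added example that is not from the page or from AWS (the managed required-tags rule already does this check; the custom rule just makes the event shape and the compliance verdict explicit). The sample event, instance ID, tag names and result token are constructed, and boto3 is imported only inside the Lambda handlers so the decision logic runs offline.

```python
"""Custom AWS Config rule for a required EC2 tag, plus the remediation hook.
Added example, not code from the page or from AWS; see the lead-in."""
import json

REQUIRED_TAGS = ("CostCenter",)  # default when the rule gets no parameters


def missing_tags(configuration_item, required=REQUIRED_TAGS):
    """Names of required tags the resource lacks or carries with an empty value."""
    tags = configuration_item.get("tags") or {}
    return [t for t in required if not tags.get(t)]


def build_evaluation(event):
    """Decide compliance for one ConfigurationItemChangeNotification.
    invokingEvent and ruleParameters arrive as JSON strings, as Config sends them."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    required = tuple(t.strip() for t in params.get("requiredTags", ",".join(REQUIRED_TAGS)).split(","))
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::Instance":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        gaps = missing_tags(item, required)
        compliance = "NON_COMPLIANT" if gaps else "COMPLIANT"
        note = f"missing tags: {', '.join(gaps)}" if gaps else "all required tags present"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def rule_handler(event, context):
    """Lambda entry point for the custom rule; this part calls AWS and is not run offline."""
    import boto3  # assumption: the Lambda runtime provides boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def remediation_handler(event, context):
    """Remediation target: terminate the non-compliant instance. Assumes the
    remediation action (for example an SSM Automation document that invokes
    this function) passes the instance ID as InstanceId."""
    import boto3
    instance_id = event["InstanceId"]
    boto3.client("ec2").terminate_instances(InstanceIds=[instance_id])
    return {"terminated": instance_id}


# Constructed sample invocation: an instance launched with only a Name tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-05-22T10:15:00.000Z",
            "tags": {"Name": "web-1"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTags": "CostCenter,Owner"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping the verdict in build_evaluation, separate from the put_evaluations call, is what makes the rule testable without credentials; the same split applies to the remediation, where the terminate call is the only line that needs AWS. Give the remediation role nothing beyond ec2:TerminateInstances, scoped with a condition on the tag if your naming allows it.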

198
MCQeasy

A security engineer applies the above bucket policy to an S3 bucket. What is the effect of this policy?

A.All requests to the bucket are denied regardless of protocol.
B.All requests to the bucket must be made over HTTPS.
C.The policy has no effect because it uses a condition.
D.All requests to the bucket must be made over HTTP.
AnswerB

The policy denies requests that are not over HTTPS.

Why this answer

Option B is correct because the policy is a Deny on every S3 action whose condition Bool aws:SecureTransport false is met, that is, whenever the request arrived over plain HTTP; only TLS requests pass. Pair it with an Allow for the principals that need access, since the Deny grants nothing by itself, and keep the Deny's Principal as "*" so it also covers the bucket owner. Option A is wrong because the Deny is conditional; HTTPS requests are unaffected.

Option C is wrong because a condition does not disable a statement; it scopes it. Option D is wrong because the policy denies HTTP rather than requiring it.
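The evaluation rules behind questions 175, 179, 189, 194, 195 and 198 are easier to see in code than in prose. The script below is an added example, not AWS code: a toy evaluator that models only the parts those questions turn on (an explicit Deny wins, SCPs gate but never grant and skip the management account, a missing condition key never satisfies StringEquals or Bool, and the IfExists operators treat a missing key as a match) and then runs each scenario. The account ID, bucket name and endpoint ID are made up, and resource matching and cross-account rules are deliberately left out.

```python
"""Toy IAM policy evaluator: added example, not AWS code (see lead-in)."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(op, key, wanted, ctx):
    """One condition entry. An absent key never satisfies StringEquals/Bool;
    the ...IfExists operators treat absence as a match; Null tests absence."""
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    present = key in ctx
    if base == "Null":  # "Null": {key: "true"} holds when the key is absent
        return present != (str(wanted).lower() == "true")
    if not present:
        return if_exists
    actual = str(ctx[key]).lower()
    wanted = [str(w).lower() for w in _as_list(wanted)]
    if base in ("StringEquals", "Bool", "ArnEquals"):
        return actual in wanted
    if base in ("StringNotEquals", "ArnNotEquals"):
        return actual not in wanted
    raise ValueError(f"operator {op} not modelled")


def _applies(stmt, action, ctx):
    """Statement covers the action (Action / NotAction) and every condition holds."""
    act = action.lower()
    for field, want_hit in (("Action", True), ("NotAction", False)):
        if field in stmt:
            hit = any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(stmt[field]))
            if hit != want_hit:
                return False
    return all(_condition_holds(op, k, v, ctx)
               for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())


def _has(policies, effect, action, ctx):
    return any(s["Effect"] == effect and _applies(s, action, ctx)
               for p in policies for s in _as_list(p["Statement"]))


def evaluate(action, ctx, identity_policies=(), scps=None, resource_policies=()):
    """Return "Allow" or "Deny" for one same-account request.
    scps=None models the management account, which SCPs never restrict."""
    identity, resource = list(identity_policies), list(resource_policies)
    guardrails = [] if scps is None else list(scps)
    if _has(identity + resource + guardrails, "Deny", action, ctx):
        return "Deny"  # an explicit Deny anywhere wins
    if scps is not None and not _has(guardrails, "Allow", action, ctx):
        return "Deny"  # SCPs must allow the action, but they never grant it
    return "Allow" if _has(identity + resource, "Allow", action, ctx) else "Deny"


# Constructed policies; the account ID, bucket and endpoint ID are made up.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS = ADMIN  # the default SCP that Organizations attaches everywhere
BUCKET = "arn:aws:s3:::example-bucket"
OWNER = {"AWS": "arn:aws:iam::111122223333:root"}


def demo_scp_redshift():
    """Q175/179/195: the SCP Deny beats an identity Allow in a member account only."""
    scp = {"Statement": [{"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}
    member = evaluate("redshift:CreateCluster", {}, [ADMIN], scps=[FULL_AWS_ACCESS, scp])
    management = evaluate("redshift:CreateCluster", {}, [ADMIN], scps=None)
    return member, management


def demo_vpce():
    """Q189: aws:SourceVpce exists only for requests that traverse the endpoint."""
    policy = {"Statement": [{"Effect": "Allow", "Principal": OWNER, "Action": "s3:GetObject",
                             "Resource": BUCKET + "/*",
                             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-12345678"}}}]}
    return (evaluate("s3:GetObject", {"aws:SourceVpce": "vpce-12345678"}, resource_policies=[policy]),
            evaluate("s3:GetObject", {}, resource_policies=[policy]))


def demo_mfa():
    """Q194: aws:MultiFactorAuthPresent is set for temporary credentials but absent
    for long-term access keys, so a Bool Deny never fires for them; BoolIfExists does."""
    def deny_without_mfa(op):
        return {"Statement": [{"Effect": "Deny", "NotAction": ["sts:GetSessionToken", "iam:ListMFADevices"],
                               "Resource": "*", "Condition": {op: {"aws:MultiFactorAuthPresent": "false"}}}]}
    role_no_mfa, access_keys = {"aws:MultiFactorAuthPresent": "false"}, {}
    return (evaluate("ec2:DescribeInstances", role_no_mfa, [ADMIN, deny_without_mfa("Bool")]),
            evaluate("ec2:DescribeInstances", access_keys, [ADMIN, deny_without_mfa("Bool")]),
            evaluate("ec2:DescribeInstances", access_keys, [ADMIN, deny_without_mfa("BoolIfExists")]))


def demo_secure_transport():
    """Q198: aws:SecureTransport is "false" for plain HTTP, which the Deny catches."""
    policy = {"Statement": [
        {"Effect": "Allow", "Principal": OWNER, "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
    return (evaluate("s3:GetObject", {"aws:SecureTransport": "false"}, resource_policies=[policy]),
            evaluate("s3:GetObject", {"aws:SecureTransport": "true"}, resource_policies=[policy]))


if __name__ == "__main__":
    for demo in (demo_scp_redshift, demo_vpce, demo_mfa, demo_secure_transport):
        print(f"{demo.__name__:22} {demo()}")
```

The middle value of demo_mfa is the one to remember: with plain Bool, an access-key caller is never denied, which is exactly the symptom in question 194. Before trusting a real policy, run it through the IAM policy simulator with and without the condition keys, since this toy evaluator knows nothing about resources, principals or the other operators.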

199
MCQeasy

A company wants to implement a least-privilege security model for its AWS environment. The security team has identified that many IAM users have overly permissive policies. The team wants to use AWS IAM Access Analyzer to identify policies that grant access to external principals. However, the team is not seeing any findings. What is the most likely reason?

A.IAM Access Analyzer is not enabled for the account.
B.IAM Access Analyzer only analyzes S3 bucket policies, not IAM policies.
C.IAM Access Analyzer requires AWS Organizations to be enabled.
D.All policies are already least-privilege and do not grant access to external principals.
AnswerA

The analyzer must be enabled in each account to generate findings.

Why this answer

Option A is correct because IAM Access Analyzer produces findings only where an analyzer exists: it is created per account and per Region (or, with the organization as its zone of trust, once for all member accounts), and it has to be created explicitly. With no analyzer there are simply no findings, which is easy to mistake for a clean result. Note also what this analyzer looks at: resource-based policies such as S3 bucket policies, IAM role trust policies, KMS key policies and Lambda, SQS and Secrets Manager policies. It does not flag over-permissive identity policies on IAM users, since those cannot grant access to external principals; that is the job of its policy validation and unused-access features. Option B is wrong because the analyzer covers far more than S3.

Option C is wrong because only an organization-wide analyzer needs AWS Organizations; an account-level analyzer does not. Option D is possible but unlikely given the team's own assessment of the policies, and it cannot be concluded until an analyzer has actually run.

200
MCQhard

A security engineer is troubleshooting a situation where an IAM user is unable to assume a role in a different account. The trust policy of the role allows the user's account to assume the role, and the user has permissions to call AssumeRole. However, the user receives an 'AccessDenied' error. What is the most likely cause?

A.The role ARN is incorrect.
B.The user's IAM policy does not grant sts:AssumeRole for the target role.
C.An SCP in the user's account denies sts:AssumeRole.
D.The role requires MFA and the user has not authenticated with MFA.
AnswerB

Even if the trust policy allows the account, the user must have explicit permissions to assume the role.

Why this answer

Option B is correct because assuming a role in another account needs two grants: the role's trust policy must allow the caller (here it allows the whole account, which delegates the decision to that account's IAM), and the caller's own identity policy must allow sts:AssumeRole on this specific role ARN. A policy that grants sts:AssumeRole on other roles, or that a permissions boundary or condition does not cover, leaves this role out and STS returns AccessDenied. Option C would also explain the error, since an SCP Deny overrides any identity Allow, but the scenario says the user's permissions were verified and asks for the most likely cause. Option A is less likely because the engineer has already inspected the role's trust policy, so the ARN is known; note, though, that STS returns AccessDenied for a nonexistent role in another account too, so a wrong ARN cannot be ruled out from the error text alone.

Option D is wrong for the same reason: a trust policy that requires MFA fails its condition and yields AccessDenied, not a distinct MFA error. AssumeRole errors never say which side refused, so check the trust policy, the caller's policy, any permissions boundary and the SCPs in turn.

201
MCQmedium

A security engineer reviews the above CloudTrail event. Which action should the engineer take FIRST to mitigate a potential security issue?

A.Revert the bucket policy to remove the public access.
B.Delete the bucket to prevent data exposure.
C.Contact the root user to confirm the action.
D.Disable the root user's access keys.
AnswerA

The bucket is now publicly readable; immediate remediation is needed.

Why this answer

The CloudTrail event shows that the root user called PutBucketPolicy to apply a bucket policy that grants public access (an Allow statement with Principal "*" and Action s3:GetObject, with no condition narrowing who "*" is). Reverting the policy, or replacing it with the previous version, is the immediate corrective action: it closes the exposure the moment it takes effect. Turning on S3 Block Public Access for the bucket (and the account) at the same time keeps the next such policy from taking effect at all.

Exam trap

The trap here is that candidates may focus on disabling the root user's access keys (Option D) because they associate root user actions with compromised credentials, but the real issue is the bucket policy itself: the root user, intentionally or not, made the bucket public, and the immediate fix is to revert that policy.

How to eliminate wrong answers

Option B is wrong because deleting the bucket is an overly destructive action that would cause data loss and disrupt any legitimate workloads; the correct first step is to fix the policy, not destroy the resource. Option C is wrong because the root user is the one who performed the action, so contacting them to confirm wastes time and does not mitigate the ongoing public exposure; the engineer should act immediately to revoke access. Option D is wrong because it does not undo the exposure: disabling root access keys (if any exist) is a reasonable follow-up if the root session was not sanctioned, alongside rotating the root password and checking whether the credentials were used elsewhere, but the bucket policy already in effect stays public until it is changed.

202
Multi-Selecthard

A security engineer is designing a logging solution for a multi-account environment using AWS Organizations. The solution must meet the following requirements:
- Logs from all accounts must be centrally stored and immutable.
- Only the security team should be able to delete logs.
- Logs must be encrypted at rest.
Which TWO steps should the engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A.Enable S3 default encryption on the log bucket.
B.Enable S3 Object Lock and configure a bucket policy to deny s3:DeleteObject unless the principal is the security team.
C.Stream logs to CloudWatch Logs and set a retention policy of 10 years.
D.Create an IAM role in each account that allows the security team to access logs.
E.Enable CloudTrail organizational trail in the management account.
AnswersB, E

Prevents deletion and restricts to security team.

Why this answer

Options B and E are correct. Option E: an organization trail created in the management account records events from every member account (including accounts added later) and delivers them to one bucket, so the logs are centralized without per-account setup. Option B: S3 Object Lock (which requires versioning and must be enabled when the bucket is created) keeps object versions from being deleted or overwritten for the retention period, and a bucket policy that denies s3:DeleteObject and s3:DeleteObjectVersion to everyone except the security team's role handles the access-control half. Use compliance mode if even the bucket owner must be unable to shorten the retention, and enable CloudTrail log file validation so the digest files prove the logs were not altered.

Option A is not wrong in itself (CloudTrail log files are SSE-S3 encrypted by default and the trail can use SSE-KMS), but it does nothing for centralization or immutability. Option D is wrong because per-account roles spread access out rather than centralizing it. Option C is wrong because a CloudWatch Logs retention setting does not make logs immutable or restrict who can delete them.

203
Multi-Selectmedium

A company wants to implement a least-privilege access model for their AWS resources. Which TWO of the following are best practices for achieving this?

Select 2 answers
A.Use a single IAM role for all users in the account.
B.Grant permissions only for the specific actions required.
C.Attach IAM policies to groups rather than individual users.
D.Use conditions in IAM policies to restrict access based on attributes like source IP or time.
E.Always use AWS managed policies instead of customer managed policies.
AnswersB, D

This is the fundamental practice of least-privilege.

Why this answer

Option B is correct: granting only the specific actions a task needs is the definition of least privilege. Option D is correct: conditions (aws:SourceIp, aws:MultiFactorAuthPresent, aws:RequestedRegion, aws:CurrentTime for time windows) narrow when and from where a permission can be exercised, which limits what a stolen credential can do. Option A is wrong because one role for everyone gives every user the union of all permissions.

Option C is sound administration but does not by itself reduce what anyone can do; a group can be just as over-permissioned as a user. Option E is wrong because AWS managed policies are broad by design (many are service-wide), so relying on them alone tends to over-grant; customer managed policies written for the task are how least privilege is actually reached.

204
MCQeasy

A security engineer needs to automate the response to an AWS CloudTrail log event that indicates a potential security threat. Which AWS service would be most appropriate to orchestrate the automated response?

A.AWS Lambda
B.Amazon Simple Queue Service (SQS)
C.AWS Step Functions
D.Amazon EventBridge
AnswerC

Correct: Step Functions orchestrates workflows and coordinates services.

Why this answer

Option C is correct because AWS Step Functions coordinates the multi-step response as a state machine: invoke a Lambda function to isolate the resource, call the relevant AWS API directly, wait on a human approval step, then record the outcome, with retries and error branches built in. The other three are parts of the same pipeline rather than its orchestrator: EventBridge (D) is the trigger, matching the CloudTrail event with a rule and starting the state machine; Lambda (A) runs the individual actions; SQS (B) buffers messages between components.

The complete chain is CloudTrail event, EventBridge rule, Step Functions workflow, Lambda and API actions, with the result written to Security Hub or a ticket for follow-up.
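For the CloudTrail review in question 201 and the response pipeline in question 204, the following is an added example (not code from the page or from AWS) of the first step such a pipeline runs: the EventBridge rule pattern that selects bucket-policy changes, a matcher for that pattern, and a triage function that decodes the policy in the record and reports whether the bucket is now public. The event is constructed; the account ID, bucket name and IP address are made up, and the bucketPolicy field is accepted either as an object or as a JSON string because records have carried it both ways.

```python
"""First step of an automated response to a bucket-policy change: added example, not AWS code."""
import json

# EventBridge rule pattern (real syntax) selecting bucket-policy changes delivered via CloudTrail.
RULE_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"],
               "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"]},
}

# Condition keys that keep a Principal "*" statement from being open to the world.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:principalorgid",
                "aws:principalaccount", "aws:principalarn", "aws:sourcearn", "aws:sourceaccount"}


def matches_pattern(event, pattern):
    """Subset of EventBridge matching: every pattern key must exist in the event,
    nested dicts recurse, and a scalar must equal one of the listed alternatives."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True


def _everyone(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in (aws if isinstance(aws, list) else [aws])


def public_statements(policy):
    """Sid (or Action) of each Allow statement open to any principal with no scoping condition."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _everyone(stmt.get("Principal")):
            continue
        keys = {k.lower() for pairs in stmt.get("Condition", {}).values() for k in pairs}
        if keys & SCOPING_KEYS:
            continue  # "*" but only from a VPC, an organization, an IP range...
        hits.append(stmt.get("Sid") or json.dumps(stmt.get("Action")))
    return hits


def triage(record):
    """Findings for one CloudTrail record; an empty list means nothing to act on."""
    findings = []
    if "errorCode" in record:  # the call was refused, so nothing changed
        return findings
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("ROOT_USER_ACTIVITY")
    params = record.get("requestParameters") or {}
    if record.get("eventName") == "PutBucketPolicy":
        policy = params.get("bucketPolicy") or {}
        if isinstance(policy, str):  # some records carry the policy as a JSON string
            policy = json.loads(policy)
        for sid in public_statements(policy):
            findings.append(f"PUBLIC_BUCKET_POLICY:{params.get('bucketName')}:{sid}")
    elif record.get("eventName") == "DeleteBucketPolicy":
        findings.append(f"BUCKET_POLICY_REMOVED:{params.get('bucketName')}")
    return findings


def handle(event, pattern=RULE_PATTERN):
    """What the workflow's first state does with an EventBridge event: None if the
    rule would not have delivered it, otherwise the triage findings."""
    if not matches_pattern(event, pattern):
        return None
    return triage(event["detail"])


# Constructed EventBridge envelope around a CloudTrail record: root makes a bucket public.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "principalId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
        "eventTime": "2024-05-22T10:15:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "bucketName": "example-bucket",
            "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}},
    },
}

if __name__ == "__main__":
    print(handle(SAMPLE_EVENT))
```

The findings list is what the Step Functions state machine would branch on: PUBLIC_BUCKET_POLICY routes to the revert step (put the previous policy back, or delete it and turn on Block Public Access), ROOT_USER_ACTIVITY routes to the credential review, and an empty list ends the execution. The SCOPING_KEYS set is the judgment call in this code: a Principal "*" statement limited to an organization ID or a VPC endpoint is not public, and treating it as such would page the on-call for every internal data-perimeter policy.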

205
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that the logs are delivered to a centralized S3 bucket in the management account. The team creates an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail. Additionally, they enable CloudTrail organizational trail. However, after some time, they discover that one member account has disabled CloudTrail. What is the most likely reason this happened?

A. The member account's root user performed the action, which bypasses the SCP.
B. The SCP was not attached to the organizational unit (OU) containing the member account.
C. The SCP was applied to the management account instead of the member accounts.
D. The member account's IAM user used the AWS Management Console to disable CloudTrail.
Answer: B

If the SCP is not applied, the deny is not enforced.

Why this answer

Option B is correct. Organizational trails cannot be disabled by member accounts, but a member account can create its own trails and then stop them, which might confuse the monitoring; the organizational trail itself remains enabled, and as long as it is running, logs are still delivered.

The question, however, says the account "disabled CloudTrail", and a member account cannot disable the organizational trail. One explanation is that the member account's IAM user had permission to stop the organizational trail because the SCP might not apply to the management account; but SCPs apply to all accounts.

Another possibility is the member account's root user, which can still stop the trail if the SCP does not deny it. With the SCP applied correctly, even root cannot stop it.

If, however, the SCP is attached to the root OU but the member account is in a sub-OU that does not inherit the SCP, the action is possible. So option B is the most likely reason. Option A is wrong because CloudTrail cannot be disabled through the API, even with IAM permissions, when an SCP denies the action.

Option C is wrong because the SCP can be applied. Option D is wrong because the management account can stop organizational trails but member accounts cannot.

206
Multi-Select · hard

Which THREE AWS services can be used to centrally manage and audit permissions across multiple accounts in AWS Organizations?

Select 3 answers
A. Amazon Inspector
B. AWS Shield
C. AWS IAM Access Analyzer
D. AWS CloudTrail
E. AWS Config
Answers: C, D, E

Access Analyzer helps identify resources shared with external entities.

Why this answer

Options C, D, and E are correct. Option C is correct because IAM Access Analyzer can analyze resource policies across accounts. Option D is correct because AWS CloudTrail logs can be aggregated from multiple accounts.

Option E is correct because an AWS Config aggregator can aggregate compliance data across accounts. Option A is wrong because Inspector is for vulnerability assessments, not permission management. Option B is wrong because Shield is for DDoS protection.

207
MCQ · medium

A security engineer needs to ensure that all API calls made to AWS services are logged for auditing. Which AWS service should be used?

A. AWS Config
B. Amazon VPC Flow Logs
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: C

CloudTrail records API activity across AWS services.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to AWS services, capturing details such as the identity of the caller, the time of the call, the source IP address, request parameters, and response elements. This provides a complete audit trail of user activity and API usage, which is essential for security auditing and compliance.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration changes) with CloudTrail (which logs API calls), or they mistakenly think VPC Flow Logs or CloudWatch Logs are the primary services for API auditing, when in fact CloudTrail is the dedicated service for recording all AWS API activity.

How to eliminate wrong answers

Option A is wrong because AWS Config is designed for resource inventory, configuration history, and compliance rules, not for logging API calls; it tracks changes to resource configurations, not the API actions themselves. Option B is wrong because Amazon VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC, such as source/destination IPs and ports, but they do not log AWS API calls. Option D is wrong because Amazon CloudWatch Logs is a service for storing, monitoring, and accessing log files from various sources, but it does not natively capture API calls; it can be used to store CloudTrail logs, but the service that actually generates the API call logs is CloudTrail.

208
Multi-Select · medium

Which TWO actions can be taken to enforce the principle of least privilege for IAM users in an AWS account? (Choose two.)

Select 2 answers
A. Use IAM roles with temporary credentials for access
B. Grant full administrative access to all users to simplify management
C. Use service control policies (SCPs) to restrict user permissions
D. Use the root user for daily administrative tasks
E. Regularly review and remove unused IAM policies
Answers: A, E

Temporary credentials reduce risk of long-term keys.

Why this answer

Option A provides temporary credentials; Option E removes excessive permissions. Option B (full admin) violates least privilege. Option C (SCPs) applies to accounts, not users.

Option D (root user) is too permissive.

209
MCQ · easy

A security engineer needs to centrally manage and enforce security policies across multiple AWS accounts in an organization. Which AWS service should they use?

A. AWS CloudFormation StackSets
B. AWS IAM
C. AWS Firewall Manager
D. AWS Organizations with SCPs
Answer: D

SCPs can define permission guardrails across all accounts in the organization.

Why this answer

AWS Organizations with Service Control Policies (SCPs) allows central policy management across accounts. Firewall Manager focuses on VPC security, not general policies.

210
MCQ · hard

A security engineer notices that an IAM user has been performing suspicious actions in an AWS account. The engineer needs to generate a credential report to identify the age of the user's access keys. Which AWS CLI command should the engineer run?

A. aws iam get-account-authorization-details
B. aws iam generate-credential-report && aws iam get-credential-report
C. aws iam generate-service-last-accessed-details
D. aws iam list-access-keys --user-name suspectUser
Answer: B

The credential report includes access key ages.

Why this answer

Option B is correct because generate-credential-report creates the report and get-credential-report retrieves it. Option D is wrong because list-access-keys only lists keys without age. Option A is wrong because get-account-authorization-details is not for credential reports.

Option C is wrong because generate-service-last-accessed-details is for services.

211
MCQ · easy

A company's security team wants to receive alerts when an IAM user creates a new access key. Which AWS service can be used to monitor and notify on this specific API call?

A. AWS Trusted Advisor
B. Amazon GuardDuty
C. AWS CloudTrail with Amazon CloudWatch Events
D. AWS Config
Answer: C

CloudTrail logs API calls and CloudWatch Events can trigger notifications.

Why this answer

Option C is correct because CloudTrail logs IAM CreateAccessKey events, and CloudWatch Events can trigger a notification. Option D is wrong because AWS Config is for resource compliance. Option B is wrong because GuardDuty is for threat detection.

Option A is wrong because Trusted Advisor is for best practices.

212
MCQ · hard

A company uses AWS Organizations with a multi-account strategy. The security team wants to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID. Which approach should the team take to enforce this requirement across all accounts?

A. Use AWS Config to detect EC2 instances with noncompliant AMI IDs and send notifications.
B. Create an IAM policy in each account that denies ec2:RunInstances unless the AMI ID is in an approved list.
C. Create an SCP that denies ec2:RunInstances if the AMI ID is not in a specified list.
D. Deploy a Lambda function that terminates any EC2 instance with a noncompliant AMI ID.
Answer: C

SCPs can deny actions based on conditions and apply to all accounts in the organization.

Why this answer

Using an SCP to deny RunInstances with a condition on the AMI ID is the most direct way to enforce this at the organization level. Option B (an IAM policy in each account) is less manageable. Option A (AWS Config) detects but does not prevent.

Option D (Lambda) is reactive.

213
MCQ · medium

A security engineer is designing a solution to enforce that all S3 buckets in an AWS account have server-side encryption enabled. The engineer needs to automatically remediate any non-compliant buckets. Which AWS service should be used to implement this requirement?

A. AWS Lambda with S3 events
B. AWS Config with managed rules and auto-remediation
C. AWS IAM policy to deny PutBucketEncryption without encryption
D. AWS CloudTrail
Answer: B

AWS Config evaluates resources against rules and can trigger auto-remediation via Systems Manager Automation.

Why this answer

AWS Config can evaluate resource configurations against rules and automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Option D is wrong because AWS CloudTrail records API activity but does not enforce configuration. Option A is wrong because AWS Lambda can be used but is not the primary service for governance at scale.

Option C is wrong because IAM policies can prevent creating buckets without encryption but do not remediate existing ones.

214
MCQ · easy

A developer needs to grant an IAM user read-only access to an S3 bucket containing sensitive data. The bucket is encrypted with an AWS KMS customer managed key. Which set of permissions must be included in the IAM policy?

A. s3:GetObject, kms:Encrypt
B. s3:GetObject, kms:Decrypt
C. kms:Decrypt
D. s3:ListBucket, kms:Decrypt
Answer: B

GetObject to read the object, Decrypt to decrypt the KMS-encrypted object.

Why this answer

Option B is correct because reading objects requires both s3:GetObject and kms:Decrypt. Option D is wrong because s3:ListBucket is not required for reading a specific object. Option A is wrong because kms:Encrypt is not needed for read-only access.

Option C is wrong because s3:GetObject is required.

215
MCQ · easy

A company wants to receive real-time notifications when an IAM user in their AWS account performs a console login. Which AWS service should be used to monitor and alert on this activity?

A. AWS IAM
B. AWS Config
C. AWS Trusted Advisor
D. AWS CloudTrail and Amazon EventBridge
Answer: D

CloudTrail logs API calls, EventBridge can trigger notifications.

Why this answer

Option D is correct because CloudTrail logs console login events, and CloudWatch Events (now Amazon EventBridge) can trigger a notification based on those events. Option A is wrong because IAM does not provide real-time monitoring. Option B is wrong because Config is for resource configuration changes, not API calls.

Option C is wrong because Trusted Advisor provides best-practice checks, not real-time monitoring.

216
MCQ · medium

A company wants to centrally manage and enforce encryption on all EBS volumes across multiple AWS accounts. Which AWS service can be used to define and enforce encryption policies at the organizational level?

A. AWS Config
B. AWS IAM
C. AWS Key Management Service (KMS)
D. AWS Organizations
Answer: D

Organizations allows central policy management via SCPs and can enforce encryption settings.

Why this answer

Option D is correct: AWS Organizations can use SCPs or, more specifically, the EBS encryption by default setting can be enforced via a combination of an SCP and AWS Config. Either way, the most direct service for centralized policy management is AWS Organizations. Option B is wrong because IAM is per-account.

Option C is wrong because AWS KMS manages keys, not enforcement. Option A is wrong because AWS Config evaluates but cannot enforce encryption by default across accounts without additional automation.

217
Multi-Select · medium

Which TWO actions should a security engineer take to ensure that an S3 bucket is not publicly accessible? (Choose two.)

Select 2 answers
A. Enable S3 Block Public Access at the account level
B. Enable AWS CloudTrail for the bucket
C. Remove all bucket ACLs
D. Set a bucket policy that denies all public access
E. Enable S3 Block Public Access at the bucket level
Answers: A, E

Provides an additional layer of protection for all buckets in the account.

Why this answer

Block Public Access settings at the bucket and account level prevent all public access. The other options are wrong: ACLs can allow public access, CloudTrail does not block anything, and bucket policies are overridden by Block Public Access.

218
MCQ · hard

This SCP is attached to an organizational unit (OU). A developer in an account within the OU tries to launch a t2.small instance. What is the outcome?

A. The launch fails because the SCP denies all RunInstances actions.
B. The launch succeeds because the SCP allows t2.micro only.
C. The launch fails because the SCP denies non-t2.micro instances.
D. The launch succeeds because SCPs do not apply to developers.
Answer: C

Correct: t2.small is denied.

Why this answer

Option C is correct because the SCP denies ec2:RunInstances if the instance type is not t2.micro. Since t2.small is not t2.micro, the condition matches and the action is denied. Option A is wrong because the deny applies only when the condition is met, not to every RunInstances call.

Option B is wrong because the condition applies to the instance resource, and t2.small does not satisfy it. Option D is wrong because SCPs apply to all principals.

219
Multi-Select · medium

A company wants to ensure that all Amazon S3 buckets are encrypted at rest. Which THREE services can be used together to automatically remediate unencrypted S3 buckets?

Select 3 answers
A. Amazon S3 default encryption
B. AWS CloudTrail
C. Amazon EventBridge
D. AWS Config
E. AWS Lambda
Answers: C, D, E

EventBridge can route Config compliance changes to trigger remediation.

Why this answer

Options C, D, and E are correct. AWS Config can detect unencrypted buckets (D), Amazon EventBridge can trigger a remediation action (C), and AWS Lambda can execute the remediation (E). Option A is wrong because S3 itself does not automatically remediate; it can be configured with default encryption, but that is per-bucket.

Option B is wrong because CloudTrail is for auditing, not remediation.

220
MCQ · medium

A company wants to enforce that all IAM users in an AWS account must have multi-factor authentication (MFA) enabled. Which AWS service can be used to automatically detect and remediate non-compliant users?

A. AWS Trusted Advisor
B. AWS IAM Access Analyzer
C. AWS CloudTrail
D. AWS Config
Answer: D

Config provides managed rules for IAM user MFA and can trigger automatic remediation.

Why this answer

AWS Config can evaluate IAM user MFA status using a managed rule (iam-user-mfa-enabled) and trigger automatic remediation via Systems Manager Automation or Lambda.

221
MCQ · hard

A security team needs to enforce that all EC2 instances launched in a specific AWS account use only approved AMIs. Which combination of services can enforce this requirement?

A. Use IAM policies to restrict ec2:RunInstances to only approved AMIs
B. Use AWS Service Catalog with a product that launches approved AMIs
C. Use an AWS Config rule to check AMI compliance and a service control policy (SCP) to deny noncompliant launches
D. Use AWS CloudTrail to log all EC2 launches and alert on noncompliant AMIs
Answer: C

Config evaluates, SCP denies the action.

Why this answer

AWS Config rules can evaluate launched instances, and SCPs can deny noncompliant launches, so Option C is correct. Option B (Service Catalog) requires launching through products and is not enforced for direct EC2 launches.

Option D (CloudTrail) only logs. Option A (IAM) cannot restrict based on AMI ID directly.

222
MCQ · hard

A company's security team needs to enforce encryption at rest for all RDS instances in the production account. They have enabled mandatory encryption using a service control policy. What else must be done to ensure existing unencrypted RDS instances are encrypted?

A. Attach a new KMS key policy to the RDS instance.
B. Create a snapshot of the unencrypted instance, copy the snapshot with encryption enabled, and restore the encrypted snapshot to a new DB instance.
C. Enable encryption on the DB subnet group and reboot the instance.
D. Modify the RDS instance to enable encryption using the AWS Console.
Answer: B

This is the standard procedure to migrate to encrypted RDS.

Why this answer

Option B is correct because RDS does not support encrypting an existing unencrypted instance in place; you must create a snapshot, copy it with encryption enabled, and restore it. Option D is incorrect because you cannot enable encryption on an existing instance by modifying it. Option C is incorrect because enabling encryption on the DB subnet group does not affect existing instances.

Option A is incorrect because you must use a snapshot copy.

223
Multi-Select · medium

A security engineer is auditing IAM policies. The engineer wants to identify if any policy grants 'Effect: Allow' with 'Action: *' and 'Resource: *'. Which TWO AWS services can be used to detect such overly permissive policies?

Select 2 answers
A. AWS CloudTrail
B. AWS Trusted Advisor
C. AWS Config
D. IAM Access Analyzer
E. Amazon GuardDuty
Answers: C, D

Config can use custom rules to evaluate IAM policies.

Why this answer

IAM Access Analyzer can analyze policies for broad permissions. AWS Config can evaluate custom rules to check for such policies. Option A (CloudTrail) logs usage, not policy content.

Option E (GuardDuty) does not analyze IAM policies. Option B (Trusted Advisor) checks some but not all policies.

224
MCQ · easy

A company wants to ensure that all IAM users in an account have multi-factor authentication (MFA) enabled. A security administrator needs to identify users who do not have MFA. Which AWS service should the administrator use?

A. AWS CloudTrail
B. IAM Access Analyzer
C. IAM Credential Report
D. AWS Config
Answer: C

The credential report includes MFA status for all users.

Why this answer

The AWS IAM Credential Report lists all IAM users and their MFA status, providing a quick way to identify users without MFA. Option B (IAM Access Analyzer) focuses on resource policies. Option A (CloudTrail) logs events.

Option D (AWS Config) can check compliance but requires a rule; the credential report is more direct.

225
MCQ · hard

A company uses AWS Config to evaluate resource compliance. The security team notices that the AWS::IAM::Group resource type is not supported by AWS Config managed rules. What is the best way to detect IAM groups that have an inline policy allowing 'iam:CreateUser'?

A. Create a custom AWS Config rule using a Lambda function that evaluates IAM groups
B. Use IAM Access Analyzer to identify policies that grant broad access
C. Use AWS CloudTrail Insights to detect CreateUser events
D. Enable AWS Config advanced query and run a query on IAM groups
Answer: A

Lambda-backed Config rules can evaluate unsupported resource types via API calls.

Why this answer

AWS Config managed rules do not support the AWS::IAM::Group resource type, so you cannot use a managed rule to evaluate inline policies on IAM groups. The best approach is to create a custom AWS Config rule backed by a Lambda function that can evaluate the IAM group's inline policies and trigger a compliance check when the group configuration changes. This allows you to detect any inline policy that contains the 'iam:CreateUser' action.

Exam trap

The trap here is that candidates assume AWS Config advanced queries can evaluate any resource type, but AWS Config only supports querying resource types that it records, and IAM groups are not recorded, making Option D ineffective.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is designed to identify resources shared with external entities, not to evaluate inline policies on IAM groups for specific actions like 'iam:CreateUser'. Option C is wrong because AWS CloudTrail Insights detects unusual API activity patterns, not the static configuration of IAM group policies; it would only alert after a CreateUser event occurs, not proactively detect the policy. Option D is wrong because AWS Config advanced queries can query resource configuration data, but they cannot evaluate inline policies on IAM groups since AWS Config does not support the AWS::IAM::Group resource type for configuration recording or querying.
