CCNA Management and Security Governance Questions

37 of 262 questions · Page 4/4 · Management and Security Governance · Answers revealed

226 · MCQ · hard

A company's Security team is using AWS Organizations with a consolidated billing account. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. Which combination of actions should the security team take? (Choose the best answer.)

A. Use AWS Config rules to detect when CloudTrail is disabled.
B. Create a new IAM policy that requires each account owner to enable CloudTrail.
C. Enable CloudTrail in the management account only and use cross-account logging.
D. Use an SCP to deny disabling CloudTrail and use CloudFormation StackSets to deploy CloudTrail in all accounts.

Answer: D

SCP prevents disabling, StackSets deploy automatically.

Why this answer

Option D is correct because using an SCP to deny disabling CloudTrail and a CloudFormation StackSet to deploy CloudTrail in each account ensures both enforcement and deployment. Option B is wrong because relying on individual account owners is not automated. Option C is wrong because enabling CloudTrail only in the management account does not cover member accounts.

Option A is wrong because Config rules do not prevent CloudTrail from being disabled.

227 · MCQ · medium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts are encrypted with AWS KMS. Which policy should be used to enforce this?

A. Apply a bucket policy on each bucket denying PutObject without encryption
B. Create an SCP at the root OU that denies s3:PutBucketAction without encryption
C. Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule
D. Attach an IAM policy to each account's admin user requiring encryption

Answer: B

SCPs can deny actions across all accounts in the organization.

Why this answer

Option B is correct because Service Control Policies (SCPs) at the root OU can deny the s3:PutBucketAction (which includes s3:PutBucketEncryption) unless the request includes encryption settings that use AWS KMS. This enforces encryption at the organizational level, overriding any account-level permissions, and ensures that all S3 buckets across all accounts are encrypted with KMS.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that bucket policies or IAM policies can enforce organization-wide encryption when they lack the scope or precedence to do so.

How to eliminate wrong answers

Option A is wrong because bucket policies are applied per bucket and cannot enforce encryption on buckets that already exist without encryption; they also require manual application to each bucket and do not prevent creation of unencrypted buckets. Option C is wrong because AWS Config rules are detective, not preventive—they can detect non-compliant buckets but cannot block the creation of unencrypted buckets. Option D is wrong because IAM policies attached to admin users can be overridden or bypassed by other users or roles with different permissions, and they do not apply to service-linked roles or cross-account access.

228 · MCQ · easy

A company has an AWS account with multiple S3 buckets that contain sensitive data. The security team wants to ensure that no public access is granted to any bucket. The team has enabled AWS Config and set up a rule to detect public buckets. The rule reports that all buckets are compliant. However, during a security review, a team member finds that one bucket has a bucket policy that grants 's3:GetObject' to 'Principal': '*'. Why did the AWS Config rule not detect this?

A. AWS CloudTrail must be enabled for Config to evaluate policies.
B. The AWS Config rule only checks ACLs, not bucket policies.
C. The bucket is in a different AWS account.
D. IAM Access Analyzer must be enabled first.

Answer: B

Correct: The managed rule checks ACLs only.

Why this answer

Option B is correct. The AWS Config managed rule 's3-bucket-public-read-prohibited' checks for public read access via ACLs, not bucket policies. To detect public access granted through bucket policies, a custom rule is needed.

Option A is wrong because CloudTrail would log access, not detect compliance. Option C is wrong because SCPs are for Organizations. Option D is wrong because IAM Access Analyzer analyzes resource-based policies but does not enforce them.

229 · Multi-Select · hard

Which THREE AWS services can be used to centrally manage security across multiple accounts? (Select THREE.)

Select 3 answers
A. AWS Config
B. AWS Shield
C. AWS CloudTrail
D. Amazon GuardDuty
E. AWS Organizations

Answers: A, C, E

Config can aggregate rules and compliance across accounts.

Why this answer

AWS Config is correct because it provides a centralized view of resource configurations and compliance across multiple accounts when integrated with AWS Organizations. By enabling Config in the management account and using aggregation authorizations, you can aggregate configuration and compliance data from all member accounts into a single administrator account, enabling centralized security governance.

Exam trap

The trap here is that candidates confuse services that aggregate findings (like GuardDuty with Organizations) with services that centrally manage security policies and configurations, leading them to select GuardDuty instead of recognizing that only AWS Config, AWS CloudTrail (for centralized logging), and AWS Organizations (for policy-based governance) provide true centralized management.

230 · Multi-Select · medium

Which TWO actions should a security engineer take to protect root user credentials? (Select TWO.)

Select 2 answers
A. Use the root user only for billing
B. Share the root user credentials with the security team
C. Do not create access keys for the root user
D. Enable MFA on the root user account
E. Delete the root user account

Answers: C, D

Access keys increase risk.

Why this answer

Option C is correct because AWS strongly recommends that you do not create access keys for the root user. Access keys provide programmatic access to the AWS API, and if compromised, an attacker would have unrestricted access to all AWS resources and billing information. By not creating access keys, you eliminate this high-risk attack vector.

Exam trap

The trap here is that candidates often think the root user can be deleted or that using it only for billing is acceptable, but AWS explicitly prohibits deleting the root user and recommends using IAM users with billing permissions instead.

231 · MCQ · medium

A company wants to automatically detect and notify about any S3 buckets that have public read access. Which combination of services should be used?

A. AWS CloudTrail and AWS Lambda
B. AWS Config and Amazon EventBridge
C. AWS IAM Access Analyzer and Amazon CloudWatch
D. AWS Trusted Advisor and Amazon SES

Answer: B

Config evaluates and sends events to EventBridge, which can trigger SNS.

Why this answer

AWS Config can evaluate S3 bucket public access using managed rules, and Amazon EventBridge can trigger notifications via SNS.

232 · MCQ · hard

An IAM policy is used to grant access to an S3 bucket. The policy condition requires that objects be retrieved using AES256 encryption. However, users can still download objects without specifying encryption. What is the MOST likely reason?

A. The condition key 's3:x-amz-server-side-encryption' applies only to PUT requests, not GET requests.
B. The resource ARN should include the bucket name without the '/*' suffix.
C. The condition should use 'Null' instead of 'StringEquals'.
D. The condition should use 'aws:SecureTransport' instead.

Answer: A

For GET requests, the condition key for server-side encryption is different.

Why this answer

Option A is correct because the condition 's3:x-amz-server-side-encryption' is a request header for uploads, not downloads. For downloads, the condition should be 's3:x-amz-server-side-encryption-customer-algorithm' or similar. Option B is incorrect because the resource ARN is correct.

Option C is incorrect because the condition is not null. Option D is incorrect because S3 supports multiple encryption types.

233 · MCQ · hard

A company uses AWS Organizations with all features enabled. The security team needs to ensure that no member account can disable AWS CloudTrail logging or delete CloudTrail logs stored in S3. Which combination of preventive controls should be implemented?

A. Set up CloudWatch alarms to notify when CloudTrail is modified or logs are deleted.
B. Apply a service control policy (SCP) at the root OU to deny CloudTrail and S3 delete actions, and enable a CloudTrail organizational trail.
C. Use IAM policies in each member account to deny CloudTrail and S3 delete actions.
D. Apply an S3 bucket policy denying delete actions, and enable a CloudTrail organizational trail.

Answer: B

SCPs prevent all users including root; organizational trail prevents disabling.

Why this answer

Option B is correct because SCPs can deny actions like cloudtrail:DeleteTrail and s3:DeleteObject, and a CloudTrail organizational trail prevents member accounts from stopping logging. Option C is wrong because IAM policies do not apply to the root user. Option D is wrong because resource-based policies alone cannot prevent root user actions.

Option A is wrong because CloudWatch alarms are detective, not preventive.

234 · Multi-Select · hard

A company's security team is implementing controls to meet PCI DSS compliance. The environment includes Amazon EC2, RDS, and S3. Which THREE controls should be implemented to address logging and monitoring requirements?

Select 3 answers
A. Enable AWS Config to track resource configuration changes.
B. Enable VPC Flow Logs for all VPCs.
C. Enable AWS CloudTrail across all AWS regions.
D. Deploy Amazon CloudWatch Application Insights.
E. Enable detailed billing reports.

Answers: A, B, C

Config provides configuration history and compliance.

Why this answer

AWS Config is correct because it tracks resource configuration changes and records them as configuration items, which is essential for PCI DSS Requirement 10.5.2 that mandates logging of all actions taken by any individual with root or administrative privileges. By monitoring changes to EC2, RDS, and S3 configurations, AWS Config provides an audit trail of who made changes, what changed, and when, directly supporting logging and monitoring compliance.

Exam trap

The trap here is that candidates may confuse operational monitoring tools (like CloudWatch Application Insights) or billing tools with the specific logging and monitoring controls required by PCI DSS, which focus on audit trails of configuration changes, network traffic, and API activity.

235 · MCQ · hard

Refer to the exhibit. An IAM policy attached to a user allows s3:GetObject only from a specific IP range and denies all S3 actions if not using HTTPS. What happens when the user makes a GET request from IP 10.0.0.5 using HTTP?

A. Allowed because the IP is in the range
B. Allowed because the condition does not match
C. Denied because the Deny statement matches
D. Denied because the IP is not in the range

Answer: C

Deny overrides Allow.

Why this answer

The request is denied because the Deny statement's condition (SecureTransport: false) matches HTTP, and Deny overrides Allow. Option C is correct. Option A is wrong because an explicit Deny always overrides Allow.

Option B is wrong because the condition does match. Option D is wrong because the request is denied by the Deny statement, not because of the IP range.

236 · MCQ · hard

A company's security team needs to implement a solution to detect and alert on the creation of IAM users or roles with administrative privileges. The solution must be able to analyze historical account activity and provide real-time alerts. Which combination of AWS services should be used?

A. AWS CloudTrail and Amazon CloudWatch Logs with metric filters and alarms
B. Amazon GuardDuty and AWS Lambda
C. AWS Trusted Advisor and Amazon SES
D. AWS Config with managed rules and Amazon SNS

Answer: A

CloudTrail logs API calls, CloudWatch Logs filters events, and alarms trigger notifications.

Why this answer

AWS CloudTrail logs IAM CreateUser, CreateRole, and AttachRolePolicy events. Amazon CloudWatch Logs can filter these events and trigger alerts via CloudWatch Alarms. Option D is wrong because AWS Config evaluates current configuration but does not provide real-time alerts on API calls.

Option C is wrong because AWS Trusted Advisor is for best-practice checks, not real-time monitoring. Option B is wrong because Amazon GuardDuty focuses on threat detection, not specific IAM policy changes.

237 · MCQ · easy

A company needs to grant an IAM user permissions to start and stop specific EC2 instances. Which IAM policy element should be used to restrict actions to specific instances?

A. Resource
B. Condition
C. Principal
D. NotAction

Answer: B

Conditions like 'ec2:ResourceTag' can restrict to instances with specific tags.

Why this answer

Option B is correct because a Condition element can use 'ec2:ResourceTag' to restrict actions to instances with specific tags. Option D is wrong because 'NotAction' is for actions, not resources. Option A is wrong because 'Resource' can specify instance ARNs but cannot select instances dynamically based on tags.

Option C is wrong because 'Principal' specifies who is allowed or denied, not which resources.

238 · Multi-Select · medium

Which TWO AWS services can be used to centrally manage and audit permissions across multiple AWS accounts? (Choose two.)

Select 2 answers
A. AWS Config
B. AWS CloudTrail
C. AWS Organizations
D. AWS Single Sign-On
E. IAM Access Analyzer

Answers: C, E

Organizations centrally manages accounts and can apply SCPs to control permissions.

Why this answer

AWS Organizations provides a central view of all accounts and can apply SCPs. IAM Access Analyzer analyzes resource policies across accounts to identify public or cross-account access. AWS Config evaluates resource configurations but does not centrally manage permissions.

AWS CloudTrail logs API calls but does not manage permissions. AWS SSO manages user access but not resource permissions.

239 · MCQ · hard

A security engineer is designing a solution to monitor and remediate non-compliant resources across multiple AWS accounts. The company uses AWS Organizations and wants to enforce that any S3 bucket with public read access is automatically remediated. The solution must be centralized and scalable. Which approach should the engineer take?

A. Deploy an AWS Config conformance pack with a rule and an auto-remediation action using AWS Systems Manager Automation.
B. Create an AWS Config rule in each account and configure an Amazon CloudWatch Events rule to trigger an AWS Lambda function for remediation.
C. Use AWS Trusted Advisor to identify public buckets and manually remediate them.
D. Deploy an AWS Config conformance pack with a rule that checks for public buckets and reports non-compliance.

Answer: A

Conformance packs can include auto-remediation steps, enabling centralized scalable enforcement.

Why this answer

Option A is correct because AWS Config conformance packs allow you to deploy a collection of AWS Config rules and remediation actions across multiple accounts and Regions in AWS Organizations. By including an auto-remediation action using AWS Systems Manager Automation, the solution can automatically remediate S3 buckets with public read access in a centralized and scalable manner, without manual intervention or per-account configuration.

Exam trap

The trap here is that candidates may confuse conformance packs with simple AWS Config rules, forgetting that conformance packs can include automated remediation actions via Systems Manager Automation, while standalone rules only detect and report non-compliance.

How to eliminate wrong answers

Option B is wrong because creating an AWS Config rule in each account is not centralized; it requires manual setup per account and does not scale efficiently across many accounts. Option C is wrong because AWS Trusted Advisor only identifies public buckets and provides recommendations, but it does not support automated remediation; manual remediation is not scalable or centralized. Option D is wrong because while an AWS Config conformance pack with a rule can detect non-compliant public buckets, it only reports non-compliance and does not include an auto-remediation action, failing to meet the requirement for automatic remediation.

240 · MCQ · medium

A company uses AWS Organizations with multiple accounts and wants to ensure that all newly created S3 buckets have encryption enabled. The Security team needs a solution that automatically remediates non-compliant buckets without manual intervention. What should they do?

A. Apply a service control policy (SCP) that denies the s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption actions unless the bucket has encryption enabled.
B. Use an S3 bucket policy that denies PutObject unless the request includes the x-amz-server-side-encryption header.
C. Enable AWS Config with the s3-bucket-server-side-encryption-enabled rule and set up automatic remediation using Systems Manager Automation.
D. Create an IAM role with permissions to enforce encryption and attach it to all accounts in the organization.

Answer: A

SCPs can prevent creation of buckets that do not meet encryption requirements, providing preventive control.

Why this answer

Option A is correct because a service control policy (SCP) that denies the s3:PutBucketEncryption action unless the bucket already has encryption enabled effectively prevents creation of unencrypted buckets. SCPs operate at the AWS Organizations level and apply to all accounts, ensuring that any attempt to create or modify a bucket without encryption is denied, providing automated, organization-wide governance without manual intervention.

Exam trap

The trap here is that candidates often confuse reactive detection and remediation (like AWS Config with automation) with proactive prevention (like SCPs), and fail to realize that SCPs can enforce conditions on bucket creation itself, not just on object uploads.

How to eliminate wrong answers

Option B is wrong because an S3 bucket policy that denies PutObject unless the x-amz-server-side-encryption header is present only enforces encryption on objects uploaded to existing buckets, not on the bucket creation itself, and does not prevent creation of unencrypted buckets. Option C is wrong because AWS Config with the s3-bucket-server-side-encryption-enabled rule can detect non-compliant buckets, but automatic remediation using Systems Manager Automation requires manual setup and may not prevent creation in real time; it is reactive rather than proactive. Option D is wrong because creating an IAM role with permissions to enforce encryption and attaching it to all accounts does not automatically enforce encryption on new buckets; it only provides the capability, and users could still create buckets without encryption if they have other permissions.

241 · Multi-Select · medium

A security engineer needs to implement a solution to detect and alert on suspicious API calls in an AWS account. Which TWO AWS services should be integrated to achieve this? (Choose two.)

Select 2 answers
A. AWS Config
B. Amazon Inspector
C. AWS CloudTrail
D. AWS Trusted Advisor
E. Amazon GuardDuty

Answers: C, E

Correct: CloudTrail records API calls for analysis by GuardDuty.

Why this answer

Options C and E are correct. Amazon GuardDuty can analyze CloudTrail events to detect suspicious API calls. Option A is wrong because AWS Config evaluates configurations, not API calls.

Option B is wrong because Amazon Inspector assesses EC2 vulnerabilities. Option D is wrong because AWS Trusted Advisor provides best-practice checks.

242 · MCQ · easy

A company has a requirement that all S3 buckets must block public access. The security engineer needs to continuously monitor for compliance and automatically remediate any noncompliant buckets. Which combination of AWS services should the engineer use?

A. Amazon GuardDuty and AWS Security Hub
B. AWS Config and AWS Lambda (or SSM Automation)
C. AWS Organizations SCPs and AWS CloudTrail
D. AWS Trusted Advisor and Amazon SNS

Answer: B

Config detects noncompliant resources, and remediation actions can fix them automatically.

Why this answer

AWS Config with a managed rule (s3-bucket-public-read-prohibited or s3-bucket-public-write-prohibited) can detect noncompliant buckets, and an automatic remediation action (e.g., Lambda or SSM Automation) can apply the block public access settings. Option A is for governance, not detection. Option C is reactive and manual.

Option D is preventive but does not provide continuous monitoring.

243 · Multi-Select · medium

Which TWO actions are valid ways to enforce the principle of least privilege in an AWS environment?

Select 2 answers
A. Use the root user for daily administration
B. Use S3 bucket policies to allow all IAM users
C. Grant only the necessary actions in IAM policies
D. Use SCPs to deny actions that are not required
E. Assign the AdministratorAccess managed policy to all users

Answers: C, D

This directly applies least privilege.

Why this answer

Options C and D are correct. Option C is correct because IAM policies should grant only the minimum required permissions. Option D is correct because SCPs can restrict permissions across accounts.

Option B is wrong because S3 bucket policies are resource-based and not a direct least-privilege control for users. Option E is wrong because assigning full access is against least privilege. Option A is wrong because the root user has unrestricted access.

244 · MCQ · easy

A company wants to centralize the management of IAM users and groups for multiple AWS accounts. Which AWS service should be used to allow users to access multiple accounts with a single set of credentials?

A. AWS Organizations
B. IAM users and groups in each account
C. Amazon Cognito
D. AWS IAM Identity Center (AWS SSO)

Answer: D

Provides centralized access management across accounts.

Why this answer

Option D is correct because AWS IAM Identity Center (successor to AWS SSO) allows users to sign in once and access multiple accounts using role assignments. Option B is wrong because IAM users are per-account. Option C is wrong because Cognito is for customer-facing identity.

Option A is wrong because Organizations does not provide single sign-on.

245 · MCQ · medium

Refer to the exhibit. A security engineer runs the AWS CLI command to look up CloudTrail events. What can be concluded from the output?

A. The event name is DeleteTrail
B. The trail was deleted by user 'admin'
C. User 'admin' created a trail named 'my-trail' on Jan 15
D. The event is a read-only API call

Answer: C

The event shows CreateTrail.

Why this answer

The output shows that user 'admin' created a trail named 'my-trail' on Jan 15. Option C is correct. Option D is wrong because the event is not read-only.

Option B is wrong because the trail was created, not deleted. Option A is wrong because the event name is CreateTrail.

246 · MCQ · medium

A company uses AWS Organizations with a single management account and multiple member accounts. The security team needs to ensure that all member accounts automatically deploy AWS Config rules to audit security group configurations. Which solution meets this requirement with minimal operational overhead?

A. Configure an AWS Lambda function in each account that periodically checks security group compliance.
B. Enable AWS Security Hub and rely on its built-in security group checks.
C. Use AWS Config conformance packs deployed via AWS CloudFormation StackSets from the management account.
D. Create an AWS Config rule in each member account manually using AWS CloudFormation templates.

Answer: C

Conformance packs can be deployed across accounts using StackSets, automating rule deployment.

Why this answer

Option C is correct because AWS Config conformance packs, deployed via AWS CloudFormation StackSets from the management account, allow you to centrally deploy a collection of AWS Config rules and remediation actions across all member accounts in an AWS Organization. This approach ensures consistent security group auditing with minimal operational overhead, as StackSets automatically handle deployment, updates, and drift detection across accounts and Regions.

Exam trap

The trap here is that candidates often confuse AWS Security Hub’s ability to aggregate and visualize security findings with the ability to automatically deploy and enforce Config rules, leading them to select Option B, but Security Hub does not deploy or manage Config rules itself.

How to eliminate wrong answers

Option A is wrong because using an AWS Lambda function in each account to periodically check security group compliance introduces significant operational overhead (function maintenance, scheduling, cross-account coordination) and does not leverage AWS Config’s native, event-driven compliance evaluation. Option B is wrong because AWS Security Hub provides security posture visibility and aggregates findings, but it does not automatically deploy AWS Config rules; it relies on existing Config rules or other integrations to generate findings. Option D is wrong because manually creating an AWS Config rule in each member account using AWS CloudFormation templates requires per-account deployment and maintenance, which is not scalable and contradicts the requirement for minimal operational overhead.

247 · MCQ · hard

A company's security team is implementing a solution to automatically revoke public access to Amazon S3 buckets that become public. The solution must be serverless and use native AWS services. Which combination of services should be used?

A. Amazon S3 event notifications on ObjectCreated events to invoke a Lambda function
B. Amazon EventBridge (CloudWatch Events) to detect PutBucketPolicy events and invoke an AWS Lambda function to remove the policy
C. Amazon CloudWatch Logs with a metric filter and alarm to trigger an SNS notification
D. AWS Config with managed rule 's3-bucket-public-read-prohibited' and auto-remediation via Systems Manager

Answer: B

EventBridge captures API calls from CloudTrail and triggers Lambda to revert the public policy.

Why this answer

Amazon EventBridge can detect S3 bucket policy changes via CloudTrail and trigger a Lambda function to remediate. Option D is wrong because AWS Config can detect but cannot automatically remediate without Lambda. Option A is wrong because S3 event notifications fire only on object-level events, not bucket policy changes.

Option C is wrong because CloudWatch Logs alone cannot trigger remediation.

248 · Multi-Select · easy

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple AWS accounts? (Select TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS Organizations
C. Amazon GuardDuty
D. AWS IAM
E. AWS Config

Answers: B, E

Enables central management of policies via SCPs.

Why this answer

Options B and E are correct. AWS Organizations allows you to centrally manage policies (SCPs) across accounts. AWS Config allows you to create rules that enforce compliance across accounts.

Option D is wrong because IAM is per-account. Option A is wrong because AWS CloudTrail is for auditing, not enforcement. Option C is wrong because Amazon GuardDuty is for threat detection.

249 · MCQ · easy

A security engineer needs to grant an EC2 instance access to an S3 bucket without storing long-term credentials on the instance. Which approach should the engineer use?

A. Generate an access key and secret key for an IAM user and store them on the EC2 instance.
B. Use an SCP to allow the EC2 instance to access the S3 bucket.
C. Store the credentials in the AMI used to launch the instance.
D. Create an IAM role with the required permissions and attach it to the EC2 instance as an instance profile.

Answer: D

Provides temporary credentials via the instance metadata service.

Why this answer

Option D is correct because an IAM role with an instance profile allows the EC2 instance to obtain temporary credentials. Option A is wrong because access keys are long-term credentials. Option C is wrong because storing keys in the AMI is insecure.

Option B is wrong because an SCP is for organization-wide policies, not for individual EC2 instances.

250 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account can disable Amazon GuardDuty. Which SCP should be applied?

A. Deny action: guardduty:StopMonitoringMembers
B. Deny action: guardduty:DisableGuardDuty
C. Deny action: guardduty:UpdateDetector
D. Deny action: guardduty:DeleteDetector

Answer: A

This prevents member accounts from disabling GuardDuty monitoring by the administrator.

Why this answer

SCPs can deny specific actions. The correct SCP denies the guardduty:StopMonitoringMembers action.

251 · MCQ · hard

A security engineer is auditing the AWS Organizations structure. The engineer notices that the 'Management' account (111111111111) has a status of 'ACTIVE' and joined method 'CREATED'. The engineer is concerned about potential security risks. Which action should the engineer take to improve security?

A. Remove the management account from the organization.
B. Delete the management account and create a new one.
C. Create a new root user for the management account and delete the old one.
D. Enable multi-factor authentication (MFA) for the root user of the management account.

Answer: D

MFA protects the root user of the management account.

Why this answer

Option D is correct because the root user of the management account should have MFA enabled to protect the account that can modify SCPs and manage other accounts. Option A is wrong because removing the management account from the organization is not possible. Option B is wrong because deleting the management account is not possible.

Option C is wrong because the root user cannot be deleted.

252 · MCQ · easy

A security engineer needs to generate a report of all AWS Identity and Access Management (IAM) users who have not used their access keys in the last 90 days. Which AWS service can provide this information?

A. AWS IAM Credentials Report
B. AWS CloudTrail
C. Amazon GuardDuty
D. AWS Config

Answer: A

Correct: The IAM Credentials Report includes last used timestamps.

Why this answer

Option A is correct because the AWS IAM Credentials Report provides a CSV file with details about IAM users, including last-activity dates. Option B is wrong because AWS CloudTrail logs API calls but does not provide a summary report. Option D is wrong because AWS Config evaluates configurations, not usage.

Option C is wrong because Amazon GuardDuty does not track IAM key usage.

253 · MCQ · easy

A company needs to audit all changes to IAM policies in their AWS account for compliance. Which AWS service should be enabled to record the API calls that modify IAM policies?

A. Amazon CloudWatch Logs
B. AWS Config
C. AWS CloudTrail
D. VPC Flow Logs

Answer: C

Records API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API calls, including IAM policy changes. Option B is incorrect because AWS Config records resource configurations but not API call history. Option D is incorrect because VPC Flow Logs capture network traffic.

Option A is incorrect because CloudWatch Logs stores logs but does not capture API calls directly.

254 · MCQ · medium

The exhibit shows an SCP attached to an organizational unit. What is the effect of this policy?

A. It allows s3:PutBucketPolicy only if the bucket ACL is set to bucket-owner-full-control.
B. It denies all s3:PutBucketPolicy actions on all buckets.
C. It denies s3:PutBucketPolicy for any bucket that does not have an ACL.
D. It allows s3:PutBucketPolicy for buckets owned by the management account.

Answer: A

The Deny is conditional; if the condition is not met (i.e., ACL is correct), the action is allowed.

Why this answer

The SCP denies s3:PutBucketPolicy only when the bucket ACL is not set to 'bucket-owner-full-control'. If the ACL is set to that value, the action is allowed. Thus, it ensures that when a bucket policy is created, the ACL must grant full control to the bucket owner.

It does not deny all PutBucketPolicy actions.

255
MCQ · easy

A security engineer needs to audit all IAM role creations across an AWS account. Which AWS service should be used to log these API calls?

A. Amazon GuardDuty
B. AWS Config
C. Amazon CloudWatch Logs
D. AWS CloudTrail
Answer: D

Correct: CloudTrail logs all API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API calls, including IAM role creation. Option B is wrong because AWS Config records resource configuration changes but not API call details. Option A is wrong because Amazon GuardDuty focuses on threat detection.

Option C is wrong because Amazon CloudWatch Logs stores logs but does not capture API calls directly.

256
MCQ · medium

A company wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which policy should be attached to the IAM users or group to enforce this requirement?

A. Allow access if MFA is present
B. Deny access if MFA is not present
C. Deny access if MFA is present
D. Grant access with a condition requiring MFA
Answer: B

This explicitly denies access when MFA is not used, enforcing MFA.

Why this answer

Option B is correct because the condition 'aws:MultiFactorAuthPresent':'true' in a Deny statement ensures that if MFA is not present, access is denied. Option A is wrong because it allows access without MFA. Option C is wrong because it only denies when MFA is present.

Option D is wrong because it allows access with MFA but does not deny without it.

257
MCQ · medium

A company wants to use AWS CloudTrail to log all API activity across multiple accounts in AWS Organizations. Which configuration meets the requirement of centralized logging with minimal operational overhead?

A. Create a CloudTrail trail in each account and aggregate logs to a common S3 bucket
B. Enable CloudTrail in each account and use cross-account roles to centralize logs
C. Use AWS Config to record API calls and send to CloudWatch Logs
D. Create an organization trail in the management account that applies to all accounts
Answer: D

Organization trails automatically apply to all accounts.

Why this answer

Option D is correct because creating an organization trail in the management account automatically applies to all accounts in AWS Organizations, centralizing CloudTrail logs into a single S3 bucket without requiring per-account configuration. This approach minimizes operational overhead by leveraging the Organizations integration, which handles log delivery from member accounts transparently.

Exam trap

The trap here is that candidates often think they need to manually configure trails per account or use cross-account roles, missing the fact that AWS Organizations provides a native, low-overhead solution through organization trails that automatically centralize logging.

How to eliminate wrong answers

Option A is wrong because creating a trail in each account and aggregating logs to a common S3 bucket requires manual setup and maintenance per account, increasing operational overhead and risking inconsistent configurations. Option B is wrong because enabling CloudTrail in each account and using cross-account roles to centralize logs adds complexity with IAM role management and does not provide the automatic, unified logging that an organization trail offers. Option C is wrong because AWS Config records resource configuration changes, not API calls; it cannot replace CloudTrail for logging API activity, and sending to CloudWatch Logs does not centralize logs across accounts.

258
Multi-Select · hard

A company uses AWS Organizations with 50 accounts. The security team wants to centrally manage IAM roles that grant cross-account access to a central security account. Which THREE steps are required to set up this cross-account access?

Select 3 answers
A. Create an IAM group in the security account with permissions to assume roles in member accounts.
B. Enable AWS Organizations trusted access with AWS IAM Access Analyzer.
C. Create an IAM role in each member account with a trust policy that allows the security account to assume the role.
D. Apply an SCP to the member accounts that denies iam:PassRole for the roles.
E. Create an IAM user or role in the security account with an IAM policy that allows sts:AssumeRole to the member account roles.
Answers: C, D, E

This establishes the trust relationship for cross-account access.

Why this answer

The correct approach is to create an IAM role in each member account with a trust policy that allows the security account to assume it (Option C), create an IAM user or role in the security account with an IAM policy that allows sts:AssumeRole on those member-account roles (Option E), and apply an SCP to prevent member accounts from modifying the trust policy (Option D). Option B is not needed because AWS Organizations trusted access with IAM Access Analyzer can be used but is not required. Option A is not necessary.

259
Multi-Select · easy

Which TWO AWS services can be used to enforce that Amazon S3 buckets are not publicly accessible? (Choose two.)

Select 2 answers
A. IAM Access Analyzer
B. AWS CloudTrail
C. AWS Organizations service control policies (SCPs)
D. Amazon Macie
E. AWS Config
Answers: C, E

SCPs can deny PutBucketPolicy that grants public access.

Why this answer

AWS Config can evaluate bucket policies against a rule and trigger remediation. SCPs in AWS Organizations can deny actions that make buckets public. AWS CloudTrail only logs.

IAM Access Analyzer identifies public access but does not enforce. Amazon Macie discovers sensitive data.

260
MCQ · easy

A company wants to run a security assessment that checks for vulnerabilities in an EC2 instance. Which AWS service should be used?

A. Amazon Inspector
B. AWS WAF
C. Amazon GuardDuty
D. AWS Shield Advanced
Answer: A

Automated vulnerability management service for EC2 and container workloads.

Why this answer

Amazon Inspector automatically assesses EC2 instances for vulnerabilities and network exposure.

261
Multi-Select · medium

Which TWO actions are effective for detecting and responding to unauthorized access in an AWS environment? (Choose two.)

Select 2 answers
A. Enable AWS CloudTrail and monitor logs for suspicious activity.
B. Deploy Amazon GuardDuty to analyze CloudTrail logs and VPC Flow Logs for threats.
C. Use AWS Security Hub to automatically block suspicious IP addresses.
D. Enable VPC Flow Logs to capture all network traffic.
E. Enable IAM Access Analyzer to detect unauthorized access attempts.
Answers: A, B

CloudTrail provides audit logs of API calls.

Why this answer

AWS CloudTrail records all API activity in your AWS environment, including management and data plane events. By enabling CloudTrail and monitoring its logs for suspicious activity (e.g., unusual API calls, failed authentication attempts, or access from unexpected IP addresses), you can detect unauthorized access. This is a foundational detective control that provides the audit trail necessary for incident response.

Exam trap

The trap here is that candidates often confuse detection services (like GuardDuty and CloudTrail) with automated remediation services (like AWS WAF or Lambda-based blocking), leading them to incorrectly select Security Hub as a blocking mechanism or IAM Access Analyzer as a real-time detection tool.

262
MCQ · medium

A company wants to grant cross-account access to an S3 bucket. What is the best practice for managing permissions?

A. Use an IAM role in the target account
B. Use S3 ACLs with the other account ID
C. Use an S3 bucket policy that grants access to the other account
D. Use an SCP to allow access
Answer: C

Bucket policy can grant cross-account access directly.

Why this answer

Option C is correct because an S3 bucket policy can explicitly grant cross-account access by specifying the other AWS account ID as the principal in the policy's Principal element. This allows the bucket owner to centrally manage permissions without requiring the target account to create an IAM role, and it works seamlessly with IAM user or role permissions in the external account. It is the recommended best practice for cross-account S3 access as per AWS documentation.

Exam trap

The trap here is that candidates often confuse cross-account access patterns and incorrectly choose IAM roles (Option A) because they think roles are always the best practice, but for S3 buckets, a bucket policy is simpler and more direct for granting access to an entire account.

How to eliminate wrong answers

Option A is wrong because using an IAM role in the target account requires the external account to assume that role, which is a cross-account access pattern but not the best practice for granting direct access to an S3 bucket; it adds unnecessary complexity and does not leverage the bucket's native policy. Option B is wrong because S3 ACLs are legacy and do not support cross-account access for objects in buckets with default encryption or when bucket policies are used; they also lack the granularity and auditability of bucket policies. Option D is wrong because SCPs (Service Control Policies) are used to restrict permissions across accounts in an AWS Organization, not to grant cross-account access to specific resources like an S3 bucket.
