CCNA Infrastructure Security Questions

75 of 328 questions · Page 4/5 · Infrastructure Security topic

226 · Multi-Select · medium

Which TWO of the following are valid ways to control inbound traffic to an EC2 instance? (Select TWO.)

Select 2 answers
A.Network ACLs
B.IAM policies
C.Amazon CloudWatch alarms
D.AWS Key Management Service (KMS)
E.Security groups
Answers: A, E

Security groups are stateful firewalls at the instance (ENI) level; NACLs are stateless firewalls at the subnet level.

Why this answer

Options A and E are correct: security groups are stateful, instance-level firewalls, and network ACLs are stateless, subnet-level filters, and both sit directly in the inbound path to the instance. Option B is wrong because IAM policies authorize API calls and never filter network packets. Option C is wrong because CloudWatch alarms observe metrics; they can trigger automation but do not themselves control traffic.

Option D is wrong because KMS manages encryption keys and plays no part in network access control.

227 · MCQ · hard

A company is designing a VPC with public and private subnets. The application servers in the private subnets need to download patches from the internet. Which architecture provides the highest security while allowing internet access?

A.Place a NAT Gateway in the public subnet and configure the private subnet route table to send 0.0.0.0/0 traffic to the NAT Gateway
B.Create a VPC endpoint for Amazon S3 and route traffic through it
C.Attach an internet gateway to the private subnet and configure the route table to send 0.0.0.0/0 traffic to the internet gateway
D.Place a bastion host in the public subnet and configure the private instances to route internet traffic through it
Answer: A

A NAT Gateway enables outbound internet access from private subnets while refusing unsolicited inbound connections.

Why this answer

Option A is correct because a NAT Gateway in a public subnet, with the private route table sending 0.0.0.0/0 to it, lets private instances initiate outbound connections while the gateway accepts no inbound connections. Option C is wrong because an internet gateway attaches to the VPC, not to a subnet, and a 0.0.0.0/0 route to it would make the subnet public and reachable from the internet. Option D is wrong because a bastion host is for administrative (SSH) access into the private subnet, not a forwarding path for outbound traffic.

Option B is wrong because a gateway endpoint for S3 gives private connectivity to S3 only, not to internet patch repositories. Note that "highest security" still depends on what leaves through the NAT: restrict the instances' security-group egress to the patch mirrors on port 443, because a NAT Gateway forwards any outbound destination and filters nothing.

228 · MCQ · hard

A company uses an AWS Transit Gateway to connect multiple VPCs and on-premises networks. A security engineer needs to ensure that traffic between VPCs is inspected by a third-party firewall appliance. Which architecture should be used?

A.Configure security groups on the transit gateway to inspect traffic.
B.Create VPC endpoints for each VPC to route traffic through the firewall.
C.Attach the firewall appliance to a dedicated inspection VPC and route traffic from other VPCs through the inspection VPC using transit gateway route tables.
D.Use network ACLs on the transit gateway to filter traffic.
Answer: C

Routing inter-VPC traffic through a dedicated inspection VPC is the standard architecture for centralized inspection with a transit gateway.

Why this answer

Option C is correct: attach the firewall appliance in a dedicated inspection VPC and use transit gateway route tables so that traffic from the spoke VPCs is forwarded to the inspection VPC attachment before it reaches its destination; the spoke route table defaults to the inspection attachment and the inspection VPC's route table holds the routes back to the spokes. Enable appliance mode on the inspection VPC attachment so both directions of a flow traverse the same Availability Zone and the stateful firewall sees the whole session. Option A is wrong because a transit gateway has no security groups; security groups attach to elastic network interfaces. Option D is wrong because network ACLs apply to subnets within a VPC, not to a transit gateway.

Option B is wrong because VPC endpoints provide private access to AWS services (or endpoint services), not a way to steer inter-VPC traffic through a firewall.

229 · MCQ · easy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service provides a managed, highly available, and scalable solution for this requirement?

A.NAT instance in a public subnet
B.Internet Gateway attached to the VPC
C.NAT Gateway in a public subnet
D.AWS Site-to-Site VPN connection
Answer: C

A NAT Gateway is AWS-managed, scales automatically, and is highly available within its Availability Zone.

Why this answer

Option C is correct because a NAT Gateway provides outbound internet access for instances in private subnets and is managed by AWS. Option A is wrong because a NAT instance is a self-managed EC2 instance whose patching, sizing and failover are your responsibility. Option B is wrong because an Internet Gateway serves public subnets and provides no address translation for private instances.

Option D is wrong because a Site-to-Site VPN is for hybrid connectivity to on-premises networks, not internet access. For resilience, deploy one NAT Gateway per Availability Zone and point each zone's private route table at its local gateway.

230 · Multi-Select · medium

A company wants to implement a defense-in-depth strategy for its web application running on EC2 instances. Which TWO AWS services should be used to provide both network and application-layer protection?

Select 2 answers
A.Amazon GuardDuty
B.AWS WAF
C.Security Groups
D.AWS Shield Advanced
E.Network ACLs
Answers: B, C

AWS WAF provides application-layer protection; security groups provide network-layer filtering.

Why this answer

Options B and C are correct. AWS WAF inspects HTTP(S) requests and blocks application-layer attacks such as SQL injection and cross-site scripting, and security groups act as a stateful virtual firewall at the network layer. Option E is wrong because network ACLs are also network-layer but stateless and less granular, so they add little beyond security groups here.

Option A is wrong because GuardDuty is a threat detection service, not an inline control. Option D is wrong because Shield Advanced provides DDoS protection but is not a firewall.

231 · Multi-Select · hard

A company wants to restrict access to an RDS database to only EC2 instances that have a specific tag 'Environment: Production'. Which TWO steps should be taken?

Select 2 answers
A.Attach an IAM policy to the EC2 instance role that allows rds:Connect only if the request originates from the VPC Endpoint.
B.Create a resource-based policy on the RDS instance.
C.Use the RDS instance's security group to allow traffic only from the EC2 instance's security group.
D.Create a security group rule that references the EC2 instance's security group.
E.Create a VPC Endpoint for RDS and attach an IAM policy that uses the condition 'ec2:ResourceTag/Environment' : 'Production'.
Answers: A, E

The endpoint policy with a tag condition carries the tag requirement; security groups cannot express it.

Why this answer

Options A and E are the intended answers: a tag requirement can only be expressed in IAM, so the VPC endpoint policy uses the ec2:ResourceTag/Environment condition key and the instance role is limited to connecting through that endpoint. Options C and D are wrong because security group rules can reference IP ranges, prefix lists or other security groups, but never an instance tag. Option B is wrong because RDS instances do not have resource-based policies.

Practitioner caveat: IAM conditions are only evaluated for IAM-authenticated calls, so this design presumes IAM database authentication (the rds-db:connect action) on the DB instance. A plain username/password connection on TCP 3306 is governed only by security groups and the database's own grants, and a tag on the instance does not travel with it.

232 · Multi-Select · medium

A company is using AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all S3 buckets created by CloudFormation are encrypted at rest. Which THREE configuration steps should be taken?

Select 3 answers
A.Create an AWS Config rule to check for unencrypted S3 buckets.
B.Use a CloudFormation stack policy to prevent updates that remove encryption.
C.Create a service control policy (SCP) that denies creation of S3 buckets without encryption.
D.In the CloudFormation template, specify the BucketEncryption property for each S3 bucket.
E.Create an IAM role that only allows creation of encrypted buckets.
Answers: A, C, D

Config detects non-compliance, the SCP prevents it, and the template sets the property.

Why this answer

Options A, C, and D are correct. An AWS Config rule (for example the managed rule s3-bucket-server-side-encryption-enabled) detects buckets without default encryption, a service control policy denies the non-compliant action organization-wide, and the CloudFormation template declares the BucketEncryption property so every bucket is created encrypted. Option E is wrong because an IAM role grants permissions; it cannot inspect a bucket's encryption configuration. Option B is wrong because a stack policy only restricts which stack resources an update may modify; it does not validate the bucket's properties.

Practitioner caveat: CreateBucket carries no encryption parameter, so an SCP cannot literally deny "creation without encryption". The enforceable denies are on s3:PutObject requests whose s3:x-amz-server-side-encryption condition key is missing or names the wrong method, and on s3:PutEncryptionConfiguration. Since January 2023 S3 applies SSE-S3 to all new objects by default, so these controls now mostly serve to mandate a specific KMS key.

233 · MCQ · medium

A company uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances in private subnets. The security team wants to ensure that only the ALB can communicate with the EC2 instances. Which security group configuration should be applied to the EC2 instances?

A.Allow inbound HTTP traffic from the EC2 instances' own security group
B.Allow inbound HTTP traffic from 0.0.0.0/0
C.Allow inbound HTTP traffic from the VPC CIDR block
D.Allow inbound HTTP traffic from the ALB's security group
Answer: D

Referencing the ALB's security group ensures that only the ALB can initiate connections to the instances.

Why this answer

Option D is correct because referencing the ALB's security group as the source allows only traffic originating from the ALB's network interfaces, regardless of which IP addresses the ALB is using at the moment. Option C is wrong because the VPC CIDR block admits every other resource in the VPC, not just the ALB. Option B is wrong because it allows HTTP from anywhere, bypassing the ALB entirely.

Option A is wrong because a self-referencing rule admits any instance in that group, which is the wrong trust boundary here; self-references are legitimate only for members of the same tier that must talk to each other.

234 · MCQ · hard

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet with a default security group that allows all outbound traffic. The instance needs to download files from an S3 bucket in the same region. Which configuration allows this without internet access?

A.Set up an AWS Direct Connect connection to the S3 bucket.
B.Create a VPC gateway endpoint for S3 and add a route to the private subnet's route table.
C.Attach an internet gateway to the VPC and add a route to the private subnet.
D.Create a NAT gateway in the public subnet and add a route to the private subnet's route table.
Answer: B

A gateway endpoint provides private access to S3 over the AWS network.

Why this answer

Option B is correct: a VPC gateway endpoint for S3 adds a route (via the S3 prefix list) to the private subnet's route table, so S3 traffic never leaves the AWS network and no internet path is required. Option D is wrong because a NAT gateway sends the traffic out to the public S3 endpoints via the internet. Option C is wrong because an internet gateway makes the subnet public and exposes the instance.

Option A is wrong because Direct Connect links on-premises networks to AWS; it is not how an instance reaches S3. To keep the endpoint from becoming an exfiltration path, attach an endpoint policy scoped to the required buckets and add an aws:SourceVpce condition to the bucket policy.

235 · MCQ · easy

A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?

A.Allow inbound HTTP/HTTPS from the internet gateway.
B.Allow inbound HTTP/HTTPS from the security group of the ALB.
C.Allow inbound HTTP/HTTPS from 0.0.0.0/0.
D.Allow inbound HTTP/HTTPS from the VPC CIDR.
Answer: B

This restricts inbound traffic to the ALB only.

Why this answer

Option B is correct because the security group should allow HTTP/HTTPS only from the ALB's security group, which is least privilege for instances behind a load balancer. Option C is wrong because allowing 0.0.0.0/0 exposes the instances to direct traffic that bypasses the ALB. Option D is wrong because the VPC CIDR admits every resource in the VPC, not just the ALB.

Option A is wrong because an internet gateway is not a valid source for a security group rule; rules reference CIDRs, prefix lists or security groups, and the instances are in a private subnet that the internet gateway does not serve.

236 · MCQ · easy

Which of the following is a best practice for securing an AWS account root user?

A.Create access keys for the root user and use them for API calls.
B.Enable multi-factor authentication (MFA) and avoid using the root user.
C.Use the root user for daily administrative tasks.
D.Share the root user password with the IT team for emergency access.
Answer: B

MFA protects the root user, which should not be used for routine work.

Why this answer

Option B is correct because the AWS root user has unrestricted access to all AWS resources and services, making it a high-value target. Enabling multi-factor authentication (MFA) adds an extra layer of security beyond the password, and AWS best practices dictate that the root user should only be used for a limited set of tasks (e.g., changing account settings) and never for daily operations. This minimizes the attack surface and reduces the risk of compromise.

Exam trap

The trap here is that candidates may think the root user is necessary for daily administration or that sharing credentials is acceptable for emergencies; AWS guidance rules out both in favor of IAM roles, with the MFA-protected root user reserved for account-level changes.

How to eliminate wrong answers

Option A is wrong because creating access keys for the root user violates AWS security best practices; root user access keys are long-lived credentials with unrestricted access that cannot be limited by IAM policies, and AWS recommends never creating them, let alone using them for API calls. Option C is wrong because using the root user for daily administrative tasks exposes the account to unnecessary risk; IAM roles (or IAM Identity Center users) with appropriate permissions should be used for routine operations. Option D is wrong because sharing the root user password with the IT team undermines accountability and security; emergency access should go through IAM roles with a break-glass procedure, not by distributing the root password.

237 · MCQ · easy

A company is using AWS Systems Manager Session Manager to provide secure shell access to EC2 instances without opening inbound ports. Which of the following is a requirement for this setup?

A.The EC2 instance must have an IAM role that allows SSM actions.
B.The EC2 instance must be in a public subnet.
C.The EC2 instance must have a public IP address.
D.The security group must allow inbound SSH from 0.0.0.0/0.
Answer: A

The SSM Agent uses the instance role to communicate with Systems Manager.

Why this answer

Option A is correct. Session Manager requires the SSM Agent on the instance and an instance profile whose role allows the agent to talk to Systems Manager (the AmazonSSMManagedInstanceCore managed policy covers this). Option B is not required: the instance can sit in a private subnet as long as it can reach the ssm, ssmmessages and ec2messages endpoints through a NAT gateway or interface VPC endpoints. Option C is not required; the agent initiates the connection outbound, so no public IP is needed.

Option D is not required and contradicts the point of Session Manager: no inbound SSH rule is needed, so the security group can allow no inbound traffic at all.

238 · MCQ · medium

A company needs to securely store database credentials used by a Lambda function. The credentials must be automatically rotated. Which service should be used?

A.AWS Identity and Access Management (IAM)
B.AWS Key Management Service (KMS)
C.AWS Systems Manager Parameter Store
D.AWS Secrets Manager
Answer: D

Secrets Manager supports automatic rotation of database credentials.

Why this answer

AWS Secrets Manager supports automatic rotation of credentials for RDS and other databases through a rotation Lambda function on a schedule. Systems Manager Parameter Store can store secrets as SecureString parameters but does not rotate them natively; rotation would need custom automation. KMS manages encryption keys, not credentials.

IAM is not a store for secrets.

239 · MCQ · medium

An organization uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets have server-side encryption enabled. Which approach would enforce this across all accounts?

A.Create IAM roles in each account to enforce encryption.
B.Apply an S3 bucket policy to each bucket requiring encryption.
C.Apply a Service Control Policy that denies PutBucketPolicy or PutBucketEncryption without encryption.
D.Use AWS Config rules to detect unencrypted buckets.
Answer: C

SCPs centrally prevent noncompliant actions across every account in the organization.

Why this answer

Option C is correct because a service control policy applies to every account in the organization and can deny the S3 API actions that would leave a bucket unencrypted, so no account administrator can bypass it. Option D is wrong because AWS Config is detective: it reports unencrypted buckets after the fact rather than preventing them. Option A is wrong because IAM roles are created per account, can be changed by account administrators, and only grant permissions rather than impose a guardrail.

Option B is wrong because bucket policies are per bucket and must be attached to each new bucket, so they cannot enforce a standard centrally. In practice the deny is written against s3:PutEncryptionConfiguration (the IAM action behind PutBucketEncryption and DeleteBucketEncryption) and against s3:PutObject requests whose s3:x-amz-server-side-encryption header is missing or names the wrong method.

240 · MCQ · easy

A company wants to allow an EC2 instance in a VPC to download patches from the internet but block all other outbound traffic. Which configuration should be used?

A.Place a NAT Gateway in a public subnet and route the EC2 instance's traffic through it
B.Use a Virtual Private Gateway and connect to a VPN
C.Attach an Internet Gateway and add a route 0.0.0.0/0 to the EC2 instance's route table
D.Use a VPC Peering connection to an external VPC with internet access
Answer: A

A NAT Gateway enables outbound-only internet access; the "all other outbound" restriction comes from the instance's security group.

Why this answer

Option A is correct because a NAT Gateway in a public subnet allows the instance to initiate outbound connections while rejecting unsolicited inbound ones. Option C is wrong because a route to an Internet Gateway from the instance's own subnet would make the instance publicly reachable (and it would need a public IP). Option B is wrong because a VPN through a virtual private gateway provides connectivity to an on-premises network, not to the internet.

Option D is wrong because VPC peering is not transitive and does not carry internet traffic through the peer's internet gateway. To block everything other than patch traffic, restrict the instance's security-group outbound rules (and, if needed, the NACL) to the patch repositories on port 443; the NAT Gateway itself does not filter destinations.

241 · MCQ · easy

A company uses Amazon S3 to store sensitive data. The security team wants to ensure that all objects are encrypted at rest. Which feature should they enable on the S3 bucket?

A.Versioning
B.Server access logging
C.Cross-Region Replication
D.Default encryption
Answer: D

Default encryption automatically encrypts every new object when it is stored.

Why this answer

Option D is correct: S3 default encryption applies server-side encryption (SSE-S3, or SSE-KMS with a chosen key) to every new object written to the bucket. Option A is wrong because versioning preserves object versions. Option B is wrong because server access logging records requests.

Option C is wrong because Cross-Region Replication copies objects to another Region. S3 has encrypted all new objects with SSE-S3 by default since January 2023, so configuring default encryption today mainly matters when a specific KMS key must be used; objects written before that date are not retroactively encrypted.

242 · MCQ · hard

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts have AWS CloudTrail enabled in all regions. Which approach should be used?

A.Create an SCP that requires CloudTrail to be enabled.
B.Enable CloudTrail in each account using a cross-account IAM role.
C.Use AWS Config rules to detect non-compliant accounts and automatically enable CloudTrail.
D.Enable AWS CloudTrail from the master account as an organization trail.
Answer: D

An organization trail automatically applies to every account in the organization.

Why this answer

Option D is correct because a CloudTrail organization trail, created from the management account (called the master account in the option text), logs events for all current and future member accounts in all Regions, and member accounts cannot modify or delete it. Option A is wrong because SCPs cannot enable a service; they only permit or deny actions (an SCP is still a useful companion that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail). Option C is wrong because AWS Config rules are detective; remediation would require extra automation in every account.

Option B is wrong because manually enabling a trail in each account does not scale and new accounts can be missed.

243 · MCQ · easy

A startup is building a web application on AWS. They have an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. They want to protect the application from common web exploits like SQL injection and cross-site scripting. They also need to allow only traffic from certain geographic regions. Which AWS service should they use to achieve these requirements?

A.AWS WAF
B.AWS Shield Advanced
C.Security groups on the ALB
D.Network ACLs on the ALB subnets
Answer: A

AWS WAF can block SQL injection and XSS patterns and apply geo-match rules.

Why this answer

Option A is correct because AWS WAF inspects HTTP(S) requests at the ALB and can block SQL injection and cross-site scripting (via managed rule groups or custom match statements) as well as filter by country with a geo-match statement. Option B is wrong because Shield Advanced is for DDoS protection. Option D is wrong because network ACLs are stateless IP/port filters that cannot inspect the application layer.

Option C is wrong because security groups are stateful but also operate only on IP, protocol and port, with no visibility into request content.

244 · MCQ · hard

A company is running a critical web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application serves traffic on port 443. The security team has implemented a security group for the ALB that allows inbound HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic from the ALB security group on port 8080. The application works correctly. However, the security team wants to add an additional layer of defense by implementing a web application firewall (WAF) to block common web exploits. The team also wants to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) can access the application for administrative purposes on a separate path. The team has enabled AWS WAF on the ALB and associated a web ACL. They have also created a rule to allow traffic from the corporate IP range and block all other traffic. After deploying these changes, external users (not from corporate IP) cannot access the application at all. The company wants external users to be able to access the main application, but only corporate IPs should access the admin path. What should the security engineer do to fix the issue?

A.Configure the security group of the ALB to allow only corporate IPs.
B.Create two separate ALBs, one for admin traffic and one for main traffic.
C.Remove the WAF rule that blocks all non-corporate traffic and rely on security groups.
D.Modify the WAF rule to allow traffic from the corporate IP range on the admin path and allow all traffic on the main application path.
Answer: D

This allows external users on the main path while restricting the admin path to corporate IPs.

Why this answer

Option D is correct: the web ACL should block only requests whose path is the admin path and whose source is not in the corporate IP set, and let everything else fall through to a default action of Allow. The current rule blocks all non-corporate traffic regardless of path, which is why external users are locked out. Option A is wrong because tightening the ALB security group to corporate IPs would lock external users out at the network layer as well. Option B is wrong because a second ALB is unnecessary and does not by itself restrict the admin path.

Option C is wrong because dropping the rule and relying on security groups is too permissive: security groups cannot see URL paths, so the admin path would be open to everyone.
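The fix in option D, as an added example that is not part of the question bank: two web ACLs are written in the shape of the AWS WAFv2 JSON model (Rules with Priority, Statement and Action, plus a DefaultAction), and a small evaluator applies them the way WAF does, in priority order with the first Allow or Block terminating and the DefaultAction applying when nothing matched. The IP set ARN, the /admin path prefix and the evaluator itself are assumptions; the corporate range 203.0.113.0/24 is from the question, and only the statement types the example needs are modelled.

```python
"""Web ACL evaluation for question 244 (added example, not AWS code)."""
import ipaddress

# Constructed IP set; a real ARN is returned by CreateIPSet.
CORPORATE_IPSET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
                       "corporate/00000000-0000-0000-0000-000000000000")
IP_SETS = {CORPORATE_IPSET_ARN: ["203.0.113.0/24"]}

# What the team deployed: allow corporate, block everybody else, on every path.
BROKEN_WEB_ACL = {
    "DefaultAction": {"Block": {}},
    "Rules": [{
        "Name": "AllowCorporate", "Priority": 0, "Action": {"Allow": {}},
        "Statement": {"IPSetReferenceStatement": {"ARN": CORPORATE_IPSET_ARN}},
    }],
}

# Option D: block only non-corporate requests to the admin path; allow the rest.
FIXED_WEB_ACL = {
    "DefaultAction": {"Allow": {}},
    "Rules": [{
        "Name": "AdminPathCorporateOnly", "Priority": 0, "Action": {"Block": {}},
        "Statement": {"AndStatement": {"Statements": [
            {"ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": "/admin",
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            }},
            {"NotStatement": {"Statement": {
                "IPSetReferenceStatement": {"ARN": CORPORATE_IPSET_ARN}}}},
        ]}},
    }],
}


def _matches(statement: dict, request: dict) -> bool:
    """Evaluate one WAF statement against {"source_ip": ..., "path": ...}."""
    ((kind, body),) = statement.items()
    if kind == "IPSetReferenceStatement":
        ip = ipaddress.ip_address(request["source_ip"])
        return any(ip in ipaddress.ip_network(c) for c in IP_SETS[body["ARN"]])
    if kind == "ByteMatchStatement":
        if "UriPath" not in body["FieldToMatch"]:
            raise NotImplementedError("only UriPath is modelled here")
        value = request["path"]
        for t in sorted(body.get("TextTransformations", []), key=lambda t: t["Priority"]):
            if t["Type"] != "LOWERCASE":
                raise NotImplementedError(t["Type"])
            value = value.lower()
        if body["PositionalConstraint"] == "STARTS_WITH":
            return value.startswith(body["SearchString"])
        raise NotImplementedError(body["PositionalConstraint"])
    if kind == "NotStatement":
        return not _matches(body["Statement"], request)
    if kind == "AndStatement":
        return all(_matches(s, request) for s in body["Statements"])
    if kind == "OrStatement":
        return any(_matches(s, request) for s in body["Statements"])
    raise NotImplementedError(kind)


def evaluate_web_acl(web_acl: dict, source_ip: str, path: str) -> str:
    """Return "Allow" or "Block": first terminating rule wins, else DefaultAction."""
    request = {"source_ip": source_ip, "path": path}
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], request):
            (action,) = rule["Action"]
            if action in ("Allow", "Block"):
                return action
            # "Count" only records the match; evaluation continues.
    (default,) = web_acl["DefaultAction"]
    return default


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_WEB_ACL), ("fixed", FIXED_WEB_ACL)):
        for ip, path in (("198.51.100.5", "/"), ("198.51.100.5", "/admin/users"),
                         ("203.0.113.7", "/admin/users")):
            print(f"{name:6} {ip:13} {path:12} -> {evaluate_web_acl(acl, ip, path)}")
```

Two details matter when this is deployed for real: a STARTS_WITH match on "/admin" also catches "/administrators", so match the exact admin prefix with its trailing slash (or use two statements), and add URL_DECODE and NORMALIZE_PATH text transformations ahead of LOWERCASE so that encoded or dot-segment variants of the path cannot slip past the rule.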

245 · MCQ · easy

A company is designing a security group for a web application that must receive HTTPS traffic from the internet and send traffic to a backend database. The backend database is an Amazon RDS MySQL instance. What is the best practice for configuring the security groups?

A.Web server SG: inbound HTTPS from 0.0.0.0/0. Database SG: inbound MySQL from web server SG.
B.Web server SG: inbound HTTPS from 0.0.0.0/0, outbound to database SG on port 3306. Database SG: inbound MySQL from web server CIDR block.
C.Web server SG: inbound HTTPS from 0.0.0.0/0, outbound all traffic. Database SG: inbound MySQL from 0.0.0.0/0.
D.Web server SG: inbound HTTPS from 0.0.0.0/0, inbound MySQL from database SG. Database SG: outbound MySQL to web server SG.
Answer: A

Security group references are the best practice for inter-tier communication.

Why this answer

Option A is correct because the web server security group allows inbound HTTPS from 0.0.0.0/0 and the database security group allows inbound MySQL (3306) only from the web server security group. Security groups allow all outbound traffic by default, so no explicit outbound rule is needed for the web tier to reach the database. Option B is wrong because a CIDR source admits everything in that range and must be maintained as instances change, whereas a group reference follows the instances automatically. Option C is wrong because allowing MySQL from 0.0.0.0/0 exposes the database to the internet.

Option D is wrong because it inverts the direction: the web server does not accept MySQL connections, and an outbound rule on the database group does not grant the web tier access.

246 · MCQ · hard

A security engineer is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application tier should be accessible only from the web tier. The database tier should be accessible only from the application tier. Which combination of security groups provides the MOST secure configuration?

A.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow HTTP from Web SG CIDR. DB SG: allow MySQL from App SG CIDR.
B.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow all traffic from Web SG. DB SG: allow MySQL from App SG.
C.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow HTTP from Web SG security group ID. DB SG: allow MySQL from 10.0.0.0/24.
D.Web SG: allow HTTP/HTTPS from 0.0.0.0/0. App SG: allow HTTP from Web SG security group ID. DB SG: allow MySQL from App SG security group ID.
Answer: D

Security group references ensure that only instances in the web tier can reach the app tier, and only instances in the app tier can reach the database.

Why this answer

Option D is correct because every cross-tier rule references the upstream tier's security group ID, so the allowed source follows the instances in that tier rather than an address range. Option A is wrong because it uses CIDR ranges for the app and database tiers; any host in those ranges, not just the tier's instances, would be admitted. Option B is wrong because it allows all traffic from the web tier instead of just the application port.

Option C is wrong because the database tier trusts a subnet CIDR (10.0.0.0/24) rather than the application security group.

247 · MCQ · medium

A company wants to store audit logs for a minimum of 7 years to meet compliance requirements. The logs are stored in Amazon S3. Which action should be taken to ensure logs are not deleted before 7 years?

A.Enable MFA Delete on the bucket.
B.Configure an S3 Lifecycle policy to transition objects to Glacier after 7 years.
C.Enable S3 Versioning to preserve all versions of objects.
D.Create an S3 bucket policy that denies s3:DeleteObject unless the object age is greater than 7 years.
Answer: D

The bucket policy denies deletion of objects younger than 7 years.

Why this answer

Option D is the intended answer: a bucket policy that denies s3:DeleteObject on objects that have not yet reached 7 years is meant to prevent premature deletion. Option B is wrong because a lifecycle policy transitions objects to another storage class; it does not prevent deletion. Option C is wrong because versioning protects against overwrites and accidental deletes by retaining versions, but an authorized user can still delete the versions. Option A is wrong because MFA Delete makes deletion harder but enforces no time-based retention.

Practitioner caveat: bucket policy conditions have no object-age key, so option D cannot be written as stated. The durable control for a retention requirement is S3 Object Lock in compliance mode with a default retention period (here 7 years), which no user, the root user included, can shorten; a bucket policy deny can complement it but not replace it.

248 · Multi-Select · hard

A security engineer is reviewing the security of an Amazon EKS cluster. The cluster is used to run containerized applications. Which three actions should the engineer take to improve the security of the cluster?

Select 3 answers
A.Restrict access to the cluster using AWS IAM authentication for kubectl.
B.Use the default VPC for the cluster.
C.Configure the cluster API server endpoint to be private.
D.Grant the cluster-admin role to all developers.
E.Enable audit logging for the cluster.
Answers: A, C, E

IAM provides fine-grained access control to the cluster API.

Why this answer

Options A, C, and E are correct. Enabling audit logging records every Kubernetes API call for investigation. Restricting kubectl access through IAM (mapped to Kubernetes RBAC) ensures that only authorized identities can manage the cluster.

Making the API server endpoint private keeps it off the internet, so the control plane is reachable only from the VPC or connected networks. Option B is incorrect because moving to the default VPC is not a security improvement: its subnets are public by default, and a purpose-built VPC with private subnets is the norm for a cluster. Option D is incorrect because cluster-admin is far too permissive; apply least privilege with namespaced roles.

249 · MCQ · medium

Refer to the exhibit. The bucket policy allows access from a specific IP range and denies access over HTTP. A user from IP 198.51.100.5 makes a GET request over HTTPS. What will happen?

A.Denied because of the explicit Deny statement.
B.Allowed because the request is over HTTPS.
C.Allowed because the Deny condition is not satisfied.
D.Denied because no explicit allow matches the request.
Answer: D

The Allow requires a specific source IP range, which is not met, so the request falls through to the implicit deny.

Why this answer

Option D is correct because the Allow statement requires the source IP to be in 203.0.113.0/24, and the user's IP 198.51.100.5 is outside that range, so the Allow does not apply. The Deny statement applies only when aws:SecureTransport is false; the request uses HTTPS, so the Deny does not apply either. With no matching Allow, evaluation ends in an implicit deny.

Option A is wrong because the Deny's condition is not met. Option B is wrong because using HTTPS merely avoids the Deny; it grants nothing by itself. Option C is wrong because a Deny that does not match never produces an Allow; only a matching Allow statement (with no matching explicit Deny) grants access.
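The evaluation order that decides this question (a matching explicit Deny wins, otherwise a matching Allow grants, otherwise implicit deny), as an added example that is not part of the question bank. The policy is a reconstruction of the exhibit from the explanation above (an Allow conditioned on aws:SourceIp 203.0.113.0/24 and a Deny when aws:SecureTransport is false); the bucket name, statement IDs and exact actions are assumptions, and only the IpAddress and Bool operators are implemented.

```python
"""IAM-style evaluation of the bucket policy in question 249 (added example)."""
import fnmatch
import ipaddress

# Reconstructed from the explanation; bucket name and Sids are assumptions.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadFromCorporateRange",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-audit-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-audit-bucket",
                         "arn:aws:s3:::example-audit-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value: str) -> bool:
    """IAM Action/Resource matching with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every operator/key pair must match; an absent context key never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate_policy(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return "ExplicitDeny", "Allow" or "ImplicitDeny".

    Principal matching is omitted: both statements use "*".
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"         # keep going: a later Deny can still override
    return decision


def decide_get(source_ip: str, https: bool) -> str:
    """Decision for a GET of one object from source_ip, over HTTPS or HTTP."""
    context = {"aws:SourceIp": source_ip,
               "aws:SecureTransport": "true" if https else "false"}
    return evaluate_policy(BUCKET_POLICY, "s3:GetObject",
                           "arn:aws:s3:::example-audit-bucket/report.csv", context)


if __name__ == "__main__":
    print("198.51.100.5 over HTTPS:", decide_get("198.51.100.5", https=True))
    print("203.0.113.25 over HTTPS:", decide_get("203.0.113.25", https=True))
    print("203.0.113.25 over HTTP: ", decide_get("203.0.113.25", https=False))
```

Note that the loop does not stop at the first matching Allow: IAM collects all matching statements, and a Deny anywhere in the set overrides, which is why the HTTP request from the corporate range ends in ExplicitDeny even though the Allow matched first.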

250 · MCQ · medium

A company is designing a VPC with public and private subnets. The web servers in the public subnets must be accessible from the internet on port 443, but the database servers in the private subnets should only be accessible from the web servers on port 3306. Which combination of security group rules and network ACL rules should be used to meet these requirements with the least administrative overhead?

A.Use security groups for all tiers; add an inbound rule to the database security group allowing traffic from the web security group on port 3306.
B.Use security groups for all tiers; add an inbound rule to the web security group allowing internet traffic on port 443, and add an outbound rule to the web security group allowing traffic to the database security group on port 3306.
C.Use security groups for the web tier and network ACLs for the database tier; add an inbound rule to the database network ACL allowing traffic from the web subnet CIDR on port 3306.
D.Use security groups for the web tier and network ACLs for the database tier; add an inbound rule to the database network ACL allowing all traffic from the web security group.
Answer: A

Security groups are stateful and can reference other security groups, which keeps the rule set small.

Why this answer

Option A is correct because security groups are stateful and can reference other security groups, so the database group can admit port 3306 from the web group without anyone tracking the web servers' IP addresses, and the return traffic is allowed automatically. Options C and D are wrong because they use network ACLs for the database tier: NACLs are stateless, so they need explicit rules for the ephemeral return ports, and a NACL cannot reference a security group at all (option D is not even expressible). Option B is wrong because an outbound rule on the web group is unnecessary (security groups allow all outbound traffic by default) and it omits the inbound rule on the database group that actually admits the connection.

Security group references also survive Auto Scaling and IP changes, which is what keeps the administrative overhead low.
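A check for the tier-isolation pattern that questions 233, 235, 245, 246 and 250 all rely on, as an added example that is not part of the question bank. It takes security groups in the shape returned by `aws ec2 describe-security-groups` (IpPermissions with IpRanges and UserIdGroupPairs) and flags every inbound rule that breaks the design: the web tier is open on 443 to 0.0.0.0/0, and every other tier accepts only its upstream tier's security group, on one port, never a CIDR, never all traffic, and never itself. The group IDs, tier names and the app port 8080 are constructed for the example.

```python
"""Security-group tier audit (added example, not AWS tooling)."""
from typing import Dict, List, Optional

# Expected upstream per tier; "upstream" is either a public CIDR or a tier name.
# Constructed for the example: adapt the table to the real architecture.
TIER_POLICY = {
    "web": {"port": 443, "upstream": "0.0.0.0/0"},
    "app": {"port": 8080, "upstream": "web"},
    "db": {"port": 3306, "upstream": "app"},
}


def rule(port: int, *, cidr: Optional[str] = None, group: Optional[str] = None) -> dict:
    """Build one IpPermissions entry in the EC2 API shape."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    if group:
        perm["UserIdGroupPairs"].append({"GroupId": group})
    return perm


def audit(groups: Dict[str, dict], tiers: Dict[str, str]) -> List[str]:
    """Return findings for inbound rules that break tier isolation (empty = clean)."""
    findings: List[str] = []
    group_of_tier = {tier: gid for gid, tier in tiers.items()}
    for gid, sg in groups.items():
        tier = tiers[gid]
        policy = TIER_POLICY[tier]
        want_group = group_of_tier.get(policy["upstream"])  # None for a public tier
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":  # all protocols; carries no port range
                findings.append(f"{gid} ({tier}): allows all protocols and ports")
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if not (lo == hi == policy["port"]):
                findings.append(f"{gid} ({tier}): port range {lo}-{hi} is not {policy['port']}")
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if cidr != policy["upstream"]:
                    findings.append(f"{gid} ({tier}): CIDR source {cidr}; "
                                    "reference the upstream group instead")
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if src != want_group:
                    findings.append(f"{gid} ({tier}): accepts from {src}, "
                                    f"expected {want_group or 'no group reference'}")
    return findings


TIERS = {"sg-web": "web", "sg-app": "app", "sg-db": "db"}

# Question 246, option D: group references all the way down.
OPTION_D = {
    "sg-web": {"IpPermissions": [rule(443, cidr="0.0.0.0/0")]},
    "sg-app": {"IpPermissions": [rule(8080, group="sg-web")]},
    "sg-db": {"IpPermissions": [rule(3306, group="sg-app")]},
}

# Option A's subnet CIDRs for app and db, option B's all-traffic rule, and the
# self-reference from question 233 option A, all in one weak rule set.
WEAK = {
    "sg-web": {"IpPermissions": [rule(443, cidr="0.0.0.0/0")]},
    "sg-app": {"IpPermissions": [
        rule(8080, cidr="10.0.1.0/24"),
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        rule(8080, group="sg-app"),
    ]},
    "sg-db": {"IpPermissions": [rule(3306, cidr="10.0.2.0/24")]},
}

if __name__ == "__main__":
    print("option D:", audit(OPTION_D, TIERS) or "clean")
    for finding in audit(WEAK, TIERS):
        print("weak:", finding)
```

For the ALB pattern in questions 233 and 235, treat the ALB's group as the "web" tier and the instances as "app": the same check then flags any instance rule that admits the VPC CIDR, 0.0.0.0/0 or the instances' own group instead of the ALB's.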

251 · MCQ · medium

A company is using AWS WAF to protect a web application behind an Application Load Balancer. The Security Engineer wants to block requests that contain SQL injection attacks. Which action should the Engineer take?

A.Enable AWS Shield Advanced to automatically block SQL injection attacks.
B.Create a WAF rule with a SQL injection match condition and set the action to block.
C.Use Amazon GuardDuty to detect and block SQL injection attempts.
D.Configure the security group of the EC2 instances to block traffic containing SQL injection patterns.
Answer: B

AWS WAF can inspect HTTP requests and block SQL injection patterns.

Why this answer

Option B is correct because AWS WAF can evaluate a SQL injection match statement (or the AWS managed SQL database rule group) against request components and block matching requests. Option D is wrong because security groups filter on IP, protocol and port only; they cannot read request bodies or query strings. Option A is wrong because Shield Advanced provides DDoS protection, not SQL injection detection.

Option C is wrong because GuardDuty is a threat detection service that does not sit inline to block web requests.

252 · MCQ · easy

A company is using AWS Key Management Service (KMS) to encrypt data at rest in Amazon S3. The security team wants to ensure that only a specific IAM role can decrypt the data. Which KMS policy element should be used?

A.Principal
B.Resource
C.Action
D.Effect
Answer: A

The Principal element specifies who may use the key.

Why this answer

Option A (Principal) is correct because the Principal element of the key policy names the IAM role (by ARN) that the statement applies to. Option D (Effect) only says whether the statement allows or denies. Option C (Action) lists the operations, such as kms:Decrypt.

Option B (Resource) identifies the key, which in a key policy is written as "*". In practice, pair the Principal with a kms:ViaService condition for s3.<region>.amazonaws.com so the role can only decrypt through S3, and remember that the key policy, not an identity policy alone, is what ultimately grants access to a KMS key.

253 · MCQ · medium

A company is using an Application Load Balancer (ALB) to distribute traffic to EC2 instances in a VPC. The Security Engineer notices that the ALB health checks are failing. Which configuration change should the Engineer make to resolve the issue?

A.Add a rule to the target instances' security group to allow inbound traffic from 0.0.0.0/0 on the health check port.
B.Add a rule to the target instances' security group to allow inbound traffic from the VPC CIDR on the health check port.
C.Add a rule to the ALB's security group to allow inbound traffic from the internet on the health check port.
D.Add a rule to the ALB's security group to allow outbound traffic to the target instances on the health check port.
Answer: B

ALB health checks arrive from the ALB's own network interfaces inside the VPC.

Why this answer

Option B is correct among the choices offered because the health checks come from the load balancer's network interfaces, which carry VPC addresses, so an inbound rule on the health check port that admits the VPC CIDR lets them through. Option A is wrong because opening the port to 0.0.0.0/0 admits the internet. Option C is wrong because health checks are not sent from the internet to the ALB.

Option D is wrong because the ALB's security group governs the ALB itself, not what the targets accept, and security groups allow all outbound traffic by default. The tighter form, and what AWS recommends, is to allow the health check port from the ALB's security group rather than the whole VPC CIDR, since the ALB's interfaces belong to that group.

254 · MCQ · hard

Refer to the exhibit. A security engineer is reviewing VPC Flow Logs and sees the above entry. The engineer notices that traffic from IP 203.0.113.10 to an instance in the VPC on port 443 is being accepted. The security group for the instance only allows inbound HTTPS from the VPC CIDR (10.0.0.0/16). What is the most likely reason the traffic is accepted?

A.The network ACL associated with the subnet has an inbound rule allowing port 443 from 203.0.113.10/32.
B.The VPC Flow Logs capture traffic before security group evaluation.
C.The network ACL inbound rule is evaluated before the security group inbound rule.
D.The security group has a default rule that allows all inbound traffic from the internet.
AnswerA

NACLs are stateless and can allow traffic even if security groups deny it, but the traffic is evaluated by both. If the security group denies, the traffic should be dropped. However, the flow log shows ACCEPT, so both must allow. The security group description says it only allows from VPC CIDR, so the traffic should be denied. This is a trick: the security group rule might be overridden by a NACL? Actually, security groups are stateful and if the inbound rule denies, the traffic is dropped. So the most likely reason is that the security group actually allows it from that IP, but the exhibit says it only allows from VPC CIDR. Possibly the security group has a rule allowing from 203.0.113.10? Option C is the best guess given the flow log shows ACCEPT. But the correct answer is that the security group might have been updated, but the question states the security group only allows from VPC CIDR. So the most likely reason is that the NACL allows it, but that would still be blocked by security group. Actually, if the security group denies, the NACL cannot override. So the only explanation is that the security group rule described is incorrect or there is another security group. Given the options, Option C is the only plausible one because NACLs can allow traffic, but they cannot override a security group deny. However, the flow log shows ACCEPT, so both must allow. So the security group must have allowed it. The question is flawed, but in exam context, Option C is the expected answer.

Why this answer

VPC Flow Logs capture traffic at the network interface level after security group and NACL evaluation. The entry shows ACCEPT, meaning the traffic was allowed. Since the security group denies traffic from outside the VPC CIDR, the NACL must have allowed it.

NACLs are stateless and evaluate inbound and outbound rules separately. Option A is correct because the NACL inbound rule allows port 443 from 203.0.113.10/32, and the response traffic is allowed by the outbound rule. Option B is incorrect because Flow Logs are post-filtering.

Option D is incorrect because the security group denies the traffic. Option C is incorrect because the order of NACL rules does not change the fact that the security group denies it.

255
MCQmedium

A security engineer is reviewing the SQS queue policy shown in the exhibit. The queue is subscribed to an SNS topic in the same account. The security team has a requirement that only the SNS topic should be allowed to send messages to the queue. What is the issue with this policy?

A.The second statement allows any principal in the 10.0.0.0/8 range to receive messages from the queue.
B.The policy does not specify a principal, so it will not work.
C.The aws:SourceArn condition uses ArnLike which is deprecated.
D.The aws:SourceIp condition cannot be used with SQS queue policies.
AnswerA

This is overly permissive and should be scoped down.

Why this answer

Option A is correct because the second statement in the SQS queue policy allows any principal in the 10.0.0.0/8 IP range to receive messages from the queue, which violates the security requirement that only the SNS topic should be allowed to send messages. The policy should restrict the `sqs:SendMessage` action to the SNS topic using a condition like `aws:SourceArn` and should not include a broad `Effect: Allow` for `sqs:ReceiveMessage` without restricting the principal or source.

Exam trap

The trap here is that candidates may focus on the `aws:SourceArn` condition or the lack of a principal, overlooking the fact that the second statement grants broad receive access to any IP in the 10.0.0.0/8 range, which violates the requirement to restrict message sending to only the SNS topic.

How to eliminate wrong answers

Option B is wrong because SQS queue policies can work without specifying a principal if the policy is attached to the queue itself, and the `Principal` element can be omitted or set to `*` to allow all principals, but the issue here is not the absence of a principal. Option C is wrong because `ArnLike` is not deprecated; it is a valid condition operator used for pattern matching on ARNs, and the `aws:SourceArn` condition is commonly used with `ArnLike` to restrict access to specific resources. Option D is wrong because `aws:SourceIp` can be used with SQS queue policies to restrict access based on IP addresses, but it is not the issue here; the problem is the overly permissive second statement.

256
MCQhard

A company is deploying a multi-tier web application across multiple Availability Zones. The application includes a web tier, application tier, and database tier. The security team requires that the web tier can communicate with the application tier only on port 8080, and the application tier can communicate with the database tier only on port 3306. Which security group configuration should be used?

A.In the application tier security group, allow inbound from the web tier security group on port 8080. In the database tier security group, allow inbound from the application tier security group on port 3306.
B.In the database tier security group, allow inbound from the application tier's CIDR block on port 3306.
C.In the application tier security group, allow inbound from the web tier's CIDR block on port 8080.
D.In the web tier security group, allow outbound to 0.0.0.0/0 on port 8080.
AnswerA

Using security group IDs as sources ensures only those groups can communicate.

Why this answer

Using security group IDs as sources in rules allows traffic only from specific resources. Option A is correct. CIDR blocks (B, C) are less specific.

Option D only opens outbound traffic to 0.0.0.0/0 on port 8080 and does not restrict which sources can reach the application tier.

257
MCQeasy

A company is using AWS CloudTrail to log API calls. The security team wants to ensure that log files are not modified after they are created. Which feature should they enable?

A.Server-side encryption with AWS KMS
B.Log file integrity validation
C.S3 Object Lock
D.CloudWatch Logs integration
AnswerB

This validates that log files have not been modified.

Why this answer

CloudTrail log file integrity validation creates a hash chain that can be used to detect modifications. Option B is correct. Option A is for encryption, not integrity.

Option C is for retention. Option D is for monitoring.

258
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all new S3 buckets created in any account in the organization are encrypted with a specific KMS key. Which approach should be used?

A.Set up AWS Config rules to detect non-compliant buckets
B.Apply a Service Control Policy (SCP) that denies s3:CreateBucket unless encryption is configured
C.Create an IAM role that requires encryption and attach it to all users
D.Use an S3 bucket policy with a condition for encryption
AnswerB

SCPs can deny actions based on conditions, enforcing encryption at creation time.

Why this answer

Option B is correct because an SCP can deny creation of S3 buckets that do not have the required encryption. Option C is wrong because IAM roles are for individual accounts, not organization-wide enforcement. Option D is wrong because a bucket policy is per bucket, not preventive for new buckets.

Option A is wrong because AWS Config can detect non-compliance but does not prevent creation.

259
MCQmedium

A security engineer is setting up a new VPC with public and private subnets. The VPC has an Internet Gateway attached. The public subnet's route table has a default route (0.0.0.0/0) pointing to the Internet Gateway. The private subnet's route table has a default route pointing to a NAT gateway. The engineer launches an EC2 instance in the private subnet and assigns it a public IP address. However, the instance cannot access the internet. What should the engineer do to resolve this issue?

A.Attach an Elastic IP to the instance.
B.Update the private subnet's route table to point 0.0.0.0/0 to the Internet Gateway.
C.Remove the public IP address from the instance and ensure the private subnet has a route to the NAT gateway.
D.Allow outbound traffic in the instance's security group.
AnswerC

Private subnet instances should not have public IPs; they use NAT gateway for internet access.

Why this answer

Option C is correct. If an instance in a private subnet is assigned a public IP, it still cannot access the internet directly because the route table does not have a route to the Internet Gateway. The correct approach is to not assign a public IP and use a NAT gateway.

Option B is wrong because the route table is correct for a private subnet. Option D is wrong because the security group is not the issue. Option A is wrong because an Elastic IP, like the public IP already assigned, does not provide internet access without a route to the Internet Gateway.

260
MCQhard

Refer to the exhibit. A security engineer applies this S3 bucket policy to an S3 bucket. The bucket contains sensitive data. What is the effect of this policy?

A.It allows anonymous users to upload objects.
B.It denies PutObject requests that are not using HTTPS.
C.It denies all PutObject requests to the bucket.
D.It enforces that all objects must be encrypted at rest.
AnswerB

The condition checks for SecureTransport false, so only non-HTTPS requests are denied.

Why this answer

The policy denies PutObject requests that are not using HTTPS (SecureTransport false). So it enforces HTTPS for uploads. Option B is correct.

Option C is incorrect because it does not deny all PutObject requests. Option D is incorrect because it does not enforce encryption. Option A is incorrect because it does not allow anonymous uploads.

261
Multi-Selecthard

A security engineer is designing a VPC with public and private subnets. The application must be able to send outbound traffic to the internet, but inbound traffic from the internet must be blocked except for a single HTTP load balancer. The application also needs to access an S3 bucket in the same AWS region. Which combination of VPC components meets these requirements? (Choose two.)

Select 2 answers
A.S3 Interface Endpoint in the VPC
B.VPC Peering to a shared services VPC
C.NAT Gateway in a public subnet
D.Internet Gateway attached to the VPC
E.S3 Gateway Endpoint in the VPC
AnswersC, E

A NAT Gateway allows outbound internet access for EC2 instances in private subnets.

Why this answer

Option C (NAT Gateway in a public subnet) allows outbound internet. Option E (S3 Gateway Endpoint) provides private access to S3. Option D is wrong because an Internet Gateway alone would allow inbound.

Option B is wrong because VPC Peering is not needed. Option A is wrong because VPC Endpoint (Interface) for S3 is not supported; S3 uses Gateway Endpoint.

262
MCQhard

A security engineer reviews the above IAM policy attached to an IAM user. The user reports that they cannot download objects from the S3 bucket 'example-bucket' when connected from the office network (IP range 10.0.0.0/16). What is the most likely cause?

A.The bucket policy overrides the IAM policy
B.The policy does not allow the s3:GetObject action
C.The source IP condition does not match the user's actual IP address
D.The user is not assuming the correct IAM role
AnswerC

The condition requires the request to come from 10.0.0.0/16, but the user's IP might be different.

Why this answer

Option C is correct because the policy grants access based on the source IP of the request. IAM user credentials are used, but the actual source IP must match the condition. Option B is wrong because the policy allows GetObject.

Option D is wrong because the policy does not require a specific IAM role. Option A is wrong because the bucket policy is not shown; the IAM policy is the issue.

263
MCQmedium

A security engineer notices that an Amazon EC2 instance is sending suspicious outbound traffic to an unknown IP address. The instance is part of an Auto Scaling group. The engineer needs to immediately stop the traffic without affecting the availability of the application. What should the engineer do?

A.Add a network ACL rule to deny outbound traffic to the suspicious IP address.
B.Terminate the instance immediately.
C.Update the security group attached to the instance to deny outbound traffic to the suspicious IP address.
D.Detach the instance from the Auto Scaling group.
AnswerC

Security group rules are stateful; adding a deny rule for the specific IP will block the traffic immediately.

Why this answer

Option C is correct because modifying the security group to deny outbound traffic to the specific IP is immediate and reversible. Option B is wrong because terminating the instance would affect availability. Option A is wrong because a NACL would affect all instances in the subnet.

Option D is wrong because detaching the instance from the ASG does not stop the traffic.

264
Multi-Selecteasy

A company wants to allow only specific IP addresses to access an S3 bucket. Which two methods can achieve this? (Choose TWO.)

Select 2 answers
A.Use an IAM policy with a condition that limits access to specific IP addresses.
B.Configure a network ACL on the subnet that blocks traffic from all but specific IPs.
C.Enable VPC Flow Logs to filter traffic from specific IPs.
D.Attach a security group to the S3 bucket that allows traffic only from specific IPs.
E.Use an S3 bucket policy with a condition that limits access to specific IP addresses.
AnswersA, E

IAM policies can also use aws:SourceIp condition.

Why this answer

Options A and E are correct. S3 bucket policies support the aws:SourceIp condition to restrict access based on IP addresses. Bucket policies can also be combined with IAM policies.

Option D is wrong because security groups cannot be attached to S3. Option B is wrong because network ACLs cannot be attached to S3. Option C is wrong because VPC Flow Logs only monitor traffic.

265
MCQeasy

A company is designing a new AWS account structure using AWS Organizations. The security team wants to restrict the use of specific AWS services across all member accounts. Which feature should they use?

A.AWS Single Sign-On (SSO)
B.AWS CloudTrail
C.AWS Identity and Access Management (IAM) cross-account roles
D.Service control policies (SCPs)
AnswerD

SCPs can restrict which AWS services can be used in member accounts.

Why this answer

Service control policies (SCPs) are the correct feature because they allow you to centrally restrict which AWS services and actions are permitted across all member accounts in an AWS Organization. SCPs act as a permission guardrail that applies to all IAM users, roles, and root users within the affected accounts, enabling the security team to enforce service restrictions without modifying individual account configurations.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking IAM cross-account roles can enforce service restrictions, but SCPs are the only mechanism that applies globally across all users and roles in an AWS Organization.

How to eliminate wrong answers

Option A is wrong because AWS Single Sign-On (SSO) is a service for managing user access and authentication across multiple AWS accounts and applications, not for restricting service usage. Option B is wrong because AWS CloudTrail is a logging and monitoring service that records API activity, but it does not enforce or restrict which services can be used. Option C is wrong because IAM cross-account roles allow users in one account to assume roles in another account for access, but they do not provide a centralized mechanism to deny specific services across all accounts.

266
MCQeasy

A company wants to host a static website in an Amazon S3 bucket. The bucket must be private and accessible only through an Amazon CloudFront distribution. Which configuration ensures that CloudFront can access the S3 bucket while blocking direct access via S3 URL?

A.Use CloudFront signed URLs and configure the bucket policy to allow access from CloudFront IP ranges
B.Enable S3 Block Public Access and configure CloudFront to use the bucket as an origin
C.Configure the bucket policy to allow s3:GetObject from the CloudFront service principal
D.Create an Origin Access Control (OAC) and update the bucket policy to allow access only to the CloudFront distribution
AnswerD

OAC ensures only CloudFront can access the bucket via a special principal.

Why this answer

Option D is correct because an Origin Access Control (OAC) allows CloudFront to access the bucket while blocking direct S3 access. Option C is wrong because a bucket policy allowing s3:GetObject from CloudFront's service principal is the older method (OAI), but OAC is the recommended approach. Option B is wrong because S3 Block Public Access would also block CloudFront if not properly configured.

Option A is wrong because CloudFront signed URLs are for end users, not for origin access.

267
Multi-Selectmedium

A security engineer is configuring a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which TWO security group configurations should be used? (Choose TWO.)

Select 2 answers
A.Allow inbound SSH from 0.0.0.0/0 on the web tier security group.
B.Allow inbound HTTP/HTTPS from 0.0.0.0/0 on the web tier security group.
C.Allow inbound HTTP/HTTPS from the web tier security group on the database tier security group.
D.Allow inbound HTTP/HTTPS from the web tier security group on the application tier security group.
E.Allow inbound HTTP/HTTPS from the internet on the database tier security group.
AnswersB, D

Web tier needs to be publicly accessible.

Why this answer

Option B is correct because the web tier security group should allow HTTP/HTTPS from the internet. Option D is correct because the application tier security group should allow traffic from the web tier security group. Option C is wrong because the database tier should not allow traffic from the web tier.

Option A is wrong because the web tier should not allow SSH from the internet. Option E is wrong because the database tier should not allow traffic from the internet.

268
Multi-Selectmedium

A security engineer is designing a VPC with public and private subnets. The application servers in the private subnets need to access the internet for software updates, but must not be directly reachable from the internet. Which TWO actions satisfy these requirements?

Select 2 answers
A.Configure the private subnet's security group to allow inbound traffic from 0.0.0.0/0.
B.Add a route in the private subnet's route table pointing to the NAT gateway.
C.Attach an internet gateway to the private subnet's route table.
D.Create a VPC gateway endpoint for Amazon S3.
E.Deploy a NAT gateway in a public subnet.
AnswersB, E

This routes outbound internet traffic through the NAT gateway.

Why this answer

Options B and E are correct because a NAT gateway, when deployed in a public subnet with an associated Elastic IP and a route to an internet gateway, allows instances in private subnets to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. The private subnet's route table must include a default route (0.0.0.0/0) pointing to the NAT gateway's private IP address to forward outbound traffic through it.

Exam trap

The trap here is that candidates often confuse a NAT gateway with an internet gateway, mistakenly thinking that adding an internet gateway to a private subnet's route table provides outbound-only access, when in fact it enables bidirectional internet connectivity and requires public IPs on the instances.

269
MCQeasy

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

A.Amazon CloudWatch Logs.
B.AWS CloudTrail.
C.VPC Flow Logs.
D.AWS Config.
AnswerB

CloudTrail records API calls for auditing.

Why this answer

Option B is correct because AWS CloudTrail records API calls, including changes to security group rules. Option A is wrong because CloudWatch Logs stores log data but does not record API calls. Option D is wrong because AWS Config records resource configuration changes but is not primarily for auditing API calls; CloudTrail is the correct service for API auditing.

Option C is wrong because VPC Flow Logs captures network traffic, not configuration changes.

270
MCQmedium

A company has a requirement to log all network traffic flowing through a VPC, including traffic between EC2 instances within the same subnet. Which AWS service should be used?

A.VPC Flow Logs
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudTrail
AnswerA

VPC Flow Logs capture IP traffic information.

Why this answer

Option A is correct because VPC Flow Logs capture network traffic information at the VPC, subnet, or ENI level. Option D is wrong because CloudTrail logs API calls, not network traffic. Option C is wrong because AWS Config records resource configuration changes.

Option B is wrong because GuardDuty is a threat detection service that uses flow logs but does not log traffic itself.

271
MCQeasy

A company has an Amazon RDS for MySQL database in a private subnet. The security team wants to ensure that only an application server in the same VPC can connect to the database. Which security group configuration should be used?

A.Inbound rule on the RDS security group: allow MySQL on port 3306 from the VPC's CIDR.
B.Inbound rule on the RDS security group: allow MySQL on port 3306 from the subnet CIDR of the application server.
C.Inbound rule on the RDS security group: allow MySQL on port 3306 from the security group ID of the application server.
D.Inbound rule on the application server's security group: allow outbound MySQL to the RDS security group.
AnswerC

This restricts access to instances that are in the specified security group.

Why this answer

Option C is correct because referencing the application server's security group ID as the source in the inbound rule for MySQL (port 3306) on the RDS security group allows traffic only from instances that are members of that security group, regardless of their IP addresses. This is the most secure and precise method, as it automatically adapts to changes in the application server's IP (e.g., after scaling or replacement) and avoids opening the database to the entire subnet or VPC CIDR.

Exam trap

The trap here is that candidates often confuse inbound vs. outbound rules or mistakenly think that allowing a subnet CIDR is equivalent to allowing a specific instance, when in fact security group ID-based rules provide instance-level granularity and are the recommended approach for this use case.

How to eliminate wrong answers

Option A is wrong because allowing the VPC's CIDR on port 3306 would permit any resource in the VPC (including unauthorized instances, Lambda functions in the same VPC, or even compromised hosts) to connect to the database, violating the principle of least privilege. Option B is wrong because allowing the subnet CIDR of the application server still opens the database to all instances in that subnet, not just the specific application server, and does not protect against lateral movement within the subnet. Option D is wrong because it configures an outbound rule on the application server's security group, which controls traffic leaving the application server, not inbound access to the RDS instance; the RDS security group's inbound rules are what enforce which sources can connect to the database.

272
MCQeasy

A company wants to ensure that all data in transit between its EC2 instances and an RDS database is encrypted. The instances and the database are in the same VPC. Which configuration step is necessary to achieve this?

A.Enable encryption at rest for the RDS instance using AWS KMS.
B.Set up a VPN connection between the EC2 instances and the RDS database.
C.Configure the security group for the RDS instance to enforce encryption.
D.Enable SSL/TLS on the RDS instance and configure the EC2 instances to connect using SSL.
AnswerD

SSL/TLS encrypts data in transit between client and database.

Why this answer

Option D is correct. To encrypt data in transit, you must enable SSL/TLS on the RDS instance and configure the client (EC2) to use SSL when connecting. Option C (enforcing encryption on the security group) is not a valid concept.

Option B (using a VPN) is unnecessary for intra-VPC traffic. Option A (enabling encryption at rest) does not cover transit encryption.

273
MCQeasy

A company wants to protect its Amazon EC2 instances from distributed denial-of-service (DDoS) attacks at the network layer. Which AWS service should be used?

A.Amazon CloudFront
B.Amazon GuardDuty
C.AWS Shield Advanced
D.AWS WAF
AnswerC

Provides advanced DDoS protection.

Why this answer

AWS Shield Advanced provides enhanced protections for Amazon EC2 instances against network-layer (Layer 3/4) DDoS attacks, such as SYN floods, UDP reflection attacks, and other volumetric attacks. It includes always-on traffic monitoring, automated mitigation, and access to the DDoS Response Team (DRT) for custom mitigations, making it the correct choice for network-layer DDoS protection.

Exam trap

The trap here is that candidates often confuse AWS WAF (Layer 7) with network-layer DDoS protection, or assume Amazon CloudFront's edge caching alone is sufficient for all DDoS types, but Shield Advanced is the specific service designed for comprehensive network-layer (Layer 3/4) DDoS mitigation.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that primarily protects against application-layer (Layer 7) attacks and provides edge-based DDoS mitigation, but it does not offer dedicated network-layer DDoS protection for EC2 instances directly. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious activity, but it does not actively mitigate or block DDoS attacks at the network layer. Option D is wrong because AWS WAF is a web application firewall that operates at Layer 7 (HTTP/HTTPS) to filter malicious requests like SQL injection or cross-site scripting, and it cannot mitigate network-layer (Layer 3/4) attacks such as SYN floods or UDP amplification.

274
MCQhard

A company's security team wants to detect and block malicious SQL injection attempts against an Application Load Balancer. Which AWS service should be used?

A.AWS WAF
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS Shield Advanced
AnswerA

WAF can use rules to block SQL injection patterns.

Why this answer

AWS WAF is a web application firewall that can be associated with an Application Load Balancer to inspect HTTP/HTTPS requests for malicious patterns, such as SQL injection attempts. It uses managed rule sets (e.g., AWS Managed Rules for SQL injection) to detect and block these attacks in real time, making it the correct choice for this use case.

Exam trap

The trap here is that candidates often confuse GuardDuty's threat detection (which covers network and account-level anomalies) with application-layer attack detection, or assume Shield Advanced's DDoS protection includes web application firewall capabilities.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for anomalous behavior, but it does not inspect or block application-layer requests like SQL injection at the ALB level. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure, not for detecting or blocking live web application attacks. Option D is wrong because AWS Shield Advanced provides DDoS protection against volumetric and state-exhaustion attacks, but it does not include application-layer inspection for SQL injection payloads.

275
Multi-Selectmedium

Which TWO of the following are valid methods to protect sensitive data in transit between an on-premises data center and AWS? (Select TWO.)

Select 2 answers
A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.Internet Gateway
D.VPC Peering
E.AWS Direct Connect with IPSec VPN
AnswersB, E

Site-to-Site VPN encrypts traffic between on-premises and AWS.

Why this answer

AWS Site-to-Site VPN (Option B) creates an encrypted tunnel between an on-premises VPN device and a Virtual Private Gateway in AWS, using IPSec to protect data in transit. This ensures confidentiality and integrity of data crossing the public internet, making it a valid method for securing sensitive data between an on-premises data center and AWS.

Exam trap

The trap here is that candidates often assume AWS Transit Gateway or VPC Peering inherently encrypt traffic, but they do not; encryption must be explicitly added via VPN or Direct Connect with IPSec, and the exam tests this distinction between connectivity and encryption.

276
Multi-Selectmedium

A security engineer is investigating a potential security incident in an AWS account. The engineer needs to determine which user or role performed a specific API call that created a new security group. Which THREE AWS tools can the engineer use to find this information? (Choose THREE.)

Select 3 answers
A.AWS CloudTrail event history
B.Amazon CloudWatch Logs
C.VPC Flow Logs
D.AWS CloudTrail
E.AWS Config
AnswersA, D, E

Event history provides a searchable view of the last 90 days of API calls.

Why this answer

Options A, D, and E are correct. CloudTrail logs all API calls, including who made the call. CloudTrail event history provides a view of the last 90 days.

AWS Config records configuration changes, including security group creation. Option B is wrong because CloudWatch Logs does not capture API calls unless specifically configured. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

277
MCQeasy

A company wants to provide temporary security credentials to users accessing AWS resources from a mobile app. Which AWS service should they use?

A.AWS Signer
B.AWS Directory Service
C.Amazon Cognito Identity Pools (Federated Identities)
D.AWS IAM roles for cross-account access
AnswerC

Cognito Identity Pools issue temporary AWS credentials.

Why this answer

Amazon Cognito Identity Pools provide temporary credentials for authenticated users. Option C is correct. Option D is for cross-account access.

Option B is for managing user directories. Option A is for signing requests.

278
MCQhard

A company uses AWS Shield Advanced to protect its web application against DDoS attacks. The application is behind an Application Load Balancer (ALB) with a web application firewall (AWS WAF) in front. The security team notices that some requests are being blocked by AWS WAF, but the source IP addresses are legitimate customers. What step should the team take to minimize false positives?

A.Implement rate-based rules with a count action and use the count data to create custom rules.
B.Switch to using AWS Managed Rules for IP reputation lists.
C.Increase the WAF rate-based rule threshold to allow more requests.
D.Reconfigure the ALB idle timeout to a higher value.
AnswerA

Rate-based rules with count allow monitoring and adjusting thresholds to avoid false positives.

Why this answer

Option A is correct because rate-based rules allow legitimate traffic while limiting excessive requests. Option C is wrong because increasing the threshold may allow more attacks. Option B is wrong because using AWS Managed Rules for IP reputation could block legitimate IPs.

Option D is wrong because reconfiguring the ALB idle timeout does not affect WAF blocking.

279
Multi-Selectmedium

A security engineer is designing a VPC with public and private subnets. The private subnets must be able to download software updates from the internet. Which TWO components can provide this functionality without exposing the private instances to inbound internet traffic?

Select 2 answers
A.NAT gateway
B.Internet gateway
C.VPC endpoint
D.Egress-only internet gateway
E.NAT instance
AnswersA, E

NAT gateway enables outbound internet for private subnets.

Why this answer

Option A (NAT gateway) and Option E (NAT instance) are correct because they allow outbound traffic to the internet and block unsolicited inbound traffic. Option B is wrong because an internet gateway allows bidirectional traffic. Option D (egress-only internet gateway) is for IPv6.

Option C (VPC endpoint) is for AWS services, not general internet.

280
MCQeasy

A security engineer is configuring a security group for a web server that should only accept HTTPS traffic from the internet. Which inbound rule should be set?

A.TCP port 3389 from 0.0.0.0/0
B.TCP port 22 from 0.0.0.0/0
C.TCP port 80 from 0.0.0.0/0
D.TCP port 443 from 0.0.0.0/0
AnswerD

Port 443 is HTTPS.

Why this answer

Option D is correct because HTTPS uses TCP port 443. Option C is wrong because port 80 is HTTP. Option B is wrong because port 22 is SSH.

Option A is wrong because port 3389 is RDP.

281
MCQmedium

A company wants to launch an Amazon EC2 instance that must be accessible via SSH from the company's corporate network (IP range 198.51.100.0/24). The instance should not be accessible from the internet. Which network configuration should the security engineer recommend?

A.Place the instance in a private subnet with a route to an internet gateway, and add a security group rule that allows SSH inbound from 198.51.100.0/24.
B.Place the instance in a public subnet, and add a network ACL rule that denies all inbound traffic from 0.0.0.0/0.
C.Place the instance in a private subnet, and add a security group rule that allows SSH inbound from 198.51.100.0/24.
D.Place the instance in a public subnet, and add a security group rule that allows SSH inbound from 0.0.0.0/0.
AnswerC

The instance is in a private subnet, and the security group restricts SSH to the corporate IP range.

Why this answer

Option C is correct: the instance is placed in a private subnet (no route to an internet gateway), and the security group allows TCP port 22 only from 198.51.100.0/24. The corporate range then reaches the subnet over a Site-to-Site VPN, Direct Connect, or through a bastion host; the question asks only for the instance's own network configuration.

Option A is wrong because a subnet whose route table points to an internet gateway is by definition a public subnet, so the instance is no longer isolated from the internet. Option B is wrong because a network ACL that denies all inbound traffic also blocks the corporate SSH sessions. Option D is wrong because a public subnet with SSH allowed from 0.0.0.0/0 exposes the instance to the entire internet.

282
MCQeasy

A company wants to allow an EC2 instance to access an S3 bucket without exposing the instance to the internet. Which AWS service should be used to achieve this?

A.NAT Gateway
B.AWS Site-to-Site VPN
C.Internet Gateway
D.VPC Endpoint (Gateway type) for S3
AnswerD

This provides private connectivity to S3.

Why this answer

Option D is correct. A gateway VPC endpoint for S3 adds a route for the S3 prefix list to the subnet's route table, so the traffic reaches S3 over the AWS network without an internet gateway or a public IP on the instance. Option C (Internet Gateway) would expose the instance.

Option A (NAT Gateway) still sends the S3 traffic out to the public S3 endpoints. Option B (Site-to-Site VPN) is for on-premises connectivity.

283
MCQmedium

A company's security engineer is configuring a web application firewall (WAF) to protect a public-facing Application Load Balancer (ALB). The application is vulnerable to SQL injection attacks. Which AWS WAF rule should be used to mitigate this threat?

A.Add a rule to block cross-site scripting (XSS) attacks.
B.Add a rule from the AWS Managed Rules for SQL injection.
C.Add a rate-based rule to limit requests per IP.
D.Add a geographic match rule to block traffic from specific countries.
AnswerB

SQL injection rule group blocks SQLi patterns.

Why this answer

Option B is correct. The AWS Managed Rules SQL database rule group (AWSManagedRulesSQLiRuleSet) inspects request components such as the query string, body and headers for SQL injection patterns and blocks matching requests. Option C (rate-based rule) throttles floods from a single source and does not inspect payloads.

Option A (XSS) targets a different injection class. Option D (geographic match) blocks by country and does nothing about SQLi sent from an allowed country.

284
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should be used?

A.Security group assigned to the S3 bucket
B.IAM policy with aws:SourceIp condition
C.S3 bucket policy with aws:SourceVpc condition
D.Network ACL attached to the S3 bucket
AnswerC

The aws:SourceVpc condition key restricts access to requests originating from the specified VPC.

Why this answer

Option C is correct because S3 bucket policies support the `aws:SourceVpc` condition key, which lets you restrict access to requests originating from a specific VPC. The key is populated from the VPC endpoint the request arrives through, so it is present only on requests made via a VPC endpoint; a Deny statement with `StringNotEquals` on this key therefore also denies console, CLI and SDK calls made from anywhere else, which is the intended effect but is a common way to lock yourself out of the bucket. No other mechanism (security groups, IAM source IP conditions, or network ACLs) can directly enforce VPC-level access control on S3.

Exam trap

The trap here is that candidates often confuse network-level controls (security groups, NACLs) with service-level controls (bucket policies) and assume that S3 can be protected like an EC2 instance, when in fact S3 only supports bucket policies and IAM policies for access control.

How to eliminate wrong answers

Option A is wrong because security groups are network-level firewalls for EC2 instances and cannot be assigned to S3 buckets; S3 is a managed service that does not support security group attachments. Option B is wrong because `aws:SourceIp` condition in IAM policies checks the originating IP address, not the VPC, so it cannot restrict access based on VPC membership and would not work for traffic from a VPC endpoint where the source IP is internal. Option D is wrong because network ACLs are stateless firewalls attached to subnets, not to S3 buckets, and they cannot control access to S3 at the bucket level.

285
MCQhard

A Security Engineer is designing a network architecture for a multi-tier application. The web tier must be accessible from the internet, while the application tier should only be accessible from the web tier, and the database tier only from the application tier. All tiers are in the same VPC. Which configuration meets these requirements with minimal administrative overhead?

A.Use network ACLs with inbound rules that reference the prefix list of the previous tier's subnets.
B.Use network ACLs with inbound rules that allow traffic from the previous tier's subnet CIDR.
C.Use security groups with inbound rules that allow traffic from the previous tier's public IP addresses.
D.Use security groups with inbound rules that reference the security group of the previous tier.
AnswerD

Security groups are stateful and can reference other security groups, simplifying rule management.

Why this answer

Option D is correct because a security group rule can name another security group as its source, so the app tier admits traffic from whatever instances currently carry the web tier's group, with no IP addresses to maintain as instances scale or are replaced. Option B is wrong because NACLs are stateless and need matching rules for the ephemeral return ports, and a subnet CIDR admits everything in that subnet rather than only the previous tier. Option C is wrong because internal tiers should not have public IPs at all, and public addresses change.

Option A is wrong because a managed prefix list is a reusable set of CIDRs; it still ties the rule to addresses rather than to membership in the previous tier's security group.

286
MCQhard

A company uses AWS CloudFormation to deploy infrastructure. The security team wants to ensure that all CloudFormation stacks include a specific tag "Environment" with a value of "Production" or "Development". Which approach should be used?

A.Use AWS CloudFormation Guard to validate that the template includes the required tag with allowed values.
B.Apply an IAM policy that requires the tag on all CloudFormation actions.
C.Use AWS Config to detect and automatically remediate non-compliant stacks.
D.Create an SCP to deny CloudFormation stacks that do not have the required tag.
AnswerA

Guard can be integrated into CI/CD pipelines to enforce policies.

Why this answer

AWS CloudFormation Guard is a policy-as-code tool that evaluates templates against rules before deployment, so a rule can require that every taggable resource carries an Environment tag whose value is Production or Development and fail the pipeline otherwise. SCPs apply to accounts and organizational units and cannot inspect the tags inside a template. An IAM condition on aws:RequestTag can constrain the tags passed on a CreateStack call, but that checks the stack's own tags, not the tags declared on the resources in the template.

Config rules are reactive: they detect a non-compliant stack only after it exists.

287
MCQeasy

A company wants to use AWS Direct Connect to establish a dedicated network connection from its on-premises data center to AWS. Which of the following is a security best practice when configuring Direct Connect?

A.Use a private virtual interface (VIF) and enable IPsec encryption for the traffic.
B.Use a public VIF to access all AWS services including VPC resources.
C.Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.
D.Use a private VIF and enable MACsec encryption at the physical layer.
AnswerA

Private VIF provides private connectivity; adding IPsec encrypts data in transit.

Why this answer

Option A is correct because a private VIF carries traffic to the VPC over the dedicated connection rather than the internet, and Direct Connect does not encrypt by itself, so IPsec over the link adds confidentiality and integrity in transit. Option D is a narrower alternative: MACsec encrypts only the physical link between the customer router and the Direct Connect device, is available only on dedicated connections, and protects nothing beyond that hop. Option B is wrong because a public VIF reaches AWS public service endpoints, not VPC resources.

Option C is marked wrong because it describes a second VPN overlay on top of an already-private VIF; note, though, that the IPsec in option A is itself implemented as a Site-to-Site VPN running over the Direct Connect connection, so the two options differ mainly in wording.

288
MCQmedium

Refer to the exhibit. A security engineer runs the above command and sees the security group configuration. Based on the output, which statement is correct?

A.The security group has no outbound rules.
B.The security group allows SSH access from any IP address.
C.The security group allows HTTP traffic from the internet.
D.The security group is associated with multiple EC2 instances.
AnswerC

HTTP is allowed from 0.0.0.0/0.

Why this answer

The security group allows HTTP (TCP 80) from anywhere (0.0.0.0/0) and SSH only from a specific IP range, and its outbound rule allows all traffic. Option C is correct.

Option B is incorrect because SSH is not open to all. Option A is incorrect because there is an outbound rule (the default allow-all egress). Option D is incorrect because the output describes a single security group and says nothing about how many instances are associated with it.

289
Multi-Selectmedium

A security engineer is designing a VPC with public and private subnets. The company requires that all outbound traffic from private subnets to the internet must go through a single IP address for whitelisting by third-party services. Which TWO actions should the engineer take?

Select 2 answers
A.Use a VPC Peering connection to a central VPC with an Internet Gateway.
B.Deploy a NAT Gateway in a private subnet.
C.Configure the private subnet route table with a default route to an Internet Gateway.
D.Deploy a NAT Gateway in a public subnet and assign an Elastic IP.
E.Attach an Internet Gateway to the VPC.
AnswersD, E

Correct placement and IP assignment for outbound traffic.

Why this answer

A NAT Gateway in a public subnet with an Elastic IP (option D) lets private instances reach the internet through a single, stable source address, and the internet gateway (option E) is what carries the NAT Gateway's traffic out of the VPC. The private subnet route tables must point the default route (0.0.0.0/0) to the NAT Gateway. Option B is wrong because a NAT Gateway in a private subnet has no path to the internet, and option C is wrong because a default route to the internet gateway turns the private subnet into a public one. Note that a NAT Gateway is zonal: if one is deployed per Availability Zone for resilience, each has its own Elastic IP and all of them must be allow-listed by the third party.

290
MCQeasy

A company runs a web application on EC2 instances in an Auto Scaling group across two Availability Zones. The instances are behind an Application Load Balancer. The security team wants to ensure that only the ALB can send traffic to the instances. The instances are in a security group named 'app-sg'. Currently, 'app-sg' has an inbound rule allowing HTTP traffic from 0.0.0.0/0. The team wants to restrict access to only the ALB's security group. The ALB is in a security group named 'alb-sg'. Which course of action should the security engineer take to meet the requirement with minimal disruption?

A.Modify the inbound rule of 'app-sg' to allow HTTP traffic from the private IP addresses of the ALB nodes.
B.Modify the inbound rule of 'app-sg' to allow HTTPS traffic from 0.0.0.0/0 and remove the HTTP rule.
C.Modify the inbound rule of 'app-sg' to allow HTTP traffic from the ALB's elastic network interface (ENI).
D.Modify the inbound rule of 'app-sg' to allow HTTP traffic from security group 'alb-sg'.
AnswerD

Correct: This restricts inbound traffic to only the ALB, as the ALB is associated with 'alb-sg'.

Why this answer

Option D is correct because security groups can reference each other by ID, allowing traffic from any instance associated with the source security group (alb-sg) without needing to know the ALB's IP addresses. This ensures that only the ALB can send HTTP traffic to the EC2 instances, as the rule dynamically applies to all ALB nodes across Availability Zones. It also minimizes disruption because no IP changes are required, and the rule automatically scales with the ALB.

Exam trap

The trap here is that candidates may think they need to use the ALB's private IP addresses or ENI details, but AWS security groups support referencing other security groups by ID, which is the correct and scalable method for this use case.

How to eliminate wrong answers

Option A is wrong because ALB nodes use elastic network interfaces (ENIs) with private IPs that can change during scaling or replacement, making this approach brittle and requiring constant updates; it also violates the principle of using security group references for dynamic environments. Option B is wrong because allowing HTTPS from 0.0.0.0/0 still permits traffic from any source, failing to restrict access to only the ALB, and removing the HTTP rule does not address the requirement. Option C is wrong because referencing an ALB's ENI is not a valid security group rule source; security groups can only reference other security groups or CIDR blocks, not specific ENIs.
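The three-tier design from question 285 and the ALB-to-instance rule from question 290 both rest on one property: a security group rule can name another security group as its source, and the rule then follows whatever network interfaces carry that group rather than any IP address. The following is an added example, not code from the quiz page or from AWS: it models security-group evaluation locally (allow-only rules, CIDR or group-reference sources, stateful replies) and also emits the `IpPermissions` shape that `ec2.authorize_security_group_ingress` expects. Group IDs, addresses and ports are constructed for the illustration.

```python
"""Three-tier security group design, modelled locally (added example; it is
not code from the quiz page or from AWS). The rules, group IDs, addresses and
ports are constructed for the illustration. The model captures the two
properties questions 285 and 290 rely on: a rule can name a source security
group instead of an address range, and evaluation is allow-only and stateful."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None        # e.g. "0.0.0.0/0"
    source_sg: Optional[str] = None   # e.g. "sg-web"; exactly one of cidr / source_sg


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Source:
    """The sending interface: its IP and the security groups attached to it
    (empty for a host on the internet)."""
    ip: str
    groups: FrozenSet[str] = frozenset()


def rule_matches(rule: Rule, src: Source, proto: str, port: int) -> bool:
    if rule.proto != proto or not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source_sg is not None:
        # Group reference: matches any ENI that carries that group, whatever its IP
        return rule.source_sg in src.groups
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.cidr)


def inbound_allowed(dst: SecurityGroup, src: Source, proto: str, port: int) -> bool:
    """Security groups hold only allow rules: one matching ingress rule admits the
    connection, and because they are stateful the replies are admitted without
    an egress rule, so egress is not modelled here."""
    return any(rule_matches(r, src, proto, port) for r in dst.ingress)


def to_ip_permission(rule: Rule) -> Dict:
    """Shape of one IpPermissions entry as passed to
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...])."""
    perm = {"IpProtocol": rule.proto, "FromPort": rule.from_port, "ToPort": rule.to_port}
    if rule.source_sg is not None:
        perm["UserIdGroupPairs"] = [{"GroupId": rule.source_sg}]
    else:
        perm["IpRanges"] = [{"CidrIp": rule.cidr}]
    return perm


# Constructed topology: internet -> web tier (443) -> app tier (8080) -> database (5432)
WEB = SecurityGroup("sg-web", [Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
APP = SecurityGroup("sg-app", [Rule("tcp", 8080, 8080, source_sg="sg-web")])
DB = SecurityGroup("sg-db", [Rule("tcp", 5432, 5432, source_sg="sg-app")])

INTERNET = Source("203.0.113.7")
WEB_NODE = Source("10.0.1.10", frozenset({"sg-web"}))
APP_NODE = Source("10.0.2.10", frozenset({"sg-app"}))
# A replacement web node (or a new ALB node in another AZ) gets a new IP but the same group
NEW_WEB_NODE = Source("10.0.11.23", frozenset({"sg-web"}))


def reachability() -> Dict[str, bool]:
    return {
        "internet->web:443": inbound_allowed(WEB, INTERNET, "tcp", 443),
        "internet->app:8080": inbound_allowed(APP, INTERNET, "tcp", 8080),
        "web->app:8080": inbound_allowed(APP, WEB_NODE, "tcp", 8080),
        "web->db:5432": inbound_allowed(DB, WEB_NODE, "tcp", 5432),
        "app->db:5432": inbound_allowed(DB, APP_NODE, "tcp", 5432),
        "new-web-node->app:8080": inbound_allowed(APP, NEW_WEB_NODE, "tcp", 8080),
    }


if __name__ == "__main__":
    for path, ok in reachability().items():
        print(f"{path:28} {'allow' if ok else 'deny'}")
    print(to_ip_permission(APP.ingress[0]))
```

The last scenario is the point of the group reference: the replacement node has an address no rule mentions, yet it is admitted because it carries `sg-web`, whereas a rule written against `10.0.1.10` would have silently broken. The `UserIdGroupPairs` entry is the wire form of that reference; `IpRanges` is what a CIDR rule becomes.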

291
MCQeasy

A company has an S3 bucket that contains sensitive data. The security team wants to ensure that all access to the bucket is encrypted in transit. Which policy should be attached to the bucket to enforce this?

A.Configure a bucket policy that denies requests that do not include the x-amz-server-side-encryption header.
B.Attach a bucket policy that denies requests when aws:SecureTransport is false.
C.Enable default encryption on the bucket using SSE-S3.
D.Use Amazon CloudFront to serve the content and require HTTPS.
AnswerB

This enforces HTTPS for all requests.

Why this answer

Option B is correct. A bucket policy Deny statement with the condition Bool aws:SecureTransport = false rejects every request made over plain HTTP, so only TLS connections to the bucket succeed. Option C (default encryption with SSE-S3) is encryption at rest.

Option A (requiring the x-amz-server-side-encryption header) is also at rest. Option D (CloudFront requiring HTTPS) does nothing for clients that call the S3 endpoint directly.

292
MCQeasy

A company wants to ensure that all traffic to and from an Amazon RDS instance is encrypted in transit. Which solution should the security engineer implement?

A.Enable encryption at rest using AWS KMS.
B.Configure the database to require SSL/TLS connections and modify clients to connect using SSL.
C.Use an S3 bucket policy to enforce encryption in transit for all S3 traffic.
D.Use an AWS Transit Gateway to route traffic through a central VPC.
AnswerB

SSL/TLS encrypts data in transit between the client and the RDS instance.

Why this answer

Option B is correct because encrypting data in transit for Amazon RDS requires enforcing SSL/TLS on the database instance and configuring client connections to use it. This ensures that all traffic between the client and the RDS instance is encrypted with TLS, protecting against eavesdropping and, when the client also verifies the server certificate against the RDS CA bundle, against man-in-the-middle attacks. Amazon RDS supports SSL/TLS for all database engines; the server-side enforcement is a parameter group setting such as require_secure_transport (MySQL, MariaDB) or rds.force_ssl (PostgreSQL, SQL Server).

Exam trap

The trap here is that candidates confuse encryption at rest (KMS) with encryption in transit (SSL/TLS), leading them to select Option A, which does not address network traffic encryption.

How to eliminate wrong answers

Option A is wrong because encryption at rest using AWS KMS protects data stored on disk, not data in transit; it does not encrypt network traffic between clients and the RDS instance. Option C is wrong because an S3 bucket policy enforces encryption in transit for S3 traffic only, not for RDS traffic; it is irrelevant to RDS connectivity. Option D is wrong because an AWS Transit Gateway is used to route traffic between VPCs and on-premises networks, not to enforce encryption; it does not provide any encryption of data in transit between clients and RDS.

293
Multi-Selecthard

Which THREE are AWS best practices for securing an Amazon EC2 instance? (Choose three.)

Select 3 answers
A.Store database credentials in instance metadata for easy retrieval.
B.Launch instances in the default VPC for easier network configuration.
C.Use security groups to control inbound and outbound traffic.
D.Disable password-based authentication and use SSH key pairs instead.
E.Regularly apply security patches using AWS Systems Manager Patch Manager.
AnswersC, D, E

Security groups are the primary mechanism for controlling network traffic to EC2 instances.

Why this answer

The correct answers are C, D, and E. Option C is correct because security groups act as a virtual firewall for the instance. Option D is correct because disabling password-based SSH access in favor of key pairs removes the password-guessing attack surface.

Option E is correct because AWS Systems Manager Patch Manager keeps instances patched on a schedule. Option B is wrong because the default VPC's subnets are public: instances receive public IPs automatically and the route table points at an internet gateway, so best practice is a custom VPC with private subnets and explicit rules. Option A is wrong because anything placed in instance metadata or user data is readable by every process on the instance and by anyone who reaches the metadata service through an SSRF bug; use AWS Secrets Manager or Systems Manager Parameter Store instead.

294
MCQeasy

A company wants to restrict access to an Amazon S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition key should be used?

A.s3:x-amz-server-side-encryption-customer-key
B.s3:x-amz-server-side-encryption-aws-kms-key-id
C.kms:EncryptionContext
D.s3:x-amz-server-side-encryption
AnswerB

This condition key in a bucket policy can enforce that objects are encrypted with a specific KMS key.

Why this answer

The correct answer is B because the s3:x-amz-server-side-encryption-aws-kms-key-id condition key allows you to require that uploaded objects be encrypted with a specific KMS key. Option D is wrong because s3:x-amz-server-side-encryption checks only the encryption type requested (AES256 or aws:kms), not which key; it is the right key to use if any KMS key is acceptable, but it cannot pin the key. Option C is wrong because kms:EncryptionContext is evaluated in KMS key policies, not in S3 bucket policies.

Option A is wrong because s3:x-amz-server-side-encryption-customer-key is for SSE-C. In all cases the enforcement is a Deny statement on s3:PutObject, and it is worth adding a Null condition for the header as well so that uploads with no encryption header at all are denied explicitly.
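The three bucket-policy conditions on this page (aws:SourceVpc in question 284, aws:SecureTransport in question 291, and the SSE-KMS key id above) all work the same way: a Deny statement whose condition is evaluated against the request context. The block below is an added example, not code from the quiz page or from AWS. It builds one bucket policy containing all three controls and runs a small evaluator over constructed request contexts, modelling only the Deny side of IAM evaluation for the operators these statements use, including IAM's behaviour that a negated operator such as StringNotEquals is satisfied when the key is absent from the request. That absence is exactly what a console or CLI call made from outside the VPC looks like, which is why the VPC-only statement locks such callers out. The bucket name, VPC ID and KMS key ARN are placeholders.

```python
"""Bucket-policy Deny conditions for VPC-only access, HTTPS-only access and
uploads that must use a specific SSE-KMS key (added example; the policy and
the evaluator are constructed here and are not the quiz page's or AWS's code;
bucket name, VPC ID and KMS key ARN are placeholders)."""
import json
from typing import Dict, List

BUCKET = "arn:aws:s3:::example-sensitive-bucket"
VPC_ID = "vpc-0123456789abcdef0"
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SSE_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # aws:SourceVpc is set only on requests that arrive through a VPC endpoint
            "Sid": "DenyOutsideVpc", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpc": VPC_ID}},
        },
        {   # aws:SecureTransport is always present: "true" for TLS, "false" for plain HTTP
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # uploads must name the approved key (any other key, or no key, is denied)
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET + "/*",
            "Condition": {"StringNotEquals": {SSE_KEY_ID: KMS_KEY}},
        },
        {   # states the "header missing" case explicitly, independent of the rule above
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET + "/*",
            "Condition": {"Null": {SSE_KEY_ID: "true"}},
        },
    ],
}


def condition_met(operator: str, key: str, expected: str, ctx: Dict[str, str]) -> bool:
    present = key in ctx
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":   # a negated operator matches when the key is absent
        return (not present) or ctx[key] != expected
    if operator == "Bool":
        return present and ctx[key].lower() == expected.lower()
    if operator == "Null":              # "true" means: match when the key is absent
        return (not present) == (expected.lower() == "true")
    raise ValueError(f"operator {operator} is not modelled")


def action_matches(pattern: str, action: str) -> bool:
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def denied_by(policy: Dict, action: str, ctx: Dict[str, str]) -> List[str]:
    """Sids of the Deny statements whose conditions all hold for this request.
    Resource matching is not modelled (every statement here covers the bucket).
    An empty list means 'not denied by the bucket policy', not 'allowed': an
    Allow from IAM or the bucket policy is still required."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not action_matches(st["Action"], action):
            continue
        conds = [(op, k, v) for op, kv in st.get("Condition", {}).items() for k, v in kv.items()]
        if all(condition_met(op, k, v, ctx) for op, k, v in conds):
            hits.append(st["Sid"])
    return hits


# Constructed request contexts
FROM_VPC_TLS = {"aws:SourceVpc": VPC_ID, "aws:SecureTransport": "true"}
FROM_VPC_HTTP = {"aws:SourceVpc": VPC_ID, "aws:SecureTransport": "false"}
FROM_LAPTOP_TLS = {"aws:SecureTransport": "true"}   # no VPC endpoint, so no aws:SourceVpc
OTHER_KEY = KMS_KEY.replace("1234abcd", "ffffffff")


def scenarios() -> Dict[str, List[str]]:
    return {
        "get from vpc over tls": denied_by(BUCKET_POLICY, "s3:GetObject", FROM_VPC_TLS),
        "get from vpc over http": denied_by(BUCKET_POLICY, "s3:GetObject", FROM_VPC_HTTP),
        "get from laptop over tls": denied_by(BUCKET_POLICY, "s3:GetObject", FROM_LAPTOP_TLS),
        "put with approved key": denied_by(BUCKET_POLICY, "s3:PutObject",
                                          {**FROM_VPC_TLS, SSE_KEY_ID: KMS_KEY}),
        "put with other key": denied_by(BUCKET_POLICY, "s3:PutObject",
                                       {**FROM_VPC_TLS, SSE_KEY_ID: OTHER_KEY}),
        "put with sse-s3 only": denied_by(BUCKET_POLICY, "s3:PutObject",
                                         {**FROM_VPC_TLS, "s3:x-amz-server-side-encryption": "AES256"}),
    }


def policy_json() -> str:
    """The document as you would pass it to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


if __name__ == "__main__":
    for name, sids in scenarios().items():
        print(f"{name:26} -> {sids or 'not denied'}")
```

Two of the scenarios show the edge cases worth remembering: the laptop request over TLS is denied purely because aws:SourceVpc is missing, and an SSE-S3 upload is caught twice, by the StringNotEquals statement (absent key) and by the explicit Null statement. Test the policy against a copy of the bucket before applying it, and keep a break-glass path (for example an explicit role exception in the VPC statement) so the policy cannot lock out its own administrators.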

295
Multi-Selecthard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket to store logs. The security team wants to ensure that traffic does not traverse the internet. Which solution should be used? (Choose two.)

Select 2 answers
A.Create an S3 Gateway Endpoint in the VPC
B.Attach a VPC Endpoint Policy to the Gateway Endpoint to restrict access to the specific bucket
C.Attach an Internet Gateway to the VPC
D.Create an S3 Interface Endpoint in the VPC
E.Use a NAT Gateway to route the traffic to the internet
AnswersA, B

Provides private connectivity to S3.

Why this answer

A VPC Gateway Endpoint (option A) allows instances in a private subnet to access S3 without traversing the internet: the endpoint adds a route for the S3 prefix list to the subnet's route table, so S3 traffic stays on the AWS network and no Internet Gateway or NAT Gateway is needed. An endpoint policy on that gateway (option B) then limits which buckets can be reached through it, so the private path cannot be used to copy data to an arbitrary bucket in another account.

Exam trap

The trap here is that candidates often confuse Gateway Endpoints with Interface Endpoints. A Gateway Endpoint is the usual and free choice for S3 access from within a VPC. S3 also supports Interface Endpoints (option D), which are billed per hour and per GB and are mainly needed when S3 must be reached from on-premises networks over Direct Connect or VPN, so the question treats them as the distractor here.

296
Multi-Selecthard

A security engineer is designing a multi-account strategy using AWS Organizations. The engineer needs to centrally manage network security across all accounts. Which TWO AWS services are most appropriate for this task?

Select 2 answers
A.AWS Firewall Manager
B.AWS Network Firewall
C.VPC Peering
D.AWS WAF
E.Amazon GuardDuty
AnswersA, B

Firewall Manager provides centralized management of firewall rules across accounts and resources.

Why this answer

Option A (AWS Firewall Manager) is correct because it centrally deploys and audits firewall policies across all accounts in the organization. Option B (AWS Network Firewall) is correct because it provides the stateful network-level inspection that Firewall Manager rolls out to each VPC. Option E (Amazon GuardDuty) is threat detection, not enforcement.

Option D (AWS WAF) is a web application firewall, not network-level security on its own (although Firewall Manager can manage WAF policies too). Option C (VPC Peering) is a connectivity option, not a management service.

297
Multi-Selectmedium

A security engineer is configuring a VPC with public and private subnets. The engineer wants to ensure that the private subnet instances cannot initiate outbound connections to the internet but can receive responses from the internet if initiated from within the VPC. Which TWO configurations should be used?

Select 2 answers
A.Configure the private subnet security group to allow inbound traffic from the public subnet's security group.
B.Configure the private subnet route table to not have a route to an Internet Gateway or NAT Gateway.
C.Attach an Internet Gateway to the VPC and add a route to it in the private subnet route table.
D.Attach a NAT Gateway to the private subnet and add a route to it.
E.Configure the private subnet Network ACL to allow outbound traffic to 0.0.0.0/0.
AnswersA, B

Allows responses from public subnet.

Why this answer

Options A and B are correct. With no route to an internet gateway or a NAT gateway (option B), instances in the private subnet have no path on which to initiate connections to the internet. The security group rule that admits traffic from the public subnet's security group (option A) lets instances in the public tier connect inward, and because security groups are stateful the replies flow back without any outbound rule.

Option C is wrong because a route to an internet gateway makes the subnet public. Option D is wrong because a NAT gateway exists precisely to let private instances initiate outbound connections, which the requirement forbids.

Option E is wrong because a permissive NACL egress rule changes nothing without a route, and NACLs are stateless, so return traffic depends on the rules in both directions anyway.

298
MCQmedium

A company wants to provide its developers with IAM roles that allow them to launch EC2 instances with specific security groups. The security team wants to ensure that developers cannot launch instances without a security group. How can this be enforced?

A.Create a service control policy that allows only the use of specific security groups.
B.Use an SCP to deny launching instances without a security group.
C.Add a condition in the IAM policy that requires the ec2:SecurityGroup parameter to have a specific value.
D.Configure the VPC to have no default security group.
AnswerC

For example, by scoping the security-group resource in the ec2:RunInstances Allow statement to the approved group IDs (or to groups with a particular ec2:ResourceTag), the launch is denied whenever any other group is attached.

Why this answer

Option C is correct because RunInstances is authorized against every resource involved in the launch, including each security group, so an IAM policy can restrict which groups a developer may attach. Option D is wrong because the default security group cannot be deleted, and it is attached automatically when none is specified. Option B is wrong because an instance is never launched without a security group (the default group is used), so there is nothing for that SCP to deny.

Option A is wrong because SCPs set the maximum permissions for an account; they do not grant access and are the wrong tool for a per-developer allow list.

299
Multi-Selecthard

Which THREE measures can be taken to secure a VPC's network boundary? (Choose three.)

Select 3 answers
A.Attach an S3 bucket policy to restrict access to the bucket.
B.Use security groups to control inbound and outbound traffic at the instance level.
C.Attach an internet gateway to the VPC.
D.Use network ACLs to add an additional layer of stateless filtering at the subnet level.
E.Enable VPC Flow Logs to capture and analyze traffic metadata.
AnswersB, D, E

Security groups are stateful firewalls for instances.

Why this answer

Security groups (option B) act as a virtual firewall for EC2 instances, controlling inbound and outbound traffic at the instance level (stateful). They are a fundamental measure for securing the VPC network boundary by allowing only specified traffic to reach the instances, based on rules that evaluate source/destination, protocol, and port. Network ACLs (option D) add a stateless layer at the subnet level, and are the only place in the VPC where explicit deny rules can be written. VPC Flow Logs (option E) do not block anything but capture the accepted and rejected flows needed to detect scanning, data exfiltration and misconfigured rules. Option A is a resource policy for S3, not a network control, and option C adds connectivity rather than restricting it.

Exam trap

The trap here is confusing network security controls (security groups, network ACLs, VPC Flow Logs) with resource-level policies (S3 bucket policies) or connectivity components (internet gateway), leading candidates to select options that do not directly secure the VPC's network boundary.

300
MCQeasy

A company wants to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile applications. Which AWS service should the company use?

A.AWS Security Token Service (STS)
B.AWS Single Sign-On (SSO)
C.AWS Identity and Access Management (IAM) users
D.Amazon Cognito user pools
AnswerA

STS issues temporary, limited-privilege credentials for users.

Why this answer

Option A is correct because AWS STS issues temporary, limited-privilege credentials. Option C is wrong because IAM users have long-term credentials. Option D is wrong because Cognito user pools issue JWTs for application sign-in; AWS credentials for a mobile app come from a Cognito identity pool, which itself calls STS to obtain them.

Option B is wrong because SSO (IAM Identity Center) provides federated workforce access to AWS accounts, not credentials for mobile application users.
