CCNA Infrastructure Security Questions

28 of 328 questions · Page 5/5 · Infrastructure Security topic · Answers revealed

301
MCQ · medium

A company is using AWS WAF to protect a web application. The security team notices that a specific IP address is generating a high volume of requests and triggering the WAF rate-based rule. However, the IP address is a legitimate partner's static IP. What should the security team do to allow this IP while still protecting against other malicious traffic?

A. Add a rule with an IP set condition that allows the partner's IP as an exception to the rate-based rule.
B. Create an IP set and whitelist the IP address in the web ACL default action.
C. Increase the rate limit for the rate-based rule to accommodate the partner's traffic.
D. Disable the rate-based rule for the partner's IP by modifying the rule scope.
Answer: A

This allows the partner's IP to exceed the rate limit while other traffic is still rate-limited.

Why this answer

Option A is correct because adding a WAF IP set condition that allows the partner's IP as an exception to the rate-based rule ensures that legitimate traffic is not blocked while other traffic is still subject to the rule. Option B is wrong because whitelisting the IP in the web ACL would bypass all rules, not just the rate-based rule. Option C is wrong because increasing the rate limit would affect all traffic, potentially allowing malicious traffic.

Option D is wrong because WAF rate-based rules cannot be disabled for a specific IP directly; an IP set condition is needed.
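What the correct answer looks like as an AWS WAFv2 rule definition, added here as an illustration (it is not part of the question bank): the rate-based statement carries a scope-down statement that excludes the partner's IP set, so requests from that IP set are neither counted nor blocked by this rule, while every other rule in the web ACL still applies to them. The rule name, the limit of 2000 requests per five minutes and the IP set ARN placeholders are assumptions.

```json
{
  "Name": "RateLimitExceptPartner",
  "Priority": 10,
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitExceptPartner"
  },
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "NotStatement": {
          "Statement": {
            "IPSetReferenceStatement": {
              "ARN": "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/partner-static-ip/IPSET_ID"
            }
          }
        }
      }
    }
  }
}
```

This is the difference between options A and B in practice: the scope-down exception only exempts the partner from the rate limit, whereas allowing the IP set in the web ACL default action would exempt it from every managed and custom rule as well.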

302
MCQ · medium

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The security team wants to restrict access to the ALB so that it only accepts traffic from CloudFront. Which configuration should be used?

A. Configure the ALB to be internal and place it in a VPC with a CloudFront VPC origin.
B. Configure the ALB to require a specific header 'X-CloudFront-Origin' and reject requests without it.
C. Configure the ALB to use an IAM role that allows only CloudFront to invoke the ALB.
D. Configure the ALB security group to allow inbound traffic only from the CloudFront origin IP ranges published by AWS.
Answer: D

This restricts ALB access to CloudFront IPs, preventing direct internet access.

Why this answer

Option D is correct because configuring the ALB security group to allow traffic only from CloudFront's IP ranges ensures that only CloudFront can reach the ALB. Option A is wrong because CloudFront does not require a VPC origin; the ALB is a regional endpoint. Option B is wrong because the ALB cannot authenticate the CloudFront user agent.

Option C is wrong because CloudFront cannot use an IAM role to access the ALB.

303
MCQ · easy

A company wants to ensure that all data sent to an S3 bucket is encrypted in transit. Which policy statement should be added to the bucket policy?

A. Allow if aws:SecureTransport is false
B. Deny unless aws:SecureTransport is false
C. Allow if aws:SecureTransport is true
D. Deny if aws:SecureTransport is false
Answer: D

Denies HTTP, forces HTTPS.

Why this answer

Option D is correct because a Deny statement with the condition 'aws:SecureTransport' equal to 'false' rejects plain HTTP requests, so every request must use HTTPS. Option B is wrong because it denies HTTPS. Option A is wrong because it allows HTTP.

Option C is wrong because it allows both.

304
Multi-Select · easy

A company wants to use AWS CloudTrail to log all API calls in an AWS account. The security engineer needs to ensure that the logs are encrypted at rest and are accessible only to authorized personnel. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A. Enable MFA delete on the S3 bucket.
B. Enable server-side encryption on the S3 bucket that stores CloudTrail logs.
C. Attach a service control policy (SCP) to the root account.
D. Create an IAM policy that grants access to the S3 bucket only to specific users or roles.
E. Configure the S3 bucket policy to require encrypted connections (aws:SecureTransport).
Answers: B, D, E

Encrypts logs at rest.

Why this answer

Options B, D, and E are correct. Enabling SSE-S3 or SSE-KMS ensures encryption at rest. Using a bucket policy with conditions for HTTPS ensures encryption in transit.

Applying an IAM policy to restrict access ensures only authorized personnel can access logs. Option C is wrong because SCPs apply at the organization level, not account-level log access. Option A is wrong because MFA delete does not encrypt logs.

305
MCQ · hard

A security engineer needs to ensure that all data in transit between an Application Load Balancer (ALB) and EC2 instances is encrypted. What configuration is required?

A. Configure the security group to allow traffic on port 443.
B. Configure the ALB listener with HTTPS protocol.
C. Configure the ALB to terminate TLS connections.
D. Configure the target group to use HTTPS protocol.
Answer: D

Target group protocol determines backend encryption.

Why this answer

To encrypt traffic between the ALB and EC2, the target group must use the HTTPS protocol, so Option D is correct. The listener protocol (B) covers client-to-ALB traffic only.

The security group (A) controls access, not encryption. TLS termination (C) applies to the listener, not the backend.

306
Multi-Select · hard

A company is using AWS Organizations to manage multiple accounts. The security team wants to restrict the use of specific instance types across all accounts. Which two AWS services can enforce this restriction? (Choose TWO.)

Select 2 answers
A. Service control policies (SCPs)
B. IAM policies
C. VPC Flow Logs
D. AWS CloudTrail
E. AWS Config rules
Answers: A, E

SCPs can restrict instance types across all accounts.

Why this answer

Options A and E are correct. SCPs in AWS Organizations can deny specific instance types across all accounts. AWS Config rules can evaluate instance types and trigger remediation.

Option B is wrong because IAM policies are per-account and cannot be applied across all accounts centrally. Option D is wrong because CloudTrail only logs. Option C is wrong because VPC Flow Logs monitor network traffic.

307
MCQ · easy

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all Amazon S3 buckets across the organization have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which approach should be used to enforce this policy?

A. Create an S3 bucket policy in each account to deny access to unencrypted buckets.
B. Use AWS Config rules to detect buckets without encryption and send alerts.
C. Create an IAM role in each account that requires encryption when creating buckets.
D. Create a service control policy (SCP) that denies s3:CreateBucket if the bucket does not have encryption enabled.
Answer: D

SCPs allow central policy enforcement across all accounts in the organization.

Why this answer

Option D is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally deny API actions across all accounts. By creating an SCP that denies `s3:CreateBucket` unless the request includes encryption parameters (SSE-S3 or SSE-KMS), you enforce encryption at the point of bucket creation, preventing non-compliant buckets from ever being created. This is the only approach that proactively enforces the policy across the entire organization, rather than relying on detection or per-account configurations.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config) with preventive controls (like SCPs), or assume that bucket policies or IAM roles can enforce encryption at creation time, when only SCPs can centrally deny the API call across an entire organization.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies control access to existing buckets, not the creation of buckets; they cannot prevent an unencrypted bucket from being created. Option B is wrong because AWS Config rules are detective, not preventive; they can alert on non-compliant buckets but do not enforce encryption at creation time. Option C is wrong because IAM roles are per-account and cannot enforce a policy across all accounts in an organization; additionally, IAM roles control who can create buckets but do not enforce encryption requirements on the bucket itself.

308
Multi-Select · easy

A company uses AWS Systems Manager Session Manager to provide SSH access to EC2 instances without needing to open inbound ports. The security team wants to ensure that all session activity is logged and that only authorized users can start sessions. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A. Configure the EC2 instances to require SSH key pairs for authentication.
B. Enable AWS CloudTrail to log StartSession API calls.
C. Enable VPC Flow Logs to monitor network traffic.
D. Create IAM policies that allow the ssm:StartSession action only for specific users or roles.
E. Use security groups to restrict inbound traffic to the Session Manager endpoints.
Answers: B, D

CloudTrail logs all API calls, including Session Manager starts.

Why this answer

Options B and D are correct. Enabling CloudTrail logging captures API calls like StartSession. Using IAM policies with conditions to allow specific users is the standard way to control access.

Option A is not needed because Session Manager doesn't require SSH keys. Option E is not the primary method; IAM policies are used. Option C is unrelated.

309
MCQ · hard

A company uses AWS Key Management Service (KMS) to encrypt data at rest. The security team needs to ensure that only specific IAM roles can use a particular KMS key to encrypt and decrypt data. What is the most secure way to achieve this?

A. Create an IAM policy that allows kms:Encrypt and kms:Decrypt for the roles and attach it to the roles.
B. Create a KMS key policy that grants access only to the specific IAM roles using the kms:CallerArn condition.
C. Create a KMS key policy that grants access to the account and use IAM policies to restrict the roles.
D. Create a KMS key policy with Principal "*" and a condition that the request originates from the roles.
Answer: B

This restricts key usage to the specified roles.

Why this answer

Option B is correct because using a key policy with a condition for the kms:CallerArn attribute restricts usage to the specified roles. Option A is wrong because IAM policies alone cannot restrict KMS key usage if the key policy allows all principals. Option C is wrong because key policy with Principal "*" grants access to all, even with a condition.

Option D is wrong because a condition for the IAM role's ARN is not a standard KMS condition key.

310
MCQ · hard

Refer to the exhibit. A security engineer is reviewing this CloudFormation template. What security risk is present in this configuration?

A. The template does not associate the security group with the instance, so the instance has no security group.
B. HTTP access is allowed from all IP addresses (0.0.0.0/0) which is a security risk.
C. SSH access is allowed from a large internal CIDR block (10.0.0.0/8) which could expose the instance to unnecessary internal threats.
D. The template uses SecurityGroups property instead of SecurityGroupIds, which is deprecated.
Answer: C

10.0.0.0/8 is a large range; should be more restrictive.

Why this answer

Option C is correct. The SSH port (22) is open to the internal CIDR block 10.0.0.0/8, which is unnecessarily broad. It should be restricted to specific IPs or a security group.

Option B is incorrect because HTTP (80) from 0.0.0.0/0 is common for web servers. Option D is incorrect because the template uses a SecurityGroups property, not a SecurityGroupIds property. Option A is incorrect because the template does reference a security group.

311
MCQ · hard

A security engineer is designing a network architecture for a three-tier web application. The web tier must be accessible from the internet, the application tier should only be accessible from the web tier, and the database tier should only be accessible from the application tier. Which combination of security groups should be used?

A. Web: 0.0.0.0/0 on ports 80/443; App: Web SG on port 8080; DB: App SG on port 3306
B. Web: 0.0.0.0/0 on ports 80/443 and SSH; App: Web SG on port 8080; DB: App SG on port 3306
C. Web: 0.0.0.0/0 on all ports; App: Web SG on all ports; DB: App SG on all ports
D. Web: 0.0.0.0/0 on ports 80/443; App: Web SG on ports 8080; DB: App SG on port 3306
Answer: A

Correct use of security group references.

Why this answer

Option A is correct because it uses security groups as source references for the application and database tiers, ensuring traffic only from the required tiers. Option D is wrong because it allows all traffic to the web tier via 0.0.0.0/0 but doesn't restrict the app tier properly. Option B is wrong because it allows SSH from anywhere.

Option C is wrong because it allows all traffic between tiers.
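The security group chain from the correct answer, written out as a CloudFormation template in JSON. This is an added example, not part of the question bank: each downstream tier admits traffic only from the upstream tier's security group (SourceSecurityGroupId) rather than from a CIDR, so membership in the group, not an address, is what grants access. The VpcId parameter and the logical resource names are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Three-tier security groups chained by source security group references (added example)",
  "Parameters": {
    "VpcId": { "Type": "AWS::EC2::VPC::Id" }
  },
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier: HTTP and HTTPS from the internet only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" },
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0" }
        ]
      }
    },
    "AppSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "App tier: port 8080 from the web tier security group only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "SourceSecurityGroupId": { "Ref": "WebSG" } }
        ]
      }
    },
    "DbSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "DB tier: port 3306 from the app tier security group only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "SourceSecurityGroupId": { "Ref": "AppSG" } }
        ]
      }
    }
  }
}
```

Because security groups are stateful, no outbound rules are needed for the response traffic, and no inbound SSH rule appears anywhere (the trap in option B); administrative access would be handled separately, for example through Session Manager as in question 308.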

312
MCQ · hard

A company has the S3 bucket policy shown in the exhibit. The bucket contains sensitive data that should only be accessible from within the corporate network (10.0.0.0/16). However, users inside the corporate network report that they cannot access objects in the bucket. What is the most likely cause?

A. Users do not have the appropriate IAM role assigned.
B. Users are accessing the bucket through a VPC endpoint, which changes the source IP.
C. The policy does not have a Deny statement.
D. The bucket policy requires SSL but the connection is not using HTTPS.
Answer: B

VPC endpoints use private IPs; the IpAddress condition may not match.

Why this answer

Option B is correct because the condition uses IpAddress, which evaluates the source IP of the request. If users are accessing via a VPC endpoint, the source IP is not the client IP but the endpoint's private IP, which may not be in the specified range. Option C is wrong because a condition exists.

Option A is wrong because IAM roles are not relevant to the public policy. Option D is wrong because SSL is not required by the policy.

313
Matching · medium

Match each AWS Storage service encryption feature to its description.


Concepts

Server-side encryption with S3 managed keys

Server-side encryption with AWS KMS

Server-side encryption with customer-provided keys

Encryption at rest for EBS volumes

Encryption at rest for RDS instances

Why these pairings

Different encryption options for AWS storage services.

314
MCQ · hard

A company wants to audit all API calls made to Amazon S3 within a specific AWS account. Which combination of services should be used to meet this requirement?

A. AWS CloudTrail and Amazon CloudWatch Logs.
B. Amazon Inspector and Amazon CloudWatch Logs.
C. Amazon GuardDuty and Amazon CloudWatch Logs.
D. AWS Config and Amazon CloudWatch Logs.
Answer: A

CloudTrail logs all API calls, and CloudWatch Logs can store and monitor them.

Why this answer

The correct answer is A because AWS CloudTrail logs API calls, and Amazon CloudWatch Logs can be used to store and monitor those logs. Option B is wrong because Amazon Inspector is a vulnerability assessment service, not an audit logging service. Option D is wrong because AWS Config records resource configuration changes, not API calls.

Option C is wrong because Amazon GuardDuty is a threat detection service; it does not log API calls.

315
MCQ · hard

A security engineer needs to ensure that an EC2 instance can only be launched using an approved Amazon Machine Image (AMI) from a specific AWS account. Which AWS service should be used to enforce this requirement?

A. AWS Service Catalog
B. IAM policies
C. AWS Config
D. AWS Image Builder
Answer: A

Service Catalog can enforce launch of only approved AMIs.

Why this answer

Option A is correct because AWS Service Catalog allows organizations to create and manage a catalog of approved products, including EC2 instances with specific AMIs. Option C is wrong because AWS Config can detect noncompliant instances but does not prevent launch. Option B is wrong because IAM policies can restrict actions but not specific AMIs.

Option D is wrong because EC2 Image Builder builds images but does not enforce their use.

316
MCQ · medium

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC Endpoint are allowed. Which policy element should be used in the bucket policy?

A. aws:SourceVpc
B. aws:VpcSourceIp
C. aws:SourceIp
D. aws:SourceVpce
Answer: D

Restricts access to a specific VPC Endpoint.

Why this answer

Option D is correct because 'aws:SourceVpce' is the condition key that specifies the VPC endpoint ID used to restrict access to a specific VPC endpoint. Option A is wrong because 'aws:SourceVpc' specifies a VPC ID, not an endpoint ID. Option B is wrong because 'aws:VpcSourceIp' is not a valid condition key.

Option C is wrong because 'aws:SourceIp' is for IP-based restrictions, not VPC endpoints.

317
MCQ · medium

A security team needs to audit all changes to security group rules across multiple AWS accounts in an organization. Which combination of services should be used to meet this requirement?

A. Amazon CloudWatch Logs and AWS CloudTrail.
B. Amazon GuardDuty and AWS Security Hub.
C. AWS Trusted Advisor and AWS Config.
D. AWS Config and AWS CloudTrail.
Answer: D

AWS Config tracks resource changes; CloudTrail records API calls.

Why this answer

Option D is correct because AWS Config can track changes to security group rules, and CloudTrail logs the API calls that modify security groups. Option B is wrong because GuardDuty is for threat detection, not auditing changes. Option A is wrong because CloudWatch Logs does not natively capture configuration changes.

Option C is wrong because Trusted Advisor provides best-practice checks, not audit logging.

318
MCQ · medium

Refer to the exhibit. A security engineer deploys this CloudFormation template. An IAM role 'DataAccessRole' in the same account needs to read objects from the bucket. After deployment, users assume the role but get AccessDenied errors when trying to read objects. What is the MOST likely cause?

A. The IAM role is not attached to the EC2 instance profile.
B. The bucket is encrypted with SSE-KMS and the role lacks KMS permissions.
C. The PublicAccessBlockConfiguration is blocking the bucket policy.
D. The role does not have s3:ListBucket permission.
Answer: C

The settings BlockPublicPolicy and RestrictPublicBuckets can prevent the policy from granting access even to specific roles.

Why this answer

Option C is correct. 'BlockPublicPolicy: true' only rejects bucket policies that grant public access (to all users or to all authenticated users), and this policy grants access to a specific IAM role in the same account, so that setting alone would not block it. 'RestrictPublicBuckets: true', however, restricts access to the bucket owner and authorized AWS services, which can stop the role from being granted access through the bucket policy. Among the options given, the public access block configuration is therefore the most likely cause.

Option A is unlikely because the question states that users assume the role directly, so an EC2 instance profile is not involved. Option D is wrong because s3:GetObject does not require s3:ListBucket. Option B is wrong because the template does not mention KMS encryption.

319
MCQ · medium

A company wants to restrict access to an S3 bucket so that only objects uploaded with server-side encryption using AWS KMS are allowed. The bucket policy uses the 's3:x-amz-server-side-encryption' condition key. However, users can still upload unencrypted objects. What is the most likely reason?

A. The user's IAM policy overrides the bucket policy.
B. The bucket policy uses an Allow effect instead of Deny for the condition.
C. The condition key is misspelled.
D. The bucket policy does not explicitly deny s3:PutObject.
Answer: B

The condition must be used in a Deny statement to block unencrypted uploads. An Allow statement only permits encrypted uploads but does not prevent unencrypted ones.

Why this answer

Option B is correct because the condition key 's3:x-amz-server-side-encryption' must be combined with a Deny effect to block unencrypted uploads. Option C is wrong because the condition key is set to 'aws:kms', which is correct. Option D is wrong because the bucket policy does not need a separate, unconditional deny of the s3:PutObject action; a Deny with the condition works.

Option A is wrong because the bucket policy is evaluated before the user policy.

320
MCQ · hard

A company has a VPC with a public subnet and a private subnet. The public subnet contains a NAT gateway and a bastion host. The private subnet contains a web server that needs to be patched via the internet. The security engineer has configured the route tables: the public subnet route table has a default route to the Internet Gateway, and the private subnet route table has a default route to the NAT gateway. The web server can successfully initiate outbound connections to the internet to download patches. However, the security team notices that the web server is also receiving inbound connections from the internet on port 80. The web server's security group allows inbound HTTP from 0.0.0.0/0. What should the engineer do to prevent inbound internet traffic while still allowing outbound patching?

A. Change the private subnet's route table to have a default route to the Internet Gateway instead of the NAT gateway.
B. Modify the web server's security group to remove the inbound HTTP rule from 0.0.0.0/0.
C. Replace the NAT gateway with a NAT instance and configure it to block inbound traffic.
D. Add a network ACL to the private subnet that denies inbound HTTP traffic.
Answer: B

This blocks inbound traffic while allowing outbound-initiated traffic.

Why this answer

Option B is correct. Removing the inbound HTTP rule from the security group will block inbound traffic from the internet, while outbound traffic is still allowed because security groups are stateful and allow return traffic for outbound-initiated connections. Option A is incorrect because changing the route table would break outbound connectivity.

Option C is incorrect because the NAT gateway already handles outbound traffic; changing it would not help. Option D is incorrect because a network ACL would affect all traffic and could block return traffic for outbound connections.

321
MCQ · easy

A company is using AWS Shield Advanced to protect its web application against DDoS attacks. Which additional AWS service can be used to automatically mitigate application layer attacks?

A. AWS Network Firewall
B. Amazon GuardDuty
C. AWS Firewall Manager
D. AWS WAF
Answer: D

Integrates with Shield Advanced for application layer DDoS mitigation.

Why this answer

Option D (AWS WAF) is correct because it integrates with Shield Advanced for application layer DDoS mitigation. Option C (AWS Firewall Manager) is for managing rules. Option A (AWS Network Firewall) is for the network layer.

Option B (Amazon GuardDuty) is for threat detection.

322
Multi-Select · hard

A company has a VPC with public and private subnets. The private subnets contain Amazon RDS instances. The security team wants to ensure that the RDS instances are not accessible from the internet. Which combination of controls should the security team implement? (Choose TWO.)

Select 2 answers
A. Ensure that the route tables for the subnets containing RDS instances do not have a route to an internet gateway.
B. Configure security group inbound rules to allow only specific IP ranges and deny 0.0.0.0/0.
C. Place the RDS instances in public subnets with network ACLs blocking inbound traffic.
D. Add a network ACL rule to deny all inbound traffic to the RDS subnets.
E. Use an AWS WAF web ACL attached to the RDS instances.
Answers: A, B

Private subnets should not have a route to an internet gateway to prevent direct internet access.

Why this answer

To protect RDS instances from internet access, ensure that the security group does not allow inbound traffic from 0.0.0.0/0 and that the subnets hosting the RDS instances do not have a route to an internet gateway. Network ACLs are stateless and can also block traffic, but security group rules are more direct. Option B is correct because security groups should restrict inbound traffic.

Option A is correct because private subnets should not have a route to an internet gateway. Option D is incorrect because a NACL denying all inbound traffic would block legitimate traffic. Options C and E are incorrect because public subnets would allow internet access.

323
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize costs and avoid NAT Gateway or NAT Instance charges. Which solution should be used?

A. Deploy a proxy instance in a public subnet and configure the private instance to use the proxy.
B. Use an egress-only internet gateway for the private subnet.
C. Attach an internet gateway to the VPC and add a route to the private subnet route table pointing to the internet gateway.
D. Create a VPC Gateway Endpoint for S3 and configure the instance to download patches from S3.
Answer: D

Gateway Endpoints are free and allow access to S3 from private subnets.

Why this answer

Option D is correct: a VPC Gateway Endpoint serves S3 and DynamoDB rather than general internet access, so it only works if the patches are hosted on S3, but in that case the endpoint is free and no NAT device is needed. For general internet access, a NAT device would be required.

Option C is wrong because an internet gateway alone cannot be used from private subnets. Option B is wrong because an egress-only internet gateway is for IPv6. Option A is wrong because a proxy instance incurs costs.

324
MCQ · easy

A company wants to allow a developer to launch EC2 instances only in a specific subnet. The developer should not be able to use any other subnet. Which IAM policy action should be used to enforce this?

A. ec2:ModifySubnetAttribute
B. ec2:CreateTags
C. ec2:RunInstances
D. ec2:DescribeSubnets
Answer: C

This action launches instances and can be restricted by subnet.

Why this answer

Option C is correct because 'ec2:RunInstances' is the action for launching instances, and a condition on 'ec2:Subnet' can restrict the subnet. Option B is wrong because 'ec2:CreateTags' is for tagging. Option D is wrong because 'ec2:DescribeSubnets' is read-only.

Option A is wrong because 'ec2:ModifySubnetAttribute' is for modifying subnets.

325
MCQ · hard

A company uses AWS PrivateLink to connect to a SaaS provider's VPC endpoint service. The security team wants to ensure that traffic between the company's VPC and the SaaS provider's VPC is encrypted in transit and that no other AWS service can access the data. Which configuration meets these requirements?

A. Use a Site-to-Site VPN connection between the VPC and the SaaS provider's on-premises network.
B. Create a VPC peering connection and use security groups to restrict traffic.
C. Use an AWS PrivateLink endpoint (interface endpoint) in the company's VPC to connect to the SaaS provider's VPC endpoint service.
D. Use an AWS Transit Gateway with inter-region peering.
Answer: C

PrivateLink provides encrypted traffic within AWS and isolates the traffic.

Why this answer

Option C is correct because AWS PrivateLink interface endpoints encrypt traffic within AWS and are isolated. Option B is wrong because VPC peering does not encrypt traffic by default. Option A is wrong because a VPN is not needed.

Option D is wrong because Transit Gateway is for routing, not encryption.

326
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all new member accounts automatically deny public access to S3 buckets. Which policy should be attached to the root organizational unit?

A. Attach an S3 bucket policy to each bucket
B. Attach an IAM policy to the root user
C. Attach a trust policy to the OrganizationAccountAccessRole
D. Attach a service control policy (SCP) to the root OU
Answer: D

SCPs can set permission boundaries across entire accounts, denying actions like s3:PutBucketPublicAccessBlock.

Why this answer

Option D is correct because an SCP can deny public access to S3 buckets across all accounts in the organization. Option B is wrong because an IAM policy only applies to IAM users/groups/roles, not accounts. Option A is wrong because a bucket policy is per-bucket, not across accounts.

Option C is wrong because a trust policy is for IAM roles, not S3 access control.

327
MCQ · medium

Refer to the exhibit. A security engineer creates the S3 bucket policy above to allow an IAM role to upload objects only from the corporate network IP range (10.0.0.0/16). However, users report that they can still upload objects from outside the range when assuming the role. What is the most likely cause?

A. The condition key aws:SourceIp does not support the IP range 10.0.0.0/16 because it is a private IP range.
B. The bucket policy uses Allow instead of Deny; an explicit Deny is needed to block requests that do not meet the condition.
C. The IAM role's trust policy does not restrict who can assume the role.
D. The resource ARN should not include the trailing /*.
Answer: B

Because the IAM role already has an Allow, an Allow with condition does not restrict; a Deny is required.

Why this answer

Within a single AWS account, S3 evaluates the role's identity-based policy and the bucket policy together: the request is allowed if any applicable statement in either policy allows it, and denied if any applicable statement in either policy explicitly denies it. The bucket policy here contains only an Allow statement with an IpAddress condition on aws:SourceIp. When a user assumes the role from outside 10.0.0.0/16, the condition is not met, so that statement simply does not apply; it produces no Deny. The role's own identity-based policy still allows s3:PutObject with no IP condition, so the upload succeeds from anywhere.

A conditional Allow can only grant access; it cannot take away access that another policy grants. To enforce the network restriction, the bucket policy needs an explicit Deny for s3:PutObject with a NotIpAddress condition on aws:SourceIp (alternatively, if the role's identity-based policy is under the engineer's control, the unconditional grant can be removed and the IP condition attached there instead). An explicit Deny overrides every Allow, whichever policy the Allow comes from. Note also that aws:SourceIp is the address S3 sees on the request: requests arriving through a VPC endpoint do not carry aws:SourceIp and must be matched with aws:VpcSourceIp or aws:SourceVpce instead.

Exam trap

The trap is reading the bucket policy in isolation. Candidates see the IpAddress condition and assume it constrains the role, forgetting that the role carries its own permissions. In the same account, effective permission is the union of the identity-based and resource-based Allows, so the only way a bucket policy can narrow what an already-permitted role may do is with a Deny.

How to eliminate wrong answers

Option A is wrong because aws:SourceIp accepts any IPv4 or IPv6 CIDR, including private ranges; the practical caveat is that for a request crossing the internet from behind NAT, S3 sees the public NAT address, not the private one. Option C is wrong because the trust policy controls who may assume the role, not where the role's sessions may call S3 from; tightening it adds no IP restriction. Option D is wrong because the trailing /* is exactly what s3:PutObject needs, since it operates on object ARNs; removing it would make the statement match no objects at all.
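A simplified policy evaluator, added here as an illustration and not part of the original question set, that models the same-account evaluation logic described above and shows why the Allow-only bucket policy fails while the version with an explicit Deny works. The bucket name, the role's identity-based policy and the request IP addresses are constructed for the example; the evaluator skips Principal matching (every request is assumed to come from the role the bucket policy names) and models only the IpAddress and NotIpAddress operators on aws:SourceIp.

```python
"""Simplified same-account IAM/S3 policy evaluation (illustration only).

Models the rule that matters for question 327: within one account a request
is allowed if ANY applicable statement in the identity-based policy OR the
bucket policy allows it, unless ANY applicable statement explicitly denies it.
Principal matching is skipped (every request is assumed to be made by the
role the bucket policy names), and only IpAddress/NotIpAddress conditions on
aws:SourceIp are modelled. Bucket name, policies and IPs are constructed.
"""
import ipaddress
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::corp-uploads"   # assumed bucket name
CORP_CIDR = "10.0.0.0/16"                # range from the question

# Assumed identity-based policy on the role: unconditional PutObject.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"},
]}

# Bucket policy as the engineer wrote it: a conditional Allow and nothing else.
BUCKET_POLICY_ALLOW_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": CORP_CIDR}}},
]}

# Corrected bucket policy: same Allow plus an explicit Deny for every other IP.
BUCKET_POLICY_WITH_DENY = {"Statement": [
    BUCKET_POLICY_ALLOW_ONLY["Statement"][0],
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_CIDR}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, source_ip):
    """Every condition block in the statement must hold for it to apply."""
    for operator, keys in condition.items():
        cidrs = _as_list(keys.get("aws:SourceIp", []))
        if operator == "IpAddress":
            if not _ip_in_any(source_ip, cidrs):
                return False
        elif operator == "NotIpAddress":
            if _ip_in_any(source_ip, cidrs):
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True


def _applies(stmt, action, resource, source_ip):
    """A statement applies when action, resource and condition all match."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), source_ip))


def evaluate(identity_policy, bucket_policy, action, resource, source_ip):
    """Return 'ALLOW' or 'DENY' using same-account evaluation order:
    explicit Deny > explicit Allow from either policy > implicit Deny."""
    effects = [s["Effect"]
               for policy in (identity_policy, bucket_policy) if policy
               for s in policy["Statement"]
               if _applies(s, action, resource, source_ip)]
    if "Deny" in effects:
        return "DENY"
    if "Allow" in effects:
        return "ALLOW"
    return "DENY"  # nothing matched: implicit deny


if __name__ == "__main__":
    key = f"{BUCKET}/report.csv"
    for label, policy in (("Allow only", BUCKET_POLICY_ALLOW_ONLY),
                          ("Allow + Deny", BUCKET_POLICY_WITH_DENY)):
        for ip in ("10.0.5.9", "203.0.113.7"):  # inside / outside corp range
            print(f"{label:13} from {ip:12}: "
                  f"{evaluate(ROLE_POLICY, policy, 's3:PutObject', key, ip)}")
```

Running it shows the gotcha directly: with the Allow-only bucket policy, a PutObject from 203.0.113.7 is still ALLOW because the role's own policy grants it; with the Deny statement added, the same request becomes DENY while 10.0.5.9 stays ALLOW. Passing None as the identity policy shows that the Allow-only bucket policy would have been sufficient on its own, which is why the role's unconditional grant is the real root cause. Real S3 evaluation also checks the Principal element and, for cross-account requests, requires both the identity-based and the bucket policy to allow; the model here is deliberately limited to the same-account case the question describes.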

328
MCQhard

A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?

A.The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.
B.The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.
C.The virtual private gateway is not attached to the VPC.
D.The security group does not allow inbound traffic from the on-premises server.
AnswerA

Without a return route, responses from on-premises are dropped.

Why this answer

The on-premises firewall logs show that packets from the EC2 instance arrive, but responses never make it back. This points to a routing problem on the on-premises side: the on-premises router must have a route for the VPC CIDR pointing at the Direct Connect virtual interface so that return traffic is forwarded over the link. Without that route, the on-premises router sends responses along its default route (typically toward the internet), where a packet addressed to the instance's private VPC address cannot be delivered, so it never reaches the EC2 instance. The forward path working while the return path fails is the signature of asymmetric routing, not of a filtering problem.

Exam trap

The trap here is that candidates often assume security groups or network ACLs are the cause of asymmetric connectivity issues, but the real problem is the missing return route on the on-premises side, which is a common misconfiguration in hybrid networking scenarios.

How to eliminate wrong answers

Option B is wrong because the network ACL for the subnet is not blocking outbound traffic to the on-premises CIDR; the question states the EC2 instance can send packets (they are received on-premises), so outbound ACL rules are not the issue. Option C is wrong because if the virtual private gateway were not attached to the VPC, the EC2 instance would not be able to send packets to the on-premises CIDR at all (the route table entry would be invalid), yet packets are received on-premises. Option D is wrong because the security group does not need to allow inbound traffic from the on-premises server for the response to reach the EC2 instance; security groups are stateful, so if the outbound traffic is allowed, the return traffic is automatically permitted regardless of inbound rules.
