CCNA Security Governance Questions

75 of 262 questions · Page 1/4 · Security Governance topic

1
MCQ · medium

Refer to the exhibit. A security engineer creates this IAM policy for a user. Which action can the user perform?

A. Decrypt KMS keys only for resources in us-east-1.
B. Decrypt KMS keys when the request originates from S3 in us-east-1.
C. Decrypt any KMS key from any service.
D. Decrypt only S3 objects.
Answer: B

Condition specifies S3 service.

Why this answer

Option B is correct because the policy allows decrypting KMS keys only when the request comes through S3. Option A is wrong because it requires S3 endpoint. Option C is wrong because the policy is limited to S3.

Option D is wrong because there is no resource restriction.

2
MCQ · hard

A company's security team discovers that an IAM role has been assumed from an unexpected external AWS account. Which AWS service can be used to analyze the trust policy and identify unintended access?

A. AWS IAM Access Analyzer
B. AWS CloudTrail Insights
C. AWS Config
D. AWS Security Hub
Answer: A

Identifies external access to resources by analyzing policies.

Why this answer

IAM Access Analyzer analyzes resource-based policies (including trust policies) to identify external access. It generates findings for roles, S3 buckets, etc.

3
Multi-Select · medium

A company uses AWS Organizations and wants to ensure that no member account can disable AWS CloudTrail or delete CloudTrail log files from S3. Which TWO actions should the security team take? (Choose TWO.)

Select 2 answers
A. Create an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
B. Enable MFA delete on the S3 bucket that stores CloudTrail logs.
C. Apply an SCP to the management account to prevent disabling CloudTrail.
D. Add an S3 bucket policy that denies s3:DeleteObject for the CloudTrail log bucket.
E. Create an IAM role for CloudTrail with permissions to write logs only.
Answers: A, D

Prevents stopping or deleting CloudTrail across accounts.

Why this answer

Options A and C are correct. An SCP can deny the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions. An S3 bucket policy with a deny effect can protect the log files from deletion.

Option B is incorrect because CloudTrail does not support MFA for log file deletion directly. Option D is incorrect because IAM roles are not preventive. Option E is incorrect because SCPs cannot be applied to the management account in a way that prevents it from modifying CloudTrail; the management account is not affected by SCPs.

4
MCQ · easy

A developer has created an S3 bucket policy that grants public read access. The security team wants to prevent any S3 bucket from becoming public. Which AWS service can enforce this restriction across all accounts?

A. AWS CloudTrail with a metric filter
B. S3 Block Public Access settings on each account
C. A service control policy (SCP) denying s3:PutBucketPolicy
D. IAM permissions boundary
Answer: C

SCPs can deny actions across all accounts in an organization.

Why this answer

AWS Organizations SCPs can deny specific S3 actions that make buckets public. Option C is correct. Option A (IAM policies) are per-user, not account-wide.

Option B (S3 Block Public Access) is per-account or per-bucket, but can be overridden. Option D (CloudTrail) only logs.

5
MCQ · hard

A company has a single AWS account with multiple IAM users. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They attach an IAM policy that denies all actions if the user does not have MFA. However, after attaching the policy, some users report that they are unable to perform any actions even after authenticating with MFA. The policy uses the condition "aws:MultiFactorAuthPresent": "false". The security team verifies that the users have MFA enabled and are using it. What is the most likely cause of this issue?

A. The condition should be "Bool": "aws:MultiFactorAuthPresent": "false" but the policy uses StringLike.
B. The policy is missing a NotAction element; it should deny all actions except for the ones needed for MFA enrollment.
C. The policy is incorrectly written; it should use "Effect": "Allow" and the condition "aws:MultiFactorAuthPresent": "true".
D. The users are signing in as the root user of the account, not as IAM users.
Answer: D

Root user does not have the aws:MultiFactorAuthPresent condition key.

Why this answer

Option A is correct because the condition key aws:MultiFactorAuthPresent is not present when a user uses the root user or when the session is from a federated identity without MFA. However, for IAM users using the console, the key should be present if MFA is used. But if the policy is attached to the user and includes a Deny for aws:MultiFactorAuthPresent false, but the user is using MFA, the condition should evaluate to true (MFA present).

If users still get denied, it might be because they are using the root user (not IAM user) or the policy is too broad. Option B is wrong because the policy condition is correctly written to deny when MFA is not present. Option C is wrong because the policy is fine.

Option D is wrong because the effect is Deny. The most likely cause in typical SCS-C02 scenarios is that the users are using the root user instead of an IAM user, because root user does not have the aws:MultiFactorAuthPresent key. Alternatively, the policy might be missing an Allow for the console itself.

However, the question states "IAM users" so likely root user is not the case. Another common issue: the condition key aws:MultiFactorAuthPresent is only present when the session is established using MFA; for long-lived sessions, it might be missing. But the most likely is that the policy does not include an Allow for the actions they need; it only denies.

Since all actions are denied by default, they need an Allow. But the policy only denies. Actually, the policy denies if MFA not present; if MFA is present, the condition fails, so the Deny does not apply, and other Allow policies can take effect.

So if there is no Allow policy, they would still be denied. But typically, IAM users have an Allow for necessary services. A common mistake is that the policy is too restrictive because it denies all actions, but the condition only applies when MFA not present.

If MFA is present, the Deny does not apply. So the issue might be that the users are not using MFA. But they report they are.

Another possibility: the policy is attached to the user but also there is a deny-all policy. Option B might be correct if the policy uses "Effect": "Deny" and the condition, but the condition works. Option A is plausible if they are using root.

I'll go with A because root user is a common pitfall.

6
Multi-Select · hard

Which THREE are benefits of using AWS CloudTrail for security governance? (Choose three.)

Select 3 answers
A. Enables real-time log analysis with Amazon CloudWatch Logs
B. Automatically remediates noncompliant resources
C. Supports compliance audits by providing event history
D. Provides a record of API activity in the account
E. Allows security analysis of user activity
Answers: C, D, E

CloudTrail logs are used for compliance.

Why this answer

CloudTrail logs API calls (A), helps with compliance (C), and enables security analysis (E). Option B is for CloudWatch Logs. Option D is for Config.

7
MCQ · medium

A company wants to ensure that all S3 buckets in their AWS account have encryption enabled. Which AWS service can continuously evaluate compliance and automatically remediate non-compliant buckets?

A. AWS CloudTrail
B. AWS Config
C. AWS IAM
D. Amazon S3
Answer: B

AWS Config evaluates resources against rules and can auto-remediate.

Why this answer

Option D is correct: AWS Config with a managed rule 's3-bucket-server-side-encryption-enabled' can evaluate compliance and trigger an auto-remediation action to enable encryption. Option A is wrong because CloudTrail only logs. Option B is wrong because IAM does not manage bucket encryption.

Option C is wrong because S3 itself does not auto-remediate.

8
MCQ · medium

A company wants to enforce that all EC2 instances use a specific AMI ID. Which AWS service can be used to detect and remediate non-compliant instances?

A. AWS Systems Manager
B. Amazon Inspector
C. AWS Config
D. AWS CloudTrail
Answer: C

Config detects non-compliant resources and can auto-remediate.

Why this answer

AWS Config is the correct service because it continuously evaluates your AWS resource configurations against desired policies, such as requiring a specific AMI ID for all EC2 instances. You can create an AWS Config rule (e.g., a custom Lambda rule or a managed rule like 'ec2-instance-managed-by-systems-manager') to detect non-compliant instances, and then use AWS Config auto-remediation with Systems Manager Automation documents to terminate or replace them. This directly enforces compliance by both detecting and remediating violations.

Exam trap

The trap here is that candidates often confuse AWS Config with AWS Systems Manager because both can perform remediation, but only AWS Config provides continuous configuration evaluation and rule-based detection of non-compliant resources like AMI IDs.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager is primarily an operations and management service for patching, inventory, and automation, but it lacks native configuration compliance evaluation and remediation triggering based on resource state; it can be used as part of a remediation action but not as the primary detection and enforcement service. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not for enforcing AMI ID compliance on EC2 instances. Option D is wrong because AWS CloudTrail is an audit logging service that records API calls for governance and compliance, but it does not detect or remediate non-compliant resource configurations.

9
Multi-Select · medium

A company uses AWS KMS to encrypt sensitive data. The security team needs to ensure that KMS keys cannot be deleted accidentally. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A. Attach an SCP that denies kms:ScheduleKeyDeletion for all accounts.
B. Enable CloudTrail to log key deletion events.
C. Enable automatic key rotation.
D. Modify the key policy to deny kms:ScheduleKeyDeletion for all principals.
E. Disable the key to prevent usage.
Answers: A, D

Prevents scheduling key deletion.

Why this answer

Options A and C are correct. Enabling key rotation creates new cryptographic material but does not prevent deletion; however, the question asks about preventing deletion, so key rotation is not directly relevant. Actually, the correct answers are: enabling deletion protection on the key (Option B is correct if we consider that KMS now supports key deletion protection; but traditionally, the way to prevent deletion is to disable key deletion via key policy or using SCP.

Option A: enabling automatic key rotation does not prevent deletion. Option B: disabling the key does not prevent deletion. Option C: using SCP to deny kms:ScheduleKeyDeletion is correct.

Option D: using a key policy to deny deletion is correct. Option E: using CloudTrail is detective, not preventive. The correct two are C and D.

I'll revise:

10
MCQ · hard

A company runs a multi-account AWS environment using AWS Organizations. The security team uses AWS Config to monitor compliance. Recently, they noticed that a developer in the 'development' account created an S3 bucket that is publicly accessible. The security team wants to prevent this in the future by automatically remediating any public S3 bucket. They have an SCP that denies s3:PutBucketPublicAccessBlock, but developers are still making buckets public by using bucket ACLs. The security team wants to implement a solution that automatically fixes any bucket that becomes public. Which solution should they choose?

A. Use CloudTrail to detect PutBucketAcl events and send to SNS for manual remediation
B. Use AWS Config with the s3-bucket-public-read-prohibited managed rule and an automatic remediation action using AWS Systems Manager Automation
C. Update the SCP to deny s3:PutBucketAcl with a condition for public access
D. Attach an IAM policy to all users that denies s3:PutBucketAcl
Answer: B

Detects and automatically fixes public buckets.

Why this answer

Option B is correct because AWS Config's s3-bucket-public-read-prohibited managed rule evaluates S3 bucket ACLs and policies for public read access. When a noncompliant bucket is detected, an automatic remediation action using AWS Systems Manager Automation can invoke a custom SSM document (e.g., AWS-DisableS3BucketPublicReadWrite) to remove public ACLs or apply a bucket policy that denies public access. This provides automated, event-driven remediation without relying on manual intervention or incomplete SCPs.

Exam trap

The trap here is that candidates often assume an SCP or IAM policy that denies the specific API call (s3:PutBucketAcl) is the best solution, but the question requires automatic remediation of already-public buckets, not prevention—and SCPs cannot remediate existing noncompliant resources, only block future actions.

How to eliminate wrong answers

Option A is wrong because using CloudTrail to detect PutBucketAcl events and sending to SNS for manual remediation does not automatically fix the bucket; it requires human action, which is slow and error-prone, and does not meet the requirement for automatic remediation. Option C is wrong because updating the SCP to deny s3:PutBucketAcl with a condition for public access would prevent developers from setting public ACLs in the first place, but the question states that developers are already bypassing the existing SCP (which denies s3:PutBucketPublicAccessBlock) by using ACLs; an SCP that denies s3:PutBucketAcl could be effective, but the question explicitly asks for a solution that automatically fixes any bucket that becomes public, not one that prevents the action—furthermore, SCPs cannot retroactively remediate already-public buckets. Option D is wrong because attaching an IAM policy to all users that denies s3:PutBucketAcl is not scalable in a multi-account environment (IAM policies are account-specific and cannot be applied across all accounts via AWS Organizations), and it also does not provide automatic remediation for buckets that are already public.

11
Multi-Select · medium

A security engineer is designing a data encryption strategy for an S3 bucket that contains sensitive information. Which TWO of the following are valid options for enforcing encryption at rest?

Select 2 answers
A. Use an AWS KMS key with automatic key rotation.
B. Enable S3 default encryption on the bucket.
C. Enable AWS CloudTrail to log all object uploads.
D. Attach an IAM policy to users to require encryption.
E. Use a bucket policy to deny PutObject requests without the x-amz-server-side-encryption header.
Answers: B, E

Correct: Automatically encrypts new objects.

Why this answer

Options B and C are correct. S3 default encryption can be enabled to automatically encrypt objects, and bucket policies can enforce that objects are uploaded with encryption headers. Option A is wrong because CloudTrail does not encrypt data.

Option D is wrong because IAM policies cannot enforce encryption at the service level. Option E is wrong because KMS keys are used for encryption but the question asks for enforcement methods.

12
MCQ · medium

Refer to the exhibit. A security engineer attaches this S3 bucket policy to an S3 bucket. What is the effect of this policy?

A. Requests over HTTP are denied, but HTTPS requests are allowed.
B. The policy has no effect because there is no Allow statement.
C. All requests over HTTPS are allowed.
D. All requests to the bucket are denied.
Answer: A

The policy denies when SecureTransport is false, i.e., HTTP.

Why this answer

Option C is correct because the policy denies all S3 actions when the request is not made over HTTPS. Option A is wrong because it denies all requests. Option B is wrong because it allows HTTPS.

Option D is wrong because there is no explicit allow.

13
MCQ · medium

A company uses AWS KMS to encrypt data in S3 buckets. The security team needs to ensure that KMS keys can only be used by specific IAM roles within the same account. Which key policy should be applied?

A. "Principal": {"AWS": "arn:aws:iam::123456789012:*"}
B. "Principal": {"AWS": "*"}
C. "Principal": {"AWS": "arn:aws:iam::123456789012:root"}
D. "Principal": {"AWS": "arn:aws:iam::123456789012:role/AllowedRole"}
Answer: D

This restricts the key usage to the specified IAM role.

Why this answer

Option A is correct because specifying the IAM role ARN in the key policy grants that role access. Option B is wrong because allowing the root user enables any IAM user with appropriate permissions. Option C is wrong because it allows all principals in the account.

Option D is wrong because it allows access to anyone in the organization.

14
Multi-Select · medium

Which TWO actions are best practices for securing an AWS account root user? (Select TWO.)

Select 2 answers
A. Use the root user for everyday administrative tasks.
B. Create access keys for the root user.
C. Delete the root user to prevent unauthorized access.
D. Create an IAM user with administrative privileges and use it instead of the root user.
E. Enable MFA on the root user.
Answers: D, E

Reduces exposure of root user credentials.

Why this answer

Options A and D are correct. Enabling MFA on the root user adds an extra layer of security. Creating an IAM admin user and using it for daily tasks reduces root user usage.

Option B is wrong because the root user should not be used for daily tasks. Option C is wrong because access keys should not be created for the root user; they are long-term credentials. Option E is wrong because the root user email should be monitored, but that is not a best practice for securing the root user itself.

15
MCQ · hard

A company uses AWS Organizations with many accounts. The security team wants to ensure that no account can disable AWS CloudTrail or stop logging. Which configuration should be used?

A. Enable CloudTrail log file validation.
B. Attach an IAM policy to the root user in each account.
C. Use AWS Config rules to detect and alert when CloudTrail is modified.
D. Apply an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail.
Answer: D

SCPs can deny actions across all accounts.

Why this answer

Option A is correct because an SCP can deny the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions at the organizational level. Option B is wrong because AWS Config rules can detect but not prevent. Option C is wrong because IAM policies in the master account do not affect member accounts.

Option D is wrong because CloudTrail itself cannot prevent its own modification.

16
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to centrally manage IAM policies across all accounts. Which AWS feature should the team use to enforce permissions across member accounts?

A. IAM roles with cross-account access
B. Service Control Policies (SCPs)
C. AWS Config rules
D. AWS CloudTrail trails
Answer: B

SCPs centrally manage permissions across accounts.

Why this answer

Option C is correct because SCPs allow central control over permissions for all accounts in an organization. Option A is wrong because IAM policies are per-account. Option B is wrong because AWS Config is for compliance monitoring, not enforcement.

Option D is wrong because AWS CloudTrail is for auditing, not enforcement.

17
Multi-Select · hard

A company is implementing AWS Organizations with multiple accounts. Which THREE are benefits of using service control policies (SCPs)? (Choose three.)

Select 3 answers
A. Grant cross-account access
B. Prevent users from disabling CloudTrail
C. Enforce compliance requirements
D. Manage consolidated billing
E. Centrally restrict permissions across accounts
Answers: B, C, E

SCPs can deny actions that disable logging.

Why this answer

Options A, B, and C are correct. D is wrong because SCPs are not used for billing. E is wrong because SCPs do not enable cross-account access.

18
MCQ · medium

A company is using AWS Organizations to manage multiple accounts. The security team needs to enforce that all newly created S3 buckets across the organization have server-side encryption (SSE-S3) enabled by default. Which solution is MOST operationally efficient?

A. Create an AWS Lambda function that is triggered by S3 event notifications to enable encryption on any new bucket.
B. Set a default bucket encryption policy in each account’s S3 console.
C. Apply an SCP to the root organizational unit that denies s3:CreateBucket if the bucket lacks encryption settings.
D. Use AWS Config with a managed rule s3-bucket-server-side-encryption-enabled to trigger remediation.
Answer: C

SCPs can deny actions with conditions, preventing noncompliant bucket creation across all accounts.

Why this answer

Using an SCP to deny creation of buckets without encryption is the most efficient because it prevents noncompliant buckets from being created at the root level. Option A (Lambda on CloudTrail) is reactive and less efficient. Option C (AWS Config rule) only detects noncompliant buckets after creation.

Option D (IAM permissions) does not block at the organization level.

19
MCQ · medium

A security engineer needs to ensure that all EC2 instances launched in a development account are tagged with a cost center. What is the most effective way to enforce this?

A. Use AWS Config to detect untagged instances and send alerts
B. Use AWS Systems Manager to tag instances after launch
C. Create a tag policy in AWS Organizations requiring the cost center tag
D. Use an IAM policy that denies ec2:RunInstances unless the request includes the cost center tag
Answer: D

This prevents launching instances without the required tag.

Why this answer

Option D is correct because using an IAM policy with a condition key (e.g., `aws:RequestTag`) that denies `ec2:RunInstances` unless the `cost center` tag is specified in the API call enforces tagging at launch time. This prevents any untagged instance from being created, providing proactive enforcement rather than reactive detection or remediation.

Exam trap

The trap here is that candidates often choose AWS Config (Option A) because it is a common governance tool, but they miss that Config only detects non-compliance after the fact, whereas IAM policies provide preventive enforcement at the API level.

How to eliminate wrong answers

Option A is wrong because AWS Config can only detect and alert on untagged instances after they are launched, not prevent their creation, leaving a window of non-compliance. Option B is wrong because AWS Systems Manager can tag instances after launch, but this is a reactive measure that does not enforce tagging at creation time and may miss instances that are not managed by Systems Manager. Option C is wrong because tag policies in AWS Organizations are used to enforce consistent tagging across accounts but do not prevent the launch of untagged resources; they only provide a compliance check and can mark non-compliant resources, not block the action.

20
MCQ · medium

A company uses AWS CloudFormation to deploy infrastructure. The security team requires that all CloudTrail trails be encrypted with a customer-managed KMS key. Which CloudFormation template snippet correctly enforces this requirement?

A. Trail with KMSKeyId set to 'aws/cloudtrail'
B. Trail with KMSKeyId set to 'arn:aws:kms:us-east-1:123456789012:key/abcd1234-...'
C. Trail with KMSKeyId set to 'alias/my-cloudtrail-key'
D. Trail without KMSKeyId specified
Answer: B

This specifies a customer-managed KMS key.

Why this answer

Option C sets KMSKeyId to a customer-managed key, ensuring encryption. Option A uses AWS managed key (default). Option B does not encrypt.

Option D uses an alias but could be AWS managed; the KMSKeyId must be a customer-managed key ARN.

21
MCQ · easy

A company uses AWS Secrets Manager to store database credentials. The security team needs to ensure that secrets are automatically rotated every 30 days. Which configuration should be used?

A. Manually update the secret in Secrets Manager every 30 days.
B. Use Amazon Macie to detect when secrets are stale.
C. Set an expiration date on the secret and recreate it.
D. Enable automatic rotation using an AWS Lambda function.
Answer: D

Secrets Manager natively supports rotation with Lambda.

Why this answer

Option D is correct because AWS Secrets Manager provides a built-in mechanism to automatically rotate secrets using an AWS Lambda function. By configuring a rotation schedule (e.g., every 30 days), Secrets Manager invokes the Lambda function to create a new version of the secret and update the database credentials, ensuring compliance without manual intervention.

Exam trap

The trap here is that candidates may confuse setting an expiration date (Option C) with automatic rotation, but expiration only triggers deletion or recreation, not the seamless, scheduled credential update that a Lambda-based rotation provides.

How to eliminate wrong answers

Option A is wrong because manually updating the secret every 30 days is not automated and violates the requirement for automatic rotation; it also introduces human error risk and operational overhead. Option B is wrong because Amazon Macie is a data discovery and classification service that identifies sensitive data in S3, not a tool for detecting stale secrets or managing rotation schedules in Secrets Manager. Option C is wrong because setting an expiration date on a secret only marks it for deletion or forces recreation, but does not automatically rotate the secret; the secret must be manually recreated, and the rotation process is not triggered by expiration alone.

22
MCQ · hard

A company is using AWS Config to evaluate resource compliance. They need to ensure that all EC2 instances have a specific tag key 'Environment' with a value of 'Production' or 'Development'. Which type of AWS Config rule should be used?

A. Custom AWS Config rule written in Python
B. Custom AWS Config rule using AWS Lambda
C. AWS Config managed rule 'ec2-instance-tags'
D. AWS Config managed rule 'required-tags'
Answer: B

A custom rule can check for both tag key and value.

Why this answer

Option B is correct because a custom AWS Config rule (Lambda function) can evaluate the required tags. Option A is wrong because managed rules may not have the exact logic. Option C is wrong because AWS Config does not have a built-in 'required-tags' rule with custom values.

Option D is wrong because AWS Config rules cannot be written in Python directly; they use Lambda.

23
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization block public access. Which policy should be attached to the root organizational unit to achieve this?

A. Enable AWS CloudTrail to log public access attempts and alert the security team.
B. Use AWS Config rules to remediate non-compliant buckets automatically.
C. Attach a service control policy (SCP) that denies s3:PutBucketPublicAccessBlock.
D. Create an IAM role with a bucket policy that blocks public access.
Answer: C

SCPs can be attached to OUs to centrally restrict permissions.

Why this answer

Option B is correct because a service control policy (SCP) can be applied at the root OU to deny actions that allow public access. Option A is wrong because IAM roles are account-specific. Option C is wrong because CloudTrail is for logging.

Option D is wrong because AWS Config rules evaluate compliance but do not enforce.

24
MCQ · easy

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in the organization have multi-factor authentication (MFA) enabled. Which combination of actions should be taken to enforce this requirement?

A. Create an SCP that denies IAM actions without MFA and attach it to the IAM group that contains all users.
B. Create an SCP that denies IAM actions without MFA and attach it to the root organizational unit (OU).
C. Create an SCP that denies IAM actions without MFA and attach it to each IAM user.
D. Create an SCP that denies IAM actions without MFA and attach it to the management account.
Answer: B

Attaching the SCP to the root OU applies it to all accounts in the organization, enforcing MFA for all IAM users.

Why this answer

Option B is correct because Service Control Policies (SCPs) in AWS Organizations can be attached to the root organizational unit (OU) to apply a blanket denial of IAM actions when MFA is not present, affecting all accounts and users within the organization. This leverages the `aws:MultiFactorAuthPresent` condition key in an SCP to enforce MFA at the organization level, ensuring that even if IAM users are created in member accounts, they cannot perform IAM actions without MFA. Attaching the SCP to the root OU ensures the policy cascades down to all child OUs and accounts, providing centralized enforcement.

Exam trap

The trap here is that candidates mistakenly think SCPs can be attached to IAM users or groups, but SCPs are organization-level policies that only apply to OUs, accounts, or the root, not to individual IAM entities.

How to eliminate wrong answers

Option A is wrong because SCPs cannot be attached to IAM groups; SCPs are applied to OUs, accounts, or the root of the organization, not to IAM entities like groups, users, or roles. Option C is wrong because SCPs cannot be attached directly to IAM users; they are only applicable to AWS Organizations entities (OUs, accounts, or the root). Option D is wrong because attaching the SCP to the management account would only affect that single account, not the member accounts; SCPs must be attached to the root OU or relevant OUs to enforce policies across the entire organization.

25
MCQ · easy

A company wants to centrally manage access keys for IAM users. Which AWS service can generate and rotate access keys automatically?

A. AWS CloudHSM
B. AWS KMS
C. AWS Systems Manager Parameter Store
D. AWS Secrets Manager
Answer: D

Secrets Manager can rotate IAM access keys automatically.

Why this answer

AWS Secrets Manager is the correct service because it natively supports automatic rotation of secrets, including IAM user access keys. You can configure a rotation schedule (e.g., every 30 days) and Secrets Manager will generate a new access key pair, update the IAM user, and optionally disable or delete the old key. This provides a fully managed, centralized solution for rotating access keys without custom scripting.

Exam trap

The trap here is that candidates often confuse AWS KMS (which handles encryption keys) with Secrets Manager (which handles secrets like passwords and access keys), or they assume Parameter Store can rotate secrets automatically, but only Secrets Manager provides built-in, configurable rotation for IAM access keys.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM provides hardware security modules for cryptographic key storage and operations, but it does not generate or rotate IAM access keys. Option B is wrong because AWS KMS manages encryption keys (symmetric and asymmetric) and performs cryptographic operations, but it cannot create or rotate IAM user access keys. Option C is wrong because AWS Systems Manager Parameter Store can store secrets as parameters, but it lacks built-in rotation capabilities; you would need to implement custom rotation logic using Lambda, whereas Secrets Manager provides native rotation.

26
MCQ · easy

A company wants to automate the enforcement of security best practices across all AWS accounts in an organization. The solution should automatically remediate noncompliant resources. Which AWS service should be used to achieve this?

A.AWS Organizations service control policies (SCPs)
B.AWS IAM Access Analyzer
C.Amazon GuardDuty
D.AWS Config rules with auto-remediation
AnswerD

Config rules can detect and auto-remediate noncompliant resources.

Why this answer

Option D is correct because AWS Config rules can automatically remediate noncompliant resources using SSM Automation documents or Lambda functions. Option A is wrong because SCPs only enforce preventive controls; they do not auto-remediate. Option C is wrong because GuardDuty is a threat detection service, not a compliance automation service.

Option B is wrong because IAM Access Analyzer analyzes resource policies for unintended access; it does not enforce best practices.

27
MCQhard

A security engineer notices that an IAM user has been inactive for 90 days. What is the best way to identify and disable such users?

A.Use CloudTrail to identify users with no recent events
B.Use AWS Config rule to detect inactive users
C.Use IAM Credential Report and disable users with no activity in 90 days
D.Use AWS Organizations to disable users
AnswerC

Credential Report shows last usage.

Why this answer

The IAM Credential Report provides a comprehensive CSV export of all IAM users in the account, including the `password_last_used` and `access_key_last_used_date` columns. This allows a security engineer to directly identify users who have had no activity for 90 days and then disable them by applying an IAM policy with a `Deny` effect or removing their credentials. It is the most straightforward, native, and accurate method for this specific task.

Exam trap

The trap here is that candidates confuse CloudTrail (which logs events) with the IAM Credential Report (which directly reports user activity), or they assume AWS Config can evaluate user inactivity when it is designed for resource configuration compliance, not behavioral monitoring.

How to eliminate wrong answers

Option A is wrong because CloudTrail records API activity but does not natively aggregate or report on user inactivity over a 90-day period; you would need to write custom queries and there is no built-in 'inactive user' view. Option B is wrong because AWS Config rules evaluate resource configurations (e.g., whether an IAM user has a policy attached) but cannot directly detect user login or API activity inactivity; there is no managed Config rule for 'inactive IAM user'. Option D is wrong because AWS Organizations is a service for managing multiple AWS accounts centrally, not for disabling individual IAM users within a single account.

28
MCQmedium

Refer to the exhibit. An IAM policy is attached to a user. The user attempts to upload an object to my-bucket using server-side encryption with AWS KMS (SSE-KMS). What is the outcome?

A.The upload fails because the Deny statement denies any PutObject that does not use AES256 encryption.
B.The upload fails because the Allow statement requires AES256 encryption.
C.The upload succeeds because the policy does not explicitly deny SSE-KMS.
D.The upload succeeds because the Allow statement matches the s3:PutObject action.
AnswerA

The Deny statement explicitly denies when encryption is not AES256.

Why this answer

Option A is correct because the Deny statement applies whenever the requested encryption is not AES256, and SSE-KMS is not AES256. The Allow statement permits only AES256. Since SSE-KMS does not match the Allow and does match the Deny, the explicit Deny wins.

Option D is wrong because the explicit Deny overrides the matching Allow. Option B is wrong because the failure comes from the explicit Deny, not from the Allow statement (which only covers AES256). Option C is wrong because the Deny is explicit, even though it does not name SSE-KMS directly.

29
MCQmedium

A security engineer is designing a solution to automatically remediate non-compliant resources in an AWS account. The engineer needs to trigger an AWS Lambda function when an EC2 instance is launched without the required tags. Which AWS service should be used to detect the non-compliant resource and invoke the Lambda function?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.AWS Systems Manager
AnswerB

AWS Config rules can invoke Lambda for remediation.

Why this answer

Option B is correct because AWS Config rules can evaluate resources and trigger remediation via Lambda. Option A is wrong because CloudTrail logs API calls but does not trigger remediation. Option C is wrong because GuardDuty is for threat detection.

Option D is wrong because Systems Manager is for operational management, not compliance evaluation.

30
MCQmedium

A company uses AWS Organizations with all features enabled. The security team wants to ensure that no IAM users are created in any account. Which approach should be used?

A.Use AWS Config rules to detect IAM users and notify via SNS.
B.Enable AWS CloudTrail Insights to detect anomalous IAM activity.
C.Attach a service control policy (SCP) that denies iam:CreateUser.
D.Apply an IAM policy to the root user to deny iam:CreateUser.
AnswerC

SCPs can prevent actions across all accounts in the organization.

Why this answer

Option C is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict permissions across all accounts in the organization. By attaching an SCP that denies the `iam:CreateUser` action, you prevent the creation of IAM users in any member account, regardless of any IAM policies attached to users or roles within those accounts. This provides a guardrail that cannot be overridden by account administrators, ensuring compliance with the security team's requirement.

Exam trap

The trap here is that candidates often confuse IAM policies with SCPs, thinking that an IAM policy attached to the root user can block actions across the account, but SCPs are the only mechanism that can enforce such restrictions across all principals in an organization.

How to eliminate wrong answers

Option A is wrong because AWS Config rules can only detect and notify about IAM users after they are created; they do not prevent the creation of IAM users, so they fail to meet the requirement of ensuring no IAM users are created. Option B is wrong because AWS CloudTrail Insights is designed to detect anomalous API activity and generate insights, but it does not block or prevent IAM user creation; it only provides post-event analysis. Option D is wrong because applying an IAM policy to the root user does not prevent IAM user creation in other accounts or even in the same account, as the root user is not subject to IAM policies; additionally, IAM policies cannot be attached to the root user, and even if they could, they would not affect other users or roles in the account.

31
Drag & Dropmedium

Drag and drop the steps to set up a secure S3 bucket with encryption and access control in the correct order.


Why this order

Secure S3 bucket requires encryption, public access block, bucket policy, versioning, and access logging.

32
MCQmedium

A company uses AWS Key Management Service (KMS) to encrypt sensitive data in Amazon S3. The security team needs to ensure that the KMS key can only be used from within the company's VPC and not from the public internet. How can this be achieved?

A.Use an SCP to deny kms:Encrypt unless the request comes from the VPC.
B.Use AWS CloudTrail to monitor KMS calls and alert if they come from outside the VPC.
C.Create a VPC endpoint for KMS and modify the KMS key policy to allow usage only from the specified VPC endpoint.
D.Create a VPC endpoint for KMS and attach a bucket policy that requires the endpoint.
AnswerC

Key policy with the condition key `aws:SourceVpce` restricts usage to the VPC endpoint.

Why this answer

Using a VPC endpoint for KMS together with a key policy that restricts usage to that endpoint prevents use of the key from the public internet. Option D is wrong because a bucket policy does not restrict usage of the KMS key itself to the VPC. Option A is wrong because an SCP cannot restrict KMS key usage to a specific VPC.

Option B is wrong because CloudTrail only monitors; it does not enforce access restrictions.

33
MCQhard

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance in a private subnet is making outbound connections to an external IP address on port 443. The VPC has a NAT gateway in a public subnet, and the route table for the private subnet directs 0.0.0.0/0 to the NAT gateway. The security group for the instance allows all outbound traffic. Which AWS service can the engineer use to determine which IAM role or user is responsible for launching the instance?

A.AWS Config
B.VPC Flow Logs
C.IAM Access Analyzer
D.AWS CloudTrail
AnswerD

CloudTrail logs RunInstances API calls with user identity.

Why this answer

AWS CloudTrail logs all API calls, including RunInstances, capturing the user or role that launched the instance. Option B (VPC Flow Logs) shows IP traffic but not user identity. Option A (AWS Config) shows resource configuration but not who launched the resource.

Option C (IAM Access Analyzer) analyzes resource policies and does not record who launched the instance.

34
MCQmedium

A security engineer is designing a system to centrally manage security rules across multiple AWS accounts. The engineer wants to ensure that any resources that are non-compliant with security policies are automatically remediated. Which combination of services should the engineer use?

A.AWS CloudTrail with Amazon SNS
B.Amazon GuardDuty with AWS Step Functions
C.AWS Security Hub with Amazon EventBridge
D.AWS Config with AWS Lambda for automatic remediation
AnswerD

Config evaluates compliance and can invoke Lambda for remediation.

Why this answer

Option D is correct because AWS Config can detect non-compliant resources and trigger Lambda functions for remediation. Option C is wrong because Security Hub provides findings but does not automatically remediate. Option A is wrong because CloudTrail logs events but does not evaluate compliance.

Option B is wrong because GuardDuty provides threat detection, not configuration compliance.

35
MCQeasy

A security engineer needs to automatically detect and respond to unauthorized API calls in an AWS account. Which two services should be used together?

A.AWS CloudTrail and Amazon EventBridge
B.Amazon GuardDuty and Amazon SNS
C.AWS Config and AWS Lambda
D.Amazon Inspector and Amazon S3
AnswerA

CloudTrail logs API calls, EventBridge triggers automated responses.

Why this answer

CloudTrail logs API calls, and CloudWatch Events (now Amazon EventBridge) can trigger automated responses. Option A is correct. Option C (Config + Lambda) is for configuration compliance.

Option B (GuardDuty + SNS) is for threat detection alerting. Option D (Inspector + S3) is for vulnerability assessment.

36
MCQhard

Refer to the exhibit. A security engineer applies this bucket policy to an S3 bucket. A user without HTTPS tries to download an object. What is the outcome?

A.The request is denied because the condition matches
B.The request fails because the condition does not match
C.The request succeeds because the policy has a Deny effect
D.The request succeeds because the resource is not specific enough
AnswerA

Policy denies when SecureTransport is false.

Why this answer

The bucket policy includes a condition that denies requests when `aws:SecureTransport` is `false`. Since the user attempts to download an object without HTTPS, the condition matches, and the explicit Deny effect overrides any Allow. Therefore, the request is denied.

Exam trap

The trap here is that candidates may think a Deny effect always denies, but they must check whether the condition evaluates to true; if the condition does not match, the Deny is not applied, and the request could succeed based on other policies.

How to eliminate wrong answers

Option B is wrong because the condition does match (the request lacks HTTPS, so `aws:SecureTransport` is false), so the Deny applies. Option C is wrong because the policy has a Deny effect, which denies the request, not allows it to succeed. Option D is wrong because the resource is specific enough (the bucket ARN is explicit), and the Deny effect is triggered by the condition, not by resource specificity.

37
Multi-Selecteasy

Which TWO of the following are valid AWS IAM security best practices?

Select 2 answers
A.Implement a strong password policy for IAM users.
B.Share IAM user access keys among team members for convenience.
C.Delete IAM users instead of disabling them when not needed.
D.Enable multi-factor authentication (MFA) for privileged users.
E.Use the AWS account root user for everyday administrative tasks.
AnswersA, D

Password policies enforce complexity and rotation.

Why this answer

Option A is correct: a password policy enforces complexity. Option D is correct: MFA adds an extra layer of security. Option B is wrong: access keys should never be shared.

Option E is wrong: the root user should be avoided for daily tasks. Option C is wrong: deleting users outright is not a best practice; deactivating them is better.

38
MCQmedium

An IAM policy is attached to a user. The user reports that they cannot list objects in the bucket 'example-bucket' from their home office IP address 203.0.113.50. What is the most likely cause?

A.The policy effect is Deny by default.
B.The resource ARN should be arn:aws:s3:::example-bucket without the /*.
C.The policy does not allow the s3:ListBucket action.
D.The IP address condition restricts access to the 10.0.0.0/24 range.
AnswerD

Correct: The condition only allows requests from the specified IP range.

Why this answer

Option D is correct because the policy allows s3:* actions only if the source IP is in the 10.0.0.0/24 range (private IP space). Since the user's home office IP is 203.0.113.50 (public), the condition fails. Option C is wrong because the policy allows s3:*, which includes s3:ListBucket.

Option B is wrong because the resource is specified as arn:aws:s3:::example-bucket/*, which matches only objects, not the bucket itself. Listing objects requires s3:ListBucket on the bucket resource rather than on the objects, so there is a resource issue as well, but the main cause is the IP condition.

Option A is wrong because the policy effect is Allow, not Deny.

39
MCQeasy

A security engineer needs to ensure that an Amazon S3 bucket is not publicly accessible. Which AWS service can be used to continuously monitor and alert if the bucket becomes public?

A.AWS CloudTrail
B.AWS Config
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

Correct: AWS Config evaluates resource configurations against rules.

Why this answer

Option B is correct because AWS Config has managed rules such as 's3-bucket-public-read-prohibited' that evaluate S3 bucket policies and ACLs. Option A is wrong because AWS CloudTrail records API calls but does not evaluate resource configurations. Option D is wrong because Amazon GuardDuty focuses on threat detection.

Option C is wrong because AWS Trusted Advisor provides best-practice checks but not continuous monitoring and alerting.

40
MCQhard

A security engineer attaches the above SCP to an OU containing development accounts. The engineer expects that only t3.micro instances can be launched, but developers report that they cannot launch any EC2 instances. What is the MOST likely reason?

A.The SCP syntax is invalid because it uses Deny without an explicit Allow.
B.The condition StringNotEquals is evaluated incorrectly for EC2 instance types.
C.The SCP is applied at the organization root and overrides the OU-level policy.
D.The SCP denies all ec2 actions because there is no explicit allow statement.
AnswerD

SCPs do not grant permissions; they only filter what is allowed by IAM. Without an explicit allow, the default is deny.

Why this answer

Option D is correct because SCPs operate on a default-deny model: all actions are implicitly denied unless explicitly allowed. The policy only denies non-t3.micro instance types but does not include an explicit Allow statement for ec2:RunInstances or any other EC2 action. Without an explicit Allow, the implicit deny blocks all EC2 actions, including launching t3.micro instances.

Exam trap

The trap here is that candidates assume a Deny statement with a condition implicitly allows all other actions, forgetting that SCPs follow a default-deny model where any action not explicitly allowed is denied.

How to eliminate wrong answers

Option A is wrong because SCPs do not require an explicit Allow alongside a Deny; they can use Deny alone to restrict actions, but the issue here is the lack of any Allow statement. Option B is wrong because the StringNotEquals condition is evaluated correctly—it denies instance types that are not t3.micro, but the problem is the missing Allow for the action itself. Option C is wrong because the SCP is attached to the OU, not the root, and even if a root-level SCP existed, it would not override the OU-level policy unless explicitly set to deny; SCPs are additive and the most restrictive applies.

41
MCQeasy

A company wants to centrally manage and enforce security policies across all accounts in AWS Organizations. Which AWS service should be used to define and apply guardrails?

A.IAM Policy Simulator
B.AWS Control Tower
C.AWS Shield
D.AWS Config
AnswerB

Control Tower provides guardrails for multi-account governance.

Why this answer

Option B is correct because AWS Control Tower provides a managed service to set up a multi-account environment with guardrails. Option D is wrong because AWS Config is for compliance evaluation, not policy enforcement. Option A is wrong because IAM Policy Simulator is for testing policies.

Option C is wrong because AWS Shield is for DDoS protection.

42
MCQmedium

A company has a multi-account AWS environment managed with AWS Organizations. The security team wants to ensure that no EC2 instance in any account can be launched without a specific tag 'CostCenter'. The team has created a Service Control Policy (SCP) that denies the ec2:RunInstances action if the request does not include the tag 'CostCenter'. However, they find that instances are still being launched without the tag in some accounts. What is the most likely reason?

A.The SCP uses the wrong condition key; it should use 'aws:ResourceTag' instead.
B.The accounts launching instances without tags are the management account.
C.The SCP does not include an explicit allow for the action.
D.The SCP is not attached to the organizational units containing the accounts.
AnswerB

The management account is not affected by SCPs.

Why this answer

Option B is correct because SCPs do not affect the management account; the management account is exempt from SCPs. Option D is wrong because IAM policies are account-specific, and the SCP would still apply if it were attached. Option C is wrong because SCPs do not require an explicit allow for this to work; the deny statement is sufficient.

Option A is wrong because the correct condition key for tags supplied at creation is 'aws:RequestTag', not 'aws:ResourceTag'.

43
MCQeasy

A startup uses a single AWS account for development. The developer has full administrative access and accidentally deleted an S3 bucket containing critical data. The security team wants to prevent similar incidents without hindering agility. What is the MOST effective control?

A.Remove the developer's permissions and require all changes through IT.
B.Configure an S3 lifecycle policy to archive objects to S3 Glacier.
C.Use AWS CloudTrail to monitor deletions and alert the security team.
D.Enable S3 Versioning and MFA Delete on the bucket.
AnswerD

Versioning allows recovery of deleted objects; MFA Delete adds protection.

Why this answer

Option D is correct because enabling S3 Versioning preserves all object versions, allowing recovery of deleted objects, while MFA Delete requires multi-factor authentication to permanently delete object versions or suspend versioning. This prevents accidental or unauthorized permanent deletions without hindering the developer's ability to create, read, and update objects, thus balancing security and agility.

Exam trap

The trap here is that candidates often choose CloudTrail (Option C) because it provides monitoring and alerts, but they overlook that it is a detective control, not a preventive or recovery control, and thus cannot stop or reverse the deletion of critical data.

How to eliminate wrong answers

Option A is wrong because removing the developer's permissions and requiring all changes through IT eliminates agility and violates the principle of least privilege by over-restricting access, which is not the most effective control for preventing accidental deletions while maintaining speed. Option B is wrong because an S3 lifecycle policy to archive objects to S3 Glacier only moves objects to a different storage class after a set period; it does not protect against immediate deletion of the bucket or its objects, nor does it enable recovery of already-deleted data. Option C is wrong because AWS CloudTrail monitors and alerts on API calls but does not prevent deletions; it only provides post-facto notification, which does not stop the incident or enable recovery of the deleted data.

44
Multi-Selecteasy

Which TWO AWS services can be used to detect and alert on unauthorized API calls in real time?

Select 2 answers
A.Amazon CloudWatch Alarms
B.AWS KMS
C.Amazon EventBridge
D.AWS IAM
E.AWS Config
AnswersA, C

CloudWatch can alarm on CloudTrail metric filters.

Why this answer

Options A and C are correct. Option A is correct because CloudTrail delivers events to CloudWatch Logs, and CloudWatch Alarms can trigger on metric filters. Option C is correct because EventBridge can process CloudTrail events and trigger alerts.

Option D is wrong because IAM is for identity management, not monitoring. Option E is wrong because Config is for compliance evaluation, not real-time alerting on API calls. Option B is wrong because KMS is for encryption key management.

45
MCQmedium

A company wants to centrally manage IAM users and allow them to access multiple AWS accounts using a single set of credentials. Which AWS service should be used?

A.AWS IAM Identity Center (AWS SSO)
B.IAM roles with cross-account trust
C.AWS Organizations consolidated billing
D.Amazon Cognito user pools
AnswerA

Provides single sign-on with temporary credentials for multiple accounts.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) is the correct service because it provides a centralized identity source that allows users to sign in once with a single set of credentials and then access multiple AWS accounts and business applications. It integrates with AWS Organizations to automatically manage permissions across accounts, eliminating the need for separate IAM users in each account.

Exam trap

The trap here is that candidates often confuse IAM roles with cross-account trust as a centralized solution, but they require manual role setup and do not provide a single sign-on portal or unified credential management across accounts.

How to eliminate wrong answers

Option B is wrong because IAM roles with cross-account trust allow users in one account to assume roles in another account, but they still require separate IAM users in the originating account and do not provide a single sign-on experience with a unified credential set. Option C is wrong because AWS Organizations consolidated billing only aggregates billing and payment across accounts; it does not manage user identities or provide authentication. Option D is wrong because Amazon Cognito user pools are designed for customer-facing identity and access management for web and mobile applications, not for centrally managing IAM users accessing multiple AWS accounts.

46
MCQmedium

A security team needs to ensure that all API calls made in the AWS account are logged and the logs are stored in a central S3 bucket that is encrypted with a KMS key. Which combination of steps should the team take to achieve this?

A.Enable AWS Config and have it deliver configuration history to an encrypted S3 bucket.
B.Enable CloudWatch Logs and stream logs to an encrypted S3 bucket.
C.Enable VPC Flow Logs and publish to an encrypted S3 bucket.
D.Enable CloudTrail and configure it to deliver logs to an encrypted S3 bucket.
AnswerD

CloudTrail is designed to log API calls and can deliver to an encrypted S3 bucket.

Why this answer

Option D is correct because CloudTrail logs API calls and can deliver them to an encrypted S3 bucket. Option B is wrong because CloudWatch Logs does not directly store logs in S3. Option A is wrong because Config records resource changes, not API calls.

Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

47
MCQeasy

A company wants to use AWS CloudFormation to manage infrastructure. The security team requires that all templates are scanned for security vulnerabilities before deployment. Which service should be integrated into the pipeline?

A.Amazon Inspector
B.AWS CloudFormation Guard
C.AWS Config
D.AWS Shield Advanced
AnswerB

Guard allows policy-as-code to validate templates pre-deployment.

Why this answer

AWS CloudFormation Guard (cfn-guard) is a policy-as-code tool that allows you to define rules to validate CloudFormation templates against security best practices before deployment. It integrates into CI/CD pipelines to enforce compliance with organizational policies, such as ensuring encryption is enabled or public access is restricted, directly addressing the requirement to scan templates for security vulnerabilities.

Exam trap

The trap here is confusing runtime vulnerability scanning (Amazon Inspector) with pre-deployment template validation (CloudFormation Guard), leading candidates to choose Inspector because they associate 'security vulnerabilities' with runtime scanning rather than infrastructure-as-code compliance.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans running EC2 instances, container images, and Lambda functions for software vulnerabilities and network exposure, not CloudFormation templates. Option C is wrong because AWS Config is a service for evaluating and auditing the configuration of deployed AWS resources against desired policies, not for scanning infrastructure-as-code templates before deployment. Option D is wrong because AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS, not a tool for scanning CloudFormation templates.

48
MCQmedium

A security engineer is designing a cross-account access policy. The engineer has an S3 bucket in Account A and wants to grant read access to a user in Account B. Which combination of policies is required?

A.A bucket policy in Account A that allows access to the user in Account B.
B.A bucket ACL in Account A granting access to the user in Account B.
C.An IAM policy in Account B that grants s3:GetObject to the bucket.
D.A bucket policy in Account A allowing the user, and an IAM policy in Account B granting s3:GetObject.
AnswerD

Both policies are necessary for cross-account access.

Why this answer

Option D is correct because both a bucket policy in Account A allowing the user and an IAM policy in Account B granting s3:GetObject are required. Option A is wrong because a bucket policy alone is insufficient. Option C is wrong because an IAM policy alone is insufficient.

Option B is wrong because ACLs are legacy and less secure.

49
MCQhard

A company has a multi-account AWS Organization with hundreds of accounts. The security team wants to prevent any IAM user from creating access keys in any account. What is the most scalable and secure approach?

A.Use IAM Access Analyzer to generate findings when access keys are created.
B.Configure IAM password policies in each account to disallow access keys.
C.Apply an SCP that denies the IAM:CreateAccessKey action to all accounts in the organization.
D.Create an AWS Config rule in each account to automatically delete access keys.
AnswerC

SCPs centrally enforce permissions across all accounts.

Why this answer

Option C is correct: a service control policy (SCP) at the root or OU level can deny the IAM:CreateAccessKey action, which applies to all accounts in the organization. Option B is wrong because it does not prevent users in other accounts from creating keys. Option A is wrong because IAM Access Analyzer does not block actions.

Option D is wrong because it requires manual updates and is not scalable.

50
MCQhard

A company uses AWS Organizations and has a requirement to enforce that all EC2 instances launched in any account must have a specific tag "Environment" with value "Production". The security team wants to prevent any instance without this tag from being launched. They implement a service control policy (SCP) that denies the ec2:RunInstances action if the request does not include the required tag. However, they find that users are still able to launch instances without the tag. The SCP is attached to the root OU. The team also has an IAM policy that allows ec2:RunInstances with no conditions. What is the most likely reason the SCP is not preventing the launches?

A.The SCP does not apply to the root user in member accounts.
B.The IAM policy allows the action, which overrides the SCP deny.
C.The SCP is applied to the management account, not the member accounts.
D.The SCP uses ec2:ResourceTag instead of aws:RequestTag for the condition.
AnswerD

Use aws:RequestTag to enforce tags on creation.

Why this answer

Option D is correct because the SCP condition uses the ec2:ResourceTag condition key, which only applies to existing resources, not to tags supplied at creation. For RunInstances, the condition key should be aws:RequestTag to enforce tags on creation. Option B is wrong because IAM policies are evaluated after SCPs, and an SCP deny applies regardless of an IAM allow.

Option A is wrong because SCPs apply to all users in member accounts, including the root user. Option C is wrong because the SCP is attached to the root OU, not the management account.

51
MCQeasy

The exhibit shows an S3 bucket policy. The security team wants to ensure that only users from account 123456789012 can access objects in the bucket. What is a potential security issue with this policy?

A.The policy grants access to all IAM users in the account, not just specific ones.
B.The policy does not restrict access to a specific VPC.
C.The policy uses a wildcard in the resource ARN.
D.The policy does not require MFA.
AnswerA

Using the root ARN grants access to the entire account, not a specific principal.

Why this answer

The policy grants access to the entire account root (all users in that account) and does not restrict to specific IAM users or roles. Therefore, any user in the account can access the objects if they have permission to call s3:GetObject. Additionally, there is no condition for encryption in transit or at rest, but the primary issue is that it's too permissive within the account.

Option A is correct because the policy grants access to the entire account. Option D is wrong because, although there is no condition for MFA, that is not the primary issue. Option B is wrong because, although the policy does not restrict access to specific IPs, that is not the primary issue either.

52
MCQeasy

An S3 bucket policy is created as shown. What is the effect of this policy?

A.It blocks all access to the bucket.
B.It denies all requests that are not made over HTTPS.
C.It allows anonymous access to the bucket over HTTPS.
D.It requires server-side encryption for all objects.
AnswerB

The condition denies when SecureTransport is false.

Why this answer

Option B is correct because the policy denies all actions when the request is not made over HTTPS (SecureTransport is false). Option C is incorrect because the policy does not allow anonymous access. Option D is incorrect because it does not enforce encryption at rest.

Option A is incorrect because the policy does not block all access, only non-HTTPS requests.

53
MCQmedium

A company requires that all Amazon EC2 instances be launched only with an approved Amazon Machine Image (AMI) that has been hardened by the security team. Which AWS service should be used to enforce this requirement?

A.AWS Config
B.EC2 Image Builder
C.AWS Systems Manager Patch Manager
D.AWS Service Catalog
AnswerA

Correct: AWS Config can check that EC2 instances use approved AMIs.

Why this answer

Option A is correct because AWS Config can evaluate whether EC2 instances are launched from approved AMIs using a managed rule or a custom rule. Option D is wrong because AWS Service Catalog can provide a product portfolio but does not enforce the AMI at launch. Option B is wrong because EC2 Image Builder builds and manages images but does not enforce their use.

Option C is wrong because AWS Systems Manager Patch Manager patches instances but does not control which AMIs are used.

54
Drag & Dropmedium

Drag and drop the steps to configure Amazon GuardDuty for multi-account security in the correct order.


Why this order

Multi-account GuardDuty requires enabling in master, inviting members, accepting, configuring export, and delegating admin.

55
MCQeasy

A company has a requirement to audit all API calls made to AWS services in their account. Which AWS service should be used to meet this requirement?

A.AWS Config
B.Amazon Inspector
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerD

CloudTrail records all API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records API activity in the account. Option C is wrong because Amazon GuardDuty is a threat detection service. Option A is wrong because AWS Config records resource configuration changes, not API calls.

Option B is wrong because Amazon Inspector is a vulnerability assessment service.

56
MCQhard

A global e-commerce company operates in three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. The company uses AWS Organizations with 50 member accounts grouped by business unit. The security team recently discovered that several S3 buckets containing customer data were accidentally made public due to misconfigured bucket policies. The team wants to implement a preventive control that blocks any S3 bucket from becoming public across all accounts, while still allowing authorized cross-account access. The solution must be centrally managed and not require changes to existing IAM policies. Additionally, the team needs to be notified immediately when a public bucket is attempted. Which solution meets all requirements?

A.Use Amazon Macie to discover public buckets and alert the security team.
B.Create an SCP that denies s3:PutBucketPolicy only for policies that specify 'Principal': '*' or 'Principal': {'AWS': '*'}
C.Create an SCP that denies s3:PutBucketPolicy and s3:PutBucketAcl when the condition includes making the bucket public, and use CloudTrail and CloudWatch Events to send notifications on denied API calls.
D.Deploy an AWS Config rule in each account that triggers a Lambda function to make non-compliant buckets private.
AnswerC

SCPs are preventive and centrally managed; CloudTrail logs denied events, and CloudWatch Events can trigger SNS for notifications.

Why this answer

Option C is correct because it uses an SCP to centrally deny the s3:PutBucketPolicy and s3:PutBucketAcl actions when the request would make a bucket public, which is a preventive control that blocks the operation before it happens. The requirement for immediate notification is met by using CloudTrail to log the denied API calls and CloudWatch Events to trigger alerts, all without modifying existing IAM policies or requiring per-account changes.

Exam trap

The trap here is that candidates often confuse detective controls (like Macie or Config rules that remediate) with preventive controls (like SCPs that block the action), and they may overlook that SCPs can deny specific API actions with conditions to precisely target public bucket creation without affecting authorized cross-account access.

How to eliminate wrong answers

Option A is wrong because Amazon Macie is a data discovery and classification service that can detect public buckets after they exist, but it is a detective control, not a preventive control that blocks the action. Option B is wrong because an SCP that denies s3:PutBucketPolicy only when 'Principal': '*' or 'Principal': {'AWS': '*'} is specified does not cover all ways a bucket can become public, such as through bucket ACLs (s3:PutBucketAcl) or policies that grant public access via other principal patterns (e.g., 'Principal': {'AWS': 'arn:aws:iam::123456789012:root'} with a condition that allows anonymous access). Option D is wrong because an AWS Config rule that triggers a Lambda function to make non-compliant buckets private is a reactive (corrective) control, not a preventive control that blocks the bucket from becoming public in the first place, and it requires per-account deployment rather than being centrally managed.

57
MCQmedium

A company wants to ensure that IAM users with console access have strong passwords. Which IAM password policy setting should the company configure to enforce the use of at least one uppercase letter?

A.MinimumPasswordLength
B.RequireUppercaseCharacters
C.RequireNumbers
D.RequireSymbols
AnswerB

Enforces at least one uppercase letter.

Why this answer

Option B is correct because 'RequireUppercaseCharacters' enforces at least one uppercase letter. Option C is wrong because 'RequireNumbers' is for digits. Option D is wrong because 'RequireSymbols' is for special characters.

Option A is wrong because 'MinimumPasswordLength' is about length, not character types.

58
MCQmedium

A company requires that all IAM users in the Security team must use multi-factor authentication (MFA) to access the AWS Management Console. The company has enabled MFA for all users, but the Security team administrator reports that some users can still sign in without MFA. Which action should the administrator take to enforce MFA for all sign-ins?

A.Create a new IAM policy that requires MFA for programmatic access only.
B.Enable the 'aws:MultiFactorAuthPresent' condition in the IAM password policy.
C.Update the password policy to require MFA for all IAM users.
D.Attach an IAM policy that denies all actions if 'aws:MultiFactorAuthPresent' is false.
AnswerD

This explicitly denies access without MFA, enforcing MFA for console sign-in.

Why this answer

Option D is correct because attaching an IAM policy that explicitly denies access unless MFA is present enforces MFA for all actions, including console sign-in. Option B is wrong because the condition key 'aws:MultiFactorAuthPresent' is not set to 'true' for console sign-in by default; it is only set for API calls. Option A is wrong because requiring MFA for programmatic access does not affect console sign-in.

Option C is wrong because the password policy cannot enforce MFA at sign-in.

59
MCQmedium

A company has a multi-account AWS Organization with 50 accounts. The security team uses AWS CloudTrail to log all API calls and sends the logs to a central S3 bucket in the security account. The team wants to ensure that any attempt to disable CloudTrail logging or delete the trail is detected and automatically remediated within 5 minutes. They have configured an AWS Config rule that triggers an AWS Lambda function when the CloudTrail configuration changes. However, the Lambda function is not being invoked when they test by stopping the trail. The Lambda function's IAM role has permissions to start and update CloudTrail. CloudTrail logs show that the Config rule is evaluating the resource, but the Lambda function is not triggered. What is the most likely cause?

A.The S3 bucket policy does not allow CloudTrail to write logs.
B.The Lambda function's IAM role does not have permission to modify CloudTrail.
C.The CloudTrail trail does not have permission to send logs to the S3 bucket.
D.The AWS Config service does not have permission to invoke the Lambda function.
AnswerD

Config needs a resource-based policy on the Lambda function allowing it to invoke.

Why this answer

Option D is correct because AWS Config must have permission to invoke the Lambda function. Even if the Lambda function's role has permission to modify CloudTrail, Config still needs permission to invoke the function. Option C is wrong because CloudTrail does not need permission to invoke Lambda.

Option B is wrong because the Lambda function has the necessary permissions; it is Config that does not. Option A is wrong because the issue is not with the S3 bucket.

60
MCQhard

A company's security team discovers that an EC2 instance in the production account has been compromised. The instance has an IAM role attached that allows it to read from an S3 bucket containing sensitive data. The team needs to immediately stop the data exfiltration while preserving the evidence. What should the team do first?

A.Detach the S3 bucket from the VPC endpoint.
B.Apply an inline policy to the IAM role that denies all S3 actions.
C.Remove the IAM role from the EC2 instance.
D.Terminate the compromised EC2 instance immediately.
AnswerB

This immediately stops the role's ability to access S3.

Why this answer

Option B is correct because applying a deny-all policy to the role's S3 access immediately stops the exfiltration without terminating the instance, preserving evidence. Option D is wrong because terminating the instance may destroy evidence. Modifying the bucket policy instead would take time and may not be immediate.

Option C is wrong because removing the role may cause issues and does not immediately stop the exfiltration if the role's credentials are cached.

61
Multi-Selectmedium

Which TWO are best practices for managing IAM policies? (Select TWO.)

Select 2 answers
A.Use wildcards (*) to simplify policy management
B.Use inline policies instead of managed policies
C.Use SCPs to enforce permissions
D.Grant least privilege by using specific actions and resources
E.Use AWS managed policies when possible
AnswersD, E

Least privilege is a security best practice.

Why this answer

Option D is correct because the principle of least privilege is a foundational security best practice in AWS IAM. By specifying exact actions (e.g., s3:GetObject) and resources (e.g., arn:aws:s3:::example-bucket/*) instead of using wildcards, you minimize the blast radius of a compromised credential or misconfigured policy. This aligns with the AWS Well-Architected Framework's security pillar, which mandates granting only the permissions required to perform a task.

Exam trap

The trap here is that candidates often confuse SCPs as a method to grant permissions, when in fact SCPs only define a maximum permission boundary and cannot grant any access—permissions must still be explicitly allowed by IAM policies within the account.

62
Multi-Selecthard

Which THREE measures should a security team implement to detect and respond to potential security incidents in an AWS environment? (Select THREE.)

Select 3 answers
A.Run Amazon Inspector assessments.
B.Enable AWS CloudTrail.
C.Enable AWS Config.
D.Enable VPC Flow Logs for all VPCs.
E.Enable Amazon GuardDuty.
AnswersB, C, E

Logs API calls for auditing.

Why this answer

Options B, C, and E are correct. Amazon GuardDuty continuously monitors for malicious activity. AWS CloudTrail logs API calls for investigation.

AWS Config tracks configuration changes that may indicate security issues. Option D is wrong because VPC Flow Logs are for network traffic analysis, not detection of all incidents. Option A is wrong because Amazon Inspector is for vulnerability assessment, not incident detection.

63
MCQhard

A security engineer needs to monitor for unauthorized API calls in real-time. Which combination of services should be used?

A.Amazon S3 event notifications and AWS Lambda
B.AWS CloudTrail and Amazon CloudWatch Logs with metric filters
C.AWS Config and Amazon SNS
D.Amazon GuardDuty and AWS CloudTrail
AnswerB

CloudTrail logs, CloudWatch alarms on patterns.

Why this answer

AWS CloudTrail records all API calls in an AWS account, and CloudWatch Logs can ingest those logs. By creating metric filters on CloudWatch Logs, you can define patterns that match unauthorized API calls (e.g., AccessDenied errors) and trigger alarms in real time. This combination provides the necessary logging and real-time monitoring capability.

Exam trap

Cisco often tests the distinction between services that log events (CloudTrail) versus services that detect threats (GuardDuty) versus services that monitor configuration (Config), leading candidates to choose GuardDuty because it sounds security-focused, but it does not provide real-time metric-based alerting on raw API calls.

How to eliminate wrong answers

Option A is wrong because Amazon S3 event notifications are designed to notify on S3 object-level events (e.g., PUT, DELETE), not on API calls across all AWS services; they lack the ability to monitor unauthorized API calls broadly. Option C is wrong because AWS Config is a service for resource inventory, configuration history, and compliance rules, not for real-time monitoring of API call logs; Amazon SNS alone cannot parse or filter API call data. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes findings from multiple sources (including CloudTrail) but does not provide real-time monitoring of raw API calls itself; it relies on CloudTrail for data but adds latency for threat analysis rather than immediate metric-based alerting.

64
MCQhard

Refer to the exhibit. A security engineer applied the bucket policy shown. What is the effect of this policy?

A.All PutObject requests are denied.
B.Only GetObject requests that use HTTP are denied.
C.Only GetObject requests from specific IP ranges are denied.
D.All GetObject requests to the bucket are denied.
AnswerB

The condition denies access when SecureTransport is false, i.e., HTTP requests.

Why this answer

The bucket policy uses a `NotIpAddress` condition with the `aws:SourceIp` key to deny `s3:GetObject` requests that do not originate from the specified IP range (192.0.2.0/24). However, the `Null` condition on `aws:SecureTransport` ensures the policy only applies when the request is not using HTTPS (i.e., when `aws:SecureTransport` is false). Therefore, only GetObject requests over HTTP are denied; HTTPS requests from any IP are allowed, and PutObject requests are unaffected.

Exam trap

The trap here is that candidates overlook the `Null` condition on `aws:SecureTransport` and assume the `NotIpAddress` condition alone denies all requests from outside the IP range, missing that the policy only triggers when the request is over HTTP.

How to eliminate wrong answers

Option A is wrong because the policy only denies `s3:GetObject`, not `s3:PutObject`, so PutObject requests are not denied. Option C is wrong because the policy denies requests from IPs outside the specified range only when the request uses HTTP; it does not deny requests from specific IP ranges—it denies requests not from that range, but only under the HTTP condition. Option D is wrong because the policy does not deny all GetObject requests; it only denies those made over HTTP, leaving HTTPS GetObject requests unaffected.

65
MCQeasy

A security engineer needs to audit all API calls made in an AWS account for the past 90 days. Which AWS service should the engineer use?

A.Amazon S3 access logs
B.AWS CloudTrail
C.AWS Config
D.Amazon CloudWatch Logs
AnswerB

Records API calls for auditing.

Why this answer

Option B is correct because CloudTrail logs API calls and can be configured to store logs for 90 days. Option D is wrong because CloudWatch Logs is for application logs, not API calls. Option A is wrong because S3 is storage, not an auditing service.

Option C is wrong because Config is for resource configuration changes, not API calls.

66
MCQhard

A security engineer is designing a centralized logging solution for a multi-account AWS environment. They need to ensure log files are tamper-proof and cannot be deleted or modified by anyone, including the root user of any account. Which configuration meets these requirements?

A.Create a bucket policy that denies s3:DeleteObject and s3:PutObject to all principals.
B.Enable MFA Delete on the S3 bucket and configure CloudTrail to log to that bucket.
C.Enable CloudTrail log file validation and store logs in a separate account.
D.Enable S3 Object Lock in Governance mode with a retention period, and use a separate account to manage the retention settings.
AnswerD

Object Lock prevents object deletion/modification, and Governance mode allows only users with special permissions to bypass retention, which can be restricted to a different account.

Why this answer

Option D is correct because S3 Object Lock in Governance mode prevents any user, including the root user, from deleting or overwriting objects until the retention period expires. By storing the logs in a separate account that manages the retention settings, the security engineer ensures that even if an attacker compromises the source account, they cannot modify or delete the logs because the lock is enforced by the destination account's S3 configuration.

Exam trap

The trap here is that candidates confuse MFA Delete (which only adds an extra authentication step for deletion but does not prevent root user deletion) with S3 Object Lock (which provides immutable storage that cannot be deleted or modified by any user, including root, during the retention period).

How to eliminate wrong answers

Option A is wrong because a bucket policy that denies s3:DeleteObject and s3:PutObject to all principals would also block legitimate log delivery from services like CloudTrail or S3 access logs, making the logging solution non-functional. Option B is wrong because MFA Delete only protects against accidental or unauthorized deletion of objects and requires the MFA token to be presented with the delete request; it does not prevent the root user from deleting objects if they have the MFA device, and it does not prevent modification (overwriting) of objects. Option C is wrong because CloudTrail log file validation only provides integrity verification through digital signatures (SHA-256 hashing) to detect tampering after the fact, but it does not prevent deletion or modification of log files; a malicious actor could still delete or alter logs, and the validation would only reveal that tampering occurred.

67
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team needs to enforce that all S3 buckets across the organization have block public access enabled. Which policy should be used?

A.Configure a bucket policy on each S3 bucket to deny public access.
B.Create a service control policy (SCP) that denies s3:PutBucketPublicAccessBlock for all accounts.
C.Apply an IAM policy to the root user of each account.
D.Use AWS CloudFormation StackSets to deploy a bucket with public access blocked.
AnswerB

SCPs can deny actions across accounts in an organization.

Why this answer

Option B is correct because a service control policy (SCP) can be applied at the organization level to deny actions that modify S3 public access settings. Option C is incorrect because IAM policies apply to users and roles, not to accounts. Option A is incorrect because bucket policies are per bucket, not organizational.

Option D is incorrect because CloudFormation StackSets deploy resources; they do not enforce policies.

68
MCQhard

A company has a requirement that all Amazon EC2 instances must be launched with an IAM role that grants least-privilege permissions. The security team wants to prevent users from launching instances without a role, and also wants to ensure that the role used is one of a set of approved roles. How can this be enforced?

A.Use an SCP to require that all EC2 instances have an IAM role attached.
B.Attach an IAM policy to users that denies ec2:RunInstances unless the ec2:InstanceProfile condition matches an approved profile ARN.
C.Use an SCP to deny ec2:RunInstances unless the instance profile is in a specific list of ARNs.
D.Use AWS Config to detect instances without a role and automatically terminate them.
AnswerB

This policy condition ensures that only instances with an approved IAM role can be launched.

Why this answer

Option B is correct because an IAM policy with a condition that checks the IAM instance profile ARN against a list of approved profiles enforces both requirements. Option A is wrong because it only requires a role, not an approved one. Option D is wrong because AWS Config can detect but not prevent.

Option C is wrong because SCPs cannot enforce specific instance profile ARNs; they apply at the account level and cannot reference resource-level conditions like ec2:InstanceProfile.

69
Multi-Selecteasy

A security engineer needs to grant a user read-only access to an S3 bucket. Which THREE of the following are required in the IAM policy?

Select 3 answers
A.Action: s3:ListBucket
B.Action: s3:GetObject
C.Action: s3:PutObject
D.Effect: Allow
E.Action: s3:DeleteObject
AnswersA, B, D

Correct: Allows listing objects.

Why this answer

Options A, B, and D are correct. To grant read-only access, the policy must allow s3:ListBucket on the bucket resource and s3:GetObject on the object resources. Option C is wrong because s3:PutObject is write access.

Option E is wrong because s3:DeleteObject is not needed for read-only.

70
MCQeasy

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should they use to record policy changes?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerB

CloudTrail logs all API calls, including IAM policy changes.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in the AWS account, including IAM policy changes (e.g., CreatePolicy, PutRolePolicy, AttachUserPolicy). These events are captured as CloudTrail log entries, providing a complete audit trail of who made the change, when, and from which source IP. This directly meets the requirement to audit all changes to IAM policies.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration state) with CloudTrail (which tracks API call history), leading them to choose AWS Config because it can detect drift, but it does not provide the detailed audit trail of who made the change and when.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and unintended network exposure, not a service that records API activity or policy changes. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs, VPC flow logs, and CloudTrail events for malicious activity, but it does not itself record or store the raw API call history for IAM policy changes. Option D is wrong because AWS Config evaluates and records resource configuration changes (e.g., whether an IAM policy is attached to a user) and can trigger rules, but it does not capture the API call details (who, when, source IP) that are required for a complete audit trail of policy changes; that is CloudTrail's role.

71
MCQhard

A security engineer notices that an S3 bucket policy allows access to a principal from another AWS account. Which AWS feature can be used to check if this external access is intended?

A.AWS Trusted Advisor bucket permissions check
B.AWS Config rule s3-bucket-public-read-prohibited
C.AWS CloudTrail event history
D.AWS IAM Access Analyzer
AnswerD

Identifies external access and allows you to review and validate.

Why this answer

IAM Access Analyzer generates findings for external access to S3 buckets. You can review and archive findings if intended.

72
MCQeasy

A company has a three-tier web application running on AWS. The application consists of an Application Load Balancer (ALB), an EC2 Auto Scaling group for web servers, and an RDS MySQL database. The Security team recently discovered that the database is publicly accessible from the internet. They need to remediate this immediately while minimizing downtime. The database is critical for the application, and the application must remain available. The team has identified that the database security group currently allows inbound traffic from 0.0.0.0/0 on port 3306. The web servers are in a security group named 'web-sg'. The database security group is named 'db-sg'. The team wants to restrict access to only the ALB and the web servers. Which action should the team take to resolve the issue with the least downtime?

A.Create a new security group that allows inbound traffic from the web-sg security group on port 3306, then attach the new security group to the database instance.
B.Modify the inbound rule of the db-sg security group to allow traffic from the web-sg security group on port 3306 and remove the rule allowing traffic from 0.0.0.0/0.
C.Update the network ACL for the database subnet to deny inbound traffic from 0.0.0.0/0 on port 3306.
D.Move the RDS instance to a private subnet and update the application's database endpoint to use the new private IP address.
AnswerB

This change is immediate and does not affect running connections; new connections will be allowed only from web-sg.

Why this answer

Option B is correct because modifying the db-sg security group to allow inbound traffic from the web-sg security group (instead of 0.0.0.0/0) on port 3306 directly restricts database access to only the web servers. This change is applied immediately without requiring any resource recreation or downtime, as security group rules are stateful and take effect in real time. Removing the overly permissive rule eliminates the public exposure while keeping the existing database endpoint and application connectivity intact.

Exam trap

The trap here is that candidates may think creating a new security group (Option A) is safer or less disruptive, but modifying the existing security group is immediate and causes zero downtime, whereas attaching a new group can cause a brief connectivity gap during the transition.

How to eliminate wrong answers

Option A is wrong because creating a new security group and attaching it to the database instance would require detaching the existing db-sg and attaching the new one, which can cause a brief interruption in connectivity (downtime) and is unnecessary when the existing security group can be modified directly. Option C is wrong because network ACLs are stateless and apply at the subnet level, not the instance level; they would block traffic from 0.0.0.0/0 on port 3306 but would also require adding explicit allow rules for return traffic, and they do not replace the need to fix the security group rule that allows public access. Option D is wrong because moving the RDS instance to a private subnet requires creating a new RDS instance or modifying the existing one, which involves significant downtime and configuration changes (e.g., updating the application endpoint), and does not directly address the security group misconfiguration that allows public access.

73
Multi-Selectmedium

A security engineer needs to ensure that all API calls in an AWS account are logged and that the logs are encrypted at rest and retained for at least 7 years. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A.Configure CloudTrail to deliver logs to Amazon S3 Glacier.
B.Set an S3 lifecycle policy to transition logs to Glacier after 7 years.
C.Enable S3 Cross-Region Replication to a bucket in another region.
D.Enable S3 default encryption on the log bucket.
E.Enable CloudTrail in the account.
AnswersB, D, E

Retains logs for 7 years.

Why this answer

Options B, D, and E are correct. Option E: CloudTrail logs API calls. Option D: S3 default encryption encrypts the logs at rest.

Option B: the lifecycle policy transitions logs to Glacier for long-term retention. Option A is wrong because CloudTrail does not write directly to Glacier. Option C is wrong because S3 Replication is for copying, not retention.

74
MCQmedium

A security team is reviewing IAM roles and policies. They want to ensure that any new IAM role created in the account must include a specific managed policy (e.g., SecurityAudit). What AWS service can enforce this requirement?

A.AWS CloudTrail
B.AWS Config rules
C.Service control policy (SCP) in AWS Organizations
D.IAM permissions boundary
AnswerC

SCPs can deny role creation if the required policy is not attached.

Why this answer

Option C is correct because SCPs can deny IAM role creation if the role does not have a specific policy attached. Option D is wrong because IAM policies, permissions boundaries included, define permissions; they do not enforce role-creation rules. Option B is wrong because AWS Config can detect noncompliant roles but cannot prevent their creation.

Option A is wrong because CloudTrail logs API calls but does not enforce policies.

75
MCQhard

A company has an S3 bucket that contains sensitive data. The bucket policy allows access only from a specific VPC endpoint. A security engineer notices that objects in the bucket are being deleted by an IAM user from outside the VPC. The engineer checks the bucket policy and confirms that the policy denies access if the request does not come from the VPC endpoint. However, the deletions continue. What is the most likely cause?

A.The bucket policy is missing a Deny statement for the s3:DeleteObject action.
B.The VPC endpoint policy allows the deletion.
C.The IAM user is the bucket owner and the bucket policy does not apply to the owner.
D.The bucket has an ACL that allows the IAM user to delete objects.
AnswerC

Bucket policies do not apply to the account that owns the bucket; IAM policies would need to be used.

Why this answer

Option C is correct because the bucket owner's account has full control over the bucket, and bucket policies do not override the owner's permissions. Option A is wrong because if the bucket policy were incorrect, it would not deny access at all. Option D is wrong because ACLs are not used here.

Option B is wrong because the requests come from outside the VPC, so the endpoint policy does not apply; the deletions continue because the user is not blocked by the bucket policy.
