CCNA Security and Compliance Questions

75 of 260 questions · Page 3/4 · Security and Compliance · Answers revealed

151
MCQ · easy

A company wants to ensure that all Amazon S3 buckets have versioning enabled to protect against accidental deletion of objects. A SysOps administrator needs to automatically detect any buckets that do not have versioning enabled and receive notifications. Which AWS service should the administrator use?

A. AWS CloudTrail
B. AWS Config
C. Amazon Inspector
D. AWS Trusted Advisor
Answer: B

Correct. AWS Config evaluates resource configurations against desired policies using managed or custom rules. The 's3-bucket-versioning-enabled' managed rule will flag buckets that do not have versioning enabled.

Why this answer

AWS Config is the correct service because it provides managed rules, such as 's3-bucket-versioning-enabled', that continuously evaluate your S3 buckets against desired configuration states. When a bucket is non-compliant (versioning disabled), AWS Config can trigger an Amazon SNS notification to alert the administrator, enabling automated detection and remediation.

Exam trap

The trap here is that candidates confuse AWS Config (continuous configuration auditing) with AWS CloudTrail (API activity logging), thinking that CloudTrail can detect non-compliant states when it only records actions that change the state.

How to eliminate wrong answers

Option A (AWS CloudTrail) is wrong because it records API activity (e.g., PutBucketVersioning calls) but does not evaluate the current configuration state of resources; a bucket that was created long ago with versioning off never generates an event to alert on. Option C (Amazon Inspector) is wrong because it is designed for vulnerability assessment of EC2 instances, container images and Lambda functions, not for auditing S3 bucket configurations. Option D (AWS Trusted Advisor) is wrong because, although it does include an Amazon S3 Bucket Versioning check in its fault tolerance category, it is a periodic advisory review rather than a continuous compliance engine with per-resource compliance state and remediation hooks; AWS Config is the service built for that. In practice the s3-bucket-versioning-enabled rule is paired with an Amazon EventBridge rule on the 'Config Rules Compliance Change' event that targets an SNS topic, so the administrator is notified the moment a bucket becomes non-compliant.

152
MCQ · medium

A SysOps administrator manages IAM roles for Amazon EC2 instances. The administrator needs to identify permissions that have never been used in the last 90 days to right-size the policies. Which AWS feature should be used to achieve this?

A. AWS CloudTrail Insights
B. IAM Access Analyzer unused access analysis
C. IAM policy simulator
D. AWS Config managed rules
Answer: B

Analyzes service last accessed data to identify unused permissions for least privilege.

Why this answer

IAM Access Analyzer unused access analysis is the correct AWS feature because it specifically analyzes IAM roles and policies to identify permissions that have not been used within a specified time frame (e.g., 90 days). It provides a report of unused actions, allowing the administrator to right-size policies by removing unnecessary permissions. This directly addresses the requirement to identify unused permissions for EC2 instance roles.

Exam trap

The trap here is that candidates may confuse IAM Access Analyzer unused access analysis with AWS CloudTrail Insights, but CloudTrail Insights focuses on anomalous activity patterns rather than a straightforward unused permissions report for policy right-sizing.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail Insights analyzes management and data events to detect unusual activity patterns, not to identify unused permissions over a specific period. Option C is wrong because the IAM policy simulator tests whether a given policy allows or denies specific actions for a user, role, or resource, but it does not analyze historical usage or identify unused permissions. Option D is wrong because AWS Config managed rules evaluate resource configurations against compliance rules, not historical permission usage.

153
MCQ · easy

A company wants to allow a developer to deploy applications using AWS CloudFormation but restrict the developer from creating or modifying IAM resources. Which IAM policy should be used?

A. Allow iam:*
B. Deny cloudformation:*
C. Allow cloudformation:* and deny iam:*
D. Allow cloudformation:* only
Answer: C

Allowing all CloudFormation actions while explicitly denying all IAM actions gives the developer what is needed and nothing more.

Why this answer

Option C is correct because it allows every CloudFormation action while an explicit Deny on iam:* blocks the developer from creating or modifying IAM resources, including when CloudFormation tries to create them on the developer's behalf, because an explicit deny overrides any allow from any other policy. Option D (Allow cloudformation:* only) leaves IAM actions implicitly denied, but only for as long as no other attached policy grants them; the explicit Deny holds regardless of what else is attached, which is why it is the better answer. Option B is wrong because it denies CloudFormation itself. Option A is wrong because it grants full IAM access, the opposite of what is required.

Practitioner caveat: if stacks are launched with a CloudFormation service role (which the developer would need iam:PassRole for), CloudFormation uses that role's permissions rather than the developer's, so the service role must be restricted in the same way or the IAM deny is bypassed.

154
Multi-Select · easy

A SysOps administrator needs to ensure that an Amazon S3 bucket is not publicly accessible. Which THREE actions should be taken to prevent public access?

Select 3 answers
A. Enable versioning on the bucket.
B. Delete the bucket policy if it exists.
C. Configure the bucket to block new public ACLs using S3 Object Ownership.
D. Review and remove any public ACLs on the bucket and objects.
E. Use the S3 Block Public Access feature at the bucket level.
Answers: C, D, E

S3 Block Public Access overrides public ACLs and public bucket policies; S3 Object Ownership with bucket owner enforced disables ACLs altogether.

Why this answer

Correct options: C, D, E. Option E is correct because S3 Block Public Access at the bucket level rejects new public ACLs and public bucket policies and ignores any that already exist. Option D is correct because reviewing and removing public ACLs on the bucket and its objects clears grants made before the block was applied, so nothing is left behind if the block is ever relaxed. Option C is correct because setting S3 Object Ownership to bucket owner enforced disables ACLs for the bucket entirely, so no new public ACL can be created.

Option B is wrong because deleting the bucket policy does nothing about public ACLs and may remove grants the application depends on; a public policy should be corrected, not blindly deleted. Option A is wrong because versioning protects against overwrites and deletion, not public access. Block Public Access is also available at the account level, which covers every bucket in the account and is the usual baseline.

155
Multi-Select · medium

Which TWO IAM policy conditions can be used to enforce multi-factor authentication (MFA) for API calls? (Choose two.)

Select 2 answers
A. aws:PrincipalType
B. aws:MultiFactorAuthPresent
C. aws:MultiFactorAuthAge
D. aws:TokenIssueTime
E. aws:SourceIp
Answers: B, C

aws:MultiFactorAuthPresent says whether MFA was used for the session; aws:MultiFactorAuthAge says how long ago.

Why this answer

Options B and C are correct. The condition key aws:MultiFactorAuthPresent is true when the temporary credentials used for the request were obtained with MFA. The condition key aws:MultiFactorAuthAge holds the number of seconds since that MFA authentication, so a policy can require MFA within, say, the last hour. Both keys are absent from the request context when long-term access keys are used, so a Deny that should also catch those requests must use the BoolIfExists / NumericGreaterThanIfExists forms; with the plain operators a missing key makes the condition false and the deny silently fails to apply.

Option D is wrong because aws:TokenIssueTime is a valid key, but it records when temporary credentials were issued (it is used to revoke sessions), not whether MFA was involved. Option E is wrong because aws:SourceIp restricts by requester IP address. Option A is wrong because aws:PrincipalType distinguishes users, roles, federated users and the root user.

156
MCQ · hard

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any account can create access keys for themselves. Which is the MOST effective way to enforce this policy across all accounts?

A. Set an IAM permissions boundary on all users that denies 'iam:CreateAccessKey'.
B. Attach a service control policy to the root organizational unit that denies 'iam:CreateAccessKey'.
C. Create an S3 bucket policy that denies access to IAM users with access keys.
D. Create an IAM group with a policy that denies 'iam:CreateAccessKey' and add all users to that group.
Answer: B

SCPs apply to every principal in the member accounts they cover, including those accounts' root users, and nobody inside a member account can remove them.

Why this answer

Option B is correct because a service control policy attached to the root of the organization is inherited by every OU and member account, and a Deny on iam:CreateAccessKey cannot be overridden by any identity policy, permissions boundary or administrator inside a member account. Option C is wrong because a bucket policy only controls access to S3 and has no effect on IAM actions. Option D is wrong because a group policy only applies to the users in that group, and an administrator can create users outside it or detach the policy.

Option A is wrong because a permissions boundary has to be attached to each user in each account, can be removed by an administrator with iam:DeleteUserPermissionsBoundary, and does not apply to the root user. Two caveats: SCPs never apply to the management account itself, so that account should hold no IAM users, and the Deny as written blocks creating access keys for anyone, not just 'for themselves'; limiting it to self-service would need a Resource of arn:aws:iam::*:user/${aws:username}.

157
MCQ · hard

Refer to the exhibit. A SysOps administrator applies this S3 bucket policy to a bucket named 'my-bucket'. The root user of account 123456789012 attempts to upload an object to the bucket without specifying encryption. What will happen?

A. The upload succeeds because the root user has full access.
B. The upload is denied because the request does not meet the condition.
C. The upload succeeds because the bucket has default encryption enabled.
D. The upload is denied because the policy explicitly denies all actions.
Answer: B

The Allow in the exhibit is conditional on x-amz-server-side-encryption being aws:kms; a request without the header matches no Allow.

Why this answer

Option B is correct because the policy allows s3:* only when the condition s3:x-amz-server-side-encryption equals aws:kms. A request that omits the header does not satisfy a StringEquals condition (a missing key fails a positive operator), so the Allow does not apply and, with no other grant, the request falls to an implicit deny. Option C is wrong because default bucket encryption is applied after the request is authorized; it does not add the header to the request, so it cannot satisfy the condition.

Option D is wrong because the policy contains no Deny statement; it allows conditionally. Option A is the answer the exam marks wrong, and it is wrong for a principal in another account, but note the practitioner caveat: the root user of the bucket-owning account already holds every permission, and an implicit deny in a bucket policy does not take anything away from it. To make the requirement stick for the account's own principals, use an explicit Deny with StringNotEquals (as in question 162) rather than a conditional Allow.

158
Multi-Select · easy

Which TWO AWS services can be used to encrypt data at rest in Amazon RDS? (Choose TWO.)

Select 2 answers
A. AWS Certificate Manager (ACM)
B. AWS CloudHSM
C. AWS Identity and Access Management (IAM)
D. Amazon RDS encryption feature
E. AWS Key Management Service (AWS KMS)
Answers: D, E

RDS encrypts at rest with KMS keys: the RDS encryption feature is the switch, KMS supplies the key.

Why this answer

Option D is correct because the Amazon RDS encryption feature, enabled when the DB instance is created, encrypts the underlying storage, automated backups, read replicas and snapshots. Option E is correct because that encryption uses an AWS KMS key, either the AWS managed key aws/rds or a customer managed key you choose. Option A is wrong because AWS Certificate Manager issues TLS certificates for data in transit, not storage encryption.

Option B is wrong because AWS CloudHSM is not used directly by RDS for storage encryption (it can back a KMS custom key store, but RDS still integrates through KMS). Option C is wrong because IAM controls who may call the RDS and KMS APIs; it does not encrypt anything.

159
Multi-Select · medium

Match each AWS service with its primary security compliance function. (Drag each service to its correct function.) (Choose 4.)

Select 4 answers
A. AWS CloudTrail -> Detect unauthorized API calls
B. AWS Config -> Monitor resource configuration changes
C. Amazon GuardDuty -> Identify malicious activity
D. Amazon Macie -> Discover sensitive data in S3
Answers: A, B, C, D

CloudTrail logs all API calls and can be used to detect unauthorized or unusual activity.

Why this answer

AWS CloudTrail is the service that records API activity in your AWS account, including both management and data events. By enabling CloudTrail, you can detect unauthorized API calls by analyzing the recorded events for actions that were not initiated by authorized users or services, such as an IAM user making a call from an unexpected IP address or using an unknown user agent.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail with AWS Config, thinking both are for monitoring configuration changes, but CloudTrail focuses on API activity logging while Config tracks resource configuration state changes.

How to eliminate wrong answers

Option A is correct because AWS CloudTrail specifically logs API calls and is used to detect unauthorized activity. Option B is correct because AWS Config continuously monitors and records changes to AWS resource configurations, enabling compliance auditing. Option C is correct because Amazon GuardDuty uses machine learning and threat intelligence to identify malicious activity such as unusual API calls or compromised instances.

Option D is correct because Amazon Macie uses machine learning and pattern matching to discover and protect sensitive data, such as personally identifiable information (PII), stored in Amazon S3 buckets.
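The CloudTrail row above says "detect unauthorized API calls", but CloudTrail only records; the detection logic is something the security team writes over the records. The following is an added example, not code from the original page or from AWS: a Python triage over constructed CloudTrail records covering the signatures named above (a console sign-in without MFA, an access key created for another user, a call from outside the approved address range) plus any root user activity. The 203.0.113.0/24 corporate range, the user names and the event IDs are assumed; the record field names (userIdentity, eventName, sourceIPAddress, additionalEventData.MFAUsed, requestParameters.userName) follow the CloudTrail record format.

```python
"""Triage CloudTrail records for a few unauthorized-activity signatures.
Added example with constructed records; the approved network range, user
names and event IDs are assumed, the field names follow the CloudTrail format."""
import ipaddress

APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range


def findings_for(record):
    """Return the list of findings (strings) for one CloudTrail record."""
    ident = record.get("userIdentity", {})
    actor = ident.get("userName") or ident.get("type")
    event = record.get("eventName")
    found = []

    # 1. Successful console login where additionalEventData.MFAUsed is not "Yes"
    if (event == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        found.append(f"console login without MFA by {actor}")

    # 2. CreateAccessKey whose requestParameters.userName is somebody else
    if event == "CreateAccessKey":
        target = (record.get("requestParameters") or {}).get("userName", actor)
        if target != actor:
            found.append(f"{actor} created an access key for {target}")

    # 3. Source address outside the approved ranges. Service-originated records carry
    #    a service name (e.g. "config.amazonaws.com") instead of an IP and are skipped.
    try:
        source = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        source = None
    if source is not None and not any(source in net for net in APPROVED_NETWORKS):
        found.append(f"{event} by {actor} from unapproved address {source}")

    # 4. Any root user activity deserves a ticket
    if ident.get("type") == "Root":
        found.append(f"root user performed {event}")
    return found


def scan(records):
    """Return (eventID, finding) pairs for every record with at least one finding."""
    return [(r["eventID"], f) for r in records for f in findings_for(r)]


# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventID": "e3", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e4", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e5", "eventName": "DescribeTrails", "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_RECORDS):
        print(event_id, finding)
```

Run against the sample, records e1 to e4 each produce one finding and the service-originated e5 produces none. In production the same checks run over records delivered to CloudWatch Logs or queried with Athena; GuardDuty covers several of these patterns with its own finding types, and CloudTrail Insights covers call-volume anomalies, which this script does not attempt.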

160
MCQ · medium

An organization requires that all data in transit between EC2 instances and the internet be encrypted. Which AWS service can be used to enforce this requirement?

A. Use a network ACL to allow only port 443.
B. Use an Application Load Balancer (ALB) with a TLS listener.
C. Use a security group to allow only TLS traffic.
D. Use AWS Direct Connect to route all traffic.
Answer: B

A TLS listener on the ALB encrypts the internet-facing leg; an HTTPS target group is needed to encrypt the leg to the instances as well.

Why this answer

Option B is correct because an ALB with a TLS (HTTPS) listener terminates encrypted connections from clients and can redirect HTTP to HTTPS, making it the only option that actually makes traffic encrypted rather than merely filtered by port. Note that the ALB-to-instance hop is separate: to encrypt it too, configure the target group for HTTPS and install a certificate on the instances (see question 172). Option C is wrong because a security group filters by port and source; allowing only port 443 does not guarantee TLS is spoken on it and encrypts nothing. Option A is wrong for the same reason, and network ACLs are stateless, so allowing only 443 would also need ephemeral-port rules for the return traffic.

Option D is wrong because AWS Direct Connect is a private dedicated link between a data centre and AWS, not a path to the internet, and it does not encrypt traffic by itself.

161
MCQ · easy

A company requires that all access to the AWS Management Console be protected by multi-factor authentication (MFA). The SysOps administrator has enabled an IAM policy that denies all actions if the user does not authenticate with MFA. However, some users report they cannot list their own MFA devices. What is the MOST likely cause?

A. The policy denies the iam:ListMFADevices action without an MFA-authenticated session
B. The policy is applied to the root user only
C. Users are not using MFA-enabled access keys
D. The policy is not applied in the us-east-1 region
Answer: A

A deny-without-MFA policy must exempt the actions a user needs to enrol a device, iam:ListMFADevices among them, or users are locked out before they can turn MFA on.

Why this answer

Option A is correct because a statement that denies all actions when aws:MultiFactorAuthPresent is false (or absent) also denies iam:ListMFADevices, which the console needs in order to show the user's MFA section. The policy needs a separate Allow for the self-service actions (iam:ListMFADevices, iam:ListVirtualMFADevices, iam:CreateVirtualMFADevice, iam:EnableMFADevice, iam:GetUser) scoped to the user's own ARN, and the Deny should use NotAction to exclude those same actions. Option C is wrong because the symptom has nothing to do with access keys; the users cannot reach the page where MFA is set up.

Option B is wrong because IAM policies cannot be attached to the root user at all. Option D is wrong because IAM is a global service; its policies are not applied per region.

162
MCQ · hard

A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects in the bucket be encrypted at rest using AWS KMS. An administrator notices that some objects are not encrypted. What is the MOST efficient way to enforce encryption for future uploads?

A. Use an SCP to require KMS encryption for all S3 actions.
B. Use AWS Config to detect unencrypted objects and automatically encrypt them.
C. Add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header set to aws:kms.
D. Enable S3 default encryption on the bucket with KMS.
Answer: C

An explicit Deny in the bucket policy on s3:PutObject without the aws:kms header stops every unencrypted upload, whatever the caller's identity policy allows.

Why this answer

Option C is correct because a bucket policy Deny with StringNotEquals on s3:x-amz-server-side-encryption: aws:kms fires both when the header carries another value and when it is missing (negated operators match on an absent key), and an explicit deny overrides any allow. Option D is wrong because S3 default encryption only fills in a cipher when the request does not name one; a client that asks for SSE-S3 (AES256) still gets it, and the requirement is KMS specifically. Option A is wrong because an SCP is an organization-wide guardrail; it could carry the same condition, but it is the wrong scope for a single bucket and has no effect on principals outside the organization, whom the bucket policy does cover.

Option B is wrong because AWS Config detects non-compliance after the object already exists, and the question asks to enforce encryption for future uploads. One caveat: the Deny also blocks callers that rely on default encryption and send no header, AWS services among them (see question 164), so set the bucket default to SSE-KMS as well and test every service that writes to the bucket before rolling the policy out.

163
MCQ · easy

A company's security policy requires that all IAM user passwords must be at least 12 characters long. The SysOps administrator needs to enforce this requirement across the AWS account. Which action should the administrator take?

A. Create an AWS Config rule to check password length and auto-remediate.
B. Update the IAM account password policy to require a minimum length of 12 characters.
C. Enable AWS CloudTrail to monitor for password changes and alert the administrator.
D. Attach a service control policy (SCP) that denies IAM user creation if the password is less than 12 characters.
Answer: B

The IAM password policy is the native way to enforce password complexity requirements at the account level. When enabled, users must comply when creating or changing their passwords.

Why this answer

The IAM account password policy is the native AWS mechanism for enforcing password requirements across all IAM users in an account. By updating this policy to require a minimum length of 12 characters, the administrator ensures that any new or changed password must comply, and existing passwords are not affected until the next change. This is a direct, account-wide setting that requires no additional services or custom logic.

Exam trap

The trap here is that candidates confuse AWS Config (which can detect but not enforce password length at creation time) with the IAM password policy (which is the correct, built-in enforcement mechanism), or they mistakenly think SCPs can inspect password content when they only control API actions at a high level.

How to eliminate wrong answers

Option A is wrong because AWS Config can report whether the account's password policy meets a minimum length (the iam-password-policy managed rule), but it never sees passwords and cannot stop a user from choosing a short one; only the password policy itself is consulted when a password is set. Auto-remediation would simply rewrite the password policy, which is what option B does directly. Option C is wrong because CloudTrail logs API calls but does not enforce password requirements; it only provides auditing after the fact, and the password value never appears in the logs anyway. Option D is wrong because service control policies restrict which API actions an account may call; they cannot inspect password content, and creating an IAM user does not carry a password in the first place (the console password is set separately through the login profile).

164
MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team requires that all logs be encrypted at rest and stored in an S3 bucket that blocks public access. The SysOps administrator configures the bucket with default encryption (SSE-S3) and a bucket policy that denies all actions unless the request includes the x-amz-server-side-encryption header with value AES256. However, CloudTrail delivery fails. What is the MOST likely cause?

A. The bucket policy requires the x-amz-server-side-encryption header, but CloudTrail does not include this header
B. CloudTrail does not support SSE-S3 encryption
C. The bucket policy does not grant CloudTrail the s3:PutObject permission
D. The bucket has default encryption enabled, which conflicts with CloudTrail's encryption
Answer: A

CloudTrail's PutObject requests do not carry x-amz-server-side-encryption for SSE-S3, so a bucket policy that demands the header denies them.

Why this answer

Option A is correct because CloudTrail relies on the bucket's default encryption for SSE-S3 and does not send the x-amz-server-side-encryption header with its PutObject calls. The bucket policy denies any request without that header, so log delivery is rejected. Option D is wrong because CloudTrail delivers to buckets with default encryption routinely; there is no conflict.

Option C is wrong because CloudTrail must indeed be granted s3:PutObject (and s3:GetBucketAcl) in the bucket policy, but that grant is written when the trail is created and the failure appeared only after the header condition was added. Option B is wrong because SSE-S3 is what CloudTrail uses by default; SSE-KMS is supported as well when a key is configured on the trail. The fix is to drop the header condition and rely on default bucket encryption, which S3 applies to every new object, or to require SSE-KMS and configure the trail with that KMS key so its requests do carry the header.
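Questions 153, 155, 157, 161, 162 and 164 all turn on the same three rules of IAM policy evaluation: an explicit Deny wins over any Allow, a request that matches no Allow is implicitly denied, and a condition whose key is absent from the request context fails for positive operators (StringEquals, Bool) but succeeds for negated operators (StringNotEquals) and the ...IfExists variants. The following is an added example, not AWS's evaluator or code from the original page: a small Python model of those rules run over policies shaped like the ones in those questions. It deliberately ignores Principal matching, cross-account evaluation and the root user, so it reproduces the exam answers but not the fact that the root user of the bucket-owning account is never subject to an implicit deny; bucket name my-bucket, account 123456789012 and the object keys are illustrative.

```python
"""Tiny model of IAM policy evaluation (explicit Deny > Allow > implicit deny). Added
example, not AWS code: no Principal matching, no cross-account rules, no root user."""
import fnmatch


def _listify(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):  # Action/Resource wildcards; action names are case-insensitive
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_true(operator, key, want, ctx):
    """One operator/key pair of a Condition block against the request context."""
    if_exists = operator.endswith("IfExists")
    op = operator[:-len("IfExists")] if if_exists else operator
    if key not in ctx:
        # Missing key: positive operators fail; negated operators and ...IfExists succeed.
        # So a Deny with StringNotEquals catches an upload that omits the encryption header,
        # while a Deny on plain Bool aws:MultiFactorAuthPresent never fires for access keys.
        return if_exists or "Not" in op
    fold = op == "Bool"  # Bool compares case-insensitively; String operators do not
    have = str(ctx[key]).lower() if fold else str(ctx[key])
    wants = [str(w).lower() if fold else str(w) for w in _listify(want)]
    if op in ("StringEquals", "Bool"):
        return have in wants
    if op == "StringNotEquals":
        return have not in wants
    raise ValueError(f"operator {operator} is not modelled")


def _applies(stmt, action, resource, ctx):
    actions, not_actions = _listify(stmt.get("Action", [])), _listify(stmt.get("NotAction", []))
    if actions and not any(_glob(a, action) for a in actions):
        return False
    if not_actions and any(_glob(a, action) for a in not_actions):
        return False
    if not any(_glob(r, resource) for r in _listify(stmt.get("Resource", "*"))):
        return False
    return all(_condition_true(op, key, want, ctx)
               for op, pairs in stmt.get("Condition", {}).items() for key, want in pairs.items())


def evaluate(policies, action, resource, ctx=None):
    """Fold identity, resource and SCP statements into Allow / ExplicitDeny / ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in _listify(p["Statement"])):
        if _applies(stmt, action, resource, ctx or {}):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Question 153: run CloudFormation, never touch IAM.
DEVELOPER = {"Statement": [{"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
                           {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

# Questions 162 and 164: deny uploads unless the header names the required algorithm.
def require_sse(algorithm):
    return {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                           "Resource": "arn:aws:s3:::my-bucket/*",
                           "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": algorithm}}}]}

# Question 157: conditional Allow with no Deny, so a missing header leaves an implicit deny.
CONDITIONAL_ALLOW = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                    "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*",
                                    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}

# Questions 155 and 161: deny everything without MFA except the self-service actions needed
# to enrol a device; an empty exception list reproduces the lock-out in question 161.
def mfa_enforced(self_service):
    return {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                          {"Effect": "Deny", "NotAction": self_service, "Resource": "*",
                           "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

S3_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SELF_SERVICE = ["iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice", "iam:GetUser"]
OBJ = "arn:aws:s3:::my-bucket/report.csv"
TRAIL_OBJ = "arn:aws:s3:::my-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/x.json.gz"
KMS = {"s3:x-amz-server-side-encryption": "aws:kms"}
MFA = {"aws:MultiFactorAuthPresent": "true"}


def decisions():
    """Outcome of each scenario; the keys name the question each one illustrates."""
    return {
        "q153_create_stack": evaluate([DEVELOPER], "cloudformation:CreateStack", "*"),
        "q153_create_role": evaluate([DEVELOPER], "iam:CreateRole", "*"),
        "q157_no_header": evaluate([CONDITIONAL_ALLOW], "s3:PutObject", OBJ),
        "q157_kms_header": evaluate([CONDITIONAL_ALLOW], "s3:PutObject", OBJ, KMS),
        "q162_no_header": evaluate([S3_ADMIN, require_sse("aws:kms")], "s3:PutObject", OBJ),
        "q162_kms_header": evaluate([S3_ADMIN, require_sse("aws:kms")], "s3:PutObject", OBJ, KMS),
        "q164_cloudtrail_put": evaluate([S3_ADMIN, require_sse("AES256")], "s3:PutObject", TRAIL_OBJ),
        "q161_locked_out": evaluate([mfa_enforced([])], "iam:ListMFADevices", "*"),
        "q161_with_exception": evaluate([mfa_enforced(SELF_SERVICE)], "iam:ListMFADevices", "*"),
        "q161_mfa_session": evaluate([mfa_enforced(SELF_SERVICE)], "ec2:RunInstances", "*", MFA),
    }


if __name__ == "__main__":
    print(*decisions().items(), sep="\n")
```

decisions() returns one verdict per scenario: the developer's iam:CreateRole is an ExplicitDeny, the header-less upload under the conditional Allow is an ImplicitDeny, the header-less uploads under the Deny-with-StringNotEquals policies (the CloudTrail delivery of question 164 included) are ExplicitDeny, and iam:ListMFADevices is only allowed without MFA once it appears in the NotAction exception list. For real policies use the IAM policy simulator (iam:SimulatePrincipalPolicy), which models the full evaluation logic including resource policies, boundaries and SCPs.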

165
MCQ · medium

A company uses AWS Organizations to manage multiple AWS accounts. The security team requires that all Amazon S3 buckets in every account be encrypted at rest using AWS KMS customer managed keys. The SysOps administrator needs to enforce this requirement centrally without requiring changes in each account individually. Which approach should the administrator use?

A. Create an IAM policy in each account that denies creation of unencrypted S3 buckets
B. Configure an S3 bucket policy on each bucket to require encryption
C. Create a service control policy (SCP) in the management account that denies creation of S3 buckets without KMS encryption
D. Enable AWS Config rules in each account to detect and remediate non-compliant buckets
Answer: C

SCPs apply to all accounts in the organization and can deny actions that do not meet encryption requirements, enforcing compliance centrally.

Why this answer

Option C is correct because a service control policy (SCP) applied at the AWS Organizations management account can centrally deny the creation of S3 buckets that do not have AWS KMS encryption enabled, affecting all member accounts without requiring individual account changes. SCPs act as a permission guardrail that restricts what actions accounts can perform, even for account administrators, making them ideal for enforcing organization-wide security policies like mandatory KMS encryption on S3 bucket creation.

Exam trap

The trap here is that candidates often confuse detective controls like AWS Config rules (which alert or remediate after the fact) with preventive controls like SCPs (which block the action at the API level), leading them to choose a reactive solution instead of the correct proactive, centrally enforced SCP.

How to eliminate wrong answers

Option A is wrong because IAM policies are account-scoped and must be created and maintained in every account, and an administrator in that account can simply detach them; they cannot provide the central, tamper-resistant enforcement the question asks for. Option B is wrong because bucket policies are per bucket and only exist once the bucket does, so they cannot govern bucket creation across accounts. Option D is wrong because AWS Config rules run inside each account (even when results are aggregated) and are detective; they report or remediate after a non-compliant bucket exists rather than preventing it. Practitioner caveat: s3:CreateBucket carries no encryption condition key, so in practice the SCP is written against the actions that set or use encryption, for example a Deny on s3:PutBucketEncryption and s3:PutObject when s3:x-amz-server-side-encryption is not aws:kms, and is paired with a detective Config rule such as s3-default-encryption-kms.

166
MCQ · medium

A company wants to encrypt data at rest in an Amazon RDS for MySQL DB instance. Which solution meets this requirement with minimal administrative overhead?

A. Create a new encrypted DB instance and migrate the data.
B. Use application-level encryption to encrypt data before storing it in the DB.
C. Enable encryption on the existing DB instance by modifying the DB instance.
D. Store the data in an S3 bucket with encryption enabled and use RDS to access it.
Answer: A

RDS encryption is chosen at creation; an unencrypted instance is converted by taking a snapshot, copying it with encryption, and restoring.

Why this answer

Option A is correct because RDS encryption at rest can only be set when a DB instance is created and cannot be turned on afterwards; the supported path is to snapshot the instance, copy the snapshot with encryption enabled (choosing a KMS key), restore the copy as a new encrypted instance and repoint the application. Option C is wrong because modifying an existing unencrypted instance does not offer encryption. Option B is wrong because application-level encryption means key handling and query changes in the application, far more overhead than a snapshot copy.

Option D is wrong because RDS does not read its data from S3; moving the data there would no longer be a relational database.

167
MCQ · easy

A SysOps administrator needs to generate a report of all IAM users and their last activity. Which AWS service can provide this information?

A. AWS Config
B. IAM Credential Report
C. AWS Trusted Advisor
D. AWS CloudTrail
Answer: B

The IAM credential report lists every user with password and access key last-used timestamps.

Why this answer

Option B is correct because the IAM credential report (generated with iam:GenerateCredentialReport and downloaded as CSV) lists every IAM user with password_last_used, access_key_1_last_used_date, MFA status and more in one document. Option D is wrong because CloudTrail records individual API calls; reconstructing last activity per user from it means querying months of logs. Option C is wrong because Trusted Advisor flags unused credentials as a check result, not as a per-user activity report.

Option A is wrong because AWS Config tracks resource configuration changes, not when a user last signed in. For last-used data per service rather than per user, the companion tools are the Access Advisor tab in the IAM console and iam:GenerateServiceLastAccessedDetails.

168
MCQ · hard

An organization has a requirement to prevent any IAM user from deleting an S3 bucket that contains critical data. The SysOps administrator needs to implement a preventive control that works even if the user has full administrative privileges. Which solution should the administrator implement?

A. Attach an IAM policy to the user that explicitly denies s3:Dele	teBucket.
B. Enable MFA Delete on the bucket.
C. Apply a service control policy (SCP) that denies s3:DeleteBucket for the account.
D. Add a bucket policy that denies s3:DeleteBucket for the user.
Answer: C

Only an SCP sits outside the account, so no administrator inside the account can remove it.

Why this answer

Option C is correct because an SCP attached to the account (or its OU) from the management account denies s3:DeleteBucket for every principal in that account, administrators included, and nobody inside the account can edit or detach it. Option A is wrong because, although an explicit Deny in an identity policy does override any Allow, a user with administrative privileges can detach or rewrite that policy. Option D is wrong for the same reason at the bucket level: an administrator can call s3:PutBucketPolicy or s3:DeleteBucketPolicy and remove the deny.

Option B is wrong because MFA Delete only guards changes to the bucket's versioning state and permanent deletion of object versions; s3:DeleteBucket is not covered (and a bucket cannot be deleted until it is empty anyway). Note that SCPs do not apply to the management account, so the protected bucket must live in a member account.

169
MCQ · easy

A company wants to securely store database credentials used by an application running on Amazon EC2. Which AWS service should be used to rotate and manage access to these secrets?

A. AWS Identity and Access Management (IAM)
B. AWS Key Management Service (KMS)
C. AWS Secrets Manager
D. AWS Systems Manager Parameter Store
Answer: C

Secrets Manager is designed to securely store secrets and automatically rotate them, meeting the requirement.

Why this answer

AWS Secrets Manager provides automatic rotation of secrets, while Systems Manager Parameter Store does not offer native rotation. KMS is for encryption keys, not secrets. IAM is for access management, not secret storage.

170
MCQ · easy

A company wants to provide temporary credentials to an application running on an on-premises server so it can access AWS resources. The credentials must be rotated automatically. Which IAM feature should be used?

A. Use an EC2 instance profile and attach it to the on-premises server.
B. Configure a SAML 2.0 identity provider and federate the application.
C. Create an IAM user with programmatic access and share the access key.
D. Use IAM Roles Anywhere with a certificate authority to issue temporary credentials.
Answer: D

IAM Roles Anywhere exchanges an X.509 certificate from a trusted CA for short-lived role credentials.

Why this answer

Option D is correct because IAM Roles Anywhere lets a workload outside AWS authenticate with an X.509 certificate issued by a CA you trust (AWS Private CA or your own), registered as a trust anchor, and receive temporary credentials for an IAM role through a profile; the credentials expire and are refreshed by the credential helper, so nothing long-lived sits on the server. Option C is wrong because an IAM user's access key is a long-term credential that must be rotated by hand and can be copied off the server. Option A is wrong because instance profiles are delivered through the EC2 instance metadata service and cannot be attached to an on-premises machine.

Option B is wrong because SAML 2.0 federation is for human users signing in through an identity provider, not for unattended workloads.

171
Multi-Select · hard

A company is using AWS Organizations and wants to delegate administration of a specific member account to a user in the management account. Which TWO steps are required?

Select 2 answers
A. Create an IAM user in the member account with the same name as the management account user.
B. Grant the user in the management account permissions to assume the role in the member account.
C. Enable AWS Single Sign-On (SSO) for the member account.
D. Create a service control policy (SCP) that allows the member account to be administered.
E. Create an IAM role in the member account with a trust policy that allows the management account to assume it.
Answers: B, E

A cross-account role needs a trust policy on the member side and sts:AssumeRole permission on the management side.

Why this answer

Correct options: B and E. Option E is correct because the member account must hold an IAM role whose trust policy names the management account (or, better, the specific user or role ARN) as a principal allowed to call sts:AssumeRole. Option B is correct because the trust policy alone is not enough: the user in the management account also needs an identity policy allowing sts:AssumeRole on that role's ARN. Either half on its own results in AccessDenied.

Option D is wrong because SCPs only restrict permissions and never grant them. Option C is wrong because AWS SSO (now IAM Identity Center) is one way to deliver this pattern, but plain IAM roles suffice. Option A is wrong because IAM users are scoped to a single account; a user with the same name in another account is an unrelated identity. Note that the management account does not automatically have access to member account resources; what exists by default is the OrganizationAccountAccessRole in accounts created through Organizations, which is itself just an instance of this role-plus-trust-policy pattern.

172
MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive user data in an S3 bucket. The security team requires that traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The SysOps administrator needs to implement the required security controls. Which solution should the administrator implement?

A. Use an AWS Global Accelerator to route traffic to the instances and enable encryption.
B. Create a network ACL that allows inbound HTTPS traffic from the ALB subnet and outbound HTTPS responses. Use AWS Certificate Manager to install a certificate on the instances.
C. Enable S3 VPC endpoint and configure the ALB to forward traffic to the instance via the endpoint.
D. Configure the target group to use HTTPS protocol, install a TLS certificate on the EC2 instances, and update the security group on the instances to allow inbound traffic only from the ALB's security group.
Answer: D

An HTTPS target group encrypts the ALB-to-instance hop; a security group rule that references the ALB's security group restricts the source.

Why this answer

Option D is correct because switching the target group protocol to HTTPS makes the ALB open a TLS connection to each instance (the instance needs a certificate, which may be self-signed because the ALB does not validate it), and a security group inbound rule whose source is the ALB's security group ID admits only traffic from the load balancer nodes. Option B is wrong because network ACLs are stateless subnet filters that would also need ephemeral-port return rules and cannot reference a security group, and ACM deploys certificates to integrated services such as the ALB rather than installing them on EC2 instances. Option C is wrong because an S3 gateway endpoint governs the path from the VPC to S3 and has nothing to do with the ALB-to-instance connection.

Option A is wrong because Global Accelerator improves routing from the internet to the ALB; it does not encrypt or restrict the hop from the ALB to the instances.

173
Multi-Select · hard

Which THREE steps are required to enable AWS CloudTrail log file integrity validation? (Choose three.)

Select 3 answers
A. Enable CloudTrail to log management events and data events for all resources.
B. Ensure that the S3 bucket for CloudTrail logs has the appropriate bucket policy to allow CloudTrail to write digest files.
C. Create a customer-managed KMS key to encrypt the digest files.
D. Create a new CloudTrail trail or update an existing one to enable log file integrity validation.
E. Configure CloudTrail to deliver logs to CloudWatch Logs for real-time analysis.
Answers: A, B, D

The trail must be actively delivering log files, or there is nothing for the digests to cover.

Why this answer

Option A is correct in the sense that the trail must be logging: integrity validation works by delivering an hourly digest file that carries a SHA-256 hash for every log file delivered in that hour, signed and chained to the previous digest. No events means no log files and no digests. (Logging management events is the real prerequisite; data events for all resources are not needed for validation, although the option bundles them.) Option B is correct because digest files are written to the same bucket under a separate AWSLogs/<account>/CloudTrail-Digest/ prefix, so the bucket policy must let CloudTrail put objects there. Option D is correct because validation is a property of the trail, turned on at creation or afterwards with update-trail --enable-log-file-validation. Option C is wrong because digests are signed with an RSA key pair that CloudTrail manages, not with a KMS key. Option E is wrong because CloudWatch Logs delivery serves real-time analysis and has no bearing on the integrity of the copies in S3.

Exam trap

The trap here is that candidates often confuse encryption (KMS) with integrity validation (hashing), assuming that enabling encryption is a required step for integrity, when in fact CloudTrail handles digest file signing and hashing independently of any KMS encryption settings.
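What validation actually checks is worth seeing, since it explains why KMS plays no part. Each hourly digest lists the log files delivered in that hour with a SHA-256 hash of each, and names the previous digest together with its hash, so the digests form a chain; the digest itself is signed with an RSA key pair that CloudTrail manages. The following is an added example, not CloudTrail's own validator (aws cloudtrail validate-logs) and not code from the original page: it recomputes the log-file hashes and the previous-digest link for a hand-built digest and reports where tampering shows. It assumes hashValue is the SHA-256 of the decompressed log file content, reads only the digest fields it needs, and does not verify the RSA signature, which requires the public key returned by cloudtrail:ListPublicKeys; the bucket, account, key names and log record are constructed.

```python
"""Recompute the hashes behind CloudTrail log file integrity validation.
Added example with a hand-built digest; it assumes hashValue is the SHA-256 of
the decompressed log file content and does not check the RSA signature."""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest, log_objects, previous_digest_bytes=None):
    """Return a list of problems; an empty list means every hash matched.
    log_objects maps an S3 key to the (decompressed) bytes of that log file."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = log_objects.get(key)
        if body is None:
            problems.append(f"missing log file {key}")
        elif entry.get("hashAlgorithm") != "SHA-256":
            problems.append(f"unexpected hash algorithm for {key}")
        elif sha256_hex(body) != entry["hashValue"]:
            problems.append(f"hash mismatch for {key}: log file modified or replaced")
    # The chain link: the current digest records the hash of the previous digest file.
    if (previous_digest_bytes is not None
            and sha256_hex(previous_digest_bytes) != digest["previousDigestHashValue"]):
        problems.append("previous digest hash mismatch: chain broken")
    return problems


# Constructed data: one log file, the previous digest, and the current digest.
ACCOUNT = "123456789012"
LOG_KEY = (f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/"
           f"{ACCOUNT}_CloudTrail_us-east-1_20240501T0000Z_a1b2.json")
LOG_BODY = json.dumps({"Records": [
    {"eventName": "CreateAccessKey", "eventTime": "2024-05-01T00:12:03Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}}]}).encode()
PREVIOUS_DIGEST = json.dumps({"awsAccountId": ACCOUNT, "logFiles": []}).encode()

DIGEST = {
    "awsAccountId": ACCOUNT,
    "digestStartTime": "2024-05-01T00:00:00Z",
    "digestEndTime": "2024-05-01T01:00:00Z",
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "logFiles": [{"s3Bucket": "my-trail-bucket", "s3Object": LOG_KEY,
                  "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_BODY)}],
}


def intact():
    """Everything as delivered: no problems."""
    return verify_digest(DIGEST, {LOG_KEY: LOG_BODY}, PREVIOUS_DIGEST)


def tampered():
    """An attacker rewrites the log file to hide alice and swaps the previous digest."""
    edited = LOG_BODY.replace(b"alice", b"nobody")
    return verify_digest(DIGEST, {LOG_KEY: edited}, b"{}")


if __name__ == "__main__":
    print("intact:", intact() or "ok")
    print("tampered:", tampered())
```

tampered() reports the edited log file and the broken chain as two separate problems. Hashes detect modification, not deletion: an attacker with write access to the bucket can still remove log files and digests outright, which is why validation is combined with a bucket policy that denies deletes, MFA Delete or S3 Object Lock on the log bucket.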

174
Multi-Select · hard

A SysOps administrator needs to ensure that an Amazon RDS for MySQL database is compliant with PCI DSS requirements. Which THREE configurations should be implemented?

Select 3 answers
A. Enable Multi-AZ deployment for high availability.
B. Require SSL/TLS connections to the database.
C. Configure automated backups with a retention period of 30 days.
D. Enable RDS audit logging to capture database activities.
E. Enable encryption at rest using AWS KMS.
Answers: B, D, E

PCI DSS requires cardholder data to be protected at rest and in transit and all access to it to be logged.

Why this answer

Options B, D, and E are correct. Encryption at rest with a KMS key, encryption in transit by requiring SSL/TLS (for RDS for MySQL, require_secure_transport=ON in the parameter group, with certificate verification on the client side), and audit logging of database activity (the MARIADB_AUDIT_PLUGIN option for RDS for MySQL, exported to CloudWatch Logs) map to the PCI DSS requirements on protecting stored data, encrypting transmission and tracking access. Option A is wrong because Multi-AZ is for availability, not security.

Option C is wrong because backups serve recovery objectives; a retention period is not a PCI DSS control for the data in the database.

175
MCQ · hard

A company manages multiple AWS accounts under AWS Organizations. The security team requires that all Amazon S3 buckets in the organization must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect any bucket that is not compliant and remediate it by enabling SSE-KMS. Which AWS feature or service should be used to implement this automated compliance enforcement?

A. AWS Config with the s3-bucket-server-side-encryption-enabled managed rule and automatic remediation using an AWS Systems Manager Automation document.
B. AWS CloudTrail to log bucket creation events and trigger an AWS Lambda function that applies SSE-KMS.
C. Amazon Inspector to scan S3 buckets for encryption compliance and automatically apply SSE-KMS.
D. AWS Trusted Advisor to check S3 bucket encryption and send notifications but not auto-remediate.
Answer: A

Correct. AWS Config evaluates compliance, and automatic remediation can apply a Systems Manager Automation document that enables SSE-KMS on the bucket.

Why this answer

AWS Config's `s3-bucket-server-side-encryption-enabled` managed rule evaluates whether each bucket has default encryption configured. When a non-compliant bucket is detected, AWS Config can run an AWS Systems Manager Automation document as a remediation action (the AWS-EnableS3BucketEncryption document takes the bucket name, an SSEAlgorithm of aws:kms and the key to use), giving policy-driven enforcement without manual intervention. Across an organization, the rule and its remediation are deployed as a conformance pack from the delegated administrator account and reviewed through a Config aggregator. Two caveats: S3 now applies SSE-S3 to every new object by default, so this rule also reports SSE-S3 buckets as compliant; to check specifically for SSE-KMS use the s3-default-encryption-kms managed rule. And bucket default encryption governs new uploads only; objects already stored under another setting stay as they are until rewritten.

Exam trap

The trap here is that candidates may confuse AWS Config's evaluation and remediation capabilities with CloudTrail's logging or Trusted Advisor's advisory-only checks, failing to recognize that only AWS Config provides native automated remediation through Systems Manager Automation documents.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail logs API calls but does not evaluate compliance or trigger remediation directly; while you could build a custom solution using Lambda, it is not a native automated compliance enforcement feature. Option C is wrong because Amazon Inspector is designed for vulnerability management and network assessments of EC2 instances and containers, not for S3 bucket encryption compliance. Option D is wrong because AWS Trusted Advisor can check encryption settings and send notifications, but it cannot automatically remediate non-compliant resources.

176
Multi-Selecthard

A company uses AWS KMS to encrypt EBS volumes. Which TWO statements about using KMS with EBS are correct? (Choose two.)

Select 2 answers
A.You can import key material for EBS encryption
B.AWS managed KMS keys are automatically rotated each year
C.EBS can use either customer managed or AWS managed KMS keys
D.EBS supports asymmetric KMS keys
E.You must specify a KMS key when creating a snapshot
AnswersB, C

AWS managed keys are rotated annually.

Why this answer

EBS can use both customer managed and AWS managed KMS keys (Option C), and AWS managed keys are automatically rotated (Option B). Options B and C are correct.

Option D is wrong because EBS does not support asymmetric KMS keys. Option E is wrong because you cannot specify a KMS key when creating a snapshot; the snapshot is encrypted with the key of its source volume. Option A is wrong because EBS does not support importing key material.

177
MCQeasy

A company's security policy requires that all IAM users must change their passwords every 90 days. The SysOps administrator needs to enforce this requirement. Which IAM setting should the administrator configure?

A.IAM password policy
B.IAM user permissions boundary
C.IAM role trust policy
D.IAM group policy
AnswerA

The IAM account password policy allows you to set password expiration, requiring users to change their passwords every 90 days.

Why this answer

The IAM password policy is the correct setting because it allows the SysOps administrator to define password rotation requirements, such as a mandatory password change every 90 days. This policy is applied at the account level and enforces the security requirement for all IAM users, ensuring compliance without needing to modify individual user permissions.

Exam trap

The trap here is that candidates may confuse IAM password policy with IAM user permissions or group policies, thinking that password rotation can be enforced through permission boundaries or role trust policies, which are unrelated to authentication settings.

How to eliminate wrong answers

Option B is wrong because an IAM user permissions boundary defines the maximum permissions a user can have, but it does not control password rotation or expiration settings. Option C is wrong because an IAM role trust policy defines which entities (users or services) can assume the role, not password policies for IAM users. Option D is wrong because an IAM group policy grants permissions to a group of users but does not enforce password expiration or rotation requirements.

178
MCQmedium

A company has an AWS account that contains multiple Amazon S3 buckets with sensitive data. A SysOps administrator needs to ensure that all S3 buckets in the account have versioning enabled to protect against accidental deletions. The administrator wants to automatically remediate any bucket that is created without versioning enabled. Which solution should be used?

A.Use AWS Config with a managed rule (s3-bucket-versioning-enabled) and an automatic remediation action that uses an AWS Systems Manager Automation document to enable versioning
B.Use Amazon CloudWatch Events to detect CreateBucket API calls and trigger an AWS Lambda function to enable versioning
C.Use AWS CloudTrail to monitor CreateBucket events and send an alert to the SysOps administrator for manual action
D.Use AWS Service Catalog to enforce versioning on all buckets provisioned through it
AnswerA

AWS Config evaluates resources against the rule. When a noncompliant bucket is detected (whether newly created or changed), the automatic remediation using Systems Manager Automation enables versioning on the bucket, ensuring continuous compliance.

Why this answer

AWS Config with the managed rule `s3-bucket-versioning-enabled` continuously evaluates S3 buckets against the desired configuration. When a noncompliant bucket is detected, an automatic remediation action can be configured to invoke an AWS Systems Manager Automation document that enables versioning on the bucket. This provides a fully automated, event-driven remediation without manual intervention, ensuring all buckets—including those created outside of AWS Config's initial evaluation—are brought into compliance.

Exam trap

The trap here is that candidates often choose CloudWatch Events + Lambda (Option B) thinking it provides real-time remediation, but they overlook that it only catches new buckets and fails to remediate existing noncompliant buckets or buckets that have versioning disabled after creation, whereas AWS Config provides continuous compliance monitoring and automatic remediation for both new and existing resources.

How to eliminate wrong answers

Option B is wrong because Amazon CloudWatch Events (now Amazon EventBridge) can detect `CreateBucket` API calls, but triggering a Lambda function to enable versioning only remediates buckets at creation time; it does not detect or fix buckets that were created before the rule was enabled or buckets that have versioning disabled after creation. Option C is wrong because AWS CloudTrail monitoring and sending an alert requires manual action by the SysOps administrator, which is not an automatic remediation and does not meet the requirement to automatically remediate. Option D is wrong because AWS Service Catalog only enforces versioning on buckets provisioned through it; buckets created directly via the S3 console, CLI, or SDK bypass Service Catalog and remain noncompliant.

179
MCQmedium

Refer to the exhibit. An IAM user has this policy attached. What is the effect when the user attempts to get an object from my-bucket from an IP address in the range 198.51.100.0/24?

A.Allowed because the Deny condition does not match
B.Denied because there is no explicit Allow for that IP range
C.Allowed because there is an Allow statement
D.Denied because the Deny statement applies
AnswerD

The Deny statement explicitly denies access from IPs not in the range.

Why this answer

The policy has an Allow statement that grants s3:GetObject only from IP range 192.0.2.0/24. It also has a Deny statement that denies s3:GetObject from any IP not in that range (via NotIpAddress). Since the request comes from 198.51.100.0/24, which is not in the allowed range, the Deny statement applies and overrides any Allow.

The request will be denied, so Option D is correct. Option A is wrong because the Deny condition does match: NotIpAddress evaluates to true for any source outside 192.0.2.0/24.

Option B is wrong because the denial comes from the explicit Deny statement, not merely from the absence of an Allow. Option C is wrong because the Allow applies only to 192.0.2.0/24, and an explicit Deny overrides an Allow in any case.

180
MCQeasy

A company requires that all data stored in Amazon S3 be encrypted at rest. Which S3 feature should be enabled to meet this requirement without changing the application code?

A.Use an S3 bucket policy to deny unencrypted uploads.
B.Enable default encryption on the S3 bucket.
C.Enable S3 Object Lock.
D.Use client-side encryption.
AnswerB

Automatically encrypts objects on PUT.

Why this answer

Option B is correct because default encryption automatically encrypts every new object on PUT, with no change to application code. Option A is wrong because a bucket policy that denies unencrypted uploads only rejects requests; it does not encrypt anything, and the application would have to be changed to send the encryption header. Option D is wrong because client-side encryption requires changing the application to encrypt data before upload.

Option C is wrong because S3 Object Lock enforces write-once retention, not encryption.

181
MCQmedium

The CISO asks for a centralized dashboard showing security findings from GuardDuty, Macie, Inspector, and Firewall Manager across 30 AWS accounts. Findings must be normalized into a single format so they can be prioritized by severity without switching between services. Which AWS service provides this capability?

A.Enable AWS Security Hub with an administrator account in the organization; integrate GuardDuty, Macie, Inspector, and Firewall Manager as finding providers
B.Deploy a custom Lambda function that polls each service's API and writes findings to a DynamoDB table for a custom dashboard
C.Enable Amazon Detective to investigate and correlate security findings across all accounts
D.Configure AWS Config conformance packs to evaluate security compliance checks across all accounts and report to an aggregator account
AnswerA

Security Hub's organization integration automatically enables member accounts and routes their findings to the designated administrator account. All findings — regardless of source service — are normalized to ASFF with a consistent severity schema. The security team sees one consolidated dashboard instead of five separate consoles.

Why this answer

AWS Security Hub is designed to aggregate, normalize, and prioritize security findings from multiple AWS services (GuardDuty, Macie, Inspector, Firewall Manager) and third-party tools across accounts. By designating an administrator account in AWS Organizations, you can centrally view all findings in a single dashboard, with a standardized findings format (AWS Security Finding Format, ASFF) that includes severity, resource, and remediation fields. This directly meets the CISO's requirement for a centralized, normalized, severity-prioritized view without switching between services.

Exam trap

The trap here is that candidates often confuse Amazon Detective (a visualization/investigation tool) with Security Hub (a centralized finding aggregation and prioritization service), or they assume a custom Lambda solution is acceptable despite the exam's emphasis on managed, scalable services that reduce operational burden.

How to eliminate wrong answers

Option B is wrong because deploying a custom Lambda function to poll APIs and write to DynamoDB is a manual, brittle approach that does not provide the native normalization, cross-account aggregation, or built-in severity prioritization that Security Hub offers out of the box; it also introduces operational overhead and potential latency. Option C is wrong because Amazon Detective is a service for investigating and visualizing security data (e.g., VPC Flow Logs, GuardDuty findings) but it does not aggregate findings from multiple services into a single normalized dashboard for prioritization; it focuses on root-cause analysis after an alert. Option D is wrong because AWS Config conformance packs evaluate resource compliance against rules (e.g., PCI DSS, CIS benchmarks) and report compliance status, but they do not ingest or normalize security findings from GuardDuty, Macie, Inspector, or Firewall Manager; they are for configuration compliance, not security finding aggregation.

182
MCQmedium

Refer to the exhibit. A SysOps administrator runs the AWS CLI command to check the event selectors for a CloudTrail trail. What does the output indicate?

A.The trail logs all management events.
B.The trail logs both management and data events.
C.The trail logs all data events.
D.The trail logs only write management events.
AnswerA

IncludeManagementEvents true and ReadWriteType All.

Why this answer

Option A is correct because the output shows IncludeManagementEvents true and ReadWriteType All, so all management events are logged. Option B is wrong because no data events are logged (DataResources is empty). Option C is wrong for the same reason.

Option D is wrong because ReadWriteType All means both read and write management events are logged, not only writes.

183
Multi-Selecteasy

Which TWO services can be used to centrally manage cryptographic keys for AWS services? (Choose two.)

Select 2 answers
A.AWS CloudHSM
B.AWS Certificate Manager (ACM)
C.AWS Identity and Access Management (IAM)
D.AWS Key Management Service (KMS)
E.AWS Secrets Manager
AnswersA, D

Hardware security module for key management.

Why this answer

Option D is correct because AWS KMS is the managed key service. Option A is correct because AWS CloudHSM provides hardware-based key management. Option B is wrong because ACM manages certificates, not keys.

Option C is wrong because IAM manages identities. Option E is wrong because Secrets Manager manages secrets, not cryptographic keys.

184
MCQeasy

A company wants to monitor for unauthorized API calls in their AWS account. Which AWS service should they use?

A.Amazon CloudWatch
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerC

CloudTrail logs all API activity for governance and auditing.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in an AWS account, including the identity, source IP, and timestamp of each call. This enables monitoring for unauthorized API activity by analyzing the logs for suspicious patterns or unexpected actions. CloudTrail is specifically designed for auditing API usage, unlike other services that focus on resource configuration or threat detection.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks resource configuration changes) with CloudTrail (which tracks API calls), leading them to select Config when the question specifically asks about monitoring API calls rather than resource state.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it does not natively capture or record API calls; it can only consume CloudTrail logs if configured. Option B is wrong because AWS Config evaluates and records resource configuration changes and compliance, not API calls; it focuses on resource state, not the actions that changed them. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for malicious activity, but it does not directly provide the raw API call history needed for monitoring unauthorized calls; it relies on CloudTrail as a data source.

185
MCQeasy

A company has an AWS account with several IAM users. The SysOps administrator needs to ensure that all users are required to use multi-factor authentication (MFA) to access the AWS Management Console. The administrator has enabled MFA for each user and created an IAM policy that denies all actions unless MFA is present. However, some users report that they can still access the console without MFA. What is the most likely reason?

A.The users are using the root account credentials.
B.The policy is attached to a group instead of the users.
C.The condition key in the policy is incorrect; it should be 'aws:MultiFactorAuthPresent' set to 'true'.
D.The password policy does not require MFA.
AnswerC

The condition key must be correctly specified.

Why this answer

Option C is correct because the policy must use the condition key 'aws:MultiFactorAuthPresent' with a Bool condition. If the condition key is misspelled or not included, the policy does not enforce MFA. Option B is wrong because a policy attached to a group applies to every user in that group, so attaching it to the group rather than to individual users would not bypass it.

Option A is wrong because the root user is not an IAM user. Option D is wrong because the password policy does not enforce MFA.

186
MCQeasy

A company uses AWS Config to track resource changes. The security team wants to receive notifications whenever an IAM policy is changed. Which AWS service should be used with AWS Config to send notifications?

A.Amazon CloudWatch Logs
B.Amazon Simple Queue Service (SQS)
C.AWS CloudTrail
D.Amazon Simple Notification Service (SNS)
AnswerD

AWS Config can publish notifications to SNS.

Why this answer

Option D is correct because AWS Config can send configuration change notifications to Amazon SNS, which can then trigger emails or other notifications. Option A is incorrect because CloudWatch Logs is for log data, not notifications. Option C is incorrect because CloudTrail is for API activity, not configuration changes.

Option B is incorrect because SQS is a queue, not a notification service.

187
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. Which statement about the user's access is correct?

A.The user can get objects over HTTP.
B.The user can list objects in the bucket over HTTP.
C.The user can list objects only over HTTPS.
D.The user can get objects only over HTTPS.
AnswerD

GetObject requires SecureTransport true.

Why this answer

Option D is correct because the GetObject action requires HTTPS (SecureTransport true). Option A is wrong because that same condition denies GetObject over HTTP.

Option C is wrong because the condition applies to GetObject only; ListBucket carries no SecureTransport condition, so listing is not restricted to HTTPS.

188
MCQmedium

A company's security policy requires that all Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled. The SysOps administrator needs to automatically detect any existing or new S3 bucket that does not have SSE-KMS enabled and automatically apply the encryption configuration. The solution must use managed AWS services with minimal custom code. Which combination of AWS services should be used?

A.Use AWS Config with a custom rule backed by an AWS Lambda function that checks if 'x-amz-server-side-encryption' is 'aws:kms' and auto-remediates by attaching a bucket policy that denies PUTs without SSE-KMS.
B.Enable default encryption on the AWS account's S3 buckets using an S3 account-level setting in the S3 console, which automatically applies SSE-KMS to all new buckets.
C.Create an AWS CloudTrail event that triggers an AWS Lambda function when a bucket is created, and the Lambda applies SSE-KMS encryption. Use AWS Config to periodically scan existing buckets and apply encryption.
D.Use AWS Identity and Access Management (IAM) with a Service Control Policy (SCP) that denies any S3 bucket creation without SSE-KMS enabled, and use AWS Config to detect and notify on non-compliance.
AnswerA

This uses AWS Config for detection and Lambda for remediation, which is a standard pattern. Bucket policy approach prevents future unencrypted uploads but does not encrypt existing objects; however, the requirement is to apply encryption configuration, which can be done via put-bucket-encryption API. The Lambda can call that API. This is a valid solution with managed services and minimal custom code (only the Lambda).

Why this answer

Option A is correct because it uses AWS Config with a custom Lambda-backed rule to detect non-compliant S3 buckets (those missing SSE-KMS) and auto-remediate by attaching a bucket policy that denies PUT requests without the 'x-amz-server-side-encryption: aws:kms' header. This satisfies the requirement for minimal custom code (only the Lambda function) and uses managed AWS services (AWS Config, Lambda, S3) to automatically detect and fix both existing and new buckets.

Exam trap

The trap here is that candidates often confuse S3 default encryption settings (which apply to objects, not buckets) with bucket policies or AWS Config rules, leading them to choose Option B or D, which cannot automatically remediate existing non-compliant buckets.

How to eliminate wrong answers

Option B is wrong because S3 account-level default encryption settings apply only to new objects uploaded to existing buckets, not to new buckets themselves, and cannot retroactively enforce encryption on existing buckets or detect non-compliant buckets. Option C is wrong because it requires creating a CloudTrail event trigger and a separate AWS Config periodic scan, which introduces more custom code and complexity than necessary, and the CloudTrail approach only catches bucket creation events, not modifications to existing buckets. Option D is wrong because IAM Service Control Policies (SCPs) can only deny bucket creation based on tags or conditions at creation time, but they cannot detect or remediate existing buckets that lack SSE-KMS, and AWS Config alone without a remediation action cannot automatically apply encryption.

189
MCQhard

A company's security policy requires that all Amazon S3 buckets must be non-publicly accessible. The SysOps administrator needs to automatically detect any bucket that becomes publicly accessible and automatically remediate it by applying a bucket policy that blocks public access. The solution should use AWS managed services with minimal custom code. Which combination of services should be used?

A.AWS IAM Access Analyzer with Amazon EventBridge
B.AWS Config with managed rule and automatic remediation via SSM Automation
C.AWS CloudTrail and AWS Lambda
D.AWS Trusted Advisor and Amazon SNS
AnswerB

Evaluates compliance and automatically applies remediation using managed automation.

Why this answer

AWS Config with a managed rule (e.g., s3-bucket-public-read-prohibited or s3-bucket-public-write-prohibited) can continuously evaluate S3 bucket configurations against the security policy. When a bucket becomes publicly accessible, AWS Config triggers an automatic remediation action using an SSM Automation document that applies a bucket policy to block public access, all without custom code.

Exam trap

The trap here is that candidates often choose AWS IAM Access Analyzer (Option A) because it detects public access, but they overlook that it lacks built-in automatic remediation, requiring additional services and custom code to achieve the full requirement.

How to eliminate wrong answers

Option A is wrong because AWS IAM Access Analyzer analyzes resource-based policies to identify external access, but it does not provide automatic remediation; it only generates findings and requires separate automation via EventBridge and custom logic. Option C is wrong because AWS CloudTrail records API calls but does not evaluate bucket configurations or trigger remediation; using Lambda would require custom code, violating the 'minimal custom code' requirement. Option D is wrong because AWS Trusted Advisor checks for publicly accessible S3 buckets but only provides recommendations and alerts via SNS; it cannot automatically remediate the issue.

190
MCQmedium

A SysOps administrator notices that an IAM user can access the AWS Management Console but cannot use the AWS CLI. The user has a password and an access key. What is the most likely cause?

A.The secret access key was not saved during creation
B.The user's access key is inactive
C.The user is using the wrong password for the CLI
D.The IAM policy denies CLI access unless MFA is present
AnswerD

A condition requiring MFA for CLI access would cause this issue.

Why this answer

If the user can access the console but not the CLI, it suggests that the IAM policy allows console access but denies CLI access. This could be due to a condition in the policy that checks for an MFA device. If the user has not configured an MFA device for CLI access but has for console, the CLI requests might be denied.

Option D is correct. Option B is wrong because if the access key were inactive, the user would not be able to make any CLI calls. Option A is wrong because the secret access key is not visible after creation, but that does not prevent use if the user has it.

Option C is wrong because the CLI does not use the console password.

191
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all S3 buckets across all accounts have encryption enabled. What is the most efficient way to enforce this policy?

A.Apply a service control policy (SCP) to the root organizational unit that denies S3 actions without encryption.
B.Configure an IAM role in the master account to enforce encryption via cross-account access.
C.Create an IAM policy in each account that denies s3:PutObject without encryption.
D.Use AWS CloudFormation StackSets to deploy a bucket policy to each account.
AnswerA

SCPs are used to centrally control permissions across all accounts in an organization.

Why this answer

Option A is correct because a service control policy (SCP) in AWS Organizations lets you centrally enforce permissions across all accounts. Option C is wrong because SCPs are the tool for this, not individual account policies. Option D is wrong because CloudFormation StackSets would require manual deployment of a policy to each account.

Option B is wrong because an IAM role does not enforce bucket encryption.

192
MCQmedium

A company has a single AWS account with multiple IAM users. The security team wants to ensure that no IAM user can create or modify VPC resources. The SysOps administrator creates a managed policy that denies ec2:CreateVpc, ec2:DeleteVpc, ec2:ModifyVpcAttribute, and similar actions. The policy is attached to all IAM users via a group. However, after a week, a user reports that they were able to create a VPC. The administrator checks CloudTrail and confirms that the user created the VPC. What is the most likely cause?

A.The user used the AWS Management Console, which does not enforce IAM policies.
B.The user had an inline policy that allowed ec2:CreateVpc, overriding the group policy.
C.The policy was attached to the user's group, but the user was not a member of that group.
D.The user created the VPC using AWS CloudFormation with a service role that had full EC2 access.
AnswerD

If the user had permissions to pass a role, CloudFormation could create resources using that role's permissions.

Why this answer

Option D is correct because AWS CloudFormation creates resources with the permissions of the service role passed to it, not with the user's own permissions. If the user was allowed to pass a role with full EC2 access, the stack could create the VPC even though the user's group policy denies ec2:CreateVpc directly.

Option A is wrong because the AWS Management Console enforces IAM policies exactly as the API does. Option B is wrong because an explicit Deny always overrides an Allow; an inline policy that allows ec2:CreateVpc cannot override the Deny in the group policy. Option C is wrong because the question states that the policy was attached to all IAM users via the group.

193
MCQmedium

A company wants to enforce that all Amazon S3 buckets in their AWS account are encrypted at rest. They have enabled AWS CloudTrail and want to automatically remediate any non-compliant bucket created by users. Which AWS service should they use to achieve this?

A.AWS Trusted Advisor
B.Amazon Inspector
C.AWS Config
D.AWS Service Catalog
AnswerC

AWS Config can evaluate S3 bucket encryption and trigger auto-remediation.

Why this answer

Option C is correct because AWS Config can evaluate resource configurations against rules and trigger automated remediation using Systems Manager Automation or Lambda. Option D is wrong because AWS Service Catalog is used for creating and managing approved IT services, not for monitoring or remediation. Option A is wrong because AWS Trusted Advisor provides best-practice checks but does not automate remediation.

Option B is wrong because Amazon Inspector is for vulnerability assessment, not S3 bucket encryption enforcement.

194
MCQhard

A company uses an IAM policy that allows s3:GetObject for a specific bucket. However, an IAM user is getting an Access Denied error when trying to download an object. The bucket policy also allows s3:GetObject for the user's account. What is the most likely cause?

A.The IAM policy does not include the s3:GetObjectVersion action.
B.The bucket policy has a Deny statement that applies to the user.
C.The object is encrypted with a customer-managed KMS key, and the user does not have kms:Decrypt permissions.
D.The user's account is part of an AWS Organization with an SCP that denies s3:GetObject.
AnswerB

An explicit Deny in the bucket policy overrides allows.

Why this answer

Option B is correct because an explicit Deny in the bucket policy overrides any Allow. Option A is wrong because both the IAM policy and the bucket policy already allow s3:GetObject, which is sufficient to download an object. Option C is wrong because KMS permissions are separate from the S3 policies in question.

Option D is wrong because SCPs apply to all accounts in the organization.

195
MCQmedium

An application running on Amazon EC2 needs to encrypt data before writing to Amazon S3. The encryption key must be rotated every 90 days and access to the key must be auditable. Which solution meets these requirements?

A.Use AWS KMS customer master key (CMK) with automatic rotation enabled and client-side encryption.
B.Use client-side encryption with a master key stored on the EC2 instance.
C.Use SSL/TLS to encrypt data in transit from EC2 to S3.
D.Use Amazon S3 server-side encryption with SSE-S3.
AnswerA

KMS provides key rotation and auditing via CloudTrail.

Why this answer

Option A is correct because AWS KMS provides managed keys with optional automatic rotation and integrates with CloudTrail for auditing. Option D is wrong because S3 server-side encryption with SSE-S3 does not allow customer-controlled key rotation. Option B is wrong because client-side encryption with a master key stored on the instance is not auditable and key rotation is manual.

Option C is wrong because SSL/TLS is for encryption in transit, not at rest.

196
MCQhard

A company has a legacy application that requires access to an S3 bucket using an IAM user's access keys. The security team wants to rotate the access keys every 90 days automatically. What is the MOST efficient way to achieve this?

A.Use AWS Lambda with a scheduled CloudWatch Events rule to rotate the keys.
B.Create a script that runs on an EC2 instance using cron to rotate the keys.
C.Store the access keys in AWS Secrets Manager and use automatic rotation.
D.Enable IAM access key rotation in the IAM console.
AnswerC

Secrets Manager supports automatic rotation of IAM keys.

Why this answer

Option C is correct because AWS Secrets Manager can automatically rotate IAM user access keys on a schedule. Option B is wrong because a script run from cron is manual, custom tooling rather than managed automatic rotation. Option A is wrong because Lambda can be used but requires custom code.

Option D is wrong because IAM does not natively rotate access keys automatically.

197
Multi-Selecteasy

A company uses AWS Shield Advanced to protect against DDoS attacks. Which of the following are benefits of AWS Shield Advanced? (Choose TWO.)

Select 2 answers
A.24/7 access to the DDoS Response Team (DRT)
B.Free for all AWS accounts
C.Integration with AWS WAF to create custom rules
D.Automatic scaling of resources during an attack
E.Enhanced DDoS protection for resources like EC2, ELB, CloudFront, and Route 53
AnswersA, E

Shield Advanced includes access to the DRT for assistance during attacks.

Why this answer

AWS Shield Advanced provides enhanced DDoS protection and access to the DDoS Response Team (DRT) (options A and E). Option B is wrong because Shield Advanced is not free; it has a cost. Option D is wrong because automatic scaling is not a direct benefit of Shield.

Option C is wrong because WAF is a separate service.

198
MCQhard

Refer to the exhibit. A SysOps administrator reviews the account password policy. Which of the following is true based on this output?

A.Passwords do not expire
B.Users cannot reuse their last 5 passwords
C.The maximum password age is 120 days
D.Users cannot change expired passwords
AnswerB

PasswordReusePrevention is 5.

Why this answer

The output shows MaxPasswordAge: 90 and ExpirePasswords: true, meaning passwords expire after 90 days. PasswordReusePrevention: 5 means users cannot reuse the last 5 passwords. Option B is correct.

Option A is wrong because password expiration is enabled (ExpirePasswords: true). Option C is wrong because MaxPasswordAge is 90 days. Option D is wrong because HardExpiry is false, meaning users can change expired passwords.

199
MCQhard

A SysOps administrator receives an alert that an IAM user's access key was used from an unexpected geographic location. What should the administrator do to prevent future unauthorized use?

A.Disable the IAM user's account immediately
B.Enable multi-factor authentication (MFA) for the IAM user
C.Delete the IAM user's access key and create a new one
D.Add a condition to the IAM user's policy that denies access from outside the expected region
AnswerD

Using a condition key like 'aws:SourceIp' or 'aws:RequestedRegion' in a deny statement can prevent access from unexpected locations.

Why this answer

The best practice is to use a conditional policy that denies access based on the user's source IP or geographic location. This can be attached to the IAM user or group. Simply deleting the key may not be sufficient if the user needs it; the underlying issue is lack of location-based restriction.

Disabling the account or rotating the key are reactive measures, not preventive.

200
MCQhard

A company has an S3 bucket that stores sensitive customer data. The security team requires that all objects uploaded to the bucket must be encrypted at rest using AWS KMS with a specific customer managed key. Which bucket policy condition should be used to enforce this?

A."Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
B."Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms", "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"}}
C."Condition": {"StringEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"}}
D."Condition": {"Null": {"s3:x-amz-server-side-encryption": "false"}}
AnswerB

Combines both conditions to enforce KMS encryption and the specific customer managed key, meeting the requirement.

Why this answer

The condition 's3:x-amz-server-side-encryption':'aws:kms' ensures KMS encryption is used, and 's3:x-amz-server-side-encryption-aws-kms-key-id' with the specific key ARN ensures only that key is used. Option A enforces KMS encryption but does not specify the key, so it allows any KMS key; Option C checks only the key ID; Option D is incorrect because it uses the 'Null' condition incorrectly; Option B correctly enforces both encryption and key.

201
MCQmedium

A company wants to ensure that only specific IAM roles within the same AWS account can encrypt and decrypt data using an AWS KMS customer managed key. Which type of policy must be configured to achieve this restriction?

A.IAM policy attached to the roles
B.KMS key policy
C.Service control policy (SCP)
D.Resource policy attached to the KMS key
AnswerB

KMS key policies are resource-based policies that define who can use the key. They are required to grant access to IAM roles.

Why this answer

A KMS key policy is the primary mechanism to control access to a customer managed key. By default, a KMS key policy must explicitly grant the necessary permissions (kms:Encrypt, kms:Decrypt) to IAM roles, and it can restrict those permissions to specific roles within the same account using the `aws:PrincipalArn` condition key. This ensures that only the designated IAM roles can encrypt and decrypt data with that key.

Exam trap

The trap here is that candidates often think an IAM policy alone is sufficient to grant KMS key access, but they forget that KMS key policies act as a resource-based policy that must explicitly allow the IAM principal, otherwise the IAM policy is ignored.

How to eliminate wrong answers

Option A is wrong because an IAM policy attached to the roles alone is insufficient; KMS requires a key policy that explicitly allows the IAM roles to use the key, and without such a key policy, the IAM policy has no effect (the key policy acts as a resource-based policy that must grant access). Option C is wrong because a Service Control Policy (SCP) is used in AWS Organizations to set permission boundaries across accounts, not to grant or deny specific IAM roles access to a KMS key within a single account. Option D is wrong because while a KMS key policy is technically a resource policy, the term 'resource policy attached to the KMS key' is redundant and misleading; the correct and specific term is 'KMS key policy', and the question asks for the type of policy, not a generic description.

202
MCQeasy

A company requires that all AWS account activity be recorded and the logs be stored in a centralized S3 bucket for analysis. Which two AWS services should be used together to meet this requirement?

A.Amazon GuardDuty and Amazon S3
B.AWS CloudTrail and Amazon S3
C.AWS Config and Amazon S3
D.Amazon Inspector and Amazon S3
E.VPC Flow Logs and Amazon S3
AnswerB

CloudTrail logs API activity to S3.

Why this answer

Option B is correct because AWS CloudTrail records API activity and can deliver logs to an S3 bucket. Option A is wrong because Amazon GuardDuty is a threat detection service, not a logging service. Option C is wrong because AWS Config records resource configurations, not API activity.

Option D is wrong because Amazon Inspector is for vulnerability assessment. Option E is wrong because VPC Flow Logs capture network traffic, not API calls.

203
Multi-Selectmedium

Which TWO actions can a SysOps administrator take to secure an Amazon S3 bucket that contains sensitive data? (Choose TWO.)

Select 2 answers
A.Configure a cross-origin resource sharing (CORS) policy.
B.Enable default encryption using AWS KMS (SSE-KMS) on the bucket.
C.Enable cross-region replication for the bucket.
D.Block all public access to the bucket using the S3 Block Public Access feature.
E.Enable MFA Delete on the bucket to require multi-factor authentication for delete operations.
AnswersB, D

Ensures all objects are encrypted at rest.

Why this answer

Option D is correct because blocking public access is a fundamental security measure. Option B is correct because enabling default encryption ensures data is encrypted at rest. Option E is wrong because MFA Delete applies to versioned buckets and is not a primary security control for all buckets.

Option A is wrong because CORS is for cross-origin requests, not security. Option C is wrong because cross-region replication is for disaster recovery, not security.

204
MCQhard

A company's security team notices that an IAM user has been generating multiple access keys and deleting them within a short period. The SysOps administrator needs to detect and alert on this behavior. Which solution is the MOST effective?

A.Enable AWS Trusted Advisor security checks and review the report weekly.
B.Enable IAM Access Analyzer to analyze user activity and send alerts.
C.Enable AWS CloudTrail and create a CloudWatch Events rule that triggers on iam:CreateAccessKey events and sends a notification to an SNS topic.
D.Use AWS Config to track IAM user configuration changes and trigger an alert when an access key is created.
AnswerC

CloudTrail logs API calls and CloudWatch Events can respond in real time.

Why this answer

Option C is correct because AWS CloudTrail logs all IAM API calls, and CloudWatch Events can trigger on the CreateAccessKey event. Option B is wrong because IAM Access Analyzer analyzes resource policies, not user activity. Option D is wrong because AWS Config evaluates resource compliance, not API call patterns.

Option A is wrong because Trusted Advisor does not monitor user behavior.
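The detection logic behind this question, as an added example that is not part of the question bank: it checks constructed CloudTrail records against an EventBridge/CloudWatch Events pattern of the kind the correct answer describes, then counts CreateAccessKey and DeleteAccessKey calls per IAM user inside a sliding window so rapid key churn can be alerted on. The sample records, window and threshold are constructed, hypothetical values.

```python
"""Added example (not from the question bank): CloudTrail-based detection of
IAM access key churn, with constructed sample records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the CloudTrail record format (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app"}},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
]

# The event pattern a CloudWatch Events / EventBridge rule would use to fire
# on these CloudTrail management events (standard event-pattern format).
KEY_EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateAccessKey", "DeleteAccessKey"],
    },
}


def matches_detail(record, pattern=KEY_EVENT_PATTERN):
    """True when a raw CloudTrail record satisfies the 'detail' part of the
    rule pattern: every listed field must hold one of the listed values."""
    return all(record.get(field) in allowed
               for field, allowed in pattern["detail"].items())


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def key_churn_alerts(events, window_minutes=60, threshold=3):
    """Return {userName: count} for every IAM user whose matching key events
    reach `threshold` inside some sliding window of `window_minutes`."""
    per_user = defaultdict(list)
    for ev in events:
        if not matches_detail(ev):
            continue
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        per_user[user].append(_parse_time(ev["eventTime"]))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        lo, busiest = 0, 0
        for hi in range(len(times)):          # two-pointer sliding window
            while times[hi] - times[lo] > window:
                lo += 1
            busiest = max(busiest, hi - lo + 1)
        if busiest >= threshold:
            alerts[user] = busiest
    return alerts


def sns_message(alerts):
    """Body for the SNS notification; None when there is nothing to report."""
    if not alerts:
        return None
    return json.dumps({"finding": "iam-access-key-churn", "users": alerts})


if __name__ == "__main__":
    print(sns_message(key_churn_alerts(SAMPLE_EVENTS)))
```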

205
MCQhard

A company uses an IAM policy to allow users to manage their own passwords and access keys. The policy includes a condition that requires multi-factor authentication (MFA) for any sensitive operations. However, users report that they are unable to change their own passwords even when MFA is not required. What is the likely cause?

A.The condition key aws:MultiFactorAuthAge is set incorrectly.
B.The policy does not include the iam:ChangePassword action.
C.The policy is attached to a group instead of the user.
D.The condition key aws:MultiFactorAuthPresent is set to true, preventing password changes without MFA.
AnswerD

The condition likely requires MFA for password changes, but users are not using MFA.

Why this answer

Option D is correct because if the condition explicitly requires MFA for the ChangePassword action, users must authenticate with MFA to change their password. Option C is wrong because the policy is attached to users, not groups. Option B is wrong because a missing action would prevent all operations.

Option A is wrong because the condition key is valid.

206
MCQeasy

A company wants to ensure that all data in Amazon S3 is encrypted at rest using server-side encryption with AWS KMS managed keys (SSE-KMS). Which bucket policy statement should be used to deny any PUT request that does not include the 'x-amz-server-side-encryption' header with value 'aws:kms'?

A.Condition: { StringNotEquals: { 's3:x-amz-server-side-encryption': 'aws:kms' } }
B.Condition: { StringNotEquals: { 's3:x-amz-server-side-encryption-aws-kms-key-id': 'alias/aws/s3' } }
C.Condition: { StringNotEquals: { 's3:ServerSideEncryption': 'KMS' } }
D.Condition: { StringEquals: { 's3:x-amz-server-side-encryption': 'aws:kms' } }
AnswerA

Denies PUT if encryption is not SSE-KMS.

Why this answer

Option A is correct because the condition 's3:x-amz-server-side-encryption' checks for the header value. Denying the request when the string does not equal 'aws:kms' enforces SSE-KMS. Option D is wrong because it denies when the value equals 'aws:kms', which would block encrypted uploads.

Option B is wrong because it checks 's3:x-amz-server-side-encryption-aws-kms-key-id', which is not the header for encryption type. Option C is wrong because it checks 's3:ServerSideEncryption', which is not a valid condition key.

207
Multi-Selectmedium

A company is designing a secure application architecture. They need to ensure that sensitive data stored in Amazon S3 is not accessible from the public internet. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A.Use an S3 VPC Gateway Endpoint to restrict access to the VPC.
B.Enable default encryption on the bucket.
C.Enable MFA Delete on the bucket.
D.Use Amazon CloudFront with Origin Access Identity (OAI).
E.Block all public access at the bucket level.
AnswersA, E

Restricts access to within the VPC.

Why this answer

Option E is correct because blocking public access at the bucket or account level prevents public access. Option A is correct because using an S3 VPC Gateway Endpoint ensures access is only from within the VPC. Option B is wrong because encrypting data does not prevent public access.

Option D is wrong because CloudFront with OAI can provide secure access but does not by itself block public internet access if the bucket is public. Option C is wrong because MFA Delete is for deletion protection, not access control.

208
MCQeasy

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are configured with server-side encryption using AWS KMS (SSE-KMS). The administrator wants to automatically detect any S3 buckets that are not compliant and remediate them by enabling SSE-KMS. Which AWS service should be used to implement this automated compliance enforcement?

A.AWS Config
B.AWS Trusted Advisor
C.AWS Service Catalog
D.AWS CloudFormation
AnswerA

AWS Config can continuously monitor and evaluate S3 bucket encryption settings using managed rules and trigger auto-remediation actions to enable SSE-KMS on non-compliant buckets.

Why this answer

AWS Config is the correct service because it provides managed rules (e.g., s3-bucket-server-side-encryption-enabled) that can continuously evaluate S3 buckets for compliance with SSE-KMS. When a non-compliant bucket is detected, AWS Config can trigger an AWS Systems Manager Automation document or a custom remediation action (via AWS Config Rules remediation) to automatically enable SSE-KMS on the bucket, ensuring automated enforcement without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's reactive compliance monitoring with Trusted Advisor's advisory checks, or assume CloudFormation can handle post-deployment compliance, but only AWS Config provides the continuous evaluation and automated remediation required for this use case.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor only provides reactive recommendations and best-practice checks (e.g., S3 bucket permissions) but does not support automated remediation or custom compliance rules; it cannot automatically enable SSE-KMS on non-compliant buckets. Option C is wrong because AWS Service Catalog is used to create and manage a catalog of approved IT services (e.g., pre-configured S3 bucket templates) but does not perform ongoing compliance monitoring or remediation of existing resources. Option D is wrong because AWS CloudFormation is an infrastructure-as-code service for provisioning resources via templates; it can enforce SSE-KMS at deployment time but cannot automatically detect or remediate non-compliant buckets that already exist or are created outside of CloudFormation stacks.

209
Multi-Selectmedium

Which TWO actions can be used to protect data in transit between an EC2 instance and an S3 bucket? (Choose two.)

Select 2 answers
A.Configure security group rules on the EC2 instance to allow only S3 traffic.
B.Apply an S3 bucket policy that denies access unless the request includes the x-amz-server-side-encryption header.
C.Use HTTPS instead of HTTP when accessing S3 from the EC2 instance.
D.Enable S3 default encryption (SSE-S3) on the bucket.
E.Use S3 VPC endpoints to ensure traffic between the VPC and S3 does not traverse the internet.
AnswersC, E

HTTPS encrypts the data in transit.

Why this answer

Option C is correct because HTTPS encrypts the data in transit between the EC2 instance and S3 using TLS, protecting it from eavesdropping or tampering. This ensures that the HTTP request and response payload, as well as headers, are encrypted over the network, which is a direct method to protect data in transit.

Exam trap

The trap here is confusing encryption in transit (HTTPS) with encryption at rest (SSE-S3 or bucket policies requiring encryption headers), leading candidates to select options that protect data only after it reaches S3 rather than during network transmission.

210
MCQmedium

A SysOps administrator needs to ensure that all API calls made to AWS are logged for auditing purposes. Which AWS service should be enabled to capture management events?

A.AWS CloudTrail
B.S3 server access logs
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerA

CloudTrail records API activity in the AWS account.

Why this answer

Option A is correct because AWS CloudTrail logs all API calls for governance, compliance, and auditing. Option D is wrong because CloudWatch Logs stores logs but does not capture API calls. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

Option B is wrong because S3 server access logs capture requests to S3, not all AWS API calls.

211
Multi-Selecteasy

A SysOps administrator is configuring a new VPC and wants to ensure that only traffic from a specific IP address range can access an EC2 instance via SSH. Which TWO components should be configured? (Choose two.)

Select 2 answers
A.VPC endpoint
B.Network ACL (NACL)
C.Security group
D.Internet gateway
E.Route table
AnswersB, C

NACLs control traffic at the subnet level and can allow/deny inbound SSH from specific IP ranges.

Why this answer

To restrict SSH access to a specific IP range, you configure a network ACL at the subnet level and a security group at the instance level. NACLs are stateless and evaluate rules in order; security groups are stateful. Both can allow inbound SSH from the specific IP range.

An internet gateway enables internet access but does not filter by IP. Route tables direct traffic but do not filter. A VPC endpoint is for private connectivity to AWS services.

212
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission regarding the s3:DeleteObject action on the example-bucket?

A.Denied because of the explicit Deny statement
B.Denied because the action is not allowed explicitly
C.Allowed because the Allow statement is listed first
D.Allowed because the Deny statement has a typo
AnswerA

Explicit Deny overrides any Allow.

Why this answer

In IAM, an explicit Deny overrides any Allow. So even though the first statement allows all S3 actions, the second statement explicitly denies DeleteObject. Thus DeleteObject is denied.

Option A is correct. Options B, C, and D are incorrect because Deny prevails.

213
MCQhard

An organization wants to enforce that all IAM users have multi-factor authentication (MFA) enabled before they can perform any action except changing their own password. Which IAM policy element is MOST appropriate?

A.Use a Condition element with 'aws:MultiFactorAuthPresent' set to 'true' in a Deny policy.
B.Use an Action element to allow only MFA actions.
C.Use a NotAction element to allow password change without MFA.
D.Use a Resource element to limit access to MFA-enabled users.
AnswerA

Denies access if MFA is not present.

Why this answer

Option A is correct because a Condition with 'aws:MultiFactorAuthPresent':'true' can be used to require MFA. Option D is wrong because Resource doesn't enforce MFA. Option B is wrong because Action only specifies which actions are covered.

Option C is wrong because NotAction is not for MFA enforcement.

214
MCQmedium

An organization requires that all Amazon S3 buckets be encrypted with AES-256 server-side encryption. A SysOps administrator needs to enforce this policy across the entire AWS account. Which action should be taken?

A.Enable default encryption on all existing and future S3 buckets.
B.Use AWS CloudTrail to monitor uploads without encryption and alert the administrator.
C.Use S3 Inventory to list unencrypted objects and remediate them manually.
D.Apply an S3 bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header set to AES256.
AnswerD

This policy enforces encryption at upload time.

Why this answer

Option D is correct because a bucket policy that denies PutObject without the x-amz-server-side-encryption header set to AES256 will enforce encryption. Option A is wrong because default encryption does not prevent objects from being uploaded without encryption header. Option B is wrong because CloudTrail logs but does not enforce.

Option C is wrong because S3 Inventory does not enforce.
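The policy logic behind questions 200, 206, 212, 213 and 214, as an added example that is not part of the question bank: a small evaluator implementing the decision rule those questions rely on (an explicit Deny wins, otherwise some Allow must match, otherwise implicit deny) and the condition operators they use. The policies are constructed here; the SSE bucket policy is generalised to any algorithm and an optional pinned KMS key, and the MFA policy uses BoolIfExists so that requests carrying no MFA key at all are also covered.

```python
"""Added example (not from the question bank): a minimal IAM/S3 policy
evaluator. Assumptions: the request context is a flat dict of condition
keys; an absent key behaves as in IAM (StringNotEquals and BoolIfExists
match, StringEquals and Bool do not)."""
import fnmatch


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(cond, ctx):
    """Evaluate a Condition block; every operator/key pair must hold."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            wants = [w.lower() for w in _as_list(want)]
            have = ctx.get(key)
            have_l = None if have is None else str(have).lower()
            if op == "StringEquals" and have_l not in wants:
                return False
            if op == "StringNotEquals" and have_l in wants:
                return False
            if op == "Bool" and have_l not in wants:
                return False            # absent key: Bool evaluates false
            if op == "BoolIfExists" and have_l is not None and have_l not in wants:
                return False            # absent key: treated as satisfied
            if op == "Null" and (have is None) != (wants[0] == "true"):
                return False
    return True


def _statement_applies(stmt, action, resource):
    if "Action" in stmt:
        hit = _glob_any(stmt["Action"], action)
    else:
        hit = not _glob_any(stmt["NotAction"], action)
    return hit and _glob_any(stmt.get("Resource", "*"), resource)


def evaluate(policies, action, resource, ctx):
    """Return 'explicit-deny', 'allow' or 'implicit-deny'."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # Deny overrides any Allow
            allowed = True
    return "allow" if allowed else "implicit-deny"


def sse_bucket_policy(bucket, algorithm="aws:kms", key_arn=None):
    """Bucket policy pattern of Q206/Q214, optionally pinned to one KMS key
    (Q200). The Allow stands in for the principal's normal permissions."""
    arn = f"arn:aws:s3:::{bucket}/*"
    stmts = [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": arn},
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": algorithm}}},
    ]
    if key_arn:
        stmts.append(
            {"Effect": "Deny", "Action": "s3:PutObject", "Resource": arn,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}})
    return {"Version": "2012-10-17", "Statement": stmts}


# Q213 pattern: deny everything except changing one's own password when MFA
# is absent. BoolIfExists also catches requests signed with long-term access
# keys, which carry no aws:MultiFactorAuthPresent key at all.
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:ChangePassword"], "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Q212 pattern: a broad Allow followed by an explicit Deny of one action.
DELETE_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate([DELETE_DENY_POLICY], "s3:DeleteObject", obj, {}))
```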

215
Multi-Selecthard

A company is using AWS CloudTrail to log all API calls. The security team wants to ensure that logs are tamper-proof and stored securely. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Write logs to a different AWS account.
B.Encrypt the CloudTrail log files with SSE-KMS.
C.Enable MFA Delete on the S3 bucket.
D.Enable S3 server access logs.
E.Enable CloudTrail log file validation.
AnswersB, E

Protects data at rest.

Why this answer

Option E is correct because enabling log file validation creates a digest file that can be used to verify integrity. Option B is correct because SSE-KMS encrypts the log files. Option D is wrong because S3 server access logs are a separate feature.

Option A is wrong because CloudTrail already logs to S3. Option C is wrong because MFA Delete is for versioning, not tamper-proofing.

216
Multi-Selecthard

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot pull secrets from AWS Secrets Manager. The instance has an IAM role with a policy that allows secretsmanager:GetSecretValue. The secret is in the same account and region. What are possible reasons for the failure? (Choose THREE.)

Select 3 answers
A.The EC2 instance is in a private subnet with no route to the internet or a VPC endpoint for Secrets Manager
B.The secret is in a different AWS account
C.The IAM role is not attached to the instance profile
D.The VPC endpoint for Secrets Manager has a policy that denies access from the instance's security group
E.The secret is encrypted with a customer managed KMS key, and the IAM role does not have kms:Decrypt permission
AnswersA, D, E

Without a route to the Secrets Manager service, the request will fail.

Why this answer

Possible reasons include: the secret is encrypted with a customer managed KMS key that the role cannot decrypt (E), the VPC endpoint policy for Secrets Manager denies the action (D), and the instance is in a private subnet without a VPC endpoint or NAT gateway (A). Option B is wrong because cross-account access is not involved; the secret is in the same account. Option C is wrong because the instance profile is already associated with the role.

217
Multi-Selecthard

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files from the S3 bucket. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A.Enable CloudTrail log file validation
B.Send CloudTrail logs to CloudWatch Logs for real-time monitoring
C.Create a service control policy (SCP) that denies the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions
D.Enable MFA delete on the S3 bucket
E.Configure an S3 bucket policy that denies s3:DeleteObject actions on the CloudTrail log bucket
AnswersA, C, E

Log file validation creates a digest file that can be used to verify that log files have not been modified or deleted.

Why this answer

To protect CloudTrail logs, you should configure an SCP to deny CloudTrail disabling, enable log file validation to detect tampering, and use an S3 bucket policy that denies delete object permissions to all principals except the CloudTrail service. MFA delete adds another layer but is not a direct step for CloudTrail. CloudWatch Logs is for monitoring, not protection.
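How CloudTrail log file validation (questions 215 and 217) detects modified or deleted log files, as an added example that is not part of the question bank: each digest lists the SHA-256 of the log files it covers and the hash of the previous digest, forming a chain that this code rebuilds in memory and verifies. Assumptions: the "bucket" is a dict of object key to bytes, the digest JSON borrows CloudTrail's field names, and the RSA signature CloudTrail adds over each digest (which `aws cloudtrail validate-logs` also checks) is left out, so this verifies hash integrity only.

```python
"""Added example (not from the question bank): verifying a CloudTrail-style
digest chain over constructed log files."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_digest(store, digest_key, log_keys, previous_digest_key=None):
    """Simulate CloudTrail writing a digest covering `log_keys` into `store`."""
    digest = {
        "digestS3Object": digest_key,
        "digestSignatureAlgorithm": "SHA256withRSA",  # signature omitted here
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(store[k])} for k in log_keys],
        "previousDigestS3Object": previous_digest_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest_key else None,
        "previousDigestHashValue": (sha256_hex(store[previous_digest_key])
                                    if previous_digest_key else None),
    }
    store[digest_key] = json.dumps(digest, sort_keys=True).encode()
    return digest


def verify_chain(store, newest_digest_key):
    """Walk the digest chain from newest to oldest; return a list of findings
    (empty when every log file and digest is intact)."""
    findings, key = [], newest_digest_key
    while key:
        if key not in store:
            findings.append(f"digest missing: {key}")
            break
        digest = json.loads(store[key])
        for entry in digest["logFiles"]:
            obj = entry["s3Object"]
            if obj not in store:
                findings.append(f"log file deleted: {obj}")
            elif sha256_hex(store[obj]) != entry["hashValue"]:
                findings.append(f"log file modified: {obj}")
        prev = digest["previousDigestS3Object"]
        if prev and prev in store and \
                sha256_hex(store[prev]) != digest["previousDigestHashValue"]:
            findings.append(f"digest modified: {prev}")
        key = prev
    return findings


LOG_1000 = "logs/2024/05/01/trail_1000.json.gz"
LOG_1030 = "logs/2024/05/01/trail_1030.json.gz"
LOG_1100 = "logs/2024/05/01/trail_1100.json.gz"
DIGEST_1100 = "digests/2024/05/01/digest_1100.json"
NEWEST = "digests/2024/05/01/digest_1200.json"


def build_sample_store():
    """Constructed sample: three log files and two chained digests."""
    store = {
        LOG_1000: b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        LOG_1030: b'{"Records":[{"eventName":"StopLogging"}]}',
        LOG_1100: b'{"Records":[{"eventName":"DeleteTrail"}]}',
    }
    write_digest(store, DIGEST_1100, [LOG_1000, LOG_1030])
    write_digest(store, NEWEST, [LOG_1100], previous_digest_key=DIGEST_1100)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("intact:", verify_chain(store, NEWEST))
    del store[LOG_1030]          # tamper: delete a log file
    store[LOG_1100] += b" "      # tamper: modify a log file
    print("tampered:", verify_chain(store, NEWEST))
```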

218
MCQmedium

An organization requires that all Amazon S3 buckets block public access entirely. A SysOps administrator needs to ensure that no bucket can be made public, even accidentally. Which approach enforces this control at the organizational level?

A.Apply an S3 Bucket Policy on each bucket that denies public access.
B.Use an AWS Config managed rule 's3-bucket-public-read-prohibited' to detect and remediate public buckets.
C.Enable S3 Block Public Access at the account level and attach an SCP to deny changes to it.
D.Create an IAM policy that denies s3:PutBucketPolicy for all users.
AnswerC

Correct. Account-level block public access prevents all public access, and an SCP prevents users from disabling it.

Why this answer

Option C is correct because S3 Block Public Access at the account level provides a centralized, immutable control that prevents any bucket in the account from being made public, regardless of bucket policies or ACLs. Attaching an SCP (Service Control Policy) to deny changes to these settings ensures that even administrators with full IAM permissions cannot disable the block, enforcing the control at the organizational level across all accounts in the organization.

Exam trap

The trap here is that candidates often confuse detective controls (like AWS Config rules) with preventive controls (like SCPs and account-level Block Public Access), assuming that detecting and auto-remediating public buckets is equivalent to preventing them from ever becoming public.

How to eliminate wrong answers

Option A is wrong because applying an S3 Bucket Policy on each bucket is not an organizational-level control; it is per-bucket and can be overridden or omitted by users with sufficient permissions, failing to enforce the requirement across all buckets. Option B is wrong because AWS Config managed rules are detective and reactive, not preventive; they can detect and auto-remediate public buckets, but there is a window of exposure before remediation occurs, and the rule can be disabled or modified by authorized users, so it does not enforce a hard block at the organizational level. Option D is wrong because an IAM policy that denies s3:PutBucketPolicy for all users does not prevent public access via bucket ACLs (e.g., granting public read/write via ACLs), and it can be bypassed by users with full administrative privileges who can modify or detach the IAM policy.

219
MCQmedium

A company's security policy requires that all Amazon RDS for PostgreSQL instances be encrypted at rest using AWS Key Management Service (KMS) customer managed keys and have automated backups enabled with a retention period of at least 30 days. A SysOps administrator needs to use AWS Config to automatically detect any RDS instance that is non-compliant with either requirement and automatically remediate it. Which combination of AWS Config managed rules and remediation actions should be used?

A.Use two AWS Config managed rules: 'rds-instance-encrypted' and 'rds-backup-enabled'. Configure each rule with an automatic remediation action that triggers an Amazon CloudWatch alarm, which then invokes an AWS Lambda function to enable encryption and backups.
B.Create custom AWS Config rules as AWS Lambda functions that evaluate the RDS instance configuration. In the Lambda function, if a resource is non-compliant, call the RDS API to enable encryption and modify backup settings.
C.Use the AWS Config managed rules 'rds-instance-encrypted' and 'rds-backup-enabled'. Configure automatic remediation for each rule using the corresponding AWS Systems Manager Automation runbook: 'AWSConfigRemediation-EnableRDSInstanceEncryption' and 'AWSConfigRemediation-EnableRDSInstanceBackup'.
D.Use a single custom AWS Config rule that checks both encryption and backup settings. If non-compliant, trigger an AWS Lambda function that uses the RDS API to configure both settings.
AnswerC

This is the correct approach. Managed rules evaluate compliance, and automatic remediation using Systems Manager Automation runbooks applies the fix without custom code. The runbooks perform the necessary API calls to enable encryption and backups, meeting the policy requirements.

Why this answer

Option C is correct because AWS Config managed rules 'rds-instance-encrypted' and 'rds-backup-enabled' natively evaluate encryption and backup compliance. The corresponding AWS Systems Manager Automation runbooks ('AWSConfigRemediation-EnableRDSInstanceEncryption' and 'AWSConfigRemediation-EnableRDSInstanceBackup') provide built-in, automatic remediation without custom code, aligning with the requirement to use managed rules and automatic remediation.

Exam trap

The trap here is that candidates may assume custom Lambda functions are required for complex remediation, but AWS provides pre-built Systems Manager Automation runbooks that integrate directly with AWS Config managed rules for common RDS compliance issues, making custom code unnecessary.

How to eliminate wrong answers

Option A is wrong because triggering a CloudWatch alarm to invoke a Lambda function is an indirect, custom remediation path; AWS Config supports direct automatic remediation via Systems Manager Automation runbooks, making this approach unnecessarily complex and not leveraging native capabilities. Option B is wrong because creating custom AWS Config rules as Lambda functions violates the requirement to use AWS Config managed rules; the question explicitly asks for managed rules, not custom ones. Option D is wrong because using a single custom rule that checks both encryption and backups is not a managed rule, and it requires custom Lambda code for remediation, which contradicts the directive to use managed rules and automatic remediation actions.

220
MCQmedium

A company requires that all API calls to AWS services be logged for compliance. The logs must be stored in a centralized S3 bucket with server-side encryption enabled. Which AWS service should be used to capture the API calls?

A.AWS Config
B.AWS CloudTrail
C.VPC Flow Logs
D.Amazon CloudWatch Logs
AnswerB

CloudTrail logs API calls and delivers to S3.

Why this answer

Option B is correct because AWS CloudTrail logs all API calls and can deliver logs to an S3 bucket with SSE. Option A is wrong because AWS Config records resource configuration changes, not API calls. Option D is wrong because CloudWatch Logs can store logs but is not the primary service for capturing API calls.

Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

221
MCQeasy

A company wants to ensure that all S3 buckets are encrypted by default. Which AWS service can be used to automatically enforce encryption on newly created S3 buckets?

A.AWS Config with a managed rule and auto-remediation
B.S3 bucket policies
C.IAM policies
D.AWS CloudTrail
AnswerA

AWS Config can enforce encryption on buckets automatically.

Why this answer

AWS Config can evaluate resources against rules and take remediation actions. Using a managed rule like 's3-bucket-server-side-encryption-enabled' and an auto-remediation action, AWS Config can automatically apply encryption to buckets that are non-compliant. Option A is correct.

Option B is wrong because a bucket policy must be configured per bucket and does not automatically cover newly created buckets. Option D is wrong because AWS CloudTrail logs API calls but does not enforce configurations. Option C is wrong because IAM policies can require encryption in requests but cannot automatically apply encryption to buckets.

222
MCQmedium

A company wants to enforce that all Amazon EC2 instances launched in the AWS account must have a specific termination protection setting enabled. The SysOps administrator needs to automatically remediate any instances that are launched without termination protection. Which AWS service should be used to achieve this?

A.AWS Config with a managed rule ec2-instance-no-public-ip and an SSM Automation remediation.
B.AWS Config with a custom rule using AWS Lambda to evaluate and enable termination protection.
C.Amazon Inspector to scan instances and trigger a remediation action.
D.AWS Systems Manager Patch Manager to apply a policy for termination protection.
AnswerB

A custom AWS Config rule can use a Lambda function to check if an EC2 instance has termination protection enabled. If not, the function can call the EC2 API to enable it. This provides automatic remediation for non-compliant resources.

Why this answer

AWS Config can evaluate resources against desired configurations using managed or custom rules. A custom AWS Config rule can invoke a Lambda function to check if termination protection is enabled on EC2 instances and automatically enable it if missing, providing the required remediation. This approach directly addresses the requirement to enforce termination protection on all launched instances.

Exam trap

The trap here is that candidates may confuse AWS Config's managed rules (which cover common compliance checks) with the need for a custom rule and Lambda function to enforce a specific setting like termination protection, or mistakenly think services like Inspector or Patch Manager can handle configuration enforcement.

How to eliminate wrong answers

Option A is wrong because the ec2-instance-no-public-ip rule checks for public IPs, not termination protection, and SSM Automation remediation is not designed to enable termination protection on EC2 instances. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposures, not for enforcing instance configuration settings like termination protection. Option D is wrong because AWS Systems Manager Patch Manager is used to automate patching of operating systems and applications, not to apply termination protection policies to EC2 instances.
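The evaluation and remediation logic of the custom AWS Config rule this question describes, as an added example that is not part of the question bank. The AWS calls are injected as callables so it runs offline: in the real Lambda, `lookup` would wrap `ec2.describe_instance_attribute(InstanceId=..., Attribute="disableApiTermination")`, `remediate` would wrap `ec2.modify_instance_attribute(InstanceId=..., DisableApiTermination={"Value": True})`, and the returned entry would go to `config.put_evaluations()`; the invoking event, instance IDs and fake EC2 table are constructed.

```python
"""Added example (not from the question bank): custom AWS Config rule logic
for EC2 termination protection, with the AWS API calls injected."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = (
    "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE")


def evaluate_instance(instance_id, lookup):
    """Return (compliance_type, annotation) for one EC2 instance."""
    attr = lookup(instance_id)   # same shape as describe_instance_attribute
    protected = bool(attr.get("DisableApiTermination", {}).get("Value", False))
    if protected:
        return COMPLIANT, "Termination protection is enabled"
    return NON_COMPLIANT, "Termination protection is disabled"


def lambda_handler(event, lookup, remediate=None):
    """Build the Evaluation entry for config.put_evaluations(); when
    `remediate` is given, also enable protection on a non-compliant instance."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::Instance" or \
            item["configurationItemStatus"] in ("ResourceDeleted",
                                                "ResourceDeletedNotRecorded"):
        compliance, note = NOT_APPLICABLE, "Not an active EC2 instance"
    else:
        compliance, note = evaluate_instance(item["resourceId"], lookup)
        if compliance == NON_COMPLIANT and remediate is not None:
            remediate(item["resourceId"])
            note += "; remediation requested"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


class FakeEc2:
    """Constructed stand-in for the EC2 API: an in-memory attribute table."""
    def __init__(self, protection):
        self.protection = dict(protection)
        self.calls = []

    def lookup(self, instance_id):
        return {"InstanceId": instance_id,
                "DisableApiTermination": {"Value": self.protection[instance_id]}}

    def remediate(self, instance_id):
        self.calls.append(instance_id)
        self.protection[instance_id] = True


def make_event(instance_id, status="OK", resource_type="AWS::EC2::Instance"):
    """Constructed configuration-change event as AWS Config delivers it."""
    return {"invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": resource_type,
            "resourceId": instance_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
        }})}


if __name__ == "__main__":
    ec2 = FakeEc2({"i-0aaa": False, "i-0bbb": True})   # constructed IDs
    print(lambda_handler(make_event("i-0aaa"), ec2.lookup, ec2.remediate))
    print(lambda_handler(make_event("i-0aaa"), ec2.lookup, ec2.remediate))
```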

223
MCQeasy

A company requires that all Amazon EC2 instances launched in its AWS account must have termination protection enabled. The SysOps administrator needs to automatically remediate any instance launched without termination protection. The solution should use AWS managed services without custom scripts. Which AWS service should be used?

A.Configure AWS Config with a managed rule 'ec2-termination-protection-check' and set an auto-remediation action using an AWS Systems Manager Automation document that enables termination protection on the instance.
B.Use Amazon EC2 Auto Scaling to automatically apply termination protection to all launched instances.
C.Enable AWS Trusted Advisor to send notifications when instances lack termination protection, and have administrators manually fix them.
D.Create an IAM policy that denies the RunInstances action unless termination protection is enabled.
AnswerA

AWS Config can evaluate resources against a rule and automatically remediate non-compliant resources using Systems Manager Automation. This meets the requirement without custom scripts.

Why this answer

Option A is correct because AWS Config's managed rule 'ec2-termination-protection-check' can detect instances without termination protection, and you can attach an auto-remediation action using an AWS Systems Manager Automation document (e.g., AWS-EnableTerminationProtection) to automatically enable termination protection on noncompliant instances. This solution uses only AWS managed services and requires no custom scripts, meeting the company's requirements.

Exam trap

The trap here is that candidates may confuse AWS Config's detection-only capability with its auto-remediation feature, or assume that an IAM policy can require an instance attribute at launch time. There is no RunInstances condition key that expresses termination protection, so IAM cannot make the launch conditional on it; IAM can only control who may later call ModifyInstanceAttribute to turn it off.

How to eliminate wrong answers

Option B is wrong because Amazon EC2 Auto Scaling has no feature that applies termination protection to launched instances; it manages capacity, scaling policies and health checks (its own instance scale-in protection is a different setting that only stops Auto Scaling from terminating an instance). Option C is wrong because AWS Trusted Advisor only provides findings and recommendations; fixing them is manual, which violates the automatic-remediation requirement. Option D is wrong because IAM cannot evaluate the termination-protection attribute on RunInstances, so such a policy cannot be written, and even a preventive control would not remediate instances that are already running, which is what the question asks for.

224
MCQmedium

A SysOps administrator needs to provide temporary, limited-privilege credentials to an application running on an EC2 instance. The application needs to access an S3 bucket. What is the most secure way to grant these credentials?

A.Use a Lambda function to generate temporary credentials from an IAM user.
B.Store the AWS access keys in an S3 bucket and have the application download them at startup.
C.Attach an IAM role with the necessary permissions to the EC2 instance.
D.Create an IAM user with programmatic access and store the access keys in the application's environment variables.
AnswerC

An IAM role attached through an instance profile gives the application short-lived STS credentials that the SDK fetches from the instance metadata service and rotates automatically; nothing is stored on disk or in configuration.

Why this answer

Option C is correct because an IAM role attached to the instance (via an instance profile) is the AWS best practice for giving code on EC2 credentials: the SDK retrieves temporary credentials from the instance metadata service and refreshes them before they expire, and the role's policy can be scoped to just the bucket and actions the application needs. Require IMDSv2 on the instance so that an SSRF bug in the application cannot read those credentials with a single GET. Option A is wrong because it still rests on a long-lived IAM user's access keys held by the Lambda function, and reinvents a credential broker that STS already provides. Option B is wrong because access keys at rest in S3 are long-lived secrets that anyone with read access to the bucket, or to a copied object, can reuse.

Option D is wrong because IAM user credentials are long-term keys that are never rotated automatically, and in environment variables they leak into process listings, crash dumps and logs.
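As an added example (not from the page), the following Python shows what the SDK credential chain does on the instance to obtain those temporary credentials over IMDSv2: PUT for a session token, then GET the role name and its credentials, plus a refresh check before expiry. The role name app-s3-reader, the FakeIMDS class and the credential values are constructed for the demonstration; on a real instance pass no http argument and the urllib transport talks to 169.254.169.254.

```python
"""Fetching an instance role's temporary credentials over IMDSv2 (added example).

Not the page's code. Shows what the SDK credential chain does on an EC2 instance:
PUT a session token, then GET the role name and its credentials. FakeIMDS is a
constructed stand-in for http://169.254.169.254 so this runs offline.
"""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
TOKEN_TTL = "21600"  # seconds; 6 hours is the maximum IMDSv2 allows


def urllib_http(method, url, headers):
    """Real transport: (status, body) for one metadata request."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def fetch_role_credentials(http=urllib_http):
    """Return the role's temporary credentials; every request is token-gated (IMDSv2)."""
    status, token = http("PUT", IMDS + "/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    if status != 200:
        raise RuntimeError("IMDSv2 token request failed; IMDS may be disabled")
    auth = {"X-aws-ec2-metadata-token": token}
    status, role = http("GET", IMDS + "/latest/meta-data/iam/security-credentials/", auth)
    if status != 200 or not role:
        raise RuntimeError("no IAM role attached to this instance")
    status, body = http("GET", IMDS + "/latest/meta-data/iam/security-credentials/" + role, auth)
    creds = json.loads(body)
    if status != 200 or creds.get("Code") != "Success":
        raise RuntimeError("credential fetch failed: %r" % creds)
    return {"role": role,
            "access_key_id": creds["AccessKeyId"],
            "secret_access_key": creds["SecretAccessKey"],
            "session_token": creds["Token"],  # must accompany the key pair on every signed call
            "expiration": datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))}


def needs_refresh(creds, now=None, margin_seconds=300):
    """SDKs refresh a few minutes before expiry; do the same if you cache these yourself."""
    now = now or datetime.now(timezone.utc)
    return (creds["expiration"] - now).total_seconds() < margin_seconds


class FakeIMDS:
    """Constructed stand-in for the metadata service with HttpTokens=required."""
    TOKEN = "AQAAA-constructed-token"

    def __init__(self, role="app-s3-reader"):
        self.role = role

    def __call__(self, method, url, headers):
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            return 200, self.TOKEN
        if headers.get("X-aws-ec2-metadata-token") != self.TOKEN:
            return 401, ""  # an IMDSv1-style GET without a token is rejected
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, self.role
        if path == "/latest/meta-data/iam/security-credentials/" + self.role:
            return 200, json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                                    "AccessKeyId": "ASIAEXAMPLE",
                                    "SecretAccessKey": "constructed-secret",
                                    "Token": "constructed-session-token",
                                    "Expiration": "2030-01-01T00:00:00Z"})
        return 404, ""


if __name__ == "__main__":
    c = fetch_role_credentials(http=FakeIMDS())
    print(c["role"], c["access_key_id"], "expires", c["expiration"].isoformat())
```

The fake answers 401 to any GET that lacks the token header, which is exactly what real IMDS does once the instance's metadata options set HttpTokens=required; that PUT-before-GET requirement is what stops a simple SSRF from reading the role's credentials.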

225
MCQhard

A company has an AWS account with multiple VPCs connected via a transit gateway. The SysOps administrator needs to ensure that all traffic between VPCs is encrypted in transit. Which solution should the administrator implement?

A.Use VPC peering connections between the VPCs.
B.Use VPC endpoints to route traffic through AWS PrivateLink.
C.Set up AWS Site-to-Site VPN connections between the VPCs via the transit gateway.
D.Configure network ACLs to deny unencrypted traffic.
AnswerC

Site-to-Site VPN connections terminated on the transit gateway carry the inter-VPC traffic inside IPsec tunnels, so it is encrypted in transit.

Why this answer

Option C is correct because a Site-to-Site VPN connection attached to the transit gateway encrypts traffic with IPsec, so VPC-to-VPC traffic routed over those tunnels is encrypted in transit. The cost is throughput: each VPN tunnel is limited to 1.25 Gbps, so high-bandwidth paths need ECMP across several tunnels. Option A is wrong because VPC peering, like a plain transit gateway VPC attachment, forwards packets on the AWS network without adding any encryption. Option B is wrong because VPC endpoints and PrivateLink provide private access to AWS services or to a specific service endpoint; they are not a general encrypted path between two VPCs.

Option D is wrong because network ACLs are stateless packet filters that match on addresses, protocols and ports; they cannot tell encrypted from unencrypted payloads and do not encrypt anything.
