CCNA Security and Compliance Questions

35 of 260 questions · Page 4/4 · Security and Compliance · Answers revealed

226
Multi-Select · hard

A company has an AWS account with multiple IAM users. The security team wants to enforce that all users use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should the SysOps administrator take? (Choose THREE.)

Select 3 answers
A. Attach a service control policy (SCP) to the account to require MFA.
B. Enable MFA for each IAM user in the AWS Management Console.
C. Create an IAM policy that denies console access unless MFA is present.
D. Use AWS CloudTrail to monitor user logins and disable accounts without MFA.
E. Educate users on how to set up and use MFA devices.
Answers: B, C, E

MFA must be enabled per user.

Why this answer

Option B is correct because MFA must be enabled for each user. Option C is correct because IAM policies can require MFA for console access. Option E is correct because users need to know how to use MFA.

Option A is wrong because SCPs are for Organizations. Option D is wrong because CloudTrail does not enforce MFA.

227
MCQ · medium

A company has an S3 bucket that stores sensitive customer data. The security team requires that all access to the bucket be logged for auditing. The SysOps administrator enabled S3 server access logging and configured the logs to be delivered to a different S3 bucket in the same account. However, after a week, the log bucket is empty. What is the most likely cause?

A. The log bucket has no lifecycle policy.
B. The source bucket has an ACL that denies the log delivery service.
C. The log bucket has a bucket policy that denies access to the log delivery service.
D. The log bucket is in a different region.
Answer: C

Prevents log delivery.

Why this answer

Option C is correct because if the log delivery bucket has a bucket policy that denies access to the log delivery service, the logs will not be written. The S3 log delivery service uses a specific principal. Option B is wrong because the source bucket's ACLs are not the issue.

Option A is wrong because a missing lifecycle policy does not prevent log delivery. Option D is wrong because the question states the log bucket is in the same account, and nothing indicates it is in a different region.

228
MCQ · medium

A SysOps administrator is troubleshooting an issue where an IAM user can launch EC2 instances but cannot terminate them. The user's permissions are based on an IAM group policy. Which action should the administrator take to resolve this?

A. Attach a managed policy that includes ec2:TerminateInstances directly to the user
B. Add the user to a different IAM group that has the required permissions
C. Check the user's permissions boundary for any restrictions
D. Review and modify the IAM group policy to include the ec2:TerminateInstances action
Answer: D

The issue is likely that the group policy lacks the terminate action; modifying the group policy will resolve it for all users in the group.

Why this answer

The administrator should review the group policy to ensure it includes ec2:TerminateInstances. The issue is likely a missing action in the policy, not a service control policy (SCP) or session policy issue, and simply adding the user to a new group won't fix the underlying policy gap.

229
MCQ · hard

A company is using AWS CodePipeline to deploy a web application. The security team requires that all code changes be reviewed and approved before deployment to production. Which action should be taken to enforce this requirement?

A. Add a manual approval action in the CodePipeline pipeline before the production deployment stage.
B. Create an IAM policy that denies the codecommit:PutFile action unless the user is in a specific group.
C. Enable AWS CloudTrail and create a CloudWatch Events rule to notify the security team of any deployments.
D. Configure a CodeCommit repository to require pull requests for all changes.
Answer: A

This ensures that a designated approver must manually approve the deployment.

Why this answer

Option A is correct because adding a manual approval action in the CodePipeline pipeline before the production deployment stage enforces a required review and approval gate. This action pauses the pipeline at that point, waiting for an authorized user to manually approve the change before it proceeds to the production stage, directly meeting the security team's requirement.

Exam trap

The trap here is that candidates often confuse source-level controls (like pull request requirements or IAM policies) with pipeline-level approval gates, mistakenly thinking that preventing direct pushes or requiring pull requests alone satisfies the deployment approval requirement.

How to eliminate wrong answers

Option B is wrong because denying the codecommit:PutFile action prevents users from pushing code directly to the repository, but it does not enforce a review and approval process within the deployment pipeline; it only restricts write access. Option C is wrong because enabling CloudTrail and creating a CloudWatch Events rule only provides notification of deployments after they occur, not a pre-deployment approval gate. Option D is wrong because configuring a CodeCommit repository to require pull requests for all changes enforces code review at the source code level, but it does not add an approval step within the CodePipeline deployment pipeline itself.

230
MCQ · easy

A SysOps administrator needs to grant a developer access to view only the logs of a specific Amazon RDS instance. Which IAM action should be allowed?

A. rds:DownloadDBLogFilePortion
B. rds:DescribeDBInstances
C. rds:DescribeDBLogFiles
D. rds:DescribeEvents
Answer: C

This action lists log files for a DB instance.

Why this answer

Option C is correct because rds:DescribeDBLogFiles lists the available log files for an RDS instance. Option A is wrong because rds:DownloadDBLogFilePortion downloads log file contents rather than only viewing the list of logs. Option B is wrong because rds:DescribeDBInstances describes instance details, not logs.

Option D is wrong because rds:DescribeEvents describes events, not logs.

231
MCQ · easy

A SysOps administrator needs to provide a developer from another AWS account access to an S3 bucket in the administrator's account. The developer must be able to list objects and get objects from the bucket. The administrator does NOT want to share AWS access keys. Which solution meets these requirements?

A. Create an IAM user in the administrator's account and share the access key and secret key with the developer.
B. Attach a bucket policy to the S3 bucket that grants s3:ListBucket and s3:GetObject to the developer's IAM user ARN.
C. Generate pre-signed URLs for all objects and share them with the developer.
D. Grant the developer's AWS account root user access to the bucket using a bucket policy.
Answer: B

Cross-account access via bucket policy is secure and does not require sharing keys.

Why this answer

Option B is correct because an S3 bucket policy with a Principal ARN for the developer's IAM user grants cross-account access without sharing keys. Option A is wrong because sharing access keys is not recommended. Option C is wrong because pre-signed URLs are temporary and must be generated per object.

Option D is wrong because granting the developer's root user access is overly permissive and not secure.

232
Multi-Select · easy

A company needs to comply with PCI DSS requirements for its AWS environment. Which TWO services should the SysOps administrator use to automate compliance checks and generate reports? (Choose TWO.)

Select 2 answers
A. Amazon CloudWatch
B. AWS Config
C. AWS CloudTrail
D. AWS Trusted Advisor
E. AWS Audit Manager
Answers: B, E

Evaluates resource configurations against compliance rules.

Why this answer

Option B is correct because AWS Config rules can be used to check resource configurations against compliance standards. Option E is correct because AWS Audit Manager helps continuously audit and generate compliance reports. Option A is wrong because CloudWatch is for monitoring.

Option C is wrong because CloudTrail is for logging API calls. Option D is wrong because Trusted Advisor provides recommendations but not compliance automation.

233
MCQ · easy

An organization wants to centrally manage access to multiple AWS accounts in an AWS Organizations setup. Which AWS service should the SysOps administrator use to define and enforce fine-grained permissions across accounts?

A. AWS Config rules
B. Service control policies (SCPs)
C. IAM roles with cross-account trust policies
D. AWS Single Sign-On (SSO)
Answer: C

IAM roles allow fine-grained permissions and can be assumed across accounts.

Why this answer

Option C is correct because IAM roles can be used with AWS Organizations to allow cross-account access with fine-grained permissions. Option D is wrong because AWS SSO is for user federation and single sign-on, not for defining fine-grained permissions. Option B is wrong because SCPs provide coarse-grained guardrails.

Option A is wrong because AWS Config is for compliance and resource tracking.

234
Multi-Select · medium

A company has an S3 bucket that stores sensitive data. The security team requires that all access to the bucket be encrypted in transit. Which TWO actions should be taken to enforce this requirement? (Choose two.)

Select 2 answers
A. Enable default encryption (SSE-S3) on the bucket
B. Enable S3 Transfer Acceleration
C. Enable AWS CloudTrail to log all S3 API calls and set up a CloudWatch alarm for any HTTP access
D. Create an S3 bucket policy that denies s3:GetObject and s3:PutObject if the aws:SecureTransport condition is false
E. Use S3 VPC endpoints
Answers: C, D

CloudTrail logs can be used to detect HTTP requests.

Why this answer

Options C and D are correct. A bucket policy that denies requests without HTTPS ensures all access uses TLS. AWS CloudTrail can be used to monitor and detect HTTP requests, though it does not enforce.

Option A is incorrect because enabling default encryption does not enforce in-transit encryption. Option B is incorrect because S3 Transfer Acceleration does not enforce HTTPS; it uses TLS but does not prevent HTTP. Option E is incorrect because S3 endpoints support HTTPS, but the bucket policy is needed to enforce it.

235
MCQ · medium

A company has a VPC with a public and private subnet. The security team wants to restrict outbound traffic from EC2 instances in the private subnet to only allow traffic to an S3 bucket in the same account. Which of the following is the MOST secure way to achieve this?

A. Use an internet gateway and a route table that directs traffic to the internet gateway, and use network ACLs to allow only S3 IP ranges
B. Configure a NAT gateway in the public subnet and update the route table to send traffic to the NAT gateway, then use security groups to restrict outbound traffic
C. Use a VPC endpoint for S3 and attach a security group to the endpoint that allows only HTTPS traffic to the S3 prefix list
D. Create a gateway VPC endpoint for S3, attach a bucket policy that allows access only from the VPC endpoint, and use a VPC endpoint policy to restrict actions to the specific bucket
Answer: D

This ensures traffic stays within AWS and is restricted to the bucket.

Why this answer

Option D is correct because using a gateway VPC endpoint for S3 with a bucket policy that allows only the VPC's endpoint ID ensures that traffic can only come from within the VPC. Additionally, a VPC endpoint policy can restrict actions to the specific bucket. Option B is incorrect because NAT gateways allow all outbound traffic, not just to S3.

Option C is incorrect because security groups cannot filter based on S3 bucket names. Option A is incorrect because an internet gateway would allow general outbound traffic.

236
MCQ · hard

A company uses AWS Organizations and has multiple accounts. The security team requires that all Amazon S3 buckets across all accounts must be encrypted at rest with AWS KMS (SSE-KMS). The SysOps administrator needs to automatically detect non-compliant buckets and remediate them by enabling SSE-KMS. The solution must work across all existing and future accounts. Which AWS service should be used?

A. AWS Config with a managed rule and an automatic remediation action using AWS Systems Manager Automation.
B. AWS CloudTrail with a metric filter and Amazon CloudWatch alarm to trigger a Lambda function.
C. AWS Trusted Advisor to check S3 bucket encryption and send notifications.
D. Amazon Macie to discover sensitive data and then manually encrypt buckets.
Answer: A

AWS Config rules can evaluate resources for compliance. Automatic remediation can invoke a Systems Manager Automation document to enable SSE-KMS on non-compliant buckets. This can be applied organization-wide using AWS Config aggregators and StackSets.

Why this answer

AWS Config with the managed rule 's3-bucket-server-side-encryption-enabled' can evaluate all S3 buckets across accounts in an AWS Organization. When a non-compliant bucket is detected, an automatic remediation action using an AWS Systems Manager Automation document (e.g., 'AWS-EnableS3BucketEncryption') can enable SSE-KMS without manual intervention. This solution scales to existing and future accounts because AWS Config can be set up as an aggregator across the organization, and remediation actions apply automatically as new accounts are added.

Exam trap

The trap here is that candidates often confuse detection-only services (like Trusted Advisor or CloudTrail) with services that can both detect and automatically remediate, or they mistakenly think Macie handles encryption compliance when it actually focuses on data classification.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail with a metric filter and CloudWatch alarm only detects API calls (e.g., PutBucketEncryption) after they occur; it cannot proactively detect non-compliant buckets or automatically remediate them without a custom Lambda function, and it does not provide continuous compliance evaluation across all accounts. Option C is wrong because AWS Trusted Advisor checks S3 bucket encryption only for the root account or linked accounts in a support plan, but it does not support automatic remediation—it only sends notifications, and it cannot enforce encryption across all accounts in an organization. Option D is wrong because Amazon Macie is designed to discover sensitive data (e.g., PII) in S3 buckets, not to check or enforce encryption settings; it requires manual intervention to encrypt buckets and does not provide automated detection or remediation of non-compliant encryption.

237
MCQ · hard

A company manages multiple AWS accounts using AWS Organizations. The security team wants to restrict the use of Amazon EC2 instance types to only those that are approved for production workloads (e.g., m5.large, m5.xlarge). The policy should be applied to all member accounts in the organization, and it should prevent any non-approved instance type from being launched. The SysOps administrator should implement this with minimal operational overhead. Which solution should be used?

A. Create an IAM policy in each member account that denies ec2:RunInstances unless the instance type is in the approved list.
B. Create an AWS Organizations Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the approved list.
C. Use AWS Config with the managed rule 'ec2-instance-type-check' and an automatic remediation action that terminates non-compliant instances.
D. Use Amazon EventBridge to detect RunInstances API calls and invoke a Lambda function that terminates unapproved instances.
Answer: B

SCPs are applied at the organization or OU level and are inherited by all accounts. They provide preventive controls with minimal overhead.

Why this answer

Option B is correct because AWS Organizations Service Control Policies (SCPs) can centrally enforce restrictions across all member accounts without requiring per-account configuration. By creating an SCP that denies ec2:RunInstances when the instance type is not in the approved list, the security team can prevent non-approved EC2 instance types from being launched with minimal operational overhead, as SCPs are applied at the organization, OU, or account level and do not require managing IAM policies in each account.

Exam trap

The trap here is that candidates often confuse SCPs with IAM policies, thinking that SCPs grant permissions, but SCPs only act as a guardrail to restrict permissions, and they must be combined with appropriate IAM policies to allow actions; additionally, candidates may choose reactive solutions like AWS Config or EventBridge because they are familiar, but the question explicitly asks for a preventive control with minimal overhead.

How to eliminate wrong answers

Option A is wrong because creating an IAM policy in each member account introduces significant operational overhead, as it requires manual or automated deployment to every account, and IAM policies can be overridden by account administrators with full permissions, whereas SCPs provide a guardrail that cannot be bypassed by account-level IAM. Option C is wrong because AWS Config with the 'ec2-instance-type-check' rule is a detective control that only identifies non-compliant instances after launch, and automatic remediation via termination is reactive, not preventive, and can lead to resource churn and potential data loss; it also requires additional setup for remediation actions. Option D is wrong because using EventBridge to detect RunInstances API calls and invoking a Lambda function to terminate unapproved instances is a reactive, event-driven approach that still allows the instance to be launched momentarily, incurs additional cost and complexity, and does not prevent the API call from succeeding in the first place.

238
MCQ · medium

A company stores sensitive data in an S3 bucket. The security team requires that all objects uploaded to the bucket be encrypted at rest using an AWS KMS customer-managed key. Which S3 bucket policy statement should be added to enforce this requirement?

A. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"}}}
B. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"Null":{"s3:x-amz-server-side-encryption":"true"}}}
C. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"aws:kms"},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"true"}}}
D. {"Effect":"Deny","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}}}
Answer: C

This denies uploads that do not use SSE-KMS and also ensures the KMS key ID is present (though not specific key). However, to enforce a specific key, a condition on the key ID is needed. This statement is a common baseline.

Why this answer

Option C is correct because the condition 's3:x-amz-server-side-encryption-aws-kms-key-id' checks that the specific KMS key is used, and the condition 's3:x-amz-server-side-encryption' ensures encryption is enforced. Option A is wrong because it allows SSE-S3. Option B is wrong because it allows SSE-KMS but does not restrict to a specific key.

Option D is wrong because it denies all uploads without encryption, but does not require the specific KMS key.

239
MCQ · medium

A SysOps administrator needs to allow an IAM user to launch EC2 instances only in the us-east-1 region. The administrator creates a policy with a condition that uses the aws:RequestedRegion condition key. However, the user can still launch instances in other regions. What is the MOST likely reason?

A. The aws:RequestedRegion condition key is not supported for EC2
B. The condition key must be aws:Region instead of aws:RequestedRegion
C. The user has administrator access that overrides the policy
D. The policy does not include the ec2:RunInstances action with the condition
Answer: D

The policy may be missing the condition on the RunInstances action, or the condition key is not applied correctly.

Why this answer

Option D is correct because the ec2:RunInstances action is global; the aws:RequestedRegion condition works only for regional service endpoints. Some EC2 actions are global, and the condition may not apply. However, the primary reason is that the condition key aws:RequestedRegion is evaluated only for regional service calls; if the user uses a global endpoint, the condition might not match.

But more commonly, the policy might not include the condition for all EC2 actions. Option B is incorrect because the condition key is valid. Option C is incorrect because the policy can restrict to a region.

Option A is incorrect because the condition key is available.

240
MCQ · hard

A company uses AWS Organizations to manage multiple AWS accounts. The security team wants to restrict access to a specific AWS service (Amazon EC2) in all accounts except for the 'production' account. The SysOps administrator needs to implement this restriction centrally. Which approach should the administrator use?

A. Create an IAM policy that denies Amazon EC2 actions and attach it to all users and roles in non-production accounts.
B. Attach a service control policy (SCP) to the organization root or to the OUs of non-production accounts that denies access to Amazon EC2.
C. Use AWS Config to create a rule that detects EC2 usage in non-production accounts and automatically terminates instances.
D. Create a resource-based policy on each EC2 instance that denies access from non-production accounts.
Answer: B

SCPs are a centralized way to set permission boundaries for all accounts in the organization. By denying EC2 actions via SCP on non-production OUs, the restriction is enforced even for the root user of those accounts, and it applies to all IAM principals.

Why this answer

Service control policies (SCPs) are the correct mechanism for centrally restricting permissions across accounts in AWS Organizations. By attaching an SCP that denies EC2 actions to the organization root or to the OUs containing non-production accounts, the security team can enforce this restriction at the account level, overriding any IAM policies within those accounts. This approach ensures that even if a user or role in a non-production account has an IAM policy granting EC2 access, the SCP will block it.

Exam trap

The trap here is that candidates often confuse IAM policies (which are identity-based and account-specific) with SCPs (which are account-wide and centrally managed), leading them to choose Option A because they think attaching a deny policy to users is sufficient, but they overlook that SCPs provide the only centralized, preventive control across multiple accounts in AWS Organizations.

How to eliminate wrong answers

Option A is wrong because IAM policies attached to users and roles are not centrally managed across multiple accounts; they must be applied individually in each account, which is not a centralized solution and can be bypassed by local administrators. Option C is wrong because AWS Config is a detective service that can detect and react to EC2 usage (e.g., via auto-remediation), but it does not prevent the initial creation or use of EC2 resources; it only responds after the fact, which is not a preventive restriction. Option D is wrong because resource-based policies on EC2 instances control access to the instance itself (e.g., who can start/stop it), not the ability to launch or manage EC2 services in an account; they are also not centrally managed across accounts.

241
MCQ · easy

A company's security policy requires that only traffic from the corporate office IP range (203.0.113.0/24) can access an Amazon S3 bucket that stores internal reports. The SysOps administrator must enforce this restriction. Which policy type should be modified to implement this requirement?

A. IAM identity-based policy
B. VPC endpoint policy
C. S3 bucket policy
D. AWS Organizations SCP
Answer: C

S3 bucket policies can use a condition with aws:SourceIp to allow access only from specified IP ranges.

Why this answer

An S3 bucket policy is the correct choice because it allows you to explicitly deny or allow access to the S3 bucket based on the source IP address using the `aws:SourceIp` condition key. This policy is attached directly to the bucket and can restrict access to only the corporate office IP range (203.0.113.0/24), regardless of the IAM user or role making the request. It enforces the security requirement at the resource level, which is the most direct and effective method for controlling network-based access to an S3 bucket.

Exam trap

The trap here is that candidates often confuse IAM identity-based policies with resource-based policies, mistakenly thinking they can use IAM policies to restrict by source IP, when in fact only S3 bucket policies (or similar resource-based policies) support the `aws:SourceIp` condition for network-level access control.

How to eliminate wrong answers

Option A is wrong because IAM identity-based policies are attached to users, groups, or roles and control what actions those identities can perform, but they cannot restrict access based on the source IP address of the requestor; they lack the `aws:SourceIp` condition key for network-level control. Option B is wrong because a VPC endpoint policy controls access to S3 from a specific VPC endpoint, but it does not allow you to specify a source IP range like 203.0.113.0/24; it only restricts access based on the VPC or endpoint ID, not the client's IP address. Option D is wrong because AWS Organizations SCPs are used to set permission boundaries across accounts in an organization, but they cannot enforce IP-based restrictions on a specific S3 bucket; they operate at the account or organizational unit level, not at the resource level.

242
Multi-Select · medium

A company is using AWS KMS to encrypt data at rest. Which TWO actions can be taken to audit the usage of a customer managed key?

Select 2 answers
A. Enable AWS CloudTrail to log KMS API calls.
B. Enable Amazon S3 server access logs to track KMS operations.
C. Use IAM Access Analyzer to review KMS key policies.
D. Stream CloudTrail logs to Amazon CloudWatch Logs and create metric filters for KMS events.
E. Use AWS Config rules to monitor KMS key usage.
Answers: A, D

CloudTrail records all KMS API operations for auditing.

Why this answer

Correct options: A and D. Option A is correct because CloudTrail logs KMS API calls like Encrypt and Decrypt. Option D is correct because CloudWatch Logs can be used to store and monitor KMS API logs.

Option E is wrong because AWS Config does not track KMS key usage; it tracks configuration changes. Option C is wrong because IAM Access Analyzer identifies resources shared with external entities, not key usage. Option B is wrong because S3 server access logs are for S3 access, not KMS.

243
MCQ · medium

A SysOps administrator applies the IAM policy shown in the exhibit to an IAM user. The user tries to upload an object to the S3 bucket without specifying encryption. What will happen?

A. The upload succeeds without encryption.
B. The upload succeeds with SSE-KMS encryption.
C. The upload fails with an Access Denied error.
D. The upload succeeds with default encryption.
Answer: C

Condition not met.

Why this answer

Option C is correct because the policy requires SSE-S3 (AES256), and if the user does not specify encryption, the request does not satisfy the condition, so the action is denied. Option A is wrong because the condition is not met. Option B is wrong because the policy does not allow unencrypted uploads.

Option D is wrong because the condition is not met.

244
Multi-Select · hard

A company wants to use AWS WAF to protect a web application behind an Application Load Balancer. Which of the following can AWS WAF inspect? (Choose THREE.)

Select 3 answers
A. HTTP headers
B. Query string parameters
C. SSL certificate of the client
D. Request body of HTTPS requests
E. URI path
Answers: A, B, E

WAF can inspect headers like User-Agent.

Why this answer

AWS WAF can inspect HTTP headers (A), query string parameters (B), and URI paths (E). Option D is wrong because WAF does not inspect the body of HTTPS requests by default; it can inspect the body if the request is HTTP. Option C is wrong because WAF does not inspect SSL certificate details.

245
MCQ · hard

An application stores its RDS PostgreSQL credentials in AWS Secrets Manager. The security policy requires credentials to be rotated every 30 days automatically. During rotation, the application must continue to serve traffic with zero downtime. The application retrieves credentials by calling GetSecretValue at the start of each database connection. What must be configured to satisfy all requirements?

A. Enable automatic rotation in Secrets Manager with a 30-day schedule; use the AWS-provided Lambda rotation function for RDS PostgreSQL; ensure the application calls GetSecretValue per connection rather than caching credentials
B. Rotate credentials manually every 30 days by updating the secret value in the console and restarting the application
C. Create an EventBridge scheduled rule every 30 days that triggers a Lambda to generate a new RDS password and update both the database and the secret
D. Store credentials in an environment variable on the application's EC2 instance and rotate by updating the environment variable and reloading the application
Answer: A

The AWS-provided rotation Lambda handles the full four-step lifecycle. The 30-day rotation schedule triggers the Lambda automatically. Because the application fetches credentials fresh per connection, it starts using the new credentials immediately after AWSCURRENT switches, with no restart needed. Secrets Manager's rotation is designed for zero downtime — the new password is validated on the database before the old version is retired.

Why this answer

Option A is correct because AWS Secrets Manager's automatic rotation, combined with the AWS-provided Lambda rotation function for RDS PostgreSQL, ensures credentials are rotated every 30 days without manual intervention. The application's practice of calling GetSecretValue at the start of each database connection guarantees it always retrieves the current secret, avoiding stale credentials and achieving zero downtime during rotation.

Exam trap

The trap here is that candidates may think any automated rotation (like EventBridge + Lambda) suffices, but the question specifically tests the integration of Secrets Manager's native rotation with its versioning and staging labels to achieve zero downtime.

How to eliminate wrong answers

Option B is wrong because manual rotation every 30 days with a console update and application restart violates the zero-downtime requirement; restarting the application causes service interruption. Option C is wrong because while it implements rotation via EventBridge and Lambda, it does not use Secrets Manager's built-in rotation mechanism, missing the automatic version management and staging labels (AWSCURRENT, AWSPREVIOUS) that ensure seamless credential transition. Option D is wrong because storing credentials in an environment variable on EC2 and rotating by updating the variable and reloading the application introduces downtime and bypasses Secrets Manager's secure storage, auditing, and rotation capabilities.

246
Multi-Select · medium

A SysOps administrator is configuring CloudTrail to log all management events and data events for S3 buckets. Which of the following are true about CloudTrail logging? (Choose THREE.)

Select 3 answers
A. Data events for S3 are logged by default for all buckets
B. CloudTrail logs include the identity of the user who made the API call
C. Management events are logged by default
D. CloudTrail can log events for all AWS services automatically
E. CloudTrail can deliver log files to CloudWatch Logs for real-time analysis
Answers: B, C, E

CloudTrail records the IAM user or role that made the call.

Why this answer

Option A is wrong because S3 data events are not logged by default; they must be enabled explicitly and incur additional costs. Option C is correct because management events are logged by default. Option D is wrong because CloudTrail cannot log events across all AWS services automatically; data event logging must be configured per service.

Option B is correct because CloudTrail logs include the identity of the API caller. Option E is correct because logs can be delivered to CloudWatch Logs for real-time analysis.

247
MCQ · easy

A SysOps administrator is troubleshooting an issue where an IAM user cannot launch an EC2 instance. The user has a policy that allows ec2:RunInstances. What is the most likely cause of the failure?

A. The user does not have permissions for supporting actions like CreateNetworkInterface.
B. The user is not using multi-factor authentication (MFA).
C. The user does not have permission to use the KMS key for encryption.
D. The policy is attached to a group instead of the user.
Answer: A

Launching an instance requires permissions for multiple EC2 actions.

Why this answer

Option A is correct because launching an EC2 instance requires permissions for multiple actions beyond RunInstances, such as creating network interfaces, volumes, and so on. Option B is wrong because an MFA requirement would produce an explicit access-denied error, not a missing-permission failure. Option D is wrong because a policy attached to a group still applies to its member users; the policy allows the action, and the issue is the other required actions.

Option C is wrong because RunInstances does not require a KMS key unless encrypted volumes are specified.

248
MCQ · hard

An S3 bucket policy is shown in the exhibit. The AdminRole attempts to upload an object to my-bucket without specifying any server-side encryption header. What will happen?

A. The upload fails because the Allow statement requires encryption, but the Deny statement is evaluated first.
B. The upload succeeds because the Allow statement grants permission to the AdminRole.
C. The upload succeeds because the Deny statement does not apply to the AdminRole.
D. The upload fails because the Deny statement denies PutObject without encryption.
Answer: D

The Deny statement explicitly denies PutObject when encryption is not aws:kms.

Why this answer

Option D is correct. The Deny statement denies PutObject when the encryption header is not aws:kms. Since the request has no encryption header, it does not equal aws:kms, so the Deny applies and the upload fails.

The Allow statement permits the action only when encryption is aws:kms, so without an encryption header it does not apply. Because an explicit Deny overrides an Allow, the upload is denied. Option A is wrong because the Allow does not apply, and the outcome does not depend on the Deny being evaluated first.

Option B is wrong because the Deny applies. Option C is wrong because the Deny applies to the AdminRole like any other principal; it does not depend on the Allow.

249
MCQ · medium

A company wants to provide temporary access to an S3 bucket for a third-party vendor. The vendor needs to upload files for one hour. Which approach should be used?

A. Create an IAM role and allow the vendor to assume it using their AWS account.
B. Create an IAM user with programmatic access and share the credentials with the vendor.
C. Create an S3 bucket policy that allows the vendor's IP address for one hour.
D. Generate a presigned URL for the S3 bucket that expires in one hour.
Answer: D

Presigned URLs provide temporary access to put objects in S3.

Why this answer

Option D is correct because presigned URLs can grant temporary access to a specific S3 object for a limited time. Option C is wrong because a bucket policy with a condition on the source IP would provide permanent access rather than access for one hour. Option B is wrong because creating an IAM user for the vendor issues a long-term credential.

Option A is wrong because cross-account roles require the vendor to have an AWS account.

250
Multi-Select · hard

A company wants to audit all AWS account activity for compliance. Which THREE AWS services should be used together to achieve this? (Choose three.)

Select 3 answers
A. Amazon CloudWatch Logs
B. AWS Config
C. AWS Trusted Advisor
D. Amazon GuardDuty
E. AWS CloudTrail
Answers: A, B, E

Stores and monitors log files.

Why this answer

Options A, B, and E are correct. AWS CloudTrail records API activity, Amazon CloudWatch Logs can store logs, and AWS Config tracks resource configuration changes. Option C is incorrect because AWS Trusted Advisor is for recommendations, not auditing.

Option D is incorrect because Amazon GuardDuty is for threat detection.

251
MCQ · medium

Refer to the exhibit. An IAM user has this policy attached. The user tries to start an EC2 instance that has no tags. What will happen?

A. The user will be allowed because the condition only applies if the tag exists
B. The user will be allowed because the resource ARN includes a wildcard
C. The user will be allowed because the policy does not explicitly deny the action
D. The user will be denied because the instance does not have the required tag
Answer: D

Condition requires the tag to be present and equal to 'Production'.

Why this answer

Option D is correct because the policy allows actions only on instances with the tag Environment=Production. Since the instance has no tags, the condition is not met, and the action is not allowed. The user will be denied.

Option A is incorrect because the condition uses StringEquals, which requires the tag to exist and match. Option B is incorrect because the wildcard in the resource ARN does not allow all instances; the condition still applies. Option C is incorrect because without the tag the condition fails, so the action is not allowed, which results in an implicit deny.

252
MCQ · easy

A company is using Amazon RDS for MySQL and needs to encrypt data at rest. Which action should be taken to enable encryption?

A. Use the RDS console to enable encryption on the existing DB instance.
B. Use AWS KMS to create a customer master key and assign it to the existing DB instance.
C. Modify the existing RDS DB instance and enable encryption.
D. Create a new RDS DB instance with encryption enabled.
Answer: D

Encryption can only be enabled when the DB instance is created.

Why this answer

Amazon RDS for MySQL does not support enabling encryption on an existing DB instance. Encryption at rest must be enabled at the time of instance creation. Therefore, the correct action is to create a new RDS DB instance with encryption enabled, and then migrate the data from the unencrypted instance to the new encrypted one.

Exam trap

The trap here is that candidates assume encryption can be toggled on an existing RDS instance via a modification, similar to enabling encryption on an EBS volume, but RDS requires encryption to be set at launch and cannot be added later.

How to eliminate wrong answers

Option A is wrong because the RDS console does not allow enabling encryption on an existing DB instance; encryption can only be enabled during creation. Option B is wrong because while AWS KMS customer master keys are used for RDS encryption, you cannot assign a KMS key to an existing unencrypted DB instance; encryption must be enabled at launch. Option C is wrong because modifying an existing RDS DB instance does not support enabling encryption; the 'Modify' action does not include an encryption toggle for existing instances.

253
MCQ · hard

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application stores sensitive data in an S3 bucket. The security team has mandated that all data in transit to the S3 bucket must be encrypted using TLS. The SysOps administrator configured the application to use HTTPS endpoints for S3. However, a security audit reveals that some requests to S3 are still being sent over HTTP. The administrator checks the VPC Flow Logs and sees that the EC2 instances are communicating with the S3 bucket via a VPC endpoint. The company also uses an S3 bucket policy that allows access only from the VPC endpoint. What is the most likely reason that some requests are sent over HTTP?

A. The VPC endpoint is not encrypting traffic between the instances and the endpoint.
B. The VPC endpoint is configured for HTTP instead of HTTPS.
C. The S3 bucket policy does not require HTTPS for requests.
D. The application is not configured to use HTTPS for all S3 requests.
Answer: D

The application must use HTTPS endpoints; otherwise, traffic is HTTP.

Why this answer

Option D is correct because a VPC endpoint for S3 only carries the AWS API calls; encryption in transit (HTTPS) is handled at the application level, not by the endpoint. If the application does not use HTTPS for every request, that traffic is plain HTTP. Option C is wrong because the bucket policy does not enforce encryption in transit; it can reject HTTP requests, but it is not what causes the application to send them.

Option B is wrong because the endpoint is a route to S3 and has no HTTP or HTTPS setting; it is not a mechanism for enforcing encryption. Option A is wrong because the VPC endpoint does not automatically encrypt traffic, so its not doing so is not the cause.

254
MCQ · easy

A company's security team requires that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. The SysOps administrator needs to create an IAM policy that denies all console actions if the user has not authenticated with MFA. Which IAM condition key should the administrator use?

A. aws:MultiFactorAuthPresent
B. aws:SourceIp
C. iam:PassedToService
D. aws:RequestedRegion
Answer: A

This condition key returns true if the user authenticated with MFA. It is the correct key to use in an IAM policy to require MFA for console access.

Why this answer

Option A is correct because the `aws:MultiFactorAuthPresent` condition key evaluates to `true` when the user has authenticated using MFA. By using this key in a `Deny` statement, the policy can block all console actions unless MFA is present, enforcing the security team's requirement.

Exam trap

The trap here is that candidates confuse `aws:MultiFactorAuthPresent` with `aws:MultiFactorAuthAge` (which checks how long ago MFA was used) or assume `SourceIp` can enforce MFA, but only the `MultiFactorAuthPresent` key directly evaluates MFA status for console access.

How to eliminate wrong answers

Option B is wrong because `aws:SourceIp` is used to restrict access based on the user's IP address, not MFA status. Option C is wrong because `iam:PassedToService` is used to control which roles can be passed to AWS services, not for MFA enforcement. Option D is wrong because `aws:RequestedRegion` restricts actions to specific AWS regions, not MFA authentication.

255
MCQ · hard

Refer to the exhibit. A SysOps administrator applies this bucket policy to an S3 bucket. What is the effect of this policy?

A. Allows all requests regardless of encryption.
B. Denies all requests to the bucket.
C. Denies access to the bucket from any IP other than the VPC.
D. Allows all HTTPS requests and denies HTTP requests.
Answer: D

The policy denies HTTP; HTTPS requests are not affected by it.

Why this answer

Option D is correct because the policy denies all S3 actions on objects when the request is not using HTTPS (aws:SecureTransport is false). Requests over HTTP are denied. Option A is wrong because the policy does not allow every request: HTTP requests are explicitly denied, while HTTPS requests are simply not blocked by this policy (it contains no Allow statement, so HTTPS access depends on the principal's other permissions).

Option B is wrong because the policy only denies when SecureTransport is false, not always. Option C is wrong because the condition is on secure transport, not on source IP or VPC. Note also that the policy covers only object-level operations, not bucket-level operations, because the resource is bucket/*.

256
MCQ · medium

A company wants to allow its DevOps team to launch EC2 instances using a specific AMI ID and only in a particular VPC. Which IAM policy should be used?

A. {"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringNotEquals":{"ec2:Vpc":"vpc-12345678"},"StringNotEquals":{"ec2:ImageId":"ami-12345678"}}}
B. {"Effect":"Allow","Action":"ec2:RunInstances","Resource":"arn:aws:ec2:region::image/ami-12345678"}
C. {"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringEquals":{"ec2:Vpc":"vpc-12345678","ec2:ImageId":"ami-12345678"}}}
D. {"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringEquals":{"ec2:Vpc":"vpc-12345678"}}}
Answer: C

This allows RunInstances only when both the VPC and AMI match the specified values.

Why this answer

Option C is correct because it uses the condition keys ec2:Vpc and ec2:ImageId to restrict the RunInstances action to the specified VPC and AMI. Option D is wrong because it only restricts the VPC, not the AMI. Option B is wrong because it restricts the AMI but not the VPC.

Option A is wrong because it uses a Deny statement that would block all launches not matching both conditions, which may be too restrictive for other allowed actions.

257
MCQ · hard

A company has a VPC with public and private subnets. The private subnets contain RDS databases that should not be accessible from the internet. Which configuration ensures that the databases are only accessible from the application servers in the public subnets?

A. Attach an internet gateway to the VPC and route the private subnet's traffic to it.
B. Attach a NAT gateway to the private subnet and route traffic through it.
C. Configure a network ACL on the private subnet to allow inbound traffic from the public subnet CIDR.
D. Create a security group for the RDS instances that allows inbound traffic from the security group attached to the application servers.
Answer: D

Security groups can reference other security groups, allowing traffic only from instances with that security group.

Why this answer

Option D is correct because security groups act as a virtual firewall at the instance level, and you can reference another security group as a source. By creating a security group for the RDS instances that allows inbound traffic from the security group attached to the application servers, you ensure that only those application servers (regardless of their IP addresses) can reach the databases. This approach is more dynamic and secure than using CIDR-based rules, as it automatically accommodates changes in the application servers' IP addresses or scaling events.

Exam trap

The trap here is that candidates often confuse security groups with network ACLs, assuming that a network ACL rule allowing inbound traffic from the public subnet CIDR is sufficient, but they overlook that network ACLs are stateless and do not provide the same granular, instance-level control as security groups, nor do they automatically adapt to changes in application server IPs.

How to eliminate wrong answers

Option A is wrong because attaching an internet gateway to the VPC and routing private subnet traffic to it would expose the RDS databases to the internet, violating the requirement that they should not be accessible from the internet. Option B is wrong because a NAT gateway is used to allow outbound internet traffic from private subnets, not to control inbound access; it would not restrict inbound traffic to only the application servers. Option C is wrong because a network ACL is stateless and requires explicit allow rules for both inbound and outbound traffic; while it could allow inbound traffic from the public subnet CIDR, it would not restrict access to only the application servers (any instance in that CIDR range could connect), and it would not automatically adapt to changes in application server IPs.

258
MCQ · hard

A company's security team notices that an IAM user has been making unauthorized API calls from an IP address outside the company's VPN. The team wants to immediately block all API calls from that specific IP address for all users. Which action should be taken?

A. Create a new IAM policy that denies access from the IP address and attach it to all users.
B. Create an IAM policy that denies access from the IP address and attach it to the organization root.
C. Create a service control policy (SCP) that denies access from the IP address and attach it to the root organizational unit.
D. Create a service control policy (SCP) that denies access from the IP address and attach it to the IAM user.
Answer: C

This blocks the IP for all accounts in the organization, including existing and new accounts.

Why this answer

Option C is correct because an SCP applied at the root organizational unit can deny access based on source IP for all accounts in the organization, including accounts added later. Option A is wrong because an IAM policy attached to every user applies only within that one account and must be reattached as users are added; it is not an organization-wide control. Option D is wrong because a service control policy cannot be attached to an IAM user directly.

Option B is wrong because IAM policies can only be attached to users, groups, or roles, not to an organization root.

259
MCQ · easy

An organization wants to ensure that no Amazon S3 bucket in the entire AWS Organization can be made public. The security team requires a preventive control that cannot be overridden by individual account administrators. Which AWS service or feature should be used?

A. Create a Service Control Policy (SCP) in AWS Organizations that denies permissions to modify S3 bucket public access settings.
B. Enable AWS Config rules in each account to detect public S3 buckets and automatically remediate them using AWS Lambda.
C. Use an IAM policy attached to all IAM users in each account that denies s3:PutBucketPolicy.
D. Apply Amazon S3 Block Public Access at the account level in each individual AWS account.
Answer: A

SCPs are applied at the organization or OU level and cannot be overridden by account administrators. They can explicitly deny actions that would make buckets public, providing a preventive control across all accounts.

Why this answer

A Service Control Policy (SCP) in AWS Organizations is a preventive guardrail that applies to all accounts within the organization. It can explicitly deny actions like s3:PutBucketPublicAccessBlock, s3:PutBucketPolicy, and s3:PutObjectAcl, preventing any principal (including root users) from making S3 buckets public. Unlike detective or account-level controls, SCPs cannot be overridden by individual account administrators, meeting the requirement for a non-overridable preventive control.

Exam trap

The trap here is that candidates often choose account-level S3 Block Public Access (Option D) because it seems like a direct preventive control, but they overlook that it can be overridden by account administrators, whereas an SCP is a centralized, non-overridable guardrail that applies across the entire AWS Organization.

How to eliminate wrong answers

Option B is wrong because AWS Config rules are detective and reactive, not preventive; they detect public buckets after the fact and can auto-remediate, but they do not block the initial action and can be overridden by account administrators. Option C is wrong because IAM policies attached to users do not apply to the root user or to services running with assumed roles, and they can be modified by account administrators, so they are not a non-overridable preventive control across the entire organization. Option D is wrong because S3 Block Public Access at the account level can be disabled or modified by any user with the necessary permissions (including account administrators), so it does not provide a centrally enforced, non-overridable control.

260
Multi-Select · medium

A company has an S3 bucket that stores sensitive data. The security team requires that all data be encrypted at rest and that all access be logged. Which TWO actions should the SysOps administrator take to meet these requirements? (Choose TWO.)

Select 2 answers
A. Enable S3 Transfer Acceleration.
B. Enable S3 Replication to replicate objects to another bucket.
C. Enable default encryption on the S3 bucket.
D. Enable S3 Object Lock.
E. Enable S3 server access logs.
Answers: C, E

Default encryption ensures all objects are encrypted at rest.

Why this answer

Option C is correct: enabling default encryption ensures objects are encrypted with SSE-S3 or SSE-KMS. Option E is correct: enabling S3 server access logs records all requests to the bucket. Option B is wrong because S3 Replication does not provide encryption.

Option A is wrong because S3 Transfer Acceleration is about speed, not security. Option D is wrong because S3 Object Lock is for write-once-read-many (WORM) protection, not encryption or logging.
