CCNA Soa Security Compliance Questions

75 of 260 questions · Page 1/4 · Soa Security Compliance topic · Answers revealed

1
MCQ · medium

A SysOps administrator is investigating why an EC2 instance cannot access an S3 bucket using an IAM role. The instance has an associated IAM role with a policy that allows s3:GetObject on the bucket. The bucket policy also allows access from the role. However, the instance's application still gets access denied. What is the most likely cause?

A. The IAM role does not have s3:ListBucket permission
B. The IAM role is not associated with the instance profile used by the EC2 instance
C. The bucket policy explicitly denies access to the role
D. The S3 bucket is in a different region, requiring a VPC endpoint
Answer: B

If the role is not attached to the instance profile, the instance cannot assume the role and will not have permissions.

Why this answer

The instance profile must be correctly attached to the EC2 instance. Option B is correct because if the role is not associated with the instance profile, the instance cannot obtain the role's credentials. Option D is wrong because an S3 endpoint is not required for access over the internet.

Option C is wrong because the bucket policy allows the role. Option A is wrong because the role already has the GetObject permission.

2
MCQ · medium

A company has the following S3 bucket policy attached to a bucket named 'example-bucket'. A user is unable to download an object from the bucket using an HTTP URL (not HTTPS). What is the cause?

A. The bucket policy does not allow GetObject for anonymous users.
B. The Deny statement blocks all S3 actions when the request is not using HTTPS.
C. The bucket policy requires server-side encryption for all requests.
D. The Deny statement only applies to PutObject, not GetObject.
Answer: B

Deny overrides Allow when condition is met.

Why this answer

Option B is correct because the first statement denies all s3:* actions when aws:SecureTransport is false (i.e., the request uses HTTP). The second statement allows GetObject to everyone, but the explicit Deny takes precedence. Option C is wrong because the bucket policy does not require SSE.

Option A is wrong because the policy allows GetObject to everyone. Option D is wrong because the Deny covers all S3 actions, not just PutObject.

3
Multi-Select · easy

A company wants to audit all API calls made in their AWS account for security analysis. They need to record both management events and data events. Which THREE steps should be taken to set up comprehensive logging? (Choose THREE.)

Select 3 answers
A. Enable AWS CloudTrail to record data events for S3 and Lambda.
B. Enable AWS CloudTrail to record management events.
C. Enable VPC Flow Logs to capture API call metadata.
D. Send the log files to Amazon CloudWatch Logs for real-time analysis.
E. Configure the trail to deliver log files to an S3 bucket.
Answers: A, B, E

Data events must be explicitly enabled.

Why this answer

Option B is correct: CloudTrail records management events by default. Option A is correct: to capture data events, you must enable them explicitly in the trail. Option E is correct: delivering log files to an S3 bucket is the standard storage location.

Option D is wrong because CloudWatch Logs is for log monitoring, not recording. Option C is wrong because VPC Flow Logs capture network traffic, not API calls.

4
MCQ · medium

A company's security team requires that all Amazon S3 buckets are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any S3 bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

A. Use AWS Trusted Advisor to identify unencrypted buckets and then manually enable encryption.
B. Use AWS Config managed rule 's3-bucket-server-side-encryption-enabled' with an automatic remediation action using AWS Systems Manager Automation.
C. Use AWS CloudTrail to detect PutBucket operations and trigger a Lambda function that enables encryption.
D. Create an IAM bucket policy that denies any PutObject request that does not include x-amz-server-side-encryption header.
Answer: B

AWS Config evaluates compliance and can trigger a Systems Manager Automation document that enables default encryption on the bucket automatically.

Why this answer

Option B is correct because AWS Config's managed rule 's3-bucket-server-side-encryption-enabled' continuously evaluates S3 buckets for encryption compliance, and its automatic remediation action can invoke an AWS Systems Manager Automation document to enable SSE-S3 encryption on noncompliant buckets without custom code. This fully meets the requirement to automatically detect and remediate unencrypted buckets using AWS managed services.

Exam trap

The trap here is that candidates often confuse enforcing encryption on object uploads (via bucket policies or CloudTrail/Lambda) with ensuring the bucket's default encryption setting is enabled, which is what AWS Config's managed rule and remediation specifically address.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor only provides a manual check and recommendation; it cannot automatically apply encryption, and the requirement specifies automatic detection and remediation. Option C is wrong because AWS CloudTrail logs PutBucket operations but does not detect existing unencrypted buckets, and using a Lambda function introduces custom code, which the solution should minimize. Option D is wrong because an IAM bucket policy that denies PutObject requests without the encryption header only enforces encryption on new object uploads, not on the bucket's default encryption setting, and does not detect or remediate existing unencrypted buckets.

5
MCQ · easy

A company has a fleet of EC2 instances in an Auto Scaling group behind an Application Load Balancer. The security team requires that all traffic to the instances be encrypted in transit. Currently, the ALB terminates HTTPS and forwards HTTP to the instances. The security team wants to ensure that the traffic between the ALB and the instances is also encrypted. What should the SysOps administrator do to meet this requirement with minimal changes?

A. Replace the ALB with a Network Load Balancer and use TLS termination on the instances.
B. Place a CloudFront distribution in front of the ALB and use HTTPS for all origins.
C. Set up a VPN connection between the ALB and the instances.
D. Change the ALB listener to use HTTPS and configure the target group to use HTTPS with a self-signed certificate on the instances.
Answer: D

Encrypts traffic between ALB and instances.

Why this answer

Option D is correct because an HTTPS listener on the ALB can forward to a target group that uses the HTTPS protocol, so the traffic between the ALB and the instances is encrypted. Option A is wrong because, although an NLB can handle TLS, replacing the ALB requires more configuration than the requirement allows. Option B is wrong because CloudFront adds complexity.

Option C is wrong because a VPN is not needed.

6
MCQ · easy

A company is using AWS KMS to encrypt data at rest in S3. The security team wants to ensure that encryption keys are automatically rotated annually. Which type of KMS key should be used?

A. Use an asymmetric KMS key
B. Use a custom key store (CloudHSM)
C. Use an AWS managed key
D. Use a customer managed key with imported key material
Answer: C

AWS managed keys are automatically rotated every year.

Why this answer

AWS managed KMS keys (AWS managed keys) are automatically rotated every year (365 days) with no action required from the customer. This satisfies the security team's requirement for annual automatic key rotation without any manual intervention or additional configuration.

Exam trap

The trap here is that candidates often assume customer managed keys (with AWS generated material) also support automatic rotation, but the question specifically requires annual rotation without manual effort, and only AWS managed keys provide this by default without any setup.

How to eliminate wrong answers

Option A is wrong because asymmetric KMS keys do not support automatic key rotation; they are designed for encrypt/decrypt or sign/verify operations outside of AWS and must be manually rotated. Option B is wrong because a custom key store backed by CloudHSM does not support automatic key rotation; you must manage key rotation manually within the CloudHSM cluster. Option D is wrong because customer managed keys with imported key material do not support automatic rotation; AWS cannot rotate key material that was imported from an external source.

7
Multi-Select · medium

A SysOps administrator needs to restrict access to an S3 bucket so that only users from the corporate network IP range (203.0.113.0/24) can read objects. Which TWO elements are required to implement this? (Choose two.)

Select 2 answers
A. An IAM policy that allows s3:GetObject from the corporate IP
B. Amazon CloudFront distribution with an origin access identity
C. The S3 endpoint URL (s3.amazonaws.com) accessible from the corporate network
D. An S3 bucket policy with a condition that uses aws:SourceIp
E. A VPC gateway endpoint for S3
Answers: C, D

Users must be able to reach the S3 endpoint.

Why this answer

Options C and D are correct. A bucket policy can use the aws:SourceIp condition to restrict access to the corporate IP range. Additionally, if the users access the bucket over the internet, they must be able to reach the S3 endpoint.

Option E is incorrect because VPC endpoints provide private connectivity, and the condition used in the policy would be different. Option A is incorrect because IAM policies grant user permissions; they are not the mechanism for the IP restriction. Option B is incorrect because CloudFront is a CDN and is not required.

8
MCQ · hard

Refer to the exhibit. An IAM policy allows running instances. A user attempts to launch a t2.micro instance with a 20 GiB gp2 volume and an additional 100 GiB io1 volume. What will happen?

A. The launch succeeds
B. The launch fails because the policy does not allow creating volumes over 100 GiB
C. The launch fails because the condition does not allow any volume
D. The launch fails because the io1 volume is not allowed
Answer: A

The instance type is t2.micro as required, and volumes are allowed.

Why this answer

The policy allows running t2.micro instances (first statement) and creating volumes (second statement) without restriction on volume type or size. However, the condition on the instance resource only restricts the instance type to t2.micro; the volume resource has no condition. Therefore, both volumes are allowed.

The instance launch succeeds. Option A is correct. Options B, C, D are incorrect.

9
MCQ · easy

A company stores sensitive data in an RDS database. Which AWS service should be used to encrypt the database at rest?

A. AWS Certificate Manager (ACM)
B. AWS Identity and Access Management (IAM)
C. AWS Key Management Service (KMS)
D. AWS CloudHSM
Answer: C

KMS manages encryption keys for RDS.

Why this answer

Option C is correct because AWS KMS provides the encryption keys used for RDS encryption at rest. Option A is wrong because ACM provides SSL/TLS certificates. Option D is wrong because CloudHSM is a hardware security module, not the primary service for RDS encryption.

Option B is wrong because IAM manages identities and permissions.

10
MCQ · medium

A company requires that all users in an AWS account must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to implement this requirement using IAM policies. Which IAM policy condition key should be used to enforce MFA?

A. aws:SourceIp
B. aws:MultiFactorAuthPresent
C. aws:RequestedRegion
D. iam:PassedToService
Answer: B

This condition key checks if the requester authenticated with an MFA device. It can be used to require MFA for specific actions.

Why this answer

The `aws:MultiFactorAuthPresent` condition key checks whether the user authenticated using a valid MFA device before making the API request. By setting this condition to `true` in an IAM policy, you can enforce that all actions on EC2 instances require MFA authentication, meeting the company's requirement.

Exam trap

The trap here is that candidates often confuse `aws:MultiFactorAuthPresent` with `aws:SourceIp` or `iam:PassedToService`, thinking IP-based or role-passing conditions can enforce MFA, but only the MFA-specific condition key directly checks authentication strength.

How to eliminate wrong answers

Option A is wrong because `aws:SourceIp` restricts access based on the source IP address, not MFA status. Option C is wrong because `aws:RequestedRegion` limits actions to specific AWS regions, not MFA enforcement. Option D is wrong because `iam:PassedToService` controls which roles can be passed to AWS services, not MFA authentication.

11
MCQ · medium

A company uses Amazon S3 to store sensitive customer data. A SysOps administrator needs to ensure that any S3 bucket that is incorrectly configured to allow public read access is automatically remediated within five minutes. The administrator wants to use native AWS services with minimal custom code. Which solution should be used?

A. Use AWS Config with the 's3-bucket-public-read-prohibited' managed rule and configure automatic remediation to block public access.
B. Create an Amazon EventBridge (CloudWatch Events) rule that triggers an AWS Lambda function to check and fix public read access.
C. Apply an S3 bucket policy to each bucket that denies public read access.
D. Use AWS Trusted Advisor to check for public read access and manually remediate when notified.
Answer: A

AWS Config continuously evaluates bucket configurations and can automatically remediate noncompliant buckets using pre-built automation.

Why this answer

AWS Config with the 's3-bucket-public-read-prohibited' managed rule can automatically evaluate S3 bucket configurations against the desired state. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action (e.g., applying an S3 bucket policy or blocking public access) using AWS Systems Manager Automation documents, all within the required five-minute window and with minimal custom code.

Exam trap

The trap here is that candidates often choose EventBridge + Lambda (Option B) because it seems more flexible, but they overlook the 'minimal custom code' constraint and the fact that AWS Config's managed rule with automatic remediation is a fully native, code-free solution.

How to eliminate wrong answers

Option B is wrong because while EventBridge and Lambda can achieve the goal, they require custom code (Lambda function) and manual setup, which contradicts the 'minimal custom code' requirement. Option C is wrong because applying a bucket policy to each bucket is a manual, one-time action that does not provide automatic detection and remediation of newly created or misconfigured buckets. Option D is wrong because Trusted Advisor provides only manual checks and notifications; it cannot automatically remediate misconfigurations, and relying on manual remediation violates the 'automatically remediated within five minutes' requirement.

12
MCQ · hard

A company has an S3 bucket configured to log all access requests to another bucket. The security team notices that some delete requests are not being logged. What is the most likely cause?

A. The delete requests were made through AWS CloudTrail, which bypasses S3 access logging
B. The bucket policy denies logging of delete requests
C. The bucket has MFA Delete enabled, and the logging configuration does not capture MFA delete requests
D. S3 server access logs do not capture DELETE requests
Answer: C

MFA Delete requests may not be logged by S3 server access logs if the logging configuration is not set up to capture them.

Why this answer

S3 server access logs capture requests made to a bucket, including delete requests. Entries can still be missing for other reasons, for example when the deletion is performed through AWS Systems Manager or AWS CloudTrail and the logging bucket has a lifecycle policy that deletes log files before they are reviewed. The most common reason for missing delete entries, however, is that the requester used the S3 console with MFA Delete enabled, which requires additional authentication and might not be logged if the logging bucket itself has a policy that denies logging of MFA delete requests.

The question asks for the most likely cause. Option C is correct because if MFA Delete is enabled on the bucket, delete requests require MFA, and S3 server access logs might not capture these requests if the logging configuration does not support it. Option A is wrong because AWS CloudTrail logs API calls, including delete requests; those entries would appear in CloudTrail rather than being missing from the S3 logs.

Option D is wrong because S3 server access logs do capture delete requests. Option B is wrong because bucket policies do not prevent logging; they might deny access, but a denied request is still logged.

13
Multi-Select · medium

An organization needs to encrypt data in transit between an Amazon EC2 instance and an Application Load Balancer (ALB). Which THREE actions should be taken?

Select 3 answers
A. Enable encryption at rest on the EC2 instance's EBS volumes.
B. Ensure the EC2 instance has a valid SSL/TLS certificate installed.
C. Configure the security group to allow only encrypted traffic.
D. Configure the ALB listener to use HTTPS protocol.
E. Install an SSL/TLS certificate on the Application Load Balancer.
Answers: B, D, E

Required if ALB forwards traffic over HTTPS to the instance.

Why this answer

Correct options: B, D, E. Option E is correct because the ALB must have an SSL/TLS certificate to terminate HTTPS. Option D is correct because the ALB should use an HTTPS listener.

Option B is correct because if the ALB is configured to forward traffic to the instance over HTTPS, the instance must have a certificate to support HTTPS. Option C is wrong because security group rules do not encrypt traffic; they only allow or deny it. Option A is wrong because EBS encryption covers data at rest; encrypting traffic on the EC2 instance is not automatic and requires application configuration.

14
MCQ · medium

A company requires all S3 uploads to use server-side encryption with a specific customer managed KMS key. What is the most direct enforcement mechanism?

A. Add a bucket policy that denies PutObject unless the required SSE-KMS headers and key ID are present.
B. Enable S3 versioning only.
C. Enable S3 Transfer Acceleration.
D. Create an IAM user for every uploader with console access.
Answer: A

This enforces encryption requirements at write time.

Why this answer

Option A is correct because a bucket policy with a condition that denies `s3:PutObject` unless the required `x-amz-server-side-encryption` header is set to `aws:kms` and the `x-amz-server-side-encryption-aws-kms-key-id` header matches the specific customer managed KMS key ARN is the most direct enforcement mechanism. This policy-based approach ensures that any upload attempt lacking the required SSE-KMS headers and key ID is rejected at the S3 API level, regardless of the IAM permissions of the uploader.

Exam trap

The trap here is that candidates often confuse IAM permissions with bucket policy conditions, assuming that IAM policies alone can enforce encryption headers, when in fact only a bucket policy with the appropriate condition keys can directly deny uploads that lack the required encryption headers.

How to eliminate wrong answers

Option B is wrong because enabling S3 versioning only preserves object versions but does not enforce any encryption requirements on uploads. Option C is wrong because S3 Transfer Acceleration speeds up uploads over long distances but has no effect on encryption enforcement. Option D is wrong because creating an IAM user for every uploader with console access does not enforce server-side encryption; it only provides authentication and does not mandate the use of a specific KMS key or encryption headers.

15
MCQ · easy

A company wants to allow an external auditor to assume an IAM role in their AWS account to review resources. What is the minimum information the auditor needs from the company to do this?

A. The Amazon Resource Name (ARN) of the IAM role to assume.
B. The IAM user name and password of the company's admin user.
C. The IAM policy document that grants the auditor access.
D. The AWS account ID and the region where resources are hosted.
Answer: A

The role ARN is necessary for the auditor's account to assume the role.

Why this answer

Option A is correct because the auditor needs the role ARN to assume the role. Option B is wrong because an IAM user name and password are for direct access, not role assumption. Option D is wrong because the account ID alone is insufficient.

Option C is wrong because the IAM policy document is not needed; the auditor's own account must have permission to assume the role.

16
MCQ · medium

An organization requires that all Amazon S3 buckets be encrypted at rest by default. A SysOps administrator needs to enforce this using AWS Config. Which AWS Config managed rule should be used?

A. s3-bucket-encryption-enabled
B. s3-bucket-ssl-requests-only
C. s3-bucket-public-read-prohibited
D. s3-bucket-logging-enabled
Answer: A

This rule evaluates whether default encryption is configured on the bucket, meeting the requirement for encryption at rest.

Why this answer

The AWS Config managed rule `s3-bucket-encryption-enabled` checks whether S3 buckets have default encryption enabled (SSE-S3, SSE-KMS, or SSE-C). This directly enforces the requirement that all buckets are encrypted at rest by default, as it evaluates each bucket's encryption configuration and flags non-compliant resources.

Exam trap

The trap here is that candidates often confuse encryption in transit (SSL/TLS) with encryption at rest, leading them to select `s3-bucket-ssl-requests-only` instead of the correct rule for default encryption.

How to eliminate wrong answers

Option B is wrong because `s3-bucket-ssl-requests-only` enforces that bucket policies deny HTTP requests, not encryption at rest. Option C is wrong because `s3-bucket-public-read-prohibited` checks for public read access, not encryption. Option D is wrong because `s3-bucket-logging-enabled` verifies that server access logging is enabled, which is unrelated to encryption at rest.

17
Multi-Select · easy

A company wants to ensure that their Amazon S3 bucket policy only allows access from a specific VPC endpoint. Which TWO condition keys can be used in the bucket policy? (Choose TWO.)

Select 2 answers
A. s3:SourceVpce
B. aws:SourceIp
C. aws:SourceVpc
D. ec2:Vpc
E. aws:SourceVpce
Answers: C, E

Restricts to a specific VPC.

Why this answer

Option E is correct because 'aws:SourceVpce' restricts access to a specific VPC endpoint. Option C is correct because 'aws:SourceVpc' restricts access to a specific VPC (all endpoints in that VPC). Option B is wrong because 'aws:SourceIp' is for IP addresses, not VPC endpoints.

Option A is wrong because 's3:SourceVpce' is not a valid condition key. Option D is wrong because 'ec2:Vpc' is an EC2 condition key, not one for S3.

18
MCQ · hard

A SysOps administrator is troubleshooting an issue where an IAM user is unable to launch an EC2 instance in a specific subnet. The user has the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Subnet": "subnet-12345"
        }
      }
    }
  ]
}

What is the likely cause of the failure?

A. The policy does not allow the 'ec2:DescribeSubnets' action, so the user cannot list subnets.
B. The user is not specifying the subnet ID when launching the instance.
C. The policy denies all subnets except subnet-12345.
D. The condition key 'ec2:Subnet' is not supported for RunInstances.
Answer: B

The condition requires the subnet ID to be provided.

Why this answer

Option B is correct because the 'ec2:Subnet' condition key requires the user to specify the subnet ID in the RunInstances call. If the user does not specify a subnet (e.g., using the default VPC), the condition fails. Option A is wrong because the policy allows RunInstances, not just Describe.

Option C is wrong because the condition is explicitly for subnet-12345, so it does not deny all subnets. Option D is wrong because the condition key 'ec2:Subnet' is valid for RunInstances.

19
Multi-Select · medium

Which THREE AWS services can be used to centrally manage and audit user permissions across multiple AWS accounts in AWS Organizations? (Choose THREE.)

Select 3 answers
A. AWS WAF
B. AWS CloudTrail
C. AWS Config
D. AWS Organizations
E. AWS IAM Access Analyzer
Answers: B, D, E

Logs API calls and can be aggregated across accounts.

Why this answer

Option B is correct because AWS CloudTrail logs API calls across accounts and the logs can be aggregated. Option E is correct because AWS IAM Access Analyzer helps identify resources shared with external entities. Option D is correct because AWS Organizations provides a central view of accounts and service control policies (SCPs).

Option C is wrong because AWS Config is for resource compliance, not user permissions. Option A is wrong because AWS WAF is a web application firewall.

20
MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets in the organization have server-side encryption enabled. What is the MOST efficient way to achieve this?

A. Attach a service control policy (SCP) that denies s3:PutBucketEncryption and s3:CreateBucket actions unless encryption is specified.
B. Use AWS Trusted Advisor to check for unencrypted buckets and notify the account owners.
C. Use AWS Config rules to automatically remediate non-compliant buckets.
D. Apply a bucket policy to each bucket requiring server-side encryption for all uploads.
Answer: A

SCPs can deny actions that do not include encryption parameters, enforcing encryption across all accounts.

Why this answer

Option A is correct because SCPs can be applied to the root, an OU, or specific accounts to deny actions that create or modify S3 buckets without encryption. Note that SCPs only prevent actions; they do not automatically enable encryption on existing buckets. Option C is wrong because Config rules can detect non-compliant buckets but cannot enforce encryption automatically.

Option D is wrong because bucket policies are per-bucket and cannot be applied globally across all accounts.

21
MCQ · medium

A company's security policy requires that all Amazon EC2 instances must have a specific tag 'Environment' with a value of either 'Production' or 'Development'. The SysOps administrator needs to detect any instance that is missing this tag or has an invalid value, and automatically email the operations team. Which AWS service should be used to achieve this with the least operational overhead?

A. AWS Config with the 'required-tags' managed rule and Amazon SNS
B. Amazon CloudWatch Events with an EC2 instance state change rule and AWS Lambda
C. AWS Trusted Advisor with a custom check
D. Amazon Inspector with a network assessment
Answer: A

AWS Config evaluates EC2 instances for the required tag and sends compliance changes to SNS, which can email the team.

Why this answer

AWS Config's 'required-tags' managed rule continuously evaluates EC2 instances against the specified tag key and allowed values, triggering an SNS notification when non-compliant resources are detected. This provides automated detection and alerting with minimal operational overhead, as it requires no custom code or infrastructure management.

Exam trap

The trap here is that candidates may confuse AWS Config's continuous compliance evaluation with event-driven services like CloudWatch Events, assuming that a state change rule can also check tags, but Config is purpose-built for resource configuration auditing without custom code.

How to eliminate wrong answers

Option B is wrong because CloudWatch Events with an EC2 instance state change rule only triggers on state transitions (e.g., running, stopped), not on tag compliance; it would require a custom Lambda function to check tags, adding operational overhead. Option C is wrong because AWS Trusted Advisor does not support custom checks; it only provides predefined best-practice checks. Option D is wrong because Amazon Inspector performs network assessments for vulnerabilities and unintended network access, not tag compliance.

22
MCQ · medium

A company's security policy requires that IAM users rotate their access keys every 90 days. The SysOps administrator must automatically identify users whose access keys are older than 90 days and notify the security team. Which combination of AWS services should be used to meet this requirement with the least operational overhead?

A. AWS Config with the 'access-keys-rotated' managed rule and Amazon SNS
B. AWS CloudTrail and Amazon CloudWatch Logs with metric filters and alarms
C. IAM Access Analyzer and AWS Lambda
D. Amazon GuardDuty and Amazon EventBridge
Answer: A

AWS Config evaluates IAM access keys against the rule and sends compliance notifications to SNS, which can email the security team.

Why this answer

AWS Config's 'access-keys-rotated' managed rule checks whether IAM user access keys have been rotated within the specified number of days (default 90). When a non-compliant resource is detected, AWS Config can trigger an Amazon SNS notification directly, without any custom code or additional infrastructure. This combination provides a fully managed, serverless solution with the least operational overhead.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing custom Lambda or CloudTrail-based approaches, missing that AWS Config provides a fully managed, built-in rule specifically designed for this exact compliance check with zero custom code.

How to eliminate wrong answers

Option B is wrong because CloudTrail logs API calls but does not evaluate the age of access keys; metric filters and alarms would require custom log parsing and lack the built-in compliance check. Option C is wrong because IAM Access Analyzer focuses on analyzing resource-based policies for external access, not on key rotation age; using Lambda would add custom code and maintenance overhead. Option D is wrong because GuardDuty is a threat detection service for malicious activity, not for tracking key rotation compliance; EventBridge alone cannot perform the age evaluation.

23
MCQ · medium

A company has a requirement to store audit logs for a minimum of 7 years to comply with regulatory standards. The logs are currently stored in Amazon S3. The SysOps administrator needs to ensure that logs are not deleted before the retention period expires. Which solution should be implemented?

A. Enable MFA Delete on the bucket to require multi-factor authentication for deletions.
B. Enable versioning on the bucket and use lifecycle policies to transition objects to S3 Glacier.
C. Create an S3 bucket policy that denies s3:DeleteObject for all principals.
D. Enable S3 Object Lock with a retention mode of GOVERNANCE or COMPLIANCE and set a retention period of 7 years.
Answer: D

Object Lock prevents deletion during retention period.

Why this answer

Option D is correct because S3 Object Lock with a retention period prevents deletion or overwrite until the period expires. Option A is wrong because MFA Delete prevents accidental deletion but can be bypassed with root credentials. Option B is wrong because versioning alone does not prevent deletion (versions can still be deleted after versioning is enabled), and lifecycle policies can delete objects rather than protect them.

24
MCQ · easy

A company wants to securely store secrets such as database credentials and API keys used by applications running on Amazon EC2. Which AWS service should be used to manage and rotate these secrets automatically?

A.AWS Identity and Access Management (IAM)
B.AWS Secrets Manager
C.AWS Key Management Service (KMS)
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager is designed for secrets management with built-in rotation.

Why this answer

Option B is correct because AWS Secrets Manager is built for storing secrets and can rotate them on a schedule through a rotation function (AWS supplies these for RDS and other managed databases; other secret types use a Lambda rotation function you provide). Option D is wrong because Systems Manager Parameter Store can hold SecureString values but has no built-in rotation; you would have to write and schedule it yourself. Option C is wrong because AWS KMS manages encryption keys, which protect secrets but are not a store for them.

Option A is wrong because IAM holds AWS user credentials and permissions, not application secrets.

25
MCQeasy

Refer to the exhibit. An IAM policy allows a user to run instances only of type t2.micro. What happens when the user tries to run a t2.small instance?

A.The request is allowed because the policy allows ec2:RunInstances.
B.The request is denied because there is an explicit deny on ec2:RunInstances.
C.The request is allowed because the condition only applies to the resource ARN, not the instance type.
D.The request is denied because t2.small does not match the condition.
AnswerD

The condition requires t2.micro, so t2.small is not allowed.

Why this answer

Option D is correct because the Allow statement carries a StringEquals condition on ec2:InstanceType with the value t2.micro; a request for t2.small does not satisfy the condition, so the statement does not apply and the request falls through to the implicit deny. Option A is wrong because the Allow is conditional, not unconditional. Option B is wrong because nothing in the policy is an explicit Deny; the denial is implicit. Option C is wrong because ec2:InstanceType is a condition key evaluated for the instance resource in the request, not a property of the resource ARN.

A practical caveat: RunInstances also touches the image, subnet, network interface, volume and key pair resources, and ec2:InstanceType is not present for those. A policy written this way needs a second Allow statement for the other resource types without the instance-type condition, otherwise every launch fails.

26
MCQeasy

A SysOps administrator needs to audit all changes to IAM policies in an AWS account. Which AWS service should be used to record these changes?

A.Amazon CloudWatch Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon S3
AnswerC

CloudTrail logs API activity for auditing.

Why this answer

Option C is correct because AWS CloudTrail records the API calls that change IAM policies (CreatePolicyVersion, PutUserPolicy, AttachRolePolicy and so on) together with the caller identity, source IP and request parameters. IAM is a global service, so the trail must include global service events; a multi-region trail does. Option B is wrong because AWS Config records the resulting configuration state of resources and evaluates it against rules, but it does not itself record who made each API call; its change history links to CloudTrail events for that. Option A is wrong because CloudWatch Logs only stores what CloudTrail delivers to it.

Option D is wrong because S3 is where CloudTrail writes its log files; it records nothing on its own.

27
MCQmedium

A SysOps administrator is tasked with encrypting data at rest for an Amazon S3 bucket that stores sensitive customer information. The company requires that the encryption keys be managed by AWS and rotated automatically. Which encryption solution meets these requirements?

A.Use client-side encryption with AWS KMS.
B.Use server-side encryption with customer-provided keys (SSE-C).
C.Use server-side encryption with Amazon S3-managed keys (SSE-S3).
D.Use server-side encryption with AWS KMS (SSE-KMS).
AnswerC

SSE-S3 uses keys managed and automatically rotated by AWS.

Why this answer

Option C is correct because SSE-S3 encrypts each object with a key that Amazon S3 manages and rotates, with nothing for the customer to configure. Option B is wrong because SSE-C requires the customer to supply the key with every request and to manage its lifecycle. Option D is wrong in the sense the question intends: SSE-KMS with a customer managed key is rotated only if rotation is enabled, and it adds KMS API calls and cost that the requirement does not ask for. Note that SSE-KMS with the AWS managed key aws/s3 is also rotated automatically, so read such questions for the "no key management overhead" hint.

Option A is wrong because client-side encryption leaves key management and the encryption operation with the client, not AWS.

28
Multi-Selecthard

A company's security team requires that all API calls to AWS services are encrypted in transit using TLS 1.2 or higher. Which TWO actions should be taken to enforce this?

Select 2 answers
A.Enable AWS CloudTrail to log all API calls.
B.Configure EC2 security groups to only allow HTTPS traffic.
C.Use AWS CloudTrail to monitor for API calls using TLS 1.0 and generate alerts.
D.Create an IAM policy that denies access unless the request uses TLS 1.2.
E.Create an SCP that denies AWS API calls using protocols lower than TLS 1.2.
AnswersC, E

CloudTrail can log TLS version; monitoring and alerting can detect non-compliance.

Why this answer

Options C and E are correct according to the answer key: an SCP that denies API calls made below TLS 1.2 enforces the policy across the organization, and CloudTrail records the negotiated protocol and cipher for each call in the tlsDetails field (tlsVersion and cipherSuite), which is what the monitoring in Option C keys on. Two caveats for practice: there is no global condition key for the TLS version, so the SCP in Option E can only be expressed for services that publish one (S3 exposes s3:TlsVersion, usable in a Deny with NumericLessThan 1.2), and AWS API endpoints themselves no longer accept TLS 1.0 or 1.1. Option A is wrong because logging alone neither enforces nor alerts. The key marks Option D wrong on the grounds that IAM policies cannot enforce protocol versions; the more defensible distinction is scope, since an identity policy reaches only the principals it is attached to while an SCP reaches every principal in the member accounts.

Option B is wrong because security groups filter network traffic to the instance; they do not see or restrict the instance's outbound API calls to AWS endpoints. Allowing only HTTPS also says nothing about the TLS version negotiated.
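
The CloudTrail check in Option C, as an added example that is not part of the question bank or of any AWS code: a Python scan over constructed CloudTrail records (real field names; fictitious account, addresses and user agents) that reports every call negotiated below TLS 1.2 and tallies the client software that made them. The function and variable names are the example's own.

```python
"""Scan CloudTrail records for API calls negotiated over TLS older than 1.2.

Added example, not AWS code. CloudTrail records the negotiated protocol in the
optional tlsDetails.tlsVersion field; records without it (for example
service-initiated calls) are skipped rather than reported. The log below is
constructed with the real field names and fictitious identifiers.
"""
import json
from collections import Counter

MIN_TLS = (1, 2)

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                    "clientProvidedHostHeader": "example-bucket.s3.amazonaws.com"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/legacy-batch"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto/2.49.0 Python/2.7.18 Linux/3.10.0",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA",
                    "clientProvidedHostHeader": "sts.amazonaws.com"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/i-0abc123def456"},
     "sourceIPAddress": "10.0.1.25", "userAgent": "aws-sdk-go/1.44.0",
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256",
                    "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"}},
    # Service-initiated call: no tlsDetails block at all, so it must not be reported.
    {"eventTime": "2024-03-01T10:09:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
     "sourceIPAddress": "s3.amazonaws.com", "userAgent": "s3.amazonaws.com"},
]})


def tls_version(record):
    """Parse tlsDetails.tlsVersion ('TLSv1', 'TLSv1.2', ...) into (major, minor); None if absent."""
    raw = record.get("tlsDetails", {}).get("tlsVersion", "")
    if not raw.startswith("TLSv"):
        return None
    major, _, minor = raw[len("TLSv"):].partition(".")
    return (int(major), int(minor or 0))


def legacy_tls_calls(log_json, minimum=MIN_TLS):
    """Return one finding per record whose negotiated TLS version is below `minimum`."""
    findings = []
    for rec in json.loads(log_json)["Records"]:
        version = tls_version(rec)
        if version is not None and version < minimum:
            findings.append({
                "time": rec["eventTime"],
                "principal": rec["userIdentity"].get("arn") or rec["userIdentity"].get("invokedBy"),
                "call": f'{rec["eventSource"]}:{rec["eventName"]}',
                "tls": rec["tlsDetails"]["tlsVersion"],
                "cipher": rec["tlsDetails"].get("cipherSuite"),
                "agent": rec.get("userAgent"),
            })
    return findings


def clients_to_upgrade(findings):
    """Count findings per user agent: the SDK or CLI build is what actually has to change."""
    return Counter(f["agent"] for f in findings)


if __name__ == "__main__":
    for finding in legacy_tls_calls(SAMPLE_LOG):
        print(finding)
    print(clients_to_upgrade(legacy_tls_calls(SAMPLE_LOG)))
```

Raising `minimum` to (1, 3) turns the same scan into an inventory of clients that will break when a stricter floor is set, which is the question to answer before any Deny policy goes in.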

29
Multi-Selectmedium

A company needs to restrict access to an S3 bucket so that only users from a specific VPC can read objects. Which THREE configurations are required?

Select 3 answers
A.Create a bucket policy that denies access unless the request comes from a specific VPC endpoint.
B.Update the route table in the VPC to route S3 traffic through the VPC endpoint.
C.Create IAM users and assign them permissions to access the bucket.
D.Create a VPC endpoint for S3 in the specified VPC.
E.Attach a security group to the S3 bucket.
AnswersA, B, D

Bucket policy can use aws:SourceVpce condition key.

Why this answer

Options A, B, and D are correct. You need a VPC endpoint for S3 in that VPC, route table entries so that traffic to S3 goes through the endpoint (for a gateway endpoint these are added when you associate the endpoint with the route tables), and a bucket policy that denies s3:* unless the request carries the endpoint ID in the aws:SourceVpce condition key (or the VPC ID in aws:SourceVpc). Option E is wrong because S3 is not an ENI-backed resource: security groups do not attach to buckets, and network ACLs are not needed for a gateway endpoint.

Option C is wrong because IAM users and their permissions say nothing about where a request comes from; only the network condition keys do. One warning before deploying such a policy: requests that do not come through the endpoint, including the console and the CLI on your own workstation, lack aws:SourceVpce entirely, so a Deny with StringNotEquals locks them all out. Add an exception for an administrative role; otherwise only the bucket owner's root user, which can always delete the bucket policy, can undo it.

30
MCQeasy

A company uses AWS Key Management Service (KMS) to encrypt data in S3. The security team wants to ensure that only a specific IAM role can decrypt objects in a particular S3 bucket. Which of the following is the MOST effective way to achieve this?

A.Create a separate KMS key for each bucket and assign the IAM role as a key user
B.Configure an S3 bucket policy that allows only the IAM role to perform s3:GetObject
C.Use a KMS key policy with a condition that requires the encryption context to match the bucket ARN, and grant the IAM role decrypt permissions
D.Use an S3 bucket policy that denies s3:GetObject unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header
AnswerC

Encryption context can restrict key usage to specific buckets.

Why this answer

Option C is correct because S3 passes an ARN to KMS as encryption context under the key aws:s3:arn (the bucket ARN when S3 Bucket Keys are enabled, the object ARN otherwise). A key policy statement that allows kms:Decrypt to the role only when kms:EncryptionContext:aws:s3:arn matches that bucket binds the key's use to one role and one bucket. Option B is wrong because a bucket policy governs S3 actions; it cannot grant or withhold the kms:Decrypt call that S3 makes on the caller's behalf.

Option D is wrong because the x-amz-server-side-encryption-aws-kms-key-id header is sent on uploads to choose the key for encryption; it does not appear on GetObject and does not control decryption. Option A is wrong because a key per bucket restricts by key, not by role: any principal the key policy names can decrypt, and the scheme does not scale.

31
MCQmedium

A company is using AWS Organizations with SCPs to restrict access to services. The security team wants to ensure that no IAM user can create access keys, but the SCP is not working as expected. What is the most likely cause?

A.The SCP is applied to the root OU but not inherited by the account.
B.The SCP is applied to a member account, but the IAM user is in the management account.
C.The SCP has a Deny effect, but it takes 24 hours to apply.
D.The SCP only applies to root users, not IAM users.
AnswerB

SCPs do not affect the management account.

Why this answer

Option B is correct because SCPs never apply to the management account, so its IAM users and roles are unaffected no matter where the SCP is attached; the management account should therefore hold no day-to-day IAM users. Option A is wrong because an SCP attached to the root, or to any parent OU, is inherited by every account beneath it. Option C is wrong because SCP changes take effect as soon as they are saved; there is no 24-hour delay.

Option D is wrong because SCPs constrain every IAM user and role in a member account, including that account's root user.

32
MCQmedium

Refer to the exhibit. A company has a CloudTrail trail in us-east-1 that logs events for that region only. The company operates in multiple regions and wants to ensure all API calls from all regions are logged. What is the most efficient way to achieve this?

A.Use Amazon CloudWatch Events to capture API calls from all regions.
B.Use S3 event notifications to trigger a Lambda function that logs API calls.
C.Create a new CloudTrail trail in each region.
D.Update the existing trail to be a multi-region trail.
AnswerD

A multi-region trail logs events from all regions.

Why this answer

Option D is correct because a multi-region trail records events from every region, including regions enabled later, and delivers them to one S3 location; the change is a single update (aws cloudtrail update-trail --name <trail> --is-multi-region-trail). It also records global-service events such as IAM and STS once instead of in every regional trail. Option C is wrong because one trail per region means many trails to configure, pay for and keep consistent. Option B is wrong because S3 event notifications report object operations, not API calls.

Option A is wrong because CloudWatch Events (EventBridge) routes events; it does not produce the durable API log that CloudTrail does.

33
MCQhard

An application running on Amazon EC2 needs to access an S3 bucket. The SysOps administrator wants to ensure that only that specific EC2 instance can access the bucket, without storing any long-term credentials on the instance. What is the most secure way to achieve this?

A.Attach an IAM role to the EC2 instance using an instance profile and grant the role S3 access
B.Configure a resource-based policy on the EC2 instance to allow S3 access
C.Create an IAM user with S3 access and store the access keys in the instance's user data
D.Generate pre-signed URLs for each S3 object the application needs to access
AnswerA

This is the best practice: temporary credentials are automatically rotated, and no long-term keys are stored on the instance.

Why this answer

Using an instance profile with an IAM role is the most secure method. The instance profile is attached to the EC2 instance, and the role supplies short-lived credentials through the instance metadata service that the SDKs refresh automatically. The S3 bucket policy can then restrict access to that role. Two refinements matter in practice: a role binds access to every instance that carries it, so to pin a single instance, match aws:userid against the role's unique ID followed by the instance ID (EC2 uses the instance ID as the role session name); and require IMDSv2 on the instance so that an SSRF bug in the application cannot read the credentials with a simple GET.

Storing access keys in user data is insecure: user data is readable from the metadata service and from DescribeInstanceAttribute. Pre-signed URLs grant access to individual objects for a fixed time, not ongoing access. A resource-based policy cannot be attached to an EC2 instance.

34
Multi-Selecthard

A company is using AWS KMS to encrypt data. The security team wants to ensure that a specific IAM role can use a KMS key, but only when the request comes from a specific VPC. Which THREE conditions should be included in the KMS key policy? (Choose three.)

Select 3 answers
A.aws:SourceSubnet equals the subnet ID.
B.aws:SourceArn equals the IAM role ARN.
C.aws:SourceVpc equals the VPC ID.
D.aws:SourceIp equals the VPC CIDR.
E.aws:SourceVpce equals the VPC endpoint ID.
AnswersB, C, E

Identifies the role.

Why this answer

Option B is correct per the answer key to identify the role, Option E to restrict to the VPC endpoint, and Option C to restrict to the VPC. In practice the caller is matched with the Principal element of the key policy statement or with aws:PrincipalArn; aws:SourceArn identifies the resource of an AWS service that calls KMS on your behalf, not an IAM role calling directly. aws:SourceVpc and aws:SourceVpce are populated only when the request reaches KMS through a KMS interface endpoint in that VPC, so the policy presupposes one.

Option D is wrong because aws:SourceIp carries the public address of a request from the internet and is not populated for requests through a VPC endpoint, so a CIDR condition cannot identify the VPC. Option A is wrong because aws:SourceSubnet is not a condition key.

35
MCQhard

A company is using AWS Organizations with multiple accounts. The security team wants to prevent any IAM user from creating access keys for themselves across all accounts. What is the most effective way to enforce this policy?

A.Attach an IAM policy to the root user that denies iam:CreateAccessKey.
B.Configure an IAM password policy that requires strong passwords.
C.Apply a service control policy (SCP) that denies iam:CreateAccessKey to all accounts in the organization.
D.Use AWS CloudTrail to monitor and alert on CreateAccessKey events.
AnswerC

SCPs can enforce restrictions across accounts in AWS Organizations.

Why this answer

Option C is correct because a service control policy (SCP) can deny the CreateAccessKey action across all accounts in the organization. Option A is wrong because an IAM policy on the root user only affects the root user, not IAM users. Option B is wrong because password policies do not control access keys.

Option D is wrong because CloudTrail records the event after the fact; it cannot prevent it. Note also that SCPs do not apply to the management account, so an IAM user there would still be able to create keys.

36
MCQhard

An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that no IAM user in any member account can create access keys that are more than 90 days old. What is the most efficient way to enforce this?

A.Use a service control policy (SCP) to deny the iam:CreateAccessKey action unless a condition is met
B.Use CloudTrail to monitor CreateAccessKey events and trigger a Lambda function to disable old keys
C.Use AWS Config rules in each account to detect keys older than 90 days and automatically delete them
D.Create an IAM policy that denies CreateAccessKey if the user has any key older than 90 days
AnswerA

SCPs can be applied at the OU level to prevent key creation across accounts.

Why this answer

The answer key selects Option A: an SCP attached at the root or OU level reaches every member account with one policy, whereas each alternative has to be deployed per account or reacts only after the fact. Read the question carefully, though: no IAM condition key exposes the age of an access key, so an SCP can restrict who may call iam:CreateAccessKey (for instance, to a dedicated automation role) but cannot itself detect or reject a 90-day-old key. The age check is a detective control: the managed Config rule access-keys-rotated with maxAccessKeyAge set to 90, deployed across the organization as a conformance pack, reports the non-compliant keys, and a remediation action deactivates them. Option C is wrong per the key because it is per-account and deletes rather than deactivates, which breaks workloads without a rotation window.

Option B is wrong because CloudTrail only records the CreateAccessKey call; the Lambda function would still have to enumerate and age every key itself. Option D is wrong because an IAM policy condition cannot reference the age of the user's existing keys, and the policy would have to be attached in every account.
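
The detective half of the answer, as an added example that is not the page's or AWS's code: the access-keys-rotated check reimplemented in Python over a constructed IAM credential report (a subset of the real report's columns; fictitious users and dates). The function names and the fixed evaluation date are the example's own assumptions.

```python
"""Flag IAM access keys older than a rotation threshold from a credential report.

Added example, not AWS code: it reimplements the check that the managed Config
rule access-keys-rotated performs, over a constructed credential report. A real
report comes from `aws iam get-credential-report` (base64-encoded CSV); the
sample below uses a subset of the real column names with fictitious data.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: root has no keys, deploy-bot has one old key, alice has a
# fresh key in slot 1 and a forgotten, never-used key in slot 2.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,true,2023-11-02T08:15:00+00:00,2024-03-01T09:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-02-20T14:30:00+00:00,2024-03-01T11:45:00+00:00,true,2023-06-01T00:00:00+00:00,N/A
"""

# Fixed clock (assumption) so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601; 'N/A' and 'no_information' mean absent."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, max_age_days=90, now=NOW):
    """Return (user, slot, age_days, ever_used) for every ACTIVE key older than max_age_days.

    Inactive keys are skipped: they cannot be used, and the Config rule ignores them too.
    ever_used=False marks keys that should simply be deleted rather than rotated.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                ever_used = _parse_ts(row[f"access_key_{slot}_last_used_date"]) is not None
                findings.append((row["user"], slot, age, ever_used))
    return findings


if __name__ == "__main__":
    for user, slot, age, used in stale_access_keys(SAMPLE_REPORT):
        action = "rotate" if used else "delete (never used)"
        print(f"{user}: access key {slot} is {age} days old -> {action}")
```

The age is measured from last rotation, not creation, which is what the Config rule's maxAccessKeyAge parameter compares against as well; a key that is stale and has never been used is a deletion candidate, not a rotation candidate.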

37
MCQeasy

An administrator needs to grant an IAM user the ability to stop and start EC2 instances, but only for instances tagged with 'Environment:Production'. Which IAM policy element should be used to enforce this condition?

A.Effect
B.Resource
C.Action
D.Condition
AnswerD

Condition allows tag-based restrictions.

Why this answer

Option D is correct because the Condition element is where tag-based restrictions are expressed; for existing instances the key is ec2:ResourceTag/Environment, so the statement allows ec2:StopInstances and ec2:StartInstances on instance resources with StringEquals ec2:ResourceTag/Environment set to Production. Option C is wrong because Action names the operations, not which instances they may touch. Option B is wrong because Resource matches ARNs, and instance ARNs do not carry tags.

Option A is wrong because Effect only chooses between Allow and Deny.

38
MCQmedium

A company's security policy requires that all data stored in Amazon S3 must be encrypted at rest using keys managed by the company. Which encryption option should the SysOps administrator choose?

A.Server-Side Encryption with AWS KMS (SSE-KMS)
B.Server-Side Encryption with S3-Managed Keys (SSE-S3)
C.Server-Side Encryption with Customer-Provided Keys (SSE-C)
D.Client-Side Encryption
AnswerC

The company provides and manages the encryption keys.

Why this answer

Option C is correct because with SSE-C the company generates, stores and supplies the key; S3 uses it for the request, keeps only a salted HMAC of it to validate later requests, and never stores the key itself. Option B is wrong because SSE-S3 keys are created and held by S3. Option A is wrong as the question is worded, since the KMS service holds the key material, although a customer managed KMS key is what most organizations mean by keys they manage: it gives the company control over the key policy, rotation and deletion without shipping the key with every request.

Option D is wrong per the key because client-side encryption is done by the application before upload; S3 is then not performing the at-rest encryption the administrator is asked to choose.

39
MCQmedium

A company's compliance team requires that all changes to IAM policies be logged and immediately alerted. Which AWS solution should be used?

A.Use AWS Config rules to monitor IAM policy changes and send notifications.
B.Use Amazon CloudWatch Logs to capture IAM policy changes and create metric filters.
C.Use Amazon GuardDuty to detect unauthorized IAM policy changes.
D.Use AWS CloudTrail to log API calls and Amazon CloudWatch Events to send alerts.
AnswerD

CloudTrail logs the changes, and CloudWatch Events can trigger alerts in real time.

Why this answer

Option D is correct because CloudTrail records the IAM policy change and delivers it to EventBridge (CloudWatch Events) shortly after the call, where a rule matching eventSource iam.amazonaws.com and the policy-mutating event names (CreatePolicy, CreatePolicyVersion, PutUserPolicy, AttachRolePolicy and so on) publishes to an SNS topic. Option A is wrong because AWS Config evaluates resource configuration on a change-triggered or periodic basis; it can notify, but it is a compliance view rather than a low-latency alerting path. Option B is wrong because CloudWatch Logs holds the events only if CloudTrail is configured to deliver them there, and a metric filter plus alarm adds evaluation delay compared with an EventBridge rule.

Option C is wrong because GuardDuty reports findings for anomalous or malicious behaviour; it is not a log of every policy change.

40
MCQmedium

A CloudFormation template creates an S3 bucket with encryption and a bucket policy as shown in the exhibit. An administrator tries to upload an object using the AWS CLI without specifying any encryption. What will happen?

A.The upload succeeds because the bucket has default encryption enabled.
B.The upload fails because the bucket policy allows only objects with AES256 encryption, but the default encryption is sufficient.
C.The upload fails because the bucket policy denies PutObject without the encryption header.
D.The upload succeeds because the default encryption automatically adds the AES256 header.
AnswerC

The Deny statement explicitly denies PutObject when encryption is not AES256.

Why this answer

Option C is correct. The bucket policy denies PutObject if the encryption header is not AES256. Since the request has no encryption header, it does not equal AES256, so the Deny applies and the upload fails.

The bucket's default encryption (AES256) is applied only after the request has been authorized, so it is not visible to the policy condition; the Deny takes effect first. Option A is wrong because authorization happens before default encryption is applied. Option B is wrong because default encryption does not satisfy the policy condition.

Option D is wrong because the policy explicitly denies.

41
MCQeasy

A company has an S3 bucket that contains sensitive customer data. The security team requires that all data in transit to and from the bucket must be encrypted. Which bucket policy condition should be used?

A.aws:SecureTransport
B.s3:x-amz-server-side-encryption-aws-kms-key-id
C.s3:x-amz-server-side-encryption
D.aws:TLSSupport
AnswerA

This condition ensures that requests are made over HTTPS.

Why this answer

Option A is correct: aws:SecureTransport is true when the request arrived over HTTPS and false over plain HTTP, so a Deny statement on s3:* with Bool aws:SecureTransport false, covering both the bucket ARN and bucket/*, rejects every unencrypted request. Option C is wrong because s3:x-amz-server-side-encryption checks the at-rest encryption header on uploads.

Option B is wrong because s3:x-amz-server-side-encryption-aws-kms-key-id checks which KMS key an upload names, again at rest. Option D is wrong because aws:TLSSupport is not a condition key at all; if a minimum TLS version is required, S3 provides s3:TlsVersion for a numeric comparison.

42
MCQmedium

A company wants to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the SysOps administrator do?

A.Create an IAM role with permissions to the S3 bucket and attach it to the EC2 instance profile.
B.Attach an S3 bucket policy that grants access to the EC2 instance's public IP address.
C.Generate access keys for an IAM user and store them on the instance.
D.Use AWS STS to generate temporary credentials and store them in the instance's user data.
AnswerA

IAM roles grant temporary credentials to EC2 instances.

Why this answer

Option A is correct because a role attached through an instance profile gives the instance short-lived credentials from the metadata service; nothing is written to disk and the SDKs refresh them. Option C is wrong because access keys are long-term credentials; stored on an instance they are readable by anyone who compromises it and are rarely rotated. Option B is wrong because a bucket policy keyed on aws:SourceIp binds access to an address, not to the instance: the address can change, is shared behind NAT, and trusts every process on every host behind it.

Option D is wrong because STS credentials still have to be obtained with some existing credential, and user data is readable from the metadata service and the API, so it is the wrong place for any secret.

43
MCQhard

A SysOps administrator is managing a multi-account AWS environment using AWS Organizations. The security team has mandated that all Amazon S3 buckets across all accounts must be encrypted with SSE-KMS using a centrally managed KMS key. The administrator has created a KMS key in the master account and enabled key rotation. The key policy allows the root user of each member account to use the key. However, users in member accounts report that they cannot upload objects to their S3 buckets with SSE-KMS using the central key, even though they have s3:PutObject permissions. The administrator verifies that the KMS key policy includes the necessary permissions for the member accounts. What should the administrator do to resolve the issue?

A.Create a new KMS key in each member account and configure S3 bucket default encryption accordingly.
B.Ensure that the KMS key policy allows the master account to administer the key.
C.Attach an IAM policy to the users/roles in the member accounts that allows kms:GenerateDataKey using the central KMS key.
D.Update the S3 bucket policy to allow the s3:PutObject action only when encryption is set to SSE-KMS.
AnswerC

The IAM principal needs explicit KMS permission to use the key for encryption.

Why this answer

Option C is correct because a key policy that names the member account's root principal only delegates: it lets that account's administrators grant the key's use through IAM, it does not grant anything to the users and roles themselves. Each principal in the member account needs an identity policy allowing kms:GenerateDataKey on the central key's ARN for uploads (and kms:Decrypt for reads). Option A is wrong because it abandons the requirement for a central key. Option B is wrong because the management account already administers the key; that is not what the member-account users are missing.

Option D is wrong because a bucket policy can require SSE-KMS on uploads, but it cannot grant the KMS permissions those uploads need.

44
MCQmedium

A company uses AWS KMS to encrypt data stored in S3. The security team wants to rotate the KMS key automatically every year. The SysOps administrator enabled automatic key rotation for the KMS key. However, after a year, the security team finds that the key has not been rotated. What is the most likely cause?

A.The KMS key is disabled.
B.The KMS key policy does not allow rotation.
C.The KMS key has not been used in the last year.
D.The KMS key was created by importing key material.
AnswerD

Imported keys cannot be automatically rotated.

Why this answer

Option D is correct because KMS does not rotate keys whose material was imported; the same applies to asymmetric keys, HMAC keys and keys in custom key stores. Imported-material keys are rotated manually by creating a new key and repointing the alias. Option A is wrong because rotation is only paused while a key is disabled, and the scenario says the key was in use. Option B is wrong because rotation is a property of the key, enabled with kms:EnableKeyRotation, not something the key policy can veto.

Option C is wrong because rotation is time-based; it happens whether or not the key was used.

45
MCQhard

An IAM user has the policy shown in the exhibit. The user is trying to download an object from example-bucket from an IP address of 192.0.2.50. However, the request is denied. What is the most likely reason?

A.The condition key aws:SourceIp should be aws:SourceIpAddress.
B.The bucket has a bucket policy that denies access from the user's IP address.
C.The resource ARN does not include the bucket itself.
D.The condition syntax is incorrect because it should use StringEquals.
AnswerB

A bucket policy with an explicit Deny would override the IAM policy allow.

Why this answer

Option B is correct because an explicit Deny in the bucket policy overrides the Allow in the user's identity policy; the identity policy shown allows s3:GetObject from 192.0.2.50, so the only remaining explanation among the choices is a Deny on the resource side. Option A is wrong because aws:SourceIp is the correct key. Option C is wrong because GetObject is authorized against the object ARN (bucket/*); the bucket ARN is needed for ListBucket, not for downloads.

Option D is wrong because aws:SourceIp takes the IpAddress and NotIpAddress operators with CIDR values; StringEquals would be the wrong operator, not a fix. Worth knowing: if the request reaches S3 through a VPC endpoint, aws:SourceIp is not populated with the client's public address (aws:VpcSourceIp is the key for that path), which is another common cause of an unexpected denial with IP-based policies.

46
MCQhard

A SysOps administrator needs to detect when an IAM user attempts to modify an Amazon S3 bucket policy in the production AWS account. The administrator wants to receive an email notification within 5 minutes of such an event. The solution must use AWS managed services with no custom code. Which combination of services should the administrator use?

A.AWS CloudTrail, Amazon CloudWatch Events (Amazon EventBridge), and Amazon SNS
B.AWS CloudTrail, Amazon CloudWatch Logs metric filter, and Amazon SNS
C.Amazon S3 event notifications and Amazon SNS
D.AWS CloudTrail, AWS Lambda, and Amazon SNS
AnswerA

CloudTrail logs the API call, EventBridge matches the event and triggers an SNS topic to send email. No custom code needed.

Why this answer

Option A is correct because AWS CloudTrail captures the S3 bucket policy modification as a management event, which can be sent to Amazon EventBridge (formerly CloudWatch Events) as a real-time event. EventBridge can then trigger an SNS topic to send an email notification within minutes, all using fully managed services with no custom code required.

Exam trap

The trap here is that candidates often confuse S3 event notifications (object-level) with CloudTrail (management-level), or they assume CloudWatch Logs metric filters are the only way to trigger alarms from logs, overlooking EventBridge's direct event-driven capability for real-time notification without custom code.

How to eliminate wrong answers

Option B is wrong because CloudWatch Logs metric filters operate on log data with a latency of up to 5 minutes for the metric to be created, and then an alarm must be evaluated, which can add additional delay; this does not guarantee notification within 5 minutes and is more complex. Option C is wrong because S3 event notifications are designed for object-level events (e.g., PUT, DELETE) and cannot detect IAM user attempts to modify bucket policies, which are management-level events. Option D is wrong because it requires AWS Lambda custom code to process the CloudTrail event and send the notification, violating the requirement to use only managed services with no custom code.

47
MCQeasy

A SysOps administrator needs to provide temporary access to an S3 bucket for a third-party auditor. The access must expire after 24 hours. Which solution should the administrator use?

A.Create an IAM user for the auditor and attach a policy granting access to the bucket.
B.Create a bucket policy that grants access to the auditor's AWS account.
C.Use AWS Security Token Service (STS) to issue temporary credentials that expire after 24 hours.
D.Generate a pre-signed URL for the bucket.
AnswerC

STS issues temporary credentials that can be configured to expire.

Why this answer

Option C is correct because STS issues credentials with an expiry you choose. Check the limit that fits: AssumeRole sessions last at most 12 hours (the role's MaxSessionDuration), so a 24-hour window needs GetFederationToken, which allows up to 36 hours, or a fresh AssumeRole partway through. Option A is wrong because an IAM user's access keys never expire on their own. Option B is wrong because a bucket policy grants the auditor's account standing access with no expiry.

Option D is wrong because a pre-signed URL covers one object and one operation; it cannot grant browsing of a bucket.

48
MCQmedium

A company's security policy requires that all new Amazon S3 buckets must have server-side encryption with AWS Key Management Service (SSE-KMS) enabled by default. A SysOps administrator wants to enforce this requirement for all current and future S3 buckets in the account. Which AWS service or feature should be used to automatically apply this configuration?

A.Enable S3 default encryption at the account level in the S3 console.
B.Create an AWS CloudTrail trail that captures S3 API calls and triggers a Lambda function to enable encryption on any bucket that is created without it.
C.Use an AWS Organizations Service Control Policy (SCP) to deny the s3:PutBucketPublicAccessBlock action, forcing users to enable encryption.
D.Use AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule and configure automatic remediation to apply SSE-KMS when a non-compliant bucket is detected.
AnswerD

AWS Config can evaluate all buckets (current and future) against the rule. Automatic remediation can invoke an SSM Automation document or a Lambda function to enable SSE-KMS on the bucket, meeting the requirement with a managed service.

Why this answer

Option D is correct because AWS Config with the 's3-bucket-server-side-encryption-enabled' managed rule can evaluate S3 buckets for compliance with server-side encryption requirements. When a non-compliant bucket is detected, automatic remediation can be configured to apply SSE-KMS using an AWS Systems Manager Automation document, ensuring all current and future buckets meet the security policy without manual intervention. Note that this rule is also satisfied by SSE-S3; if the policy specifically requires SSE-KMS, the managed rule 's3-default-encryption-kms' checks for that.

Exam trap

The trap here is that candidates confuse S3 default encryption (which is bucket-level only) with account-level enforcement, or they mistakenly think SCPs can directly enable encryption rather than just deny actions, leading them to pick options that are reactive or misaligned with the requirement.

How to eliminate wrong answers

Option A is wrong because S3 default encryption can only be set at the bucket level, not at the account level; there is no account-level setting in the S3 console to enforce encryption on all buckets. Option B is wrong because while CloudTrail and Lambda can reactively fix buckets after creation, this approach is event-driven and not a proactive enforcement mechanism; it also relies on custom code and may introduce latency or gaps. Option C is wrong because the s3:PutBucketPublicAccessBlock action controls public access block settings, not server-side encryption; denying this action does nothing to enforce SSE-KMS, and SCPs cannot directly enable encryption on resources.

49
MCQmedium

A SysOps administrator needs to grant cross-account access to an S3 bucket in Account A for an IAM user in Account B. The bucket policy in Account A allows the IAM user's account root principal. What additional configuration is required?

A.Modify the AWS KMS key policy to allow the user in Account B
B.Add a bucket ACL granting access to the user in Account B
C.Add an AWS Organizations service control policy to allow access
D.Attach an IAM policy to the user in Account B that allows the required S3 actions
AnswerD

The user needs an IAM policy that grants the S3 actions.

Why this answer

D is correct because cross-account access to an S3 bucket requires both a bucket policy that grants access to the root principal of the target account (Account B) and an IAM policy attached to the user in Account B that explicitly allows the desired S3 actions. Without the IAM policy, the user in Account B has no permissions to perform any S3 operations, even though the bucket policy in Account A permits the account root. The IAM policy acts as the identity-based permission that authorizes the specific user to invoke the S3 API calls.

Exam trap

The trap here is that candidates assume the bucket policy alone is sufficient for cross-account access, forgetting that the IAM user in the target account must also have an explicit IAM policy allowing the S3 actions, as AWS requires both resource-based and identity-based permissions to be evaluated and both must allow the operation.

How to eliminate wrong answers

Option A is wrong because AWS KMS key policies are only relevant if the S3 bucket uses SSE-KMS encryption; the question does not mention encryption, and modifying the KMS key policy is not a general requirement for cross-account S3 access. Option B is wrong because bucket ACLs are legacy and cannot grant access to an IAM user in another account; they only support granting access to AWS accounts or predefined groups, not individual IAM users. Option C is wrong because AWS Organizations service control policies (SCPs) apply to all principals within an organization and are used to set permission boundaries, not to grant cross-account access; they cannot be used to allow a specific IAM user in another account.

50
MCQhard

A SysOps administrator is troubleshooting an issue where an IAM user cannot assume a role in another AWS account. The trust policy of the role allows the user's account to assume the role, and the user has a permissions policy that allows sts:AssumeRole. However, the user still gets an access denied error. What is the MOST likely cause?

A.The trust policy specifies the user's ARN instead of the account ARN
B.The user's permissions policy does not include sts:AssumeRole for the specific role ARN
C.The role requires MFA, but the user does not have MFA configured
D.The role's permissions policy does not include an external ID
AnswerB

The user must have an IAM policy that allows sts:AssumeRole on the target role.

Why this answer

Option B is correct because a trust policy that names the account as principal only delegates the decision to that account's IAM administrators; the user still needs an identity-based Allow for sts:AssumeRole on the target role's ARN. A permissions policy that allows sts:AssumeRole but names a different role, or a Resource that does not cover this role's ARN, produces AccessDenied at the AssumeRole call itself. The first thing to check is therefore the Resource element of the user's sts:AssumeRole statement, followed by any SCP or permissions boundary in the user's account.

Option A is incorrect because a trust policy that names the user's ARN directly is a valid, more restrictive configuration, not a cause of failure. Option C is incorrect because the scenario mentions no MFA condition in the trust policy; if one existed (aws:MultiFactorAuthPresent), the error would also be AccessDenied, but nothing in the question points to it.

Option D is incorrect because an external ID belongs in the trust policy as an sts:ExternalId condition, not in the role's permissions policy, and it is optional.

51
MCQmedium

A company's security policy requires that all IAM users must authenticate with multi-factor authentication (MFA) before they can perform any actions on Amazon EC2 instances. The SysOps administrator needs to enforce this requirement using IAM policies. Which IAM policy condition key should the administrator use in the policy?

A.aws:MultiFactorAuthPresent
B.aws:SourceIp
C.iam:PassedToService
D.ec2:SourceInstanceARN
AnswerA

Using the condition 'aws:MultiFactorAuthPresent': 'true' in an IAM policy ensures that the caller must have authenticated with MFA to allow the action.

Why this answer

Option A is correct because the `aws:MultiFactorAuthPresent` condition key reports whether the caller's temporary credentials were obtained with MFA. An Allow statement for the EC2 actions with `Bool` `aws:MultiFactorAuthPresent` `true` applies only to MFA-authenticated sessions, so every other caller falls through to the implicit deny. If you write the rule as a Deny instead, use `BoolIfExists` `aws:MultiFactorAuthPresent` `false`: the key is absent from requests signed with long-term access keys, a plain `Bool` condition on an absent key is not satisfied, and the Deny would then miss exactly the callers it is meant to stop.

Exam trap

The trap here is that candidates confuse `aws:MultiFactorAuthPresent` with `aws:SourceIp` or `iam:PassedToService`, mistakenly thinking IP-based or role-passing conditions can enforce MFA, when only the MFA-specific condition key works.

How to eliminate wrong answers

Option B is wrong because `aws:SourceIp` restricts access based on the originating IP address, not on how the caller authenticated. Option C is wrong because `iam:PassedToService` controls which AWS services a role may be passed to (e.g., EC2 via iam:PassRole), not MFA for user actions. Option D is wrong because `ec2:SourceInstanceARN` identifies the EC2 instance from which a request using that instance's role credentials was made; it is useful for pinning a role to one instance but says nothing about MFA.

52
MCQeasy

A company's security policy requires that the AWS account root user must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to continuously verify compliance and automatically notify the security team if the root user is not configured with MFA. Which AWS service can be used to create a compliance rule for this requirement?

A.AWS Trusted Advisor
B.AWS Config with the managed rule 'root-account-mfa-enabled'
C.AWS Identity and Access Management (IAM) Access Analyzer
D.Amazon Inspector
AnswerB

AWS Config continuously evaluates resources against rules. The 'root-account-mfa-enabled' managed rule checks if MFA is enabled on the root user and can trigger custom actions (e.g., SNS notification) when non-compliant.

Why this answer

AWS Config provides a managed rule called 'root-account-mfa-enabled' that continuously evaluates whether the root user has an MFA device configured. When the rule detects non-compliance, it can trigger an Amazon SNS notification to alert the security team, meeting the requirement for automated compliance verification and alerting.

Exam trap

The trap here is that candidates confuse AWS Trusted Advisor's security checks (which include a root MFA check but lack continuous evaluation and automated notification) with AWS Config's managed rules that provide ongoing compliance monitoring and event-driven alerts.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer continuous compliance rules with automated notifications for root user MFA status. Option C is wrong because IAM Access Analyzer analyzes resource policies for external access, not root user MFA configuration compliance. Option D is wrong because Amazon Inspector assesses vulnerabilities in EC2 instances and container workloads, not IAM user configurations.

53
Drag & Dropmedium

Drag and drop the steps to create an Amazon CloudWatch alarm that sends an email notification when CPU utilization exceeds 90% into the correct order.

Why this order

First create the SNS topic and subscribe the email address to it (the recipient must confirm the subscription or nothing is delivered), then create the alarm: select the CPUUtilization metric for the instance, define the condition (greater than 90% for the chosen evaluation periods), and finally add the SNS topic as the alarm action. The topic has to exist before the alarm can reference it, which fixes the order.

54
MCQhard

A SysOps administrator discovers that an EC2 instance was compromised because the SSH key pair was leaked. The administrator wants to ensure that future access to EC2 instances is secured using a method that does not rely on static keys. Which solution should the administrator implement?

A.Use a bastion host with a security group that allows SSH from a limited IP range.
B.Create a new key pair and distribute it securely to authorized users.
C.Use AWS Systems Manager Session Manager to connect to instances.
D.Use EC2 Instance Connect to connect to instances.
AnswerD

EC2 Instance Connect provides one-time SSH keys and uses IAM policies for access control.

Why this answer

Option D is correct because EC2 Instance Connect replaces the static key pair with a one-time SSH public key that the caller pushes to the instance (valid for 60 seconds) and that IAM authorizes through the ec2-instance-connect:SendSSHPublicKey action; there is no long-lived private key to leak. Option C also avoids static keys (Session Manager tunnels a shell through the SSM Agent using the instance role and needs no open SSH port) and is often the preferred choice in practice; the answer key marks it wrong because it depends on the SSM Agent and an instance IAM role rather than working with the existing SSH daemon.

Option A is wrong because a bastion host only narrows where SSH may come from; the leaked key would still work from that range. Option B is wrong because a new key pair is still a static credential that can leak again.

55
MCQeasy

A company wants to enforce that all IAM users in an AWS account must use multi-factor authentication (MFA) to access the AWS Management Console. Which IAM policy effect should be used to deny access if MFA is not present?

A.Allow with a condition that aws:MultiFactorAuthPresent is false
B.Allow with a condition that aws:MultiFactorAuthPresent is true
C.Deny with a condition that aws:MultiFactorAuthPresent is false
D.Deny with a condition that aws:MultiFactorAuthPresent is true
AnswerC

This explicitly denies access when MFA is not present, effectively enforcing MFA for all users.

Why this answer

The correct approach is an explicit Deny whose condition matches when MFA is absent, because a Deny overrides any Allow the user has elsewhere. Option C is correct because it denies access when 'aws:MultiFactorAuthPresent' is false. Option A is wrong because an Allow conditioned on MFA being absent would grant the opposite of what is wanted.

Option B is wrong because an Allow conditioned on MFA being true only adds permission when MFA is used; it does nothing to block other Allow statements that have no MFA condition. Option D is wrong because it would deny exactly the users who did use MFA. One practical caveat: the key is not present at all in requests signed with long-term access keys, and a Bool test on an absent key does not match, so write the Deny with BoolIfExists ('aws:MultiFactorAuthPresent': 'false') to make sure those requests are denied too.

56
Multi-Selecthard

Which TWO actions should a SysOps administrator take to secure an S3 bucket that stores sensitive data? (Choose two.)

Select 2 answers
A.Enable S3 Block Public Access settings on the bucket.
B.Enable cross-origin resource sharing (CORS) on the bucket.
C.Enable S3 Versioning.
D.Enable S3 server access logging.
E.Enable S3 Transfer Acceleration.
AnswersA, D

This prevents any public access to the bucket.

Why this answer

Options A and D are correct. S3 Block Public Access overrides any ACL or bucket policy that would grant public access, and server access logging records every request to the bucket for audit and investigation. Option B is wrong because CORS only tells browsers which origins may make cross-origin requests; it is not an access control.

Option C is wrong because versioning protects against overwrites and deletions (useful for recovery) but does not control who can read the data. Option E is wrong because Transfer Acceleration speeds up uploads over long distances and is unrelated to security.

57
MCQhard

A company hosts a critical web application on EC2 instances behind an Application Load Balancer. The security team enabled AWS WAF on the ALB to block SQL injection and XSS attacks. They also use AWS Shield Advanced for DDoS protection. Recently, the application experienced intermittent performance degradation during normal traffic patterns. The security team reviewed the WAF logs and found that legitimate user requests with query strings containing the word "select" (e.g., ?category=select+option) were being blocked. The team wants to ensure that only actual SQL injection attempts are blocked, not legitimate requests with similar patterns. What course of action should the SysOps administrator take to resolve this issue while maintaining security?

A.Disable the SQL injection rule in AWS WAF and rely solely on AWS Shield Advanced for protection.
B.Enable AWS Shield Advanced's automatic mitigation feature to handle all layer 7 attacks.
C.Create a custom WAF rule that inspects specific query string parameters with a more precise regex pattern to reduce false positives.
D.Replace the WAF SQL injection rule with a rate-based rule to limit request rates from specific IPs.
AnswerC

A custom rule with a targeted regex pattern can differentiate between actual SQL injection and legitimate uses of words like 'select'.

Why this answer

Option C is correct because AWS WAF lets you scope a rule to a specific part of the request (the URI path, the whole query string, or a single query argument). A custom rule whose FieldToMatch is the 'category' argument, with a pattern that requires SQL structure (a quoted tautology, UNION ... SELECT, a stacked statement) rather than the bare word 'select', removes the false positive while the existing rules keep inspecting the rest of the request. Option A is wrong because disabling the SQL injection rule entirely removes protection.

Option B is wrong because Shield Advanced's automatic application-layer mitigation targets DDoS traffic patterns; it cannot tune SQL injection false positives. Option D is wrong because a rate-based rule limits request volume per source and does not distinguish injection from legitimate input.
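
As an added illustration of the scoped, more precise rule the answer describes (example code written for this page, not AWS WAF's engine and not the page's own rule): the check below parses the query string, inspects only one named argument, and matches a pattern that needs SQL structure rather than the word 'select' alone. The argument name, the regex and the sample URLs are constructed for the example. In AWS WAF the equivalent is a rule with FieldToMatch SingleQueryArgument and a RegexMatchStatement; it narrows false positives for that one parameter and complements, rather than replaces, the managed SQLi rule for the rest of the request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical: the query argument the custom rule is scoped to.
INSPECTED_ARG = "category"

# Require SQL structure rather than a lone keyword: a quoted tautology,
# a UNION ... SELECT, a stacked statement after ';', or a quote followed
# by a comment opener.  No lookarounds, so it is also RE2-compatible.
SQLI_PATTERN = re.compile(
    r"""
      ['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+    # ' or '1'='1
    | \bunion\s+(?:all\s+)?select\b              # 1' UNION SELECT ...
    | ;\s*(?:drop|delete|insert|update|alter)\b  # ; DROP TABLE ...
    | ['"]\s*(?:--|\#|/\*)                       # ' -- , ' /*
    """,
    re.IGNORECASE | re.VERBOSE,
)


def inspect_query_arg(url: str, name: str = INSPECTED_ARG) -> bool:
    """True when the named query argument looks like SQL injection."""
    args = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(SQLI_PATTERN.search(v) for v in args.get(name, []))


# Constructed sample requests: the benign one from the question, two
# injection attempts, and an attempt in an argument this rule ignores.
SAMPLES = {
    "benign_select": "https://shop.example/list?category=select+option",
    "union_select": "https://shop.example/list?category=1%27+UNION+SELECT+user%2Cpass+FROM+users--",
    "tautology": "https://shop.example/list?category=shoes%27+or+%271%27%3D%271",
    "other_arg": "https://shop.example/list?category=select+option&q=%3B+drop+table+users",
}


def classify(samples=SAMPLES) -> dict:
    """Map each sample name to 'BLOCK' or 'ALLOW' for the scoped rule."""
    return {k: ("BLOCK" if inspect_query_arg(u) else "ALLOW") for k, u in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:15} {verdict}")
```

A hand-written pattern like this is deliberately narrow: it is a false-positive fix for one parameter, not a general SQL injection detector, which is why the managed rule group stays in place for every other request component.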

58
Multi-Selecthard

Which THREE are valid methods to control access to an S3 bucket? (Choose three.)

Select 3 answers
A.VPC Flow Logs
B.Access control lists (ACLs)
C.Bucket policies
D.IAM user policies
E.CloudWatch Logs
AnswersB, C, D

Legacy access control mechanism.

Why this answer

Option C is correct because bucket policies are resource-based policies attached to the bucket itself. Option D is correct because IAM identity-based policies grant users and roles permission to call S3 actions. Option B is correct because ACLs are a legacy per-bucket and per-object mechanism; new buckets disable them by default (Object Ownership set to bucket owner enforced) and policies are preferred.

Option A is wrong because VPC Flow Logs only record network metadata. Option E is wrong because CloudWatch Logs stores and analyzes logs; neither controls access.

59
MCQmedium

A company has a production AWS account with multiple IAM users. The security team wants to implement a policy that prevents users from launching EC2 instances without an IAM role that grants access to an S3 bucket containing sensitive data. The policy should also allow users to launch instances with other roles. A SysOps administrator creates an IAM policy that denies ec2:RunInstances if the instance does not have a specific IAM instance profile. However, users are still able to launch instances without any role. What is the most likely reason, and what should be done to fix it?

A.The condition key 'ec2:InstanceProfileArn' is misspelled; it should be 'ec2:IamInstanceProfile'.
B.The policy should be attached to the user's group instead of the user.
C.The policy needs to be applied as a service control policy (SCP) to be effective.
D.The condition key is incorrect; the policy should use 'ec2:InstanceProfile' condition key with a specific ARN.
AnswerD

The EC2 condition key that carries the instance profile ARN on ec2:RunInstances is ec2:InstanceProfile; a condition written against a key that does not exist never matches, so the Deny never applies.

Why this answer

Option D is correct because the condition key that exposes the instance profile ARN on ec2:RunInstances is `ec2:InstanceProfile`. The policy as written tests a key that does not exist in the request context, so its condition never matches, the Deny never applies, and launches without a role go through. Also check how the policy treats a launch with no profile at all: the key is then absent from the request context, `StringEquals` on an absent key evaluates to false while negated operators such as `StringNotEquals` evaluate to true, and the `Null` operator (`"Null": {"ec2:InstanceProfile": "true"}`) is the explicit way to deny that case. Option A is wrong because neither `ec2:InstanceProfileArn` nor `ec2:IamInstanceProfile` is a valid condition key. Option B is wrong because attaching the same policy to a group does not change how its condition evaluates.

Option C is wrong because an identity-based policy can deny ec2:RunInstances on its own; an SCP is only relevant with AWS Organizations and would have the same condition-key problem.

60
MCQmedium

A SysOps administrator notices that an EC2 instance running a web server is receiving unexpected traffic from an IP address that is known to be malicious. The administrator wants to block this IP address at the instance level. Which solution should be used?

A.Modify the network ACL to deny traffic from that IP.
B.Use AWS WAF to block the IP address.
C.Install a third-party firewall on the instance.
D.Update the security group to deny traffic from that IP.
AnswerA

NACLs support deny rules and can block IPs at subnet level.

Why this answer

Option A is correct. Security groups are allow-only, so the only VPC-native place to write an explicit deny for a source IP is a network ACL. A network ACL applies to the subnet rather than to a single instance and is stateless, so the deny must be an inbound rule numbered lower than the allow rules (rules are evaluated in order and the first match wins). Among the options it is the closest AWS-native solution that needs no software on the instance. Option D is wrong because security groups do not support deny rules.

Option B is wrong because AWS WAF attaches to an ALB, CloudFront distribution or API Gateway, not to an EC2 instance, and works at the HTTP layer. Option C is wrong because it adds third-party software to install and maintain when an AWS-native control already exists.

61
Multi-Selectmedium

A company needs to audit all changes to AWS resources. Which THREE AWS services should be used together to achieve this? (Choose three.)

Select 3 answers
A.Amazon Inspector
B.AWS CloudTrail
C.Amazon CloudWatch Events
D.AWS Trusted Advisor
E.AWS Config
AnswersB, C, E

Records API calls.

Why this answer

Option B is correct because CloudTrail records the API calls that change resources (who, when, from where). Option E is correct because AWS Config records the resulting configuration changes and keeps a history of each resource's state. Option C is correct because CloudWatch Events (now Amazon EventBridge) can match CloudTrail or Config events and trigger notifications or automated responses.

Option A is wrong because Amazon Inspector performs vulnerability assessments. Option D is wrong because Trusted Advisor reports best-practice findings, not a change audit trail.

62
Multi-Selectmedium

A company wants to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which TWO actions should the SysOps administrator take? (Choose TWO.)

Select 2 answers
A.Use VPC peering to connect the EC2 instance and RDS database.
B.Enable SSL/TLS for the RDS DB instance.
C.Set up a VPN connection between the EC2 instance and the RDS database.
D.Enable encryption at rest for the RDS DB instance.
E.Configure the application to use SSL/TLS when connecting to the database.
AnswersB, E

RDS supports SSL/TLS for encrypting connections.

Why this answer

Option B is correct because RDS provisions a TLS certificate for each DB instance and supports SSL/TLS connections; to make TLS mandatory rather than optional, also set the engine parameter (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL and MariaDB). Option E is correct because the client must be configured to use TLS (and ideally to verify the RDS CA certificate); without that, a connection can still be negotiated in clear text unless the engine enforces TLS. Option D is wrong because encryption at rest protects stored data, not data in transit.

Option A is wrong because VPC peering routes traffic but does not encrypt it. Option C is wrong because a VPN encrypts a tunnel but is unnecessary between an EC2 instance and RDS in the same VPC when TLS is available.

63
MCQmedium

A SysOps administrator needs to grant an IAM user the ability to rotate their own access keys. What is the minimum set of permissions required?

A.iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, iam:PutUserPolicy
B.iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, kms:*
C.iam:GetUser, iam:CreateAccessKey, iam:DeleteAccessKey, iam:UpdateAccessKey
D.iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey, iam:UpdateAccessKey
AnswerD

These actions allow a user to manage their own access keys.

Why this answer

Option D is correct. The minimum is iam:ListAccessKeys (find the existing key IDs), iam:CreateAccessKey (create the replacement), iam:UpdateAccessKey (deactivate the old key before removing it) and iam:DeleteAccessKey (remove it). In the policy, scope the Resource to the caller's own user, e.g. arn:aws:iam::<account-id>:user/${aws:username}, so the permission is self-service only. Option A is wrong because iam:PutUserPolicy would let the user change their own permissions and is not needed.

Option B is wrong because kms:* is unrelated to access keys and grants far too much. Option C is wrong because iam:GetUser is not needed (the IAM key calls default to the calling user) and it omits iam:ListAccessKeys, which is needed to find the old key ID.
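
The self-service rotation that these four permissions enable, as an added example (not the page's code and not an AWS library): the policy document scoped with ${aws:username}, and a two-phase rotation routine that creates the replacement, deploys it, deactivates the old key, and deletes it only in a separate step. The routine takes any object exposing the four IAM calls with boto3's parameter names, so it runs here against an in-memory fake (FakeIam, constructed for the example; key IDs and the account ID are hypothetical) and against boto3.client('iam') in practice.

```python
from typing import Tuple

# Minimum self-service policy from the question, scoped to the caller's own
# user via the ${aws:username} policy variable.  Account ID is hypothetical.
SELF_SERVICE_KEY_ROTATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RotateOwnAccessKeys",
        "Effect": "Allow",
        "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey",
                   "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
        "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
    }],
}


def rotate_access_key(iam, user_name: str, deploy) -> Tuple[str, str]:
    """Create a replacement key, hand it to `deploy` (whatever installs the
    new credentials), then deactivate the old key.  Returns (new_id, old_id).
    IAM allows two keys per user, so a leftover inactive key is deleted
    first; two active keys means a previous rotation was never finished."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    active = [k["AccessKeyId"] for k in keys if k["Status"] == "Active"]
    if len(active) != 1:
        raise RuntimeError(f"expected exactly one active key, found {len(active)}")
    for k in keys:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"])
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    deploy(new_key)  # roll the new key out before the old one stops working
    old_id = active[0]
    # Inactive rather than deleted: it can be re-enabled if something still uses it.
    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    return new_key["AccessKeyId"], old_id


def finish_rotation(iam, user_name: str, old_id: str) -> None:
    """Delete the retired key once nothing has broken with it inactive."""
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)


class FakeIam:
    """In-memory stand-in for boto3.client('iam') with the four calls above.
    Constructed for the example; it enforces the two-keys-per-user quota."""

    def __init__(self, key_ids):
        self.keys = {k: "Active" for k in key_ids}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: AccessKeysPerUser quota is 2")
        self._n += 1
        key_id = f"AKIAEXAMPLENEW{self._n:04d}"  # constructed ID
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo() -> dict:
    """Run a full rotation against the fake and return the key states after
    each phase, so the two-phase behaviour can be checked."""
    iam = FakeIam(["AKIAEXAMPLEOLD0001"])
    new_id, old_id = rotate_access_key(iam, "alice", deploy=lambda k: None)
    after_rotate = dict(iam.keys)
    finish_rotation(iam, "alice", old_id)
    return {"new_id": new_id, "old_id": old_id,
            "after_rotate": after_rotate, "after_finish": dict(iam.keys)}


if __name__ == "__main__":
    print(demo())
```

With the real client the calls are the same: rotate_access_key(boto3.client("iam"), user, deploy). The UserName parameter of these IAM calls defaults to the caller when omitted, which is why iam:GetUser is not part of the minimum set.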

64
Multi-Selectmedium

Which TWO actions should a SysOps administrator take to secure an AWS account root user? (Choose two.)

Select 2 answers
A.Delete the root user after creating an admin IAM user.
B.Apply a service control policy (SCP) to restrict the root user.
C.Enable multi-factor authentication (MFA) for the root user.
D.Enable CloudTrail to monitor root user activity.
E.Do not create access keys for the root user.
AnswersC, E

Adds an extra layer of security.

Why this answer

Option C is correct because MFA on the root user is a baseline control. Option E is correct because root access keys are long-lived credentials with unrestricted privileges; if any exist, delete them and use IAM identities (preferably roles) for daily work. Option D is wrong because CloudTrail records root activity, which is worth doing, but it is detection rather than a control that secures the root user.

Option A is wrong because the root user cannot be deleted. Option B is wrong because SCPs do not apply to the management account at all, so they cannot constrain its root user (they do apply to member accounts, including their root users).

65
MCQhard

A SysOps administrator needs to restrict access to an Amazon S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy statement should be added to the bucket policy?

A.Condition: { StringEquals: { 'aws:SourceVpc': 'vpc-12345' } }
B.Condition: { StringEquals: { 'ec2:Vpc': 'vpc-12345' } }
C.Condition: { IpAddress: { 'aws:VpcSourceIp': '10.0.0.0/16' } }
D.Condition: { StringEquals: { 'aws:SourceVpce': 'vpce-12345' } }
AnswerD

'aws:SourceVpce' restricts to a specific VPC endpoint.

Why this answer

Option D is correct because 'aws:SourceVpce' carries the ID of the VPC endpoint the request came through; matching it with StringEquals restricts access to that one endpoint. In practice this is written as a Deny with StringNotEquals so every other path (including the console) is blocked, so keep an administrative break-glass principal excluded from the Deny. Option A is wrong because 'aws:SourceVpc' matches any endpoint in the VPC rather than the specific endpoint. Option C is wrong because 'aws:VpcSourceIp' is a valid key but matches the private source IP of a request that traverses a VPC endpoint, so it restricts by address range, not by endpoint.

Option B is wrong because 'ec2:Vpc' is an EC2 condition key for EC2 resources and is not available in an S3 bucket policy.

66
MCQhard

A company uses AWS KMS to encrypt EBS volumes attached to EC2 instances. The security team wants to ensure that only specific IAM roles can decrypt the volumes. Which configuration meets this requirement?

A.Use a service control policy to deny kms:Decrypt for all users.
B.Apply a bucket policy on the EBS snapshot bucket.
C.Modify the KMS key policy to allow only specific IAM roles to use kms:Decrypt.
D.Attach an instance profile with a policy that denies ec2:DetachVolume.
AnswerC

KMS key policies can restrict decryption to specific IAM roles.

Why this answer

Option C is correct because the KMS key policy is the primary authority over who can use a key; restricting kms:Decrypt (together with the grant-related actions EC2 uses on the caller's behalf when attaching encrypted volumes, such as kms:CreateGrant) to specific IAM roles means only those principals can decrypt. Option D is wrong because ec2:DetachVolume concerns volume attachment, not decryption. Option B is wrong because EBS snapshots are not stored in a customer-visible S3 bucket, so no bucket policy applies.

Option A is wrong because an SCP that denies kms:Decrypt to everyone would also block the intended roles; SCPs set maximum permissions and are not the place for per-role grants.

67
MCQmedium

A company's security policy requires that all Amazon S3 buckets must have server-side encryption (SSE-S3 or SSE-KMS) enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and remediate it by enabling SSE-S3. Which AWS service should be used to implement this automated compliance enforcement?

A.AWS Config
B.Amazon Inspector
C.AWS Trusted Advisor
D.Amazon Macie
AnswerA

AWS Config with a managed rule can detect non-compliant buckets and trigger automatic remediation via Systems Manager or Lambda.

Why this answer

AWS Config is the correct service because it provides managed rules (e.g., s3-bucket-server-side-encryption-enabled) that can continuously evaluate S3 bucket configurations against the security policy. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action via Systems Manager Automation to enable SSE-S3, enforcing compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation and remediation capabilities with Trusted Advisor's advisory checks, leading them to choose Trusted Advisor despite its lack of automated enforcement.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not for evaluating S3 bucket encryption settings. Option C is wrong because AWS Trusted Advisor provides best-practice checks and recommendations but does not offer automated remediation or continuous compliance enforcement; it is a reactive advisory tool. Option D is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data in S3, not to enforce encryption policies or remediate non-compliant buckets.

68
Multi-Selecthard

A SysOps administrator needs to securely transfer a large dataset from an on-premises server to an Amazon S3 bucket. The data is sensitive and must be encrypted in transit and at rest. Which THREE steps should the administrator take? (Choose three.)

Select 3 answers
A.Create an S3 endpoint policy that only allows access from the on-premises IP range
B.Enable default encryption on the S3 bucket using SSE-KMS
C.Use the AWS CLI with the --sse aws:kms option to enforce encryption during upload
D.Disable public access to the S3 bucket
E.Use an S3 bucket policy that denies requests unless they are made over HTTPS
AnswersA, B, C

This restricts access to the bucket to only the on-premises network, enhancing security.

Why this answer

The answer key counts three explicit steps: enable default bucket encryption with SSE-KMS (encryption at rest for every object, even when a client omits the flag), request server-side encryption on the upload itself with the CLI's --sse aws:kms option (for example aws s3 cp ./dataset s3://bucket/ --recursive --sse aws:kms), and restrict where requests may come from with an endpoint policy scoped to the on-premises range. The AWS CLI and SDKs use HTTPS by default, which is why the key treats encryption in transit as already covered. Note that a bucket policy denying requests when aws:SecureTransport is false (option E) is what enforces that rather than assumes it, and blocking public access (option D) is a sound baseline; neither is a bad step, they are just not the three the question is after.

69
MCQeasy

A SysOps administrator needs to ensure that an Amazon EC2 instance can access an Amazon S3 bucket without storing long-term credentials on the instance. Which approach should be used?

A.Configure a security group rule that allows outbound traffic to S3.
B.Assign a bucket policy that grants access to the EC2 instance's public IP address.
C.Create an IAM role with S3 permissions and attach it to the EC2 instance profile.
D.Create an IAM user with programmatic access and store the credentials in a file on the instance.
AnswerC

IAM role provides temporary credentials via instance metadata.

Why this answer

Option C is correct because a role attached through an instance profile gives the instance short-lived credentials from the instance metadata service (IMDS) that are rotated automatically; require IMDSv2 on the instance so those credentials cannot be read through a simple SSRF. Option D is wrong because long-term IAM user keys stored on disk are exactly what the question wants to avoid. Option B is wrong because a bucket policy keyed on the instance's public IP grants nothing unless the request is signed with AWS credentials, and the IP is a weak, changeable identifier.

Option A is wrong because security groups govern network reachability, not S3 authorization.

70
MCQeasy

A SysOps administrator needs to share an encrypted AMI with a different AWS account. The AMI uses an AWS KMS key (customer managed key) for EBS encryption. What must be done to allow the target account to launch EC2 instances from the AMI?

A.Share the underlying EBS snapshot with the target account.
B.Re-encrypt the AMI using a new KMS key that is shared with the target account.
C.Modify the AMI launch permissions and add the target account as a principal in the KMS key policy with kms:Decrypt permission.
D.Modify the AMI launch permissions to include the target account.
AnswerC

Both AMI and KMS permissions are required.

Why this answer

To share an encrypted AMI with a different account, both the AMI launch permissions and the KMS key policy must be updated. Option C is correct because it grants both: the target account is added to the launch permissions, and the customer managed key's policy allows that account to use the key (kms:Decrypt, and in practice also kms:DescribeKey, kms:ReEncrypt* and kms:CreateGrant, which EC2 uses when it creates volumes from the snapshot). Option D is wrong because launch permissions alone are not enough; without key access the target account cannot decrypt the snapshot.

Option A is wrong because sharing the snapshot separately still does not grant KMS access. Option B is wrong because re-encrypting is unnecessary once the key policy is right; it would only be required if the AMI were encrypted with the AWS managed aws/ebs key, which cannot be shared across accounts.

71
Multi-Selecthard

A company uses AWS CloudTrail to log API calls. The SysOps team needs to ensure that any attempt to disable CloudTrail logging is immediately detected and triggers an automated response. Which combination of services should be used? (Choose two.)

Select 2 answers
A.AWS Config
B.AWS Lambda
C.Amazon Inspector
D.Amazon Simple Queue Service (SQS)
E.Amazon EventBridge (CloudWatch Events)
AnswersB, E

Lambda can be triggered by EventBridge to automatically re-enable CloudTrail logging.

Why this answer

The correct answer is B and E. EventBridge (formerly CloudWatch Events) receives CloudTrail management events and can match a rule pattern on eventName StopLogging (and, for completeness, DeleteTrail and UpdateTrail), invoking a Lambda function that calls StartLogging and raises an alert. Options A and C are wrong because AWS Config evaluates resource state on configuration change or on a schedule and is not the tool for an immediate, event-driven reaction to a single API call, and Amazon Inspector performs vulnerability assessments.

Option D is wrong because SQS only queues messages; something still has to consume them and act.
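
The detection and response pair from the answer, as an added example (written for this page, not the page's or AWS's code): an EventBridge rule pattern for the CloudTrail API calls that stop or alter logging, a small matcher that applies EventBridge's value-list semantics to a constructed event, and the Lambda handler that restarts logging for StopLogging while only alerting on DeleteTrail/UpdateTrail. The CloudTrail client is injected so the example runs offline against a fake; in Lambda pass boto3.client('cloudtrail') and give the function role cloudtrail:StartLogging. Account ID, trail name and principal in the event are hypothetical.

```python
from typing import Dict, List, Tuple

# EventBridge rule pattern (hypothetical rule written for this example):
# match the CloudTrail management events that stop or alter logging.
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
    },
}


def matches(pattern: Dict, event: Dict) -> bool:
    """EventBridge value-list matching for the subset used above: every key
    in the pattern must exist in the event, nested objects recurse, and a
    leaf matches when the event value is one of the listed values."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True


def lambda_handler(event: Dict, cloudtrail, alerts: List[str]) -> Dict:
    """Re-enable logging when a trail was stopped.  For DeleteTrail and
    UpdateTrail only alert: recreating a trail blindly can hide what happened.
    `cloudtrail` is boto3.client('cloudtrail') in Lambda; here it is injected.
    `alerts` stands in for an SNS publish."""
    detail = event["detail"]
    name = detail["eventName"]
    trail = detail["requestParameters"]["name"]
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    message = f"{name} on trail {trail} by {actor}"
    if name == "StopLogging":
        cloudtrail.start_logging(Name=trail)
        message += "; logging restarted"
    alerts.append(message)
    return {"trail": trail, "eventName": name, "actor": actor,
            "restarted": name == "StopLogging"}


class FakeCloudTrail:
    """Records StartLogging calls; stands in for the boto3 client."""

    def __init__(self):
        self.started: List[str] = []

    def start_logging(self, Name):
        self.started.append(Name)


# Constructed event in the shape EventBridge delivers for a CloudTrail
# management event (account ID, trail and principal are hypothetical).
STOP_LOGGING_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"name": "management-events-trail"},
    },
}


def run_demo() -> Tuple[bool, Dict, List[str], List[str]]:
    """Match the constructed event against the rule and run the handler."""
    hit = matches(EVENT_PATTERN, STOP_LOGGING_EVENT)
    ct, alerts = FakeCloudTrail(), []
    result = lambda_handler(STOP_LOGGING_EVENT, ct, alerts) if hit else {}
    return hit, result, ct.started, alerts


if __name__ == "__main__":
    print(run_demo())
```

Pair this with a preventive control where possible: a Deny on cloudtrail:StopLogging and cloudtrail:DeleteTrail in an SCP or identity policy for everyone except a break-glass role, so the responder is the backstop rather than the only line.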

72
Multi-Selecteasy

Which THREE security best practices should be followed when managing IAM users? (Choose three.)

Select 3 answers
A.Attach policies directly to users
B.Rotate access keys regularly
C.Use the root user for daily administration
D.Grant least privilege permissions
E.Enable MFA for all users
AnswersB, D, E

Limits exposure of compromised keys.

Why this answer

Rotating access keys regularly (B), granting least privilege (D) and enabling MFA for all users (E) are the three best practices. Option C is wrong because the root user should not be used for daily administration.

Option A is wrong because policies should be attached to groups or roles rather than directly to users, which keeps permissions consistent and easier to audit.

73
MCQmedium

A company's security policy requires that all IAM users must have multi-factor authentication (MFA) enabled. A SysOps administrator needs to automatically detect IAM users without MFA and generate a compliance report. Which AWS service should be used to meet this requirement with minimal operational overhead?

A.AWS Config
B.AWS CloudTrail
C.IAM Access Analyzer
D.AWS Trusted Advisor
AnswerA

AWS Config has a managed rule for IAM user MFA that can automatically evaluate and report compliance.

Why this answer

AWS Config provides managed rules such as `iam-user-mfa-enabled` that can continuously evaluate IAM users against the requirement for MFA. When a user is found without MFA, AWS Config can trigger an automatic remediation action or generate a compliance report via its dashboard or Amazon SNS notifications, meeting the detection and reporting need with minimal operational overhead.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation with CloudTrail's auditing or Trusted Advisor's checks, not realizing that only AWS Config offers a managed rule specifically for IAM user MFA enforcement with automated reporting.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API activity and does not perform ongoing resource configuration compliance checks; it cannot detect the absence of MFA on IAM users. Option C is wrong because IAM Access Analyzer analyzes resource policies for external access, not user-level MFA status. Option D is wrong because AWS Trusted Advisor provides best-practice checks but does not have a specific check for IAM user MFA enforcement; it focuses on root account MFA and other high-level recommendations.

74
MCQhard

A company's security policy requires that all IAM users must authenticate using multi-factor authentication (MFA) before accessing the Amazon S3 bucket containing confidential finance data. The SysOps administrator needs to create an IAM policy that denies access to the S3 bucket if the user has not authenticated using MFA. Which IAM condition key should the administrator include in the policy?

A.aws:MultiFactorAuthPresent
B.aws:UserAgent
C.aws:SourceIp
D.aws:RequestedRegion
AnswerA

This Boolean condition key checks if MFA was used during authentication. Denying access when it evaluates to false enforces MFA.

Why this answer

The `aws:MultiFactorAuthPresent` condition key evaluates to `true` when the requesting IAM user has authenticated using a valid MFA device. By including this key in a `Deny` statement with a condition that it is `false`, the policy effectively blocks any S3 access unless MFA was used. This directly enforces the security policy requirement.

Exam trap

The trap here is that candidates may confuse `aws:MultiFactorAuthPresent` with `aws:MultiFactorAuthAge` or assume that simply having MFA enabled on the user account automatically sets the key, when in fact the key is only present if MFA was used during the current session authentication.

How to eliminate wrong answers

Option B is wrong because `aws:UserAgent` checks the user agent string of the request, which is irrelevant to authentication method. Option C is wrong because `aws:SourceIp` restricts access based on the requester's IP address, not MFA status. Option D is wrong because `aws:RequestedRegion` limits access to specific AWS regions, which does not enforce MFA authentication.
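
The deny-unless-MFA pattern from questions 51, 55 and 74, as an added example that is not from the page or from AWS: a small Python simulation of the documented evaluation rules (an explicit Deny beats any Allow; a Bool or StringEquals condition whose key is missing from the request context does not match, while the IfExists variant treats a missing key as a match). It runs three constructed request contexts against two versions of the policy to show why the Deny should use BoolIfExists. Bucket name, object key and the request contexts are constructed for the example.

```python
from typing import Dict, List

# Hypothetical bucket from the question scenario.
BUCKET_ARN = "arn:aws:s3:::finance-confidential"
OBJECTS = BUCKET_ARN + "/*"

# Allow everything on the bucket, then deny it when MFA was not used.
# Version 1: plain Bool test.
POLICY_BOOL = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": OBJECTS},
    {"Effect": "Deny", "Action": "s3:*", "Resource": OBJECTS,
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]
# Version 2: BoolIfExists, so a request whose context lacks the key
# (long-term access keys) is denied as well.
POLICY_BOOL_IF_EXISTS = [
    POLICY_BOOL[0],
    {"Effect": "Deny", "Action": "s3:*", "Resource": OBJECTS,
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

# Constructed request contexts.  The MFA key is only populated for
# temporary credentials; long-term access keys do not carry it at all.
CTX_MFA = {"aws:MultiFactorAuthPresent": "true"}      # console + MFA, or STS session with MFA
CTX_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}  # temporary credentials obtained without MFA
CTX_ACCESS_KEYS: Dict[str, str] = {}                  # long-term access keys: key absent


def _glob(pattern: str, value: str) -> bool:
    """Exact match, or a trailing '*' wildcard (enough for these policies)."""
    return pattern == value or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def _condition_matches(condition: Dict, context: Dict[str, str]) -> bool:
    """All operator blocks must match.  A key missing from the context fails
    the test, unless the operator carries the IfExists suffix."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, wanted in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = context[key]
            if base == "Bool":
                matched = actual.lower() == wanted.lower()
            elif base == "StringEquals":
                matched = actual == wanted
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True


def evaluate(policy: List[Dict], action: str, resource: str, context: Dict[str, str]) -> str:
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy:
        if not _glob(stmt["Action"], action) or not _glob(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def mfa_outcomes(policy: List[Dict]) -> Dict[str, str]:
    """Outcome of s3:GetObject for each constructed context."""
    key = BUCKET_ARN + "/q3-report.xlsx"
    return {
        "mfa": evaluate(policy, "s3:GetObject", key, CTX_MFA),
        "no_mfa": evaluate(policy, "s3:GetObject", key, CTX_NO_MFA),
        "access_keys": evaluate(policy, "s3:GetObject", key, CTX_ACCESS_KEYS),
    }


if __name__ == "__main__":
    print("Bool:        ", mfa_outcomes(POLICY_BOOL))
    print("BoolIfExists:", mfa_outcomes(POLICY_BOOL_IF_EXISTS))
```

The access_keys row is the point: with a plain Bool test the Deny silently does not apply to requests signed with long-term keys and the Allow wins, whereas BoolIfExists closes that gap. The same evaluator shape applies to a Deny keyed on aws:SourceVpce (question 65), where StringEquals against an absent key likewise fails to match.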

75
MCQeasy

A company's security policy requires that all Amazon S3 buckets must have server-side encryption enabled. The SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and notify the security team. Which AWS service should be used to detect non-compliant buckets?

A.Amazon Inspector
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerB

AWS Config has managed rules to evaluate resource settings, including S3 bucket encryption. It can automatically detect non-compliant buckets and send notifications.

Why this answer

AWS Config is the correct service because it continuously monitors and evaluates the configuration of AWS resources against desired policies. By using an AWS Config managed rule such as `s3-bucket-server-side-encryption-enabled`, you can automatically detect any S3 bucket that lacks server-side encryption and trigger an SNS notification to the security team.

Exam trap

The trap here is confusing AWS Config's configuration compliance monitoring with AWS CloudTrail's API logging or GuardDuty's threat detection, leading candidates to choose a service that records actions rather than one that evaluates resource states.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not for S3 bucket encryption compliance. Option C is wrong because AWS CloudTrail records API activity and provides audit logs, but it does not evaluate resource configurations against compliance rules or detect non-compliant buckets. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, not for checking S3 bucket encryption settings.
