CCNA Soa Security Compliance Questions

75 of 260 questions · Page 2/4 · Soa Security Compliance topic · Answers revealed

76 · MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user. The user's IP address is 10.0.1.5. What is the result when the user tries to download an object from the folder 'confidential' in 'example-bucket'?

A. The request is denied because of the explicit Deny statement.
B. The request is allowed because the Deny statement only applies if the IP is outside the range.
C. The request is allowed because the user's IP matches the allowed range.
D. The request is denied because the Deny statement applies only when the IP is outside the range.
Answer: A

Deny statements always override Allow statements.

Why this answer

Option A is correct because the explicit Deny for the 'confidential' folder overrides the Allow. Option B is wrong because the Deny takes precedence. Option C is wrong because the Deny is explicit and not conditional.

Option D is wrong because the Deny does not depend on the IP address.

77 · MCQ · medium

An administrator notices that an EC2 instance has been compromised. The instance is part of an Auto Scaling group. What should the administrator do FIRST to contain the incident?

A. Update the Auto Scaling group's launch configuration to use a different AMI.
B. Terminate the instance immediately.
C. Detach the instance from the Auto Scaling group and apply a security group that denies all traffic.
D. Delete the Auto Scaling group.
Answer: C

Isolates the compromised instance.

Why this answer

Option C is correct because detaching the instance from the ASG and applying a deny-all security group isolates it. Option B is wrong because termination may lose evidence. Option A is wrong because changing the launch configuration doesn't affect running instances.

Option D is wrong because deleting the Auto Scaling group (which terminates its instances) is not immediate containment.

78 · MCQ · medium

Account A owns an S3 bucket containing shared artifacts. Account B needs to read objects from the bucket. The Account A team wants to grant access without creating IAM users, sharing access keys, or creating a role in Account A that Account B assumes. How should the bucket be configured to allow Account B's IAM roles to read objects?

A. Add an S3 bucket policy on Account A's bucket with Principal set to Account B's account ID and s3:GetObject permission; ensure Account B's roles have s3:GetObject in their identity policies
B. Create an IAM role in Account A with s3:GetObject permission and a trust policy allowing Account B's roles to assume it
C. Generate a presigned URL for each object in Account A and share the URLs with Account B's services
D. Enable S3 Access Points on the bucket and create an access point that allows Account B's VPC to connect via PrivateLink
Answer: A

Cross-account S3 access requires both a resource-based policy (bucket policy) that grants Account B access, and identity-based policies in Account B that allow the action. The bucket policy's Principal field specifies Account B's account root ARN or specific role ARNs. When both sides allow, the call succeeds without any role chaining or credential sharing.

Why this answer

Option A is correct because it uses an S3 bucket policy with a Principal set to Account B's account ID, which grants cross-account access to all IAM principals (users and roles) in Account B. Account B's IAM roles must also have an identity policy that allows s3:GetObject, ensuring that the effective permissions require both the bucket policy and the role's policy to allow the action. This approach avoids creating IAM users, sharing access keys, or setting up a role in Account A for Account B to assume.

Exam trap

Cisco often tests the misconception that a bucket policy with a cross-account Principal automatically grants access to all IAM roles in that account, but candidates forget that the roles must also have an explicit allow in their identity policies for the action to succeed.

How to eliminate wrong answers

Option B is wrong because it requires creating a role in Account A that Account B assumes, which violates the requirement to avoid such a setup. Option C is wrong because presigned URLs grant temporary access but require generating and sharing a URL for each object, which is not a scalable or secure method for ongoing access by IAM roles, and it does not leverage IAM policies for authorization. Option D is wrong because S3 Access Points with VPC PrivateLink restrict access to a specific VPC, but they do not inherently grant cross-account access to IAM roles in Account B without additional bucket policies or resource policies, and the question does not specify VPC-based access.

79 · Multi-Select · easy

A company wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. Which TWO steps should be taken? (Choose two.)

Select 2 answers
A. Use AWS CloudTrail to monitor MFA usage.
B. Create an IAM policy that denies access without MFA.
C. Enable MFA for each IAM user in the AWS Management Console.
D. Enable MFA at the AWS account level.
E. Modify the IAM role trust policy to require MFA.
Answers: B, C

Enforces MFA.

Why this answer

Option C is correct because you must first enable MFA on each user's account. Option B is correct because you need an IAM policy that denies access if MFA is not present. Option D is wrong because AWS does not have a global MFA setting.

Option E is wrong because a trust policy is for roles. Option A is wrong because CloudTrail does not enforce MFA.

80 · Multi-Select · hard

A SysOps administrator needs to audit all changes to IAM resources in their AWS account. Which THREE AWS services can be used together to achieve this? (Choose THREE.)

Select 3 answers
A. AWS CloudTrail
B. Amazon GuardDuty
C. AWS Config
D. AWS Trusted Advisor
E. Amazon CloudWatch Logs
Answers: A, C, E

Records IAM API calls.

Why this answer

Option A is correct because AWS CloudTrail records IAM API calls. Option C is correct because AWS Config can track changes to IAM resources and trigger rules. Option E is correct because Amazon CloudWatch Logs can store and monitor CloudTrail logs.

Option B is wrong because Amazon GuardDuty is for threat detection, not auditing changes. Option D is wrong because AWS Trusted Advisor is for best-practice checks.

81 · MCQ · hard

A company uses AWS Organizations and wants to restrict access to S3 buckets based on project tags. The security policy requires that users in the 'DataScientists' group can only access S3 buckets that have the tag 'Project: DataEngineering'. Which IAM policy condition key should the SysOps administrator use in a customer managed policy to enforce this restriction?

A. aws:ResourceTag
B. s3:ExistingObjectTag
C. s3:ResourceTag
D. iam:ResourceTag
Answer: A

The aws:ResourceTag condition key allows you to control access based on tags attached to the resource being accessed (e.g., S3 bucket tag). You can use it in the 'Condition' element of an IAM policy to enforce the tag requirement.

Why this answer

Option A is correct because the `aws:ResourceTag` condition key is used in IAM policies to control access based on the tags attached to the AWS resource (in this case, an S3 bucket). By specifying `aws:ResourceTag/Project` with a value of `DataEngineering`, the policy ensures that only S3 buckets with that exact tag are accessible to the 'DataScientists' group. This key is evaluated against the resource's tags at the time of the request, making it the appropriate choice for tag-based resource restrictions.

Exam trap

The trap here is that candidates often confuse `aws:ResourceTag` with service-specific keys like `s3:ExistingObjectTag`, mistakenly applying object-level conditions to bucket-level restrictions, or they assume `s3:ResourceTag` exists as a valid key when it does not.

How to eliminate wrong answers

Option B is wrong because `s3:ExistingObjectTag` is used to condition access based on tags on individual objects within an S3 bucket, not on the bucket itself, and thus cannot restrict access to buckets based on bucket-level tags. Option C is wrong because `s3:ResourceTag` is not a valid IAM condition key; AWS uses `aws:ResourceTag` for resource-level tags across services, and S3-specific condition keys like `s3:ExistingObjectTag` or `s3:RequestObjectTag` are for object-level operations. Option D is wrong because `iam:ResourceTag` is specific to IAM resources (such as users, roles, or policies) and cannot be used to restrict access to S3 buckets based on bucket tags.

82 · MCQ · hard

An organization requires that all Amazon EC2 instances must be launched only with approved Amazon Machine Images (AMIs) that have been pre-approved by the security team. The SysOps administrator needs to enforce this policy for all current and future instances in the AWS account. Unapproved AMIs should be prevented from launching. Which solution meets these requirements with the least operational overhead?

A. Use AWS Config with the 'approved-amis-by-id' managed rule to evaluate and automatically remediate noncompliant instances.
B. Use an AWS Service Control Policy (SCP) to deny ec2:RunInstances if the AMI ID is not in an approved list.
C. Create an IAM policy that denies ec2:RunInstances for any AMI not on an approved list and attach it to all IAM users and roles.
D. Use AWS Systems Manager Patch Manager to approve AMIs and configure the fleet to use only approved images.
Answer: A

AWS Config can continuously monitor and automatically remediate instances launched with unapproved AMIs, requiring minimal manual effort.

Why this answer

AWS Config with the 'approved-amis-by-id' managed rule continuously evaluates EC2 instances against a list of approved AMI IDs. When a noncompliant instance is detected, you can configure automatic remediation (e.g., using AWS Systems Manager Automation to stop or terminate the instance). This approach enforces the policy for both existing and future instances with minimal operational overhead, as it requires no custom code or manual policy updates.

Exam trap

The trap here is that candidates often choose an IAM policy or SCP because they think preventing the launch is more effective than detecting and remediating, but AWS Config with automatic remediation provides a simpler, fully managed solution that requires no custom policy maintenance and works across all current and future instances without manual updates.

How to eliminate wrong answers

Option B is wrong because Service Control Policies (SCPs) are applied at the AWS Organizations level and can only deny actions based on conditions available at the time of the API call; they cannot dynamically evaluate a list of approved AMI IDs without a custom condition key, and they do not provide automatic remediation for already-running instances. Option C is wrong because IAM policies attached to users and roles cannot prevent launches by services or scripts that use instance profiles or assume roles with different permissions, and they require manual maintenance to keep the approved list updated across all principals. Option D is wrong because AWS Systems Manager Patch Manager is designed for patching operating systems and applications, not for approving or enforcing AMI usage at launch time; it cannot prevent an EC2 instance from being launched with an unapproved AMI.

83 · Multi-Select · medium

A company wants to audit all API calls made in their AWS account for compliance. Which THREE AWS services can be used together to capture and store these logs? (Choose three.)

Select 3 answers
A. Amazon CloudWatch Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon S3
E. Amazon GuardDuty
Answers: A, B, D

CloudWatch Logs can monitor and store logs for analysis.

Why this answer

Options A, B, and D are correct. AWS CloudTrail captures API calls, Amazon S3 stores the logs, and Amazon CloudWatch Logs can be used to monitor and alert on logs. Option C is wrong because AWS Config records resource configuration changes, not API calls.

Option E is wrong because Amazon GuardDuty is a threat detection service, not a logging service.

84 · MCQ · hard

A SysOps administrator is managing an AWS account that contains multiple S3 buckets. The security team requires that all objects uploaded to any S3 bucket must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). The administrator wants to enforce this using a bucket policy that denies uploads without the x-amz-server-side-encryption header set to AES256. After implementing the policy on a test bucket, the administrator finds that some PutObject API calls from an application are failing even though the application is sending the correct header. The application uses the AWS SDK and the bucket is in the same region. What is the most likely cause?

A. The bucket has default encryption enabled, and the SDK is not sending the encryption header because it relies on default encryption.
B. The bucket policy is too restrictive; it should allow s3:PutObject without encryption for certain principals.
C. The bucket has an ACL that denies PutObject for the application's IAM role.
D. The application is using an IAM role that does not have permission to use the KMS key for encryption.
Answer: A

Default encryption does not send the header; the policy requires the header.

Why this answer

Option A is correct because if the bucket has default encryption enabled, the SDK might not send the header, relying on default encryption. The policy denies uploads without the header, causing failure even though default encryption would encrypt the object. Option B is wrong because bucket policies affect all principals.

Option D is wrong because if the header is present, KMS keys are not required. Option C is wrong because ACLs do not affect encryption enforcement.

85 · MCQ · medium

A SysOps administrator is investigating an unauthorized stop of an EC2 instance. The CloudTrail log entry shows the event. What is the first step to determine if the action was authorized?

A. Check the S3 bucket where CloudTrail logs are stored.
B. Verify the source IP address belongs to the company.
C. Check the EC2 instance's state change history.
D. Check the IAM permissions of the user 'Admin' at the time of the event.
Answer: D

Determine if the action was allowed.

Why this answer

Option D is correct because the event shows an IAM user "Admin" and a source IP. Checking the IAM permissions for that user at the time of the event will show if they had the ec2:StopInstances permission. Option A is wrong because the event is already in CloudTrail.

Option C is wrong because the instance state change is already in CloudTrail. Option B is wrong because the user agent shows the console.

86 · MCQ · easy

A SysOps administrator needs to ensure that an EC2 instance can access an S3 bucket without storing AWS credentials on the instance. What should the administrator do?

A. Create a bucket policy that allows access from the instance's public IP.
B. Create an IAM role with S3 access and attach it to the instance profile.
C. Store the access key and secret key in a file on the instance.
D. Configure the security group to allow outbound traffic to S3.
Answer: B

The instance can assume the role and obtain temporary credentials.

Why this answer

Option B is correct because an IAM role attached to the EC2 instance provides temporary credentials via the instance profile. Option C is wrong because storing access keys on the instance is insecure. Option D is wrong because security groups do not provide credentials.

Option A is wrong because a bucket policy alone does not provide credentials to the instance.

87 · MCQ · hard

A company's security team wants to ensure that all new S3 buckets created in the AWS account are automatically encrypted with server-side encryption. What should a SysOps administrator do to enforce this?

A. Enable S3 Block Public Access at the account level.
B. Use AWS CloudTrail to monitor bucket creation and trigger a Lambda function to encrypt the bucket.
C. Enable default encryption on each existing bucket.
D. Use a service control policy (SCP) to deny creation of buckets without encryption.
Answer: D

SCPs can prevent creation of unencrypted buckets across the organization.

Why this answer

Option D is correct because a policy can deny creation of buckets without encryption, and SCPs can enforce that policy across the organization. Option C is wrong because default encryption is set per bucket, not globally. Option B is wrong because CloudTrail does not enforce encryption.

Option A is wrong because S3 Block Public Access does not enforce encryption.

88 · MCQ · easy

Refer to the exhibit. An IAM role has the trust policy shown. Which entity can assume this role?

A. Only the IAM user with the ARN arn:aws:iam::123456789012:user/Admin
B. Any IAM user in any AWS account
C. Any IAM user in the AWS account 123456789012
D. Only users who have MFA enabled
Answer: C

The root principal includes all IAM users in the account.

Why this answer

Option C is correct because the trust policy allows the root user of the same account (arn:aws:iam::123456789012:root) to assume the role. This includes all IAM users in that account. Option A is incorrect because the policy does not specify any user ARN.

Option B is incorrect because the policy does not allow external accounts. Option D is incorrect because the condition is empty and does not require MFA.

89 · MCQ · easy

A SysOps administrator needs to ensure that an Amazon RDS instance is encrypted at rest. The instance is already provisioned unencrypted. What is the correct approach to enable encryption?

A. Create a snapshot of the instance and restore it with encryption enabled
B. Use AWS KMS to encrypt the underlying EBS volumes of the RDS instance
C. Enable encryption using the AWS CLI command modify-db-instance
D. Modify the RDS instance and enable encryption in the configuration
Answer: A

This is the correct procedure: snapshot, copy with encryption, restore from encrypted snapshot.

Why this answer

RDS encryption can only be enabled at creation time. For an existing unencrypted instance, you must create a snapshot, copy it with encryption, and restore from that encrypted snapshot. Modifying the instance or enabling encryption on the fly is not supported.

90 · MCQ · hard

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all new S3 buckets created in any account have encryption enabled. Which approach should be used to enforce this policy?

A. Create a service control policy (SCP) that denies the s3:CreateBucket action unless the request includes the x-amz-server-side-encryption header with a valid encryption algorithm.
B. Create an IAM role in each member account with a policy that denies s3:CreateBucket without encryption, and require all users to assume that role.
C. Use AWS Config managed rule 's3-bucket-server-side-encryption-enabled' to detect non-compliant buckets and automatically remediate.
D. Enable AWS CloudTrail and create a CloudWatch Events rule that triggers a Lambda function to delete any bucket created without encryption.
Answer: A

SCPs allow central governance over actions across accounts, and can enforce conditions on API calls.

Why this answer

Option A is correct because SCPs can be applied to all accounts in the organization to deny creation of S3 buckets without encryption. Option B is wrong because IAM roles are per account and not centrally enforced. Option D is wrong because CloudTrail is for logging, not enforcement.

Option C is wrong because Config rules detect non-compliance but do not prevent creation.

91 · MCQ · medium

A company stores database credentials in AWS Secrets Manager. The security policy requires that the credentials be rotated automatically every 30 days. Which action should the SysOps administrator take to enforce this requirement?

A. Configure an AWS Lambda function to rotate the secret and set a CloudWatch Events rule to trigger it every 30 days.
B. Enable automatic rotation in the Secrets Manager console and specify a rotation interval of 30 days using a Lambda rotation function.
C. Use AWS Systems Manager Parameter Store to store the credentials and configure a State Manager association for rotation.
D. Create an IAM policy that forces users to rotate the secret manually every 30 days.
Answer: B

Correct. Secrets Manager natively supports automatic rotation with a configurable interval. You attach a Lambda function to perform the rotation, and the service handles scheduling.

Why this answer

Option B is correct because AWS Secrets Manager natively supports automatic rotation using a Lambda function. By enabling automatic rotation in the console and specifying a 30-day interval, the administrator meets the security policy without manual intervention. Secrets Manager handles the rotation schedule and invokes the Lambda function automatically.

Exam trap

The trap here is that candidates may think any automated scheduling (like CloudWatch Events) is sufficient, but AWS Secrets Manager's native rotation feature is the correct and simplest way to enforce automatic rotation without custom infrastructure.

How to eliminate wrong answers

Option A is wrong because while a Lambda function and CloudWatch Events rule could rotate the secret, this approach bypasses Secrets Manager's built-in rotation mechanism and requires custom scheduling logic, making it less reliable and harder to maintain. Option C is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it is designed for configuration management, not secret rotation. Option D is wrong because creating an IAM policy that forces manual rotation does not enforce automated rotation and relies on user compliance, which violates the requirement for automatic rotation every 30 days.

92 · MCQ · medium

Refer to the exhibit. A SysOps administrator runs the commands shown. Which key(s) have automatic key rotation enabled?

A. Only the first key
B. Only the second key
C. Neither key
D. Both keys
Answer: A

KeyRotationEnabled is true for the first key.

Why this answer

The output shows that key 1234abcd-12ab-34cd-56ef-1234567890ab has KeyRotationEnabled set to true, so it has automatic rotation enabled. Key 0987fedc-87fe-65dc-43ba-abcdef123456 has false. Option A is correct.

Options B, C, and D are incorrect.

93 · MCQ · easy

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest. The administrator wants to automatically remediate any bucket that is created without default encryption. Which AWS service should be used to achieve this with the least operational overhead?

A. AWS Config with a managed rule and auto-remediation via AWS Systems Manager Automation
B. AWS CloudTrail with Amazon CloudWatch Events and AWS Lambda
C. AWS Trusted Advisor with Amazon Simple Notification Service (SNS)
D. Amazon Inspector with AWS Systems Manager Patch Manager
Answer: A

AWS Config can evaluate resources against managed rules and trigger automated remediation actions, such as enabling S3 default encryption via SSM Automation.

Why this answer

AWS Config with the managed rule 's3-bucket-default-encryption-enabled' can detect S3 buckets that lack default encryption. By attaching an AWS Systems Manager Automation document (e.g., 'AWS-EnableS3BucketEncryption') as an auto-remediation action, the administrator can automatically apply AES-256 or AWS-KMS encryption to noncompliant buckets without manual intervention, minimizing operational overhead.

Exam trap

The trap here is that candidates may assume AWS Config only provides detection and not remediation, overlooking the auto-remediation integration with Systems Manager Automation, or they may confuse AWS Config's managed rules with Trusted Advisor's advisory checks.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail with CloudWatch Events and Lambda requires custom code and event-driven architecture, which introduces more operational overhead than AWS Config's built-in auto-remediation. Option C is wrong because AWS Trusted Advisor only provides recommendations and alerts via SNS, not automated remediation. Option D is wrong because Amazon Inspector is designed for vulnerability assessment of EC2 instances and container workloads, not for S3 bucket encryption compliance.

94 · MCQ · medium

A company uses AWS Key Management Service (KMS) to encrypt data in Amazon S3. They want to ensure that the KMS key can only be used from within a specific VPC. How can this be accomplished?

A. Add a condition in the S3 bucket policy to allow only requests from the VPC.
B. Add a condition in the KMS key policy using 'aws:SourceVpc' to restrict usage to the VPC.
C. Use an IAM policy with a condition that requires the request to come from the VPC.
D. Configure a network ACL that blocks all traffic to KMS except from the VPC.
Answer: B

KMS key policy supports 'aws:SourceVpc' condition.

Why this answer

Option B is correct because a KMS key policy can use the 'aws:SourceVpc' condition to restrict usage to requests originating from a specific VPC. Option A is wrong because S3 bucket policies cannot restrict KMS key usage. Option C is wrong because IAM policies cannot restrict based on VPC for KMS actions.

Option D is wrong because network ACLs control network traffic, not KMS API calls.

95 · Multi-Select · medium

A company wants to ensure that its AWS resources are compliant with the CIS AWS Foundations Benchmark. Which TWO AWS services can be used to automate compliance checks and remediation?

Select 2 answers
A. AWS CloudTrail
B. Amazon Inspector
C. AWS Config
D. AWS Security Hub
E. Amazon GuardDuty
Answers: C, D

AWS Config allows you to create rules that evaluate resource configurations and can trigger remediation actions.

Why this answer

AWS Config rules can evaluate resource configurations against desired policies (e.g., CIS benchmarks) and trigger automatic remediation actions via Systems Manager Automation. AWS Security Hub provides a consolidated view of security findings across accounts and can also perform automated checks against standards like CIS. CloudTrail and GuardDuty are not specifically for compliance automation; Inspector is for vulnerability assessment, not compliance.

96 · MCQ · medium

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). A SysOps administrator needs to automatically detect any bucket that does not have encryption enabled and automatically apply SSE-S3 encryption. The solution should leverage AWS managed services and minimize custom code. Which combination of AWS services should be used?

A. AWS Config and AWS Lambda
B. Amazon GuardDuty and AWS Lambda
C. AWS CloudTrail and Amazon EventBridge
D. Amazon Macie and AWS Step Functions
Answer: A

AWS Config continuously evaluates S3 buckets against the managed rule for encryption. Non-compliant buckets can trigger a remediation action via an AWS Lambda function that applies SSE-S3 configuration. This minimizes custom code and uses managed services.

Why this answer

AWS Config can evaluate S3 bucket configurations against a managed rule (s3-bucket-server-side-encryption-enabled) to detect non-compliant buckets. When a non-compliant bucket is detected, AWS Config can trigger an AWS Lambda function via an Amazon EventBridge rule or a custom remediation action to automatically enable SSE-S3 encryption on the bucket. This combination uses managed services and minimizes custom code, meeting the security policy requirement.

Exam trap

The trap here is that candidates may confuse AWS Config's compliance evaluation with GuardDuty's threat detection or Macie's data classification, leading them to choose a service that cannot detect or remediate encryption settings.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not for checking or enforcing S3 bucket encryption configurations. Option C is wrong because AWS CloudTrail records API activity but does not evaluate resource compliance or trigger automated remediation; Amazon EventBridge can route events but requires a separate service like AWS Config to detect non-compliance. Option D is wrong because Amazon Macie is a data discovery and protection service that uses machine learning to identify sensitive data, not to detect or enforce encryption settings; AWS Step Functions is an orchestration service that would require custom code to implement the detection logic.

97 · MCQ · medium

An organization has a policy requiring that all Amazon EC2 instances launched in the production account must have detailed monitoring enabled for Amazon CloudWatch. A SysOps administrator needs to enforce this rule automatically. Which solution will ensure that any EC2 instance launched without detailed monitoring is automatically remediated?

A. Use AWS Config with the managed rule 'ec2-instance-detailed-monitoring-enabled' and configure an automatic remediation action using AWS Systems Manager Automation to enable detailed monitoring on non-compliant instances.
B. Use AWS Trusted Advisor to check for instances without detailed monitoring and send a notification to the administrator via email.
C. Use an Amazon CloudWatch Events rule to detect RunInstances API calls and trigger a Lambda function that enables detailed monitoring on newly launched instances.
D. Use an IAM policy that denies the ec2:RunInstances action unless the user specifies the parameter to enable detailed monitoring.
Answer: A

This solution automatically detects and remediates non-compliant instances using native AWS Config features.

Why this answer

AWS Config with the managed rule 'ec2-instance-detailed-monitoring-enabled' continuously evaluates EC2 instances against the policy. When an instance is non-compliant (i.e., launched without detailed monitoring), the automatic remediation action uses an AWS Systems Manager Automation document to enable detailed monitoring on that instance, ensuring enforcement without manual intervention.

Exam trap

The trap here is that candidates often choose Option C (CloudWatch Events + Lambda) because it seems reactive and automatic, but they overlook that CloudWatch Events may not reliably capture all RunInstances API calls (e.g., when instances are launched by Auto Scaling or other services) and that the Lambda function would need to handle race conditions and permissions, whereas AWS Config remediation is purpose-built for continuous compliance enforcement.

How to eliminate wrong answers

Option B is wrong because AWS Trusted Advisor only provides recommendations and notifications; it cannot automatically remediate non-compliant resources. Option C is wrong because a CloudWatch Events rule triggered by RunInstances API calls cannot reliably catch instances launched without detailed monitoring if the monitoring parameter is not explicitly set in the API call (e.g., instances launched via Auto Scaling or other services may not trigger the rule as expected). Option D is wrong because an IAM policy that denies ec2:RunInstances unless the user specifies the detailed monitoring parameter can be bypassed by users who have permissions to modify the instance after launch, and it does not automatically remediate instances that are already running without detailed monitoring.

98 · MCQ · hard

A company uses IAM roles to grant EC2 instances access to S3 buckets. After a recent security audit, the SysOps administrator must ensure that only instances with a specific tag (Environment=Production) can assume the role. How can this be achieved?

A. Create a new IAM role for each instance and attach the tag.
B. Use a service control policy (SCP) to deny the ec2:AssumeRole action for instances without the required tag.
C. Modify the instance profile to include the tag requirement.
D. Add a condition in the role's trust policy that checks for the instance's tag using the aws:ResourceTag condition key.
Answer: D

The trust policy can evaluate the instance's tags at the time of AssumeRole.

Why this answer

Option D is correct because the role's trust policy can carry a condition on the instance's tags, so only instances tagged Environment=Production can assume the role. Option A is wrong because a role per instance does not scale, and a tag on a role does nothing unless some policy checks it. Option B is wrong because SCPs set permission ceilings for accounts and OUs; they cannot target individual instances, and there is no ec2:AssumeRole action (role assumption is sts:AssumeRole).

Option C is wrong because an instance profile is only a container that links a role to an instance; it has no tag-checking logic of its own.

99
MCQhard

A company has an S3 bucket configured with default encryption using SSE-S3. Users report that objects uploaded without specifying encryption are still encrypted, but some objects are accessible to unauthorized users. What is the most likely cause?

A.The bucket policy is not configured to deny unencrypted uploads.
B.The bucket policy does not restrict access based on user permissions.
C.The bucket does not have MFA Delete enabled.
D.The bucket's block public access settings are not configured.
AnswerB

Default encryption does not replace IAM or bucket policies for access control.

Why this answer

Option B is correct because default encryption only protects data at rest; it does not decide who may read an object, which is governed by IAM policies and the bucket policy. Option A is wrong because a policy that denies unencrypted uploads controls how objects are written, not who can read them, and the objects in question are already encrypted. Option C is wrong because MFA Delete protects against deletion, not unauthorized reads.

Option D is wrong because Block Public Access stops anonymous and public access; the issue here is over-broad access from principals inside the account or from trusted accounts.

100
Multi-Selecthard

A SysOps administrator is designing a VPC for a web application that must be secure. Which THREE security measures should the administrator implement? (Choose THREE.)

Select 3 answers
A.Configure network ACLs to filter traffic at the subnet level.
B.Enable VPC Flow Logs to capture traffic information.
C.Place all resources in public subnets to simplify access.
D.Use security groups to control inbound and outbound traffic at the instance level.
E.Use the default VPC for simplicity.
AnswersA, B, D

NACLs provide stateless filtering.

Why this answer

Option D is correct because security groups act as stateful virtual firewalls at the instance (ENI) level. Option A is correct because network ACLs add a stateless filtering layer at the subnet boundary. Option B is correct because VPC Flow Logs record accepted and rejected traffic for monitoring and investigation.

Option C is wrong because only internet-facing components (such as a load balancer) belong in public subnets; application and data tiers should sit in private subnets. Option E is wrong because the default VPC has a public subnet in every Availability Zone and auto-assigns public IPv4 addresses, which is not a secure baseline.

101
MCQhard

A company has an S3 bucket with versioning enabled. They want to ensure that objects are not permanently deleted by users. What configuration should be applied?

A.Enable MFA Delete on the bucket
B.Configure a lifecycle policy to expire noncurrent versions
C.Enable S3 Object Lock in governance mode
D.Add a bucket policy that denies s3:DeleteObject
AnswerA

MFA Delete requires MFA to permanently delete versions, preventing accidental permanent deletion.

Why this answer

With versioning enabled, a delete request creates a delete marker instead of removing the object. To prevent permanent deletion, enable MFA Delete, which requires multi-factor authentication (it can only be enabled with the bucket owner's root credentials, via the CLI or API) to change the versioning state or permanently delete an object version. Option A is correct.

Option D is wrong because s3:DeleteObject governs creating a delete marker; permanently removing a version is s3:DeleteObjectVersion, which the stated policy does not deny. Option B is wrong because a lifecycle rule that expires noncurrent versions causes permanent deletion rather than preventing it. Option C is wrong because Object Lock governance mode can be bypassed by any principal granted s3:BypassGovernanceRetention; it is a retention control for compliance, not the feature that requires MFA for deletion.

102
MCQhard

A company's security policy requires that all Amazon S3 buckets must be encrypted at rest with AWS Key Management Service (AWS KMS) customer managed keys. A SysOps administrator discovers that some buckets are not encrypted. Which combination of AWS services should be used to automatically detect and remediate non-compliant buckets using infrastructure as code?

A.AWS Config with a managed rule and AWS Lambda for automatic remediation.
B.AWS CloudTrail and Amazon GuardDuty.
C.Amazon Inspector and AWS Systems Manager.
D.Amazon Macie and AWS CloudFormation.
AnswerA

AWS Config can continuously evaluate resources against rules and trigger Lambda functions for remediation. The managed rule 's3-bucket-server-side-encryption-enabled' can be configured with a parameter to require SSE-KMS. This fully automates detection and fixing.

Why this answer

AWS Config with a managed rule (e.g., s3-bucket-server-side-encryption-enabled) can continuously evaluate S3 buckets for compliance with the encryption policy. When a non-compliant bucket is detected, AWS Config can automatically invoke an AWS Lambda function to remediate the issue, such as enabling encryption with a customer managed KMS key. This combination provides automated detection and remediation using infrastructure as code, as the Config rule and Lambda function can be defined in AWS CloudFormation or similar IaC tools.

Exam trap

The trap here is that candidates may confuse detection services (like GuardDuty or Macie) with compliance evaluation services (AWS Config), or assume that CloudFormation alone can detect non-compliance without a continuous evaluation mechanism like AWS Config rules.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail and Amazon GuardDuty are used for auditing API activity and threat detection, not for automated compliance detection and remediation of S3 bucket encryption. Option C is wrong because Amazon Inspector is a vulnerability management service for EC2 instances and container workloads, not for S3 bucket encryption compliance, and AWS Systems Manager is for operational management, not automated encryption remediation. Option D is wrong because Amazon Macie is a data discovery and classification service for sensitive data, not for encryption compliance, and AWS CloudFormation alone cannot automatically detect non-compliant buckets without a trigger like AWS Config.

103
MCQmedium

A SysOps administrator is troubleshooting an IAM policy that is not granting the expected permissions. The policy has a Deny effect on a specific action, but the user is still able to perform that action. What is the most likely reason?

A.The Deny statement is listed after an Allow statement in the policy
B.IAM policies do not support deny statements with conditions
C.The Deny statement includes a condition that is not met by the request
D.The user has an attached AWS managed policy that allows the action
AnswerC

If the condition is not satisfied, the Deny statement is not applied.

Why this answer

IAM policy evaluation logic: by default every request is implicitly denied, an explicit Allow overrides that default, and an explicit Deny overrides any Allow.

A Deny statement only takes part in that evaluation when every element of the statement matches the request, including its Condition block. If the condition is not satisfied (for example a NotIpAddress range the caller is inside of, or a tag key that is absent from the request), the statement is skipped and an Allow from another statement or policy stands. That is the most likely reason in a troubleshooting scenario. Option C is correct.

Option A is wrong because statement order does not matter in IAM; every statement is evaluated. Option D is wrong because an explicit Deny overrides an Allow from any attached policy, managed or not. Option B is wrong because IAM Deny statements fully support conditions.

104
MCQmedium

A company's security team requires that all Amazon EC2 instances in a specific AWS account must have the tag 'Environment' set to either 'Production' or 'Test'. Any instance that is launched without this tag or with an invalid value must be automatically terminated within five minutes. Which combination of AWS services can enforce this requirement with minimal manual intervention?

A.AWS Config with a custom rule and AWS Lambda
B.AWS CloudTrail and Amazon CloudWatch Events
C.AWS Service Catalog and AWS Organizations
D.Amazon Inspector and AWS Systems Manager
AnswerA

A custom AWS Config rule can evaluate EC2 instances when they are created (configuration change trigger) and invoke an AWS Lambda function to terminate instances lacking the required tag or having an invalid value. This provides continuous compliance enforcement.

Why this answer

AWS Config with a custom rule can evaluate EC2 instances for the required 'Environment' tag with valid values. When a non-compliant instance is detected, AWS Config triggers an AWS Lambda function that terminates the instance within the required five-minute window. This combination provides automated, event-driven enforcement with minimal manual intervention.

Exam trap

The trap here is that candidates may think CloudTrail and CloudWatch Events alone can enforce tag compliance, but they lack the evaluation logic and automated remediation that AWS Config with a custom Lambda rule provides.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API calls and CloudWatch Events can trigger on those events, but they lack native tag validation logic; you would still need a Lambda function to evaluate tag values and terminate instances, making this an incomplete solution. Option C is wrong because AWS Service Catalog enforces compliance at provisioning time through predefined products, but it cannot retroactively terminate instances launched outside the catalog or enforce tag compliance on existing instances. Option D is wrong because Amazon Inspector is a vulnerability assessment service and AWS Systems Manager is for operational management; neither service has the capability to evaluate tags or terminate instances based on tag compliance.
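
The evaluation half of the solution in question 104 is small enough to show. The block below is an added example written for this page, not code from the original page or from AWS: it assumes a custom Config rule with a configuration-change trigger delivering each EC2 configuration item to one Lambda function, and it keeps the boto3 calls (put_evaluations and terminate_instances) inside lambda_handler so the decision functions run offline. The instance IDs and tags are constructed test data.

```python
"""Evaluation logic for a custom AWS Config rule that enforces the
Environment tag on EC2 instances, with the terminate decision kept separate.

Added example, not code from the original page or from AWS.  Assumes a
configuration-change trigger feeding one Lambda function; boto3 calls are
confined to lambda_handler so the decision functions are testable offline.
Resource IDs and tags below are constructed test data."""
import json

ALLOWED_VALUES = {"Production", "Test"}      # values the security team accepts


def evaluate_compliance(item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one Config configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        # Termination also produces a change event; there is nothing left to fix.
        return "NOT_APPLICABLE", "resource was deleted"
    value = (item.get("tags") or {}).get("Environment")
    if value is None:
        return "NON_COMPLIANT", "missing required tag Environment"
    if value not in ALLOWED_VALUES:
        return "NON_COMPLIANT", f"invalid Environment value {value!r}"
    return "COMPLIANT", f"Environment={value}"


def should_terminate(compliance_type: str, item: dict) -> bool:
    """Only live instances are terminated; a stopped instance does no harm and
    terminating it would destroy state an investigation may still need."""
    state = ((item.get("configuration") or {}).get("state") or {}).get("name")
    return compliance_type == "NON_COMPLIANT" and state in {"pending", "running"}


def lambda_handler(event, context):
    """Entry point wired to the Config rule: report the result, then enforce."""
    import boto3  # imported here so the functions above run without AWS access
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance_type, annotation = evaluate_compliance(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance_type,
            "Annotation": annotation[:256],          # Config caps annotations at 256 chars
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    if should_terminate(compliance_type, item):
        boto3.client("ec2").terminate_instances(InstanceIds=[item["resourceId"]])
    return {"compliance": compliance_type, "annotation": annotation}


def _item(instance_id, tags, state="running", status="ResourceDiscovered"):
    """Build a constructed configuration item in the shape Config delivers."""
    return {"resourceType": "AWS::EC2::Instance", "resourceId": instance_id,
            "configurationItemStatus": status, "tags": tags,
            "configuration": {"state": {"name": state}},
            "configurationItemCaptureTime": "2024-05-01T10:15:02.000Z"}


SAMPLE_ITEMS = {                                   # constructed, not real Config output
    "prod": _item("i-0123456789abcdef0", {"Environment": "Production"}),
    "typo": _item("i-0123456789abcdef1", {"Environment": "prod"}),
    "untagged": _item("i-0123456789abcdef2", {"Name": "scratch"}),
    "stopped_typo": _item("i-0123456789abcdef3", {"Environment": "Dev"}, state="stopped"),
    "deleted": _item("i-0123456789abcdef4", {}, status="ResourceDeleted"),
}

if __name__ == "__main__":
    for name, item in SAMPLE_ITEMS.items():
        ct, note = evaluate_compliance(item)
        print(f"{name:13} {ct:15} terminate={should_terminate(ct, item)}  {note}")
```

Tag values are matched case-sensitively on purpose (prod is not Production), because that is how the ec2:ResourceTag condition keys and Config's own tag checks behave. Note that the five-minute window in the question is met only if Config records the new instance promptly; change-triggered rules normally fire within a few minutes of the resource appearing, but the delay is not guaranteed, so the Lambda function should be idempotent in case the rule is also run periodically.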

105
MCQhard

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile has an IAM role with a policy that allows s3:GetObject on the bucket. The S3 bucket policy has a Deny for all principals except a specific service role. What is the most likely reason for the access failure?

A.The IAM role trust policy does not allow EC2 to assume the role.
B.The instance profile is not correctly attached to the EC2 instance.
C.The S3 bucket requires a VPC endpoint.
D.The S3 bucket policy Deny overrides the IAM role permissions.
AnswerD

Explicit Deny in bucket policy takes precedence.

Why this answer

Option D is correct because an explicit Deny in the bucket policy overrides any Allow granted by the role's identity policy; only the service role excepted from the Deny can read the bucket. Option A is wrong because a broken trust policy would stop the instance from obtaining role credentials at all, rather than producing an access denial from S3. Option C is wrong because S3 does not require a VPC endpoint; an instance with internet or NAT access reaches S3 over the public endpoint.

Option B is wrong because the question states the profile and role are in place; with a missing profile the failure would be a credentials error, not an access denial from the bucket.

106
MCQhard

Refer to the exhibit. The security team wants to ensure that all objects uploaded to the S3 bucket 'my-secure-bucket' are encrypted at rest. Based on the CloudTrail log entry, what can be concluded about the object 'confidential.pdf'?

A.The object is encrypted with AWS KMS
B.The object is not encrypted
C.The object is encrypted with SSE-S3
D.The object was uploaded without an encryption header
AnswerC

The AES256 value corresponds to SSE-S3.

Why this answer

Option C is correct because requestParameters shows the object was uploaded with the x-amz-server-side-encryption header set to AES256, which is SSE-S3. Option A is incorrect because SSE-KMS would appear as the value aws:kms (usually with an x-amz-server-side-encryption-aws-kms-key-id), not AES256. Option B is incorrect because the object is encrypted, as the header shows.

Option D is incorrect because the log shows the encryption header was provided.

107
MCQhard

A company has an AWS account with multiple VPCs connected via a transit gateway. The security team wants to centrally manage VPC security group rules and ensure compliance. Which approach is most effective?

A.Use AWS Firewall Manager to centrally define and enforce security group rules across all VPCs.
B.Create a single security group and attach it to all VPCs.
C.Define security group rules in AWS CloudFormation templates and deploy them to each VPC.
D.Use network ACLs instead of security groups for centralized management.
AnswerA

Firewall Manager provides centralized security group management across accounts and VPCs.

Why this answer

Option A is correct because AWS Firewall Manager centrally defines security group policies, audits existing groups and remediates drift across accounts and VPCs (it requires AWS Organizations and AWS Config to be enabled). Option B is wrong because a security group belongs to a single VPC and cannot be attached to resources in other VPCs. Option D is wrong because network ACLs are stateless, per-subnet filters and not a replacement for security groups.

Option C is wrong because CloudFormation can deploy rules but does not continuously detect or revert changes made outside the template.

108
MCQmedium

A company's security team notices that an IAM user has access keys that have not been rotated in over a year. Which action should the SysOps administrator take to enforce key rotation automatically?

A.Set up an AWS Config rule to detect old keys and trigger an AWS Lambda function to rotate them.
B.Apply a service control policy (SCP) that requires key rotation.
C.Configure an IAM policy that automatically rotates keys every 90 days.
D.Use AWS Trusted Advisor to automatically rotate the keys.
AnswerA

This is a best practice using Config and Lambda to automate key rotation.

Why this answer

Option A is correct because the AWS Config managed rule access-keys-rotated flags keys older than a configurable maxAccessKeyAge, and a Lambda function (or a Systems Manager Automation remediation) can then create a new key, deactivate the old one and notify the owner. Option C is wrong because IAM has no setting that rotates user access keys on a schedule. Option D is wrong because Trusted Advisor reports old keys but does not rotate them.

Option B is wrong because SCPs restrict which actions are permitted; they cannot schedule or perform rotation.

109
MCQmedium

A SysOps administrator is configuring a new AWS account and wants to set up a secure password policy for IAM users. The policy must require at least 12 characters, one uppercase letter, one number, and must prevent password reuse. Where should this policy be configured?

A.Apply a service control policy (SCP) that enforces password complexity.
B.In the IAM console under Account settings, set the password policy.
C.Set a password policy on the AWS account root user.
D.Create an IAM role with a password policy attached.
AnswerB

The account password policy applies to all IAM users.

Why this answer

Option B is correct because the IAM password policy is set once per account, in the IAM console under Account settings or with the update-account-password-policy API, and applies to every IAM user in the account. Option C is wrong because the root user is not governed by the IAM password policy. Option A is wrong because SCPs can restrict IAM actions but do not define a password policy.

Option D is wrong because IAM roles have no passwords.

110
MCQmedium

An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The company security policy requires that credentials are not stored on the instance. What is the most secure way to grant access?

A.Create an IAM role with S3 access permissions and attach it to the EC2 instance profile.
B.Generate an access key and secret key for an IAM user, then store them in a configuration file on the instance.
C.Create an S3 bucket policy that allows access from the instance's public IP address.
D.Define the access keys as environment variables in the user data script when launching the instance.
AnswerA

Uses temporary credentials via instance metadata, no long-term credentials stored.

Why this answer

Option A is correct because a role attached through the instance profile provides short-lived credentials via the instance metadata service, so no long-term secret is stored on the instance; requiring IMDSv2 on the instance adds a session token that blunts SSRF-style credential theft. Option B is wrong because access keys stored in a file violate the policy and are easily exfiltrated. Option D is wrong because user data is readable from the metadata service and the keys remain long-term credentials on the instance.

Option C is wrong because a bucket policy alone does not authenticate the instance; the request still needs signed credentials from a role or user, and a public IP address is neither stable nor a trustworthy identity.

111
Multi-Selecteasy

Which TWO measures help protect an AWS account root user? (Choose two.)

Select 2 answers
A.Use the root user regularly for administrative tasks.
B.Create an access key for the root user for programmatic access.
C.Grant other IAM users full administrator access.
D.Use a strong, complex password for the root user.
E.Enable multi-factor authentication (MFA) for the root user.
AnswersD, E

A strong password reduces the risk of unauthorized access.

Why this answer

Options D and E are correct. Enabling MFA and using a strong, unique password are the baseline protections for the root user. Option B is wrong because the root user should have no access keys at all; root actions cannot be restricted by IAM policy, so root keys are an unbounded credential.

Option A is wrong because the root user should be used only for the few tasks that require it; routine administration belongs to IAM identities. Option C is wrong because granting every IAM user full administrator access widens the blast radius; delegate least-privilege permissions instead.

112
MCQhard

A SysOps administrator must grant an IAM user the ability to start and stop specific EC2 instances, but NOT terminate them. The administrator creates a policy with the following statement. However, the user can still terminate instances. What is the MOST likely reason?

A.The policy does not restrict the ec2:TerminateInstances action to specific instances using a condition or ARN
B.The condition key ec2:ResourceTag is not a valid condition key for EC2 actions
C.The ec2:TerminateInstances action is not allowed in a customer-managed policy
D.The policy does not include an explicit deny for ec2:TerminateInstances
AnswerA

The statement grants ec2:TerminateInstances without scoping it to the intended instances by resource ARN or by a condition that applies to that action, so the Allow covers every instance.

Why this answer

Option A is correct because EC2 start, stop and terminate actions all support resource-level permissions and the ec2:ResourceTag/tag-key condition key; if the Allow for ec2:TerminateInstances is written against all instances without an effective condition, it permits termination of every instance the user can see. Note that a StringEquals condition on ec2:ResourceTag fails when the tag is absent: a missing tag makes the statement not apply, it does not make it unconditional, so the only way the user can still terminate is that the Allow for that action is not scoped at all.

Option B is incorrect because ec2:ResourceTag/tag-key is a valid condition key for EC2 instance actions. Option C is incorrect because any EC2 action can appear in a customer managed policy. Option D is incorrect because an explicit Deny would mask the symptom, but the root cause is the overly broad Allow; a least-privilege policy should not need a Deny to cancel out its own grant.

113
MCQhard

A SysOps administrator deploys the CloudFormation template shown in the exhibit. The stack creation fails with a security group error. What is the most likely cause?

A.The AMI ID is incorrect.
B.The security group ingress rule uses an invalid CIDR.
C.The template uses 'SecurityGroups' instead of 'SecurityGroupIds' for a VPC instance.
D.The security group ingress rule allows SSH from all IPs.
AnswerC

In VPC, you must use SecurityGroupIds.

Why this answer

Option C is correct because the template references the security group from the AWS::EC2::Instance through the SecurityGroups property, which takes security group names and is only valid for instances launched into the default VPC. Ref on an AWS::EC2::SecurityGroup created in a non-default VPC returns the group ID, not its name, so the launch fails with a security group error; for an instance in a VPC the property must be SecurityGroupIds. Option A is wrong because an invalid AMI produces an AMI error, not a security group error. Option B is wrong because 10.0.0.0/8, the range in the exhibit, is a valid CIDR. Option D is wrong because allowing SSH from a broad range is a security risk, but it does not cause stack creation to fail.

114
MCQeasy

Developers are allowed to create IAM roles for their Lambda functions. However, the security team is concerned that developers could create roles with Administrator access, granting Lambda functions more permissions than the developers themselves have. What IAM feature prevents privilege escalation in this scenario?

A.Attach a permission boundary to each developer IAM user that limits them to creating roles with only the permissions they are allowed to grant
B.Enable IAM Access Analyzer to detect when developers create overly permissive roles
C.Require MFA for all IAM API calls so developers must re-authenticate before creating roles
D.Enable CloudTrail logging for all IAM API calls and set up a CloudWatch alarm for iam:CreateRole events
AnswerA

A permission boundary caps the effective permissions of the developer, and an identity policy that allows iam:CreateRole and iam:AttachRolePolicy only when the new role carries the same boundary (condition key iam:PermissionsBoundary) means any role the developer creates is capped the same way. Together these close the escalation path.

Why this answer

Permission boundaries are an IAM feature that allow you to set the maximum permissions that an identity-based policy can grant to a principal. By attaching a permission boundary to each developer IAM user that restricts them to creating roles with only the permissions they are allowed to grant, you prevent the developer from creating a Lambda execution role with AdministratorAccess or any other policy that exceeds the boundary. This directly addresses the privilege escalation concern because the boundary acts as a ceiling on the permissions the developer can delegate to the role.

Exam trap

The trap here is that candidates often confuse detective controls (like Access Analyzer, CloudTrail, or alarms) with preventive controls, thinking that monitoring or alerting can stop the action, when only a preventive mechanism like a permission boundary can block the creation of an overly permissive role at the time of the API call.

How to eliminate wrong answers

Option B is wrong because IAM Access Analyzer is a post-creation analysis tool that identifies resources shared with external principals; it does not prevent a developer from creating an overly permissive role in the first place. Option C is wrong because requiring MFA for IAM API calls adds an authentication step but does not restrict the permissions that can be assigned to a role; a developer with valid MFA could still create an AdministratorAccess role. Option D is wrong because CloudTrail logging and CloudWatch alarms are detective controls that only alert after the role has been created; they do not prevent the privilege escalation from occurring.

115
Multi-Selectmedium

A company wants to use AWS KMS to encrypt data at rest for an S3 bucket. The security policy requires that the CMK be rotated every year. Which of the following is true about automatic key rotation for AWS KMS customer master keys (CMKs)?

Select 1 answer
A.Automatic key rotation is supported for asymmetric CMKs
B.Automatic key rotation is supported for symmetric CMKs created in KMS
C.Automatic key rotation can be enabled for any CMK at any time
D.Automatic key rotation is supported for imported CMKs
E.When a CMK is rotated, the previous backing key is deleted
AnswersB

KMS can automatically rotate symmetric CMKs on a schedule; the default rotation period is one year, and the period is configurable.

Why this answer

Automatic key rotation is supported only for symmetric encryption KMS keys whose key material was generated by KMS (option B). It is not supported for asymmetric keys (option A), keys with imported key material (option D), HMAC keys, or keys in a custom key store, so option C is wrong: rotation cannot be enabled for any key at any time.

Option E is wrong because rotation generates new key material but retains every previous version so that existing ciphertext can still be decrypted; nothing is deleted until the key itself is scheduled for deletion.

116
MCQeasy

A company wants to centrally manage access to AWS accounts for its employees. Which AWS service should be used to create and manage users and groups across multiple accounts?

A.AWS IAM
B.AWS Directory Service
C.AWS IAM Identity Center
D.AWS Organizations
AnswerC

IAM Identity Center provides centralized user management across multiple accounts.

Why this answer

AWS IAM Identity Center (successor to AWS SSO) lets you create users and groups (or connect an external identity provider) and assign them permission sets across the accounts in an organization with single sign-on. Option C is correct. Option A is wrong because IAM users and groups exist within a single account.

Option D is wrong because AWS Organizations manages accounts, OUs and policies, not workforce users. Option B is wrong because AWS Directory Service hosts or connects to Microsoft Active Directory; on its own it does not grant access to AWS accounts.

117
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users in any member account can create access keys for themselves. What is the MOST efficient way to enforce this policy across all accounts?

A.Create an SCP that denies the iam:CreateAccessKey action and attach it to the root organizational unit.
B.Apply an IAM policy to the master account's root user that denies access key creation.
C.Enable AWS Trusted Advisor security checks and follow the recommendations.
D.Use AWS Config to detect access key creation and automatically delete the keys using a Lambda function.
AnswerA

SCPs can deny actions across all accounts in the organization.

Why this answer

A service control policy (SCP) attached to the organization root (or to specific OUs) denies the action in every member account beneath it, regardless of the permissions granted inside those accounts. Option A is correct because it is a single, centrally enforced control. Option B is wrong because IAM policies cannot be attached to the root user and would in any case affect only the management account.

Option D is wrong because it is detective and reactive: the key exists until Config evaluates it and Lambda deletes it, and the rule has to be deployed in every account. Option C is wrong because Trusted Advisor only makes recommendations; it enforces nothing.

118
MCQeasy

A SysOps administrator needs to audit all API calls made in the AWS account, including actions performed by the root user. Which service should be enabled?

A.AWS Config
B.VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerC

CloudTrail records all API activity in the account, including root user actions, and is the correct service for auditing.

Why this answer

AWS CloudTrail records all API calls, including those by the root user, and delivers log files to an S3 bucket. CloudWatch Logs is for log monitoring, not auditing API calls. AWS Config records resource configuration changes, not API calls.

VPC Flow Logs capture network traffic, not API calls.

119
MCQmedium

A SysOps administrator is asked to ensure that all objects in an S3 bucket are encrypted at rest using a customer-managed KMS key. The bucket currently has default encryption set to SSE-S3. What must be done to meet the requirement?

A.Update the bucket's default encryption to SSE-KMS using the customer-managed key, and re-upload existing objects.
B.Add a bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header.
C.Apply a service control policy to enforce SSE-KMS across the organization.
D.Enable S3 Versioning and set the bucket's default encryption to SSE-KMS.
AnswerA

Default encryption must be changed, and existing objects need to be copied to be encrypted with the new key.

Why this answer

Option A is correct because changing the bucket's default encryption to SSE-KMS with the customer managed key encrypts new objects with that key, but it does not touch existing objects; those keep their SSE-S3 encryption until they are copied over themselves (for example with S3 Batch Operations Copy), which rewrites them under the new key. Option B is wrong because a bucket policy can reject uploads that do not request SSE-KMS, but it neither changes the default nor re-encrypts what is already stored.

Option C is wrong because SCPs limit API actions; they cannot set a bucket's encryption configuration. Option D is wrong because versioning has no effect on encryption.

120
MCQeasy

A company uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances. The security team wants to ensure that all traffic between the ALB and the instances is encrypted. Which configuration step is required?

A.Configure the ALB listener to use HTTPS with a security policy.
B.Configure the target group to use HTTPS protocol and install SSL/TLS certificates on the instances.
C.Place the instances in a private subnet and use a NAT gateway for outbound traffic.
D.Create a security group rule that allows only HTTPS traffic from the ALB to the instances.
AnswerB

This ensures traffic from ALB to instances is encrypted over HTTPS.

Why this answer

Option B is correct because setting the target group protocol to HTTPS makes the ALB open a TLS connection to each instance, which therefore needs a certificate and an HTTPS listener; note that the ALB does not validate the target's certificate, so a self-signed certificate works, and the backend hop is encrypted but not authenticated. Option A is wrong because the listener only secures the client-to-ALB leg. Option D is wrong because a security group controls which traffic is accepted, not whether it is encrypted.

Option C is wrong because subnet placement and NAT gateways affect routing and exposure, not encryption between the ALB and the targets.

121
MCQhard

A SysOps administrator is investigating a security incident where an unauthorized key pair was created. The CloudTrail lookup command output is shown. The administrator wants to find the source IP address of the 'admin' user who created the key pair. Which field in the 'CloudTrailEvent' JSON should the administrator examine?

A.requestParameters
B.userIdentity
C.sourceIPAddress
D.eventTime
AnswerC

Contains the source IP of the request.

Why this answer

Option C is correct because the caller's IP address is the sourceIPAddress field of the CloudTrail event JSON (for calls made on a principal's behalf by an AWS service, this field holds the service's DNS name instead of an IP). Option B is wrong because userIdentity identifies who made the call (type, ARN, user name, session context), not where it came from. Option D is wrong because eventTime is only the timestamp.

Option A is wrong because requestParameters holds the API call's parameters, such as the key pair name, not the caller's address.
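
The lookup described in questions 118 and 121 is a parsing job: `aws cloudtrail lookup-events` returns each record with the full event serialised as a JSON string in the CloudTrailEvent field, and the interesting values (sourceIPAddress, userIdentity, requestParameters.keyName) sit inside that string. The block below is an added example written for this page, not code from the original page or from AWS; the lookup output, account ID, user names and addresses are constructed to mirror the real shape, including the case where sourceIPAddress is a service DNS name rather than an address.

```python
"""Extract who did what from where out of `aws cloudtrail lookup-events` output.

Added example, not code from the original page or from AWS.  LOOKUP_OUTPUT is
constructed to mirror the real shape (each record carries the whole event as a
JSON string in CloudTrailEvent); the account ID, names and addresses are made up."""
import ipaddress
import json


def _record(event_name, user_identity, source_ip, request=None,
            when="2024-05-01T10:15:02Z", source="ec2.amazonaws.com"):
    """Constructed lookup-events record; CloudTrailEvent is a serialised JSON string."""
    body = {"eventVersion": "1.08", "userIdentity": user_identity, "eventTime": when,
            "eventSource": source, "eventName": event_name, "awsRegion": "us-east-1",
            "sourceIPAddress": source_ip, "requestParameters": request or {}}
    return {"EventName": event_name, "EventTime": when,
            "Username": user_identity.get("userName", user_identity["type"]),
            "CloudTrailEvent": json.dumps(body)}


ACCOUNT = "111122223333"
LOOKUP_OUTPUT = {"Events": [                       # constructed, not a real account's log
    _record("CreateKeyPair",
            {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL", "userName": "admin",
             "arn": f"arn:aws:iam::{ACCOUNT}:user/admin", "accountId": ACCOUNT,
             "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
            "198.51.100.23", {"keyName": "ops-backdoor"}),
    _record("RunInstances",
            {"type": "AssumedRole", "accountId": ACCOUNT, "invokedBy": "autoscaling.amazonaws.com",
             "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling"},
            "autoscaling.amazonaws.com"),
    _record("ConsoleLogin",
            {"type": "Root", "principalId": ACCOUNT, "accountId": ACCOUNT,
             "arn": f"arn:aws:iam::{ACCOUNT}:root"},
            "203.0.113.9", when="2024-05-01T11:02:44Z", source="signin.amazonaws.com"),
]}


def parse_events(lookup_output: dict) -> list:
    """Decode the nested CloudTrailEvent JSON of every returned record."""
    return [json.loads(rec["CloudTrailEvent"]) for rec in lookup_output.get("Events", [])]


def caller_name(user_identity: dict) -> str:
    """Human-readable caller: root, the IAM user name, or Role/Session for assumed roles."""
    kind = user_identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return user_identity.get("userName", "?")
    if kind == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName -> RoleName/SessionName
        return user_identity.get("arn", "").split("assumed-role/")[-1]
    return user_identity.get("arn") or user_identity.get("principalId") or str(kind)


def describe(event: dict) -> dict:
    """Flatten the fields an investigator wants first.  sourceIPAddress is not
    always an IP: calls an AWS service makes on a principal's behalf carry the
    service's DNS name, so that case is flagged instead of parsed."""
    ip = event.get("sourceIPAddress", "")
    try:
        ipaddress.ip_address(ip)
        is_address = True
    except ValueError:
        is_address = False
    ident = event.get("userIdentity", {})
    return {"event": event.get("eventName"), "time": event.get("eventTime"),
            "user": caller_name(ident), "source_ip": ip, "ip_is_address": is_address,
            "invoked_by": ident.get("invokedBy"),
            "mfa": (ident.get("sessionContext") or {}).get("attributes", {}).get("mfaAuthenticated"),
            "key_name": (event.get("requestParameters") or {}).get("keyName")}


def key_pair_creations(lookup_output: dict, user: str = None) -> list:
    """CreateKeyPair events, optionally limited to one caller name."""
    rows = [describe(e) for e in parse_events(lookup_output) if e.get("eventName") == "CreateKeyPair"]
    return [r for r in rows if user is None or r["user"] == user]


def root_activity(lookup_output: dict) -> list:
    """Anything the root user did; in a well-run account this list is empty."""
    return [describe(e) for e in parse_events(lookup_output)
            if e.get("userIdentity", {}).get("type") == "Root"]
```

Two points the flattening makes visible: the mfaAuthenticated attribute tells you whether the session that created the key pair was MFA-backed, and a sourceIPAddress that fails to parse as an address is not a malformed log but an AWS service acting on a principal's behalf (the invokedBy field names it). Lookup-events only covers the last 90 days of management events; for anything older, query the trail's S3 bucket with Athena instead.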

122
MCQeasy

A SysOps administrator needs to ensure that data in an S3 bucket is encrypted at rest. The bucket already has server-side encryption with S3 managed keys (SSE-S3) enabled. Which additional step is required to enforce encryption for all objects?

A.Add a bucket policy that denies PutObject without encryption.
B.Enable CloudTrail to log unencrypted uploads.
C.Enable default encryption on the bucket.
D.Enable versioning on the bucket.
AnswerA

Enforces encryption at upload time.

Why this answer

Option A is correct because a bucket policy can deny s3:PutObject requests that omit the x-amz-server-side-encryption header (or that specify the wrong algorithm), which rejects the upload before the object is stored. Option C is wrong because default encryption is already enabled; since January 2023 S3 applies SSE-S3 to every new object anyway, so a policy is the only way to require a specific algorithm or key. Option B is wrong because CloudTrail records uploads but cannot refuse them.

Option D is wrong because versioning does not enforce encryption.

123
MCQ · hard

An organization uses AWS KMS to encrypt data in S3. A SysOps administrator needs to ensure that KMS keys cannot be deleted accidentally. What is the MOST effective way to protect against accidental key deletion?

A.Disable the KMS key so it cannot be used but can still be deleted.
B.Create a backup of the KMS key in another AWS Region.
C.Use a service control policy (SCP) to deny the kms:ScheduleKeyDeletion action.
D.Set a high waiting period (e.g., 30 days) for key deletion and require multi-factor authentication (MFA) for the deletion.
Answer: D

The waiting period and MFA provide a safety window and additional authorization.

Why this answer

Option D is correct because scheduling key deletion in KMS requires a waiting period (customizable) during which the key is disabled and the deletion can be canceled. Option A is wrong because disabling the key does not prevent deletion; the key can still be scheduled for deletion. Option C is wrong because SCPs cannot prevent key deletion if the key is in the same account.

Option B is wrong because a backup of the key is not possible; KMS keys are not exportable.

124
Multi-Select · hard

A SysOps administrator is designing a solution to manage secrets (e.g., database credentials) for a multi-tier application running on EC2 instances. The solution must rotate secrets automatically and provide fine-grained access control. Which TWO services should be used together? (Choose TWO.)

Select 2 answers
A.AWS KMS
B.AWS CloudHSM
C.AWS Secrets Manager
D.AWS Systems Manager Parameter Store
E.IAM roles for EC2
Answers: C, E

Secrets Manager supports automatic rotation.

Why this answer

Option C is correct: AWS Secrets Manager can rotate secrets automatically. Option E is correct: IAM roles for EC2 provide fine-grained access control without storing credentials on the instance. Option D is wrong because SSM Parameter Store can store secrets but does not support automatic rotation.

Option A is wrong because KMS encrypts but does not rotate secrets. Option B is wrong because CloudHSM is a hardware security module, not a secrets management service.

125
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all IAM users in member accounts must use MFA. They create an SCP that denies all actions if the IAM user does not have MFA. However, the SCP does not apply to the root user. The SysOps administrator finds that some IAM users in member accounts are still able to access the console without MFA. What is the most likely reason?

A.The SCP is applied to an OU that does not contain the affected accounts.
B.The IAM user has a resource-based policy that allows access.
C.The SCP only applies to the root user, not IAM users.
D.The SCP is not inherited by child OUs.
Answer: A

The SCP only applies to accounts in the OU it is attached to.

Why this answer

Option A is correct. SCPs do not affect the management account, and its root user is exempt, but the question concerns IAM users in member accounts; if the SCP is attached to an OU that does not contain the affected accounts, it simply does not apply to them.

Option D is wrong because SCPs are inherited by child OUs. Option B is wrong because SCPs are not overridden by resource-based policies. Option C is wrong because SCPs apply to all IAM users and roles in a member account.

126
Drag & Drop · medium

Drag and drop the steps to configure an Amazon Route 53 failover routing policy into the correct order.

Why this order

Create health checks first, then create primary and secondary records with failover types, then test.

127
Multi-Select · hard

A company uses AWS Organizations and wants to restrict the use of specific AWS services across all member accounts. Which TWO methods can be used to enforce these restrictions? (Choose TWO.)

Select 2 answers
A.Create IAM policies in each account that deny the service actions and attach them to all IAM users and roles.
B.Use AWS Config rules to automatically disable non-compliant services.
C.Use AWS Service Catalog to block the use of disallowed services.
D.Attach a service control policy to the root organizational unit that denies the service actions.
E.Configure VPC endpoints to block traffic to the disallowed services.
Answers: A, D

IAM policies can deny actions, but they must be applied universally.

Why this answer

Option D is correct because SCPs can deny access to services at the organization level. Option A is correct because IAM policies in each account can deny actions, but they need to be applied consistently. Option B is wrong because AWS Config rules can detect but not enforce restrictions.

Option C is wrong because AWS Service Catalog provisions services; it does not restrict them. Option E is wrong because VPC endpoints are for network connectivity, not service restrictions.

128
Multi-Select · medium

Which TWO actions can be taken to secure an S3 bucket that contains sensitive data? (Choose two.)

Select 2 answers
A.Enable versioning on the bucket
B.Add a bucket policy that allows only HTTPS requests
C.Enable default encryption for the bucket
D.Enable AWS CloudTrail for the bucket
E.Block all public access at the account level
Answers: C, E

Ensures data is encrypted at rest.

Why this answer

Blocking public access at the account level prevents any public access to buckets. Enabling default encryption ensures data is encrypted at rest. Options C and E are correct.

Option A is wrong because versioning does not directly secure data; it protects against accidental deletion. Option D is wrong because enabling CloudTrail only logs access; it does not secure the bucket. Option B is wrong because a bucket policy that allows only HTTPS ensures encryption in transit, but it is not the most direct security measure.

129
MCQ · hard

A company uses AWS CloudTrail to log API activity. The security team needs to be alerted when an IAM user creates a new access key. Which combination of services should the SysOps administrator use to meet this requirement?

A.CloudWatch Logs Insights query on CloudTrail logs with an alarm
B.An AWS Config rule that checks for new access keys and sends an SNS notification
C.A CloudWatch Events rule that matches the CreateAccessKey API call and sends an SNS notification
D.S3 event notifications to an SNS topic
Answer: C

CloudWatch Events can filter CloudTrail events and trigger actions such as SNS notifications.

Why this answer

Option C is correct because CloudWatch Events (now Amazon EventBridge) can match CloudTrail events (such as CreateAccessKey) and trigger an SNS notification. Option D is wrong because S3 event notifications are not triggered by CloudTrail API events. Option B is wrong because Config rules evaluate resource configurations, not API calls.

Option A is wrong because CloudWatch Logs Insights is a query tool, not an alerting mechanism.

130
MCQ · medium

A company wants to allow an external auditor to read objects in a specific S3 bucket for 30 days. The auditor does not have an AWS account. Which method should be used?

A.Create a bucket policy that allows the auditor's IP address.
B.Create an IAM user for the auditor and share the credentials.
C.Generate presigned URLs for the objects.
D.Use CloudFront signed URLs.
Answer: C

Provides time-limited access.

Why this answer

Option C is correct because presigned URLs grant temporary access to specific objects without requiring AWS credentials. Option A is wrong because bucket policies require the auditor to have AWS credentials. Option B is wrong because IAM users require credentials.

Option D is wrong because CloudFront does not provide temporary access by itself.

131
MCQ · medium

A SysOps administrator notices that an Amazon CloudWatch Logs log group is growing rapidly and suspects that an EC2 instance is sending sensitive data to the logs. What is the most effective way to detect and redact sensitive data in real-time?

A.Use CloudWatch Logs Insights to query and mask sensitive data.
B.Enable S3 event notifications to trigger a Lambda function for redaction.
C.Create a CloudWatch Logs subscription filter that invokes a Lambda function for redaction.
D.Send logs to Amazon Kinesis Data Firehose and use Lambda for redaction.
Answer: C

CloudWatch Logs subscription filters can stream logs to Lambda in real time for processing.

Why this answer

Option C is correct because CloudWatch Logs subscription filters can send logs to Lambda for real-time processing, including redaction. Option A is wrong because CloudWatch Logs Insights is for querying, not real-time redaction. Option D is wrong because Kinesis Data Firehose can transform data but requires a Lambda function for custom redaction.

Option B is wrong because S3 event notifications are not real-time for log streams.

132
MCQ · medium

A company uses S3 to store sensitive data. To meet compliance requirements, all S3 buckets must be encrypted at rest. The security team notices that some objects in a bucket are not encrypted. What is the MOST efficient way to enforce encryption for all future objects?

A.Use AWS Config managed rule to identify unencrypted objects and re-upload them manually
B.Use S3 Inventory to list unencrypted objects and apply encryption via S3 Batch Operations
C.Enable default encryption on the bucket using AES-256
D.Create an S3 bucket policy that denies PutObject if the x-amz-server-side-encryption header is not present
Answer: D

The bucket policy enforces encryption at upload time by rejecting unencrypted requests.

Why this answer

Option D is correct because a bucket policy that denies PutObject requests without the x-amz-server-side-encryption header ensures that any object uploaded without encryption is rejected. Option C is incorrect because S3 default encryption applies only to new objects, and objects can still be uploaded without encryption if the request explicitly specifies otherwise. Option B is incorrect because S3 Inventory does not enforce encryption; it only reports.

Option A is incorrect because manually re-uploading is not efficient and does not prevent future violations.

133
MCQ · hard

A company uses AWS Organizations with SCPs to restrict member accounts. The security team wants to prevent all users in the 'Developers' OU from deleting S3 buckets, except for the root user of the management account. How should this be implemented?

A.Create an IAM policy that denies s3:DeleteBucket and attach it to all IAM users. The root user is not affected by IAM policies.
B.Attach an SCP that denies s3:DeleteBucket to the Developers OU. The management account root is not affected by SCPs.
C.Attach an SCP that denies s3:DeleteBucket except when called by root user.
D.Attach an SCP that denies s3:DeleteBucket to the Developers OU. The root user in member accounts is not affected.
Answer: B

SCPs do not apply to the management account.

Why this answer

Option B is correct because SCPs deny actions for all principals in a member account, including its root user, while the management account is not affected by SCPs. Option A is wrong because IAM policies cannot restrict the root user. Option C is wrong because SCPs cannot exclude the root user of a member account.

Option D is wrong because SCPs do apply to the root user of member accounts.

134
MCQ · easy

A company wants to provide temporary security credentials to a mobile application so it can access an S3 bucket. Which AWS service should be used to issue these credentials?

A.Amazon Cognito
B.AWS Key Management Service (KMS)
C.AWS Security Token Service (STS)
D.AWS Identity and Access Management (IAM)
Answer: C

STS issues temporary credentials for IAM roles or federated users.

Why this answer

Option C is correct because AWS STS (Security Token Service) generates temporary credentials. Option D is wrong because IAM users have long-term credentials. Option A is wrong because Amazon Cognito can issue credentials but is typically used for user pools; STS is the direct service.

Option B is wrong because KMS is for encryption keys.

135
MCQ · medium

A SysOps administrator needs to audit all IAM user activity in the AWS account for the last 90 days. Which AWS service should be used?

A.AWS Config
B.AWS Trusted Advisor
C.AWS CloudTrail
D.Amazon GuardDuty
Answer: C

CloudTrail records all API calls for auditing.

Why this answer

Option C is correct because AWS CloudTrail records API calls, including IAM actions, for the last 90 days by default in the event history. Option A is wrong because AWS Config records resource configuration changes, not user activity. Option D is wrong because Amazon GuardDuty is for threat detection.

Option B is wrong because AWS Trusted Advisor is for cost optimization and best-practice checks.

136
MCQ · medium

A SysOps administrator runs the AWS CLI command shown in the exhibit. What is the purpose of this command?

A.To retrieve details about the most recent console login events.
B.To count the number of console logins in the last 5 minutes.
C.To retrieve a list of all API calls made by the user john.doe.
D.To disable CloudTrail logging for console login events.
Answer: A

The command retrieves ConsoleLogin events with a limit of 5.

Why this answer

Option A is correct. The command looks up CloudTrail events with the event name 'ConsoleLogin', which are sign-in events to the AWS Management Console. Option C is wrong because the command filters by event name, not by user.

Option D is wrong because the command looks up events; it does not modify CloudTrail configuration. Option B is wrong because it returns the events themselves, not a count.

137
MCQ · hard

A company operates a web application behind an Application Load Balancer (ALB). The SysOps administrator needs to block incoming requests from specific geographic locations (countries X and Y) and also enforce a rate limit of 100 requests per IP address per 5-minute window to mitigate DDoS attacks. The solution must be centrally configured and apply to all requests handled by the ALB. Which AWS service should be used to implement these requirements?

A.AWS WAF
B.Amazon CloudFront geo restriction
C.AWS Shield Advanced
D.Security Groups
Answer: A

AWS WAF offers both geo-match conditions to block requests from specific countries and rate-based rules to limit request rates from an IP address. It integrates directly with ALB and provides a single, centrally managed solution.

Why this answer

AWS WAF is the correct service because it provides both geographic (geo-match) blocking and rate-based rules that can be associated directly with an Application Load Balancer. Geo-match conditions allow you to block requests from specific countries (X and Y), while rate-based rules can limit requests to 100 per 5-minute window per source IP. This solution is centrally configured at the ALB level, applying to all incoming requests without requiring additional infrastructure.

Exam trap

The trap here is that candidates often confuse AWS WAF with CloudFront geo restriction or AWS Shield Advanced, not realizing that only WAF provides both geo-blocking and rate-based rules that can be directly associated with an ALB without requiring CloudFront.

How to eliminate wrong answers

Option B (Amazon CloudFront geo restriction) is wrong because CloudFront geo restriction only works when CloudFront is the front-end service, not directly with an ALB; it cannot be applied to an ALB alone and does not support rate limiting. Option C (AWS Shield Advanced) is wrong because while it provides enhanced DDoS protection and cost protection, it does not offer granular geo-blocking or configurable rate-based rules; it is a managed threat protection service, not a web application firewall. Option D (Security Groups) is wrong because security groups operate at the network layer (Layer 3/4) and cannot inspect application-layer attributes like geographic origin or enforce rate limits based on HTTP request counts.

138
MCQ · medium

A SysOps administrator needs to ensure that all Amazon S3 buckets in an AWS account are encrypted at rest using server-side encryption. Which combination of actions should be taken to enforce this policy?

A.Enable default encryption on each S3 bucket and create a CloudWatch alarm to notify if unencrypted objects are uploaded.
B.Use an S3 bucket policy with a Deny statement for s3:PutObject without encryption applied to all buckets via a single policy.
C.Use AWS CloudTrail to monitor PutObject calls and trigger an AWS Lambda function to delete unencrypted objects.
D.Use an S3 bucket policy on each bucket that denies s3:PutObject if the x-amz-server-side-encryption header is not present.
Answer: D

This denies uploads without encryption, enforcing encryption at upload.

Why this answer

Option D is correct because an S3 bucket policy with a Deny for s3:PutObject without the x-amz-server-side-encryption header enforces encryption at upload time. Option B is wrong because a single bucket policy cannot be applied to all buckets at once; each bucket needs its own policy. Option A is wrong because enabling default encryption on existing buckets does not prevent unencrypted uploads (the default applies only if no header is specified).

Option C is wrong because CloudTrail can log but not enforce encryption.

139
MCQ · easy

A company needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used to track these changes?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch
D.AWS Trusted Advisor
Answer: B

CloudTrail logs all API calls for audit.

Why this answer

AWS CloudTrail logs all API calls, including IAM policy changes. Option B is correct. Option A is wrong because AWS Config records resource configuration but not API calls.

Option C is wrong because CloudWatch is for monitoring metrics. Option D is wrong because Trusted Advisor provides best practice checks.

140
MCQ · easy

A company wants to grant an IAM role in Account A access to an S3 bucket in Account B. What must be configured?

A.A trust policy in Account B allowing the IAM role to access the bucket.
B.A bucket policy in Account B granting access to the IAM role, and a trust policy in Account A allowing the role to assume the permissions.
C.A bucket policy in Account B allowing access from the IAM role.
D.An IAM role in Account A with a policy allowing access to the bucket.
Answer: B

This is the standard cross-account access setup.

Why this answer

Option B is correct because both a bucket policy in Account B and a trust policy in Account A are required for cross-account access. Option C is wrong because a bucket policy alone is insufficient; the role must trust the bucket. Option D is wrong because an IAM role policy in Account A alone is insufficient; the bucket policy must allow access.

Option A is wrong because the trust policy is needed in Account A, not Account B.

141
MCQ · medium

A company requires that all Amazon S3 buckets in its AWS account must be encrypted using AWS KMS (SSE-KMS). The SysOps administrator needs to detect any bucket that does not have KMS encryption enabled and automatically remediate it by enabling encryption. Which AWS service should be used to implement this automated compliance enforcement?

A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
Answer: A

AWS Config can continuously monitor and evaluate S3 bucket configurations. With a managed rule for server-side encryption, it can detect non-compliant buckets. Combined with automatic remediation actions, AWS Config can enable encryption on non-compliant buckets without manual intervention.

Why this answer

AWS Config is the correct service because it can continuously monitor S3 bucket configurations against a desired encryption state using managed rules like 's3-bucket-server-side-encryption-enabled' or custom Lambda rules. When a non-compliant bucket is detected, AWS Config can trigger an automatic remediation action via Systems Manager Automation to enable SSE-KMS encryption, enforcing compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse AWS Config's detective and remediation capabilities with CloudTrail's logging or Trusted Advisor's advisory-only checks, assuming any 'security' service can enforce compliance, but only AWS Config provides automated remediation via rules and Systems Manager.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail is a service for auditing API calls and logging activity, not for detecting or remediating configuration drift in real time. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS, VPC flow logs, and CloudTrail events for malicious activity, not for enforcing encryption policies on S3 buckets. Option D is wrong because AWS Trusted Advisor provides best-practice recommendations and checks for cost optimization, security, and performance, but it cannot automatically remediate non-compliant resources; it only reports findings.

142
MCQ · medium

A SysOps administrator needs to ensure that all traffic to an Application Load Balancer (ALB) uses encryption. How can this be enforced?

A.Configure the security group to allow only HTTPS traffic (port 443).
B.Create a listener that redirects HTTP requests (port 80) to HTTPS (port 443).
C.Use AWS WAF to block HTTP requests.
D.Configure the ALB to use a custom SSL certificate.
Answer: B

Correct. An ALB listener rule can redirect HTTP to HTTPS, ensuring clients use encrypted connections.

Why this answer

Option B is correct because an Application Load Balancer can be configured with a listener rule that redirects incoming HTTP (port 80) requests to HTTPS (port 443). This ensures that all traffic to the ALB is encrypted in transit, as any unencrypted HTTP request is automatically redirected to the secure HTTPS protocol. The redirect action is a native ALB feature and does not require additional services or complex configurations.

Exam trap

The trap here is that candidates often confuse security group rules with application-layer behavior, mistakenly believing that restricting the security group to port 443 alone will enforce encryption, when in fact it only controls network access and does not prevent unencrypted traffic on that port.

How to eliminate wrong answers

Option A is wrong because security groups operate at the network layer and can only allow or deny traffic based on IP addresses, ports, and protocols; they cannot enforce encryption or redirect traffic. Even if the security group allows only port 443, a client could still send unencrypted HTTP traffic to that port, and the ALB would accept it if a listener exists for HTTP on port 443. Option C is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS requests for malicious patterns, but it cannot enforce encryption or redirect HTTP to HTTPS; it operates after the listener has accepted the connection.

Option D is wrong because configuring a custom SSL certificate on the ALB enables HTTPS but does not automatically redirect HTTP traffic to HTTPS; without a redirect rule, clients can still send unencrypted HTTP requests to the ALB.

143
Matching · medium

Match each AWS cost management tool to its purpose.

Visualize and analyze costs

Set custom cost and usage alerts

Detailed billing data

Discount in exchange for commitment

Flexible pricing model

Why these pairings

These are AWS cost management features.

144
MCQ · medium

A company wants to restrict access to an AWS Systems Manager Parameter Store parameter to only requests originating from the corporate network IP range (10.0.0.0/8). The SysOps administrator needs to implement this restriction using an IAM policy. Which condition key should be used?

A.aws:SourceIp
B.aws:SourceVpc
C.aws:RequestedRegion
D.aws:UserAgent
Answer: A

This condition key checks the IP address of the requester, making it suitable for IP-based access restrictions.

Why this answer

The correct answer is A because the `aws:SourceIp` condition key is designed to restrict access based on the requester's IP address. In this scenario, the corporate network IP range is 10.0.0.0/8, which is a private IPv4 address range. When used in an IAM policy, `aws:SourceIp` evaluates the source IP of the request as seen by AWS, allowing you to permit or deny access to Systems Manager Parameter Store based on that IP range.

Exam trap

The trap here is that candidates often confuse `aws:SourceIp` with `aws:SourceVpc`, mistakenly thinking that restricting by VPC is equivalent to restricting by IP range, but `aws:SourceVpc` requires the request to originate from a VPC endpoint or VPC, not a specific IP range.

How to eliminate wrong answers

Option B is wrong because `aws:SourceVpc` is used to restrict access based on the VPC from which the request originates, not the IP address range; it requires the request to come from a specific VPC endpoint or VPC, not a corporate network IP range. Option C is wrong because `aws:RequestedRegion` restricts access based on the AWS Region specified in the request, not the source IP address; it is used for regional access control, not network-based restrictions. Option D is wrong because `aws:UserAgent` restricts access based on the user agent string in the request, which identifies the client application or tool (e.g., AWS CLI, SDK), not the network IP range.

145
Matching · medium

Match each AWS compute service to its use case.

Virtual machines in the cloud

Serverless function execution

Container orchestration with Docker

Managed Kubernetes clusters

Serverless compute for containers

Why these pairings

These are the main AWS compute options.

146
MCQ · easy

Refer to the exhibit. A SysOps administrator runs the command to list running EC2 instances. What is the purpose of the '--query' parameter?

A.It filters the results on the server side.
B.It limits the API call to only running instances.
C.It filters the output to show only specified fields.
D.It saves the output to a file.
Answer: C

A JMESPath query selects specific fields.

Why this answer

Option C is correct because the '--query' parameter filters and formats the output client-side using JMESPath. Option A is wrong because '--query' does not filter before the API call. Option D is wrong because it only formats output; it does not save to a file.

Option B is wrong because it does not change the API call.

147
MCQ · medium

A company uses AWS Organizations to manage multiple accounts. The security team wants to restrict all accounts from using specific AWS services unless explicitly allowed. Which feature should be used?

A.Service control policies (SCPs)
B.Resource-based policies
C.IAM permissions boundaries
D.AWS Config rules
Answer: A

SCPs allow you to centrally control the maximum available permissions for all accounts in your organization.

Why this answer

Service control policies (SCPs) are used in AWS Organizations to define the maximum permissions for accounts in the organization. SCPs can deny or allow services at the organization, OU, or account level. IAM permissions boundaries (Option C) limit individual users and roles, not whole accounts.

Resource-based policies (Option B) apply to specific resources. AWS Config rules (Option D) evaluate compliance but do not restrict usage.

148
MCQ · hard

A company has an EC2 instance that needs to access an S3 bucket. The instance is launched in a private subnet with no internet gateway. What is the most secure way to provide access to S3 without traversing the internet?

A.Use a NAT gateway in a public subnet
B.Create an S3 VPC gateway endpoint
C.Set up an AWS Direct Connect connection
D.Attach an internet gateway to the VPC and a public IP to the instance
Answer: B

An S3 VPC endpoint allows private access to S3 without the internet.

Why this answer

To provide access to S3 from a private subnet without an internet gateway, you can use an S3 VPC endpoint (Gateway type). This allows instances in the VPC to access S3 privately over the AWS network. Option B is correct.

Option A is wrong because a NAT gateway would route traffic through the internet, which is less secure and requires an internet gateway. Option D is wrong because it relies on an internet gateway and a public IP, so traffic traverses the internet. Option C is wrong because AWS Direct Connect does not eliminate the need for a VPC endpoint; it provides a dedicated connection but still requires routing through the internet unless a VPC endpoint is used.

149
MCQ · medium

Refer to the exhibit. A SysOps administrator creates this stack. Which of the following is true about the bucket?

A.The bucket has versioning enabled
B.The bucket is publicly accessible
C.The bucket does not have versioning enabled
D.The bucket allows public read access
Answer: A

VersioningConfiguration Status is Enabled.

Why this answer

The template enables versioning and sets all public access block settings to true. This means the bucket is private and cannot be made public. Versioning is enabled.

Option A is correct. Option B is wrong because public access is blocked. Option D is wrong because the bucket is not publicly accessible.

Option C is wrong because versioning is enabled.

150
MCQ · medium

A company requires that all S3 buckets be tagged with a 'CostCenter' tag. A SysOps administrator needs to enforce this and prevent creation of untagged buckets. Which approach should be used?

A.Apply a service control policy (SCP) that denies s3:CreateBucket unless the request includes the required tag
B.Create an IAM policy that allows s3:CreateBucket only if the bucket has the tag, and attach it to all users
C.Enable AWS CloudTrail to log bucket creation and review logs daily
D.Use an AWS Config rule to automatically delete untagged buckets
Answer: A

SCPs can enforce tagging at the organizational level by denying bucket creation without the required tag.

Why this answer

AWS Organizations SCPs can be used to deny actions that do not meet certain conditions, such as requiring specific tags. An SCP with a condition for 'aws:RequestTag' can enforce tagging at bucket creation. IAM policies can also enforce tagging for specific users, but SCPs apply to all accounts in the organization.

AWS Config rules can detect non-compliant resources but cannot prevent creation. CloudTrail is for logging, not enforcement.
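The conditional Deny policies this page keeps returning to (the encryption-enforcing bucket policy of questions 122, 132 and 138, the aws:SourceIp restriction of question 144, and the tagging SCP of question 150) can be exercised with the small evaluator below. This is an added example, not material from the question bank or from AWS: the bucket name, tag value, IP addresses and the evaluator itself are constructed, and it models only the condition operators those policies use, not resource or principal matching.

```python
"""Evaluate the conditional Deny statements discussed on this page.

Added example, not AWS's policy engine: it models only the condition
operators those policies use (Null, StringEquals, StringNotEquals,
NotIpAddress) and applies the IAM rule that an explicit Deny overrides
any Allow. Bucket name, tag value and IP addresses are constructed.
"""
import fnmatch
import ipaddress

# Constructed: the two-statement bucket policy behind Q122, Q132 and Q138.
DENY_UNENCRYPTED_PUT = {
    "Version": "2012-10-17",
    "Statement": [
        {   # rejects an explicit header whose value is not SSE-S3 (AES256)
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {   # rejects a PutObject that sends no encryption header at all
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# Constructed: SCP that blocks bucket creation without a CostCenter tag (Q150).
DENY_UNTAGGED_CREATE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "s3:CreateBucket", "Resource": "*",
        "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
    }],
}

# Constructed: identity policy for Q144, denying Parameter Store reads
# unless the request comes from the corporate range 10.0.0.0/8.
DENY_OUTSIDE_CORP_NET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "ssm:GetParameter*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/8"]}},
    }],
}


def condition_matches(operator, key, expected, ctx):
    """Return True when one condition key matches the request context.

    Negated operators (StringNotEquals, NotIpAddress) also match when the
    key is absent, as IAM documents; that is why the Null statement above
    is the one that catches a PutObject sent with no header, and why an
    aws:SourceIp Deny also blocks requests that carry no source IP at all.
    """
    present = key in ctx
    values = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        return (not present) == (values[0] == "true")
    if operator == "StringEquals":
        return present and ctx[key] in values
    if operator == "StringNotEquals":
        return (not present) or ctx[key] not in values
    if operator == "NotIpAddress":
        if not present:
            return True
        ip = ipaddress.ip_address(ctx[key])
        return not any(ip in ipaddress.ip_network(cidr) for cidr in values)
    raise ValueError(f"operator not modelled here: {operator}")


def statement_applies(stmt, action, ctx):
    """True when the action matches (wildcards allowed; case-sensitive here,
    unlike IAM) and every condition in the statement holds."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    return all(condition_matches(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def explicit_denies(policy, action, ctx):
    """Sids (or Statement<i>) of the Deny statements a request triggers.

    A non-empty list means the request is refused regardless of any Allow.
    ctx holds the request's condition keys, e.g. the
    s3:x-amz-server-side-encryption header, aws:RequestTag/* or aws:SourceIp.
    """
    return [stmt.get("Sid", f"Statement{i}")
            for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Deny" and statement_applies(stmt, action, ctx)]


if __name__ == "__main__":
    print(explicit_denies(DENY_UNENCRYPTED_PUT, "s3:PutObject", {}))
    print(explicit_denies(DENY_UNENCRYPTED_PUT, "s3:PutObject",
                          {"s3:x-amz-server-side-encryption": "AES256"}))
    print(explicit_denies(DENY_UNTAGGED_CREATE_BUCKET, "s3:CreateBucket", {}))
    print(explicit_denies(DENY_OUTSIDE_CORP_NET, "ssm:GetParameter",
                          {"aws:SourceIp": "203.0.113.7"}))
```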
