Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 1 Q1-20
Question 1
A company wants to enforce strict password policies for their AWS IAM users across multiple accounts. Which AWS service can centrally manage and enforce such policies?
A) AWS Organizations
B) AWS IAM
C) AWS SSO
D) AWS KMS
Answer: C) AWS SSO
Explanation:
AWS Organizations is mainly used to manage multiple AWS accounts under a single organization. It allows centralized billing, applying Service Control Policies, and centralized governance. However, it cannot directly enforce password policies for IAM users across accounts.
AWS IAM allows creation and management of users, groups, and roles within a single account. IAM password policies can enforce complexity, rotation, and length requirements, but they only apply to the specific account. It does not automatically apply across multiple accounts.
AWS SSO (Single Sign-On) provides centralized identity and access management across multiple AWS accounts. It integrates with identity providers like Active Directory or Okta, allowing centralized enforcement of password policies, MFA, and permissions. This makes it ideal for organizations needing consistent security controls across accounts.
AWS KMS (Key Management Service) focuses on encryption key management. It does not manage authentication, credentials, or password policies.
AWS Single Sign-On (SSO) is the correct solution for providing centralized access management across multiple AWS accounts and applications. AWS SSO allows organizations to manage user identities and permissions from a single location, enabling users to sign in once and gain access to all assigned AWS accounts and business applications without needing separate credentials for each account. This simplifies user management, improves security by reducing the need for multiple passwords, and ensures consistent access control across the organization. AWS SSO integrates with existing identity providers such as Microsoft Active Directory or external SAML-based providers, making it easy to implement single sign-on for both cloud and on-premises applications.
AWS Organizations is primarily used for managing multiple AWS accounts under a single organizational hierarchy. It allows centralized billing, policy enforcement, and account management but does not directly provide single sign-on capabilities for end users. AWS IAM (Identity and Access Management) controls access to AWS resources by managing users, groups, roles, and policies within a single account but can become cumbersome to manage across many accounts. AWS KMS (Key Management Service) is used to manage encryption keys for securing data but is unrelated to user authentication or centralized access.
AWS SSO provides a streamlined, secure, and centralized method for managing user access across multiple AWS accounts and applications. While AWS Organizations, IAM, and KMS provide important account, permission, and encryption management capabilities, only AWS SSO delivers single sign-on functionality to simplify access, improve security, and enhance the user experience. This makes option C the correct choice for centralized identity and access management.
AWS SSO is correct because it allows centralized enforcement of authentication and password policies, including MFA, across multiple accounts while integrating with IAM roles for permission control.
Question 2
Which of the following is the most secure method to grant temporary access to AWS resources for a third-party user without sharing long-term credentials?
A) Create an IAM user with a password and share the credentials
B) Use IAM roles with temporary security credentials
C) Share the root account access key
D) Use a static access key with limited permissions
Answer: B) Use IAM roles with temporary security credentials
Explanation:
Creating an IAM user with shared credentials is risky because the credentials are long-term and can be misused if exposed. Managing revocation is also complicated in multi-user scenarios.
IAM roles with temporary security credentials issued through AWS Security Token Service (STS) are time-limited and scoped to provide least-privilege access. They automatically expire, reducing the risk of credential leakage, and are ideal for third-party access or automation.
Sharing root account access keys is extremely unsafe because the root account has unrestricted access to all AWS resources. Any compromise could lead to catastrophic consequences.
Static access keys with limited permissions are safer than root credentials but still remain long-term, requiring careful rotation and management.
Using IAM roles with temporary credentials is the correct solution because it provides secure, temporary, and auditable access without exposing long-term secrets.
Using IAM roles with temporary security credentials is the correct approach for granting secure, time-limited access to AWS resources. IAM roles allow an entity—such as a user, application, or service—to assume a role and receive temporary credentials that automatically expire after a defined period. This reduces the risk associated with long-lived credentials, as the temporary access cannot be used indefinitely if compromised. Roles can be configured with fine-grained permissions, ensuring that users or services only have access to the specific resources and actions required for their tasks. This approach also supports cross-account access and integration with external identity providers using AWS Security Token Service (STS), enabling secure and scalable access management without sharing permanent credentials.
Creating an IAM user with a password and sharing credentials is insecure because it exposes long-lived credentials that can be easily misused or compromised. Sharing the root account access key is highly discouraged, as the root account has full administrative privileges and any compromise can lead to complete account takeover. Using a static access key with limited permissions is slightly safer than sharing root credentials, but it still relies on long-lived credentials that can be exposed or leaked, requiring careful rotation and monitoring.
IAM roles with temporary security credentials provide secure, time-bound access to AWS resources, minimize the risk of credential compromise, and allow fine-grained permission control. The other options—sharing IAM user passwords, root access keys, or static keys—pose significant security risks and lack the flexibility and safety of temporary, role-based access. This makes option B the correct choice for securely granting access in AWS environments.
Question 3
An organization needs to encrypt sensitive data at rest in Amazon S3 and control access to encryption keys. Which combination of services meets this requirement?
A) S3 Server-Side Encryption with SSE-S3 and IAM policies
B) S3 Server-Side Encryption with SSE-KMS and AWS KMS
C) S3 Client-Side Encryption with SSE-C and IAM policies
D) S3 Server-Side Encryption with SSE-C and KMS
Answer: B) S3 Server-Side Encryption with SSE-KMS and AWS KMS
Explanation:
S3 SSE-S3 encrypts objects automatically but does not allow fine-grained control over encryption key usage or auditing. IAM policies can control bucket access but not key permissions.
SSE-KMS integrates with AWS KMS, allowing fine-grained control over key access, rotation, and auditing. Permissions can be scoped by user or role, and CloudTrail logs track key usage, providing regulatory compliance support.
S3 Client-Side Encryption with SSE-C requires the client to manage encryption keys. While it encrypts data, IAM policies cannot enforce or audit the client-provided key usage, increasing operational complexity and risk.
SSE-C combined with KMS is invalid because KMS does not manage SSE-C customer-provided keys directly, so it cannot provide centralized control.
SSE-KMS is correct because it provides encryption at rest with centralized, auditable key management, fine-grained access control, and compliance tracking.
S3 Server-Side Encryption with SSE-KMS and AWS Key Management Service (KMS) is the correct choice for securing sensitive data in Amazon S3. SSE-KMS combines server-side encryption with the advanced key management capabilities of AWS KMS. When data is uploaded to an S3 bucket, it is automatically encrypted at rest using encryption keys managed by KMS. This approach allows organizations to maintain strong security controls over who can use or manage the encryption keys, enabling fine-grained access policies, key rotation, and detailed audit logging via AWS CloudTrail. By using SSE-KMS, data is protected with robust encryption while providing centralized management of keys, making it easier to comply with regulatory and organizational security requirements.
S3 Server-Side Encryption with SSE-S3 and IAM policies encrypts objects at rest using keys managed entirely by Amazon S3. While SSE-S3 provides basic encryption, it does not allow the same level of control, key management, or detailed auditing as SSE-KMS. Organizations that require stringent security, regulatory compliance, or the ability to manage encryption keys centrally benefit more from SSE-KMS.
S3 Client-Side Encryption with SSE-C requires the customer to provide and manage the encryption keys. While this method ensures encryption before data reaches S3, it places the responsibility of secure key management entirely on the customer. Loss or compromise of the keys could make data inaccessible or vulnerable, making it less practical for most enterprise scenarios.
S3 Server-Side Encryption with SSE-C and KMS is not a valid combination because SSE-C assumes that the customer provides and manages the encryption key, whereas KMS is designed to manage server-side encryption keys. These two approaches are mutually exclusive and cannot be combined.
SSE-KMS with AWS KMS provides automatic server-side encryption, centralized key management, access control, audit logging, and regulatory compliance, making it the most secure and manageable option for S3 data. Other encryption methods either provide less control, require customer-managed keys, or are not compatible, which is why option B is the correct choice.
Question 4
Which AWS service is best suited for monitoring, detecting, and responding to suspicious activity across multiple AWS accounts?
A) AWS CloudTrail
B) Amazon GuardDuty
C) AWS Config
D) AWS Security Hub
Answer: B) Amazon GuardDuty
Explanation:
AWS CloudTrail records API activity and changes but does not automatically detect malicious behavior. It is primarily used for auditing and forensic investigations rather than real-time threat detection.
Amazon GuardDuty continuously monitors AWS accounts for threats and anomalies using machine learning and threat intelligence feeds. It detects unauthorized activity and generates actionable security findings for rapid response.
AWS Config tracks changes in resource configurations and evaluates compliance with policies. While valuable for governance, it does not actively detect malicious behavior or account compromise.
AWS Security Hub aggregates findings from GuardDuty, Config, and other security services to provide a centralized view of security posture. However, it does not perform the actual threat detection itself.
GuardDuty is correct because it actively detects threats and suspicious activity across accounts, providing actionable alerts for security teams.
Question 5
A developer wants to encrypt data in transit between an application and Amazon RDS without changing the application logic. Which solution provides strong encryption with minimal effort?
A) Enable SSL/TLS on RDS and require database clients to use SSL
B) Use AWS KMS to encrypt data before sending to RDS
C) Encrypt data on the client side using AES before sending
D) Enable S3 Server-Side Encryption
Answer: A) Enable SSL/TLS on RDS and require database clients to use SSL
Explanation:
Enabling SSL/TLS on RDS ensures that all data in transit is encrypted. Minimal changes are required in the application, usually just enabling SSL in the database client.
Using KMS to encrypt data before sending requires modifying the application to handle encryption and decryption, manage keys, and maintain secure storage, adding complexity.
Client-side encryption using AES also requires the application to handle key management and encryption logic, increasing the risk of errors and operational overhead.
S3 Server-Side Encryption is unrelated to RDS and only protects data at rest in S3, not in transit between applications and RDS.
SSL/TLS is the correct solution because it ensures strong encryption in transit with minimal application changes and integrates seamlessly with RDS for secure communications.
Question 6
A company wants to enforce multi-factor authentication (MFA) for all IAM users but also needs API access for automated systems. Which approach provides both security and operational continuity?
A) Require MFA for all IAM users and generate long-term access keys for automation
B) Use IAM roles for automation and enforce MFA only for human users
C) Disable MFA enforcement to simplify automated workflows
D) Use a single IAM user with MFA enabled for both humans and automation
Answer: B) Use IAM roles for automation and enforce MFA only for human users
Explanation:
Requiring MFA for all IAM users and creating long-term access keys for automation increases security risks because long-term credentials can be exposed or leaked. Long-term keys for automation contradict the principle of least privilege and make credential rotation and auditing difficult. If a key is compromised, it could result in unauthorized access to resources.
Using IAM roles for automation while enforcing MFA only for human users allows secure separation of human and machine access. Automation systems can assume roles with temporary security credentials issued via AWS STS, which expire automatically, reducing the risk of long-term exposure. Human users are still required to authenticate using MFA, maintaining compliance and security best practices. This approach allows operational continuity without compromising account security.
Disabling MFA enforcement for all users simplifies automation but significantly weakens security. Without MFA, human users’ accounts are more vulnerable to compromise, increasing the risk of unauthorized access to sensitive resources. This approach violates AWS security best practices and regulatory compliance requirements.
Using a single IAM user with MFA enabled for both humans and automation is not viable because automation systems cannot easily provide MFA tokens programmatically. It either breaks automation workflows or forces human interaction for automated tasks, which is impractical for continuous or scheduled processes.
IAM roles with temporary credentials combined with MFA for human users are the best solution. This design adheres to AWS best practices for security, minimizes risk exposure, separates human and machine access, and ensures operational workflows continue without interruption. It supports auditing, compliance, and secure access management while preventing long-term credential misuse.
Question 7
A security engineer wants to detect unauthorized attempts to access sensitive S3 buckets and receive actionable alerts. Which AWS service is the most appropriate?
A) AWS CloudTrail
B) Amazon GuardDuty
C) AWS Config
D) AWS Macie
Answer: B) Amazon GuardDuty
Explanation:
AWS CloudTrail records all API activity within AWS accounts and provides a historical audit trail. While useful for forensic investigations and compliance auditing, CloudTrail alone does not analyze activity for threats or generate actionable alerts in real time. Manual analysis is required to identify suspicious behavior.
Amazon GuardDuty is specifically designed to detect suspicious or unauthorized activity in AWS environments. It continuously monitors CloudTrail logs, VPC Flow Logs, and DNS logs to identify threats such as unusual API calls, anomalous network behavior, or compromised credentials. GuardDuty produces actionable findings with severity levels and can integrate with AWS Security Hub for centralized management, enabling rapid incident response.
AWS Config tracks configuration changes and evaluates resource compliance. It ensures that S3 buckets adhere to policies but does not detect or alert on unauthorized access attempts. Config is focused on governance rather than active threat detection.
AWS Macie identifies sensitive data in S3 and monitors access patterns. It can detect anomalous access to data such as PII or confidential information but is primarily focused on data classification and compliance, not general access monitoring or threat detection across all S3 activities.
Amazon GuardDuty is the correct choice because it provides proactive threat detection, integrates with multiple logging sources, and generates actionable security alerts. It enables security teams to respond quickly to suspicious S3 access attempts, ensuring sensitive data remains protected while minimizing false positives through machine learning and threat intelligence feeds.
Question 8
A company needs to ensure that all sensitive data in RDS is encrypted at rest and that encryption keys can be rotated and audited. Which solution meets these requirements?
A) Enable RDS storage-level encryption with default keys
B) Use RDS encryption with AWS KMS-managed keys
C) Encrypt data manually before writing to the database
D) Enable SSL/TLS for RDS connections
Answer: B) Use RDS encryption with AWS KMS-managed keys
Explanation:
Enabling RDS storage-level encryption with default keys provides basic encryption at rest but does not allow detailed control, auditing, or key rotation policies. It is sufficient for standard encryption needs but lacks fine-grained management and compliance features.
Using RDS encryption with AWS KMS-managed keys allows centralized management of encryption keys, including rotation policies, auditing of key usage, and detailed access control. Each encryption key can be managed according to the principle of least privilege, and CloudTrail logs provide auditability for all key operations. This meets regulatory compliance requirements and ensures sensitive data is protected both technically and operationally.
Encrypting data manually before writing to the database offloads encryption responsibility to the application layer. While it provides security, it introduces complexity in key management, requires custom coding for encryption and decryption, and increases the risk of implementation errors. This approach is operationally intensive and difficult to audit.
Enabling SSL/TLS for RDS connections secures data in transit but does not encrypt data at rest. This solution does not meet the requirement for storage-level encryption or key management.
RDS encryption with KMS-managed keys is the correct choice because it ensures strong encryption at rest, allows auditable key management and rotation, integrates seamlessly with AWS services, and minimizes operational overhead while complying with security best practices.
Question 9
A company wants to log all administrative actions performed on IAM users and roles for auditing purposes. Which service provides this capability?
A) AWS Config
B) AWS CloudTrail
C) Amazon GuardDuty
D) AWS Security Hub
Answer: B) AWS CloudTrail
Explanation:
AWS Config monitors configuration changes of AWS resources and evaluates them against defined compliance rules. It can detect when IAM policies or roles change but does not provide detailed logging of API calls, making it insufficient for complete auditing of administrative actions.
AWS CloudTrail records all API activity in AWS accounts, including management events such as creating or deleting IAM users, modifying roles, or attaching policies. It captures detailed information, including the identity of the requester, timestamp, and source IP, providing a full audit trail for security and compliance purposes. CloudTrail logs can be stored in S3, integrated with CloudWatch for alerts, and analyzed for unusual activities.
Amazon GuardDuty detects anomalous activity or security threats but does not provide comprehensive logging of every administrative action. It is focused on threat detection rather than detailed auditing.
AWS Security Hub aggregates security findings from multiple sources, including GuardDuty, Macie, and Config, but does not record raw administrative actions itself. It is mainly a dashboard for security posture.
AWS CloudTrail is the correct choice because it provides a comprehensive, centralized, and auditable log of all IAM administrative activities, enabling compliance monitoring, forensic investigations, and real-time analysis of changes within the account.
Question 10
A company wants to restrict S3 bucket access to specific VPCs while maintaining encryption for all objects. Which configuration achieves this goal?
A) Use bucket policies to allow access only from specific VPC endpoints and enable SSE-KMS
B) Use IAM user policies to restrict access and enable SSE-S3
C) Enable public access block and use SSE-C
D) Configure a Security Group to restrict access to S3
Answer: A) Use bucket policies to allow access only from specific VPC endpoints and enable SSE-KMS
Explanation:
Bucket policies can enforce fine-grained access control by allowing access only from specific VPC endpoints. This ensures that only resources within authorized VPCs can reach the bucket. Enabling SSE-KMS ensures encryption at rest with centralized key management, rotation, and auditing, meeting security requirements.
IAM user policies control access at the user level but do not enforce network-level restrictions such as limiting access to specific VPCs. SSE-S3 provides encryption but lacks fine-grained access control for VPC restrictions.
Enabling public access block prevents external public access but does not limit access to specific VPCs. SSE-C encrypts data but requires client-managed keys and does not enforce network-level controls.
Security Groups control network access to EC2 instances but cannot restrict access to S3 buckets directly, as S3 is a managed service that operates outside the traditional VPC firewall model.
Using bucket policies with VPC endpoint restrictions and SSE-KMS is correct because it combines network-level access control with strong, auditable encryption, ensuring secure and compliant access to S3 objects.
Question 11
A company wants to ensure that all objects uploaded to S3 are automatically encrypted using a customer-managed key without relying on manual enforcement. Which approach is most appropriate?
A) Use bucket policies to deny uploads without SSE-KMS
B) Enable SSE-S3 encryption for the bucket
C) Use client-side encryption with SSE-C
D) Require IAM users to apply encryption manually
Answer: A) Use bucket policies to deny uploads without SSE-KMS
Explanation:
Using bucket policies to deny uploads that are not encrypted with SSE-KMS ensures that all data is encrypted with a customer-managed key before it is stored. This approach enforces encryption automatically, removing reliance on users to remember to encrypt files. It also allows fine-grained control over who can use specific KMS keys and provides auditability through CloudTrail logs, which helps in compliance reporting.
Enabling SSE-S3 encryption provides server-side encryption with Amazon-managed keys. While this ensures encryption at rest, it does not use customer-managed keys, limiting control over key rotation, access permissions, and auditing. Organizations requiring strict compliance or regulatory adherence often need KMS-managed keys.
Client-side encryption with SSE-C relies on the client to provide encryption keys for each request. While this encrypts data before it reaches S3, it places the burden of key management on users and does not provide centralized enforcement, which increases operational risk and complexity.
Requiring IAM users to apply encryption manually is error-prone and does not guarantee compliance. Users may forget or misconfigure encryption, leaving data unprotected.
Bucket policies with enforced SSE-KMS are the correct solution because they provide automatic encryption with customer-managed keys, centralized control, fine-grained permissions, and auditing, ensuring all data is consistently protected in accordance with best practices.
Question 12
A security team needs to receive notifications whenever a new IAM role is created in an AWS account. Which combination of services provides automated detection and alerting?
A) AWS Config and Amazon SNS
B) Amazon GuardDuty and AWS CloudTrail
C) AWS IAM and CloudWatch Logs
D) AWS KMS and AWS CloudTrail
Answer: A) AWS Config and Amazon SNS
Explanation:
AWS Config can track changes in IAM roles and policies. By creating a rule to detect the creation of new IAM roles, it continuously monitors the environment for configuration changes. When the rule is triggered, AWS Config can send a notification using Amazon SNS, which allows real-time alerts to email, SMS, or other endpoints, providing immediate awareness to the security team.
Amazon GuardDuty is focused on detecting suspicious or malicious activity rather than configuration changes. While it can detect anomalous API calls, it does not provide explicit alerts for all role creation events. CloudTrail logs all API activity, including IAM role creation, but alone it requires manual monitoring or additional tooling to generate notifications.
AWS IAM manages users, groups, and roles but does not inherently provide alerting mechanisms for changes. CloudWatch Logs can collect and analyze logs, but integration with Config or custom rules is required for automated alerts.
AWS KMS is focused on encryption and key management, not auditing IAM role creation, so pairing it with CloudTrail does not provide direct notifications or automated alerts for new IAM roles.
AWS Config and Amazon SNS is the correct choice because it enables real-time detection of configuration changes like IAM role creation and provides immediate alerts, supporting rapid response and compliance monitoring.
Question 13
A company wants to centrally enforce encryption of all EBS volumes and monitor compliance across multiple AWS accounts. Which solution is most effective?
A) Use AWS Config rules with an aggregator for multiple accounts
B) Enable encryption during EBS creation manually for each account
C) Use IAM policies to require encryption
D) Rely on AWS KMS default keys without monitoring
Answer: A) Use AWS Config rules with an aggregator for multiple accounts
Explanation:
AWS Config allows the creation of rules that verify whether EBS volumes are encrypted. By using an aggregator, an organization can consolidate compliance data from multiple accounts into a single view. This setup ensures continuous monitoring, automated reporting, and centralized auditing, which is crucial for compliance requirements.
Enabling encryption manually for each EBS volume is error-prone, does not scale well across multiple accounts, and cannot provide ongoing monitoring for newly created volumes.
IAM policies can enforce actions at the API level, such as preventing unencrypted EBS volume creation, but they do not provide monitoring, auditing, or historical compliance reporting. This leaves a gap in observability for existing or previously created volumes.
Relying on AWS KMS default keys without monitoring only ensures encryption at the time of creation but does not provide compliance visibility or auditing across multiple accounts, which is often required for regulatory adherence.
Using AWS Config rules with an aggregator is correct because it provides automated, continuous compliance checks for EBS encryption, supports multi-account monitoring, and allows centralized auditing and reporting for governance purposes.
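The evaluation logic behind the Config rule described in Question 13, as an added example that is not part of the original page or an AWS-provided rule. AWS also ships a managed rule for this check; the custom version below additionally requires a specific customer-managed key, which the managed rule does not. The event shape is the one a custom-rule Lambda receives from AWS Config; the volume id, key ARN and result token are constructed placeholders.

```python
import json


def evaluate_volume(config_item, approved_key_arns):
    """Classify one Config configuration item. Returns (compliance, reason).
    A volume is COMPLIANT only if it is encrypted and, when approved key ARNs
    are configured, uses one of them (a customer-managed key, per Q8/Q13)."""
    if config_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    cfg = config_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT", "volume is not encrypted"
    key = cfg.get("kmsKeyId")
    if approved_key_arns and key not in approved_key_arns:
        return "NON_COMPLIANT", f"encrypted with unapproved key {key}"
    return "COMPLIANT", "encrypted with an approved key"


def build_evaluation(event):
    """Turn a Config rule invocation into the evaluation record Config expects.
    invokingEvent and ruleParameters arrive as JSON strings inside the event."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    # ruleParameters are strings; approvedKeyArns is a comma-separated list
    approved = set(filter(None, params.get("approvedKeyArns", "").split(",")))
    compliance, reason = evaluate_volume(item, approved)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": reason[:256],  # annotation is limited to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: report the evaluation back to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so the pure functions above run without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed invocation shaped like a configuration-change notification
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0abc123",                       # placeholder
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "kmsKeyId": None},
        },
    }),
    "ruleParameters": json.dumps(
        {"approvedKeyArns": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}
    ),
    "resultToken": "PLACEHOLDER-RESULT-TOKEN",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Deployed per account and aggregated through a Config aggregator, the NON_COMPLIANT results from every account land in one view, which is the multi-account visibility the question asks for.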
Question 14
A company wants to enforce that only traffic from specific IP ranges can access a particular S3 bucket while ensuring encryption at rest. Which configuration achieves this?
A) Use a bucket policy restricting access to specific IPs and enable SSE-KMS
B) Use IAM policies to restrict access and enable SSE-S3
C) Enable public access block and SSE-C encryption
D) Configure a security group to restrict access to S3
Answer: A) Use a bucket policy restricting access to specific IPs and enable SSE-KMS
Explanation:
Bucket policies allow precise control over access, including restricting requests to specific IP ranges. By combining this with SSE-KMS, all objects stored in the bucket are encrypted with customer-managed keys, enabling fine-grained access control, auditing, and rotation policies. This ensures that only authorized networks can access the bucket and data is protected at rest.
IAM policies can control access at the user or role level but cannot restrict traffic based on network origin, so IP restriction cannot be enforced using IAM alone. SSE-S3 provides encryption at rest but lacks key-level control for auditing and rotation.
Enabling public access block prevents anonymous or public access but does not restrict access to specific IP ranges. SSE-C requires users to provide encryption keys for each request, adding complexity and not enforcing network-level restrictions.
Security groups apply to EC2 instances but cannot control access directly to S3, since S3 endpoints are managed outside the traditional VPC firewall model.
Using bucket policies with IP restrictions and SSE-KMS is correct because it provides both network-based access control and strong encryption at rest, ensuring compliance and security requirements are met.
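The bucket policies from Questions 10, 11 and 14 built as one document, plus a small evaluator that shows which Deny statement would block a given request. This is an added example, not code from the page or from AWS; the bucket name, VPC endpoint id and IP range are constructed placeholders, and the evaluator models only the explicit-Deny statements (a real request still needs an Allow).

```python
import fnmatch
import ipaddress
import json

BUCKET = "example-sensitive-bucket"   # placeholder bucket name (constructed)
VPCE = "vpce-0123456789abcdef0"       # placeholder VPC endpoint id (constructed)


def build_bucket_policy(bucket, vpce_id=None, cidrs=None):
    """SSE-KMS required on every upload (Q11) plus one network restriction:
    a VPC endpoint (Q10) or source IP ranges (Q14), never both."""
    if vpce_id and cidrs:
        # Endpoint traffic carries aws:SourceVpce but no public aws:SourceIp
        # and vice versa, so both Deny statements together block everything.
        raise ValueError("choose either a VPC endpoint or IP ranges, not both")
    objects = f"arn:aws:s3:::{bucket}/*"
    everything = [f"arn:aws:s3:::{bucket}", objects]
    statements = [
        {   # uploads must request SSE-KMS (a customer-managed key)
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": objects,
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # uploads with no encryption header are rejected too, even when the
            # bucket's default encryption would have applied after the fact
            "Sid": "DenyUploadsWithoutEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": objects,
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ]
    if vpce_id:   # only traffic arriving through the named VPC endpoint
        statements.append({
            "Sid": "DenyOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": everything,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        })
    if cidrs:     # only traffic from the listed source IP ranges
        statements.append({
            "Sid": "DenyOutsideAllowedIps",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": everything,
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(cidrs)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _condition_matches(condition, ctx):
    """The three operators used above, evaluated as IAM does: the negated
    operators (StringNotEquals, NotIpAddress) match when the key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "StringNotEquals":
                if present and ctx[key] == expected:
                    return False
            elif operator == "Null":
                if (expected == "true") != (not present):
                    return False
            elif operator == "NotIpAddress":
                if present and any(ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(c)
                                   for c in expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denied_by(policy, action, ctx):
    """Sid of the first Deny statement that blocks the request, or None.
    ctx holds the request's condition keys (SSE header, SourceVpce, SourceIp)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, vpce_id=VPCE)
    print(json.dumps(policy, indent=2))
    request = {"s3:x-amz-server-side-encryption": "AES256", "aws:SourceVpce": VPCE}
    print(denied_by(policy, "s3:PutObject", request))  # DenyNonKmsUploads
```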
Question 15
A company needs to ensure that only specific roles can assume an IAM role for accessing sensitive data. Which mechanism provides this control?
A) IAM trust policies
B) IAM user policies
C) Bucket policies
D) Security groups
Answer: A) IAM trust policies
Explanation:
IAM trust policies define which principals (users, roles, or accounts) are allowed to assume a particular IAM role. By specifying trusted entities, an organization can ensure that only authorized roles or users can temporarily assume the role to access sensitive data. Trust policies are essential for implementing the principle of least privilege and managing cross-account access securely.
IAM user policies attach permissions directly to users but do not control who can assume roles. They manage what users can do within their own credentials rather than managing role assumption.
Bucket policies control access to S3 resources, not IAM roles, so they cannot enforce which roles can assume other roles.
Security groups control network traffic to resources such as EC2 instances and do not manage IAM permissions or role assumption.
IAM trust policies are correct because they specifically define which entities are allowed to assume a role, enabling precise control over temporary access to sensitive data while adhering to security best practices.
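The trust policy described in Question 15, combined with the human/automation split from Question 6, as an added example that is not part of the original page or AWS documentation. The builder names the automation role and the human users that may assume the sensitive-data role (humans only with MFA), and the linter flags the broad trust relationships a reviewer would look for. Account id, role and user ARNs are constructed placeholders, and the lint checks are heuristics.

```python
import json

ACCOUNT = "111122223333"                                           # placeholder
AUTOMATION_ROLE = f"arn:aws:iam::{ACCOUNT}:role/etl-pipeline"      # placeholder
HUMAN_USERS = [f"arn:aws:iam::{ACCOUNT}:user/alice"]               # placeholder


def build_trust_policy(automation_roles, human_users):
    """Trust policy for a sensitive-data role: named automation roles may
    assume it directly; named human users may assume it only with MFA."""
    statements = []
    if automation_roles:
        statements.append({
            "Sid": "AutomationRolesMayAssume",
            "Effect": "Allow",
            "Principal": {"AWS": list(automation_roles)},
            "Action": "sts:AssumeRole",
        })
    if human_users:
        statements.append({
            "Sid": "HumansMayAssumeWithMfa",
            "Effect": "Allow",
            "Principal": {"AWS": list(human_users)},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return values if isinstance(values, list) else [values]


def lint_trust_policy(policy, own_account):
    """Review findings for trust relationships broader than 'these specific
    principals may assume this role'. An empty list means nothing to flag."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(not a.startswith("sts:AssumeRole") for a in actions):
            findings.append(f"{sid}: action {actions} is broader than sts:AssumeRole*")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        for arn in _principals(stmt):
            if arn == "*":
                findings.append(f"{sid}: wildcard principal, any AWS identity may assume")
            elif arn.endswith(":root"):
                findings.append(f"{sid}: {arn} trusts a whole account, not a specific role")
            elif f":{own_account}:" not in arn:
                findings.append(f"{sid}: cross-account principal {arn} (confirm intended)")
            if ":user/" in arn and mfa != "true":
                findings.append(f"{sid}: human principal {arn} can assume without MFA")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy([AUTOMATION_ROLE], HUMAN_USERS)
    print(json.dumps(policy, indent=2))
    print(lint_trust_policy(policy, ACCOUNT))  # []
```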
Question 16
A company wants to ensure that all API requests to AWS services are logged for auditing and troubleshooting purposes. Which AWS service provides this capability?
A) AWS CloudTrail
B) AWS Config
C) Amazon GuardDuty
D) AWS Security Hub
Answer: A) AWS CloudTrail
Explanation:
AWS CloudTrail is a service designed to log all API activity within an AWS account. It records every action made by users, roles, and services, including who made the request, the source IP address, and the timestamp. This provides a comprehensive audit trail for compliance, forensic investigation, and operational troubleshooting. CloudTrail supports multi-region logging, enabling organizations to capture activity across all regions in a centralized S3 bucket. Logs can also be integrated with CloudWatch for real-time monitoring and alerting, allowing rapid detection of suspicious activity or misconfigurations.
AWS Config tracks changes in resource configurations and evaluates them against compliance rules. While it can detect unauthorized configuration changes, it does not provide a complete record of every API request, making it unsuitable for comprehensive auditing of all actions.
Amazon GuardDuty is primarily a threat detection service. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect anomalies and potential security threats. GuardDuty provides alerts for suspicious activity but does not itself log all API requests for auditing purposes.
AWS Security Hub aggregates findings from multiple security services, including GuardDuty, Macie, and Inspector. It provides a centralized view of security posture and compliance but does not perform raw API logging. Security Hub relies on other services for the underlying audit data.
CloudTrail is the correct solution because it provides complete visibility into all API calls across AWS accounts, supports auditing and compliance, integrates with monitoring tools, and enables forensic analysis. It ensures organizations can track, investigate, and respond to operational and security events with confidence.
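As an added example (not from the original page), a few detection rules of the kind a SOC would run over delivered CloudTrail log files: root credential use, console login without MFA, tampering with the trail itself, and a burst of AccessDenied errors from one principal. The log file below is constructed in the {"Records": [...]} shape CloudTrail writes to S3; the account ID, user names and IP address are hypothetical.

```python
"""Detection rules run over a CloudTrail log file.

Added example, not from the page. SAMPLE_LOG_FILE is constructed; the
account ID, principals and IP address are hypothetical.
"""
import json
from collections import Counter

ACCOUNT = "111111111111"  # hypothetical account


def _record(event_source, event_name, identity, **extra):
    base = {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
            "eventSource": event_source, "eventName": event_name,
            "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
            "userIdentity": identity}
    base.update(extra)
    return base


ROOT = {"type": "Root", "principalId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accountId": ACCOUNT, "userName": "alice"}
BOB = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob", "accountId": ACCOUNT, "userName": "bob"}
CI_ROLE = {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-42", "accountId": ACCOUNT}

# Constructed sample log file (not real data).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _record("signin.amazonaws.com", "ConsoleLogin", ROOT,
            additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _record("cloudtrail.amazonaws.com", "StopLogging", ALICE, requestParameters={"name": "org-trail"}),
    _record("iam.amazonaws.com", "ListUsers", BOB, errorCode="AccessDenied"),
    _record("iam.amazonaws.com", "ListRoles", BOB, errorCode="AccessDenied"),
    _record("s3.amazonaws.com", "ListBuckets", BOB, errorCode="AccessDenied"),
    _record("ec2.amazonaws.com", "DescribeInstances", CI_ROLE),
]})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect_suspicious_activity(log_file_text, denied_threshold=3):
    """Return (rule, principal_arn, detail) findings for one CloudTrail log file."""
    findings = []
    denied = Counter()
    for rec in json.loads(log_file_text)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        name = rec.get("eventName", "")
        # Root credentials should never be used for day-to-day work.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", who, name))
        # A console login that succeeded without a second factor.
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", who, rec.get("sourceIPAddress")))
        # Attackers disable or narrow the trail before acting; the call itself is still logged.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("CLOUDTRAIL_TAMPERING", who, name))
        # Repeated AccessDenied from one principal suggests enumeration with stolen credentials.
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("ACCESS_DENIED_BURST", who, count))
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_activity(SAMPLE_LOG_FILE):
        print(*finding)
```

In production the same rules are usually expressed as CloudWatch Logs metric filters or EventBridge rules on the trail's events; running them as plain code over the S3-delivered files is the offline equivalent used during an investigation.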
Question 17
A company wants to prevent accidental deletion of critical S3 buckets while ensuring authorized users can still perform operations. Which approach achieves this?
A) Enable S3 versioning and MFA delete
B) Use IAM policies to deny all delete operations
C) Disable bucket deletion from the console
D) Enable public access block
Answer: A) Enable S3 versioning and MFA delete
Explanation:
Enabling S3 versioning retains every prior version of an object when it is overwritten or deleted; a delete request without a version ID only inserts a delete marker, which can be removed to restore the object. MFA delete adds a second factor on top of that: once enabled, permanently deleting an object version or changing the bucket's versioning state requires a valid MFA code supplied with the request (the x-amz-mfa header). Because a bucket cannot be deleted while it still holds object versions, this also protects the bucket itself. MFA delete depends on versioning, can only be enabled by the root user of the bucket-owning account, and is set through the PutBucketVersioning API or CLI rather than the console. Ordinary reads, writes and non-permanent deletes keep working, so authorized users are not blocked from daily operations.
Using IAM policies to deny all delete operations is too restrictive. While it prevents accidental deletions, it also blocks legitimate administrative operations, reducing flexibility and potentially impacting operational efficiency.
Disabling bucket deletion from the console is a UI-level restriction and does not prevent deletions via APIs, CLI, or SDKs. It is not a robust method for ensuring data protection across all access points.
Enabling S3 Block Public Access prevents ACLs and bucket policies from granting public access, but it does not control deletion actions. It only restricts anonymous and public access from outside the account, providing no protection against accidental or malicious deletions by authorized users.
S3 versioning combined with MFA delete is correct because it provides both protection against accidental deletions and ensures that destructive actions are performed only by authorized users with MFA. It balances security and operational flexibility, aligning with AWS best practices for protecting critical data.
Question 18
A company wants to centrally enforce and audit the use of KMS keys for encrypting data in multiple AWS accounts. Which solution provides this capability?
A) Use AWS Organizations with KMS key policies and CloudTrail logging
B) Enable SSE-S3 on all buckets without monitoring
C) Use client-side encryption only
D) Allow all IAM users to create and manage keys
Answer: A) Use AWS Organizations with KMS key policies and CloudTrail logging
Explanation:
AWS Organizations allows centralized management of multiple AWS accounts. A KMS key policy is always written per key in the account that owns it, so Organizations does not author key policies directly; it supplies the controls around them: Service Control Policies that deny dangerous actions such as kms:ScheduleKeyDeletion, kms:DisableKey or kms:PutKeyPolicy to everyone except a designated security role, and the aws:PrincipalOrgID condition key, which lets a key policy grant use to every account in the organization without listing them individually. Every KMS API call (Encrypt, Decrypt, GenerateDataKey and key administration) is recorded by CloudTrail, and an organization trail delivers those records from all member accounts to one central bucket, giving auditable evidence of who used which key and when. Together this enforces consistent encryption policy, segregation of duties between key administrators and key users, and traceability across accounts.
Enabling SSE-S3 on all buckets provides encryption at rest but uses Amazon-managed keys, giving limited control over key access, rotation, and auditing. This approach does not provide centralized policy enforcement across accounts.
Client-side encryption places the responsibility of key management on end users or applications. While it protects data, it is difficult to enforce, monitor, or audit consistently across multiple accounts, creating operational and compliance challenges.
Allowing all IAM users to create and manage keys undermines security. It increases the risk of mismanagement, unauthorized access, and compliance violations. Centralized control is necessary to maintain consistent and auditable key usage.
Using AWS Organizations with KMS key policies and CloudTrail logging is correct because it provides centralized enforcement, auditable key usage, and cross-account compliance monitoring, ensuring secure and standardized management of encryption keys.
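As an added example (not from the original page), a static audit of a KMS key policy for the organization-wide pattern described above, together with the corrected policy it is checked against. The organization ID, account IDs and statement Sids are hypothetical. The audit encodes two rules: a statement that grants key use to "*" or to another account must be pinned with aws:PrincipalOrgID, and kms:* must never be granted outside the key's own account (the root-account kms:* statement is the normal delegation to that account's IAM policies).

```python
"""Static audit of a KMS key policy meant for use across an organization.

Added example, not from the page. ORG_ID, account IDs and Sids are hypothetical.
"""

ORG_ID = "o-a1b2c3d4e5"        # hypothetical organization ID
KEY_ACCOUNT = "111111111111"   # account that owns the key (hypothetical)
KEY_USE = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """arn:aws:iam::123456789012:role/X -> '123456789012'."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def audit_key_policy(policy, key_account=KEY_ACCOUNT, org_id=ORG_ID):
    """Return (Sid, problem) tuples for Allow statements that open the key too widely."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        actions = _as_list(stmt.get("Action", []))
        pinned_to_org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID") == org_id
        for p in principals:
            if p == "*":
                if not pinned_to_org:
                    findings.append((sid, "Principal * without aws:PrincipalOrgID condition"))
            elif _account_of(p) != key_account:
                if not pinned_to_org:
                    findings.append((sid, f"cross-account principal {p} without aws:PrincipalOrgID"))
                if "kms:*" in actions:
                    findings.append((sid, f"kms:* (including ScheduleKeyDeletion) granted to {p}"))
    return findings


def build_org_scoped_key_policy(key_account=KEY_ACCOUNT, org_id=ORG_ID):
    """Key policy usable by every account in the organization, and nobody else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{key_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseWithinOrganization", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": KEY_USE, "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}}},
    ]}


# Constructed example of a policy that is too open (hypothetical partner account).
WEAK_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAnyoneToUse", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": KEY_USE, "Resource": "*"},
    {"Sid": "AllowPartnerAccountEverything", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::333333333333:root"}, "Action": "kms:*", "Resource": "*"},
]}


if __name__ == "__main__":
    for sid, problem in audit_key_policy(WEAK_KEY_POLICY):
        print(f"{sid}: {problem}")
    print("org-scoped policy findings:", audit_key_policy(build_org_scoped_key_policy()))
```

The check can be run over the output of GetKeyPolicy for every key in every account as a scheduled control; an SCP that denies kms:PutKeyPolicy to all but the security role keeps the audited state from drifting.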
Question 19
A company wants to restrict EC2 instances from sending outbound traffic to the internet except through a central proxy. Which AWS mechanism enforces this?
A) Configure VPC route tables and NAT gateways
B) Use security groups to block outbound traffic except to the proxy
C) Use network ACLs to restrict traffic
D) Deploy VPC endpoints for all services
Answer: B) Use security groups to block outbound traffic except to the proxy
Explanation:
Security groups act as stateful virtual firewalls at the instance (network interface) level. Removing the default allow-all egress rule and adding a single outbound rule that permits TCP to the proxy's listening port, with the proxy fleet's security group ID (or its CIDR) as the destination, means an instance can open connections only to the proxy, so any internet access has to pass through it. Because security groups are stateful, the proxy's replies are allowed automatically. Two caveats apply: security group rules match IP ranges and group IDs, not DNS names, so the proxy should be referenced by its security group or a stable address; and an instance with several security groups gets the union of their rules, so every attached group must be restricted.
Configuring VPC route tables and NAT gateways controls where traffic from private subnets is forwarded, but a route table cannot distinguish the proxy from any other destination once a path to the internet exists; instances on a subnet with a NAT route can reach any address directly and bypass the proxy. Removing the internet route is a sensible part of the design, but it does not by itself enforce that only the proxy is reachable.
Network ACLs operate at the subnet level and can restrict traffic but are stateless, requiring careful configuration for return traffic. They are more complex to manage and less flexible than security groups for enforcing instance-level outbound restrictions.
Deploying VPC endpoints allows private connectivity to AWS services without using the internet, but it does not restrict general internet-bound traffic. VPC endpoints are service-specific and cannot enforce centralized proxy routing for all outbound requests.
Security groups restricting outbound traffic to the proxy are correct because they enforce instance-level control, ensure all internet traffic is routed through the proxy, and simplify management while providing a stateful, auditable mechanism for outbound restrictions.
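As an added example (not from the original page), an audit that checks security group egress rules for the forced-proxy design above: a group is compliant only if its sole outbound rule is TCP to the proxy fleet's security group on the proxy port. The proxy security group ID, the port and the three sample groups are constructed; SAMPLE_GROUPS mimics the shape of `aws ec2 describe-security-groups` output so the same function can be pointed at real output.

```python
"""Audit EC2 security group egress rules for a forced-proxy design.

Added example, not from the page. PROXY_SG_ID, PROXY_PORT and SAMPLE_GROUPS
are constructed; the group dicts follow the describe-security-groups layout.
"""

PROXY_SG_ID = "sg-0123456789proxy0"  # security group attached to the proxy fleet (hypothetical)
PROXY_PORT = 3128                    # proxy listener port (hypothetical)


def _egress_rule(proto, cidrs=(), groups=(), port=None):
    rule = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g, "UserId": "111111111111"} for g in groups]}
    if port is not None:
        rule["FromPort"] = rule["ToPort"] = port
    return rule


# Constructed sample: one compliant group, the default allow-all group, and a group
# that has the proxy rule but also leaks HTTPS straight to the internet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0app0000000000001", "GroupName": "app-locked",
     "IpPermissionsEgress": [_egress_rule("tcp", groups=[PROXY_SG_ID], port=PROXY_PORT)]},
    {"GroupId": "sg-0app0000000000002", "GroupName": "app-default",
     "IpPermissionsEgress": [_egress_rule("-1", cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-0app0000000000003", "GroupName": "app-leaky",
     "IpPermissionsEgress": [_egress_rule("tcp", groups=[PROXY_SG_ID], port=PROXY_PORT),
                             _egress_rule("tcp", cidrs=["0.0.0.0/0"], port=443)]},
]


def _is_proxy_only(rule):
    """True only for 'TCP to the proxy security group on the proxy port' and nothing else."""
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort") == PROXY_PORT and rule.get("ToPort") == PROXY_PORT
            and not rule["IpRanges"] and not rule["Ipv6Ranges"]
            and [p["GroupId"] for p in rule["UserIdGroupPairs"]] == [PROXY_SG_ID])


def audit_egress(groups):
    """Map GroupId -> descriptions of egress rules that let an instance bypass the proxy."""
    findings = {}
    for group in groups:
        bad = []
        for rule in group["IpPermissionsEgress"]:
            if _is_proxy_only(rule):
                continue
            proto = "all" if rule["IpProtocol"] == "-1" else rule["IpProtocol"]
            port = "any" if "FromPort" not in rule else f"{rule['FromPort']}-{rule['ToPort']}"
            targets = ([r["CidrIp"] for r in rule["IpRanges"]]
                       + [r["CidrIpv6"] for r in rule["Ipv6Ranges"]]
                       + [p["GroupId"] for p in rule["UserIdGroupPairs"]])
            bad.append(f"{proto}/{port} to {', '.join(targets)}")
        if bad:
            findings[group["GroupId"]] = bad
    return findings


if __name__ == "__main__":
    for group_id, rules in audit_egress(SAMPLE_GROUPS).items():
        print(group_id, rules)
```

Referencing the proxy by its security group ID rather than by IP keeps the rule valid as proxy instances are replaced or scaled; the audit would also need to cover every group attached to each instance, since an instance receives the union of its groups' rules.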
Question 20
A company needs to detect sensitive data such as PII in S3 buckets and automatically generate alerts when it is accessed inappropriately. Which service is most suitable?
A) Amazon Macie
B) AWS Config
C) Amazon GuardDuty
D) AWS CloudTrail
Answer: A) Amazon Macie
Explanation:
Amazon Macie uses machine learning and pattern matching to discover and classify sensitive data stored in S3, such as personally identifiable information (PII), financial data and credentials, through managed and custom data identifiers. It also evaluates each bucket's security posture and raises findings when a bucket holding sensitive data is publicly accessible, unencrypted or shared outside the organization; findings are delivered to EventBridge and Security Hub so alerts and automated responses can be triggered. This gives organizations actionable intelligence to protect sensitive information and comply with data privacy regulations such as GDPR and HIPAA. Note that alerting on anomalous access to individual objects was a feature of the original Macie (Macie Classic), which has since been retired; in the current service that detection comes from GuardDuty's S3 protection, which analyzes CloudTrail S3 data events, while Macie supplies the knowledge of which buckets contain PII.
AWS Config tracks configuration changes and evaluates compliance rules but does not analyze the content of S3 objects or detect sensitive data exposure. It is more suitable for auditing and compliance of infrastructure configurations.
Amazon GuardDuty detects suspicious activity, compromised credentials and network anomalies; its S3 protection can flag unusual access to buckets, but it has no knowledge of object content and therefore cannot tell whether the data accessed contains PII.
AWS CloudTrail logs API calls and user actions for auditing purposes but does not classify or monitor sensitive data. While CloudTrail can be integrated with Macie or other tools for analysis, it cannot provide automatic detection of PII or alerting on risky access by itself.
Amazon Macie is correct because it combines data classification, continuous monitoring of bucket posture, and automated findings, allowing organizations to detect, protect, and respond to potential misuse of sensitive data in S3 efficiently.