Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 2 Q21-40
Question 21
A company wants to centrally manage AWS CloudTrail logs from multiple accounts and regions for audit purposes. Which AWS service combination is best suited for this requirement?
A) AWS CloudTrail with an S3 bucket and AWS Organizations
B) AWS Config with CloudWatch Logs
C) Amazon GuardDuty with Security Hub
D) AWS KMS with IAM policies
Answer: A) AWS CloudTrail with an S3 bucket and AWS Organizations
Explanation:
AWS CloudTrail provides a detailed record of API calls and activities performed across AWS accounts. By enabling multi-region CloudTrail logging, the company ensures that all events, including global services and region-specific actions, are captured consistently. Using AWS Organizations allows centralized management of multiple accounts, enabling the deployment of organizational trails that automatically apply CloudTrail logging settings across all member accounts. This reduces administrative overhead and ensures a standardized approach to auditing across the organization.
Storing CloudTrail logs in an S3 bucket provides a secure, durable, and scalable storage solution. The bucket can be configured with access policies and lifecycle rules to protect logs from accidental deletion or tampering. For additional security, the bucket can be encrypted using SSE-KMS, ensuring that sensitive audit data is protected at rest. CloudTrail logs in S3 can also be integrated with Amazon Athena or Amazon OpenSearch for querying and analysis, providing insights into account activity and potential security incidents.
AWS Config focuses on tracking configuration changes and assessing compliance with policies. While Config can provide some insights into resource configurations and generate alerts when non-compliance occurs, it does not provide a complete log of all API activities and cannot replace CloudTrail for audit purposes. Config is better suited for compliance tracking and resource monitoring rather than comprehensive activity logging.
Amazon GuardDuty detects threats such as unauthorized access or unusual network activity, and AWS Security Hub aggregates security findings across multiple services. While these services are essential for security monitoring, they do not provide full historical records of all API calls for auditing purposes. They are designed for proactive detection and reporting of security threats, not for retaining a complete and queryable audit trail.
AWS KMS provides encryption key management but does not handle logging or centralized auditing of activities. IAM policies can control access to resources, including CloudTrail logs, but they do not provide logging capabilities themselves.
The combination of CloudTrail with S3 and AWS Organizations is the correct solution because it enables the company to centrally manage logs across multiple accounts, ensures consistent multi-region coverage, provides secure and durable storage, supports querying and analysis for audits, and facilitates regulatory compliance. This setup allows security and compliance teams to have a consolidated, tamper-resistant view of all account activity, simplifies the deployment across multiple accounts, and provides a foundation for automated monitoring and reporting.
Question 22
A company wants to restrict access to sensitive DynamoDB tables based on a user’s identity and the network location from which the request originates. Which solution achieves this requirement?
A) Use IAM policies with condition keys and VPC endpoints
B) Enable encryption on the DynamoDB table
C) Apply a Security Group to the DynamoDB table
D) Use AWS KMS to restrict key usage
Answer: A) Use IAM policies with condition keys and VPC endpoints
Explanation:
IAM policies provide fine-grained access control to AWS resources, including DynamoDB tables. Condition keys allow the organization to define additional restrictions based on attributes such as source IP addresses, VPC endpoints, and request context. By leveraging these condition keys, the company can ensure that only requests originating from approved networks or specific VPC endpoints are allowed to access the tables. This approach adheres to the principle of least privilege and enhances security by combining identity-based and network-based restrictions.
VPC endpoints enable private connectivity to AWS services without traversing the internet. By requiring requests to use specific VPC endpoints, traffic is contained within the AWS network, reducing exposure to external threats. When combined with IAM conditions, VPC endpoints help enforce strict access controls that consider both user identity and network location.
Encrypting the DynamoDB table using SSE-KMS protects data at rest but does not control who can access the table or restrict network origins. Encryption alone cannot enforce access policies or prevent unauthorized queries.
Security groups operate at the instance or network interface level and cannot be applied directly to DynamoDB tables. They cannot enforce identity-based access or control access from specific users or roles. Security groups only control inbound and outbound traffic to compute resources.
AWS KMS can enforce which users or roles can use encryption keys, but it does not restrict who can query or write to DynamoDB tables. Key policies only control access to the encryption mechanism, not the database itself.
Using IAM policies with condition keys and VPC endpoints is the correct solution because it provides a combination of identity-based and network-based controls. This approach ensures that only authorized users from specific networks can access sensitive tables, enforces least-privilege access, integrates with existing VPC infrastructure, supports auditing through CloudTrail, and reduces the risk of unauthorized access. It provides both security and operational flexibility for controlling access to critical data.
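To make the identity-plus-network control concrete, here is an added example (not from the exam material or AWS) that writes the two-statement policy the explanation describes and runs a minimal evaluator over constructed request contexts; the table ARN, VPC endpoint ID and CIDR are placeholders.

```python
"""Minimal IAM policy evaluator for identity- plus network-based restrictions on a
DynamoDB table (added example, not AWS code). It models only what is needed here:
explicit Deny beats Allow, unmatched requests are implicitly denied, operators in one
Condition block are ANDed, and the negated operators (StringNotEquals, NotIpAddress)
match when the key is absent from the request context."""
import fnmatch
import ipaddress
import json

# Placeholder identifiers constructed for this example (not from the page).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/SensitiveTable"
APPROVED_VPCE = "vpce-0123456789abcdef0"
CORPORATE_CIDR = "203.0.113.0/24"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadSensitiveTable", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": TABLE_ARN},
        # Deny every DynamoDB call on the table unless it arrives through the approved
        # VPC endpoint or from the corporate CIDR. The two operators share one Condition
        # block, so the Deny applies only when the request matches neither path.
        {"Sid": "DenyOutsideApprovedNetworks", "Effect": "Deny",
         "Action": "dynamodb:*", "Resource": TABLE_ARN,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": APPROVED_VPCE},
                       "NotIpAddress": {"aws:SourceIp": CORPORATE_CIDR}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_matches(operator, key, expected, context):
    """Evaluate one operator/key pair; negated operators are true for a missing key."""
    actual, expected = context.get(key), _as_list(expected)
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        return actual is None or actual not in expected
    if operator == "IpAddress":
        return actual is not None and _ip_in_any(actual, expected)
    if operator == "NotIpAddress":
        return actual is None or not _ip_in_any(actual, expected)
    raise ValueError(f"operator not modelled: {operator}")

def _statement_applies(stmt, context):
    """Action and Resource must match (wildcards allowed) and every condition must hold."""
    if not any(fnmatch.fnmatchcase(context["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(context["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, key, exp, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())

def evaluate(policy, context):
    """Return "Allow" or "Deny" for a request context such as
    {"action": "dynamodb:GetItem", "resource": TABLE_ARN, "aws:SourceIp": "203.0.113.5"}."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision

# Constructed request contexts. A call through a VPC endpoint carries aws:SourceVpce
# and no public aws:SourceIp; a call over the internet carries only aws:SourceIp.
VIA_APPROVED_VPCE = {"action": "dynamodb:GetItem", "resource": TABLE_ARN,
                     "aws:SourceVpce": APPROVED_VPCE}
FROM_CORPORATE_IP = {"action": "dynamodb:Query", "resource": TABLE_ARN,
                     "aws:SourceIp": "203.0.113.25"}
FROM_UNKNOWN_IP = {"action": "dynamodb:GetItem", "resource": TABLE_ARN,
                   "aws:SourceIp": "198.51.100.7"}
WRITE_VIA_VPCE = {"action": "dynamodb:PutItem", "resource": TABLE_ARN,
                  "aws:SourceVpce": APPROVED_VPCE}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, ctx in [("via approved VPCE", VIA_APPROVED_VPCE), ("from corporate IP", FROM_CORPORATE_IP),
                      ("from unknown IP", FROM_UNKNOWN_IP), ("PutItem via VPCE", WRITE_VIA_VPCE)]:
        print(f"{name:18s} -> {evaluate(POLICY, ctx)}")
```

The last case shows why the Allow statement still matters: a write through the approved endpoint is not explicitly denied, but it is still implicitly denied because nothing allows it.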
Question 23
A company wants to ensure that all AWS Lambda functions handling sensitive data have the necessary permissions to access encrypted secrets securely. Which combination of services achieves this?
A) AWS Secrets Manager with IAM roles
B) IAM users with long-term access keys
C) Storing secrets in S3 with SSE-S3
D) Using environment variables without encryption
Answer: A) AWS Secrets Manager with IAM roles
Explanation:
AWS Secrets Manager allows secure storage of sensitive information, such as database credentials, API keys, and tokens. Secrets are encrypted at rest using AWS KMS, and Secrets Manager automatically rotates credentials if configured. This reduces operational overhead and prevents hardcoding of secrets in code or environment variables.
IAM roles provide temporary credentials for Lambda functions, which are assumed at runtime. By granting a Lambda function permission to access specific secrets in Secrets Manager through its execution role, the function can retrieve secrets securely without embedding credentials. The combination of Secrets Manager and IAM roles ensures that secrets are accessed in a controlled, auditable, and secure manner.
Using IAM users with long-term access keys is insecure because credentials could be compromised or misused. Hardcoding such credentials in Lambda functions violates security best practices and does not provide automated rotation or centralized access control.
Storing secrets in S3 with SSE-S3 encrypts data at rest but does not provide rotation, fine-grained access policies, or auditing. Accessing secrets from S3 would require embedding credentials or using IAM roles with additional policies, which adds complexity and potential security risks.
Using unencrypted environment variables exposes secrets to anyone who has access to view Lambda configuration, which is a major security risk. Environment variables do not provide automatic rotation or auditing.
AWS Secrets Manager with IAM roles is the correct solution because it combines secure storage, encryption, automated rotation, fine-grained access control, and auditability. Lambda functions can access secrets only when needed, minimizing exposure, adhering to least-privilege principles, and maintaining compliance with regulatory requirements for sensitive data.
Question 24
A company wants to prevent unauthorized access to an S3 bucket while allowing only specific AWS accounts to read objects. Which approach is most effective?
A) Use a bucket policy specifying allowed AWS account IDs
B) Enable SSE-S3 encryption
C) Apply a security group to the S3 bucket
D) Enable versioning on the S3 bucket
Answer: A) Use a bucket policy specifying allowed AWS account IDs
Explanation:
Bucket policies are designed to control access at the bucket and object level. By specifying allowed AWS account IDs, the company can ensure that only users or roles from those accounts can access objects in the bucket. Policies can also restrict actions such as read, write, or delete, providing fine-grained control. Combined with logging and CloudTrail integration, this setup allows monitoring of access attempts and auditability, supporting compliance and governance requirements.
Enabling SSE-S3 encryption protects objects at rest but does not control who can access the data. Anyone with appropriate permissions could still read encrypted objects if they have access to the bucket. Encryption alone does not prevent unauthorized access.
Security groups apply to EC2 instances or network interfaces and cannot be applied to S3 buckets, which are managed services. Security groups cannot enforce account-level permissions for S3 access.
Enabling versioning helps recover previous object versions in case of accidental deletion or overwrites, but does not control access. Versioning only affects data retention and recovery, not authorization.
Using a bucket policy specifying allowed AWS account IDs is correct because it provides explicit control over which accounts can access the bucket, enforces least-privilege access, integrates with auditing mechanisms, and ensures compliance with security policies.
Question 25
A company wants to detect when EC2 instances are exposed to the public internet unintentionally and generate automated alerts. Which service combination achieves this?
A) AWS Config rules and Amazon SNS
B) Amazon GuardDuty only
C) Security groups only
D) AWS CloudTrail with IAM policies
Answer: A) AWS Config rules and Amazon SNS
Explanation:
AWS Config can continuously evaluate the configuration of AWS resources against pre-defined rules. For EC2 instances, Config rules can check whether instances have public IP addresses, are attached to public subnets, or have overly permissive security groups. If a rule detects non-compliant resources, it triggers an alert.
Amazon SNS (Simple Notification Service) can be integrated with AWS Config to send real-time notifications to administrators via email, SMS, or other endpoints. This ensures rapid response to exposure incidents, reducing security risk.
Amazon GuardDuty detects threats such as compromised credentials, unusual API calls, and network anomalies. While it can provide alerts if malicious activity is detected on publicly exposed instances, it does not proactively evaluate all instances for public exposure as a configuration issue.
Security groups control traffic at the instance level but require manual review to identify misconfigurations. They do not generate automated alerts or track compliance over time.
AWS CloudTrail logs API activity and IAM actions, but does not provide proactive detection or alerts for EC2 instances exposed to the public. CloudTrail is reactive and requires additional tools for real-time monitoring.
AWS Config rules with SNS is correct because it allows proactive, automated detection of public exposure for EC2 instances, integrates with alerting mechanisms for immediate notifications, supports auditing, and enables enforcement of security policies across the environment.
Question 26
A company wants to enforce encryption for all RDS snapshots while allowing automated backups. Which AWS configuration ensures this requirement?
A) Enable RDS encryption with AWS KMS and require encrypted snapshots
B) Use IAM policies to deny unencrypted backups
C) Encrypt snapshots manually after creation
D) Rely on default RDS encryption
Answer: A) Enable RDS encryption with AWS KMS and require encrypted snapshots
Explanation:
Enabling RDS encryption using AWS KMS ensures that all data stored in RDS, including snapshots and automated backups, is encrypted at rest. When encryption is enabled, every snapshot created from the instance inherits the encryption automatically. Using customer-managed KMS keys allows fine-grained access control, audit logging through CloudTrail, and rotation policies to maintain regulatory compliance. This ensures consistent encryption across all snapshots and backup activities without manual intervention.
Using IAM policies to deny unencrypted backups may prevent unauthorized snapshots but does not automatically enforce encryption at the storage level. Users could attempt workarounds, and it adds operational complexity because each snapshot request would need to be evaluated against policies.
Manually encrypting snapshots after creation introduces the risk of human error, delays, and inconsistent compliance. It is not feasible for large environments with frequent automated backups, as it creates operational overhead and leaves a time window where snapshots may exist unencrypted.
Relying on default RDS encryption is insufficient if customer-managed KMS keys are required for regulatory compliance or auditing. AWS-managed keys provide encryption but do not offer the same level of control, auditability, or rotation flexibility as KMS keys.
Enabling RDS encryption with AWS KMS and enforcing encrypted snapshots is the correct solution because it guarantees that all automated and manual snapshots are encrypted, integrates with monitoring and auditing, supports centralized key management, and reduces operational risk while ensuring compliance. This approach adheres to security best practices by providing consistent, automated encryption for sensitive data.
Question 27
A company wants to centrally manage and enforce Service Control Policies (SCPs) across all AWS accounts to prevent accidental use of high-risk services. Which service should they use?
A) AWS Organizations
B) AWS Config
C) AWS IAM
D) AWS Security Hub
Answer: A) AWS Organizations
Explanation:
AWS Organizations allows the creation of multiple AWS accounts under a single management hierarchy. Within Organizations, Service Control Policies (SCPs) can be applied at the organization root, organizational unit, or account level to enforce permission boundaries. SCPs do not grant permissions themselves but restrict the maximum permissions available to IAM users and roles in the accounts. By centrally applying SCPs, the organization can prevent accidental use of high-risk services, such as deleting critical resources or deploying unapproved services.
AWS Config is focused on tracking configuration changes and compliance but does not enforce account-level permissions or provide mechanisms to block services across accounts. It is useful for auditing and compliance but not for restricting access proactively.
AWS IAM manages users, groups, and roles within an individual account. While IAM can enforce permissions at the account level, it cannot centrally apply policies across multiple accounts. Managing IAM policies individually for multiple accounts increases administrative overhead and risks inconsistencies.
AWS Security Hub aggregates security findings from various AWS services to provide visibility into the security posture but does not enforce access controls or SCPs. It serves as a monitoring and reporting tool, not a preventive control mechanism.
AWS Organizations is correct because it provides a centralized mechanism to manage multiple accounts, enforce preventive security controls through SCPs, reduce administrative complexity, and ensure that high-risk services are restricted consistently across all accounts. This setup supports compliance and reduces the risk of accidental or unauthorized resource usage.
Question 28
A company needs to automatically remediate non-compliant S3 buckets that allow public access. Which AWS service combination is most suitable?
A) AWS Config with AWS Systems Manager Automation
B) Amazon GuardDuty with CloudTrail
C) IAM policies with manual review
D) AWS KMS with bucket policies
Answer: A) AWS Config with AWS Systems Manager Automation
Explanation:
AWS Config can continuously monitor S3 bucket configurations against compliance rules. Config rules such as “s3-bucket-public-read-prohibited” or “s3-bucket-public-write-prohibited” can detect buckets that allow public access. When a bucket is non-compliant, AWS Config can trigger remediation actions through AWS Systems Manager Automation, which executes predefined steps to bring the resource back into compliance, such as modifying the bucket ACL or removing public policies. This automated approach ensures continuous compliance without manual intervention, reduces operational risk, and supports auditing requirements.
Amazon GuardDuty detects anomalous or suspicious activity in AWS environments, such as unauthorized access attempts, compromised credentials, or unusual API calls. However, GuardDuty does not proactively monitor resource configurations or remediate misconfigured S3 buckets. It is a detection tool, not an enforcement mechanism.
IAM policies can restrict actions on buckets, but manual review is still required to identify misconfigured buckets and apply corrections. This approach is prone to human error, is resource-intensive, and does not support automated remediation.
AWS KMS can encrypt bucket contents but does not provide visibility or remediation for public access. Bucket policies alone can enforce access restrictions but require manual management and do not provide monitoring or automated detection of non-compliance.
AWS Config combined with AWS Systems Manager Automation is correct because it allows automated detection and remediation of misconfigured S3 buckets, enforces continuous compliance, reduces human error, and integrates with auditing and reporting tools for full visibility into security posture.
Question 29
A company wants to enforce MFA for all privileged IAM users and log all authentication attempts for auditing. Which combination of AWS services achieves this?
A) IAM with MFA enabled and CloudTrail logging
B) Security groups with MFA enforcement
C) AWS KMS with logging enabled
D) S3 bucket policies with MFA required
Answer: A) IAM with MFA enabled and CloudTrail logging
Explanation:
IAM supports enabling MFA for IAM users. MFA requires users to provide a second authentication factor, such as a virtual or hardware token, when performing privileged actions. This protects sensitive resources from unauthorized access even if credentials are compromised. Enabling MFA for all privileged users ensures that high-risk operations are secured according to AWS best practices.
CloudTrail records all API calls, including login attempts, MFA authentication events, and privileged actions performed by users. By logging authentication attempts, CloudTrail provides an auditable trail that can be used for compliance reporting, forensic investigation, and monitoring suspicious activity. CloudTrail logs can also trigger alerts via CloudWatch or SNS when unauthorized access attempts are detected.
Security groups control network traffic and cannot enforce authentication mechanisms like MFA. They are network-level controls, not identity-level security measures.
AWS KMS provides encryption key management and access control for keys but does not enforce MFA or log user authentication attempts. While KMS key usage is logged in CloudTrail, it only captures actions related to encryption, not general IAM user authentication.
S3 bucket policies can require MFA for certain operations, such as object deletion, but they only control specific bucket-level actions and do not enforce MFA for general privileged IAM user actions across AWS accounts.
IAM with MFA enabled combined with CloudTrail logging is correct because it secures privileged accounts with multi-factor authentication, records authentication events, provides auditability, supports compliance, and allows detection and investigation of unauthorized access attempts.
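The CloudTrail log objects that an organization trail delivers to the central S3 bucket (Question 21) are the same records that carry the authentication events Question 29 relies on. The following added example (not from the exam material or AWS) parses one such gzip-compressed object, summarizes activity per member account and region, and flags successful console logins made without MFA; the account IDs, user names and IP addresses are constructed sample data.

```python
"""Parse CloudTrail log objects as delivered to the central S3 bucket and audit
console authentication events for MFA use (added example; constructed sample records).

CloudTrail writes gzip-compressed JSON objects whose top-level "Records" array holds
one event per API call. recipientAccountId and awsRegion let a central bucket fed by
an organization trail be summarized per account and region."""
import gzip
import io
import json
from collections import Counter


def parse_cloudtrail_object(gz_bytes):
    """Decompress one CloudTrail log object and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def activity_by_account_region(records):
    """Count events per (recipientAccountId, awsRegion) across member accounts."""
    return Counter((r.get("recipientAccountId"), r.get("awsRegion")) for r in records)


def console_logins_without_mfa(records):
    """Return successful ConsoleLogin events where MFA was not used.

    On ConsoleLogin events additionalEventData.MFAUsed is "Yes" or "No" and
    responseElements.ConsoleLogin is "Success" or "Failure". Root and IAM-user
    logins without MFA are the findings an auditor follows up on.
    """
    findings = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        success = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if success and not mfa_used:
            ident = r.get("userIdentity", {})
            findings.append({
                "account": r.get("recipientAccountId"),
                "principal": ident.get("userName") or ident.get("arn"),
                "type": ident.get("type"),
                "sourceIp": r.get("sourceIPAddress"),
                "time": r.get("eventTime"),
            })
    return findings


def failed_login_counts(records):
    """Count failed console logins per (account, sourceIPAddress) for alerting."""
    return Counter(
        (r.get("recipientAccountId"), r.get("sourceIPAddress"))
        for r in records
        if r.get("eventName") == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def _login(account, region, user_type, name, ip, result, mfa, t):
    """Build a constructed ConsoleLogin record carrying the fields the audit uses."""
    ident = {"type": user_type, "accountId": account,
             "arn": f"arn:aws:iam::{account}:{'root' if user_type == 'Root' else 'user/' + name}"}
    if user_type != "Root":
        ident["userName"] = name
    return {"eventVersion": "1.08", "eventTime": t, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": ident, "recipientAccountId": account,
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa, "LoginTo": "https://console.aws.amazon.com/"}}


# Constructed sample log object covering two member accounts (placeholder IDs).
SAMPLE_RECORDS = [
    _login("111122223333", "us-east-1", "IAMUser", "alice", "203.0.113.10", "Success", "Yes", "2024-05-01T08:00:00Z"),
    _login("111122223333", "us-east-1", "IAMUser", "bob", "203.0.113.11", "Success", "No", "2024-05-01T08:05:00Z"),
    _login("444455556666", "eu-west-1", "Root", "", "198.51.100.9", "Success", "No", "2024-05-01T09:00:00Z"),
    _login("444455556666", "eu-west-1", "IAMUser", "carol", "198.51.100.9", "Failure", "No", "2024-05-01T09:10:00Z"),
    _login("444455556666", "eu-west-1", "IAMUser", "carol", "198.51.100.9", "Failure", "No", "2024-05-01T09:11:00Z"),
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-west-2", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333"},
     "recipientAccountId": "111122223333"},
]
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    records = parse_cloudtrail_object(SAMPLE_OBJECT)
    print(activity_by_account_region(records))
    for f in console_logins_without_mfa(records):
        print("MFA not used:", f)
    print(failed_login_counts(records))
```

In production the bytes would come from s3.get_object on the central bucket (or the same logic would run as an Athena query); the functions above are the detection logic, not the delivery mechanism.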
Question 30
A company wants to detect anomalous API activity in its AWS environment, such as unusual calls from regions the company does not operate in. Which service provides this capability?
A) Amazon GuardDuty
B) AWS CloudTrail
C) AWS Config
D) AWS Security Hub
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious or unauthorized activity. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect anomalies, such as API calls from unfamiliar geographic locations, unusual API activity for specific users or roles, or compromised credentials. GuardDuty uses machine learning, threat intelligence feeds, and anomaly detection algorithms to identify potentially harmful behavior that deviates from normal usage patterns.
AWS CloudTrail records all API calls and user activity but does not automatically detect anomalies or generate alerts. It provides raw log data that can be analyzed manually or with additional tools but lacks built-in threat detection capabilities.
AWS Config evaluates resource configurations against compliance rules and can detect misconfigurations but does not monitor API activity or detect anomalous behavior. It is focused on governance rather than security anomaly detection.
AWS Security Hub aggregates findings from services like GuardDuty, Macie, and Inspector to provide a centralized security posture overview. While it centralizes alerts, it does not independently detect anomalous activity—it relies on other detection services.
Amazon GuardDuty is correct because it proactively detects suspicious API activity, identifies threats in real time, generates actionable alerts, and integrates with CloudWatch, Security Hub, and automated remediation workflows. It provides continuous monitoring for unauthorized access and anomalous behavior, supporting security and compliance objectives.
Question 31
A company wants to ensure that all CloudTrail logs are immutable and protected from deletion or tampering. Which configuration achieves this?
A) Enable S3 Object Lock in compliance mode for the CloudTrail bucket
B) Use IAM policies to deny deletion of CloudTrail logs
C) Store logs in an unencrypted S3 bucket
D) Enable versioning without any additional protections
Answer: A) Enable S3 Object Lock in compliance mode for the CloudTrail bucket
Explanation:
S3 Object Lock allows administrators to store objects using a write-once-read-many (WORM) model. By enabling compliance mode, CloudTrail logs are protected against deletion or modification for a specified retention period. Even users with administrative privileges cannot alter or remove objects until the retention period expires. This ensures the integrity and immutability of audit logs, which is critical for regulatory compliance, forensic analysis, and long-term storage. CloudTrail logs stored with Object Lock provide strong guarantees that log data remains tamper-proof and can be used for auditing and investigation purposes without risk of modification.
Using IAM policies to deny deletion can reduce the risk of accidental deletion but is insufficient for full protection. Administrators could change or remove policies, and malicious users with sufficient privileges might bypass these restrictions. IAM policies alone do not provide the WORM-level guarantees needed for compliance-sensitive logs.
Storing logs in an unencrypted S3 bucket protects against deletion only in a limited sense. Without encryption or Object Lock, logs can still be modified or deleted by anyone with appropriate access. This approach fails to meet strict compliance requirements and exposes sensitive operational information to risk.
Enabling versioning alone allows administrators to recover previous versions of objects but does not prevent deletion or modification. Versioning helps mitigate accidental deletion but does not offer the strong tamper-proof guarantees needed for compliance audits. Malicious actors can still delete versions, and without Object Lock, there is no enforceable retention period.
Enabling S3 Object Lock in compliance mode for the CloudTrail bucket is correct because it provides a WORM model, enforces immutability for a defined retention period, protects logs from both accidental and malicious deletion, and meets regulatory requirements for audit log integrity. Combined with encryption and CloudTrail logging, this configuration ensures that log data is secure, immutable, and auditable, providing organizations with confidence in their forensic and compliance capabilities.
Question 32
A company wants to enforce that all EC2 instances launched in specific VPCs use approved AMIs. Which AWS service allows automated enforcement?
A) AWS Config with custom rules
B) Amazon GuardDuty
C) AWS CloudTrail
D) IAM roles
Answer: A) AWS Config with custom rules
Explanation:
AWS Config enables organizations to continuously evaluate resources against pre-defined or custom compliance rules. For enforcing approved AMIs, a custom Config rule can be created to validate whether EC2 instances launched in specified VPCs use approved AMI IDs. If an instance violates the rule, Config can trigger alerts, remediation actions using Systems Manager Automation, or both. This ensures continuous compliance, reduces the risk of using unapproved images, and aligns with security and operational policies.
Amazon GuardDuty is designed for threat detection rather than configuration compliance. While it detects anomalous activity, it does not enforce rules regarding AMI usage or provide automated remediation for configuration violations.
AWS CloudTrail records API calls, including EC2 launches and AMI usage, but it does not enforce compliance or provide real-time corrective actions. While CloudTrail logs can be analyzed for violations after the fact, it is a reactive solution and does not prevent misconfigurations proactively.
IAM roles can control permissions and who can launch EC2 instances, but they cannot enforce specific AMI usage or validate compliance with approved images. Permissions alone do not provide auditing or automated enforcement of configuration standards.
AWS Config with custom rules is correct because it provides automated, continuous monitoring and enforcement of approved AMI usage. It can proactively prevent non-compliant instances, trigger remediation actions, generate audit logs for compliance, and integrate with notifications to alert administrators, supporting both security and governance requirements.
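A custom Config rule is a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT back to Config. The added example below (not from the exam material or AWS) implements one rule that covers both the public-exposure check from Question 25 and the approved-AMI check for specific VPCs from Question 32; the AMI, VPC and instance IDs are placeholders, and the boto3 Config client is injected so the evaluation logic can be run offline.

```python
"""AWS Config custom rule (Lambda) that flags EC2 instances which have a public IP or
run an unapproved AMI in a watched VPC (added example; not AWS-supplied code). The
evaluation is a pure function so it can be tested offline; a boto3 Config client is
injected only when the handler runs inside Lambda."""
import json


def _param_list(rule_params, name):
    """Rule parameters arrive as strings; list-valued ones are comma-separated."""
    return [v.strip() for v in rule_params.get(name, "").split(",") if v.strip()]


def evaluate_instance(config_item, rule_params):
    """Return (compliance_type, annotation) for one AWS::EC2::Instance item.

    rule_params (strings, as Config passes them):
      approvedAmiIds - comma-separated AMI IDs allowed in the watched VPCs
      watchedVpcIds  - comma-separated VPC IDs subject to the AMI check (empty = all)
      allowPublicIp  - "true" to skip the public-IP check (default "false")
    """
    if config_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "instance deleted"
    cfg = config_item.get("configuration") or {}
    reasons = []
    public_ip = cfg.get("publicIpAddress")
    if public_ip and rule_params.get("allowPublicIp", "false").lower() != "true":
        reasons.append(f"public IP {public_ip} attached")
    approved = _param_list(rule_params, "approvedAmiIds")
    watched = _param_list(rule_params, "watchedVpcIds")
    in_scope = not watched or cfg.get("vpcId") in watched
    if in_scope and approved and cfg.get("imageId") not in approved:
        reasons.append(f"AMI {cfg.get('imageId')} not in approved list")
    if reasons:
        return "NON_COMPLIANT", "; ".join(reasons)
    return "COMPLIANT", "no public IP; AMI approved or VPC not watched"


def lambda_handler(event, context, config_client=None):
    """Entry point in the shape Config invokes it: invokingEvent and ruleParameters are
    JSON strings. Pass boto3.client("config") as config_client to report the result."""
    invoking = json.loads(event["invokingEvent"])
    rule_params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_instance(item, rule_params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample parameters and events (placeholder IDs) shaped like a Config invocation.
SAMPLE_PARAMS = {"approvedAmiIds": "ami-0aaaaaaaaaaaaaaa1,ami-0aaaaaaaaaaaaaaa2",
                 "watchedVpcIds": "vpc-0bbbbbbbbbbbbbbb1"}


def make_event(instance_id, image_id, vpc_id, public_ip=None):
    item = {"resourceType": "AWS::EC2::Instance", "resourceId": instance_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "configuration": {"imageId": image_id, "vpcId": vpc_id, "publicIpAddress": public_ip}}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps(SAMPLE_PARAMS), "resultToken": "constructed-token"}


if __name__ == "__main__":
    for ev in [make_event("i-01", "ami-0aaaaaaaaaaaaaaa1", "vpc-0bbbbbbbbbbbbbbb1"),
               make_event("i-02", "ami-0ccccccccccccccc9", "vpc-0bbbbbbbbbbbbbbb1", "203.0.113.40"),
               make_event("i-03", "ami-0ccccccccccccccc9", "vpc-0ddddddddddddddd2")]:
        print(lambda_handler(ev, None))
```

Remediation is a separate step: the NON_COMPLIANT evaluations this rule reports are what a Config remediation action hands to a Systems Manager Automation document.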
Question 33
A company wants to detect and respond to compromised IAM credentials in real time. Which service combination achieves this effectively?
A) Amazon GuardDuty with CloudWatch Events
B) AWS Config and S3 versioning
C) IAM policies with MFA enforcement only
D) AWS KMS with CloudTrail logging
Answer: A) Amazon GuardDuty with CloudWatch Events
Explanation:
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts for suspicious activity, including signs of compromised IAM credentials. It uses machine learning, anomaly detection, and threat intelligence feeds to detect unusual API calls, unauthorized access attempts, or abnormal patterns in IAM usage. GuardDuty generates findings that indicate potential compromise, such as credential misuse or access from unusual geographic locations.
By integrating GuardDuty findings with CloudWatch Events (now called EventBridge), the organization can implement automated responses to threats. CloudWatch Events can trigger Lambda functions, SNS notifications, or Systems Manager Automation workflows to remediate compromised credentials, such as revoking access keys, disabling users, or notifying security teams. This combination allows both detection and immediate automated response, reducing the window of exposure for compromised credentials.
AWS Config and S3 versioning focus on configuration compliance and data recovery, respectively. While valuable for monitoring and recovery, they do not provide real-time detection of compromised IAM credentials or automated threat response capabilities.
IAM policies with MFA enforcement enhance security by requiring additional authentication for privileged users but do not provide real-time monitoring or detection of credential compromise. MFA helps prevent misuse but does not alert administrators to actual incidents.
AWS KMS with CloudTrail logging ensures that encryption key usage is auditable, but does not provide real-time detection of compromised IAM credentials. It focuses on encryption operations rather than credential monitoring.
Amazon GuardDuty with CloudWatch Events is correct because it provides continuous detection of compromised credentials, generates actionable alerts, and enables automated remediation to minimize risk. This proactive approach ensures that credential compromises are detected quickly and mitigated effectively.
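The response side of this pairing is a Lambda function that EventBridge invokes with the GuardDuty finding as its event. The added example below (not from the exam material or AWS) decides on and executes the containment the explanation mentions, deactivating the access key of an IAM user on a high-severity credential finding and only notifying for everything else; the finding, account, key and topic identifiers are constructed placeholders, and the boto3 IAM and SNS clients are injected so the decision logic runs offline.

```python
"""EventBridge-triggered responder for GuardDuty findings about IAM credentials (added
example; not AWS code). plan_response is pure and runs offline on a constructed
finding; lambda_handler executes the plan only when boto3 clients are injected
(iam=boto3.client("iam"), sns=boto3.client("sns"))."""
import json

SEVERITY_THRESHOLD = 7.0  # GuardDuty severity 7.0-8.9 is "High"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-alerts"  # placeholder


def plan_response(event):
    """Decide what to do with one GuardDuty finding delivered by EventBridge.

    Only findings whose resource is an AccessKey held by an IAM user are contained
    automatically; root and assumed-role credentials are escalated to people. The key
    is deactivated rather than deleted so the evidence survives and a legitimate user
    can be restored quickly if the finding proves benign.
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return {"actions": ["ignore"], "reason": "not a GuardDuty finding"}
    d = event["detail"]
    plan = {"finding_id": d.get("id"), "type": d.get("type"),
            "severity": d.get("severity", 0), "actions": ["notify"]}
    if d.get("resource", {}).get("resourceType") != "AccessKey":
        plan["reason"] = "resource is not an IAM access key"
        return plan
    akd = d["resource"]["accessKeyDetails"]
    plan.update({"user_name": akd.get("userName"), "user_type": akd.get("userType"),
                 "access_key_id": akd.get("accessKeyId")})
    remote = (d.get("service", {}).get("action", {}).get("awsApiCallAction", {})
              .get("remoteIpDetails", {}))
    plan["remote_ip"] = remote.get("ipAddressV4")
    plan["country"] = remote.get("country", {}).get("countryName")
    if akd.get("userType") != "IAMUser":
        plan["reason"] = f"{akd.get('userType')} credentials need manual review"
        return plan
    if plan["severity"] >= SEVERITY_THRESHOLD:
        plan["actions"].append("deactivate_access_key")
        plan["reason"] = "high-severity finding on IAM user access key"
    else:
        plan["reason"] = "below containment threshold"
    return plan


def lambda_handler(event, context, iam=None, sns=None):
    """Execute the plan with injected boto3 clients and return it for logging."""
    plan = plan_response(event)
    if "deactivate_access_key" in plan["actions"] and iam is not None:
        iam.update_access_key(UserName=plan["user_name"],
                              AccessKeyId=plan["access_key_id"], Status="Inactive")
    if "notify" in plan["actions"] and sns is not None:
        sns.publish(TopicArn=SNS_TOPIC_ARN, Subject="GuardDuty credential finding",
                    Message=json.dumps(plan, indent=2))
    return plan


def sample_finding(severity, user_type="IAMUser", user_name="deploy-bot"):
    """Constructed EventBridge event in the shape GuardDuty findings arrive (placeholder IDs)."""
    return {
        "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "id": "constructed-finding-id", "severity": severity,
            "type": "CredentialAccess:IAMUser/AnomalousBehavior",
            "resource": {"resourceType": "AccessKey",
                         "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEPLACEHOLDER",
                                              "principalId": "AIDAEXAMPLEPLACEHOLDER",
                                              "userName": user_name, "userType": user_type}},
            "service": {"action": {"actionType": "AWS_API_CALL",
                                   "awsApiCallAction": {"api": "GetCallerIdentity",
                                                        "serviceName": "sts.amazonaws.com",
                                                        "remoteIpDetails": {"ipAddressV4": "198.51.100.77",
                                                                            "country": {"countryName": "Placeholderland"}}}}},
        },
    }


if __name__ == "__main__":
    for ev in (sample_finding(8.0), sample_finding(4.0), sample_finding(8.0, "Root", None)):
        print(json.dumps(lambda_handler(ev, None), indent=2))
```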
Question 34
A company wants to automatically remediate public access to S3 buckets that contain sensitive data. Which AWS service combination supports automated detection and remediation?
A) AWS Config with Systems Manager Automation
B) Amazon GuardDuty with Security Hub
C) IAM policies only
D) CloudTrail with encryption enabled
Answer: A) AWS Config with Systems Manager Automation
Explanation:
AWS Config continuously monitors the configuration of AWS resources and evaluates them against defined compliance rules. For S3 buckets, Config provides managed rules such as “s3-bucket-public-read-prohibited” or “s3-bucket-public-write-prohibited,” which detect buckets that allow public access. When a bucket violates the rule, Config can trigger remediation actions through AWS Systems Manager Automation. Automation documents can perform corrective steps, such as modifying bucket ACLs or policies, to remove public access automatically.
Amazon GuardDuty detects threats such as unauthorized access attempts and anomalous API activity. Security Hub aggregates findings for centralized visibility. While these services enhance threat detection and provide visibility, they do not actively remediate misconfigured resources like publicly accessible S3 buckets.
IAM policies can restrict access but require manual configuration for each user and do not provide automated remediation for existing non-compliant resources. Manual intervention introduces delays and the risk of human error.
CloudTrail logs API activity and allows auditing, but does not automatically remediate misconfigured S3 buckets. Encryption ensures data is protected at rest, but does not prevent public access or remediate compliance violations.
AWS Config with Systems Manager Automation is correct because it enables proactive detection of public access violations, provides automated remediation, reduces operational overhead, ensures continuous compliance, supports auditing, and aligns with security best practices.
Question 35
A company wants to prevent accidental deletion of EBS snapshots while ensuring operational flexibility for administrators. Which configuration achieves this?
A) Enable EBS snapshot delete protection
B) Use IAM policies to deny all delete actions
C) Rely on versioning of EBS volumes
D) Use S3 Object Lock for snapshot storage
Answer: A) Enable EBS snapshot delete protection
Explanation:
There is no switch literally named "delete protection" on a snapshot; the EBS feature that delivers this is EBS snapshot lock (the LockSnapshot API), with the Recycle Bin as a recovery net. A locked snapshot cannot be deleted for the lock duration, while everything else, creating new snapshots, copying them and restoring volumes, keeps working. Governance mode lets a principal with permission to unlock the snapshot remove or shorten the lock early, which is the operational flexibility the question asks for; compliance mode cannot be unlocked or shortened once its cooling-off period has passed and is intended for regulatory retention. A Recycle Bin retention rule for EBS snapshots complements the lock: a snapshot that is deleted anyway is held for the retention period and can be restored instead of being lost. Together these give a balance between protecting critical backups and day-to-day administration.
Using IAM policies to deny all delete actions is overly restrictive. It prevents deletion, but it also blocks the legitimate clean-up administrators need to perform, and every sanctioned deletion then requires a policy change, which adds complexity and increases the risk of misconfiguration. A narrower Deny on ec2:DeleteSnapshot, for instance scoped with an aws:ResourceTag condition to snapshots that carry a retention tag, is a reasonable additional control, but on its own it does not provide the flexibility the question asks for.
EBS volumes do not have native versioning in the way S3 objects do. Snapshots taken at intervals form a point-in-time history, but nothing in that history protects an individual snapshot from deletion, so this option offers no guarantee against accidental removal.
S3 Object Lock applies only to objects in S3 buckets you own. EBS snapshots are stored by the EBS service in infrastructure you cannot see or configure, so Object Lock cannot be applied to them; the equivalent WORM control for snapshots is the snapshot lock described above.
Enabling EBS snapshot delete protection (in practice, snapshot lock backed by a Recycle Bin retention rule) is correct because it safeguards snapshots against accidental deletion while administrators keep the rest of the snapshot lifecycle, supports compliance retention through compliance mode, and reduces the risk of losing critical backups.
Question 36
A company wants to enforce that all Lambda functions accessing sensitive data use environment variables that are encrypted and auditable. Which AWS service combination is most appropriate?
A) AWS KMS with Lambda environment variable encryption
B) Storing secrets in plaintext in the Lambda configuration
C) Using S3 buckets to store environment variables
D) Enabling IAM policies without encryption
Answer: A) AWS KMS with Lambda environment variable encryption
Explanation:
AWS Lambda always encrypts environment variables at rest with a KMS key: an AWS owned key by default, or a customer managed key that the function owner selects, which brings the key policy, key rotation and the CloudTrail record of key use under the company's control. At-rest encryption alone does not hide the values from anyone who can call lambda:GetFunctionConfiguration, because Lambda decrypts them when the configuration is read and when the function starts. To make individual variables opaque, the console's encryption helpers (or a client-side kms:Encrypt) store ciphertext in the variable, and the function code calls kms:Decrypt at runtime, supplying the encryption context LambdaFunctionName that Lambda uses for these helpers; the key policy can require that exact encryption context so the ciphertext is only usable from that function. Each such Decrypt call appears in CloudTrail with the function's execution role as the caller, which gives the auditable record of which function read which secret, and when, that the question asks for.
Storing secrets in plaintext in Lambda environment variables is insecure. Any user with access to the Lambda function configuration can view the sensitive information. It violates security best practices and increases the risk of accidental exposure or compromise.
Using S3 buckets to store environment variables introduces operational complexity. While S3 can encrypt objects with SSE-KMS, retrieving the secrets requires additional code and network calls within Lambda functions, increasing latency and the risk of misconfiguration. It also introduces potential exposure if access controls are mismanaged.
Enabling IAM policies without encryption provides access control but does not protect the data itself. Secrets could still be read by anyone with access to the Lambda configuration, and auditability is limited compared to using KMS with CloudTrail.
AWS KMS with Lambda environment variable encryption is correct because it provides strong encryption, auditable access through CloudTrail, and native integration with Lambda, and it supports compliance requirements for protecting sensitive data at rest. It balances security and operational efficiency by protecting the values while allowing the function to use them. For credentials that must be rotated, AWS Secrets Manager or Systems Manager Parameter Store SecureString parameters are the more common choice in practice, but they are not among the options offered here.
Question 37
A company wants to detect unusual data access patterns in S3 buckets, such as mass downloads or access from unexpected regions. Which AWS service is most suitable?
A) Amazon Macie
B) AWS Config
C) AWS CloudTrail only
D) S3 bucket versioning
Answer: A) Amazon Macie
Explanation:
Amazon Macie is a data security service that uses machine learning and pattern matching to discover and classify sensitive data in S3 and to flag buckets whose configuration puts that data at risk (public access, missing encryption, replication outside the organization). Its findings are published to Security Hub and EventBridge, which is how alerting and automated response are wired up, and they support compliance programs such as GDPR or HIPAA by showing where regulated data lives. One caveat for practitioners: behavioral detection of access anomalies such as mass downloads or access from unusual locations was a feature of the original Macie; in the current service those detections are delivered by Amazon GuardDuty's S3 protection (for example, its Exfiltration:S3/AnomalousBehavior and Discovery:S3/AnomalousBehavior finding types). GuardDuty is not offered in this question, so Macie remains the answer among the given options, and in a real deployment Macie and GuardDuty S3 protection are used together: one knows where the sensitive data is, the other watches how it is accessed.
AWS Config tracks configuration compliance but does not analyze data content or access patterns. It can detect misconfigured buckets or public access policies but cannot identify unusual behavior based on user activity or data volume trends.
AWS CloudTrail records API calls, and with S3 data events enabled on the trail this includes object-level operations such as GetObject and PutObject (management events alone only cover bucket-level calls). The records can be analyzed for anomalies, but only with additional processing and tooling such as Athena queries or custom scripts that count requests per principal and compare source addresses against expected ranges. CloudTrail is the raw evidence, not the detector, and "CloudTrail only" is therefore not a streamlined answer for sensitive-data monitoring.
S3 bucket versioning helps retain previous versions of objects for recovery purposes but does not monitor access patterns or detect anomalies. It protects against accidental deletions or overwrites but does not address suspicious activity.
Amazon Macie is correct because it combines sensitive data discovery and classification with findings about at-risk buckets, delivers those findings through Security Hub and EventBridge for alerting and automated response, and integrates with the other AWS security services; among the options given, it is the only one built to protect sensitive data in S3 and reduce the risk of its exposure while supporting regulatory compliance.
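The explanation above says that CloudTrail can reveal unusual access only with custom processing. The following is an added example of what that processing looks like; it is not part of the original question set and not an AWS library. It scans CloudTrail S3 data-event records for two of the behaviors the question names: a burst of GetObject calls by one principal inside a sliding window, and calls from a source address outside the company's egress ranges. The records, the egress range (203.0.113.0/24), the threshold and the window are constructed for the example. Note that awsRegion in an S3 data event is the bucket's region, not the caller's location, so "access from an unexpected place" has to be judged from sourceIPAddress.

```python
"""Flag anomalous S3 object access in CloudTrail S3 data events.

Added example, not part of the original page. Records are constructed in the
CloudTrail record format; S3 data events must be enabled on the trail for
GetObject to be logged at all. Threshold, window and network ranges are
assumptions for the example.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range (TEST-NET-3)
DOWNLOAD_THRESHOLD = 3                                           # assumed: more than 3 GetObject calls per window
WINDOW = timedelta(minutes=5)


def _principal(record):
    """Collapse an assumed-role session to its role ARN; IAM users keep their own ARN."""
    ident = record["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn")


def _outside_networks(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a service name such as "s3.amazonaws.com" is an AWS service principal, not a client
    return not any(ip in net for net in networks)


def detect_anomalies(records, networks=CORPORATE_NETWORKS, threshold=DOWNLOAD_THRESHOLD, window=WINDOW):
    """Return findings in event order: UNEXPECTED_SOURCE for calls from outside the
    corporate ranges, MASS_DOWNLOAD once when a principal first exceeds the threshold."""
    findings = []
    recent = defaultdict(deque)  # principal -> GetObject timestamps inside the window
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        who = _principal(rec)
        if _outside_networks(rec.get("sourceIPAddress", ""), networks):
            findings.append({"type": "UNEXPECTED_SOURCE", "principal": who,
                             "sourceIPAddress": rec["sourceIPAddress"], "eventTime": rec["eventTime"]})
        if rec.get("eventName") != "GetObject":
            continue
        now = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[who]
        q.append(now)
        while now - q[0] > window:   # drop calls that have aged out of the window
            q.popleft()
        if len(q) == threshold + 1:  # report once, when the threshold is first crossed
            findings.append({"type": "MASS_DOWNLOAD", "principal": who, "count": len(q),
                             "eventTime": rec["eventTime"]})
    return findings


# Constructed sample records (CloudTrail S3 data-event shape, trimmed to the fields used).
def _record(time, name, ip, identity, bucket="acme-reports"):
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": {"bucketName": bucket}}


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
ETL_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/etl-job/i-0abc12345",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/etl-job"}}}

SAMPLE_RECORDS = [
    _record("2024-05-01T10:00:00Z", "GetObject", "203.0.113.10", ALICE),
    _record("2024-05-01T10:00:05Z", "GetObject", "203.0.113.10", ALICE),
    _record("2024-05-01T10:00:09Z", "GetObject", "203.0.113.10", ALICE),
    _record("2024-05-01T10:00:12Z", "GetObject", "203.0.113.10", ALICE),    # 4th in 5 min: mass download
    _record("2024-05-01T10:00:20Z", "GetObject", "203.0.113.10", ALICE),    # still over threshold, not re-reported
    _record("2024-05-01T10:02:00Z", "GetObject", "198.51.100.7", ETL_ROLE),  # outside the egress range
    _record("2024-05-01T10:03:00Z", "PutObject", "203.0.113.11", ALICE),    # write, inside range: ignored
    _record("2024-05-01T10:30:00Z", "GetObject", "203.0.113.10", ALICE),    # window has expired: count restarts
]

if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_RECORDS):
        print(finding)
```

Against the sample records the detector reports one MASS_DOWNLOAD for alice (four GetObject calls within the window) and one UNEXPECTED_SOURCE for the etl-job role. In production the same logic would run over the trail's S3 delivery or as an Athena query; the point it makes is that each rule, its threshold and its notion of "expected" have to be written and tuned by the team, which is the work Macie and GuardDuty take off your hands.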
Question 38
A company wants to enforce that all IAM users accessing production accounts use MFA and generate real-time alerts for non-compliant logins. Which solution is most effective?
A) IAM with MFA enforcement and CloudWatch integration
B) Security groups with MFA rules
C) AWS Config rules only
D) S3 bucket policies requiring MFA
Answer: A) IAM with MFA enforcement and CloudWatch integration
Explanation:
IAM supports multi-factor authentication (MFA) for users, adding a second factor beyond the password. Enforcement is done with an identity policy that denies all actions when aws:MultiFactorAuthPresent is false (using BoolIfExists, so requests in which the key is absent are denied too), except for the few IAM actions a user needs to enroll a device. For alerting, CloudTrail records every console sign-in as a ConsoleLogin event whose additionalEventData.MFAUsed field is "Yes" or "No" and delivers it to EventBridge (formerly CloudWatch Events); a rule that matches successful ConsoleLogin events with MFAUsed "No" can publish to an SNS topic or start a remediation workflow, such as attaching a deny-all policy to the user or deactivating the user's access keys. Sign-in events for the global console endpoint are recorded in us-east-1, so that is where the rule must exist. This combination enforces the policy continuously and gives immediate visibility into violations.
Security groups control network traffic and cannot enforce authentication mechanisms like MFA. They operate at the network level, not the identity level, and cannot generate alerts for non-compliant login attempts.
AWS Config rules such as iam-user-mfa-enabled and mfa-enabled-for-iam-console-access report whether a user has an MFA device configured. That is a configuration check on a schedule, not a view of individual sign-ins: Config cannot tell that a particular login proceeded without MFA, nor raise a real-time alert for it, so on its own it does not meet the requirement.
S3 bucket policies can require MFA for specific actions like object deletion but do not enforce MFA at the account or IAM user level, nor do they provide centralized logging or alerting for failed authentication attempts.
IAM with MFA enforcement and CloudWatch integration is correct because it enforces MFA for user access, monitors authentication events as they happen, alerts automatically on non-compliant logins, keeps an audit trail through CloudTrail, and supports an immediate security response. This approach protects production accounts and aligns with compliance best practices.
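The two halves of this answer, the enforcement policy and the alerting rule, are easier to see concretely. The following is an added example, not part of the original question set and not an AWS library. It holds the EventBridge event pattern an alerting rule would use for console sign-ins without MFA, a small matcher that applies the exact-match subset of EventBridge pattern semantics this pattern needs, the deny-unless-MFA identity policy, and constructed sign-in events in the envelope EventBridge delivers for CloudTrail console sign-in events. Account IDs and user names are made up. One detail a real deployment needs: the pattern pins userIdentity.type to IAMUser, because federated (AssumedRole) console sessions report MFAUsed "No" even when the identity provider enforced MFA.

```python
"""Alert on successful console sign-ins by IAM users that did not use MFA.

Added example, not part of the original page. Events are constructed in the
shape EventBridge delivers for CloudTrail console sign-in records.
"""

# EventBridge rule pattern. Console sign-in events arrive with this detail-type
# and the CloudTrail record as "detail". userIdentity.type is pinned to IAMUser
# because federated sessions report MFAUsed "No" when the IdP handled MFA.
NO_MFA_CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["IAMUser"]},
        "additionalEventData": {"MFAUsed": ["No"]},
        "responseElements": {"ConsoleLogin": ["Success"]},
    },
}

# Identity policy for the enforcement half: deny everything except MFA self-enrolment
# when no MFA was used. BoolIfExists also denies requests where the key is absent.
DENY_UNLESS_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupIfNoMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
            "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
            "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every pattern key must be
    present in the event; a nested dict recurses; a list matches if the event's value
    equals one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def noncompliant_logins(events, pattern=NO_MFA_CONSOLE_LOGIN_PATTERN):
    """User names of the events the alerting rule would fire on."""
    return [e["detail"]["userIdentity"]["userName"] for e in events if matches(pattern, e)]


# Constructed sample events (EventBridge envelope around a CloudTrail ConsoleLogin record).
def _signin_event(user_type, name, mfa_used, outcome):
    arn = (f"arn:aws:iam::111122223333:user/{name}" if user_type == "IAMUser"
           else f"arn:aws:sts::111122223333:assumed-role/Federated/{name}")
    return {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": user_type, "userName": name, "arn": arn},
            "additionalEventData": {"MFAUsed": mfa_used},
            "responseElements": {"ConsoleLogin": outcome},
        },
    }


SAMPLE_EVENTS = [
    _signin_event("IAMUser", "alice", "Yes", "Success"),    # compliant
    _signin_event("IAMUser", "bob", "No", "Success"),       # non-compliant: alert
    _signin_event("IAMUser", "carol", "No", "Failure"),     # failed sign-in, no session was opened
    _signin_event("AssumedRole", "dave", "No", "Success"),  # federated session: MFA enforced at the IdP
]

if __name__ == "__main__":
    print("alert on:", noncompliant_logins(SAMPLE_EVENTS))
```

Only bob triggers the rule. The pattern dictionary is what goes into the EventBridge rule (with an SNS topic or a remediation Lambda as the target), and the policy dictionary is attached to the users or their group; the matcher is just here so the pattern's behavior can be checked against sample events before deploying it.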
Question 39
A company wants to detect and remediate unencrypted EBS volumes automatically. Which service combination is suitable for this task?
A) AWS Config rules with Systems Manager Automation
B) IAM policies restricting encryption
C) CloudTrail logging only
D) Security groups with encryption rules
Answer: A) AWS Config rules with Systems Manager Automation
Explanation:
AWS Config allows organizations to continuously monitor AWS resources against managed or custom compliance rules. For EBS volumes, the managed rule encrypted-volumes marks any unencrypted volume non-compliant, and its optional kmsId parameter additionally requires a specific KMS key. When a volume is found non-compliant, a remediation action attached to the rule invokes an AWS Systems Manager Automation runbook. An unencrypted volume cannot be encrypted in place, so the runbook has to snapshot the volume, copy the snapshot with encryption enabled, create a new volume from the encrypted copy and swap it onto the instance, or notify administrators when the swap needs a maintenance window. This enforces the encryption policy without manual effort and leaves an auditable history of evaluations and remediation actions. Prevention complements the detection: enabling EBS encryption by default for the account makes every new volume encrypted, and an IAM Deny on ec2:CreateVolume and ec2:RunInstances with the ec2:Encrypted condition set to false blocks the remaining paths; Config then deals with volumes that pre-date those controls.
IAM policies can prevent new unencrypted volumes, using the ec2:Encrypted condition key described above, but they cannot find or fix volumes that already exist, and they do nothing about volumes created in accounts or regions where the policy was not applied. Without monitoring and remediation, those volumes stay unencrypted indefinitely.
CloudTrail logs all API actions, including volume creation, but does not enforce encryption or provide automated remediation. Analysis of CloudTrail logs for compliance would require custom tooling and would be reactive rather than proactive.
Security groups control network traffic and cannot enforce encryption of storage resources. They are irrelevant for EBS encryption enforcement.
AWS Config rules combined with Systems Manager Automation is correct because it gives automated detection and remediation, continuous compliance monitoring and an auditable record of enforcement, and it reduces operational risk. It brings existing EBS volumes into line with the encryption policy and with the security and regulatory requirements behind it.
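Questions 34 and 39 both rest on Config rules evaluating a resource's recorded configuration. The following is an added example, not part of the original question set and not AWS's own rule implementation, showing the evaluation logic behind both checks in the shape a custom Config rule returns through PutEvaluations: encrypted-volumes for AWS::EC2::Volume (including the optional kmsId allow-list), and s3-bucket-public-read-prohibited, which is only compliant when Block Public Access neutralizes, or the bucket simply lacks, a public ACL grant and a public bucket policy. The EBS fields (resourceType, resourceId, configuration.encrypted, configuration.kmsKeyId, configurationItemCaptureTime) follow the AWS::EC2::Volume configuration item; the S3 inputs are passed in as plain structures (the four Block Public Access flags, ACL grants as grantee/permission pairs, the bucket policy as a dictionary). The policy analysis is a simplification that treats any Condition as restricting the statement; resource IDs and key ARNs are made up.

```python
"""Evaluation logic behind two AWS Config checks: encrypted EBS volumes and
public-read S3 buckets, in the shape a custom rule hands to PutEvaluations.

Added example, not the page's code and not AWS's managed-rule implementation.
Inputs are constructed; the bucket-policy analysis is deliberately simplified.
"""


def _as_list(v):
    return v if isinstance(v, list) else [v]


# --- EBS (Question 39): compliant when encrypted, and with an allowed key if a kmsId allow-list is set ---
def evaluate_volume(ci, allowed_kms_key_ids=None):
    if ci["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    cfg = ci["configuration"]
    if not cfg.get("encrypted"):
        return "NON_COMPLIANT"
    if allowed_kms_key_ids and cfg.get("kmsKeyId") not in allowed_kms_key_ids:
        return "NON_COMPLIANT"
    return "COMPLIANT"


# --- S3 (Question 34): public read via ACL or policy, unless Block Public Access neutralises it ---
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}  # the predefined groups that make an ACL public
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
BPA_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def _grants_public_read(stmt):
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False  # simplification: a conditioned statement (VPC endpoint, source IP, org ID) counts as restricted
    principal = stmt.get("Principal")
    anonymous = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
    return anonymous and any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action", [])))


def evaluate_bucket_public_read(public_access_block, acl_grants, bucket_policy):
    bpa = public_access_block or {}
    if all(bpa.get(flag) for flag in BPA_FLAGS):
        return "COMPLIANT"  # all four flags on: neither ACL nor policy can expose the bucket
    acl_public = any(g["grantee"] in PUBLIC_GRANTEES and g["permission"] in ("READ", "FULL_CONTROL")
                     for g in acl_grants)
    if acl_public and not bpa.get("ignorePublicAcls"):
        return "NON_COMPLIANT"  # IgnorePublicAcls is the flag that neutralises an existing public ACL
    statements = _as_list((bucket_policy or {}).get("Statement", []))
    if any(_grants_public_read(s) for s in statements) and not bpa.get("restrictPublicBuckets"):
        return "NON_COMPLIANT"  # RestrictPublicBuckets limits a public policy to the account's own principals
    return "COMPLIANT"


def build_evaluation(ci, compliance):
    """One entry of the Evaluations list a custom rule passes to config:PutEvaluations."""
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "OrderingTimestamp": ci["configurationItemCaptureTime"]}


# Constructed inputs.
APPROVED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
VOLUME_CI = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
             "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
             "configuration": {"encrypted": False, "kmsKeyId": None}}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-reports/*"}]}
PUBLIC_ACL = [{"grantee": "AllUsers", "permission": "READ"}]
ALL_BPA_ON = dict.fromkeys(BPA_FLAGS, True)

if __name__ == "__main__":
    print(build_evaluation(VOLUME_CI, evaluate_volume(VOLUME_CI)))
    print("public policy, no BPA:", evaluate_bucket_public_read({}, [], PUBLIC_READ_POLICY))
    print("public policy, BPA on:", evaluate_bucket_public_read(ALL_BPA_ON, PUBLIC_ACL, PUBLIC_READ_POLICY))
```

The two S3 branches are the reason the remediation in Question 34 should turn on Block Public Access: a bucket with a public ACL or policy becomes compliant as soon as ignorePublicAcls and restrictPublicBuckets are set, whatever later edits are made to the ACL or policy. The EBS check has no such switch, which is why its remediation is the snapshot, encrypted copy and volume swap described above.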
Question 40
A company wants to enforce that only approved IAM roles can assume a high-privilege administrative role in the account. Which AWS mechanism is most appropriate?
A) IAM trust policies
B) Security groups
C) Bucket policies
D) AWS KMS key policies
Answer: A) IAM trust policies
Explanation:
An IAM role's trust policy is the resource-based policy that controls who may call sts:AssumeRole on it. Its Principal element names the trusted entities: IAM roles and users by ARN, whole AWS accounts (an account root ARN trusts every principal in that account whose own identity policy also grants sts:AssumeRole), AWS services, or federated identity providers; IAM groups cannot be principals in a trust policy. For a high-privilege administrative role, the trust policy should either name only the approved roles or trust the account and pin callers with an aws:PrincipalArn condition. The second form survives deletion and recreation of an approved role, whereas a role ARN named directly in a Principal element is replaced by the deleted role's unique ID and stops matching. Conditions such as aws:MultiFactorAuthPresent or sts:ExternalId can narrow access further. This is least privilege applied to the path into the role: the trust policy decides who can assume it, and the role's permission policies decide what the resulting session can do.
Security groups operate at the network level, controlling traffic to resources like EC2 instances, but cannot enforce IAM role assumption or identity-level access controls.
Bucket policies control access to S3 resources and cannot enforce which roles can assume IAM roles. They are resource-level permissions and do not interact with role trust relationships.
AWS KMS key policies manage access to encryption keys and define which users or roles can use or manage keys. While KMS key policies provide fine-grained control over encryption key usage, they do not control the assumption of IAM roles for administrative privileges.
IAM trust policies are correct because they are the one enforceable control over which principals can assume a high-privilege role, and every AssumeRole call they permit or refuse is recorded in CloudTrail for monitoring and compliance. Properly scoped, they ensure that only approved principals can gain elevated access and reduce the risk of privilege escalation or unauthorized operations.
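The difference between naming approved roles, trusting the whole account and trusting the account with an aws:PrincipalArn condition is easiest to see by evaluating each trust policy against sample callers. The following is an added example, not part of the original question set and not an AWS library: a reduced model of how IAM evaluates a role's trust policy for sts:AssumeRole (explicit Deny wins, otherwise a matching Allow is needed; a Principal may name ARNs or an account root, which trusts every principal in that account; Conditions are checked with a handful of operators). Not modelled: the caller's own identity policy, which must also grant sts:AssumeRole when the caller is trusted only through the account root, the IfExists operators, and other principal types. Account IDs and role names are made up. The condition relies on aws:PrincipalArn being the caller's role ARN rather than the assumed-role session ARN, which is how IAM populates it.

```python
"""Which callers may assume a high-privilege role: trust-policy evaluation.

Added example, not part of the original page. Reduced model of IAM's
trust-policy evaluation for sts:AssumeRole; see the lead-in for what is
deliberately left out. Account IDs and role names are made up.
"""
import fnmatch

ACCOUNT = "111122223333"
APPROVED = [f"arn:aws:iam::{ACCOUNT}:role/SecurityBreakGlass", f"arn:aws:iam::{ACCOUNT}:role/PlatformOncall"]

# 1. Name the approved roles directly. Tight, but if an approved role is deleted and
#    recreated, IAM rewrites its entry to the old role's unique ID and the trust breaks.
EXPLICIT_ROLES_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": APPROVED}, "Action": "sts:AssumeRole"}]}

# 2. Trust the whole account: any principal whose identity policy grants sts:AssumeRole
#    can assume the admin role. This is the pitfall, not the answer to the question.
ACCOUNT_ROOT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "sts:AssumeRole"}]}

# 3. Trust the account but pin the caller with aws:PrincipalArn: survives role
#    recreation and still limits assumption to the approved roles.
PINNED_ROOT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "sts:AssumeRole",
     "Condition": {"ArnLike": {"aws:PrincipalArn": APPROVED}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller_arn):
            return True
        if p.isdigit() and len(p) == 12:  # a bare account ID is shorthand for its :root ARN
            p = f"arn:aws:iam::{p}:root"
        if p.endswith(":root") and caller_arn.startswith(p[:-len("root")]):
            return True  # account root trusts every IAM principal in that account
    return False


def _condition_matches(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing key fails these operators (IfExists variants not modelled)
            values = [str(v) for v in _as_list(expected)]
            if operator in ("ArnLike", "StringLike"):
                ok = any(fnmatch.fnmatchcase(str(actual), v) for v in values)
            elif operator in ("ArnEquals", "StringEquals"):
                ok = str(actual) in values
            elif operator == "Bool":
                ok = str(actual).lower() in [v.lower() for v in values]
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
            if not ok:
                return False
    return True


def can_assume(trust_policy, caller_arn, context=None):
    """True if caller_arn may call sts:AssumeRole on the role that owns trust_policy."""
    ctx = {"aws:PrincipalArn": caller_arn, **(context or {})}
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _condition_matches(stmt.get("Condition"), ctx):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


if __name__ == "__main__":
    developer = f"arn:aws:iam::{ACCOUNT}:role/Developer"
    for name, policy in [("explicit", EXPLICIT_ROLES_TRUST), ("root", ACCOUNT_ROOT_TRUST), ("pinned", PINNED_ROOT_TRUST)]:
        print(name, "approved:", can_assume(policy, APPROVED[0]), "developer:", can_assume(policy, developer))
```

The output shows the point of the question: the explicit and pinned policies admit SecurityBreakGlass and refuse Developer, while the account-root policy admits Developer as well, leaving the decision to whoever can edit Developer's identity policy. Of the two safe forms, the pinned variant is the one that keeps working after an approved role is recreated.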