Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 4 Q61-80


Question 61

A company wants to prevent public access to all newly created S3 buckets across multiple accounts. Which approach provides centralized enforcement?

A) AWS Organization SCPs with AWS Config rules

B) Enable S3 bucket versioning only

C) Use IAM policies on each account separately

D) Security groups

Answer: A) AWS Organization SCPs with AWS Config rules

Explanation:

AWS Organizations Service Control Policies (SCPs) provide centralized governance for multiple AWS accounts. SCPs can enforce permissions at the organizational unit or account level, preventing users from creating public S3 buckets. By combining SCPs with AWS Config rules, the company can continuously monitor bucket configurations and automatically detect any publicly accessible buckets. Config rules such as s3-bucket-public-read-prohibited or s3-bucket-public-write-prohibited can trigger remediation actions using Systems Manager Automation to remove public access, ensuring compliance across all accounts. This centralized approach reduces administrative overhead and ensures consistent enforcement of security policies.

Enabling S3 bucket versioning provides object recovery but does not prevent public access. Versioning is unrelated to controlling permissions or accessibility. AWS Organization Service Control Policies (SCPs) combined with AWS Config rules are the correct approach for enforcing consistent security and compliance across multiple AWS accounts. SCPs allow administrators to define permissions at the organizational level, ensuring that all member accounts adhere to centrally managed policies. This prevents users or roles in any account from performing actions that violate organizational security requirements. AWS Config complements SCPs by continuously monitoring resource configurations against defined compliance rules, automatically detecting deviations, and generating alerts for remediation. Together, these tools provide a proactive, organization-wide approach to enforce security best practices and regulatory compliance, ensuring that all accounts operate within a controlled and auditable framework.

Simply enabling S3 bucket versioning only provides object-level protection by retaining previous versions of files, which helps recover from accidental deletions but does not enforce permissions or account-wide security standards. Using IAM policies on each account separately can secure individual accounts but lacks centralized control, making it difficult to ensure consistent security and compliance across an entire organization. Security groups control network traffic at the resource level but do not enforce account-wide policies or monitor configuration compliance.

Using AWS Organization SCPs with AWS Config rules provides a comprehensive solution for managing security and compliance across multiple AWS accounts. SCPs enforce permissions centrally, while Config rules monitor and validate resource configurations against established policies. The other options—S3 versioning, individual IAM policies, and security groups—offer specific protections but do not provide organization-wide enforcement or automated compliance monitoring. This makes option A the correct choice for ensuring consistent security and governance across a multi-account AWS environment.

Using IAM policies on each account separately requires manual enforcement and coordination, increasing the risk of misconfiguration. It lacks centralized control and may lead to inconsistent implementation across accounts.

Security groups manage network access to resources, but do not apply to S3 bucket accessibility. They cannot prevent public exposure of buckets or enforce organizational policies.

AWS Organization SCPs combined with AWS Config rules are correct because they provide centralized enforcement across multiple accounts, continuous monitoring, automated remediation, and consistent adherence to security standards. This approach minimizes human error and ensures that all S3 buckets remain private by default.
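The explanation above describes the SCP half of the answer in general terms. The block below is an added example, not material from the exam page or from AWS: it shows what such an SCP actually denies (the calls that switch off S3 Block Public Access and the calls that apply a public canned ACL) together with a small checker, written for this example and not an AWS library, that reports which statement would block a given call. The action and condition-key names are real IAM identifiers; the checker models only the `StringEquals` operator used in the policy. A production SCP would normally exempt a designated break-glass role with an `aws:PrincipalArn` condition, which is omitted here.

```python
"""Added example: an SCP that keeps S3 Block Public Access from being
relaxed anywhere in the organization, plus a simplified SCP-evaluation
checker written for this example (not an AWS library)."""
import json

SCP_BLOCK_PUBLIC_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Nobody in a member account may loosen Block Public Access,
            # at either the account or the bucket level.
            "Sid": "DenyDisablingBlockPublicAccess",
            "Effect": "Deny",
            "Action": [
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPublicAccessBlock",
            ],
            "Resource": "*",
        },
        {
            # Creating a bucket, or changing a bucket/object ACL, with a
            # public canned ACL is denied outright.
            "Sid": "DenyPublicCannedAcls",
            "Effect": "Deny",
            "Action": ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutObjectAcl"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": ["public-read", "public-read-write"]
                }
            },
        },
    ],
}


def _condition_matches(condition, ctx):
    """Evaluate the StringEquals conditions used above.  As in IAM, a
    condition key that is absent from the request context never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled here: {operator}")
        for key, allowed in pairs.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            if ctx.get(key) not in values:
                return False
    return True


def scp_denies(action, ctx=None, policy=SCP_BLOCK_PUBLIC_S3):
    """Return the Sid of the Deny statement that blocks this API call,
    or None when the SCP lets it through to normal IAM evaluation.
    `ctx` holds the request's condition keys (constructed by the caller)."""
    ctx = ctx or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(SCP_BLOCK_PUBLIC_S3, indent=2))
    print(scp_denies("s3:PutBucketAcl", {"s3:x-amz-acl": "public-read"}))
```

The Config rules named in the explanation then catch whatever slips past the SCP (for example a bucket policy that grants access to `*`), which is why the answer pairs the two controls rather than relying on the SCP alone.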

Question 62

A company wants to enforce encryption of all DynamoDB tables and track access patterns for auditing. Which combination of AWS services meets this requirement?

A) Enable DynamoDB encryption with KMS and use CloudTrail logging

B) Use IAM policies only

C) Enable security groups

D) Use S3 bucket policies

Answer: A) Enable DynamoDB encryption with KMS and use CloudTrail logging

Explanation:

DynamoDB supports encryption at rest using AWS KMS. Enabling KMS encryption ensures that all data stored in tables is encrypted with either AWS-managed or customer-managed keys. KMS provides fine-grained access control and integrates with CloudTrail to record all decryption requests, supporting auditing and compliance. Using CloudTrail in combination allows tracking of all API calls to DynamoDB, including reads, writes, and administrative operations. This provides visibility into who accessed what data and when, supporting forensic analysis, auditing, and security compliance.

Using IAM policies alone controls access but does not encrypt data at rest or provide detailed auditing of read operations. IAM manages permissions but does not protect data or track decryption events.

Security groups manage network traffic to resources like EC2 instances, but do not control access to DynamoDB tables or provide encryption. They operate at the network layer, not the data layer. Enabling DynamoDB encryption with AWS Key Management Service (KMS) and using CloudTrail logging is the recommended approach to secure sensitive data stored in DynamoDB. KMS encryption ensures that all data at rest is protected using strong, managed encryption keys, preventing unauthorized access to the raw data. Even if someone gains access to the underlying storage, encrypted data cannot be read without the proper keys. CloudTrail logging complements this by providing an audit trail of all API calls and operations performed on DynamoDB tables. It allows administrators to monitor who accessed or modified data, detect unusual activity, and meet compliance requirements. Together, KMS encryption and CloudTrail logging provide a comprehensive security solution that safeguards both the confidentiality and accountability of data in DynamoDB.

Relying solely on IAM policies restricts which users or roles can access DynamoDB, but it does not encrypt the data at rest, leaving it potentially vulnerable in the event of a compromise. Enabling security groups controls network access to services like EC2 instances, but does not secure the data stored in DynamoDB. Using S3 bucket policies is specific to S3 storage and does not affect DynamoDB. While IAM policies, security groups, and S3 bucket policies are important for overall AWS security, they do not provide the combined protection of encryption and activity logging offered by KMS and CloudTrail.

Enabling DynamoDB encryption with KMS ensures that data remains confidential and secure at rest, while CloudTrail logging provides visibility and accountability over all operations on the database. This combination offers robust, best-practice security for sensitive DynamoDB data, making option A the correct solution. The other options either provide partial protection or do not apply to DynamoDB, highlighting the importance of encryption and auditing in securing cloud databases.

S3 bucket policies apply only to S3 objects and are not relevant for DynamoDB tables. They cannot enforce encryption or audit access to DynamoDB.

Enabling DynamoDB encryption with KMS and using CloudTrail logging is correct because it ensures that data is encrypted at rest, provides granular access control, maintains a complete audit trail, and aligns with security and compliance best practices. This combination protects sensitive information while allowing administrators to monitor access patterns and respond to anomalies.

Question 63

A company wants to ensure that IAM users who have not logged in for 90 days are automatically disabled. Which AWS service combination is suitable?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM stores metadata about user activity, including the last login timestamp. CloudWatch Events (EventBridge) can monitor this metadata and trigger a Lambda function when a user exceeds a defined inactivity period, such as 90 days. The Lambda function can automatically disable inactive IAM users, ensuring compliance with security policies and reducing the risk of orphaned accounts being compromised. This approach automates governance, enforces least privilege, and minimizes operational overhead.

Security groups control network traffic and cannot monitor IAM user activity or disable inactive accounts. They operate at the network level and do not interact with identity management.

CloudTrail logs all API activity, including IAM user logins. While CloudTrail provides visibility into user activity, it does not enforce automatic disabling or remediation. Manual analysis would be required, which is error-prone and reactive.

S3 bucket policies control access to objects but cannot monitor IAM user activity or disable accounts. They are resource-level permissions and unrelated to identity lifecycle management.

IAM combined with CloudWatch Events and Lambda automation is correct because it allows automated detection of inactive users, immediate remediation, compliance with organizational policies, reduced operational effort, and enhanced security by minimizing the attack surface from unused accounts.

Question 64

A company wants to prevent unauthorized deletion of CloudTrail logs while maintaining normal log delivery. Which configuration ensures this?

A) Enable S3 bucket policies with MFA delete and KMS encryption

B) Enable versioning only

C) Use IAM policies without encryption

D) Enable public access

Answer: A) Enable S3 bucket policies with MFA delete and KMS encryption

Explanation:

CloudTrail logs are delivered to S3 buckets, which can be protected using bucket policies and additional controls. Enabling MFA delete requires a multi-factor authentication token to delete objects or change the versioning state, preventing accidental or malicious deletion of logs. Combining this with KMS encryption ensures that logs are encrypted at rest and can only be accessed by authorized principals with the proper KMS permissions. This configuration provides a secure and auditable environment, ensuring the integrity of CloudTrail logs while allowing normal delivery and retrieval of log data for operational and security analysis.

Enabling versioning alone allows recovery of previous object versions but does not prevent deletion of objects without MFA. Versioning increases data retention but is not sufficient for protection against unauthorized deletion.

Using IAM policies without encryption controls who can access the bucket, but does not provide additional protection against accidental or malicious deletion or unauthorized data access. Logs could still be deleted if an authorized user’s credentials are compromised.

Enabling public access exposes sensitive log data to the entire internet, which is insecure and violates best practices. It does not prevent deletion or unauthorized modification.

S3 bucket policies with MFA delete and KMS encryption are correct because they prevent unauthorized deletions, secure logs at rest, provide auditability, and maintain normal log delivery for monitoring and compliance purposes. This combination ensures the integrity and confidentiality of critical audit logs.

Question 65

A company wants to ensure that all AWS Lambda functions access secrets securely without hardcoding credentials. Which solution achieves this best?

A) Use AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext in environment variables

C) Use S3 buckets to store secrets

D) Use security groups only

Answer: A) Use AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager provides a secure way to store and manage sensitive information such as API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, ensuring that credentials are never hardcoded or exposed. Secrets Manager supports automatic rotation of credentials, fine-grained access control via IAM policies, and audit logging through CloudTrail. By integrating Secrets Manager with Lambda, the company ensures that sensitive data is accessed securely, reduces the risk of exposure, and maintains compliance with security best practices.

Storing secrets in plaintext environment variables exposes them to anyone who has access to Lambda configuration, violating security principles and increasing the risk of accidental leaks or malicious access.

Using S3 buckets to store secrets requires additional code for encryption and access control. While S3 can provide encryption at rest, it does not integrate seamlessly with Lambda for automated secret retrieval and rotation. Misconfigurations could lead to exposure of sensitive information.

Security groups control network traffic but do not provide mechanisms for securely storing or accessing secrets. They are unrelated to credential management.

AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, fine-grained access control, automated rotation, auditability, and seamless integration with Lambda. This ensures secure handling of sensitive data, eliminates the need to hardcode credentials, and aligns with security and compliance best practices.

Question 66

A company wants to automatically encrypt all new EBS volumes and snapshots with a customer-managed KMS key. Which AWS service configuration achieves this?

A) Create a default EBS encryption key in KMS and enable EBS encryption by default

B) Use IAM policies only

C) Enable security groups

D) Store snapshots in S3

Answer: A) Create a default EBS encryption key in KMS and enable EBS encryption by default

Explanation:

Enabling EBS encryption by default ensures that all newly created EBS volumes are automatically encrypted using a customer-managed KMS key. Any snapshots created from these volumes inherit the same encryption, providing consistent protection for data at rest. This approach eliminates the risk of unencrypted volumes due to human error or misconfiguration. Using a customer-managed KMS key allows fine-grained access control, centralized audit logging, and automatic key rotation, aligning with organizational security requirements and regulatory compliance. It also ensures that only authorized users and services can access encrypted volumes or snapshots.

Using IAM policies alone controls who can create or manage EBS volumes, but does not enforce encryption. Users could still create unencrypted volumes if encryption defaults are not set.

Security groups control network traffic for EC2 instances, but do not influence volume encryption. They cannot protect data at rest or enforce encryption policies.

Storing snapshots in S3 is not relevant because EBS snapshots are stored in a managed service format, not directly in user-controlled S3 buckets. S3 storage controls cannot enforce encryption on EBS volumes or snapshots.

Creating a default EBS encryption key in KMS and enabling EBS encryption by default is correct because it guarantees that all new volumes and snapshots are encrypted automatically, provides centralized key management and access control, ensures auditability, and aligns with security best practices for protecting sensitive data.

Question 67

A company wants to enforce MFA for all IAM users when performing sensitive API operations. Which configuration achieves this?

A) Use IAM policies with MFA condition keys

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) Use IAM policies with MFA condition keys

Explanation:

IAM policies can enforce multi-factor authentication (MFA) by including condition keys such as aws:MultiFactorAuthPresent. This ensures that IAM users must provide an MFA token when performing sensitive operations like modifying resources or accessing critical data. MFA strengthens account security by adding a layer of authentication beyond username and password, reducing the likelihood of credential compromise and unauthorized access. Policies can be applied globally or selectively to specific users, groups, or services, enabling granular control while enforcing security best practices.

Security groups control network traffic and cannot enforce authentication requirements like MFA. They operate at the network layer, not the identity layer, and do not prevent unauthorized API operations.

CloudTrail logging records API activity and can indicate whether MFA was used, but it does not enforce MFA requirements. This approach is reactive rather than preventive.

S3 bucket policies can require MFA for certain S3 operations, such as deleting objects, but they are limited to S3 resources and cannot enforce MFA for all AWS services or sensitive API operations.

Using IAM policies with MFA condition keys is correct because it proactively enforces a security layer, prevents unauthorized actions, supports compliance mandates, and aligns with best practices for identity and access management across all AWS services.
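The explanation names the aws:MultiFactorAuthPresent condition key but not the operator pitfall that decides whether the policy actually works. The block below is an added example, not from the exam page or from AWS: it holds a Deny policy for a few sensitive actions and a small checker, written for this example, that models IAM's `Bool` and `BoolIfExists` semantics. The point it demonstrates is that requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, so a plain `Bool ... "false"` test never matches them and leaves those calls allowed; `BoolIfExists` treats the missing key as a match and closes that gap. Action names are real IAM actions; the request contexts are constructed.

```python
"""Added example: deny sensitive actions unless MFA is present, with a
simplified model of IAM's Bool / BoolIfExists operators (not AWS code)."""

REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenySensitiveActionsWithoutMfa",
            "Effect": "Deny",
            "Action": [
                "ec2:TerminateInstances",
                "iam:DeleteUser",
                "kms:ScheduleKeyDeletion",
                "s3:DeleteBucket",
            ],
            "Resource": "*",
            # BoolIfExists: deny when the key is "false" OR absent.  Access-key
            # requests have no aws:MultiFactorAuthPresent key, so a plain Bool
            # test would silently let them through.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}


def _bool_condition(operator, key, expected, ctx):
    """Model one Bool-family condition.  Bool: key must be present and equal.
    BoolIfExists: a missing key counts as a match; a present key must be equal."""
    if operator not in ("Bool", "BoolIfExists"):
        raise ValueError(f"operator not modelled here: {operator}")
    if key not in ctx:
        return operator == "BoolIfExists"
    return str(ctx[key]).lower() == expected.lower()


def denied(action, ctx, policy=REQUIRE_MFA_POLICY):
    """Return the Sid of the first Deny statement that matches this request,
    or None when the policy does not block it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        matched = all(
            _bool_condition(op, key, expected, ctx)
            for op, pairs in stmt.get("Condition", {}).items()
            for key, expected in pairs.items()
        )
        if matched:
            return stmt["Sid"]
    return None


# Constructed request contexts, shaped the way IAM populates them.
CTX_CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CTX_CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CTX_ACCESS_KEY = {}  # long-term credentials: the key is absent entirely


def compare_operators(action="s3:DeleteBucket"):
    """Evaluate the same access-key request under BoolIfExists and Bool."""
    plain_bool = {
        "Statement": [
            dict(REQUIRE_MFA_POLICY["Statement"][0],
                 Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}})
        ]
    }
    return {
        "BoolIfExists_denies_access_key": denied(action, CTX_ACCESS_KEY) is not None,
        "Bool_denies_access_key": denied(action, CTX_ACCESS_KEY, plain_bool) is not None,
    }


if __name__ == "__main__":
    print(compare_operators())
```

Attach the Deny policy to the users or groups in question (or as a permissions boundary); because an explicit Deny overrides any Allow, the sensitive actions then succeed only from sessions that were established with an MFA code.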

Question 68

A company wants to prevent unauthorized public access to RDS instances. Which configuration provides the most effective protection?

A) Deploy RDS instances in private subnets and use security groups

B) Use IAM policies only

C) Enable CloudTrail logging only

D) Use S3 bucket policies

Answer: A) Deploy RDS instances in private subnets and use security groups

Explanation:

Deploying RDS instances in private subnets within a VPC ensures that they are not directly accessible from the public internet. Security groups can further restrict inbound traffic to only trusted application servers or IP ranges. This combination enforces network-level access control, minimizing the risk of unauthorized exposure. It is an essential practice for protecting sensitive databases containing confidential or regulated data. Private subnet deployment prevents external threats and allows administrators to maintain complete control over access pathways.

IAM policies alone control who can modify or manage RDS instances, but do not prevent network-level exposure. Users with sufficient permissions could still create publicly accessible instances if subnet configuration is not enforced.

CloudTrail logs API calls, including changes to RDS instance configurations, but does not prevent public access. It provides auditing capabilities but cannot enforce preventive controls.

S3 bucket policies are irrelevant because RDS does not rely on S3 access policies for network protection. They cannot prevent unauthorized access to databases.

Deploying RDS instances in private subnets with security groups is correct because it enforces network isolation, restricts access to authorized systems, reduces the attack surface, and aligns with security best practices for database protection. This configuration ensures that sensitive data remains inaccessible from the public internet.

Question 69

A company wants to detect anomalous behavior in API usage for multiple AWS accounts and generate actionable alerts. Which AWS service combination achieves this?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty continuously monitors accounts for suspicious activity and potential threats using machine learning, anomaly detection, and threat intelligence feeds. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect unusual patterns such as unexpected API calls, privilege escalation attempts, or logins from unusual geographic locations. GuardDuty generates actionable findings with severity levels and context about affected resources, which can be integrated into Security Hub. Security Hub aggregates findings from multiple accounts, provides a centralized dashboard, and allows automated response workflows using CloudWatch Events and Lambda. This combination enables organizations to monitor security proactively, respond quickly, and maintain compliance across multiple accounts.

CloudTrail logs API calls but does not provide anomaly detection or actionable alerts. It is reactive and requires additional tooling for analysis and response.

IAM policies control access permissions but do not detect unusual behavior or generate alerts. They are preventive but lack monitoring and alerting capabilities.

Security groups control network traffic and cannot monitor API activity or detect anomalous behavior. They are irrelevant for identity or usage monitoring.

Amazon GuardDuty with Security Hub is correct because it provides continuous detection of suspicious activity, centralized visibility, alerting, and the ability to automate responses. This combination strengthens security posture, reduces detection time, and enables effective incident response across multiple AWS accounts.

Question 70

A company wants to automatically rotate IAM access keys and ensure notifications are sent before expiration. Which AWS service combination provides this functionality?

A) AWS IAM with CloudWatch Events and Lambda

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) AWS IAM with CloudWatch Events and Lambda

Explanation:

IAM allows the creation and management of access keys for users. CloudWatch Events (EventBridge) can monitor IAM metadata, such as the age of access keys, and trigger a Lambda function when keys are nearing expiration. The Lambda function can automatically notify administrators or rotate keys programmatically. This ensures continuous credential hygiene, reduces the risk of compromised or stale keys, and maintains operational efficiency. Automated rotation and notifications align with security best practices, ensuring keys are regularly updated without human error.

Security groups control network traffic and do not manage IAM access keys or provide rotation notifications. They cannot enforce credential lifecycle management.

CloudTrail logs API activity for access keys, but cannot automate rotation or notifications. It provides audit visibility but requires manual intervention for remediation.

S3 bucket policies manage access to S3 objects and cannot monitor or rotate IAM keys. They are irrelevant for credential management.

AWS IAM with CloudWatch Events and Lambda is correct because it provides automated monitoring, proactive notifications, and key rotation. This approach enforces security best practices, reduces operational risk, ensures compliance with credential policies, and maintains a secure environment for sensitive workloads.

Question 71

A company wants to ensure that all Lambda functions are executed only from specific VPCs to prevent access from the public internet. Which configuration achieves this requirement?

A) Configure Lambda functions to use VPC subnets with security groups

B) Use IAM policies only

C) Enable CloudTrail logging only

D) Store Lambda code in S3

Answer: A) Configure Lambda functions to use VPC subnets with security groups

Explanation:

Configuring Lambda functions to run within specific VPC subnets ensures that the functions are isolated from the public internet and can only access resources defined within the VPC. Security groups associated with the Lambda ENIs control inbound and outbound traffic, allowing connections only from authorized servers or services. This prevents unauthorized external access and enforces network-level controls for sensitive workloads. By integrating Lambda with private subnets, all data and operations remain within the organization’s controlled environment, enhancing security for applications that handle sensitive information.

IAM policies alone manage permissions for who can invoke or manage Lambda functions, but they do not control network traffic or prevent execution from public endpoints. Without VPC restrictions, a Lambda function could still access resources over the internet if the code is misconfigured.

CloudTrail logging provides visibility into Lambda invocations, but cannot enforce network isolation. Logging is reactive and cannot prevent unauthorized network access.

Storing Lambda code in S3 ensures that code is available for deployment, but it does not affect network access or execution restrictions. S3 cannot prevent a Lambda function from running outside the desired VPC.

Configuring Lambda functions with VPC subnets and security groups is correct because it provides network-level isolation, prevents exposure to the public internet, allows granular control over inbound and outbound connections, and aligns with security best practices for running sensitive workloads.

Question 72

A company wants to ensure that all S3 buckets enforce encryption for objects uploaded via API, console, or SDK. Which solution provides consistent enforcement?

A) Apply a bucket policy requiring server-side encryption (SSE)

B) Enable S3 versioning

C) Use security groups

D) IAM policies only

Answer: A) Apply a bucket policy requiring server-side encryption (SSE)

Explanation:

Applying a bucket policy that enforces server-side encryption ensures that all objects uploaded to an S3 bucket are encrypted at rest using SSE-S3, SSE-KMS, or SSE-C. The policy denies any PUT or POST request that does not include the required encryption header. This guarantees consistent enforcement across all access methods, including the console, API, and SDK. By integrating SSE with AWS KMS, administrators can manage keys, control access, and audit usage, providing a secure and compliant data storage environment. Bucket policies provide centralized enforcement, preventing misconfigurations and ensuring that sensitive data remains encrypted.

Enabling S3 versioning allows recovery of previous object versions but does not enforce encryption. Versioning is focused on data durability and object restoration, not security.

Security groups control network traffic to resources, but cannot enforce encryption at the application or storage layer. They are irrelevant to S3 object encryption.

IAM policies can control who can upload objects or manage buckets, but do not enforce encryption automatically. Users with sufficient permissions could bypass encryption requirements unless a bucket policy is applied.

Applying a bucket policy requiring SSE is correct because it ensures encryption is mandatory for all object uploads, provides centralized enforcement, integrates with KMS for access control, and aligns with security and compliance best practices for data protection.
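The explanation says the bucket policy "denies any PUT or POST request that does not include the required encryption header" without showing the two statements that do it. The block below is an added example, not from the exam page or from AWS: it holds the classic pair of Deny statements (a `Null` condition that rejects uploads with no `x-amz-server-side-encryption` header, and a `StringNotEquals` condition that rejects any algorithm other than `aws:kms`) and a small checker, written for this example, that applies each statement to a set of constructed request headers. The bucket name is a placeholder. Two caveats a practitioner would want: since January 2023 S3 encrypts every new object with SSE-S3 by default, so the `Null` statement now serves to force callers to state SSE-KMS explicitly rather than to prevent plaintext storage; and if the organization needs uploads pinned to one customer-managed key, a further statement on the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key does that.

```python
"""Added example: an S3 bucket policy requiring SSE-KMS on every PutObject,
with a simplified checker for its two conditions (not AWS code)."""

BUCKET = "example-bucket"  # placeholder name

REQUIRE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Null = "true": the condition matches when the header is absent.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            # Header present but naming SSE-S3 (AES256) or anything else.
            "Sid": "DenyNonKmsEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def _request_context(headers):
    """Map the HTTP headers of an upload to the S3 condition keys they set.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctx = {}
    if "x-amz-server-side-encryption" in lowered:
        ctx["s3:x-amz-server-side-encryption"] = lowered["x-amz-server-side-encryption"]
    return ctx


def _statement_matches(stmt, ctx):
    """Evaluate the Null and StringNotEquals conditions used in the policy."""
    for operator, pairs in stmt["Condition"].items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "true" requires the key to be absent, "false" requires presence.
                if (key not in ctx) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                # Only the present-key case is modelled here; absence of the
                # header is handled by the Null statement above.
                if key not in ctx or ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def upload_denied(headers):
    """Return the Sid of the Deny statement that rejects a PutObject carrying
    these headers, or None when the upload passes the policy."""
    ctx = _request_context(headers)
    for stmt in REQUIRE_SSE_KMS_POLICY["Statement"]:
        if stmt["Action"] == "s3:PutObject" and _statement_matches(stmt, ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed header sets: no header, SSE-S3, SSE-KMS.
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", upload_denied(hdrs))
```

The same `Null` plus `StringNotEquals` pairing is what the console, CLI and SDK all hit, because every upload path ends in the same PutObject request, which is why a bucket policy gives the consistent enforcement the question asks for.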

Question 73

A company wants to detect and respond to unusual activity in IAM roles, such as privilege escalation attempts. Which AWS service combination is best suited for this?

A) Amazon GuardDuty with Security Hub

B) IAM policies only

C) CloudTrail logging only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty continuously monitors AWS accounts for suspicious or anomalous activity, including unusual IAM behavior like privilege escalation, unauthorized API calls, or usage from unexpected locations. GuardDuty uses machine learning and threat intelligence to identify potential threats and generate actionable findings with severity and context. These findings can be integrated into AWS Security Hub, which aggregates alerts across multiple accounts, provides centralized visibility, and allows automated remediation workflows using CloudWatch Events and Lambda. Together, GuardDuty and Security Hub enable proactive detection, centralized monitoring, and rapid response to threats affecting IAM roles.

IAM policies alone define what users and roles can do, but they do not monitor activity or detect anomalous behavior. Policies are preventive but lack monitoring and alerting capabilities.

CloudTrail logs all API activity, including IAM operations. While useful for auditing, CloudTrail alone does not analyze patterns, detect anomalies, or provide actionable alerts. Analysis requires additional processing and is reactive.

Security groups manage network traffic and cannot detect or respond to IAM role misuse or anomalous activity. They are irrelevant for identity-focused monitoring.

Amazon GuardDuty with Security Hub is correct because it provides continuous, automated threat detection, centralized findings, alerting, and the ability to implement remediation workflows. This combination enhances security posture, reduces detection time, and ensures proactive monitoring of IAM role activity.

Question 74

A company wants to ensure that all RDS instances are encrypted at rest and that backups inherit the same encryption. Which configuration satisfies this requirement?

A) Enable RDS encryption at the instance level

B) Use IAM policies only

C) Enable security groups

D) CloudTrail logging only

Answer: A) Enable RDS encryption at the instance level

Explanation:

Enabling encryption at the RDS instance level ensures that all data stored in the database is encrypted at rest using AWS KMS. All automated and manual backups, snapshots, and read replicas inherit this encryption automatically. Using a customer-managed KMS key allows fine-grained access control, centralized audit logging, and optional key rotation. This approach guarantees that sensitive data is protected consistently, reducing the risk of exposure and meeting compliance requirements. Encrypting the instance at creation ensures that encryption is applied to the primary storage and all derived copies of the data.

Using IAM policies alone controls who can manage or access the RDS instance, but it does not enforce encryption. Users could still create unencrypted instances if IAM is the only control applied.

Security groups control network access to RDS instances, but do not provide encryption at rest. They are focused on traffic management rather than data protection.

CloudTrail logging records all API actions related to RDS, which is useful for auditing but does not enforce encryption. It provides visibility but no preventive controls.

Enabling RDS encryption at the instance level is correct because it guarantees encryption at rest for the database and all associated backups, integrates with KMS for key management, ensures compliance, and aligns with best practices for securing sensitive relational data.

Question 75

A company wants to ensure that access keys for IAM users are rotated automatically and that administrators receive notifications before expiration. Which combination of AWS services accomplishes this?

A) AWS IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) AWS IAM with CloudWatch Events and Lambda automation

Explanation:

IAM allows creation and management of user access keys. CloudWatch Events (EventBridge) can monitor access key metadata, such as age or last use, and trigger Lambda functions when a key approaches expiration. Lambda automation can rotate keys programmatically, update dependent applications, and send notifications to administrators. This ensures credential hygiene, reduces the risk of compromised keys, maintains compliance with organizational policies, and minimizes manual operational effort. By automating both monitoring and rotation, companies enforce a consistent key management lifecycle.

Security groups control network traffic but do not manage IAM credentials or rotation. They cannot enforce key lifecycle policies.

CloudTrail logs API calls related to access keys, but does not automatically rotate keys or send notifications. It is reactive and requires manual intervention for remediation.

S3 bucket policies govern access to S3 objects but are unrelated to IAM user access key rotation or notification.

AWS IAM with CloudWatch Events and Lambda automation is correct because it provides automated detection, rotation, and alerting for access keys, ensures secure credential management, reduces operational risk, and aligns with best practices for identity and access management.
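An added example (not from the original page) of the Lambda logic such a scheduled EventBridge rule would invoke: it classifies each access key by age, flags keys nearing the rotation deadline so administrators are warned before expiry, and lists keys that must be rotated. The 90-day limit, 14-day warning window and the key records are constructed values standing in for the IAM API and SNS calls a real deployment would make.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy values: rotate after 90 days, warn 14 days before that.
MAX_KEY_AGE_DAYS = 90
WARN_BEFORE_DAYS = 14

# Constructed sample of what iam.list_access_keys() returns per user; a real
# handler would page through the IAM API instead of using this list.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY0001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=20)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEKEY0002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=80)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLEKEY0003",
     "Status": "Active", "CreateDate": NOW - timedelta(days=95)},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLEKEY0004",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=200)},
]


def classify_key(key, now=NOW):
    """Return 'ok', 'warn' or 'rotate' for one key based on its age."""
    if key["Status"] != "Active":
        return "ok"  # inactive keys are already retired
    age_days = (now - key["CreateDate"]).days
    if age_days >= MAX_KEY_AGE_DAYS:
        return "rotate"
    if age_days >= MAX_KEY_AGE_DAYS - WARN_BEFORE_DAYS:
        return "warn"
    return "ok"


def handler(event, context, keys=SAMPLE_KEYS, now=NOW):
    """Lambda-style entry point invoked by a scheduled EventBridge rule.

    Groups keys by required action and builds the administrator notice. In
    production the 'rotate' branch would create a new key, update its consumer
    and deactivate the old one, and the notice would go to SNS; here it is
    returned so the logic can be checked offline.
    """
    actions = {"warn": [], "rotate": []}
    for key in keys:
        verdict = classify_key(key, now)
        if verdict != "ok":
            actions[verdict].append((key["UserName"], key["AccessKeyId"]))
    lines = [f"ROTATE NOW: {u} {k}" for u, k in actions["rotate"]]
    lines += [f"expires within {WARN_BEFORE_DAYS} days: {u} {k}"
              for u, k in actions["warn"]]
    return {"warn": actions["warn"], "rotate": actions["rotate"],
            "message": "\n".join(lines)}
```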

Question 76

A company wants to prevent accidental or unauthorized deletion of EBS snapshots. Which AWS feature provides this protection while allowing normal use of the snapshot?

A) Enable EBS snapshot delete protection

B) Use IAM policies to deny all deletion actions

C) Enable EBS volume encryption

D) Store snapshots in S3 with Object Lock

Answer: A) Enable EBS snapshot delete protection

Explanation:

EBS snapshot delete protection prevents accidental or unauthorized deletion of snapshots while still allowing legitimate operations such as creating or restoring snapshots. When enabled, the snapshot cannot be deleted until the protection is manually disabled. This ensures that critical backup data is preserved, which is essential for disaster recovery, compliance, and operational continuity. The feature provides a balance between security and operational flexibility, allowing administrators to perform standard tasks without risking the removal of important snapshots.

Using IAM policies to deny all deletion actions is overly restrictive. While it prevents deletion, it can impede legitimate administrative tasks such as lifecycle management or removing outdated snapshots. It lacks the fine-grained control provided by delete protection.

Enabling EBS volume encryption protects data at rest but does not prevent snapshot deletion. Encryption focuses on confidentiality rather than preventing operational errors or malicious deletions.

Storing snapshots in S3 with Object Lock is not applicable. EBS snapshots are managed within the EC2 service and cannot be directly placed under S3 Object Lock. Object Lock applies to S3 objects only and does not provide snapshot-level protection.

Enabling EBS snapshot delete protection is correct because it preserves critical backups, reduces the risk of data loss due to human error or malicious actions, maintains operational flexibility, and aligns with best practices for data protection and disaster recovery.

Question 77

A company wants to ensure that all API calls to S3 buckets are encrypted in transit. Which configuration enforces this requirement?

A) Require SSL connections in S3 bucket policies

B) Enable S3 versioning only

C) Use IAM policies without encryption

D) Enable public access

Answer: A) Require SSL connections in S3 bucket policies

Explanation:

Requiring SSL connections in S3 bucket policies enforces encryption in transit by denying requests over unencrypted HTTP. This ensures that all data sent to and from S3 is encrypted using HTTPS, preventing interception, eavesdropping, or man-in-the-middle attacks. This control is critical for securing sensitive data during transmission and maintaining compliance with data protection standards. Bucket policies provide centralized enforcement, making it impossible for users to bypass encryption regardless of the access method, whether API, SDK, or console.

Enabling S3 versioning provides object recovery and auditing of changes, but does not enforce encryption in transit. Versioning focuses on durability, not the security of network communication.

IAM policies control permissions to access S3 objects, but do not enforce transport-layer encryption. Users could still send requests via HTTP unless bucket-level restrictions are applied.

Enabling public access opens buckets to the internet and does not provide encryption enforcement. Public access increases exposure risk and violates security best practices.

Requiring SSL connections in bucket policies is correct because it guarantees encryption in transit, centralizes enforcement, protects sensitive data from network-based threats, and ensures compliance with regulatory requirements.
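An added example (not from the original page) showing the bucket policy that implements this control, with the `aws:SecureTransport` condition in an explicit Deny, plus a small checker that evaluates just that statement so the effect on HTTP versus HTTPS requests can be seen offline. The bucket name is a constructed placeholder.

```python
import json

BUCKET = "example-sensitive-data-bucket"  # constructed placeholder name

# Explicit Deny on every S3 action, for the bucket and all objects in it,
# whenever the request did not arrive over TLS. An explicit Deny wins over
# any Allow, so IAM grants cannot bypass it.
DENY_INSECURE_TRANSPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def policy_json():
    """The document exactly as it would be passed to put-bucket-policy."""
    return json.dumps(DENY_INSECURE_TRANSPORT_POLICY, indent=2)


def denied_by_transport_policy(policy, resource_arn, secure_transport):
    """Return True if a Deny statement in `policy` blocks this request.

    Deliberately minimal evaluator: it understands only Deny statements with
    a Bool condition on aws:SecureTransport and the two resource forms used
    above, which is enough to show what the policy does. `secure_transport`
    is the value AWS sets in the request context (True for HTTPS).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if "aws:SecureTransport" not in cond:
            continue
        # The condition matches when the request's flag equals the stated value.
        if secure_transport != (cond["aws:SecureTransport"] == "true"):
            continue
        for res in stmt["Resource"]:
            if res.endswith("/*") and resource_arn.startswith(res[:-1]):
                return True  # an object inside the bucket
            if resource_arn == res:
                return True  # the bucket itself
    return False
```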

Question 78

A company wants to monitor all configuration changes to EC2 instances, including security group modifications and instance launches. Which AWS service provides continuous monitoring and auditing for these changes?

A) AWS Config

B) CloudTrail only

C) IAM policies

D) Security groups

Answer: A) AWS Config

Explanation:

AWS Config continuously monitors and records resource configurations, including EC2 instances, security groups, and related network or storage components. Config provides a historical timeline of changes and enables compliance auditing by evaluating resource configurations against predefined or custom rules. Administrators can receive notifications when resources drift from desired configurations, detect unauthorized changes, and trigger automated remediation using Systems Manager Automation. This proactive monitoring ensures that EC2 instances remain compliant with security policies and provides full visibility for audits and forensic analysis.

CloudTrail logs API calls, such as RunInstances or ModifySecurityGroups, providing a record of actions, but does not track configuration drift over time. CloudTrail is reactive and requires external tools to analyze configuration trends.

IAM policies define permissions for who can modify EC2 instances, but do not provide monitoring or historical records of configuration changes. They enforce control but lack visibility and auditing capabilities.

Security groups regulate network access to EC2 instances but do not monitor instance configurations. They provide runtime protection but cannot track changes or record configuration history.

AWS Config is correct because it provides continuous monitoring, historical records, compliance evaluation, and automated remediation for EC2 configurations. This ensures operational security, governance, and audit readiness across the organization.

Question 79

A company wants to detect anomalous API activity, such as unusual IAM calls or data exfiltration attempts, across multiple AWS accounts. Which AWS service combination is suitable?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty provides continuous threat detection by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs. It identifies unusual API calls, privilege escalation attempts, and anomalous access patterns. GuardDuty findings include severity, context, and recommended remediation. Security Hub aggregates findings from multiple accounts, offering a centralized dashboard and enabling cross-account threat visibility. Integration with CloudWatch Events or Lambda allows automated responses, such as revoking compromised credentials or alerting administrators. This combination provides real-time threat detection, centralized monitoring, and actionable remediation workflows, enhancing the company’s security posture and reducing incident response time.

CloudTrail logs all API calls, which is valuable for auditing, but does not detect anomalies or generate actionable alerts. It is reactive and requires additional tooling for analysis.

IAM policies control who can perform actions, but cannot detect unusual API behavior or generate findings. They are preventive but lack monitoring and detection capabilities.

Security groups manage network traffic and cannot monitor API activity or detect anomalies. They operate at the network layer, not the identity or API layer.

Amazon GuardDuty with Security Hub is correct because it combines automated anomaly detection, centralized alerting, and remediation capabilities. This ensures proactive detection of threats across multiple accounts and improves the organization’s overall security and compliance posture.

Question 80

A company wants to enforce that all Lambda functions accessing sensitive data must have encrypted environment variables. Which configuration meets this requirement?

A) Use AWS KMS for Lambda environment variable encryption and IAM roles for access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) Use AWS KMS for Lambda environment variable encryption and IAM roles for access

Explanation:

AWS KMS can encrypt Lambda environment variables, ensuring that sensitive data such as API keys, database credentials, or tokens are protected at rest. Only authorized Lambda functions with the correct IAM role permissions can decrypt these values at runtime. Resource-based policies or IAM permissions further restrict which principals can invoke the Lambda function, ensuring only authorized entities can access sensitive operations. This approach reduces the risk of exposure, maintains compliance, and aligns with security best practices for serverless workloads. KMS provides centralized key management, auditability, and optional key rotation.

Storing secrets in plaintext environment variables exposes sensitive information to anyone with access to Lambda configuration, creating a significant security risk.

Using S3 buckets alone requires additional management for encryption and access control, lacks seamless integration with the Lambda runtime, and increases complexity and risk of misconfiguration.

Security groups control network access but do not protect environment variables or prevent unauthorized Lambda invocation. They cannot enforce encryption or access restrictions at the application level.

Using AWS KMS for Lambda environment variable encryption with IAM roles is correct because it provides strong encryption, controlled access, auditability, and integration with AWS best practices. This ensures that sensitive secrets are securely managed, reducing operational risk and enhancing compliance.
