Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 6 Q101-120
Question 101
A company wants to ensure that all Lambda functions accessing sensitive data have execution logs centralized for auditing and troubleshooting. Which AWS service should be used?
A) Amazon CloudWatch Logs
B) S3 bucket policies
C) Security groups
D) IAM policies only
Answer: A) Amazon CloudWatch Logs
Explanation:
Amazon CloudWatch Logs allows centralized collection, monitoring, and analysis of log data from AWS services including Lambda. When a Lambda function executes, all logs, including function outputs, error messages, and execution context, can be streamed automatically to CloudWatch Logs. Administrators can set up metric filters to detect errors, trigger alarms, or automate remediation using CloudWatch Events and Lambda. This centralized approach ensures that logs are easily accessible for auditing, troubleshooting, compliance, and operational monitoring. Logs can also be retained according to retention policies and exported to S3 or third-party systems for long-term storage or analysis.
S3 bucket policies control access to S3 objects but do not provide log collection, monitoring, or alerting capabilities. They are storage access controls, not a logging solution.
Security groups manage network access to resources but do not collect or store execution logs. They operate at the network layer and cannot provide auditing of Lambda activity.
IAM policies control permissions for who can execute or manage Lambda functions but do not collect logs. They are preventive controls without logging or monitoring functionality.
Using Amazon CloudWatch Logs is correct because it enables centralized log collection, monitoring, alerting, retention, and integration with other AWS services for automated responses. This provides comprehensive visibility into Lambda execution, which is essential for secure and compliant management of sensitive workloads.
Question 102
A company wants to enforce encryption for all data stored in DynamoDB tables and control which users can decrypt the data. Which configuration meets this requirement?
A) Enable DynamoDB encryption at rest using AWS KMS and IAM key policies
B) Use IAM policies only
C) Enable VPC endpoints only
D) Use CloudTrail logging only
Answer: A) Enable DynamoDB encryption at rest using AWS KMS and IAM key policies
Explanation:
DynamoDB supports encryption at rest using AWS KMS keys. By enabling encryption with a customer-managed KMS key, the company ensures that all data stored in the table is encrypted automatically. IAM key policies can specify which users, roles, or services can access or decrypt the KMS key, providing fine-grained access control. This approach secures sensitive data at rest, ensures compliance with regulatory requirements, and allows centralized audit and key management. By controlling KMS key access, administrators can enforce least-privilege access, track usage through CloudTrail logs, and rotate keys periodically to maintain security hygiene.
IAM policies alone can restrict access to DynamoDB tables but cannot enforce encryption at rest. Users could still read or write unencrypted data if KMS is not enabled.
Enabling VPC endpoints controls network access to DynamoDB, improving security by keeping traffic within the AWS network, but it does not encrypt data at rest or control key access.
CloudTrail logging provides a record of API calls for auditing purposes but does not enforce encryption or control decryption permissions. Logging is reactive, not preventive.
Enabling DynamoDB encryption with KMS and applying IAM key policies is correct because it ensures encryption at rest, centralized key management, controlled access to decryption, auditing, and compliance with security best practices.
Question 103
A company wants to detect unauthorized changes to S3 bucket configurations, such as public access or encryption modifications. Which AWS service provides continuous monitoring for these changes?
A) AWS Config
B) CloudTrail only
C) IAM policies only
D) Security groups only
Answer: A) AWS Config
Explanation:
AWS Config continuously monitors and records the configuration of AWS resources, including S3 buckets. It can detect changes to public access settings, bucket policies, encryption configurations, and versioning. Administrators can define Config rules to evaluate compliance, such as ensuring encryption is always enabled or public access is blocked. When violations occur, Config can trigger automated remediation using Systems Manager Automation. This provides visibility, audit trails, and operational controls for enforcing security and compliance requirements. Config also maintains a historical timeline of resource configurations, which is useful for forensic investigations and auditing.
CloudTrail logs API calls for S3 bucket modifications, which provides visibility into who made changes, but it does not continuously evaluate compliance or enforce remediation. It is reactive rather than preventive.
IAM policies control who can modify buckets but cannot detect changes after they occur. They enforce permissions but do not monitor or remediate non-compliant configurations.
Security groups manage network access to resources and do not provide monitoring or configuration auditing for S3 buckets.
AWS Config is correct because it provides continuous monitoring, compliance evaluation, automated remediation, and historical tracking of S3 bucket configurations. This ensures security policies are enforced and deviations are detected proactively.
Question 104
A company wants to enforce that all API requests to S3 buckets are encrypted in transit using HTTPS. Which configuration satisfies this requirement?
A) Require SSL connections in S3 bucket policies
B) Enable S3 versioning only
C) Use IAM policies without encryption
D) Enable public access
Answer: A) Require SSL connections in S3 bucket policies
Explanation:
Requiring SSL connections in S3 bucket policies enforces encryption in transit by denying requests over HTTP. This ensures that all data uploaded to or retrieved from S3 is transmitted securely via HTTPS, protecting against eavesdropping, man-in-the-middle attacks, and data interception. Bucket policies provide centralized enforcement that applies to all access methods, including SDK, console, and API calls. By combining this with IAM policies and optionally KMS encryption, the organization ensures both secure transport and access control for sensitive data. This configuration is essential for regulatory compliance and secure operational practices.
Enabling S3 versioning allows recovery of previous object versions but does not enforce encryption during transit. Versioning addresses durability, not security of data transmission.
IAM policies without encryption control who can access objects but do not ensure secure transport. Users could still make unencrypted requests, exposing sensitive information.
Enabling public access allows unrestricted access to buckets, increasing exposure and potentially allowing insecure HTTP requests.
Requiring SSL connections in bucket policies is correct because it guarantees encryption in transit, enforces centralized security controls, protects sensitive data, and aligns with best practices for secure AWS operations.
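The bucket policy described above, written out, together with an offline audit check that a given policy actually closes the plain-HTTP path. This is an added example, not part of the exam page; the bucket name is a constructed placeholder, and aws:SecureTransport is the standard global condition key that is "false" for non-TLS requests.

```python
"""Added example (not from the exam page): the S3 bucket policy that denies
any request made without TLS, and an offline audit check that a given bucket
policy really contains such a statement.

Assumptions: "example-sensitive-bucket" is a constructed placeholder name;
aws:SecureTransport is the standard global condition key that is "false"
for plain-HTTP requests.
"""
import json


def build_tls_only_policy(bucket: str) -> dict:
    """Bucket policy with one Deny statement for non-TLS requests.

    It covers the bucket ARN and every object ARN, applies to every
    principal, and matches when aws:SecureTransport is false.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_bucket_and_objects(resources, bucket: str) -> bool:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    have = set(_as_list(resources))
    return {bucket_arn, f"{bucket_arn}/*"} <= have or "*" in have


def denies_insecure_transport(policy: dict, bucket: str) -> bool:
    """Does the policy deny all principals non-TLS access to the bucket
    and its objects?

    A statement counts only if it is an explicit Deny for every principal,
    covers s3:* (or *), names both the bucket and object ARNs, and tests
    aws:SecureTransport == "false". A narrower statement (only s3:GetObject,
    or only the object ARN) leaves a gap and is reported as non-compliant.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        if not _covers_bucket_and_objects(stmt.get("Resource", []), bucket):
            continue
        value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if isinstance(value, list) and len(value) == 1:
            value = value[0]
        if str(value).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    name = "example-sensitive-bucket"
    policy = build_tls_only_policy(name)
    print(json.dumps(policy, indent=2))
    print("denies non-TLS access:", denies_insecure_transport(policy, name))
```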
Question 105
A company wants to enforce MFA for all IAM users performing sensitive operations and receive alerts for any non-compliant attempts. Which AWS configuration satisfies this requirement?
A) IAM policies with MFA condition keys and CloudWatch Events alerts
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts
Explanation:
IAM policies can enforce MFA by using condition keys such as aws:MultiFactorAuthPresent for sensitive operations. This ensures users must provide an MFA token when performing actions like modifying resources or accessing confidential data. CloudWatch Events can monitor failed attempts or API calls without MFA and trigger alerts to administrators. This combination provides proactive enforcement of MFA, real-time detection of non-compliance, and centralized visibility for security teams. It reduces the risk of credential compromise, ensures regulatory compliance, and supports operational security best practices.
Security groups control network traffic but do not enforce authentication requirements or monitor MFA usage. They are irrelevant to identity-level security enforcement.
CloudTrail logs API activity, including MFA usage, but it is reactive. Without CloudWatch Events or automated alerts, administrators would need to manually review logs to detect non-compliance.
S3 bucket policies can require MFA for specific S3 operations but cannot enforce MFA across all AWS services or provide centralized alerts.
IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they provide enforcement, monitoring, and alerting for sensitive operations. This ensures users comply with MFA requirements, reduces security risk, and supports proactive operational security management.
Question 106
A company wants to automatically disable IAM users who have not logged in for 90 days to reduce the risk of orphaned accounts. Which AWS service combination accomplishes this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM maintains metadata for each user, including the last login timestamp. CloudWatch Events (EventBridge) can monitor this metadata and trigger Lambda functions for users who have not logged in for 90 days. Lambda can automatically disable inactive accounts, reducing the risk of orphaned credentials being misused. This solution enables automated identity lifecycle management, reduces operational overhead, and ensures compliance with organizational security policies. Automation ensures timely enforcement of security controls without manual intervention, mitigating the potential for unauthorized access through stale accounts.
Security groups control network access and cannot monitor user activity or disable IAM accounts. They operate at the network layer and do not provide identity management capabilities.
CloudTrail logs user activity, including logins, but does not automatically disable accounts. This method is reactive and requires manual review to enforce inactivity policies.
S3 bucket policies manage access to S3 objects but do not influence IAM user account status. They cannot disable unused users.
IAM with CloudWatch Events and Lambda automation is correct because it provides proactive detection, automated remediation, centralized enforcement, and reduces the security risk of inactive IAM users while ensuring compliance and operational efficiency.
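The decision logic behind the automation in Question 106, as an added example that is not part of the exam page: the code a Lambda function invoked on a schedule by an EventBridge (CloudWatch Events) rule could run to find users idle for 90 days and remove their console sign-in. It assumes a FakeIAM stand-in for boto3.client("iam") so it runs offline; list_users (with Marker/IsTruncated pagination) and delete_login_profile are the real IAM calls it mimics, and all user names and timestamps are constructed.

```python
"""Added example (not from the exam page): the decision logic a Lambda
function, invoked on a schedule by an EventBridge (CloudWatch Events) rule,
could use to find IAM users idle for 90 days and disable their console sign-in.

Assumptions: FakeIAM stands in for boto3.client("iam") so the code runs
offline; list_users (with Marker/IsTruncated pagination) and
delete_login_profile are the real IAM API calls it mimics. All user names
and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90


def is_stale(user: dict, now: datetime, days: int = INACTIVE_DAYS) -> bool:
    """True when the user has not signed in for `days` days.

    IAM omits PasswordLastUsed for users who have never signed in, so fall
    back to CreateDate: a user created last week is not idle, but one created
    200 days ago and never used is.
    """
    last_activity = user.get("PasswordLastUsed") or user["CreateDate"]
    return now - last_activity >= timedelta(days=days)


def find_stale_users(users, now, days=INACTIVE_DAYS):
    return [u["UserName"] for u in users if is_stale(u, now, days)]


def disable_stale_users(iam, now=None, days=INACTIVE_DAYS, dry_run=True):
    """Delete the console login profile of every stale user.

    Returns the names acted on (or that would be, when dry_run is True).
    Pagination is handled because list_users returns at most 100 users per
    call. Access keys are not touched here; deactivating them with
    UpdateAccessKey would be the companion step in production.
    """
    now = now or datetime.now(timezone.utc)
    acted, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        for name in find_stale_users(page["Users"], now, days):
            if not dry_run:
                try:
                    iam.delete_login_profile(UserName=name)
                except iam.exceptions.NoSuchEntityException:
                    pass  # no console password set, nothing to disable
            acted.append(name)
        if not page.get("IsTruncated"):
            return acted
        kwargs = {"Marker": page["Marker"]}


class FakeIAM:
    """Minimal offline stand-in for the boto3 IAM client."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users, no_login_profile=(), page_size=2):
        self._users, self._page = list(users), page_size
        self._no_profile = set(no_login_profile)
        self.deleted_profiles = []

    def list_users(self, Marker="0", **_):
        start = int(Marker)
        out = {"Users": self._users[start:start + self._page]}
        if start + self._page < len(self._users):
            out.update(IsTruncated=True, Marker=str(start + self._page))
        return out

    def delete_login_profile(self, UserName):
        if UserName in self._no_profile:
            raise self.exceptions.NoSuchEntityException()
        self.deleted_profiles.append(UserName)


# Constructed sample data; NOW is fixed so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=3)},          # active
    {"UserName": "bob", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=120)},        # idle
    {"UserName": "carol-new", "CreateDate": NOW - timedelta(days=5)},         # never used, new
    {"UserName": "svc-automation", "CreateDate": NOW - timedelta(days=200)},  # never used, old
    {"UserName": "eve", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=90)},         # exactly at threshold
]

if __name__ == "__main__":
    client = FakeIAM(SAMPLE_USERS, no_login_profile={"svc-automation"})
    print("would disable:", disable_stale_users(client, NOW))
    print("disabled:", disable_stale_users(client, NOW, dry_run=False))
    print("login profiles deleted:", client.deleted_profiles)
```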
Question 107
A company wants to enforce that all EC2 instances launched in production use encrypted EBS volumes. Which configuration ensures this requirement?
A) Enable EBS encryption by default and specify a KMS key
B) Use IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable EBS encryption by default and specify a KMS key
Explanation:
Enabling EBS encryption by default guarantees that every newly created volume is encrypted without manual intervention. By specifying a customer-managed KMS key, the company can control access, rotation, and auditing of encryption keys. All snapshots and derived volumes automatically inherit encryption. This configuration ensures that sensitive production data is protected at rest and meets compliance requirements. It reduces the risk of human error, ensures consistent security enforcement, and integrates with monitoring services for auditing key usage and access.
Using IAM policies alone controls who can create EC2 instances but does not enforce encryption. Users could still create unencrypted volumes if defaults are not enforced.
Security groups control network access but do not encrypt EBS volumes or enforce encryption policies. They are network-layer controls unrelated to storage security.
CloudTrail logging tracks volume creation events but cannot prevent unencrypted volumes from being launched. It provides visibility but does not enforce security.
Enabling EBS encryption by default with a customer-managed KMS key is correct because it enforces encryption consistently, integrates with key management, provides auditing capabilities, and ensures compliance with organizational security requirements.
Question 108
A company wants to monitor all changes to IAM policies and roles to detect unauthorized modifications. Which AWS service provides continuous monitoring and auditing?
A) AWS Config
B) CloudTrail only
C) Security groups only
D) S3 bucket policies
Answer: A) AWS Config
Explanation:
AWS Config continuously records configuration changes for AWS resources, including IAM roles, policies, and user permissions. It tracks modifications, deletions, and additions, providing a historical timeline and enabling compliance assessments. Config rules can evaluate IAM configurations against organizational standards, such as enforcing least-privilege access or detecting over-permissive policies. When violations occur, automated remediation using Systems Manager Automation can restore compliant settings. Continuous monitoring ensures that unauthorized modifications are detected promptly and allows administrators to take corrective actions before security breaches occur.
CloudTrail logs API calls related to IAM, providing visibility into changes and who performed them. However, CloudTrail is reactive and does not evaluate compliance or automatically detect non-conformant configurations.
Security groups control network traffic but cannot monitor IAM configurations. They are irrelevant for detecting unauthorized IAM changes.
S3 bucket policies govern access to S3 objects and do not provide monitoring or auditing for IAM roles or policies.
AWS Config is correct because it provides continuous monitoring, historical tracking, compliance evaluation, automated remediation, and visibility into unauthorized IAM changes, ensuring proactive governance and operational security.
Question 109
A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple AWS accounts. Which AWS service combination is appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect anomalous API activity. It uses machine learning, threat intelligence, and anomaly detection to identify suspicious activity such as unusual IAM or EC2 calls, privilege escalation attempts, or unauthorized access. Security Hub aggregates findings from multiple accounts into a centralized dashboard, enabling administrators to monitor security alerts and prioritize remediation. GuardDuty findings include context, affected resources, and recommended actions, which can be automated via CloudWatch Events or Lambda to reduce incident response times. This combination provides real-time threat detection, centralized visibility, and proactive remediation across multiple accounts.
CloudTrail logging provides a record of API activity but does not analyze data or generate actionable alerts. It is reactive and requires additional tooling to detect anomalies.
IAM policies define permissions but cannot detect anomalous activity. They are preventive controls without monitoring capability.
Security groups manage network traffic and cannot monitor API activity or detect anomalous calls. They operate at the network layer, not the identity or API layer.
Amazon GuardDuty with Security Hub is correct because it delivers automated anomaly detection, centralized alerting, actionable insights, and integration with response workflows, improving the security posture across accounts.
Question 110
A company wants to enforce that all Lambda functions accessing secrets never hardcode credentials and retrieve them securely. Which solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive information such as API keys, tokens, or database credentials. Lambda functions can retrieve secrets at runtime using IAM roles, ensuring credentials are not hardcoded in function code. Secrets Manager supports automatic rotation, fine-grained access control via IAM policies, and audit logging through CloudTrail. This reduces the risk of credential exposure, enforces least-privilege access, and aligns with compliance requirements. By controlling which Lambda functions can access specific secrets, administrators maintain a secure and auditable system for managing sensitive data in serverless applications.
Storing secrets in plaintext environment variables exposes them to anyone with Lambda configuration access, significantly increasing the risk of leaks or misuse.
Using S3 buckets alone requires additional encryption and access management, lacks seamless runtime integration, and increases complexity and potential misconfigurations.
Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding. They operate at the network layer, not the application or identity layer.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, auditability, automated rotation, and integration with Lambda. This ensures secure secret management, reduces operational risk, and aligns with security best practices.
Question 111
A company wants to ensure that all S3 buckets across multiple accounts are configured with default encryption and prevent public access. Which AWS configuration achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
AWS Organizations allows centralized governance across multiple AWS accounts through Service Control Policies (SCPs). SCPs can prevent the creation of S3 buckets that do not meet encryption or public access requirements. AWS Config continuously monitors bucket configurations and evaluates managed rules such as s3-bucket-server-side-encryption-enabled and s3-bucket-public-read-prohibited. If a bucket violates these rules, automated remediation using Systems Manager Automation can enforce encryption and remove public access. This combination ensures that all accounts adhere to organizational security standards without relying on individual account configurations.
IAM policies on individual accounts require manual enforcement and may lead to inconsistent security practices. They cannot enforce default encryption across multiple accounts centrally.
Enabling S3 versioning only allows recovery of previous object versions but does not enforce encryption or block public access. Versioning is a durability feature, not a security control.
Security groups manage network traffic but cannot control bucket-level policies or encryption. They operate at the network layer and do not address storage security.
Using AWS Organizations SCPs with AWS Config rules is correct because it provides centralized enforcement, continuous compliance monitoring, automated remediation, and ensures that all S3 buckets are encrypted and private across multiple accounts.
Question 112
A company wants to ensure that all EBS volumes are encrypted at creation and that snapshots inherit this encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable EBS encryption by default and specify a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable EBS encryption by default and specify a KMS key
Explanation:
Enabling EBS encryption by default ensures that all newly created EBS volumes are automatically encrypted. By specifying a customer-managed KMS key, administrators can control access to the encryption key, rotate keys periodically, and monitor usage through CloudTrail. Any snapshot created from an encrypted volume automatically inherits encryption, maintaining data protection across backups and derived volumes. This ensures compliance with regulatory standards and reduces the risk of data exposure from unencrypted storage.
IAM policies alone can control who can create or attach volumes but do not enforce encryption. Users could create unencrypted volumes if encryption defaults are not enforced.
Security groups control network access to EC2 instances but do not encrypt EBS volumes or enforce encryption policies.
CloudTrail logging provides visibility into API calls for auditing purposes but cannot prevent unencrypted volume creation. Logging is reactive and does not enforce encryption automatically.
Enabling EBS encryption by default with a customer-managed KMS key is correct because it ensures consistent encryption at rest, inherits encryption for snapshots, integrates with auditing, reduces operational risk, and supports compliance requirements.
Question 113
A company wants to monitor and alert on any unauthorized changes to IAM roles and policies. Which AWS service provides continuous monitoring and automated alerts?
A) AWS Config
B) CloudTrail only
C) Security groups only
D) S3 bucket policies
Answer: A) AWS Config
Explanation:
AWS Config continuously records configurations of AWS resources, including IAM roles and policies. It tracks any modifications, deletions, or additions, maintaining a historical timeline for auditing. Config rules can evaluate changes against predefined security standards, such as preventing overly permissive IAM policies. When violations are detected, Config can trigger automated remediation using Systems Manager Automation or notify administrators via CloudWatch Events. Continuous monitoring ensures unauthorized modifications are detected promptly and corrective actions can be applied automatically, maintaining compliance and security posture.
CloudTrail logs API activity and provides a record of who made changes, but it is reactive. Alerts require additional processing, and there is no built-in evaluation of policy compliance.
Security groups control network traffic but cannot monitor IAM configurations or detect unauthorized policy changes.
S3 bucket policies control access to objects in S3 but do not monitor or alert on IAM role or policy modifications.
AWS Config is correct because it provides real-time monitoring, historical tracking, compliance evaluation, and automated alerting for IAM changes, ensuring proactive security management and operational visibility.
Question 114
A company wants to enforce MFA for all IAM users when performing sensitive actions and notify administrators if any requests are made without MFA. Which configuration satisfies this requirement?
A) IAM policies with MFA condition keys and CloudWatch Events alerts
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts
Explanation:
IAM policies can enforce MFA using condition keys such as aws:MultiFactorAuthPresent for sensitive operations, ensuring users provide an MFA token. CloudWatch Events can monitor API calls that do not satisfy the MFA condition and trigger alerts to administrators. This approach ensures proactive enforcement of MFA, real-time detection of non-compliant attempts, and centralized alerting for security teams. Combining MFA enforcement with monitoring reduces the risk of credential compromise and meets compliance requirements by providing both preventive and detective controls.
Security groups manage network traffic but cannot enforce authentication policies or monitor MFA usage. They operate at the network layer and do not influence identity verification.
CloudTrail logs MFA usage and API calls, but it is reactive. Without CloudWatch Events or automation, administrators would have to manually review logs to identify non-compliant attempts.
S3 bucket policies can enforce MFA for S3 operations but cannot enforce MFA across all AWS services or provide centralized alerts.
IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they enforce MFA, detect violations, provide centralized notifications, and support operational security best practices.
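Both halves of the control in Questions 105 and 114, as an added example that is not part of the exam page: the IAM Deny statement built on aws:MultiFactorAuthPresent, and the detection filter an EventBridge-triggered Lambda could apply to CloudTrail records to flag sensitive calls made without MFA. The list of sensitive actions, the account ID, user names and the sample records are constructed for illustration.

```python
"""Added example (not from the exam page) for Questions 105 and 114:
(1) the IAM Deny statement that blocks sensitive actions unless the caller
authenticated with MFA, and (2) the detection side, a filter that flags
CloudTrail records for those actions made without MFA, as an EventBridge
target Lambda might do before raising an alert.

Assumptions: the set of "sensitive" actions, the account ID, user names and
the sample CloudTrail records are constructed for illustration.
"""
import json

# Constructed: the actions this organisation treats as sensitive.
SENSITIVE_ACTIONS = {
    "iam:DeleteUser",
    "iam:AttachUserPolicy",
    "kms:ScheduleKeyDeletion",
    "s3:DeleteBucket",
}


def build_mfa_deny_statement(actions) -> dict:
    """Deny statement using aws:MultiFactorAuthPresent.

    BoolIfExists matters: the key is absent for requests signed with
    long-term access keys, and a plain Bool condition would not match them,
    so they would *not* be denied. With BoolIfExists an absent key is treated
    as matching "false".
    """
    return {
        "Sid": "DenySensitiveActionsWithoutMFA",
        "Effect": "Deny",
        "Action": sorted(actions),
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }


def _event_action(record: dict) -> str:
    # CloudTrail eventSource looks like "iam.amazonaws.com", eventName like "DeleteUser".
    service = record.get("eventSource", "").split(".")[0]
    return f"{service}:{record.get('eventName', '')}"


def _mfa_authenticated(record: dict) -> bool:
    attrs = (
        record.get("userIdentity", {})
        .get("sessionContext", {})
        .get("attributes", {})
    )
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def find_non_mfa_sensitive_calls(records, sensitive=SENSITIVE_ACTIONS):
    """Return (action, principal ARN) for each sensitive call lacking MFA.

    Access-key requests carry no sessionContext at all; they are treated as
    non-MFA, mirroring the BoolIfExists semantics of the deny statement.
    Calls IAM already denied (errorCode AccessDenied) are still reported,
    because the attempt itself is what administrators want an alert for.
    """
    hits = []
    for rec in records:
        action = _event_action(rec)
        if action in sensitive and not _mfa_authenticated(rec):
            hits.append((action, rec.get("userIdentity", {}).get("arn", "?")))
    return hits


# Constructed sample CloudTrail records, trimmed to the fields used here.
SAMPLE_RECORDS = [
    {   # console session with MFA: fine
        "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # console session without MFA, already denied by IAM: still flagged
        "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "errorCode": "AccessDenied",
    },
    {   # long-term access key: no sessionContext, flagged
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
    },
    {   # non-sensitive action without MFA: not flagged
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dave"},
    },
]

if __name__ == "__main__":
    print(json.dumps(build_mfa_deny_statement(SENSITIVE_ACTIONS), indent=2))
    for action, who in find_non_mfa_sensitive_calls(SAMPLE_RECORDS):
        print(f"ALERT: {action} by {who} without MFA")
```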
Question 115
A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple accounts and centralize alerts for security teams. Which AWS service combination is appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect anomalous API activity, including unusual IAM or EC2 actions. It leverages machine learning, anomaly detection, and threat intelligence to generate findings with context, severity, and recommended remediation. Security Hub aggregates findings from multiple accounts into a centralized dashboard, allowing security teams to monitor alerts, prioritize responses, and trigger automated remediation through CloudWatch Events or Lambda. This combination enables real-time detection, proactive response, and centralized management of security alerts across multiple accounts, improving visibility and reducing response times for security incidents.
CloudTrail logs API activity but does not analyze patterns or provide actionable alerts. It is reactive and requires additional tooling to detect anomalies.
IAM policies control permissions but cannot detect anomalous activity. They are preventive controls without monitoring capabilities.
Security groups control network traffic and cannot detect anomalous API calls or unauthorized access attempts.
Amazon GuardDuty with Security Hub is correct because it provides automated anomaly detection, centralized alerting, actionable insights, and integration with remediation workflows, ensuring strong security posture across accounts.
Question 116
A company wants to enforce encryption for all RDS instances and ensure that automated backups and snapshots inherit this encryption. Which AWS configuration meets this requirement?
A) Enable RDS encryption at the instance level using a KMS key
B) Use IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level using a KMS key
Explanation:
Enabling encryption at the RDS instance level ensures that all data stored in the database is encrypted using AWS KMS. This encryption automatically extends to automated backups, snapshots, and read replicas, maintaining consistent security across all associated data. Using a customer-managed KMS key allows administrators to control access to the encryption key, monitor usage, rotate keys periodically, and audit actions through CloudTrail. This approach ensures that sensitive database data is protected at rest, aligns with compliance requirements, and mitigates the risk of unauthorized access.
IAM policies alone can restrict who can create or modify RDS instances but do not enforce encryption. Users with sufficient permissions could create unencrypted instances if encryption is not mandatory.
Security groups control network traffic to the RDS instances but do not enforce data-at-rest encryption. They operate at the network layer and cannot secure stored data.
CloudTrail logs RDS API activity for auditing purposes but does not enforce encryption. It is a monitoring tool rather than a preventive control.
Enabling RDS encryption at the instance level using a KMS key is correct because it ensures that primary data, backups, and snapshots are all encrypted consistently. It integrates with key management, auditing, and compliance requirements while reducing operational risk from unencrypted data.
Question 117
A company wants to automatically rotate IAM access keys for users and alert administrators before the keys expire. Which AWS configuration achieves this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM stores metadata for each access key, including creation and last-used timestamps. CloudWatch Events can monitor the age of keys and trigger Lambda functions to rotate them automatically. The Lambda function can update dependent applications, rotate the key securely, and send alerts to administrators before expiration. This configuration ensures continuous credential hygiene, reduces the risk of compromised or stale keys, and enforces compliance with organizational security policies. Automation eliminates human error, ensures timely rotations, and maintains operational efficiency.
Security groups manage network traffic but cannot manage IAM keys or rotate credentials. They operate at the network layer and are unrelated to identity management.
CloudTrail logging records API activity related to IAM keys but does not rotate keys or send alerts. It is reactive, requiring manual intervention to enforce rotations.
S3 bucket policies control access to S3 objects and are not related to IAM credential management.
IAM with CloudWatch Events and Lambda automation is correct because it provides automated key rotation, proactive monitoring, alerting, compliance enforcement, and reduced operational risk, ensuring secure and efficient management of IAM access keys.
Question 118
A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty continuously analyzes VPC Flow Logs, DNS logs, and CloudTrail events to detect unusual network traffic, such as unexpected connections or traffic patterns indicative of compromised EC2 instances. GuardDuty leverages machine learning, anomaly detection, and threat intelligence to identify suspicious activity. It provides findings with context, affected resources, and recommended remediation actions. GuardDuty integrates with CloudWatch Events and Security Hub for alerting and automated response, allowing rapid containment of potential threats. This solution is proactive, scalable, and suitable for monitoring multiple accounts and regions.
AWS Config monitors configuration changes but does not analyze network traffic for anomalies. Config is focused on compliance and resource configuration, not threat detection.
IAM policies define permissions but cannot monitor network traffic or detect compromised instances. They are preventive controls, not monitoring solutions.
CloudTrail logs API calls and activities but does not detect anomalous network behavior in real time. It is reactive and requires additional processing for threat detection.
Amazon GuardDuty is correct because it provides automated, continuous monitoring of network traffic, anomaly detection, threat intelligence integration, and actionable alerts for EC2 instances, enhancing security posture and incident response capabilities.
Question 119
A company wants to ensure that all S3 buckets are encrypted by default and that public access is blocked across multiple accounts. Which AWS service combination achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
AWS Organizations allows centralized governance for multiple accounts using Service Control Policies (SCPs). SCPs can enforce restrictions, such as preventing the creation of S3 buckets without encryption or with public access. AWS Config continuously monitors bucket configurations and applies rules like s3-bucket-server-side-encryption-enabled and s3-bucket-public-read-prohibited. Config can also trigger automated remediation through Systems Manager Automation if buckets are non-compliant. This combination ensures consistent application of security policies across all accounts, reduces manual effort, and mitigates the risk of accidental data exposure.
IAM policies on individual accounts require manual enforcement, which may lead to inconsistent application of encryption and public access policies.
Enabling S3 versioning only allows recovery of previous object versions but does not enforce encryption or block public access.
Security groups control network traffic but do not affect S3 bucket permissions or encryption.
Using AWS Organizations SCPs with AWS Config rules is correct because it provides centralized enforcement, continuous monitoring, automated remediation, and ensures that all S3 buckets across accounts are encrypted and private.
Question 120
A company wants to enforce that Lambda functions accessing secrets never hardcode credentials and retrieve them securely. Which solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive information such as API keys, tokens, or database credentials. Lambda functions can retrieve secrets at runtime using IAM roles, ensuring that credentials are not hardcoded in the code. Secrets Manager supports automatic secret rotation, audit logging through CloudTrail, and fine-grained access control using IAM policies. This reduces the risk of credential exposure, supports compliance, and integrates seamlessly with serverless architectures. Administrators can control which Lambda functions access specific secrets, enforce least-privilege access, and monitor access for security audits.
Storing secrets in plaintext environment variables exposes them to anyone with Lambda configuration access, creating a significant security risk.
Using S3 buckets for secret storage requires additional encryption and access management, lacks seamless integration with Lambda, and increases operational complexity.
Security groups control network traffic but do not enforce secure secret retrieval or prevent hardcoding of credentials.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automatic rotation, auditability, and integration with Lambda. This ensures secure secret management, reduces operational risk, and aligns with best practices.