Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 7 Q121-140


Question 121

A company wants to prevent public access to all newly created S3 buckets while allowing internal users full access. Which AWS configuration achieves this?

A) AWS Organizations SCPs with AWS Config rules

B) IAM policies on each account separately

C) Enable S3 versioning only

D) Security groups

Answer: A) AWS Organizations SCPs with AWS Config rules

Explanation:

AWS Organizations allows centralized governance across multiple accounts using Service Control Policies (SCPs). SCPs can block the creation of S3 buckets that do not meet encryption or public access requirements. AWS Config continuously monitors bucket configurations and enforces compliance through rules such as s3-bucket-public-read-prohibited and s3-bucket-server-side-encryption-enabled. Automated remediation using Systems Manager Automation can correct non-compliant buckets. This centralized approach ensures all accounts comply with security policies, reduces manual enforcement, and mitigates the risk of accidental public exposure.

IAM policies on individual accounts require manual configuration and do not provide centralized enforcement across multiple accounts. They can lead to inconsistencies and human error.

Enabling S3 versioning allows recovery of previous object versions but does not enforce encryption or restrict public access. Versioning addresses durability, not security.

Security groups control network traffic but do not manage S3 bucket permissions or encryption. They are irrelevant for this requirement.

Using AWS Organizations SCPs with AWS Config rules is correct because it enforces consistent policies across multiple accounts, ensures continuous monitoring and automated remediation, and prevents public exposure while allowing internal access.

Question 122

A company wants to automatically disable IAM users who have not logged in for 60 days. Which combination of AWS services accomplishes this?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM stores metadata for each user, including last login timestamps. CloudWatch Events (EventBridge) can monitor this information and trigger a Lambda function when a user has been inactive for 60 days. Lambda can then automatically disable the account, reducing the risk of orphaned credentials. This approach automates identity lifecycle management, ensures timely enforcement of security policies, and maintains compliance. Automation eliminates human error and provides consistent enforcement across all accounts.

Security groups control network traffic but cannot monitor IAM user activity or disable accounts. They operate at the network layer.

CloudTrail logs API activity, including logins, but cannot disable inactive accounts automatically. It provides visibility but is reactive rather than preventive.

S3 bucket policies manage access to objects but do not affect IAM user account status. They cannot enforce inactivity rules.

IAM with CloudWatch Events and Lambda automation is correct because it provides proactive detection, automated remediation, centralized enforcement, and reduces security risks associated with inactive users.

Question 123

A company wants to enforce that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?

A) AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager securely stores sensitive information such as API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, ensuring credentials are not hardcoded. Secrets Manager supports automatic rotation, auditing through CloudTrail, and fine-grained access control using IAM policies. This reduces the risk of credential leakage, supports compliance, and integrates seamlessly with serverless applications. Administrators can specify which functions access which secrets, enforce least-privilege access, and monitor secret usage for auditing.

Storing secrets in plaintext environment variables exposes them to anyone with Lambda configuration access, creating a significant security risk.

Using S3 buckets for secret storage requires additional encryption and access controls and does not integrate seamlessly with Lambda, increasing operational complexity.

Security groups manage network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.

AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditability, and integration with Lambda, ensuring secure management of sensitive data and reducing operational risk.

Question 124

A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple AWS accounts and centralize alerts for security teams. Which AWS service combination is appropriate?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty continuously analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect anomalous activity, such as unusual IAM or EC2 calls. It leverages machine learning, anomaly detection, and threat intelligence to identify suspicious behavior and generate actionable findings with context and severity levels. Security Hub aggregates findings from multiple accounts into a centralized dashboard, enabling security teams to prioritize alerts, monitor trends, and trigger automated responses using CloudWatch Events or Lambda. This solution provides real-time detection, centralized visibility, and automated remediation, improving the organization’s security posture and reducing incident response times.

CloudTrail logs API activity but does not detect anomalies or generate actionable alerts on its own. It requires additional tooling to analyze logs.

IAM policies control permissions but cannot detect anomalous activity. They are preventive controls without monitoring capabilities.

Security groups manage network traffic and cannot monitor API calls or detect unauthorized activity. They operate at the network layer.

Amazon GuardDuty with Security Hub is correct because it provides automated threat detection, centralized alerting, actionable insights, and integration with remediation workflows across multiple accounts.

Question 125

A company wants to ensure that all API requests to S3 buckets are encrypted in transit. Which configuration enforces this requirement?

A) Require SSL connections in S3 bucket policies

B) Enable S3 versioning only

C) Use IAM policies without encryption

D) Enable public access

Answer: A) Require SSL connections in S3 bucket policies

Explanation:

Requiring SSL connections in S3 bucket policies enforces encryption in transit by denying any requests made over HTTP. This ensures that all data transmitted to and from S3 is encrypted using HTTPS, protecting against eavesdropping, man-in-the-middle attacks, and data interception. Bucket policies provide centralized enforcement for all access methods, including API, SDK, and console operations. When combined with IAM and KMS policies, organizations can ensure both secure transport and access control for sensitive data. This approach aligns with regulatory compliance requirements and best practices for data security.

Enabling S3 versioning allows recovery of previous object versions but does not enforce encryption in transit. Versioning addresses durability and recovery, not network security.

Using IAM policies without encryption controls who can access S3 objects but does not enforce HTTPS connections. Users could still transmit data insecurely.

Enabling public access increases exposure and does not guarantee encryption in transit, creating security risks.

Requiring SSL connections in S3 bucket policies is correct because it enforces encryption in transit, ensures centralized enforcement, protects data from interception, and aligns with best practices for secure AWS operations.

Question 126

A company wants to enforce MFA for all IAM users performing sensitive actions and receive alerts when non-compliant requests occur. Which AWS configuration satisfies this requirement?

A) IAM policies with MFA condition keys and CloudWatch Events alerts

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts

Explanation:

IAM policies can enforce MFA using condition keys such as aws:MultiFactorAuthPresent. This ensures that users must provide an MFA token when performing sensitive operations, such as modifying resources or accessing confidential data. CloudWatch Events (EventBridge) can monitor API calls that do not satisfy the MFA requirement and trigger alerts to administrators. This combination enforces MFA proactively, detects violations in real time, and centralizes notification for the security team. Implementing MFA reduces the risk of credential compromise, ensures compliance with security standards, and provides both preventive and detective controls.

Security groups manage network traffic but cannot enforce MFA or monitor authentication. They operate at the network layer, not the identity or access layer.

CloudTrail logs MFA usage and API activity but is reactive. Without CloudWatch Events, administrators would have to manually analyze logs to detect non-compliance.

S3 bucket policies can enforce MFA for S3 operations only but cannot enforce MFA for all AWS services or provide centralized alerts.

IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they enforce MFA, detect violations automatically, provide centralized notification, and ensure adherence to security best practices.

Question 127

A company wants to monitor all configuration changes to RDS instances and generate alerts for unauthorized modifications. Which AWS service provides this capability?

A) AWS Config

B) CloudTrail only

C) IAM policies only

D) Security groups

Answer: A) AWS Config

Explanation:

AWS Config continuously monitors and records changes to AWS resources, including RDS instances. It maintains a history of configurations, allowing administrators to detect unauthorized modifications such as instance type changes, encryption disablement, or parameter group alterations. Config rules can evaluate compliance against predefined policies, and violations can trigger automated remediation or alerts through CloudWatch Events. This ensures proactive monitoring, continuous compliance, and rapid detection of deviations from organizational security policies. Config also provides a historical timeline for auditing and forensic analysis.

CloudTrail logs API activity and changes but is reactive. It provides visibility but does not automatically evaluate compliance or enforce remediation.

IAM policies control who can modify RDS instances but do not monitor actual changes. Permissions alone do not detect violations or misconfigurations.

Security groups manage network access and cannot monitor RDS configuration changes. They operate at the network layer and are unrelated to resource configuration auditing.

AWS Config is correct because it continuously monitors RDS configurations, enforces compliance rules, generates alerts, and supports automated remediation, ensuring proactive governance and security management.

Question 128

A company wants to detect anomalous API activity across multiple accounts, such as unusual IAM or EC2 calls, and centralize alerts. Which AWS service combination is appropriate?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to identify anomalous activity such as unusual API calls or suspicious behavior in IAM or EC2. It uses machine learning, threat intelligence, and anomaly detection to generate findings with context, severity, and recommended remediation. Security Hub aggregates findings from multiple accounts into a centralized dashboard, enabling security teams to prioritize alerts, monitor trends, and initiate automated responses using CloudWatch Events or Lambda. This combination provides proactive, centralized threat detection and rapid incident response.

CloudTrail logs API activity but does not detect anomalies or provide actionable alerts without additional tooling. It is reactive.

IAM policies define permissions but cannot detect suspicious API activity. They are preventive controls without monitoring capabilities.

Security groups manage network traffic and cannot monitor API activity or detect anomalous calls.

Amazon GuardDuty with Security Hub is correct because it delivers continuous anomaly detection, centralized alerting, actionable insights, and integration with automated response workflows across multiple accounts, improving security posture.

Question 129

A company wants to ensure that all Lambda functions retrieve secrets securely and do not hardcode credentials. Which solution satisfies this requirement?

A) AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager securely stores sensitive information, such as API keys, tokens, and database credentials. Lambda functions can retrieve secrets at runtime using IAM roles, avoiding hardcoding credentials. Secrets Manager supports automatic secret rotation, fine-grained access control, and audit logging via CloudTrail. Administrators can enforce least-privilege access, monitor secret usage, and integrate the solution with serverless applications securely. This approach mitigates the risk of credential exposure, supports compliance requirements, and provides centralized management of sensitive data.

Storing secrets in plaintext environment variables exposes credentials to anyone with Lambda configuration access, increasing security risk.

Using S3 buckets alone requires additional encryption and access management and does not provide runtime integration with Lambda or automated secret rotation.

Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.

AWS Secrets Manager with IAM-based access is correct because it ensures encrypted storage, controlled access, auditability, automated rotation, and integration with Lambda, providing a secure and compliant solution for managing sensitive secrets.

Question 130

A company wants to ensure that all S3 buckets are encrypted by default and public access is blocked across multiple accounts. Which AWS service combination achieves this?

A) AWS Organizations SCPs with AWS Config rules

B) IAM policies on each account separately

C) Enable S3 versioning only

D) Security groups

Answer: A) AWS Organizations SCPs with AWS Config rules

Explanation:

AWS Organizations enables centralized governance using Service Control Policies (SCPs), which can enforce security policies across multiple accounts, such as mandatory encryption and blocking public access for S3 buckets. AWS Config continuously monitors bucket configurations and applies compliance rules like s3-bucket-server-side-encryption-enabled and s3-bucket-public-read-prohibited. Automated remediation can correct non-compliant buckets. This centralized approach ensures consistent security standards across accounts, reduces manual effort, and mitigates accidental exposure of sensitive data.

IAM policies on individual accounts are applied per account, requiring manual configuration, which may lead to inconsistencies and human error.

Enabling S3 versioning only allows for object recovery but does not enforce encryption or prevent public access.

Security groups manage network traffic and cannot control S3 bucket permissions, encryption, or public access settings.

Using AWS Organizations SCPs with AWS Config rules is correct because it enforces centralized policies, ensures continuous monitoring, provides automated remediation, and guarantees that S3 buckets are encrypted and private across all accounts.

Question 131

A company wants to automatically rotate IAM access keys for users and notify administrators before expiration. Which AWS configuration achieves this?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM maintains metadata for each access key, including creation date and last used timestamp. CloudWatch Events (EventBridge) can monitor the age of access keys and trigger Lambda functions for rotation automatically. The Lambda function can generate a new key, update dependent applications, and send notifications to administrators before expiration. This ensures continuous credential hygiene, reduces the risk of compromised keys, and enforces compliance with organizational security policies. Automation eliminates human error, ensures timely rotations, and provides centralized enforcement across all accounts.

Security groups control network traffic but cannot manage IAM credentials or rotate access keys. They operate at the network layer and do not enforce identity management controls.

CloudTrail logs IAM API activity, including access key usage, but does not rotate keys or send proactive notifications. It is reactive and requires manual intervention.

S3 bucket policies manage access to S3 objects but do not affect IAM key management. They cannot rotate credentials or trigger alerts.

IAM with CloudWatch Events and Lambda automation is correct because it automates key rotation, provides proactive monitoring, sends alerts, and ensures that access keys are securely managed, reducing operational risk and improving compliance.
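As an added example for Question 131 (not part of the study material and not AWS's own code), the following Python shows the pieces the scheduled Lambda would contain: an age check that separates keys due for rotation from keys that only warrant a warning, the notification text sent ahead of the deadline, and a two-step rotation that keeps the old key recoverable. The 90-day rotation policy, the 14-day warning window, FakeKeyStore and the sample keys are assumptions constructed for the example; the IAM calls named (list_access_keys, create_access_key, update_access_key) are real boto3 client methods.

```python
# Added example (not AWS code): access-key age check with a pre-expiry warning
# and a two-step rotation. Thresholds, FakeKeyStore and the sample keys are assumptions.
from datetime import datetime, timedelta, timezone

ROTATE_AFTER_DAYS = 90  # assumed rotation policy
WARN_BEFORE_DAYS = 14   # assumed lead time for the administrator notification


def classify_keys(keys, now):
    """Bucket a list of keys into 'rotate', 'warn' and 'ok' by age in days."""
    buckets = {"rotate": [], "warn": [], "ok": []}
    for key in keys:
        age = (now - key["CreateDate"]).days
        if age >= ROTATE_AFTER_DAYS:
            buckets["rotate"].append(key["AccessKeyId"])
        elif age >= ROTATE_AFTER_DAYS - WARN_BEFORE_DAYS:
            buckets["warn"].append(key["AccessKeyId"])
        else:
            buckets["ok"].append(key["AccessKeyId"])
    return buckets


def warning_message(user, key_id, create_date, now):
    """Text for the pre-expiry notification (an SNS publish would carry it)."""
    due = create_date + timedelta(days=ROTATE_AFTER_DAYS)
    return (f"Access key {key_id} for {user} is due for rotation on "
            f"{due:%Y-%m-%d} ({(due - now).days} days from now).")


def rotate_key(iam, user, old_key_id):
    """Create a replacement key, then deactivate the old one.

    The old key is deactivated rather than deleted so it can be re-enabled if a
    dependent application has not yet picked up the new key. IAM allows at most
    two keys per user, so rotation is refused while two keys already exist.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= 2:
        raise RuntimeError(f"{user} already has two keys; delete the unused one before rotating")
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    return {"new_key_id": new_key["AccessKeyId"], "deactivated": old_key_id}


class FakeKeyStore:
    """Tiny stand-in for the three IAM calls rotate_key uses (constructed)."""

    def __init__(self, keys):
        self.keys, self.counter = keys, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self.counter += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIA-EXAMPLE-NEW{self.counter}",
               "Status": "Active"}
        self.keys.append(key)
        return {"AccessKey": key}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
SAMPLE_KEYS = [  # constructed; same fields list_access_keys returns
    {"UserName": "alice", "AccessKeyId": "AKIA-EXAMPLE-A1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=100)},
    {"UserName": "bob", "AccessKeyId": "AKIA-EXAMPLE-B1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=80)},
    {"UserName": "carol", "AccessKeyId": "AKIA-EXAMPLE-C1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10)},
]
```

Against the constructed keys, alice's key (100 days) is due for rotation, bob's (80 days) falls inside the warning window, and carol's is fine. Deleting the deactivated key is left to a later run, after the key's last-used timestamp shows that nothing still depends on it.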

Question 132

A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?

A) Amazon GuardDuty

B) AWS Config

C) IAM policies only

D) CloudTrail only

Answer: A) Amazon GuardDuty

Explanation:

Amazon GuardDuty continuously analyzes VPC Flow Logs, CloudTrail logs, and DNS logs to detect unusual network traffic patterns. For EC2 instances, this can include unexpected connections, suspicious traffic to unusual destinations, or behaviors indicative of compromise. GuardDuty leverages machine learning, anomaly detection, and threat intelligence to generate actionable findings with context and severity, helping security teams prioritize responses. Findings can trigger automated responses via CloudWatch Events or Lambda, enabling rapid remediation. GuardDuty is scalable across accounts and regions and provides centralized monitoring without requiring changes to EC2 instances or network configurations.

AWS Config monitors resource configurations but does not detect anomalous network traffic or analyze packet flows. Config focuses on compliance and resource changes, not security threats.

IAM policies define permissions but cannot monitor network traffic or detect compromised instances. They are preventive controls without visibility into anomalous activity.

CloudTrail logs API activity but cannot detect network anomalies in real time. Analysis requires additional tooling and is reactive rather than proactive.

Amazon GuardDuty is correct because it provides continuous, automated detection of anomalous network behavior, integrates threat intelligence, generates actionable findings, and supports centralized monitoring and response.

Question 133

A company wants to ensure that all RDS instances are encrypted and that snapshots inherit encryption automatically. Which AWS configuration meets this requirement?

A) Enable RDS encryption at the instance level using a KMS key

B) IAM policies only

C) Security groups only

D) CloudTrail logging only

Answer: A) Enable RDS encryption at the instance level using a KMS key

Explanation:

Enabling encryption at the RDS instance level ensures that all stored data is encrypted using AWS KMS. Customer-managed KMS keys allow administrators to control access, rotate keys, and audit usage. All automated backups, snapshots, and read replicas inherit encryption, maintaining data protection consistently across all associated resources. This approach reduces operational risk, ensures compliance with regulatory standards, and protects sensitive information. Encryption at creation also avoids manual errors that may result in unencrypted instances.

IAM policies can control who creates or manages RDS instances but cannot enforce encryption. Users could still launch unencrypted instances if encryption is optional.

Security groups manage network traffic to RDS instances but do not enforce encryption of stored data. They are network-layer controls.

CloudTrail logging provides visibility into API calls for auditing but does not enforce encryption or prevent unencrypted instance creation.

Enabling RDS encryption at the instance level with a KMS key is correct because it enforces encryption consistently, ensures backups and snapshots are protected, integrates with auditing, and aligns with security best practices.

Question 134

A company wants to enforce that all Lambda functions accessing secrets do not hardcode credentials and retrieve them securely. Which solution satisfies this requirement?

A) AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager securely stores sensitive information such as API keys, database credentials, or tokens. Lambda functions can retrieve secrets at runtime using IAM roles, preventing hardcoded credentials. Secrets Manager supports automatic secret rotation, fine-grained IAM access control, and audit logging through CloudTrail. Administrators can enforce least-privilege access, monitor usage, and integrate secure secret retrieval into serverless architectures. This reduces the risk of credential exposure, supports compliance, and provides centralized management for sensitive data.

Storing secrets in plaintext environment variables exposes credentials to anyone with Lambda configuration access, creating significant security risk.

Using S3 buckets for secrets requires encryption, access controls, and runtime integration management. It does not provide automated rotation or seamless Lambda integration.

Security groups control network traffic but cannot prevent hardcoding or enforce secure secret retrieval.

AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditability, and runtime integration, ensuring secure and compliant secret management.

Question 135

A company wants to enforce that all API requests to S3 buckets are encrypted in transit using HTTPS. Which configuration enforces this requirement?

A) Require SSL connections in S3 bucket policies

B) Enable S3 versioning only

C) Use IAM policies without encryption

D) Enable public access

Answer: A) Require SSL connections in S3 bucket policies

Explanation:

Requiring SSL connections in S3 bucket policies ensures that all API requests use HTTPS, encrypting data in transit. Requests over HTTP are denied, preventing eavesdropping or man-in-the-middle attacks. Bucket policies provide centralized enforcement across all access methods, including console, SDK, and API calls. This ensures secure communication, supports compliance requirements, and prevents accidental insecure transmissions. When combined with IAM policies and KMS encryption, it provides both transport security and access control.

Enabling S3 versioning allows object recovery but does not enforce encryption in transit. Versioning addresses durability, not network security.

Using IAM policies without enforcing encryption controls permissions but does not guarantee secure transport. Users could still make unencrypted HTTP requests.

Enabling public access exposes data and does not enforce HTTPS connections, increasing security risk.

Requiring SSL connections in S3 bucket policies is correct because it enforces encryption in transit, ensures centralized enforcement, protects sensitive data, and aligns with best practices for secure AWS operations.
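As an added example for Questions 125 and 135 (not part of the study material and not AWS's own code), the following Python builds the bucket policy described above and audits an arbitrary policy document for the same control. The condition key aws:SecureTransport is the IAM global condition key that records whether a request arrived over TLS; the bucket name and the weak sample policy are constructed for the example.

```python
# Added example (not AWS code): S3 bucket policy that denies non-TLS requests,
# plus an audit check for it. Bucket name and WEAK_POLICY are constructed.
import json

BUCKET = "example-bucket"  # constructed placeholder name


def deny_insecure_transport_policy(bucket):
    """Bucket policy that denies every request not made over HTTPS.

    It targets all principals, all S3 actions, and both the bucket and its
    objects, so console, SDK and raw API access are covered alike.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def enforces_tls(policy, bucket):
    """Audit check: does this policy deny non-TLS access to the whole bucket?

    A statement counts only if it is a Deny for all principals, covers s3:*
    (or at least GetObject and PutObject), covers both the bucket and its
    objects, and carries the aws:SecureTransport = false condition.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if "s3:*" not in actions and not {"s3:GetObject", "s3:PutObject"} <= actions:
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if not ({bucket_arn, bucket_arn + "/*"} <= resources or "*" in resources):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def policy_json(bucket):
    """Serialised form for s3.put_bucket_policy(Bucket=bucket, Policy=...)."""
    return json.dumps(deny_insecure_transport_policy(bucket), indent=2)


# Constructed policy that grants read access but never restricts transport.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-reader"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    print(policy_json(BUCKET))
    print("weak policy enforces TLS:", enforces_tls(WEAK_POLICY, BUCKET))
    print("hardened policy enforces TLS:",
          enforces_tls(deny_insecure_transport_policy(BUCKET), BUCKET))
```

The audit function is the check a periodic scan or a custom Config rule would run; it deliberately refuses to count a Deny that covers only the bucket ARN or only the object ARNs, since a statement missing either half leaves list or object operations reachable over plain HTTP.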

Question 136

A company wants to automatically disable IAM users who have not logged in for 90 days to reduce orphaned account risks. Which AWS service combination accomplishes this?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM stores metadata for each user, including the last login timestamp. CloudWatch Events (EventBridge) can monitor this information and trigger Lambda functions when users have been inactive for 90 days. Lambda can automatically disable the inactive users, reducing the risk of orphaned credentials being exploited. This solution automates identity lifecycle management, ensures timely enforcement of security policies, and maintains compliance without manual intervention. Automation guarantees consistent enforcement and reduces operational overhead while mitigating potential unauthorized access.

Security groups manage network traffic but cannot monitor IAM user activity or disable accounts. They are network-layer controls, unrelated to identity management.

CloudTrail logs API activity, including user logins, but cannot automatically disable inactive accounts. It provides visibility but requires manual review and intervention.

S3 bucket policies govern access to S3 objects but do not affect IAM user account status. They cannot enforce inactivity-based actions.

IAM with CloudWatch Events and Lambda automation is correct because it combines proactive detection, automated remediation, centralized enforcement, and risk reduction, ensuring orphaned accounts are mitigated efficiently and securely.
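As an added example for Questions 122 and 136 (not part of the study material and not AWS's own code), the following Python is the body of the Lambda a scheduled CloudWatch Events (EventBridge) rule would invoke. It computes each user's last activity from both the console login timestamp and access-key usage, treats a user with no activity at all as active since creation so a brand-new account is not disabled on day one, and disables a stale user by removing the console password and deactivating keys rather than deleting them. The IAM calls used (list_users, list_access_keys, get_access_key_last_used, delete_login_profile, update_access_key) are real boto3 client methods; FakeIAM and the sample users are constructed so the logic runs offline.

```python
# Added example (not AWS code): scheduled-rule Lambda that disables IAM users
# inactive beyond a threshold. FakeIAM and the sample users are constructed.
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90  # Question 136's threshold; Question 122 uses 60


def last_activity(user, key_last_used_dates):
    """Most recent console login or key use; a never-used user falls back to
    CreateDate so a brand-new account is not disabled before first use."""
    stamps = [d for d in [user.get("PasswordLastUsed"), *key_last_used_dates] if d]
    return max(stamps) if stamps else user["CreateDate"]


def inactive_users(iam, now, threshold_days=INACTIVE_DAYS):
    """Names of users whose last activity is older than the threshold."""
    cutoff = now - timedelta(days=threshold_days)
    found = []
    for user in iam.list_users()["Users"]:
        name = user["UserName"]
        key_dates = [
            iam.get_access_key_last_used(AccessKeyId=k["AccessKeyId"])["AccessKeyLastUsed"].get("LastUsedDate")
            for k in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
        ]
        if last_activity(user, key_dates) < cutoff:
            found.append(name)
    return found


def disable_user(iam, name):
    """Remove console access and deactivate (not delete) active keys, so the
    action is reversible if the account is a rarely used break-glass identity."""
    result = {"login_profile_removed": False, "keys_deactivated": []}
    try:
        iam.delete_login_profile(UserName=name)
        result["login_profile_removed"] = True
    except iam.exceptions.NoSuchEntityException:
        pass  # user never had a console password
    for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
            result["keys_deactivated"].append(key["AccessKeyId"])
    return result


def lambda_handler(event, context):
    import boto3  # imported here so the offline demo does not need it
    iam = boto3.client("iam")
    return {n: disable_user(iam, n) for n in inactive_users(iam, datetime.now(timezone.utc))}


class FakeIAM:
    """Minimal stand-in for the boto3 IAM client (constructed for the demo)."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users, keys, key_last_used, login_profiles):
        self.users, self.keys = users, keys
        self.key_last_used, self.login_profiles = key_last_used, set(login_profiles)

    def list_users(self):
        return {"Users": self.users}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.keys.get(UserName, [])}

    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": {"LastUsedDate": self.key_last_used.get(AccessKeyId)}}

    def delete_login_profile(self, UserName):
        if UserName not in self.login_profiles:
            raise self.exceptions.NoSuchEntityException()
        self.login_profiles.remove(UserName)

    def update_access_key(self, UserName, AccessKeyId, Status):
        for key in self.keys[UserName]:
            if key["AccessKeyId"] == AccessKeyId:
                key["Status"] = Status


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def demo_client():
    """Constructed users: active, stale, key-only service user, brand new."""
    ago = lambda n: NOW - timedelta(days=n)
    users = [
        {"UserName": "alice", "CreateDate": ago(400), "PasswordLastUsed": ago(5)},
        {"UserName": "bob", "CreateDate": ago(400), "PasswordLastUsed": ago(120)},
        {"UserName": "svc-deploy", "CreateDate": ago(400)},
        {"UserName": "newhire", "CreateDate": ago(3)},
    ]
    keys = {"bob": [{"AccessKeyId": "AKIA-EXAMPLE-BOB", "Status": "Active"}],
            "svc-deploy": [{"AccessKeyId": "AKIA-EXAMPLE-SVC", "Status": "Active"}]}
    last_used = {"AKIA-EXAMPLE-BOB": ago(150), "AKIA-EXAMPLE-SVC": ago(1)}
    return FakeIAM(users, keys, last_used, login_profiles={"alice", "bob"})
```

With the constructed data only bob is disabled: the service user has no console password but used its key yesterday, and the new hire has never logged in but was created three days ago. Checking key usage as well as PasswordLastUsed is the detail that keeps the automation from locking out key-only service accounts.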

Question 137

A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple AWS accounts. Which AWS service combination is appropriate?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to detect anomalous API activity, such as unusual IAM or EC2 actions. It leverages machine learning, anomaly detection, and threat intelligence to generate findings with severity, context, and recommended remediation. Security Hub aggregates findings from multiple accounts into a centralized dashboard, allowing security teams to monitor, prioritize, and respond to alerts efficiently. GuardDuty findings can also trigger automated responses through CloudWatch Events or Lambda, enabling rapid remediation. This combination provides proactive threat detection, centralized visibility, and actionable insights across accounts.

CloudTrail logs API activity but does not analyze patterns or generate actionable alerts by itself. Additional tooling is required for anomaly detection.

IAM policies define permissions but cannot detect anomalous activity. They are preventive controls without monitoring capability.

Security groups manage network traffic and cannot detect API anomalies. They operate at the network layer, not the identity or API-activity layer.

Amazon GuardDuty with Security Hub is correct because it provides continuous anomaly detection, centralized alerting, actionable insights, and integration with automated remediation workflows, improving multi-account security posture.
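As an added example for Questions 124, 128 and 137 (not part of the study material and not AWS's own code), the following Python is the triage step of the "automated responses" these explanations mention: a Lambda fed by an EventBridge rule on the Security Hub "Security Hub Findings - Imported" event, which filters the aggregated findings down to the ones worth paging on. The field names follow the AWS Security Finding Format that Security Hub uses (ProductArn, Severity.Label, RecordState, Workflow.Status, Resources); the event contents, finding titles and account IDs are constructed for the example.

```python
# Added example (not AWS code): triage of Security Hub findings delivered to a
# Lambda by the EventBridge event "Security Hub Findings - Imported". The event
# below is constructed; field names follow the ASFF format Security Hub uses.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def product_name(finding):
    """'arn:aws:securityhub:us-east-1::product/aws/guardduty' -> 'guardduty'."""
    return finding.get("ProductArn", "").rsplit("/", 1)[-1]


def is_actionable(finding, min_label):
    """Only active, not-yet-handled findings at or above the severity floor page anyone."""
    if finding.get("RecordState") != "ACTIVE":
        return False  # archived by the producer, e.g. GuardDuty auto-archive
    if finding.get("Workflow", {}).get("Status", "NEW") != "NEW":
        return False  # someone already triaged, resolved or suppressed it
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return SEVERITY_RANK.get(label, 0) >= SEVERITY_RANK[min_label]


def triage(event, min_label="HIGH"):
    """Alert records, most severe first, one per finding Id, from an EventBridge event.

    Security Hub re-imports a finding each time its producer updates it, so the
    same Id can appear more than once; only the first copy is kept.
    """
    alerts = {}
    for f in event.get("detail", {}).get("findings", []):
        fid = f.get("Id")
        if fid in alerts or not is_actionable(f, min_label):
            continue
        alerts[fid] = {
            "id": fid,
            "account": f.get("AwsAccountId"),
            "region": f.get("Region"),
            "product": product_name(f),
            "severity": f["Severity"]["Label"],
            "title": f.get("Title"),
            "resources": [r.get("Id") for r in f.get("Resources", [])],
        }
    return sorted(alerts.values(), key=lambda a: -SEVERITY_RANK[a["severity"]])


def lambda_handler(event, context):
    """Entry point: a notifier (SNS, ticketing) would take each alert; returned here."""
    return triage(event)


def _finding(fid, product, label, title, account, state="ACTIVE", workflow="NEW",
             resource="i-0EXAMPLE"):
    """Constructed ASFF-shaped finding for the sample event."""
    return {
        "Id": fid, "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
        "AwsAccountId": account, "Region": "us-east-1", "Title": title,
        "Severity": {"Label": label}, "RecordState": state, "Workflow": {"Status": workflow},
        "Resources": [{"Type": "AwsEc2Instance", "Id": resource}],
    }


SAMPLE_EVENT = {  # constructed event in the shape EventBridge delivers
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("f-1", "guardduty", "HIGH", "Instance talking to a known C2 host", "111122223333"),
        _finding("f-2", "guardduty", "LOW", "Unprotected port being probed", "111122223333"),
        _finding("f-3", "config", "MEDIUM", "S3 bucket allows public read", "444455556666",
                 resource="arn:aws:s3:::example-bucket"),
        _finding("f-4", "guardduty", "CRITICAL", "Credentials used outside AWS", "444455556666",
                 state="ARCHIVED"),
        _finding("f-1", "guardduty", "HIGH", "Instance talking to a known C2 host", "111122223333"),
    ]},
}
```

With the default HIGH floor only f-1 survives: f-2 is too low, f-3 is a Config finding at MEDIUM, f-4 is archived, and the repeated f-1 is collapsed. Lowering the floor to MEDIUM brings in f-3 behind f-1, which is the cross-account, cross-product prioritisation the dashboard provides and this function reproduces for the automated path.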

Question 138

A company wants to ensure that all EBS volumes are encrypted at creation and that snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?

A) Enable EBS encryption by default and specify a KMS key

B) IAM policies only

C) Security groups only

D) CloudTrail logging only

Answer: A) Enable EBS encryption by default and specify a KMS key

Explanation:

Enabling EBS encryption by default ensures that all newly created volumes are automatically encrypted. By specifying a customer-managed KMS key, administrators can control access, rotate keys periodically, and monitor key usage through CloudTrail. Snapshots of encrypted volumes inherit encryption automatically, maintaining data protection across backups and derived volumes. This ensures compliance, reduces operational risk, and mitigates exposure from unencrypted storage. It also eliminates reliance on users to manually enable encryption, reducing human error.

IAM policies can restrict who can create volumes but do not enforce encryption at creation. Users could still create unencrypted volumes if defaults are not enforced.

Security groups control network access to instances but do not encrypt EBS volumes or enforce encryption policies.

CloudTrail logging provides visibility into API calls for auditing but does not enforce encryption. It is a monitoring tool, not a preventive measure.

Enabling EBS encryption by default with a customer-managed KMS key is correct because it enforces encryption consistently, ensures snapshots inherit encryption, integrates with auditing, and reduces operational and compliance risks.

Question 139

A company wants to enforce MFA for all IAM users when performing sensitive operations and receive alerts for violations. Which AWS configuration achieves this?

A) IAM policies with MFA condition keys and CloudWatch Events alerts

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts

Explanation:

IAM policies can enforce MFA using condition keys like aws:MultiFactorAuthPresent for sensitive actions. CloudWatch Events can monitor API calls that do not satisfy MFA requirements and send alerts to administrators. This configuration provides proactive enforcement of MFA, real-time detection of violations, and centralized notification for security teams. MFA reduces the risk of credential compromise and ensures compliance with organizational policies. Combining preventive enforcement with detective monitoring ensures that security controls are applied consistently and violations are addressed immediately.

Security groups manage network traffic but cannot enforce authentication policies or monitor MFA usage. They operate at the network layer.

CloudTrail logs MFA usage and API activity, but alerts require additional tooling. It is reactive rather than proactive.

S3 bucket policies can enforce MFA for S3-specific operations but cannot enforce MFA across all AWS services or provide centralized alerts.

IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they combine enforcement, monitoring, and alerting, ensuring adherence to security best practices.
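As an added example for Questions 126 and 139 (not part of the study material and not AWS's own code), the following Python shows both halves of the control: the identity policy that uses aws:MultiFactorAuthPresent to deny sensitive actions without MFA, and the detection logic a CloudWatch Events (EventBridge) rule on CloudTrail API events would feed, which flags sensitive calls whose session lacked MFA. The set of "sensitive" actions and the CloudTrail records are constructed for the example; the condition key and the CloudTrail field userIdentity.sessionContext.attributes.mfaAuthenticated are real.

```python
# Added example (not AWS code) for the MFA pattern in Questions 126 and 139.
# aws:MultiFactorAuthPresent is the IAM condition key named in the explanation;
# the list of "sensitive" actions and the CloudTrail records are constructed.
SENSITIVE_ACTIONS = {"iam:*", "kms:ScheduleKeyDeletion", "ec2:TerminateInstances"}


def require_mfa_policy(actions=SENSITIVE_ACTIONS):
    """Identity policy that denies the sensitive actions unless MFA was used.

    BoolIfExists also matches when the key is absent entirely, which is the case
    for requests signed with long-term access keys, so those are denied too.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySensitiveActionsWithoutMFA",
            "Effect": "Deny",
            "Action": sorted(actions),
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


def _matches(event_source, event_name, pattern):
    """'iam.amazonaws.com' + 'CreateUser' matches 'iam:*' and 'iam:CreateUser'."""
    service, action = pattern.split(":", 1)
    return event_source.split(".")[0] == service and action in ("*", event_name)


def mfa_used(record):
    """CloudTrail marks MFA sessions under userIdentity.sessionContext.attributes."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def find_mfa_violations(records, sensitive=SENSITIVE_ACTIONS):
    """(eventTime, caller ARN, service:action) for each sensitive call made without MFA.

    Calls IAM already refused (errorCode AccessDenied) are still reported: the policy
    blocks the action, but the attempt is what the security team wants to hear about.
    """
    violations = []
    for rec in records:
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        if not any(_matches(source, name, p) for p in sensitive) or mfa_used(rec):
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        violations.append((rec.get("eventTime"), caller, f"{source.split('.')[0]}:{name}"))
    return violations


def lambda_handler(event, context):
    """EventBridge delivers one CloudTrail record per event under 'detail'."""
    return find_mfa_violations([event["detail"]])


SAMPLE_RECORDS = [  # constructed CloudTrail records
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-01-15T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-01-15T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
]
```

Two of the four constructed records are violations: bob's CreateAccessKey in a session that explicitly lacked MFA (already denied, still reported) and carol's TerminateInstances with no session context at all, which is what a long-term access key looks like in CloudTrail. Alice used MFA, and DescribeInstances is not in the sensitive set.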

Question 140

A company wants to monitor all changes to IAM roles and policies to detect unauthorized modifications. Which AWS service provides continuous monitoring and auditing?

A) AWS Config

B) CloudTrail only

C) Security groups only

D) S3 bucket policies

Answer: A) AWS Config

Explanation:

AWS Config continuously records configuration changes for IAM roles, policies, and other resources. It provides a historical timeline of changes and allows evaluation against compliance rules, such as enforcing least-privilege access or detecting overly permissive policies. Config can trigger automated remediation or alerts via CloudWatch Events when violations occur. Continuous monitoring ensures that unauthorized modifications are detected promptly, enabling immediate corrective actions. Config also integrates with auditing workflows for regulatory compliance and provides centralized visibility of IAM configuration across multiple accounts.

CloudTrail logs API calls related to IAM, providing visibility into who made changes, but it is reactive. It does not evaluate compliance or provide automated alerts.

Security groups control network traffic but cannot monitor IAM configurations or policy changes.

S3 bucket policies manage access to S3 objects and do not track IAM role or policy modifications.

AWS Config is correct because it delivers continuous monitoring, historical tracking, compliance evaluation, and automated alerting for IAM changes, ensuring proactive governance and operational security.
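As an added example for Questions 127 and 140 (not part of the study material and not AWS's own code), the following Python is the Lambda behind a custom AWS Config rule of the kind the explanation describes for "detecting overly permissive policies": it reads the configuration item Config passes in, decodes the default version of an IAM customer-managed policy, and reports NON_COMPLIANT when that version allows every action on every resource. The same handler shape serves an RDS rule; only the resource type and the check change. The sample invocation is constructed; the policyVersionList layout with URL-encoded documents is what Config records for AWS::IAM::Policy, but treat the field names as an assumption to verify against your own configuration history.

```python
# Added example (not AWS code): Lambda backing a custom AWS Config rule that
# flags IAM customer-managed policies granting Action "*" on Resource "*".
# The sample Config event is constructed; the configurationItem layout for
# AWS::IAM::Policy (policyVersionList with URL-encoded documents) is an
# assumption to check against real Config data.
import json
from urllib.parse import quote, unquote


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_full_admin(document):
    """True if any Allow statement grants every action on every resource."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def default_policy_document(configuration):
    """Decode the default version's document from an AWS::IAM::Policy configuration."""
    for version in configuration.get("policyVersionList", []):
        if version.get("isDefaultVersion"):
            return json.loads(unquote(version["document"]))
    return {}


def evaluate(event):
    """Build the evaluation Config expects; NOT_APPLICABLE for anything but IAM policies."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    base = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if item["resourceType"] != "AWS::IAM::Policy":
        return {**base, "ComplianceType": "NOT_APPLICABLE"}
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return {**base, "ComplianceType": "NOT_APPLICABLE", "Annotation": "policy deleted"}
    if grants_full_admin(default_policy_document(item.get("configuration", {}))):
        return {**base, "ComplianceType": "NON_COMPLIANT",
                "Annotation": "Default policy version allows all actions on all resources"}
    return {**base, "ComplianceType": "COMPLIANT"}


def lambda_handler(event, context):
    """Entry point for the Config rule: report the evaluation back with the result token."""
    import boto3  # imported here so the offline demo does not need it
    boto3.client("config").put_evaluations(Evaluations=[evaluate(event)],
                                           ResultToken=event["resultToken"])


def sample_event(document, resource_id="ANPAEXAMPLE"):
    """Constructed Config invocation carrying one IAM policy with two versions."""
    item = {
        "resourceType": "AWS::IAM::Policy",
        "resourceId": resource_id,
        "configurationItemCaptureTime": "2024-06-01T12:00:00.000Z",
        "configurationItemStatus": "OK",
        "configuration": {"policyVersionList": [
            {"versionId": "v1", "isDefaultVersion": False, "document": quote("{}")},
            {"versionId": "v2", "isDefaultVersion": True, "document": quote(json.dumps(document))},
        ]},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": "example-token"}


# Constructed policy documents: one full-admin, one scoped to a single bucket.
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                             "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Because Config evaluates the rule again on every configuration change, a new policy version that widens permissions flips the resource to NON_COMPLIANT within the next evaluation, and the ordering timestamp taken from the configuration item keeps the compliance timeline aligned with the configuration history used for auditing.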
