Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 9 Q161-180


Question 161

A company wants to enforce that all API requests to S3 buckets are encrypted in transit using HTTPS. Which configuration enforces this requirement?

A) Require SSL connections in S3 bucket policies

B) Enable S3 versioning only

C) Use IAM policies without encryption

D) Enable public access

Answer: A) Require SSL connections in S3 bucket policies

Explanation:

Requiring SSL (in practice TLS) is done with an explicit Deny statement in the bucket policy whose condition is Bool aws:SecureTransport = false, applied to both the bucket ARN and the object ARNs so that ListBucket as well as GetObject and PutObject are covered. A request that arrives over plain HTTP then fails authorization no matter what an IAM policy allows, which prevents eavesdropping and on-path interception of object data and request credentials. Because the bucket policy is evaluated for every principal and every access path (SDKs, CLI, REST API, presigned URLs), it is a single point of enforcement; the console already speaks HTTPS only. Transport encryption protects data only while it is on the wire, so it is paired with server-side encryption for data at rest. A bucket policy covers one bucket; to find buckets that lack the statement across an account, the AWS Config managed rule s3-bucket-ssl-requests-only evaluates exactly this condition.

Enabling S3 versioning addresses object recovery and durability but does not enforce encryption in transit. Versioning ensures previous versions are retained but does not secure data transmission.

Using IAM policies without an aws:SecureTransport condition only controls who may call which API. Nothing in them requires that the call was made over HTTPS, so data can still travel unencrypted.

Enabling public access opens data to the internet without enforcing HTTPS, increasing security risks. It does not provide encryption or protect against interception.

Requiring SSL connections in S3 bucket policies is correct because it enforces encryption in transit, centralizes control, protects sensitive data during transfer, and aligns with security best practices for network and storage security.

Question 162

A company wants to monitor all configuration changes to RDS instances and generate alerts for unauthorized modifications. Which AWS service provides this capability?

A) AWS Config

B) CloudTrail only

C) IAM policies only

D) Security groups

Answer: A) AWS Config

Explanation:

AWS Config records every configuration change to supported resources, including AWS::RDS::DBInstance, AWS::RDS::DBParameterGroup and related types, and keeps a timeline of each change (instance class, parameter group, storage encryption, public accessibility, backup retention). Managed rules such as rds-storage-encrypted, rds-instance-public-access-check and rds-multi-az-support evaluate each change against policy, and custom rules backed by Lambda cover anything organisation-specific. A compliance change is published as an EventBridge event (detail type "Config Rules Compliance Change"), which can notify administrators through SNS or start remediation through an SSM Automation document. Config links each configuration item to the CloudTrail event that produced it, so the "what changed" view and the "who changed it" view line up during an investigation, and a Config aggregator gives the same view across all accounts.

CloudTrail alone records who called ModifyDBInstance or ModifyDBParameterGroup and with which parameters, but it does not model the resulting state or evaluate it against a rule. Turning its events into alerts needs additional EventBridge rules or CloudWatch Logs metric filters, and even then it cannot tell you whether the end state is compliant.

IAM policies define who can modify RDS instances but cannot monitor changes or enforce compliance. They prevent unauthorized actions but do not detect misconfigurations.

Security groups filter network traffic to the instance and cannot observe configuration changes. They say nothing about whether the instance is encrypted, publicly accessible or using an approved parameter group.

AWS Config is correct because it provides continuous monitoring, historical tracking, compliance evaluation, alerting, and automated remediation for RDS configuration changes, ensuring security governance and operational compliance.

Question 163

A company wants to detect anomalous API activity across multiple AWS accounts, including unusual IAM or EC2 calls, and centralize alerts. Which AWS service combination is most appropriate?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty analyzes CloudTrail management events, VPC Flow Logs and Route 53 Resolver DNS query logs (with optional sources such as S3 data events and EKS audit logs) and applies threat intelligence, anomaly detection and machine learning to them. Unusual IAM or EC2 API calls, such as a key being used from an IP address on a known-bad list or calls that deviate from a principal's established pattern, produce findings with a type, a severity score, the affected resource and the actor details. With a GuardDuty delegated administrator in AWS Organizations, detectors in every member account report to one place, and Security Hub (also with a delegated administrator) aggregates those findings together with Config, Inspector and other sources into a single view for prioritisation. Findings are also published as EventBridge events, so a rule can invoke Lambda or an SSM Automation runbook for containment.

CloudTrail alone records the API calls but contains no detection logic. Building anomaly detection on top of it would mean shipping the logs to CloudWatch Logs or a SIEM and writing and tuning the rules yourself, in every account.

IAM policies define permissions but cannot detect suspicious API behavior. They are preventive controls, not monitoring tools.

Security groups manage network traffic and cannot analyze API activity or detect anomalous behavior.

Amazon GuardDuty with Security Hub is correct because it provides centralized, proactive threat detection, actionable alerts, multi-account monitoring, and the ability to integrate automated remediation workflows, enhancing security posture.

Question 164

A company wants to ensure that all Lambda functions accessing secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?

A) AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager stores API keys, database credentials and tokens encrypted under a KMS key, and a Lambda function reads them at run time with GetSecretValue using its execution role, so nothing sensitive is in the code or the deployment package. The execution role needs secretsmanager:GetSecretValue on the specific secret ARN and, if the secret uses a customer managed key, kms:Decrypt on that key; a resource policy on the secret can restrict readers further. Secrets Manager can rotate the secret on a schedule through a rotation Lambda function (managed rotation for RDS, Redshift and DocumentDB credentials), and every retrieval is logged in CloudTrail. Two operational points: fetch the secret outside the handler, or through the Secrets Manager Lambda extension or the AWS caching library, so a warm invocation does not pay for an API call on every request, and re-read the secret when an authentication error occurs so the function picks up a freshly rotated value.

Storing secrets in plaintext environment variables puts them in front of anyone who can call GetFunctionConfiguration or view the function in the console (Lambda encrypts environment variables at rest, but returns them decrypted to anyone with read access to the configuration), copies them into CloudFormation or Terraform state and deployment logs, and forces a redeploy for every rotation.

Using S3 buckets for secrets requires encryption, access management, and runtime integration, which is operationally complex and less secure than Secrets Manager.

Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.

AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditability, and secure runtime integration, ensuring sensitive secrets are protected and compliant.

Question 165

A company wants to automatically rotate IAM access keys for users and notify administrators before expiration. Which AWS configuration achieves this requirement?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM exposes the creation date of each access key (ListAccessKeys) and its last use (GetAccessKeyLastUsed); the IAM credential report carries both for every user in one download. EventBridge does not watch key age by itself, so the usual design is an EventBridge scheduled rule that invokes a Lambda function daily. The function computes the age of every active key, notifies owners through SNS when a key is approaching the rotation deadline, and rotates keys that have passed it. Rotation of a long-term key is a two-step operation because a user may hold at most two keys: create the replacement, distribute it to whatever uses it, then set the old key Inactive and delete it once GetAccessKeyLastUsed shows it is no longer in use. The AWS Config managed rule access-keys-rotated reports the same condition for compliance dashboards. IAM users are per account, so the job is deployed to every account (for example with a StackSet). Long-term keys are also the last resort: wherever a workload can use an IAM role or a federated session there is no key to rotate at all.

Security groups manage network traffic but cannot rotate IAM access keys or send notifications.

CloudTrail logs API activity, including key usage, but cannot automatically rotate keys or send alerts proactively. It is reactive and requires manual review.

S3 bucket policies manage object access but do not affect IAM key management or rotation.

IAM with CloudWatch Events and Lambda automation is correct because it automates rotation, provides proactive monitoring, sends alerts, and ensures secure and efficient access key management, improving operational security.

Question 166

A company wants to enforce MFA for all IAM users performing sensitive operations and receive alerts if MFA is not used. Which AWS configuration achieves this requirement?

A) IAM policies with MFA condition keys and CloudWatch Events alerts

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts

Explanation:

IAM policies enforce MFA through the aws:MultiFactorAuthPresent condition key, normally as a Deny of the sensitive actions with the condition BoolIfExists aws:MultiFactorAuthPresent = false. The IfExists form matters: the key is absent, not false, on requests signed with a long-term access key, so a plain Bool comparison would let those requests through. For detection, CloudTrail records whether a session was MFA-authenticated in userIdentity.sessionContext.attributes.mfaAuthenticated, and an EventBridge rule on the "AWS API Call via CloudTrail" and "AWS Console Sign In via CloudTrail" events, or a CloudWatch Logs metric filter on the trail, can alert the security team in near real time when a sensitive call or a console sign-in happens without MFA. Together this gives a preventive control in the policy and a detective control in the log pipeline; MFA itself adds a second factor so that a leaked password or key is not enough on its own.

Security groups control network traffic but cannot enforce authentication policies or detect MFA usage. They operate at the network layer.

CloudTrail does record the MFA status of each session and the API activity, but on its own it only stores the evidence. Without an EventBridge rule or metric filter on top of it, somebody has to go looking, which delays detection and response.

S3 bucket policies can use the same condition key, but only for requests to that bucket, not for IAM, EC2 or other sensitive operations across the account.

IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they combine preventive enforcement, proactive monitoring, and centralized alerting, ensuring that MFA is consistently applied for sensitive operations and violations are addressed promptly.

Question 167

A company wants to monitor all configuration changes to IAM roles and policies to detect unauthorized modifications. Which AWS service provides this capability?

A) AWS Config

B) CloudTrail only

C) Security groups only

D) S3 bucket policies

Answer: A) AWS Config

Explanation:

AWS Config records configuration changes to IAM roles, users, groups and customer managed policies (resource types AWS::IAM::Role, AWS::IAM::User, AWS::IAM::Group and AWS::IAM::Policy); because IAM is a global service these are recorded once, in the region where global resource recording is enabled. Every change becomes a new configuration item, so the history shows what a trust policy, attached policy or inline policy looked like before and after each change, and each item is linked to the CloudTrail event that caused it, which answers who made the change. Managed rules such as iam-policy-no-statements-with-admin-access, iam-policy-no-statements-with-full-access and iam-user-mfa-enabled evaluate each change, and custom rules backed by Lambda can encode organisation-specific least-privilege checks. A compliance change is published as an EventBridge event that can notify the security team or invoke an SSM Automation remediation. With an aggregator, Config gives the same view across all accounts in an organisation, which is what audits need.

CloudTrail records who called CreatePolicyVersion, AttachRolePolicy or UpdateAssumeRolePolicy and with which document, but it does not compare the result against a rule or keep a compliance state. Without a rule engine or metric filter on top of it, analysis is manual and after the fact.

Security groups control network traffic and cannot monitor IAM configurations or detect policy modifications.

S3 bucket policies govern access to S3 objects and do not track IAM role or policy changes.

AWS Config is correct because it provides continuous monitoring, historical tracking, compliance evaluation, automated alerting, and supports auditing, ensuring governance over IAM roles and policies.

Question 168

A company wants to detect anomalous API activity across multiple AWS accounts, including unusual IAM or EC2 calls, and centralize alerts. Which AWS service combination is most appropriate?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty analyzes CloudTrail management events, VPC Flow Logs and Route 53 Resolver DNS query logs, plus optional sources such as S3 data events, and applies threat intelligence, anomaly detection and machine learning to surface unusual IAM or EC2 API calls: keys used from known-malicious addresses, reconnaissance calls, or activity that departs from a principal's normal pattern. Each finding carries a type, a severity score, the affected resource, the actor and the evidence. A GuardDuty delegated administrator collects findings from every member account, and Security Hub aggregates them with findings from other services into one dashboard for prioritisation and response. Because findings are published as EventBridge events, a rule can invoke Lambda or an SSM Automation runbook to contain the threat within minutes.

CloudTrail logs API activity but cannot analyze anomalies or generate actionable alerts independently. It is reactive and requires manual review.

IAM policies define permissions and prevent unauthorized actions but do not detect unusual behavior. They are preventive controls, not monitoring tools.

Security groups manage network traffic and cannot detect anomalous API behavior. They operate at the network layer.

Amazon GuardDuty with Security Hub is correct because it provides proactive threat detection, centralized monitoring, actionable alerts, multi-account visibility, and integration with automated remediation workflows, improving overall security posture.

Question 169

A company wants to ensure that all newly created RDS instances are encrypted and that automated backups and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?

A) Enable RDS encryption at the instance level using a KMS key

B) IAM policies only

C) Security groups only

D) CloudTrail logging only

Answer: A) Enable RDS encryption at the instance level using a KMS key

Explanation:

Storage encryption for RDS is chosen when the instance is created (StorageEncrypted with a KMS key) and cannot be switched on afterwards; an existing unencrypted instance is encrypted by taking a snapshot, copying the snapshot with encryption enabled, and restoring from the copy. Once the instance is encrypted, its automated backups, manual snapshots, same-region read replicas, underlying storage and logs are encrypted with the same key without any further action. A customer managed key lets administrators control who may use the key through its key policy, enable automatic rotation and audit every use in CloudTrail; it is also required if an encrypted snapshot has to be shared with another account, because snapshots encrypted with the AWS managed key aws/rds cannot be shared. Cross-region snapshot copies and cross-region read replicas need a key in the destination region. Encrypting at creation therefore guarantees that the instance and everything derived from it are protected; to make this mandatory for every new instance, pair it with the Config managed rule rds-storage-encrypted or an SCP that denies rds:CreateDBInstance unless the rds:StorageEncrypted condition key is true.

IAM policies control who may create instances but do not encrypt anything. Unlike EBS there is no account-level encrypt-by-default switch for RDS, so a permitted user can still create an unencrypted instance unless a Deny condition or a Config rule catches it.

Security groups control network access but do not encrypt RDS instances or backups.

CloudTrail logs API calls for auditing but does not enforce encryption. It is a reactive tool rather than a preventive measure.

Enabling RDS encryption at the instance level with a KMS key is correct because it ensures encryption for primary data, backups, and snapshots, integrates with auditing, reduces operational risk, and aligns with security best practices.

Question 170

A company wants to ensure that all EBS volumes are encrypted at creation and that snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?

A) Enable EBS encryption by default and specify a KMS key

B) IAM policies only

C) Security groups only

D) CloudTrail logging only

Answer: A) Enable EBS encryption by default and specify a KMS key

Explanation:

Encryption by default is an EC2 account setting that is enabled per region (EnableEbsEncryptionByDefault) and can be given a customer managed key as the default (ModifyEbsDefaultKmsKeyId); it has to be set in every region the company uses, which is why it is usually rolled out by a script or a CloudFormation StackSet. Once on, every new volume, every volume created from a snapshot and every copy of an unencrypted snapshot made in that region is encrypted automatically, and snapshots of encrypted volumes are always encrypted with the volume's key. Existing unencrypted volumes are not touched; they are converted by snapshotting and restoring. A customer managed key lets administrators scope who may use the key, enable automatic rotation and audit usage in CloudTrail. One side effect to plan for: instance types that do not support EBS encryption can no longer be launched in that region. The Config managed rule ec2-ebs-encryption-by-default reports regions where the setting is off.

IAM policies control access to volume creation but cannot enforce encryption by themselves. Users could still create unencrypted volumes if defaults are not applied.

Security groups manage network traffic but cannot enforce encryption on volumes or snapshots.

CloudTrail logs API activity but cannot enforce encryption or automatically apply it to volumes and snapshots.

Enabling EBS encryption by default with a KMS key is correct because it ensures encryption at creation, inherits encryption for snapshots, supports auditing, and mitigates operational and compliance risks.

Question 171

A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?

A) Amazon GuardDuty

B) AWS Config

C) IAM policies only

D) CloudTrail only

Answer: A) Amazon GuardDuty

Explanation:

GuardDuty's foundational data sources for EC2 are VPC Flow Logs, Route 53 Resolver DNS query logs and CloudTrail; it reads them on the service side, so nothing is installed on the instance and the customer does not have to enable flow logging. From this it detects traffic to known command-and-control or cryptocurrency-mining infrastructure (finding types such as Backdoor:EC2/C&CActivity.B!DNS and CryptoCurrency:EC2/BitcoinTool.B!DNS), use of Tor, outbound port scanning, brute-force attempts, and traffic volumes or destinations that depart from the instance's baseline. Each finding carries a type, a severity score, the instance ID, the remote address and the evidence. Findings can be routed with EventBridge to Lambda or SSM Automation to isolate the instance (swap its security group, snapshot its volumes, tag it for forensics) within minutes. With a delegated administrator, GuardDuty covers all accounts in the organisation per region. Two caveats: DNS-based findings require the instance to resolve names through the Route 53 Resolver, and host-level process visibility needs the optional Runtime Monitoring agent, which GuardDuty can deploy automatically.

AWS Config tracks resource configuration changes but does not analyze network traffic or detect anomalies. Its focus is on compliance and configuration monitoring, not real-time threat detection.

IAM policies define access permissions but cannot monitor network traffic or detect compromised instances. They are preventive controls rather than monitoring tools.

CloudTrail logs API activity, but it cannot detect anomalous network traffic. It is reactive, and analysis requires additional tools to detect threats.

Amazon GuardDuty is correct because it provides continuous, automated detection of network anomalies, actionable alerts, centralized monitoring, and integration with automated response workflows, enabling proactive security management for EC2 instances.

Question 172

A company wants to ensure that all newly created S3 buckets are encrypted by default and public access is blocked across multiple accounts. Which AWS service combination achieves this?

A) AWS Organizations SCPs with AWS Config rules

B) IAM policies on each account separately

C) Enable S3 versioning only

D) Security groups

Answer: A) AWS Organizations SCPs with AWS Config rules

Explanation:

AWS Organizations Service Control Policies set the maximum permissions for every principal in the member accounts, so they act as guardrails. An SCP cannot change a bucket's configuration, but it can deny the API calls that would weaken it: s3:PutAccountPublicAccessBlock and s3:DeletePublicAccessBlock for anyone except a designated security role once account-level Block Public Access has been turned on, and s3:PutObject requests that do not specify SSE-KMS where KMS encryption is mandatory (since January 2023 every new bucket already applies SSE-S3 by default). AWS Config then verifies the result continuously with managed rules such as s3-account-level-public-access-blocks-periodic, s3-bucket-level-public-access-prohibited, s3-bucket-public-read-prohibited and s3-default-encryption-kms, and can remediate a non-compliant bucket through an SSM Automation document. A Config aggregator in the security account gives one view across all accounts. The SCP prevents the regression and Config detects and repairs anything that slips through.

IAM policies applied individually to each account require manual setup, drift apart over time, do not bind the root user, and cannot stop an account administrator from editing them.

Enabling S3 versioning only addresses data recovery and durability, not encryption or public access restrictions.

Security groups control network traffic but cannot enforce bucket-level encryption or prevent public access.

AWS Organizations SCPs with AWS Config rules are correct because they enforce encryption and public access policies centrally, provide continuous monitoring, automate remediation, and ensure consistent security governance across multiple accounts.

Question 173

A company wants to automatically disable IAM users who have not logged in for 60 days to reduce orphaned account risks. Which AWS service combination accomplishes this?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM records when a user's console password was last used (PasswordLastUsed from GetUser) and when each access key was last used (GetAccessKeyLastUsed); the IAM credential report returns both for every user in one CSV. IAM emits no event when a user becomes idle, so the trigger is an EventBridge scheduled rule that runs a Lambda function daily. The function computes each user's last activity as the most recent of password use, key use and creation date and, for anyone past 60 days, applies the disable procedure. IAM has no single disable-user call, so that means deleting the login profile (DeleteLoginProfile) to remove console access, setting every access key to Inactive (UpdateAccessKey) rather than deleting it so the change is reversible, optionally attaching a deny-all policy, and notifying the owner. Automating this removes orphaned accounts before they can be abused, enforces the policy uniformly, and leaves a CloudTrail record of every action taken. Treat the root account and break-glass users as exceptions handled out of band, and run the job in every account, since IAM users are per account.

Security groups manage network traffic but cannot detect inactive IAM users or disable accounts.

CloudTrail logs user activity but cannot automatically disable inactive accounts. It provides audit data, but action must be manual without automation.

S3 bucket policies control access to objects but do not affect IAM user account status.

IAM with CloudWatch Events and Lambda automation is correct because it combines proactive detection, automated remediation, centralized enforcement, and risk reduction for orphaned accounts.

Question 174

A company wants to ensure that all EBS volumes are encrypted at creation and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?

A) Enable EBS encryption by default and specify a KMS key

B) IAM policies only

C) Security groups only

D) CloudTrail logging only

Answer: A) Enable EBS encryption by default and specify a KMS key

Explanation:

Enabling EBS encryption by default is a per-region account setting; once it is on, every new volume created in that region, including volumes restored from snapshots and volumes attached at instance launch, is encrypted, and copies of unencrypted snapshots made there come out encrypted. Setting a customer managed key as the default KMS key lets administrators control access through the key policy, rotate the key and audit use in CloudTrail. Snapshots of encrypted volumes are always encrypted with the volume's key, so backups and volumes derived from them stay protected. Because the setting is regional and does not touch existing volumes, roll it out to every region in use and convert legacy volumes by snapshot and restore; the Config rule ec2-ebs-encryption-by-default flags regions where it is still off.

IAM policies control permissions for creating volumes but cannot enforce encryption at creation. Users could still create unencrypted volumes without defaults.

Security groups manage network traffic but cannot encrypt EBS volumes or snapshots.

CloudTrail provides audit logs of API activity but cannot enforce encryption or ensure snapshots inherit encryption.

Enabling EBS encryption by default with a KMS key is correct because it enforces encryption at creation, ensures inherited encryption for snapshots, supports auditing, and reduces operational and compliance risks.
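The regional nature of the setting described in Questions 170 and 174 is the part that gets missed in practice. The following script, an added example and not code from this page or from AWS, audits and enables EBS encryption by default in every region of an account with the real EC2 API calls (GetEbsEncryptionByDefault, EnableEbsEncryptionByDefault, GetEbsDefaultKmsKeyId, ModifyEbsDefaultKmsKeyId). The client factory is injected so the logic runs offline against the FakeEc2 stub below; the KMS alias and the two-region fleet are placeholders.

```python
"""Audit and enable EBS encryption-by-default in every region of an account.
Added example, not from the page. The setting is per region, so a single call
in one region leaves the others unprotected. The client factory is injected so
the logic can be exercised offline with the FakeEc2 stub below; with boto3 it
is boto3.client("ec2", region_name=region). The KMS alias is a placeholder."""
from typing import Callable

DEFAULT_KEY = "alias/ebs-default"  # placeholder: a customer managed key alias present in every region


def ensure_region(ec2, key_id: str, enforce: bool) -> dict:
    """Return the before/after state for one region; change it only if enforce is True."""
    before_on = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    before_key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    if enforce and not before_on:
        ec2.enable_ebs_encryption_by_default()
    if enforce and before_key != key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=key_id)
    return {"was_enabled": before_on, "was_key": before_key,
            "enabled": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
            "key": ec2.get_ebs_default_kms_key_id()["KmsKeyId"]}


def ensure_all_regions(client_factory: Callable[[str], object], regions: list,
                       key_id: str = DEFAULT_KEY, enforce: bool = True) -> dict:
    """Run ensure_region in every region and return a region -> state map."""
    return {r: ensure_region(client_factory(r), key_id, enforce) for r in regions}


def boto3_factory(region: str):
    import boto3  # imported lazily so the offline demo does not need boto3
    return boto3.client("ec2", region_name=region)


def list_regions() -> list:
    """Enabled regions of the current account (needs credentials)."""
    import boto3
    return [r["RegionName"] for r in boto3.client("ec2").describe_regions(AllRegions=False)["Regions"]]


class FakeEc2:
    """Offline stand-in implementing the four EC2 calls used above."""
    def __init__(self, enabled=False, key="alias/aws/ebs"):
        self.enabled, self.key, self.calls = enabled, key, []

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}

    def enable_ebs_encryption_by_default(self):
        self.calls.append("enable")
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.calls.append(("modify", KmsKeyId))
        self.key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


def demo_fleet():
    """Two constructed regions: one untouched (AWS managed key, setting off), one already compliant."""
    fleet = {"us-east-1": FakeEc2(), "eu-west-1": FakeEc2(enabled=True, key=DEFAULT_KEY)}
    result = ensure_all_regions(lambda r: fleet[r], list(fleet))
    return result, fleet


if __name__ == "__main__":
    # Real audit without changes: ensure_all_regions(boto3_factory, list_regions(), enforce=False)
    result, fleet = demo_fleet()
    for region, state in result.items():
        print(region, state, fleet[region].calls)
```

Run it with enforce=False first to get an inventory of regions that are off or still on the AWS managed key, then with enforce=True from a role that has ec2:EnableEbsEncryptionByDefault and ec2:ModifyEbsDefaultKmsKeyId; the customer managed key must exist in each region or the modify call fails there.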

Question 175

A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?

A) AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager keeps API keys, database credentials and tokens encrypted with KMS, and a Lambda function retrieves them at run time with GetSecretValue under its execution role, so no credential lives in the code, the package or the environment. The role needs secretsmanager:GetSecretValue scoped to the secret's ARN (plus kms:Decrypt on a customer managed key, if one is used), which keeps access least-privilege, and every retrieval appears in CloudTrail. Rotation is automatic through a rotation function or managed rotation for supported databases. Cache the value outside the handler (or use the Secrets Manager Lambda extension) so warm invocations do not call the API, and refresh it on an authentication failure so a rotated value is picked up without a redeploy.

Storing secrets in plaintext environment variables exposes them to anyone who can read the function configuration (GetFunctionConfiguration returns them decrypted), leaks them into infrastructure-as-code state and deployment logs, and makes rotation a redeploy.

Using S3 buckets for secrets requires additional encryption, access management, and runtime integration, making it less secure and operationally complex than Secrets Manager.

Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.

AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditing, and secure runtime integration, ensuring secrets are protected and compliant.

Question 176

A company wants to ensure that all API requests to S3 buckets are encrypted in transit using HTTPS. Which configuration enforces this requirement?

A) Require SSL connections in S3 bucket policies

B) Enable S3 versioning only

C) Use IAM policies without encryption

D) Enable public access

Answer: A) Require SSL connections in S3 bucket policies

Explanation:

Requiring SSL connections means a bucket policy statement with Effect Deny, Principal "*", the bucket ARN and the object ARN as resources, and the condition Bool aws:SecureTransport = false. Any request sent over HTTP is then rejected at authorization time, whatever IAM permissions the caller holds, which removes the opportunity for eavesdropping or on-path tampering with object data and request signatures. Since the bucket policy applies to every principal and every access path (SDKs, CLI, REST API, presigned URLs; the console is HTTPS already), it is a single point of enforcement for the bucket. Transport encryption covers the data only on the wire, so it is combined with server-side encryption for data at rest. The Config managed rule s3-bucket-ssl-requests-only reports buckets that do not carry such a statement.

Enabling S3 versioning only addresses object durability and recovery. It ensures that previous versions of objects are retained but does not enforce encryption during data transfer.

Using IAM policies without encryption only controls access permissions. It cannot ensure that requests are encrypted, leaving sensitive data potentially exposed during transit.

Enabling public access exposes data to the internet and does not enforce HTTPS, increasing the risk of interception. It does not protect data during transfer.

Requiring SSL connections in S3 bucket policies is correct because it enforces encryption in transit, centralizes control, ensures secure data transfer, and aligns with security best practices for S3 data.
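Questions 161 and 176 ask for the TLS-only bucket policy and Question 166 for an MFA-required policy; both hinge on how IAM evaluates Boolean condition keys. The block below is an added example, not code from this page or from AWS. It holds both policy documents and a deliberately minimal evaluator for explicit-Deny statements with Bool and BoolIfExists conditions, then shows that an HTTP request to the bucket is denied while an HTTPS request is not, and that a request signed with a long-term access key (where aws:MultiFactorAuthPresent is absent) is caught by BoolIfExists but slips past a plain Bool test. The bucket name, the request contexts and the policy Sids are constructed; the evaluator supports only the features these two policies use and is not a general IAM simulator.

```python
"""Minimal evaluator for explicit-Deny statements with Bool / BoolIfExists
conditions. Added example, not part of the original page: it shows (1) the
S3 bucket policy that rejects plaintext HTTP via aws:SecureTransport and
(2) why an MFA-required policy must use BoolIfExists. The request contexts
in __main__ and the bucket name are constructed for the demonstration."""
import json

BUCKET = "example-data-bucket"  # placeholder bucket name

# (1) Deny any request that did not arrive over TLS. The bucket ARN and the
# object ARN are both listed so ListBucket and GetObject/PutObject are covered.
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# (2) Deny sensitive actions unless the session was MFA-authenticated.
# aws:MultiFactorAuthPresent is ABSENT (not false) on requests signed with a
# long-term access key, so a plain Bool test never matches those requests.
MFA_REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySensitiveWithoutMFA",
        "Effect": "Deny",
        "Action": ["iam:*", "ec2:TerminateInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Same statement with a plain Bool test, kept only to demonstrate the gap.
WEAK_MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    dict(MFA_REQUIRED_POLICY["Statement"][0],
         Condition={"Bool": {"aws:MultiFactorAuthPresent": "false"}})]}


def _fits(pattern: str, value: str) -> bool:
    """Exact match or a trailing wildcard ('s3:*', 'arn:aws:s3:::bucket/*')."""
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith("*") and value.startswith(pattern[:-1])


def _condition_ok(operator: str, key: str, want: str, ctx: dict) -> bool:
    """IAM semantics for the two Boolean operators: Bool fails when the key is
    missing from the request context; BoolIfExists succeeds when it is missing."""
    if key not in ctx:
        return operator == "BoolIfExists"
    return str(ctx[key]).lower() == want.lower()


def _statement_matches(st: dict, action: str, resource: str, ctx: dict) -> bool:
    acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
    ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
    if not any(_fits(a, action) for a in acts) or not any(_fits(r, resource) for r in ress):
        return False
    return all(_condition_ok(op, k, v, ctx)
               for op, kv in st.get("Condition", {}).items() for k, v in kv.items())


def is_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if an explicit Deny in `policy` matches the request. An explicit Deny
    overrides any Allow elsewhere, which is why these guardrails are written as Deny."""
    return any(st["Effect"] == "Deny" and _statement_matches(st, action, resource, ctx)
               for st in policy["Statement"])


def apply_bucket_policy(bucket: str, policy: dict) -> None:
    """Push the policy with boto3 (needs credentials; not run in the offline demo)."""
    import boto3  # imported here so the evaluator above runs without boto3 installed
    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/reports/q3.csv"
    print("HTTP GetObject denied: ", is_denied(TLS_ONLY_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print("HTTPS GetObject denied:", is_denied(TLS_ONLY_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    # A request signed with a long-term key: the MFA key is simply absent from the context.
    print("Key-signed iam:CreateUser denied (BoolIfExists):", is_denied(MFA_REQUIRED_POLICY, "iam:CreateUser", "*", {}))
    print("Key-signed iam:CreateUser denied (Bool):        ", is_denied(WEAK_MFA_POLICY, "iam:CreateUser", "*", {}))
```

The Deny with BoolIfExists also blocks every request made with a long-term key from touching the listed actions, which is the intended effect: those callers must assume a role with an MFA-bearing session first. If some automation legitimately uses keys for those actions, carve it out by principal rather than by weakening the condition.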

Question 177

A company wants to monitor all configuration changes to RDS instances and generate alerts for unauthorized modifications. Which AWS service provides this capability?

A) AWS Config

B) CloudTrail only

C) IAM policies only

D) Security groups

Answer: A) AWS Config

Explanation:

AWS Config tracks configuration changes to RDS instances, parameter groups, option groups and snapshots, recording each change as a new configuration item with details such as instance class, parameter group, storage encryption, public accessibility and backup retention. Managed rules (rds-storage-encrypted, rds-instance-public-access-check, rds-snapshots-public-prohibited and others) or Lambda-backed custom rules evaluate every change, and a change in compliance status is published as an EventBridge event that can page an administrator through SNS or run an SSM Automation document to revert the change. Each configuration item references the CloudTrail event that caused it, so the record shows both what changed and who changed it. A Config aggregator provides the same history across all accounts for audits.

CloudTrail records the ModifyDBInstance and similar calls, which tells you who did what. It does not evaluate the resulting configuration against a policy or keep a compliance state, so alerting would have to be built separately with EventBridge rules or metric filters, and it remains reactive rather than preventive.

IAM policies define who can modify RDS instances but cannot monitor or enforce compliance on their own. They are preventive controls.

Security groups control network traffic but do not monitor RDS configuration changes. They operate at the network layer, unrelated to resource configuration compliance.

AWS Config is correct because it provides continuous monitoring, historical tracking, compliance evaluation, alerting, and automated remediation, ensuring secure governance of RDS instances.
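Questions 162 and 177 (RDS), 167 (IAM policies) and 172 (S3 buckets) all rely on a Config rule deciding whether a resource is compliant. The following custom rule handler is an added example, not code from this page or from AWS: it is the Lambda function a change-triggered custom Config rule would invoke, it evaluates the three resource types against the checks the explanations describe, and it returns the evaluation Config expects. The configuration-item field names follow Config's schema for these types but are an assumption to confirm against your own recorder output; the SAMPLE_EVENTS are constructed, and a resultToken of TESTMODE keeps the run offline (Config's real token triggers PutEvaluations).

```python
"""Custom AWS Config rule handler (Lambda) covering three resource types:
RDS instances (storage encrypted, not publicly accessible), IAM customer managed
policies (no Allow of Action "*" on Resource "*") and S3 buckets (Block Public
Access fully on, default encryption present). Added example, not code from the
page. Configuration-item field names follow the Config schema for these types
but are assumptions to check against your own recorder output. SAMPLE_EVENTS
are constructed; a resultToken of TESTMODE keeps the run offline."""
import json
from urllib.parse import quote, unquote

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate_rds(conf: dict):
    if not conf.get("storageEncrypted"):
        return NON_COMPLIANT, "storage is not encrypted"
    if conf.get("publiclyAccessible"):
        return NON_COMPLIANT, "instance is publicly accessible"
    return COMPLIANT, "encrypted and private"


def evaluate_iam_policy(conf: dict):
    """Flag Allow statements granting every action on every resource in the default version."""
    default = next((v for v in conf.get("policyVersionList", []) if v.get("isDefaultVersion")), None)
    if default is None:
        return NOT_APPLICABLE, "no default version recorded"
    doc = json.loads(unquote(default["document"]))  # Config stores the document URL-encoded
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", [])) \
                and "*" in _as_list(st.get("Resource", [])):
            return NON_COMPLIANT, f"statement {st.get('Sid', '<no Sid>')} allows *:*"
    return COMPLIANT, "no admin wildcard statements"


def evaluate_s3_bucket(supp: dict):
    pab = supp.get("PublicAccessBlockConfiguration", {})
    flags = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
    if not all(pab.get(f) for f in flags):
        return NON_COMPLIANT, "Block Public Access is not fully enabled"
    if not supp.get("ServerSideEncryptionConfiguration", {}).get("rules"):
        return NON_COMPLIANT, "no default encryption configuration"
    return COMPLIANT, "public access blocked and default encryption set"


EVALUATORS = {
    "AWS::RDS::DBInstance": lambda ci: evaluate_rds(ci.get("configuration") or {}),
    "AWS::IAM::Policy": lambda ci: evaluate_iam_policy(ci.get("configuration") or {}),
    "AWS::S3::Bucket": lambda ci: evaluate_s3_bucket(ci.get("supplementaryConfiguration") or {}),
}


def evaluate_item(ci: dict) -> dict:
    """Build the evaluation Config expects for one configuration item."""
    fn = EVALUATORS.get(ci["resourceType"])
    compliance, note = fn(ci) if fn else (NOT_APPLICABLE, "resource type not covered")
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": note[:256],
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}


def lambda_handler(event, context=None):
    ci = json.loads(event["invokingEvent"]).get("configurationItem")
    if not ci or ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return None  # nothing to evaluate (deleted resource, or an oversized-item notification)
    evaluation = evaluate_item(ci)
    if event.get("resultToken", "TESTMODE") != "TESTMODE":
        import boto3  # only needed when really invoked by Config
        boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _event(ci: dict) -> dict:
    """Wrap a configuration item the way Config delivers it to the function."""
    ci.setdefault("configurationItemStatus", "OK")
    ci.setdefault("configurationItemCaptureTime", "2024-05-01T12:00:00.000Z")
    return {"invokingEvent": json.dumps({"configurationItem": ci}), "resultToken": "TESTMODE"}


ADMIN_DOC = quote(json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}))
SAMPLE_EVENTS = {  # constructed sample configuration items
    "rds_unencrypted": _event({"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-ABCDEFGHIJ",
                               "configuration": {"storageEncrypted": False, "publiclyAccessible": False}}),
    "rds_ok": _event({"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-KLMNOPQRST",
                      "configuration": {"storageEncrypted": True, "publiclyAccessible": False}}),
    "iam_admin": _event({"resourceType": "AWS::IAM::Policy", "resourceId": "ANPAEXAMPLE123456",
                         "configuration": {"policyVersionList": [{"isDefaultVersion": True, "document": ADMIN_DOC}]}}),
    "s3_open": _event({"resourceType": "AWS::S3::Bucket", "resourceId": "example-data-bucket",
                       "supplementaryConfiguration": {
                           "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                                              "blockPublicPolicy": False, "restrictPublicBuckets": True},
                           "ServerSideEncryptionConfiguration": {"rules": [
                               {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}}),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        r = lambda_handler(ev)
        print(f"{name:16s} {r['ComplianceType']:14s} {r['Annotation']}")
```

Attach the function to one change-triggered custom rule per resource type (or a single rule scoped to all three), give its role config:PutEvaluations, and let the rule's compliance-change events drive the alerting and remediation described above; the managed rules named in the explanations cover the same checks without code, and a custom rule like this is for the checks they do not.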

Question 178

A company wants to detect anomalous API activity across multiple AWS accounts, including unusual IAM or EC2 calls, and centralize alerts. Which AWS service combination is most appropriate?

A) Amazon GuardDuty with Security Hub

B) CloudTrail logging only

C) IAM policies only

D) Security groups only

Answer: A) Amazon GuardDuty with Security Hub

Explanation:

Amazon GuardDuty continuously analyzes CloudTrail management events, VPC Flow Logs and Route 53 Resolver DNS query logs (plus optional sources such as S3 data events) with threat intelligence, anomaly detection and machine learning, and raises findings for suspicious API activity such as IAM calls from known-malicious addresses, reconnaissance, or EC2 and IAM calls that break a principal's established pattern. Each finding carries a type, a severity score, the affected resource, the actor and the evidence. With a GuardDuty delegated administrator, every member account's findings flow to one account, and Security Hub, also organisation-wide through its delegated administrator, aggregates them with Config, Inspector and other findings into a single prioritised view. Findings are published as EventBridge events, so a rule can invoke Lambda or an SSM Automation runbook to deactivate a key or isolate an instance within minutes.

CloudTrail logs API activity but does not analyze for anomalies or provide actionable alerts without additional tools. It is reactive.

IAM policies define access permissions but cannot detect anomalous activity. They are preventive, not detective, measures.

Security groups manage network traffic but cannot monitor API activity or detect unusual behavior.

Amazon GuardDuty with Security Hub is correct because it provides centralized, automated detection of anomalies, actionable alerts, multi-account visibility, and integration with automated remediation workflows, enhancing organizational security posture.
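The response side of Questions 163, 168 and 178 (anomalous API activity) and 171 (compromised EC2 hosts) is a Lambda function behind an EventBridge rule for GuardDuty findings. The block below is an added example, not code from this page or from AWS: it classifies a finding by severity band and affected resource, returns the containment action a responder would take, and carries out that action only when dry-run is switched off. The finding types are real GuardDuty types; the instance IDs, key IDs, account numbers and the quarantine security group are constructed, and the severity thresholds for automatic containment are a choice to tune to your own risk appetite.

```python
"""Triage of GuardDuty findings as delivered to EventBridge (detail-type
"GuardDuty Finding"). Added example, not from the page: classifies each finding
by severity band and affected resource, then returns the containment action a
responder Lambda would take. Finding types are real GuardDuty types; instance
IDs, key IDs, account numbers and the quarantine security group are constructed.
The boto3 calls that isolate an instance or deactivate a key sit behind
execute(), which defaults to dry-run."""


def severity_label(score: float) -> str:
    """GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10."""
    if score >= 9:
        return "CRITICAL"
    if score >= 7:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


def plan_response(event: dict) -> dict:
    """Decide what to do with one finding; the thresholds are a policy choice."""
    d = event["detail"]
    res = d["resource"]
    plan = {"finding": d["type"], "account": d["accountId"],
            "severity": severity_label(d["severity"]), "action": "notify"}
    if res["resourceType"] == "Instance":
        plan["target"] = res["instanceDetails"]["instanceId"]
        # Network-side findings on an EC2 host: isolate it when High or above.
        if plan["severity"] in ("HIGH", "CRITICAL"):
            plan["action"] = "isolate_instance"
    elif res["resourceType"] == "AccessKey":
        ak = res["accessKeyDetails"]
        plan["target"] = ak["accessKeyId"]
        plan["principal"] = ak.get("userName")
        if ak.get("userType") == "Root":
            plan["action"] = "page_oncall"  # root keys cannot be deactivated by an automation role
        elif plan["severity"] in ("HIGH", "CRITICAL"):
            plan["action"] = "deactivate_access_key"
    return plan


def execute(plan: dict, quarantine_sg: str, dry_run: bool = True) -> str:
    """Carry out the plan with boto3 (imported lazily); dry_run only describes it."""
    if dry_run or plan["action"] in ("notify", "page_oncall"):
        return f"[{plan['severity']}] {plan['finding']} -> {plan['action']} {plan.get('target', '')}"
    import boto3
    if plan["action"] == "isolate_instance":
        # Replacing all security groups with an empty quarantine group cuts the host off
        # while keeping it alive for forensics.
        boto3.client("ec2").modify_instance_attribute(InstanceId=plan["target"], Groups=[quarantine_sg])
    elif plan["action"] == "deactivate_access_key":
        boto3.client("iam").update_access_key(UserName=plan["principal"], AccessKeyId=plan["target"],
                                              Status="Inactive")
    return f"executed {plan['action']} on {plan['target']}"


def lambda_handler(event, context=None):
    """EventBridge target: one GuardDuty finding per invocation."""
    import os
    return execute(plan_response(event), os.environ.get("QUARANTINE_SG", ""),
                   dry_run=os.environ.get("DRY_RUN", "true") == "true")


def _finding(ftype, severity, resource, account="123456789012"):
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": ftype, "severity": severity, "accountId": account, "resource": resource}}


# Constructed sample findings in the EventBridge envelope.
SAMPLE_FINDINGS = [
    _finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0,
             {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}),
    _finding("Recon:EC2/PortProbeUnprotectedPort", 2.0,
             {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0fedcba9876543210"}}),
    _finding("UnauthorizedAccess:IAMUser/MaliciousIPCaller", 8.0,
             {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                                                 "userName": "deploy-bot", "userType": "IAMUser"}},
             account="210987654321"),
    _finding("Policy:IAMUser/RootCredentialUsage", 5.0,
             {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEROOT0000",
                                                                 "userName": "<root>", "userType": "Root"}}),
]


def triage(findings=SAMPLE_FINDINGS, quarantine_sg="sg-0quarantine0000000") -> list:
    """Dry-run the whole sample set and return one line per finding."""
    return [execute(plan_response(f), quarantine_sg) for f in findings]


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Deploy the function in the Security Hub or GuardDuty delegated-administrator account with a role that can assume a responder role in each member account, since the instance or key lives in the account named in accountId, not where the finding is aggregated. Keep DRY_RUN on until the notify path has been exercised for a while and the thresholds are trusted.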

Question 179

A company wants to ensure that all Lambda functions accessing secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?

A) AWS Secrets Manager with IAM-based access

B) Store secrets in plaintext environment variables

C) Use S3 buckets for secret storage only

D) Security groups only

Answer: A) AWS Secrets Manager with IAM-based access

Explanation:

AWS Secrets Manager holds API keys, database credentials and tokens encrypted with KMS, and a Lambda function fetches them at run time with GetSecretValue under its execution role, so nothing sensitive is compiled into the code or the deployment artifact. Least privilege is expressed by granting secretsmanager:GetSecretValue only on the secret's ARN (and kms:Decrypt on the key when a customer managed key is used), every read is logged in CloudTrail, and rotation runs on a schedule through a rotation function or managed rotation for supported databases. Fetch the value outside the handler or through the Secrets Manager Lambda extension so that warm invocations reuse it, and re-read it after an authentication error so a rotated value is picked up without a redeploy.

Storing secrets in plaintext environment variables exposes them to anyone who can read the function configuration, copies them into infrastructure-as-code state and deployment logs, and ties every rotation to a redeploy.

Using S3 buckets for secrets requires additional encryption, access control, and runtime integration, making it less secure and more complex than Secrets Manager.

Security groups control network traffic but cannot enforce secure retrieval of secrets or prevent hardcoding of credentials.

AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, access control, automated rotation, auditability, and secure runtime integration, ensuring secrets are protected and compliant.
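Questions 164, 175 and 179 describe runtime retrieval of a secret from Lambda; the part that goes wrong in practice is caching and rotation. The block below is an added example, not code from this page or from AWS: a module-scope cache with a TTL in front of GetSecretValue, a handler that re-reads the secret once when the cached credential is rejected, and the least-privilege execution-role policy as data. FakeSecrets stands in for boto3's secretsmanager client and FakeDb for a database driver so the module runs offline; the secret name, ARNs, key ID and credential values are placeholders.

```python
"""Lambda pattern for fetching a secret at run time instead of hardcoding it.
Added example, not from the page. The secret value is cached in module scope
so warm invocations skip the API call, a TTL forces a re-read so rotated values
are picked up, and an explicit refresh path handles the case where the cached
credential has just been rotated. FakeSecrets stands in for
boto3.client("secretsmanager") and FakeDb for a database driver so the module
runs offline; the secret name, ARNs, key ID and credential values are placeholders."""
import base64
import json
import time

SECRET_ID = "prod/orders/db"  # placeholder secret name
TTL_SECONDS = 300

# Execution-role policy: read one secret, decrypt with its customer managed key, nothing else.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/db-*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
         "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}},
    ],
}


class SecretCache:
    """Caches parsed secret values per secret ID with a TTL; one instance lives at module scope."""
    def __init__(self, client, ttl: int = TTL_SECONDS, clock=time.monotonic):
        self.client, self.ttl, self.clock = client, ttl, clock
        self._store = {}  # secret_id -> (expires_at, parsed value)
        self.fetches = 0  # API calls made, for observability

    def get(self, secret_id: str, force: bool = False) -> dict:
        now = self.clock()
        hit = self._store.get(secret_id)
        if hit and not force and hit[0] > now:
            return hit[1]
        resp = self.client.get_secret_value(SecretId=secret_id)  # returns the AWSCURRENT version
        self.fetches += 1
        raw = resp["SecretString"] if "SecretString" in resp else base64.b64decode(resp["SecretBinary"]).decode()
        value = json.loads(raw)
        self._store[secret_id] = (now + self.ttl, value)
        return value


class FakeSecrets:
    """Offline stand-in for boto3.client('secretsmanager'); rotate() mimics a rotation."""
    def __init__(self, password="s3cr3t-v1"):
        self.password = password

    def rotate(self, new_password):
        self.password = new_password

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "VersionStages": ["AWSCURRENT"],
                "SecretString": json.dumps({"username": "orders_app", "password": self.password,
                                            "host": "db.internal", "port": 5432})}


class FakeDb:
    """Stand-in for a DB driver: a connection succeeds only with the current password."""
    def __init__(self, valid_password):
        self.valid_password = valid_password

    def connect(self, creds: dict) -> bool:
        return creds["password"] == self.valid_password


def handler_with_refresh(cache: SecretCache, db) -> dict:
    """Use the cached secret; on an auth failure re-read once to pick up a rotated value."""
    creds = cache.get(SECRET_ID)
    if not db.connect(creds):
        creds = cache.get(SECRET_ID, force=True)
        if not db.connect(creds):
            raise RuntimeError("credentials rejected after refresh")
    return {"user": creds["username"], "fetches": cache.fetches}


def real_cache() -> SecretCache:
    """The production cache; boto3 is imported lazily so the offline demo does not need it."""
    import boto3
    return SecretCache(boto3.client("secretsmanager"))


if __name__ == "__main__":
    backend, db = FakeSecrets(), FakeDb("s3cr3t-v1")
    cache = SecretCache(backend)
    print(handler_with_refresh(cache, db))  # cold start: one fetch
    print(handler_with_refresh(cache, db))  # warm invocation: served from cache
    backend.rotate("s3cr3t-v2")
    db.valid_password = "s3cr3t-v2"
    print(handler_with_refresh(cache, db))  # stale cache rejected, forced re-read succeeds
```

In a real function the SecretCache is created once at module scope with real_cache() and the handler calls handler_with_refresh with the driver's connect; the TTL bounds how long a revoked credential keeps working from a warm container, and the forced re-read is what makes rotation invisible to callers.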

Question 180

A company wants to automatically rotate IAM access keys for users and notify administrators before expiration. Which AWS configuration achieves this requirement?

A) IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging only

D) S3 bucket policies

Answer: A) IAM with CloudWatch Events and Lambda automation

Explanation:

IAM stores the creation date of each access key and, through GetAccessKeyLastUsed, when and where it was last used; the credential report exposes the same data for every user at once. An EventBridge scheduled rule runs a Lambda function on a fixed cadence, and the function does the work: it computes each active key's age, sends an SNS notification to the owner when a key is within the warning window before the rotation deadline, and for keys past the deadline creates the replacement key, hands it over through the team's secure channel, then sets the old key Inactive and deletes it once it shows no further use. This keeps stale keys from surviving indefinitely, produces a CloudTrail record of every rotation, and removes the manual step that most often gets skipped. The Config rule access-keys-rotated provides the compliance view, the job must run in every account because IAM users are account-scoped, and any workload that can use a role instead of a key should, so that there is nothing to rotate.

Security groups manage network traffic but cannot rotate IAM access keys or send proactive notifications.

CloudTrail logs API activity but cannot automate key rotation or notifications. It provides audit data but requires manual action.

S3 bucket policies control object access and do not manage IAM keys or rotation.

IAM with CloudWatch Events and Lambda automation is correct because it automates rotation, provides proactive monitoring, sends alerts, and ensures secure and efficient access key management, improving operational security.
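Questions 165 and 180 (key rotation and advance notice) and Question 173 (inactive users) are all served by one scheduled job over the IAM credential report. The following block is an added example, not code from this page or from AWS: it parses the report, flags keys past the rotation limit and keys entering the warning window, computes each user's last activity and flags users idle for 60 days, and turns every finding into the concrete IAM call (there is no disable-user API; the login profile is deleted and keys are set Inactive). The CSV is constructed sample data in the credential report's real column layout, the "as of" date is fixed so the results are stable, and the 90-day, 14-day and 60-day thresholds are policy choices.

```python
"""Scheduled audit of IAM long-term credentials from the IAM credential report.
Added example, not from the page: flags access keys older than the rotation
limit (and keys approaching it, for the advance notification), users with no
password or key use for 60 days, and turns each finding into the concrete IAM
action (there is no 'disable user' API: the login profile is deleted and keys
are set Inactive). The CSV below is constructed sample data in the credential
report's real column layout; the 'as of' date is fixed so the output is stable."""
import csv
import io
from datetime import datetime, timezone

ROTATE_AFTER_DAYS, WARN_BEFORE_DAYS, INACTIVE_AFTER_DAYS = 90, 14, 60
MISSING = ("N/A", "no_information", "not_supported", "")


def _ts(value: str):
    """Parse a report timestamp; None for N/A / no_information / not_supported."""
    return None if value in MISSING else datetime.fromisoformat(value.replace("Z", "+00:00"))


def _age_days(value: str, now: datetime):
    t = _ts(value)
    return None if t is None else (now - t).days


def audit(report_csv: str, now: datetime) -> list:
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root appears in the report too; handle it out of band, never by automation
        # (1) key age: rotate when over the limit, warn when inside the notice window
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is None:
                continue
            if age >= ROTATE_AFTER_DAYS:
                findings.append({"user": user, "key": n, "issue": "key_overdue", "age_days": age,
                                 "action": f"update_access_key(UserName={user!r}, Status='Inactive') "
                                           "after the replacement key is in use"})
            elif age >= ROTATE_AFTER_DAYS - WARN_BEFORE_DAYS:
                findings.append({"user": user, "key": n, "issue": "key_expiring", "age_days": age,
                                 "action": "notify owner; create replacement key"})
        # (2) inactivity: most recent of password use, key use and user creation
        last = [t for t in (_ts(row["password_last_used"]), _ts(row["access_key_1_last_used_date"]),
                            _ts(row["access_key_2_last_used_date"])) if t]
        last_seen = max(last) if last else _ts(row["user_creation_time"])
        idle = (now - last_seen).days
        if idle >= INACTIVE_AFTER_DAYS:
            steps = []
            if row["password_enabled"] == "true":
                steps.append(f"delete_login_profile(UserName={user!r})")
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    steps.append(f"update_access_key(UserName={user!r}, AccessKeyId=<key {n}>, Status='Inactive')")
            findings.append({"user": user, "issue": "inactive", "idle_days": idle,
                             "action": "; ".join(steps) or "nothing to disable"})
    return findings


def fetch_report() -> str:
    """Real run: generate and download the report (boto3 imported lazily; needs credentials)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


HEADER = ("user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
          "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
          "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
          "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
          "access_key_2_last_used_region,access_key_2_last_used_service,"
          "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated")
SAMPLE_REPORT = "\n".join([HEADER,  # constructed rows
    # alice: console user, active last week, key 1 rotated 101 days ago -> overdue
    "alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-25T08:00:00+00:00,"
    "2024-03-01T00:00:00+00:00,N/A,true,true,2024-02-21T00:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # ci-bot: key only, used daily, key 81 days old -> inside the 14-day warning window
    "ci-bot,arn:aws:iam::123456789012:user/ci-bot,2023-06-01T00:00:00+00:00,false,not_supported,not_supported,"
    "not_supported,false,true,2024-03-12T00:00:00+00:00,2024-05-31T23:00:00+00:00,eu-west-1,ecr,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # bob: password never used, no keys, created 200 days ago -> inactive
    "bob,arn:aws:iam::123456789012:user/bob,2023-11-14T00:00:00+00:00,true,no_information,2023-11-14T00:00:00+00:00,"
    "N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
])
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT, AS_OF):
        print(f)
```

In the scheduled Lambda, replace SAMPLE_REPORT and AS_OF with fetch_report() and datetime.now(timezone.utc), publish the key_expiring findings to SNS, and apply the actions for key_overdue and inactive findings through the IAM client; keeping the actions as reversible Inactive/delete-login-profile steps rather than deletions is what makes it safe to run unattended.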
