Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 3 Q41-60


Question 41

A company wants to enforce that all data stored in S3 is encrypted at rest, regardless of whether the data is uploaded via API, console, or SDK. Which solution ensures this requirement?

A) Apply a bucket policy requiring server-side encryption (SSE)

B) Enable versioning on all buckets

C) Use IAM roles to allow only specific users

D) Configure security groups for S3 access

Answer: A) Apply a bucket policy requiring server-side encryption (SSE)

Explanation:

A bucket policy requiring SSE enforces encryption at the storage level for all objects uploaded to an S3 bucket. By specifying SSE-S3, SSE-KMS, or SSE-C in the policy, administrators can ensure that any PUT or POST request without proper encryption is denied. This provides consistent encryption coverage for all access methods, including AWS Management Console, API, SDKs, and CLI tools. Additionally, integrating SSE with AWS KMS allows fine-grained access control, audit logging through CloudTrail, and automatic key rotation, providing both security and compliance benefits. This centralized enforcement reduces the risk of unencrypted sensitive data being exposed due to misconfigurations or human error.

Enabling versioning on buckets is useful for recovering previous versions of objects in case of accidental deletion or overwrites. However, versioning does not enforce encryption. It is primarily a data recovery mechanism and does not guarantee that all new objects are encrypted at rest.

Using IAM roles to allow only specific users provides control over who can upload or modify data, but does not guarantee that the data will be encrypted. Users could upload objects without SSE, and IAM roles alone cannot enforce encryption requirements.

Configuring security groups does not control encryption. Security groups only manage network traffic to and from resources like EC2 instances and do not apply to S3 storage permissions or encryption policies.

Applying a bucket policy requiring SSE is correct because it enforces encryption uniformly for all uploads, integrates with KMS for advanced security, ensures compliance with regulatory standards, and reduces the risk of data exposure. It provides both preventive controls and audit capabilities, making it the best solution for enforcing encryption at rest across all S3 access methods.

Applying a bucket policy requiring server-side encryption (SSE) is the most effective way to secure data stored in Amazon S3. Server-side encryption ensures that all objects uploaded to a bucket are automatically encrypted before being written to storage, using strong encryption algorithms such as AES-256 or AWS Key Management Service (KMS) managed keys. By enforcing encryption through a bucket policy, organizations can ensure that all users and applications interacting with the bucket adhere to a consistent security standard. This approach eliminates the risk of sensitive data being stored in plain text and provides a mechanism to enforce compliance with internal security policies and regulatory requirements.

Server-side encryption with S3 can be implemented in multiple ways. SSE-S3 uses encryption keys managed entirely by AWS, providing a straightforward and fully managed solution. SSE-KMS, on the other hand, leverages AWS Key Management Service to provide additional control over encryption keys, including auditing access and creating key rotation policies. By requiring SSE via bucket policy, administrators can ensure that only objects encrypted using the specified method are accepted, rejecting any upload that does not meet the policy requirement. This approach provides a centralized enforcement mechanism, reducing the possibility of human error or accidental misconfiguration by individual users or applications.

In contrast, simply enabling versioning on all buckets helps retain previous versions of objects to recover from accidental deletion or overwriting. While versioning improves data durability and recoverability, it does not inherently protect the data from unauthorized access or prevent the storage of unencrypted objects. Versioning is a complementary feature for data resilience, but cannot replace the fundamental need for encryption when it comes to securing sensitive information in S3.

Using IAM roles to allow only specific users provides fine-grained access control, restricting which users or applications can interact with the bucket or its objects. While IAM policies are critical for controlling access, they do not enforce encryption of data at rest. Users with permissions could still upload unencrypted objects unless the bucket policy explicitly requires SSE. IAM roles and policies are essential for access management, but are insufficient alone to meet encryption and compliance requirements without an SSE enforcement policy.

Configuring security groups for S3 access is not applicable in the context of S3 buckets because security groups are used to control network-level access for AWS compute resources such as EC2 instances. They do not provide object-level access controls or encryption enforcement for S3. Therefore, relying on security groups alone does not secure the bucket’s data or prevent unencrypted uploads.

Enforcing server-side encryption through bucket policies also enhances auditability and compliance. For instance, when using SSE-KMS, all access and usage of the encryption keys are logged in AWS CloudTrail, providing a detailed audit trail of which users or roles accessed the keys and performed encryption or decryption operations. This allows organizations to demonstrate compliance with industry standards such as HIPAA, GDPR, or PCI-DSS, which often require encryption of sensitive data and auditability of access to encryption keys.

In addition, bucket policies requiring SSE help prevent human errors during manual uploads, automated processes, or third-party application integrations. Any attempt to upload an object without the required encryption is automatically rejected, reducing the risk of accidentally storing sensitive data in plain text. Combined with AWS monitoring and alerting services, this ensures continuous enforcement of data protection standards.

Applying a bucket policy requiring server-side encryption (SSE) provides comprehensive data protection in Amazon S3. It ensures all objects are encrypted at rest, enforces organizational and compliance standards, integrates with auditing tools like CloudTrail, and prevents unencrypted uploads regardless of user permissions or access methods. While versioning, IAM roles, and security groups are important security measures in AWS, they do not provide the same level of consistent, enforced encryption for S3 objects. Therefore, using bucket policies with SSE is the correct and best-practice solution for protecting sensitive data in S3.

Question 42

A company wants to automatically rotate IAM access keys for users and receive notifications when keys are about to expire. Which AWS service combination provides this functionality?

A) AWS IAM with CloudWatch Events and Lambda

B) Security groups with notifications

C) S3 bucket policies

D) AWS Config rules only

Answer: A) AWS IAM with CloudWatch Events and Lambda

Explanation:

AWS IAM allows the creation and management of access keys for users. Access key rotation is a best practice to reduce the risk of compromised credentials. IAM does not rotate keys by itself, but a scheduled CloudWatch Events (EventBridge) rule can invoke a Lambda function that checks the age of each access key and either notifies administrators or rotates the key. Lambda functions can generate alerts, rotate keys programmatically, and update dependent applications with new credentials, ensuring minimal operational disruption. This combination enables automated monitoring, proactive notifications, and programmatic key rotation.

Security groups control network traffic and are unrelated to access key management. They cannot detect, rotate, or notify about IAM key expiration.

S3 bucket policies manage access to bucket objects but do not interact with IAM access keys or provide rotation or expiration monitoring.

AWS Config rules can detect IAM resources that are non-compliant, such as unused or old access keys, but Config alone cannot perform automated rotation or notifications. It is a monitoring and compliance tool rather than a fully automated remediation system.

IAM combined with CloudWatch Events and Lambda is correct because it allows automated monitoring of access key age, generates timely alerts, and can rotate keys programmatically. This ensures credential security, reduces the risk of compromised keys, and aligns with best practices for access key management and operational efficiency.

Question 43

A company wants to ensure that all IAM roles used for automation have the least privileges necessary and are periodically reviewed. Which AWS mechanism supports this requirement?

A) IAM Access Advisor and AWS Config compliance checks

B) Security groups

C) S3 bucket policies

D) CloudTrail logs only

Answer: A) IAM Access Advisor and AWS Config compliance checks

Explanation:

IAM Access Advisor provides insights into the services accessed by IAM roles, showing last-used timestamps for permissions. By reviewing these logs, administrators can remove unused permissions and ensure that roles adhere to the principle of least privilege. AWS Config compliance checks can continuously monitor IAM roles against defined policies or rules to detect roles that are over-permissioned. Config can generate alerts or trigger automated remediation when roles exceed allowed privileges. Together, these tools provide proactive governance, auditing, and enforcement of least privilege.

Security groups manage network traffic for compute resources and do not control or audit IAM permissions. They cannot enforce least privilege for roles or provide visibility into unused permissions.

S3 bucket policies control access to S3 objects, but cannot analyze or restrict permissions for IAM roles beyond S3-specific actions. They do not support periodic privilege reviews.

CloudTrail logs all API activity, which includes IAM actions. While CloudTrail provides auditing capabilities, it does not automatically provide insights into unused permissions or generate remediation guidance. Reviewing CloudTrail logs manually is labor-intensive and error-prone.

IAM Access Advisor with AWS Config compliance checks is correct because it enables visibility into actual usage of permissions, supports continuous monitoring for over-permissioned roles, allows automated alerts or remediation, and enforces the principle of least privilege. This combination ensures operational security and aligns with governance and compliance best practices.

Question 44

A company wants to enforce that all new EC2 instances in a specific account have a standardized set of security patches applied automatically. Which solution achieves this?

A) AWS Systems Manager Patch Manager

B) Security groups only

C) CloudTrail logging

D) IAM policies

Answer: A) AWS Systems Manager Patch Manager

Explanation:

AWS Systems Manager Patch Manager automates patching of managed instances, including Amazon Linux, Ubuntu, and Windows servers. By defining patch baselines, administrators can specify which patches are required for compliance, automatically apply them to newly launched EC2 instances, and schedule recurring patching. Patch Manager integrates with Systems Manager State Manager and Automation documents to ensure that instances remain compliant with security baselines. This approach reduces the operational burden of manual patching, ensures timely updates, and mitigates vulnerabilities.

Security groups only control network traffic and cannot enforce software patching. They cannot monitor patch compliance or apply updates to instances.

CloudTrail logs API calls, including EC2 launches, but does not apply patches or enforce configuration compliance. It is a monitoring and auditing service, not a remediation tool.

IAM policies manage access permissions and cannot enforce or apply operating system patches on instances. While they can restrict who can perform certain actions, they do not ensure compliance with patching baselines.

AWS Systems Manager Patch Manager is correct because it provides automated, consistent, and auditable patching across EC2 instances. It supports patch compliance reporting, integrates with other Systems Manager tools for enforcement, and aligns with best practices for vulnerability management.

Question 45

A company wants to ensure that sensitive RDS data is encrypted in transit and at rest and can be accessed only by specific application servers. Which configuration meets this requirement?

A) Enable RDS encryption with KMS and enforce SSL connections

B) Use unencrypted RDS instances with security groups

C) Store data in S3 instead of RDS

D) Enable IAM policies without encryption

Answer: A) Enable RDS encryption with KMS and enforce SSL connections

Explanation:

Enabling RDS encryption with AWS KMS ensures that data at rest is encrypted and that only authorized users and roles with proper KMS permissions can access it. Enforcing SSL (TLS) connections ensures that all data transmitted between RDS and application servers is encrypted in transit, preventing eavesdropping or man-in-the-middle attacks. Security groups can further restrict access to RDS instances by allowing only specific application servers, combining network-level and encryption-based access control. This configuration ensures end-to-end protection for sensitive data.

Using unencrypted RDS instances exposes data at rest to risk and does not meet security compliance standards. While security groups can restrict network access, data remains unprotected in storage.

Storing data in S3 instead of RDS may provide encryption at rest via SSE, but it does not address relational database functionality, transaction management, or the requirement for controlled access via application servers.

Enabling IAM policies without encryption only controls access to RDS but does not secure the actual data in transit or at rest. Sensitive information could be intercepted or compromised.

Enabling RDS encryption with KMS and enforcing SSL connections is correct because it ensures both data-at-rest and data-in-transit protection, integrates with fine-grained access controls, and aligns with best practices for securing sensitive relational data.

Question 46

A company wants to prevent unauthorized access to Lambda functions that process sensitive financial data. Which combination of measures provides the strongest protection?

A) IAM roles with least privilege, resource-based policies, and VPC endpoints

B) Security groups only

C) CloudTrail logging only

D) Lambda environment variables without encryption

Answer: A) IAM roles with least privilege, resource-based policies, and VPC endpoints

Explanation:

IAM roles with least privilege ensure that Lambda functions can only perform actions that are required for their specific workload. Assigning fine-grained permissions prevents the function from accessing unrelated resources, reducing potential attack surfaces. Resource-based policies can restrict which AWS principals or accounts are allowed to invoke the Lambda function, providing additional protection against unauthorized access from other accounts or users. This ensures that only trusted entities can execute sensitive operations.

VPC endpoints allow Lambda functions to access AWS services privately without traversing the public internet. This reduces exposure to external threats and ensures secure communication between the function and other AWS resources, such as S3 or DynamoDB. Combined with IAM and resource policies, VPC endpoints strengthen security by controlling both identity and network access.

Security groups alone are insufficient. They operate at the network interface level and control inbound/outbound traffic, but they cannot enforce identity-based access or restrict who can invoke Lambda functions.

CloudTrail logging captures API calls for auditing and monitoring, but does not prevent unauthorized access or provide enforcement mechanisms. It is a reactive tool rather than a proactive security control.

Using unencrypted environment variables exposes sensitive data, such as credentials or tokens, to anyone who can view the Lambda configuration. This violates best practices and does not prevent unauthorized access to the function itself.

The combination of IAM roles with least privilege, resource-based policies, and VPC endpoints is correct because it provides multi-layered protection: enforcing access control by identity, limiting network exposure, and protecting sensitive data. Together, these controls prevent unauthorized execution of Lambda functions, reduce the risk of data breaches, and support compliance with security best practices.

Question 47

A company wants to automatically revoke access keys for IAM users who have been inactive for 90 days. Which AWS service combination achieves this?

A) AWS IAM with CloudWatch Events and Lambda automation

B) Security groups only

C) CloudTrail logging without automation

D) S3 bucket policies

Answer: A) AWS IAM with CloudWatch Events and Lambda automation

Explanation:

IAM provides metadata for user activity, including the last time each access key was used. A scheduled CloudWatch Events (EventBridge) rule can invoke a Lambda function periodically to check this metadata and detect access keys that have not been used for a specified period, such as 90 days. When a key exceeds the inactivity threshold, the function can automatically deactivate or delete the access key. This reduces the risk of stale credentials being compromised and ensures compliance with security policies for key rotation and access management.

Security groups operate at the network level and cannot detect inactive IAM keys or revoke them. They only manage inbound/outbound traffic to compute resources and provide no functionality for identity governance.

CloudTrail logging records all API activity, including key usage, but by itself does not automate revocation. Manual analysis of logs to identify inactive keys would be labor-intensive, error-prone, and reactive rather than proactive.

S3 bucket policies control access to objects within a bucket but do not manage IAM credentials or automate key revocation. They are resource-level permissions and unrelated to user inactivity.

Using AWS IAM with CloudWatch Events and Lambda automation is correct because it provides proactive, automated detection and remediation for inactive keys, enforces least privilege, reduces operational risk, and aligns with best practices for credential lifecycle management. It combines monitoring, alerting, and automated enforcement to maintain a secure environment.
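Added example for Questions 42 and 47, not taken from the exam page: the decision logic a scheduled EventBridge-to-Lambda job would run over IAM access keys, deciding which keys are approaching the rotation deadline, which are past it, and which have been idle long enough to deactivate. The classify_keys() function is pure so it can be run offline on constructed metadata; lambda_handler() shows how it would be fed from boto3 (list_users, list_access_keys, get_access_key_last_used and update_access_key are real IAM APIs). The thresholds, the function names and the sample users are assumptions, and the notification step is left as a print where an SNS publish would go.

```python
"""Access key lifecycle check: constructed example, not the exam page's code."""
from datetime import datetime, timedelta, timezone

ROTATION_WARN_DAYS = 80    # assumption: warn 10 days before the rotation deadline
ROTATION_MAX_DAYS = 90     # assumption: keys older than this must be rotated
INACTIVITY_MAX_DAYS = 90   # from Question 47: revoke keys unused for 90 days


def classify_keys(keys, now):
    """Return a list of (user, key_id, action) tuples.

    Each entry of `keys` is a dict shaped like the metadata a Lambda would
    assemble from IAM: UserName, AccessKeyId, Status, CreateDate, LastUsedDate
    (None for a key that has never been used). Actions are "deactivate"
    (idle too long), "rotate" (past max age), "warn" (approaching max age)
    or "ok".
    """
    results = []
    for k in keys:
        if k["Status"] != "Active":
            results.append((k["UserName"], k["AccessKeyId"], "ok"))  # already inactive
            continue
        age = now - k["CreateDate"]
        # A never-used key has been idle since the day it was created.
        idle = now - (k["LastUsedDate"] or k["CreateDate"])
        if idle > timedelta(days=INACTIVITY_MAX_DAYS):
            action = "deactivate"
        elif age > timedelta(days=ROTATION_MAX_DAYS):
            action = "rotate"
        elif age > timedelta(days=ROTATION_WARN_DAYS):
            action = "warn"
        else:
            action = "ok"
        results.append((k["UserName"], k["AccessKeyId"], action))
    return results


def lambda_handler(event, context):
    """Entry point for the scheduled EventBridge rule (needs AWS credentials)."""
    import boto3  # imported here so the module loads without boto3 installed
    iam = boto3.client("iam")
    now = datetime.now(timezone.utc)
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for md in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=md["AccessKeyId"])
                keys.append({"UserName": name, "AccessKeyId": md["AccessKeyId"],
                             "Status": md["Status"], "CreateDate": md["CreateDate"],
                             "LastUsedDate": used["AccessKeyLastUsed"].get("LastUsedDate")})
    for name, key_id, action in classify_keys(keys, now):
        if action == "deactivate":
            iam.update_access_key(UserName=name, AccessKeyId=key_id, Status="Inactive")
        if action != "ok":
            print(f"{name} {key_id}: {action}")  # assumption: replace with an SNS publish
    return {"evaluated": len(keys)}


# Constructed sample metadata for an offline run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=85), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": NOW - timedelta(days=3)},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE00000004", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=100)},
    {"UserName": "erin", "AccessKeyId": "AKIAEXAMPLE00000005", "Status": "Active",
     "CreateDate": NOW - timedelta(days=95), "LastUsedDate": None},
    {"UserName": "frank", "AccessKeyId": "AKIAEXAMPLE00000006", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=300), "LastUsedDate": None},
]

if __name__ == "__main__":
    for row in classify_keys(SAMPLE_KEYS, NOW):
        print(row)
```

Running the file offline classifies the six constructed keys: alice is fine, bob is warned, carol must be rotated, and dave and erin are deactivated (erin's key was never used, so its idle time runs from creation). Keying the deactivation decision on last use rather than on age is what makes this the Question 47 control rather than the Question 42 one; both checks share the same data, which is why a single scheduled function can do both.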

Question 48

A company wants to detect unusual API activity across multiple AWS accounts and automatically generate security findings. Which service combination supports this requirement?

A) Amazon GuardDuty with AWS Security Hub

B) AWS Config only

C) CloudTrail without analysis

D) IAM roles with MFA

Answer: A) Amazon GuardDuty with AWS Security Hub

Explanation:

Amazon GuardDuty continuously monitors AWS accounts for anomalous and potentially malicious activity by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs. GuardDuty uses machine learning and threat intelligence feeds to detect unusual patterns, such as API calls from unknown IP addresses, attempts to escalate privileges, or access from regions where the company does not operate. Findings generated by GuardDuty include detailed information about the event, affected resources, and severity.

AWS Security Hub aggregates findings from GuardDuty, Macie, Inspector, and other integrated services across multiple accounts. It provides a centralized dashboard for security teams to review, prioritize, and respond to alerts efficiently. Security Hub also supports automated response workflows through CloudWatch Events and Lambda, enabling remediation actions based on detected anomalies.

AWS Config monitors configuration compliance and resource changes, but does not detect real-time anomalous API activity. Config is reactive and focused on governance rather than threat detection.

CloudTrail provides logs of all API calls, but does not generate security findings or alerts by itself. Detecting anomalies from CloudTrail alone requires custom analysis and additional tooling.

IAM roles with MFA improve access security but do not detect or alert on anomalous API activity. They provide preventive controls but no monitoring or detection capabilities.

Amazon GuardDuty with Security Hub is correct because it provides automated, continuous detection of suspicious API activity across multiple accounts, centralized findings, and the ability to trigger automated remediation. This combination strengthens security posture, reduces detection time, and supports compliance monitoring.
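Added example, not from the exam page: the automated-response side of the GuardDuty and Security Hub pairing described above. An EventBridge rule (the pattern is included as a dict) forwards GuardDuty findings to a Lambda function, which maps the finding's numeric severity onto GuardDuty's published bands and extracts the principal and caller IP a responder needs. The event layout follows the GuardDuty finding format; the sample event is constructed, and the queue names, function names and the finding id are assumptions.

```python
"""GuardDuty finding triage: constructed example, not the exam page's code."""

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = [(7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]

# Assumption: an EventBridge rule with this pattern routes only high findings
# to the paging function; EventBridge's numeric matching syntax is used.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Assumption: where each severity band is routed.
QUEUE_FOR_SEVERITY = {"HIGH": "page-oncall", "MEDIUM": "ticket", "LOW": "log-only"}


def severity_label(score):
    """Map GuardDuty's numeric severity onto its named bands."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "INFORMATIONAL"  # below 1.0 is outside the published bands (assumption)


def triage_finding(event):
    """Pull out what a responder needs from one GuardDuty finding event."""
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    # Findings about IAM activity carry the principal under resource.accessKeyDetails.
    principal = None
    resource = detail.get("resource", {})
    if resource.get("resourceType") == "AccessKey":
        ak = resource.get("accessKeyDetails", {})
        principal = f"{ak.get('userType')}:{ak.get('userName')}"
    # The caller IP sits under service.action.awsApiCallAction for API-call findings.
    remote_ip = (detail.get("service", {}).get("action", {})
                 .get("awsApiCallAction", {}).get("remoteIpDetails", {})
                 .get("ipAddressV4"))
    return {
        "id": detail["id"],
        "account": detail["accountId"],
        "type": detail["type"],
        "severity": label,
        "principal": principal,
        "remote_ip": remote_ip,
        "queue": QUEUE_FOR_SEVERITY.get(label, "log-only"),
    }


def lambda_handler(event, context):
    """EventBridge target: triage and hand off (the hand-off is a print here)."""
    result = triage_finding(event)
    print(f"[{result['queue']}] {result['type']} severity={result['severity']} "
          f"principal={result['principal']} ip={result['remote_ip']}")
    return result


# Constructed sample event in the GuardDuty finding layout.
SAMPLE_FINDING_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "00example00finding00id",
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": "PrivilegeEscalation:IAMUser/AnomalousBehavior",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"userType": "IAMUser", "userName": "deploy-bot"},
        },
        "service": {
            "action": {
                "actionType": "AWS_API_CALL",
                "awsApiCallAction": {
                    "api": "AttachUserPolicy",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                },
            }
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_FINDING_EVENT, None))
```

The pattern-level severity filter is what keeps the paging queue quiet: the rule only delivers findings at 7.0 and above, and anything lower is left for Security Hub's dashboard. Treating the finding's own severity as the routing key, rather than its type string, means new finding types GuardDuty introduces are handled without changing the rule.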

Question 49

A company wants to automatically remediate IAM roles that have excessive permissions beyond the approved security baseline. Which AWS service combination is most suitable?

A) AWS Config with Systems Manager Automation

B) CloudTrail logging only

C) S3 bucket policies

D) Security groups

Answer: A) AWS Config with Systems Manager Automation

Explanation:

AWS Config allows organizations to continuously evaluate IAM roles against predefined compliance rules, such as detecting roles with permissions exceeding an approved baseline. Config provides managed rules or supports custom rules that can identify over-permissioned roles. When a role violates a policy, Config can trigger AWS Systems Manager Automation to remediate the issue, such as revoking unapproved permissions or replacing the role with a compliant version. This ensures that IAM roles remain aligned with security standards and reduces the risk of privilege escalation or misuse.

CloudTrail logs all API actions, including IAM modifications, but does not enforce compliance or automatically remediate over-permissioned roles. Manual analysis would be required, which is time-consuming and error-prone.

S3 bucket policies control access to specific S3 resources and cannot audit or remediate IAM role permissions. They do not provide a solution for excessive permissions in IAM roles.

Security groups manage network traffic and do not influence IAM role permissions. They cannot detect or remediate over-permissioned roles.

AWS Config with Systems Manager Automation is correct because it provides continuous monitoring, automated detection, and remediation of IAM roles that exceed the approved permissions baseline. This combination enforces least privilege, reduces operational risk, and supports compliance audits.

Question 50

A company wants to prevent accidental public exposure of sensitive RDS databases. Which solution provides the most effective protection?

A) Use RDS security groups, IAM policies, and VPC isolation

B) Enable CloudTrail logging only

C) Rely on default RDS settings

D) Use S3 encryption

Answer: A) Use RDS security groups, IAM policies, and VPC isolation

Explanation:

RDS security groups control inbound and outbound traffic to database instances. By restricting access to specific IP addresses or application servers, security groups prevent unauthorized network access and reduce the risk of accidental exposure.

IAM policies allow administrators to control which users or roles can modify database settings, create new instances, or adjust security groups. By enforcing strict IAM permissions, only authorized personnel can make configuration changes, further reducing the risk of accidental exposure.

VPC isolation ensures that databases are deployed within private subnets, without direct access from the public internet. Combined with private endpoints or VPC peering, this architecture limits exposure to trusted resources within the organization’s network.

Enabling CloudTrail logging only records changes and access events but does not prevent misconfigurations or accidental exposure. Logging is reactive, not preventive.

Relying on default RDS settings does not guarantee private deployment or secure network access. Defaults may allow public endpoints or less restrictive access, which can lead to accidental exposure.

Using S3 encryption is unrelated to RDS database network access. While it protects data in S3, it does not secure RDS database connectivity.

RDS security groups, IAM policies, and VPC isolation are correct because they combine network-level restrictions, identity-based access control, and architectural isolation. Together, they provide proactive protection against accidental exposure, enforce security best practices, and minimize the risk of unauthorized access to sensitive database instances.

Question 51

A company wants to ensure that all API calls to S3 buckets are encrypted in transit. Which configuration enforces this requirement?

A) Require SSL connections in bucket policies

B) Enable S3 versioning

C) Use IAM policies only

D) Apply security groups to S3

Answer: A) Require SSL connections in bucket policies

Explanation:

Requiring SSL connections in S3 bucket policies enforces encryption in transit by ensuring that all requests use HTTPS. Any attempt to access the bucket using HTTP is denied, guaranteeing that data is encrypted between the client and the S3 service. This is critical for protecting sensitive data against eavesdropping, man-in-the-middle attacks, or accidental exposure. Bucket policies provide centralized enforcement, ensuring that the requirement applies consistently to all users and applications accessing the bucket. Compliance frameworks often mandate encryption in transit, making this configuration essential for regulatory adherence.

Enabling S3 versioning provides the ability to recover previous versions of objects, but does not enforce encryption in transit. It is a data durability mechanism and unrelated to securing data movement.

IAM policies control access to bucket actions and objects, but do not enforce transport-layer encryption. Users could still access the bucket using unencrypted protocols unless explicit policies or bucket configurations are applied.

Security groups manage network traffic for compute resources, but cannot enforce SSL connections to S3 buckets. Network controls are ineffective at the application protocol level for S3.

Requiring SSL connections in bucket policies is correct because it enforces secure communication for all S3 operations, protects sensitive data during transmission, provides centralized enforcement, and meets security and compliance requirements. This proactive approach ensures that no unencrypted data can be sent to or retrieved from the bucket.
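Added example for Questions 41 and 51, not from the exam page: the bucket policy that enforces both controls, one pair of Deny statements for uploads that do not declare SSE-KMS and one Deny for any request where aws:SecureTransport is false, together with a small evaluator that applies those statements to a constructed request context so the deny behaviour can be checked offline. The condition keys and operators are the real IAM ones; the bucket name, the function names and the evaluator itself (which models only the three operators the policy uses, not IAM's full evaluation logic) are assumptions.

```python
"""S3 bucket policy for SSE-KMS and TLS-only access: constructed example."""
import fnmatch
import json

BUCKET = "example-sensitive-data"  # assumption: placeholder bucket name

ENCRYPTION_AND_TLS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Question 41: refuse uploads that declare anything other than SSE-KMS
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Question 41: make the missing-header case explicit
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Question 51: refuse every operation that arrives over plain HTTP
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def policy_json():
    """The policy as the JSON document you would attach to the bucket."""
    return json.dumps(ENCRYPTION_AND_TLS_POLICY, indent=2)


def _condition_matches(condition, ctx):
    """Model the three operators used above against a request context dict."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                # Negated operator: an absent key also counts as "not equal".
                if actual is not None and actual == expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement that matches, else None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"  # constructed object key

if __name__ == "__main__":
    print(policy_json())
    # Constructed request contexts: an HTTPS upload with SSE-KMS passes, the rest are denied.
    print(is_denied(ENCRYPTION_AND_TLS_POLICY, "s3:PutObject", OBJECT_ARN,
                    {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}))
    print(is_denied(ENCRYPTION_AND_TLS_POLICY, "s3:GetObject", OBJECT_ARN,
                    {"aws:SecureTransport": "false"}))
```

Two practitioner caveats that the exam answer glosses over. First, S3 has applied SSE-S3 to every new object by default since January 2023, so a policy like this is really about forcing a specific method (SSE-KMS here, which is what gives you the CloudTrail key-usage trail the explanation mentions) rather than about encryption as such. Second, a Deny on aws:SecureTransport covers the whole bucket, including GetObject and ListBucket, so it must be tested against every client before it goes live; the evaluator above is a convenient way to do that for the request shapes you expect.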

Question 52

A company wants to automatically detect publicly accessible RDS instances and remediate them. Which AWS service combination achieves this goal?

A) AWS Config with Systems Manager Automation

B) Security groups only

C) CloudTrail logging only

D) IAM policies only

Answer: A) AWS Config with Systems Manager Automation

Explanation:

AWS Config allows organizations to monitor resource configurations continuously against predefined or custom rules. Managed rules like “rds-publicly-accessible-check” can identify RDS instances that are publicly exposed. When a non-compliant instance is detected, AWS Config can trigger remediation actions using Systems Manager Automation documents. Automation can modify instance settings, remove public access, or notify administrators for additional actions. This proactive approach ensures that public exposure is detected and mitigated quickly, reducing the risk of unauthorized access.

Security groups can restrict traffic, but do not automatically detect existing misconfigured RDS instances. Administrators would need to manually audit and remediate instances, which is time-consuming and error-prone.

CloudTrail logs all API actions and can show when an RDS instance was modified to allow public access. However, logs alone do not enforce compliance or provide automated remediation. Analysis of logs is reactive and does not prevent exposure.

IAM policies control who can modify RDS instances, but cannot automatically detect or remediate public access once it exists. Users with sufficient privileges could still configure instances incorrectly.

AWS Config with Systems Manager Automation is correct because it continuously monitors RDS configurations, identifies public exposure, triggers automated remediation, reduces human error, ensures compliance, and aligns with security best practices for protecting sensitive databases.
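Added example, not from the exam page: the same check the managed rule performs, written as a custom AWS Config rule so the evaluation logic is visible, plus the single RDS API call that a Systems Manager Automation remediation step would make. The Config event fields (invokingEvent, configurationItem, resultToken), the put_evaluations call and modify_db_instance are real APIs; the configuration items below are constructed, the function names are assumptions, and the boto3 calls are confined to functions that the offline run does not invoke.

```python
"""Custom Config rule for publicly accessible RDS instances: constructed example."""
import json

RDS_INSTANCE_TYPE = "AWS::RDS::DBInstance"


def evaluate(configuration_item):
    """Return (compliance_type, annotation) for one configuration item."""
    status = configuration_item.get("configurationItemStatus")
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        # Config still delivers an item for a deleted resource; do not flag it.
        return "NOT_APPLICABLE", "resource no longer exists"
    if configuration_item.get("resourceType") != RDS_INSTANCE_TYPE:
        return "NOT_APPLICABLE", "rule only evaluates RDS DB instances"
    cfg = configuration_item.get("configuration") or {}
    if cfg.get("publiclyAccessible") is True:
        return "NON_COMPLIANT", "DB instance has PubliclyAccessible=true"
    return "COMPLIANT", "DB instance is not publicly accessible"


def build_evaluation(configuration_item):
    """Shape the verdict as one entry of Config's PutEvaluations request."""
    compliance, note = evaluate(configuration_item)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Config custom-rule entry point (needs AWS credentials)."""
    import boto3  # imported here so the module loads without boto3 installed
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = build_evaluation(item)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


def remediate_public_access(db_instance_identifier):
    """What the Automation remediation step does: turn the flag off."""
    import boto3
    boto3.client("rds").modify_db_instance(DBInstanceIdentifier=db_instance_identifier,
                                           PubliclyAccessible=False,
                                           ApplyImmediately=True)


# Constructed configuration items in the layout Config delivers.
def _item(resource_id, public, status="OK"):
    return {
        "resourceType": RDS_INSTANCE_TYPE,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-06-01T12:00:00.000Z",
        "configuration": {"dBInstanceIdentifier": resource_id, "publiclyAccessible": public},
    }

PUBLIC_DB_ITEM = _item("db-example-public", True)
PRIVATE_DB_ITEM = _item("db-example-private", False)
DELETED_DB_ITEM = _item("db-example-gone", True, status="ResourceDeleted")

if __name__ == "__main__":
    for item in (PUBLIC_DB_ITEM, PRIVATE_DB_ITEM, DELETED_DB_ITEM):
        print(item["resourceId"], evaluate(item))
```

The deleted-resource branch matters in practice: Config evaluates a rule on configuration changes, and the final change for an instance is its deletion. Reporting NON_COMPLIANT for that item would fire the remediation against a resource that no longer exists and leave a stale finding. The remediation itself is a single ModifyDBInstance call with ApplyImmediately, which is why the page describes it as fast.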

Question 53

A company wants to ensure that all CloudTrail logs are encrypted at rest and access is restricted to authorized users. Which configuration satisfies this requirement?

A) Enable CloudTrail encryption with KMS and restrict S3 access using bucket policies

B) Enable versioning on the S3 bucket only

C) Use IAM policies without encryption

D) Enable S3 public access

Answer: A) Enable CloudTrail encryption with KMS and restrict S3 access using bucket policies

Explanation:

Enabling CloudTrail encryption with AWS KMS ensures that logs are encrypted at rest using either AWS-managed or customer-managed keys. This protects sensitive auditing data from unauthorized access. Restricting access with S3 bucket policies allows only authorized users or roles to read, write, or manage logs. Combining encryption and access control ensures that audit trails are both secure and compliant with organizational or regulatory standards. CloudTrail logs contain sensitive information about API calls and system activity, making encryption and access restrictions essential for security and privacy.

Enabling versioning on the S3 bucket allows recovery of previous objects but does not encrypt logs or enforce access control. Versioning alone cannot prevent unauthorized access or modification.

IAM policies without encryption control which users can access CloudTrail logs, but do not protect the data itself at rest. If credentials are compromised, the logs may be exposed.

Enabling public access on the S3 bucket exposes sensitive CloudTrail logs to everyone, which is insecure and violates best practices. It dramatically increases the risk of audit trail compromise.

CloudTrail encryption with KMS combined with S3 bucket policies is correct because it protects logs at rest, enforces strict access control, ensures auditability, and aligns with compliance and security best practices. This approach safeguards sensitive operational and security data against unauthorized access or tampering.

Question 54

A company wants to prevent unauthorized deletion of critical EBS snapshots while allowing administrators to manage them normally. Which feature achieves this?

A) Enable EBS snapshot delete protection

B) Use IAM policies to deny all deletion actions

C) Enable versioning on EBS volumes

D) Store snapshots in S3 with Object Lock

Answer: A) Enable EBS snapshot delete protection

Explanation:

EBS snapshot delete protection prevents accidental or unauthorized deletion of snapshots by ensuring that deletion commands are blocked unless the protection is disabled. Administrators can still perform other actions, such as creating or restoring snapshots, while the protection guarantees the snapshot remains intact until explicitly unprotected. This provides a balance between operational flexibility and security, ensuring critical backups are safeguarded against accidental or malicious removal.

Using IAM policies to deny all deletion actions is overly restrictive. While it prevents deletion, it also limits legitimate operational tasks and increases administrative overhead whenever a snapshot needs to be removed intentionally.

Enabling versioning on EBS volumes is not a feature that exists in the way it does for S3. EBS snapshots have no native versioning that protects against deletion, so this approach is ineffective.

Storing snapshots in S3 with Object Lock is not applicable because EBS snapshots are managed AWS resources and not stored directly in user-controlled S3 buckets. Object Lock cannot protect snapshots outside of S3.

Enabling EBS snapshot delete protection is correct because it provides an efficient mechanism to safeguard critical snapshots, prevents accidental deletion, maintains operational flexibility, aligns with best practices for backup management, and reduces the risk of data loss while allowing administrators to manage snapshots effectively.

Question 55

A company wants to detect anomalous behavior in IAM usage, such as unusual API calls or logins from unexpected locations. Which AWS service provides this capability?

A) Amazon GuardDuty

B) AWS Config

C) CloudTrail only

D) Security groups

Answer: A) Amazon GuardDuty

Explanation:

Amazon GuardDuty continuously monitors AWS accounts for suspicious activity and unauthorized behavior. It uses machine learning, anomaly detection, and threat intelligence feeds to detect unusual IAM activity, such as unexpected API calls, attempts to escalate privileges, or logins from unusual geographic locations. GuardDuty generates actionable findings that provide detailed context, including affected resources, user information, and severity levels. Integration with CloudWatch Events or Security Hub allows automated alerting and response to anomalous behavior.

AWS Config monitors resource configurations and compliance, but does not detect unusual API behavior or suspicious login activity. Config is focused on governance and configuration changes, not real-time threat detection.

CloudTrail logs all API calls, including IAM activity. While essential for auditing, CloudTrail alone does not analyze patterns or detect anomalies. Analyzing CloudTrail data requires additional tools and manual effort, making it reactive rather than proactive.

Security groups control network access and cannot monitor IAM usage or detect anomalous API behavior. They are network-level controls, not identity-focused threat detection tools.

Amazon GuardDuty is correct because it provides continuous, automated monitoring of IAM activity, identifies suspicious patterns, generates detailed findings, integrates with alerting and remediation workflows, and helps organizations respond proactively to potential threats. It enhances security posture and supports compliance requirements effectively.

Question 56

A company wants to ensure that all newly created S3 buckets are automatically checked for public access and remediated if found. Which AWS service combination achieves this?

A) AWS Config with Systems Manager Automation

B) CloudTrail logging only

C) IAM policies only

D) Security groups

Answer: A) AWS Config with Systems Manager Automation

Explanation:

AWS Config allows organizations to continuously evaluate resource configurations against pre-defined or custom rules. Managed rules such as “s3-bucket-public-read-prohibited” and “s3-bucket-public-write-prohibited” detect buckets that are publicly accessible. When a bucket violates these rules, Config can trigger remediation through Systems Manager Automation documents. These automation documents can modify bucket policies or ACLs to remove public access automatically. This approach provides proactive, continuous compliance without manual intervention.

CloudTrail logs all API calls, including bucket creation or modification. While CloudTrail provides an audit trail of actions, it does not enforce compliance or automatically remediate public access. Analysis of logs is reactive, requiring manual review or custom scripts to identify non-compliance.

IAM policies can restrict which users can create buckets or apply policies, but they cannot enforce or remediate public access if the bucket is misconfigured. Users with sufficient privileges could still inadvertently configure a bucket as public.

Security groups control network access to compute resources, but do not apply to S3 buckets. They cannot prevent or remediate publicly accessible buckets.

AWS Config with Systems Manager Automation is correct because it provides continuous monitoring of newly created S3 buckets, identifies public access violations in real-time, and triggers automated remediation. This combination ensures buckets remain secure, reduces the risk of data exposure, supports compliance audits, and minimizes human error in enforcing security policies.
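As an added example (not from the exam material and not AWS code), the kind of check a custom Config rule could perform on a bucket, followed by the remediation step an automation document would carry out: flag Allow statements that grant read or write actions to an anonymous principal unless a condition ties the caller to a known account, VPC, or network, flag public ACL grants, and strip both. The sample policy and grants are constructed, and the list of narrowing condition keys is an assumed subset of those AWS documents; the managed rules named above use AWS's own analysis, not this simplified logic.

```python
"""Added example: the evaluation a custom AWS Config rule could make to decide
whether an S3 bucket is publicly readable or writable, plus the remediation
step of stripping the offending grants. Simplified illustration (assumption),
not the logic behind the managed rules s3-bucket-public-read-prohibited and
s3-bucket-public-write-prohibited."""
import json

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}
# Condition keys that tie a "*" principal back to a known caller. Subset of the
# keys AWS documents for this purpose (assumption: list is not exhaustive).
NARROWING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_narrowed(condition):
    """True if any condition key restricts who the anonymous principal can be."""
    return any(k.lower() in NARROWING_KEYS
               for pairs in condition.values() for k in pairs)


def public_statements(policy, action_set):
    """Allow statements granting an action in action_set to everyone."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if _is_narrowed(stmt.get("Condition", {})):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & action_set:
            hits.append(stmt)
    return hits


def acl_is_public(grants):
    """True if the bucket ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS for g in grants)


def evaluate(policy, grants):
    """Config-style verdict for the bucket."""
    if acl_is_public(grants):
        return "NON_COMPLIANT"
    if public_statements(policy, READ_ACTIONS) or public_statements(policy, WRITE_ACTIONS):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def remediate(policy, grants):
    """What an automation step would do: drop public statements and ACL grants."""
    bad = public_statements(policy, READ_ACTIONS | WRITE_ACTIONS)
    kept = [s for s in _as_list(policy.get("Statement", [])) if s not in bad]
    clean_grants = [g for g in grants
                    if g.get("Grantee", {}).get("URI") not in PUBLIC_ACL_URIS]
    return dict(policy, Statement=kept), clean_grants


# Constructed sample: one statement correctly scoped to the organisation, one
# that accidentally opens the bucket to anonymous reads.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "AccidentalPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, SAMPLE_GRANTS))           # NON_COMPLIANT
    fixed_policy, fixed_grants = remediate(SAMPLE_POLICY, SAMPLE_GRANTS)
    print(evaluate(fixed_policy, fixed_grants))             # COMPLIANT
    print(json.dumps(fixed_policy, indent=2))
```

The verdict string matches the compliance types a Config rule reports, so the same function could sit behind a Lambda-backed custom rule; the remediation keeps the organisation-scoped statement and removes only the unconditional one, which is the behaviour you want from an automated fix that must not break legitimate cross-account access.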

Question 57

A company wants to ensure that all IAM users must use multi-factor authentication (MFA) before performing sensitive operations. Which AWS mechanism is most appropriate?

A) IAM policies enforcing MFA

B) Security groups

C) S3 bucket policies

D) CloudTrail logging only

Answer: A) IAM policies enforcing MFA

Explanation:

IAM policies can enforce MFA for specific users or groups when performing sensitive AWS actions. By including conditions like aws:MultiFactorAuthPresent in permission policies, administrators can ensure that users must authenticate using MFA before executing privileged actions. This strengthens identity security by requiring an additional authentication factor, reducing the risk of compromised credentials being used to perform sensitive operations. The policy can be applied selectively to specific services, users, or groups, aligning with the principle of least privilege and security best practices.

Security groups control network traffic and cannot enforce authentication mechanisms like MFA. They operate at the network layer and are unrelated to identity authentication policies.

S3 bucket policies can require MFA for certain actions, such as object deletion, but cannot enforce MFA across all AWS services or control general IAM user behavior. They are resource-level access controls and are limited in scope.

CloudTrail logs all API activity, including whether MFA was used for authentication. While CloudTrail enables auditing, it does not enforce MFA requirements. It is reactive and does not prevent non-compliant actions in real-time.

IAM policies enforcing MFA are correct because they provide proactive enforcement, ensuring that all sensitive operations require a second authentication factor. This reduces the risk of credential compromise, supports compliance requirements, and aligns with security best practices for identity and access management.
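As an added example (not from the exam material), the deny-unless-MFA policy shape that uses the aws:MultiFactorAuthPresent key, together with a small simulation of how that key is evaluated. The evaluator is an assumed, simplified stand-in for the IAM policy engine written for this example; it covers only Bool and BoolIfExists conditions and Deny statements, and the request contexts are constructed. It exists to show the one edge case that matters here: the key is absent when a request is signed with long-term access keys, so a plain Bool condition never matches such requests, while BoolIfExists does.

```python
"""Added example: a deny-unless-MFA IAM policy plus a small simulation of how
the aws:MultiFactorAuthPresent condition key is evaluated. The evaluator is a
simplified stand-in for IAM's policy engine (assumption), not AWS code; it only
handles Bool/BoolIfExists conditions and Deny statements."""
import fnmatch

# Recommended shape: deny sensitive actions unless MFA was used. BoolIfExists
# also matches when the key is absent from the request context, which is the
# case for calls signed with long-term access keys.
DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySensitiveActionsWithoutMFA",
        "Effect": "Deny",
        "Action": ["iam:*", "kms:ScheduleKeyDeletion", "ec2:TerminateInstances"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Same statement with the plain Bool operator: it silently does not apply when
# the key is missing, so access-key callers are never denied.
DENY_WITHOUT_MFA_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySensitiveActionsWithoutMFA",
        "Effect": "Deny",
        "Action": ["iam:*", "kms:ScheduleKeyDeletion", "ec2:TerminateInstances"],
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed request contexts (the key is a boolean when present).
CONTEXTS = {
    "temporary_creds_with_mfa": {"aws:MultiFactorAuthPresent": True},
    "temporary_creds_no_mfa": {"aws:MultiFactorAuthPresent": False},
    "long_term_access_key": {},   # key absent: no MFA information at all
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists blocks against a request context."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} not simulated")
        for key, wanted in pairs.items():
            if key not in context:
                # IfExists: a missing key counts as a match; plain Bool: no match
                if operator.endswith("IfExists"):
                    continue
                return False
            actual = "true" if context[key] else "false"
            if actual != str(wanted).lower():
                return False
    return True


def action_matches(patterns, action):
    """Case-insensitive wildcard match of an action against statement patterns."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def is_denied(policy, action, context):
    """True if a Deny statement in the policy applies to this request. An explicit
    Deny always wins; whether the action is otherwise allowed is out of scope."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not action_matches(stmt.get("Action", []), action):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():
        strong = is_denied(DENY_WITHOUT_MFA, "iam:CreateAccessKey", ctx)
        weak = is_denied(DENY_WITHOUT_MFA_WEAK, "iam:CreateAccessKey", ctx)
        print(f"{name:26} BoolIfExists denies={strong!s:5} Bool denies={weak}")
```

Running it prints that both policies deny the no-MFA session and pass the MFA session, but only the BoolIfExists version denies the long-term access key request. A Deny statement on its own grants nothing; the identity still needs a separate Allow, and the Deny overrides it whenever the condition matches.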

Question 58

A company wants to enforce encryption of all RDS database snapshots, including manual and automated snapshots. Which configuration ensures this?

A) Enable RDS encryption at the instance level

B) Use IAM policies only

C) Enable CloudTrail logging

D) Use security groups

Answer: A) Enable RDS encryption at the instance level

Explanation:

Enabling encryption at the RDS instance level ensures that all database snapshots—both automated and manual—are encrypted at rest using AWS-managed or customer-managed KMS keys. Any snapshot created from an encrypted instance inherits the encryption setting automatically. This guarantees that sensitive data remains protected even when backups are exported, copied, or shared across regions. Additionally, encrypted snapshots cannot be decrypted without the corresponding KMS key, providing strong security and compliance enforcement.

IAM policies alone control access to RDS instances or snapshot actions, but do not enforce encryption. Users with sufficient privileges could still create unencrypted snapshots if instance encryption is not enabled.

CloudTrail logs all API calls related to RDS snapshot creation. While useful for auditing, it does not enforce encryption. CloudTrail provides visibility, but cannot prevent unencrypted snapshot creation.

Security groups control network access to the RDS instance, but do not enforce encryption at rest. They are unrelated to snapshot security and data protection.

Enabling RDS encryption at the instance level is correct because it ensures all snapshots inherit encryption automatically, protects sensitive data at rest, integrates with KMS for fine-grained access control and auditing, and aligns with regulatory compliance and security best practices.

Question 59

A company wants to detect compromised EC2 instances based on unusual outbound network traffic patterns. Which AWS service provides this capability?

A) Amazon GuardDuty

B) AWS Config

C) IAM policies

D) CloudTrail only

Answer: A) Amazon GuardDuty

Explanation:

Amazon GuardDuty continuously monitors AWS accounts for suspicious activity, including unusual outbound network traffic from EC2 instances. GuardDuty uses machine learning models, anomaly detection, and threat intelligence to identify patterns indicative of compromised instances, such as communication with known malicious IP addresses, unusual DNS queries, or abnormal traffic volumes. Findings include detailed context, severity, affected resources, and recommended actions, enabling rapid response. Integration with CloudWatch Events or Security Hub allows automated alerts or remediation workflows, minimizing the window of exposure.

AWS Config monitors configuration compliance but does not analyze network traffic or detect anomalous behavior. Config is focused on governance and resource settings, not threat detection.

IAM policies control user and role permissions, but do not monitor traffic patterns or detect compromised instances. They prevent unauthorized actions but cannot identify behavioral anomalies.

CloudTrail logs API calls, providing an audit trail, but does not analyze network traffic or detect compromise. Detecting anomalies requires additional processing and is reactive.

Amazon GuardDuty is correct because it provides real-time monitoring of network behavior, detects unusual outbound traffic indicative of compromise, generates actionable security findings, integrates with alerting and remediation workflows, and enhances the organization’s overall security posture.

Question 60

A company wants to enforce that all Lambda functions accessing sensitive data must have encrypted environment variables and restricted access. Which configuration satisfies this requirement?

A) AWS KMS for environment variable encryption and resource-based policies

B) Use IAM policies only

C) Store secrets in plaintext in environment variables

D) Security groups only

Answer: A) AWS KMS for environment variable encryption and resource-based policies

Explanation:

AWS KMS can encrypt Lambda environment variables, ensuring that sensitive data like credentials, API keys, or tokens are stored securely. Only authorized Lambda functions with permissions to decrypt the KMS key can access these values at runtime. Resource-based policies further restrict which AWS principals or accounts can invoke the Lambda function, ensuring that only authorized entities can execute sensitive workloads. This approach provides both data protection and access control, reducing the risk of exposure.

Using IAM policies alone controls who can manage or invoke the function, but does not encrypt environment variables. Sensitive information may still be visible in plaintext to users with Lambda configuration access.

Storing secrets in plaintext exposes critical data to anyone with access to the Lambda configuration. It violates security best practices and significantly increases the risk of accidental or malicious exposure.

Security groups control network access for resources, but do not protect environment variables or restrict the invocation of Lambda functions. They are unrelated to identity-based or encryption controls.

AWS KMS for environment variable encryption combined with resource-based policies is correct because it ensures sensitive data is encrypted at rest, restricts function invocation to authorized principals, integrates with audit logging via CloudTrail, supports compliance requirements, and aligns with best practices for securing serverless workloads.
