Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 5 Q81-100
Question 81
A company wants to automatically enforce encryption on all newly created DynamoDB tables and audit access to sensitive data. Which configuration achieves this?
A) Enable DynamoDB encryption with KMS and use CloudTrail logging
B) Use IAM policies only
C) Enable security groups
D) Use S3 bucket policies
Answer: A) Enable DynamoDB encryption with KMS and use CloudTrail logging
Explanation:
Enabling encryption on DynamoDB tables with AWS KMS ensures that data at rest is encrypted under either an AWS managed key or a customer managed key. DynamoDB always encrypts tables at rest (by default with an AWS owned key that the customer cannot see or audit), so the real requirement is to enforce a KMS key the company controls. With a customer managed key, administrators decide through the key policy who may use the key, see every use of it in CloudTrail, and can rotate it to meet compliance requirements. Drift is caught with the AWS Config managed rule dynamodb-table-encrypted-kms, which flags any table that is not using a KMS key.
CloudTrail provides the audit side. A trail records DynamoDB management events (CreateTable, UpdateTable, DeleteTable and similar) by default; item-level reads and writes such as GetItem, PutItem and Query are data events and must be enabled explicitly on the trail before they appear in the log. Once enabled, CloudTrail shows who accessed or modified which table and when, supports detection of suspicious activity, and provides the evidence needed for forensic analysis and compliance reporting. Together, KMS encryption and CloudTrail protect the confidentiality of the data and the accountability of everyone who touches it.
Using IAM policies alone defines who may call the DynamoDB API but does not guarantee that the data is encrypted under a controlled key, and produces no audit trail of its own. If storage or credentials are compromised, sensitive data could be exposed.
Security groups control network traffic for EC2 and other VPC-attached resources. They operate at the network layer and have no effect on DynamoDB table encryption or auditing.
S3 bucket policies are irrelevant to DynamoDB because table data is not stored in S3. Bucket policies cannot enforce encryption or audit DynamoDB access.
Enabling DynamoDB encryption with KMS combined with CloudTrail logging is correct because it enforces encryption at rest under a key the company controls, provides detailed auditing of access and configuration changes, supports compliance requirements, and ensures secure management of sensitive data.
Question 82
A company wants to enforce multi-factor authentication (MFA) for all IAM users when performing sensitive operations. Which configuration accomplishes this goal?
A) Use IAM policies with MFA condition keys
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) Use IAM policies with MFA condition keys
Explanation:
IAM policies can enforce MFA with the condition key aws:MultiFactorAuthPresent. The usual pattern is an explicit Deny on sensitive actions when MFA is not present, which applies regardless of what other policies allow. The key is true for a console session or temporary credentials obtained with an MFA code (GetSessionToken or AssumeRole called with the device serial number and a token), false for temporary credentials obtained without one, and absent altogether when the caller signs with long-term access keys. Because a Bool condition never matches an absent key, a Deny written as "Bool": {"aws:MultiFactorAuthPresent": "false"} silently lets access-key requests through; the Deny must use "BoolIfExists" so that a missing key also triggers it. aws:MultiFactorAuthAge can additionally require that the MFA step happened within a chosen number of seconds. Administrators can apply the requirement to specific users, groups or operations, giving fine-grained security while keeping operational flexibility, and the approach aligns with identity and access management best practices and compliance standards.
Security groups control network traffic for resources such as EC2 instances. They operate at the network layer and do not verify user identity, so they cannot enforce MFA or prevent unauthorized actions at the account or API level.
CloudTrail logging records API calls, including whether MFA was used, but it does not enforce MFA. Logging is reactive: it captures the action after it has happened, so a violation still needs separate detection and response.
S3 bucket policies can require MFA for specific S3 operations, such as object deletion, but they are limited to S3 and cannot enforce MFA across all AWS services or sensitive operations.
Using IAM policies with MFA condition keys is correct because it actively enforces an additional authentication factor for sensitive actions, limits the damage from a credential compromise, supports compliance requirements, and works across AWS services.
Question 83
A company wants to prevent unauthorized deletion of CloudTrail logs while allowing normal log delivery. Which configuration achieves this?
A) Enable S3 bucket policies with MFA delete and KMS encryption
B) Enable S3 versioning only
C) Use IAM policies without encryption
D) Enable public access
Answer: A) Enable S3 bucket policies with MFA delete and KMS encryption
Explanation:
CloudTrail delivers log files to an S3 bucket, so protecting the logs means protecting that bucket. MFA delete is a setting on bucket versioning, not a bucket policy statement: it requires versioning to be enabled, and only the root user can turn it on, through the API or CLI (PutBucketVersioning with the MFA device serial number and a current code; the console cannot do it). Once enabled, permanently deleting an object version or changing the versioning state requires an MFA code, which prevents accidental or malicious deletion by anyone holding ordinary credentials. A bucket policy complements this by allowing s3:PutObject from the CloudTrail service principal while denying s3:DeleteObject and s3:DeleteObjectVersion to everyone else, so normal log delivery continues uninterrupted. KMS encryption protects the log files at rest: the key policy must allow the CloudTrail service principal to generate data keys, and only principals granted kms:Decrypt on that key can read the logs. CloudTrail log file validation (signed digest files) is the usual addition for detecting modification of files after delivery. Together these controls maintain the integrity and confidentiality of the audit logs and support regulatory compliance without interfering with delivery.
Enabling versioning alone allows recovery of previous object versions but does not prevent unauthorized deletion: anyone with delete permission can remove the versions as well. Versioning provides durability but lacks strict deletion protection, and it does nothing for confidentiality.
Using IAM policies without encryption only controls access permissions but cannot enforce deletion safeguards or protect the confidentiality of logs. Logs could be deleted or modified by compromised credentials.
Enabling public access exposes logs to everyone on the internet, creating a significant security risk and providing no deletion protection.
S3 bucket policies with MFA delete and KMS encryption are correct because they secure log data against unauthorized deletion, enforce access controls, provide auditability, and maintain normal log delivery. This ensures compliance, operational security, and data integrity.
Question 84
A company wants to detect anomalous behavior in IAM usage, such as unusual API calls or privilege escalation attempts. Which AWS service combination provides real-time detection and centralized alerting?
A) Amazon GuardDuty with Security Hub
B) IAM policies only
C) CloudTrail logging only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty continuously analyzes CloudTrail management events, VPC Flow Logs and DNS logs (plus optional sources such as S3 data events and EKS audit logs) and applies machine learning, anomaly detection and threat intelligence to raise findings such as unusual API call patterns, privilege escalation attempts (for example PrivilegeEscalation:IAMUser/AnomalousBehavior), or credentials used from an unexpected location. Each finding carries a severity, the affected resource and recommended actions. Security Hub aggregates findings from GuardDuty and other services across accounts and regions into one place, provides dashboards and compliance standards, and publishes every finding to EventBridge (formerly CloudWatch Events) so that Lambda or Systems Manager automations can respond. Together they give real-time detection, centralized alerting and a path to automated response for threats against IAM roles and users.
IAM policies alone define what users and roles are allowed to do. They are preventive controls and do not detect anomalous activity or generate alerts.
CloudTrail logs API activity, which is essential for auditing and is one of GuardDuty's inputs, but on its own it does not analyze patterns or produce actionable alerts; additional processing is required for threat detection.
Security groups control network traffic but cannot monitor IAM usage or detect anomalous behavior. They are network-layer controls with no insight into identity or API activity.
Amazon GuardDuty with Security Hub is correct because it provides automated anomaly detection, centralized alerting, actionable findings, and integration with response workflows. This combination improves security posture, reduces detection time, and ensures proactive monitoring of IAM activity.
Question 85
A company wants to enforce that all access keys for IAM users are rotated regularly and administrators receive notifications before expiration. Which AWS service combination supports this requirement?
A) AWS IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) AWS IAM with CloudWatch Events and Lambda automation
Explanation:
IAM creates and manages user access keys, and it exposes each key's creation date and last-use information through ListAccessKeys, GetAccessKeyLastUsed and the account credential report (GenerateCredentialReport / GetCredentialReport). EventBridge (formerly CloudWatch Events) does not watch key age by itself; a scheduled rule invokes a Lambda function, typically daily, and the function reads that metadata, notifies administrators (for example through SNS) when a key approaches the rotation deadline, and can rotate keys automatically by creating the user's second key, publishing it to the consuming application's secret store, deactivating the old key and deleting it once nothing uses it. The AWS Config managed rule access-keys-rotated provides the same age check as a continuous compliance signal. This keeps credential hygiene continuous, reduces the risk from stale or leaked keys, and removes the human error that comes with manual rotation.
Security groups control network traffic and cannot monitor or rotate IAM credentials. They are irrelevant for access key lifecycle management.
CloudTrail logs the API calls that create, rotate or delete access keys, but does not automate rotation or notifications. It provides visibility but requires manual intervention to maintain compliance.
S3 bucket policies govern access to S3 objects but cannot monitor or rotate IAM keys. They do not support credential lifecycle management.
AWS IAM with CloudWatch Events and Lambda automation is correct because it provides proactive monitoring, automated rotation, alerting, compliance enforcement, and reduced operational risk. This ensures secure management of IAM credentials and aligns with best practices for identity and access management.
Question 86
A company wants to ensure that all newly created S3 buckets have logging enabled and data encrypted at rest by default. Which approach achieves this across multiple accounts?
A) AWS Organization SCPs with AWS Config rules
B) Use IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organization SCPs with AWS Config rules
Explanation:
AWS Organizations service control policies (SCPs) set a permission ceiling for every account in the organization, so administrators can enforce baseline security requirements centrally. An SCP cannot inspect whether a CreateBucket call will produce a logged, encrypted bucket, but it can deny the calls that would weaken the baseline once it is in place, such as s3:DeleteBucketEncryption, s3:PutEncryptionConfiguration and s3:PutBucketLogging by anyone other than a designated provisioning role. Note that since January 2023 S3 applies SSE-S3 to every new object by default, so in practice the requirement is usually a customer-controlled KMS key rather than encryption as such. AWS Config managed rules such as s3-bucket-logging-enabled, s3-bucket-server-side-encryption-enabled and s3-default-encryption-kms then evaluate every bucket continuously, and a non-compliant bucket can trigger an automatic remediation through Systems Manager Automation that enables logging and sets the default encryption. Deploying the rules through an organization conformance pack and viewing results through a Config aggregator gives a single picture across accounts. This combination provides centralized governance, continuous compliance, and automated remediation without relying on each account to configure itself correctly.
Using IAM policies on each account requires manual enforcement and increases the risk of misconfiguration. IAM alone cannot guarantee compliance across multiple accounts or enforce bucket-level encryption and logging consistently.
Enabling S3 versioning ensures recovery of previous object versions but does not enforce encryption or logging. Versioning addresses durability rather than security or compliance.
Security groups control network traffic to resources but do not affect S3 bucket logging or encryption. They operate at the network layer and cannot enforce storage-level policies.
AWS Organization SCPs combined with AWS Config rules are correct because they centralize enforcement, monitor configuration compliance continuously, automate remediation, and ensure that all S3 buckets across multiple accounts meet security and compliance requirements.
Question 87
A company wants to ensure that all RDS instances are launched with encryption enabled and that backups inherit this encryption. Which configuration satisfies this requirement?
A) Enable RDS encryption at the instance level
B) Use IAM policies only
C) Enable security groups
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level
Explanation:
Enabling encryption at the RDS instance level ensures that the database, its logs and its underlying storage volumes are encrypted with an AWS KMS key. The setting is chosen when the instance is created and cannot be switched on afterwards: an existing unencrypted instance must be snapshotted, the snapshot copied with encryption enabled, and a new instance restored from the copy. Once set, the encryption extends to automated and manual backups, snapshots and read replicas, so every copy of the data carries the same protection; a snapshot can only be restored by an account that can use the key, and sharing one across accounts requires a customer managed key whose policy grants the other account access. KMS integration provides fine-grained access control, audit logging through CloudTrail, and optional key rotation. Enforcement is done by denying rds:CreateDBInstance unless the condition key rds:StorageEncrypted is true, and the AWS Config managed rule rds-storage-encrypted flags any instance that slipped through. Encrypting at the instance level keeps sensitive data secure, reduces the risk of exposure, and aligns with compliance requirements.
Using IAM policies alone controls who can create or manage RDS instances, but does not enforce encryption. Users with sufficient permissions could create unencrypted instances if encryption is not mandatory.
Security groups control network access but do not encrypt data at rest or enforce backup encryption. They operate at the network layer, not the storage or database layer.
CloudTrail logging tracks API calls and configuration changes, but cannot enforce encryption. Logging provides audit visibility but does not prevent non-compliant actions.
Enabling RDS encryption at the instance level is correct because it ensures that both primary data and all associated backups inherit encryption, integrates with KMS for access control, maintains compliance, and aligns with best practices for securing sensitive relational data.
Question 88
A company wants to automatically disable IAM users who have not logged in for 90 days to reduce the risk of orphaned accounts. Which AWS service combination achieves this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM exposes each user's password_last_used timestamp (through GetUser and the credential report) and each access key's last-used date (GetAccessKeyLastUsed), and EventBridge (formerly CloudWatch Events) can run a Lambda function on a schedule to compare those timestamps against the 90-day threshold. There is no single "disable user" API, so the function disables the user by deactivating its access keys (UpdateAccessKey with Status Inactive), deleting its console login profile (DeleteLoginProfile), or attaching an explicit-deny policy; deactivating rather than deleting keeps the credentials recoverable if the user turns out to be needed. Users that have never signed in should be measured from their creation date, otherwise they are never caught. The AWS Config managed rule iam-user-unused-credentials-check offers the same detection as a compliance signal. This automation reduces the risk of orphaned credentials being misused by malicious actors, enforces the organization's identity lifecycle policy, and removes the manual review.
Security groups manage network traffic and cannot monitor IAM user activity or disable accounts. They are irrelevant for identity lifecycle enforcement.
CloudTrail logs user activity, including console logins, but does not automate the detection or disabling of inactive users. It is reactive and requires manual intervention to remediate stale accounts.
S3 bucket policies control access to S3 objects and do not manage IAM user activity or lifecycle. They are not relevant to disabling unused accounts.
IAM combined with CloudWatch Events and Lambda automation is correct because it provides proactive detection of inactive users, automated remediation, compliance enforcement, and reduces operational risk from orphaned credentials.
Question 89
A company wants to detect anomalous network traffic patterns from EC2 instances that might indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty continuously monitors VPC Flow Logs, DNS logs, and CloudTrail events to detect anomalies in network traffic, including unusual connections or patterns from EC2 instances that may indicate compromise or data exfiltration. It reads flow and DNS data directly from the underlying services, so VPC Flow Logs do not have to be enabled or stored by the customer for the detection to work. GuardDuty uses machine learning, anomaly detection, and threat intelligence feeds to identify suspicious activity, such as communication with known malicious IP addresses, command-and-control lookups, port scanning, or unexpected traffic volumes. Findings include context, affected resources, and recommended actions, enabling rapid incident response. Integration with Security Hub or EventBridge (formerly CloudWatch Events) allows alerts or automated remediation, such as isolating the instance with a quarantine security group, to minimize exposure and prevent further compromise.
AWS Config monitors resource configuration changes but does not analyze network traffic or detect anomalous activity. Config is focused on compliance and configuration governance.
IAM policies control permissions, but cannot detect network-based threats or compromised instances. They are preventive controls, not monitoring or detection mechanisms.
CloudTrail logs API calls and activity, but does not analyze VPC traffic or detect anomalies in real time. CloudTrail is reactive and requires additional processing for threat detection.
Amazon GuardDuty is correct because it provides real-time anomaly detection, contextual findings, alerting, and integration with automated remediation workflows. This improves security posture, reduces incident response time, and protects EC2 workloads from potential threats.
Question 90
A company wants to enforce that all Lambda functions accessing secrets use encrypted environment variables and IAM roles for secure access. Which configuration satisfies this requirement?
A) Use AWS KMS for Lambda environment variable encryption and IAM roles
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) Use AWS KMS for Lambda environment variable encryption and IAM roles
Explanation:
Lambda always encrypts environment variables at rest with a KMS key; by default this is the AWS managed key aws/lambda, and the function can instead be configured with a customer managed key. With a customer managed key, the key policy decides who can read the variables: anyone who calls GetFunctionConfiguration or opens the console also needs kms:Decrypt on that key to see the values, which is what narrows exposure compared with the default key. The function's execution role is granted kms:Decrypt so the runtime can decrypt the variables at startup, and CloudTrail records every use of the key. Lambda's encryption helpers additionally keep a variable as ciphertext inside the runtime until the code decrypts it explicitly, so plaintext never sits in the deployment package or the function configuration. Optional automatic key rotation changes the key material without any change to the function code. Combining KMS encryption with IAM role-based access removes hardcoded credentials from code and gives strong data protection, controlled access, and operational compliance.
Storing secrets in plaintext environment variables exposes sensitive data to anyone with Lambda configuration access, significantly increasing the risk of leaks or misuse.
Using S3 buckets alone requires additional encryption and access management, lacks seamless integration with the Lambda runtime, and increases complexity and risk of misconfiguration.
Security groups control network traffic but cannot enforce encryption or access controls for Lambda environment variables. They operate at the network layer, not the application or identity layer.
Using AWS KMS for Lambda environment variable encryption combined with IAM roles is correct because it provides secure storage, controlled access, auditability, and alignment with security best practices. This ensures that sensitive secrets are protected, reduces operational risk, and supports compliance with organizational policies.
Question 91
A company wants to prevent public access to all newly created S3 buckets across multiple accounts while allowing internal users full access. Which AWS configuration achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
AWS Organizations service control policies (SCPs) provide centralized control over every account, allowing administrators to enforce baseline security requirements. The most reliable way to keep new buckets private is S3 Block Public Access enabled at the account level (all four settings on) in each account, with an SCP that denies s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock to everyone except a designated administration role, so that nobody in a member account can switch it off. Block Public Access rejects public ACLs and public bucket policies and ignores any that already exist, while leaving access by the account's own IAM principals untouched. AWS Config managed rules such as s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited and s3-account-level-public-access-blocks continuously evaluate every bucket and account and can trigger remediation through Systems Manager Automation, so any bucket that violates the policy is corrected automatically. Internal users keep full access through their IAM roles or through bucket policies that name their principals explicitly, providing a balance between security and operational flexibility.
IAM policies on each account require manual enforcement and can lead to inconsistent configurations, increasing the likelihood of misconfigured public access.
Enabling S3 versioning provides object recovery but does not prevent public exposure. Versioning is focused on durability and recovery, not access control.
Security groups control network traffic and cannot enforce S3 bucket access policies. They are network-layer controls and irrelevant for S3 permissions.
Using AWS Organizations SCPs with AWS Config rules is correct because it provides centralized enforcement, continuous monitoring, automated remediation, and ensures all buckets remain private while allowing internal access, aligning with best practices for multi-account security governance.
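The test the Config rules above perform on a bucket policy, as an added Python example that is not part of the original page or of any AWS SDK: it classifies constructed bucket policies the way s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited would in the common cases, and shows how the RestrictPublicBuckets setting of Block Public Access changes the outcome. The set of condition keys treated as restricting is an assumption (a subset of the keys S3 documents), only Allow statements with a wildcard principal are considered, and the bucket names, VPC endpoint ID and account ID are made up.

```python
"""Added example: approximate the "public bucket policy" check that S3 and the
Config managed rules apply. Not AWS code; simplified for illustration."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Set

# Assumption: condition keys that pin a wildcard principal to a fixed set of
# callers (S3 documents a longer list; this subset covers the common cases).
RESTRICTING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:principalaccount",
    "aws:principalarn", "aws:userid",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means anonymous or any-account access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants(actions: Any, wanted: str) -> bool:
    """Case-insensitive action match including wildcards such as s3:* or s3:Get*."""
    return any(fnmatchcase(wanted.lower(), pattern.lower()) for pattern in _as_list(actions))


def _restricted(condition: Dict[str, Dict[str, Any]]) -> bool:
    return any(key.lower() in RESTRICTING_KEYS
               for pairs in condition.values() for key in pairs)


def public_exposure(policy: Dict[str, Any]) -> Set[str]:
    """Return {"read"}, {"write"} or both for Allow statements open to the world.
    NotAction / NotPrincipal statements are not handled (assumption: absent)."""
    exposure: Set[str] = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if _restricted(stmt.get("Condition", {})):
            continue
        if _grants(stmt.get("Action", []), "s3:GetObject"):
            exposure.add("read")
        if _grants(stmt.get("Action", []), "s3:PutObject"):
            exposure.add("write")
    return exposure


def effectively_public(policy: Dict[str, Any], block_public_access: Dict[str, bool]) -> bool:
    """RestrictPublicBuckets makes S3 ignore public statements for anonymous and
    cross-account callers, so a public-looking policy is not reachable."""
    if block_public_access.get("RestrictPublicBuckets", False):
        return False
    return bool(public_exposure(policy))


# Constructed sample policies (no real buckets or accounts).
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-site/*"}]}
VPCE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
PARTNER_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-shared", "arn:aws:s3:::example-shared/*"]}]}
WORLD_WRITABLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-dropbox/*"}]}

ALL_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
ALL_ON = {name: True for name in ALL_OFF}


def classify(policy: Dict[str, Any], bpa: Dict[str, bool]) -> Dict[str, Any]:
    """What the policy grants to the world, and whether Block Public Access lets it through."""
    return {"exposure": sorted(public_exposure(policy)),
            "reachable": effectively_public(policy, bpa)}


if __name__ == "__main__":
    for name, pol in [("PUBLIC_READ", PUBLIC_READ), ("VPCE_ONLY", VPCE_ONLY),
                      ("PARTNER_ACCOUNT", PARTNER_ACCOUNT), ("WORLD_WRITABLE", WORLD_WRITABLE)]:
        print(name, "BPA off:", classify(pol, ALL_OFF), "BPA on:", classify(pol, ALL_ON))
```

The VPCE_ONLY policy is the case that trips up naive scanners: the principal is "*" but the aws:SourceVpce condition confines it to one endpoint, so S3 does not count it as public. The WORLD_WRITABLE policy is flagged for both read and write even with Block Public Access on; the account setting stops the exposure but the policy itself still needs fixing.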
Question 92
A company wants to ensure that IAM users who have not logged in for 60 days are automatically disabled. Which combination of AWS services accomplishes this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM tracks each user's password_last_used timestamp and each access key's last-used date, available through GetUser, GetAccessKeyLastUsed and the credential report. EventBridge (formerly CloudWatch Events) runs a Lambda function on a schedule that compares those timestamps against the 60-day threshold and disables any user that exceeds it by deactivating its access keys (UpdateAccessKey with Status Inactive) and deleting its console login profile (DeleteLoginProfile), since IAM has no single "disable user" call. Users that have never signed in are measured from their creation date so they cannot remain dormant forever. The AWS Config managed rule iam-user-unused-credentials-check reports the same condition for compliance dashboards. This approach provides automated identity lifecycle management, reduces operational overhead, and enforces compliance with security policies: only active users retain access, minimizing risk from dormant credentials.
Security groups manage network traffic but do not monitor IAM user activity or manage account status. They cannot enforce identity lifecycle policies.
CloudTrail logs API calls and login events, which is useful for auditing, but it cannot automatically disable inactive users. This approach is reactive rather than preventive.
S3 bucket policies govern access to S3 objects and are unrelated to IAM user lifecycle management. They cannot disable inactive accounts.
IAM combined with CloudWatch Events and Lambda automation is correct because it enables automated detection of inactive users, immediate remediation, compliance enforcement, and reduced security risk from orphaned accounts.
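The detection half of the automation described in Questions 85, 88 and 92, as an added Python example that is not part of the original page or of any AWS SDK: it parses the CSV that the IAM credential report (GenerateCredentialReport / GetCredentialReport) returns, lists active access keys older than a rotation limit, and lists users whose password and active keys have all been idle longer than a threshold (90 or 60 days). The report rows, the account ID and the user names are constructed, and the reference time is fixed so the results are reproducible; a real Lambda would fetch the report with boto3, use the current time, and act on the findings with UpdateAccessKey and DeleteLoginProfile.

```python
"""Added example: offline checks over an IAM credential report (the CSV that
GetCredentialReport returns). Not AWS code; the report rows are constructed."""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed report with the real column layout. Account 111122223333 and the
# users are fictitious. The report uses "N/A", "no_information" and
# "not_supported" as placeholders where no timestamp exists.
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-01-10T12:00:00+00:00,true,2024-06-01T07:30:00+00:00,2024-03-01T12:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-06-01T07:31:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-01-10T12:00:00+00:00,true,2023-11-02T10:00:00+00:00,2023-01-01T12:00:00+00:00,N/A,false,true,2022-06-01T00:00:00+00:00,2023-11-02T10:05:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-05-25T12:00:00+00:00,true,no_information,2024-05-25T12:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2021-07-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-20T00:00:00+00:00,2024-06-05T12:00:00+00:00,us-east-1,sts,true,2023-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the numbers are reproducible; a Lambda would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
PLACEHOLDERS = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601 with an offset; placeholders become None."""
    return None if value in PLACEHOLDERS else datetime.fromisoformat(value)


def load_report(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def stale_access_keys(rows: List[Dict[str, str]], max_age_days: int,
                      now: datetime = NOW) -> List[Tuple[str, str, int]]:
    """(user, key slot, age in days) for every active key older than max_age_days.
    Inactive keys are skipped: they cannot be used, and their cleanup path is deletion."""
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def inactive_users(rows: List[Dict[str, str]], max_idle_days: int,
                   now: datetime = NOW) -> List[Tuple[str, int]]:
    """(user, idle days) for users whose password and active keys have all gone unused
    longer than max_idle_days. A credential with no recorded use counts from the
    user's creation (password) or the key's rotation date (key), so never-used
    credentials age out too. The root user is skipped; it needs separate handling."""
    findings = []
    for row in rows:
        if row["user"] == "<root_account>":
            continue
        last_used: List[datetime] = []
        if row["password_enabled"] == "true":
            last_used.append(parse_ts(row["password_last_used"])
                             or parse_ts(row["user_creation_time"]))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] == "true":
                last_used.append(parse_ts(row[f"access_key_{slot}_last_used_date"])
                                 or parse_ts(row[f"access_key_{slot}_last_rotated"]))
        if not last_used:          # no usable credential at all: nothing to disable
            continue
        idle = (now - max(last_used)).days
        if idle > max_idle_days:
            findings.append((row["user"], idle))
    return findings


if __name__ == "__main__":
    report = load_report(REPORT_CSV)
    print("active keys older than 90 days:", stale_access_keys(report, 90))
    print("users idle for more than 90 days:", inactive_users(report, 90))
    print("users idle for more than 60 days:", inactive_users(report, 60))
```

Two details matter in practice and are reflected above: a user is only idle when every credential is idle (alice's key was used this week even though a password-only check would look fine either way), and credentials that were created but never used are dated from creation or rotation, because a check that only looks at last-use timestamps leaves an unused key outstanding forever.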
Question 93
A company wants to detect unusual API activity across multiple AWS accounts, including IAM and EC2 calls, and generate centralized alerts. Which AWS service combination is appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty continuously monitors account activity, including IAM API calls, EC2 actions, VPC Flow Logs, and DNS logs. It uses machine learning, threat intelligence, and anomaly detection to identify suspicious behavior such as privilege escalation attempts, unauthorized access, or anomalous network patterns. GuardDuty findings include severity, affected resources, and recommended remediation. Both GuardDuty and Security Hub support a delegated administrator account in AWS Organizations, so they can be enabled once for every member account; Security Hub then aggregates findings across accounts and regions, provides centralized dashboards, and publishes each finding to EventBridge (formerly CloudWatch Events) for automated workflows in Lambda. This combination ensures proactive detection, centralized alerting, and the ability to respond quickly to threats.
CloudTrail logs all API activity but does not detect anomalies or provide actionable alerts. It is reactive and requires additional processing for threat detection.
IAM policies define access controls but cannot detect anomalous behavior or generate alerts. They are preventive controls, not monitoring solutions.
Security groups manage network traffic but cannot detect or respond to API anomalies. They operate at the network layer and do not provide identity or activity monitoring.
Amazon GuardDuty with Security Hub is correct because it provides automated threat detection, centralized alerting, actionable findings, and integration with response workflows, improving overall security posture across multiple accounts.
Question 94
A company wants to ensure that all Lambda functions accessing secrets do not hardcode credentials and use encryption. Which solution fulfills this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive information such as API keys, tokens, or database credentials. Lambda functions can retrieve secrets at runtime using IAM roles, ensuring credentials are never hardcoded. Secrets Manager supports automatic rotation of secrets, fine-grained access control through IAM, and audit logging via CloudTrail. This approach reduces the risk of accidental exposure, supports compliance requirements, and integrates seamlessly with serverless applications. By using IAM roles, administrators can restrict which functions can access specific secrets, ensuring least-privilege access.
Storing secrets in plaintext environment variables exposes them to anyone who can read the function configuration: the values are returned by GetFunctionConfiguration, shown in the console, copied into every published version, and easily leaked through logs. Lambda does encrypt environment variables at rest with KMS, but that does not stop disclosure to any principal holding lambda:GetFunctionConfiguration, so this remains a significant security risk.
Using S3 buckets for secrets requires additional encryption and access management, increases complexity, and lacks seamless runtime integration with Lambda.
Security groups control network traffic but cannot manage secrets or enforce secure access to Lambda environment variables. They are irrelevant to secret management.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automatic rotation, auditability, and integration with Lambda. This ensures credentials remain secure, reduces operational risk, and aligns with security best practices.
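The pattern described above, as an added example (not code from the original page): a least-privilege execution-role policy for one secret, and a runtime fetch with an in-memory cache so warm invocations do not call the API again. The GetSecretValue response keys are boto3's; the secret ARN, key ARN and the FakeSecretsManager client are constructed so it runs offline.

```python
"""Secrets Manager from a Lambda function: least-privilege execution-role
policy for one secret, and a runtime fetch with an in-memory cache.

Added example, not code from the original page. The GetSecretValue response
shape is boto3's; the secret ARN, key ARN and FakeSecretsManager client are
constructed so the example runs offline.
"""
import json
import time
from typing import Any, Callable, Optional

# Constructed ARN. A real function receives it through configuration
# (the ARN is not sensitive; the secret value is).
SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:123456789012:"
              "secret:prod/app/db-AbCdEf")


def least_privilege_policy(secret_arn: str,
                           kms_key_arn: Optional[str] = None) -> dict[str, Any]:
    """Execution-role policy that can read exactly one secret.

    If the secret is encrypted under a customer-managed KMS key the role
    also needs kms:Decrypt on that key; kms:ViaService limits that grant
    to calls arriving through Secrets Manager in the secret's region.
    """
    region = secret_arn.split(":")[3]
    statements: list[dict[str, Any]] = [{
        "Sid": "ReadOneSecret",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn,
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptOnlyViaSecretsManager",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


class SecretCache:
    """Decoded secrets cached for the life of the execution environment.

    Lambda keeps the process alive between warm invocations, so a cache held
    at module scope avoids one GetSecretValue call per request; the TTL
    bounds how long a rotated value can remain stale.
    """

    def __init__(self, client, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: dict[str, tuple[float, dict]] = {}

    def get(self, secret_id: str) -> dict:
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        resp = self._client.get_secret_value(SecretId=secret_id)
        # Key/value secrets arrive as a JSON string in SecretString;
        # binary secrets arrive in SecretBinary instead.
        if "SecretString" in resp:
            value = json.loads(resp["SecretString"])
        else:
            value = {"binary": resp["SecretBinary"]}
        self._entries[secret_id] = (now, value)
        return value


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client (offline)."""

    def __init__(self, secrets: dict[str, str]):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"ARN": SecretId, "Name": SecretId.split(":")[-1],
                "SecretString": self._secrets[SecretId]}


def demo() -> tuple[dict, int]:
    """Two 'invocations' against a constructed secret: one API call total."""
    client = FakeSecretsManager({SECRET_ARN: json.dumps(
        {"username": "app", "password": "constructed-not-a-real-secret",
         "host": "db.internal"})})
    cache = SecretCache(client)
    creds = cache.get(SECRET_ARN)
    cache.get(SECRET_ARN)          # warm invocation: served from the cache
    return creds, client.calls


if __name__ == "__main__":
    print(demo())
```

In a real function, `SecretCache` is created once at module scope with `boto3.client("secretsmanager")` and `cache.get(...)` is called inside the handler; the AWS Parameters and Secrets Lambda Extension offers the same caching without code changes.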
Question 95
A company wants to ensure that all API requests to S3 buckets are encrypted in transit. Which configuration achieves this?
A) Require SSL connections in S3 bucket policies
B) Enable S3 versioning only
C) Use IAM policies without encryption
D) Enable public access
Answer: A) Require SSL connections in S3 bucket policies
Explanation:
Requiring SSL connections in S3 bucket policies enforces encryption in transit by denying any request whose aws:SecureTransport condition key is false, that is, any request over plain HTTP. This ensures that all data uploaded to or retrieved from S3 is transmitted over HTTPS, protecting against eavesdropping, man-in-the-middle attacks, and data interception. Bucket policies provide centralized enforcement for every access method, including API calls, SDK requests, and console operations, and the deny statement must name both the bucket ARN and the bucket/* object ARN so that bucket-level and object-level calls are both covered. Combined with IAM or KMS controls, SSL enforcement lets organizations maintain confidentiality, integrity, and compliance for sensitive data in transit.
Enabling S3 versioning provides recovery of previous object versions but does not enforce encryption during transmission. Versioning addresses durability rather than network security.
IAM policies without encryption control who can access objects, but do not enforce secure transport. Users could still access data over unencrypted HTTP, exposing sensitive information.
Enabling public access allows anyone to reach the bucket without requiring secure connections, creating a major security risk.
Requiring SSL connections in bucket policies is correct because it guarantees encryption in transit, enforces security consistently across all users and applications, and aligns with best practices for protecting sensitive data against network-level threats.
Question 96
A company wants to ensure that all EBS volumes are encrypted by default using a customer-managed KMS key. Which AWS configuration accomplishes this?
A) Enable EBS encryption by default and specify a KMS key
B) Use IAM policies only
C) Configure security groups
D) Enable CloudTrail logging only
Answer: A) Enable EBS encryption by default and specify a KMS key
Explanation:
Enabling EBS encryption by default makes every volume created afterwards in that region encrypted without any action by the caller, including volumes created from unencrypted snapshots and root volumes of instances launched from unencrypted AMIs. Specifying a customer-managed KMS key as the default lets the company own the key policy, rotation, and the CloudTrail record of key use. Snapshots taken from these volumes inherit the encryption, so backups stay protected. Two caveats matter in practice: the setting is per account and per region, so it must be enabled in every region in use (AWS Config or a scripted check can verify it), and it does not touch volumes that already exist, which have to be re-created from an encrypted snapshot copy. Principals that create volumes also need permission to use the key, otherwise volume creation fails once the default is on. With those handled, the configuration enforces the policy automatically, removes the chance of an engineer forgetting the encryption flag, and aligns with industry standards for protecting data at rest.
IAM policies alone can control who can create EBS volumes, but they do not enforce encryption. Users could still create unencrypted volumes if encryption defaults are not enabled.
Security groups control network access to EC2 instances, but do not encrypt EBS volumes. They are network-layer controls and irrelevant for data-at-rest encryption.
CloudTrail logging provides visibility into API calls, including volume creation, but does not enforce encryption. Logging is reactive and cannot prevent unencrypted volumes from being created.
Enabling EBS encryption by default with a customer-managed KMS key is correct because it ensures consistent data protection, centralized key management, compliance, and automated enforcement of encryption policies.
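The enablement step and the audit that goes with it, as an added example (not code from the original page): turn the default on under a customer-managed key in one region, read the settings back, and list the volumes the setting does not reach. The EC2 method names and DescribeVolumes fields are boto3's; the FakeEC2 client, key ARN and volume records are constructed so it runs offline.

```python
"""Enable EBS encryption by default under a customer-managed key, then audit
the volumes the setting does not cover (created before it was enabled, or
encrypted under a different key).

Added example, not code from the original page. The EC2 method names and
DescribeVolumes field names are boto3's; the FakeEC2 client, key ARN and
volume inventory are constructed so the example runs offline.
"""
from typing import Any

# Constructed customer-managed key ARN. Its key policy must let the
# principals that create volumes use it, or creation fails once the
# default is on.
CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/constructed-key-id"


def enforce_default_encryption(ec2, kms_key_arn: str) -> dict[str, Any]:
    """Region-scoped: run this against a client for every region in use.
    Returns the settings read back so a scheduled job can detect drift."""
    ec2.enable_ebs_encryption_by_default()
    ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_arn)
    return {
        "enabled": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        "kms_key": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
    }


def noncompliant_volumes(describe_volumes_response: dict[str, Any],
                         kms_key_arn: str) -> list[dict[str, str]]:
    """Unencrypted volumes, plus volumes encrypted under another key
    (typically the AWS-managed aws/ebs key from before the change)."""
    findings = []
    for vol in describe_volumes_response["Volumes"]:
        if not vol.get("Encrypted"):
            findings.append({"VolumeId": vol["VolumeId"], "Reason": "unencrypted"})
        elif vol.get("KmsKeyId") != kms_key_arn:
            findings.append({"VolumeId": vol["VolumeId"], "Reason": "wrong-key"})
    return findings


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: holds the two
    region-level settings and serves a fixed DescribeVolumes page."""

    def __init__(self, volumes: list[dict[str, Any]]):
        self.default_on = False
        self.default_key = "alias/aws/ebs"
        self._volumes = volumes

    def enable_ebs_encryption_by_default(self):
        self.default_on = True
        return {"EbsEncryptionByDefault": True}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.default_key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.default_on}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.default_key}

    def describe_volumes(self, **_):
        return {"Volumes": self._volumes}


# Constructed inventory: one compliant volume, one legacy unencrypted
# volume, one under the AWS-managed key.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aws-managed-ebs"},
]


def run_sample() -> tuple[dict[str, Any], list[dict[str, str]]]:
    ec2 = FakeEC2(SAMPLE_VOLUMES)
    settings = enforce_default_encryption(ec2, CMK_ARN)
    # Turning the default on changes nothing for existing volumes; those
    # need snapshot -> encrypted copy -> new volume -> swap.
    return settings, noncompliant_volumes(ec2.describe_volumes(), CMK_ARN)


if __name__ == "__main__":
    print(run_sample())
```

Against a real account, use `ec2.get_paginator("describe_volumes")` rather than a single call, and let the AWS Config managed rule `ec2-ebs-encryption-by-default` report regions where the setting has been switched off.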
Question 97
A company wants to monitor and respond to anomalous IAM activity, including unauthorized API calls, across multiple AWS accounts. Which AWS service combination is appropriate?
A) Amazon GuardDuty with Security Hub
B) IAM policies only
C) CloudTrail logging only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty analyzes CloudTrail management events, VPC Flow Logs, and DNS logs to detect anomalous IAM activity, such as API calls that do not fit a principal's history, privilege escalation attempts, or console logins and API calls from unusual locations or known-bad IP addresses. It applies machine learning, anomaly detection, and threat intelligence to generate findings with context and recommended remediation. Security Hub aggregates those findings across accounts and regions into a centralized dashboard and forwards them to EventBridge (formerly CloudWatch Events), where rules can invoke Lambda for automated response. Together, GuardDuty and Security Hub let a company detect anomalies close to real time, correlate findings across accounts, and respond quickly to threats, which shortens detection time and centralizes monitoring of IAM activity.
IAM policies alone define permissions but cannot detect anomalous behavior or generate alerts. They are preventive controls but lack monitoring capabilities.
CloudTrail logs API activity and can provide a record for auditing purposes, but it does not detect anomalies or generate actionable alerts without additional processing.
Security groups manage network traffic and cannot monitor IAM activity or detect unauthorized API calls. They operate at the network layer rather than the identity layer.
Using Amazon GuardDuty with Security Hub is correct because it provides real-time detection, centralized visibility, actionable alerts, and the ability to respond automatically to anomalous IAM activity across multiple accounts.
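The automated response path described for Question 97 and the preceding GuardDuty question, as an added example (not code from the original page): an EventBridge rule pattern that passes only high-severity findings on IAM access keys, and a handler that re-checks the filter, extracts the principal, contains it, and notifies. The event layout follows what EventBridge delivers for "GuardDuty Finding" events; the sample finding, account id, key ids, SNS topic ARN, quarantine policy ARN and the FakeIAM and FakeSNS clients are constructed (the policy ARN is an assumption).

```python
"""Respond to a high-severity GuardDuty IAM finding delivered through
EventBridge: re-check the filter, extract the principal, contain, notify.

Added example, not code from the original page. The event layout follows
what EventBridge delivers for "GuardDuty Finding" events; the sample
finding, account id, key ids, SNS topic ARN, quarantine policy ARN and the
FakeIAM and FakeSNS clients are constructed (the policy ARN is an assumption).
"""
import json
from typing import Any, Optional

HIGH_SEVERITY = 7.0   # GuardDuty: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9

# EventBridge rule pattern: only high-severity findings on IAM access keys
# reach the responder. Findings routed via Security Hub arrive with source
# aws.securityhub and detail-type "Security Hub Findings - Imported" instead.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", HIGH_SEVERITY]}],
        "resource": {"resourceType": ["AccessKey"]},
    },
}


def triage(event: dict[str, Any]) -> Optional[dict[str, Any]]:
    """Re-apply the filter in code (a rule can be edited) and pull out what
    the responder needs; None means ignore the finding."""
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < HIGH_SEVERITY:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "AccessKey":
        return None
    key = resource["accessKeyDetails"]
    return {"finding_id": detail["id"], "type": detail["type"],
            "account": detail["accountId"], "user": key["userName"],
            "user_type": key["userType"],        # IAMUser, AssumedRole, Root
            "access_key": key["accessKeyId"]}


def contain(finding: dict[str, Any], iam, sns, topic_arn: str,
            quarantine_policy_arn: str) -> str:
    """Deactivate the key, attach a deny-all policy to the user, notify.
    Roles and root are not IAM users, so those findings go to a human."""
    if finding["user_type"] == "IAMUser":
        iam.update_access_key(UserName=finding["user"],
                              AccessKeyId=finding["access_key"], Status="Inactive")
        iam.attach_user_policy(UserName=finding["user"],
                               PolicyArn=quarantine_policy_arn)
        action = "key-deactivated-and-user-quarantined"
    else:
        action = "manual-review"
    sns.publish(TopicArn=topic_arn,
                Subject=f"GuardDuty {finding['type']} in {finding['account']}",
                Message=json.dumps({**finding, "action": action}))
    return action


class FakeIAM:
    """Constructed stand-in that records the calls a responder would make."""

    def __init__(self):
        self.calls: list[tuple] = []

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))

    def attach_user_policy(self, **kw):
        self.calls.append(("attach_user_policy", kw))


class FakeSNS:
    def __init__(self):
        self.published: list[dict] = []

    def publish(self, **kw):
        self.published.append(kw)


# Constructed sample in the GuardDuty-to-EventBridge layout.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
        "id": "constructed-finding-0001", "severity": 8,
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
            "accessKeyId": "AKIACONSTRUCTEDEXAMPLE", "principalId": "AIDACONSTRUCTED",
            "userName": "ci-deployer", "userType": "IAMUser"}},
    },
}


def run_sample() -> tuple[str, FakeIAM, FakeSNS]:
    iam, sns = FakeIAM(), FakeSNS()
    action = contain(triage(SAMPLE_EVENT), iam, sns,
                     "arn:aws:sns:us-east-1:123456789012:sec-alerts",
                     "arn:aws:iam::123456789012:policy/QuarantineDenyAll")
    return action, iam, sns
```

Deactivating rather than deleting the key keeps the option to re-enable it if the finding turns out to be a false positive, and the quarantine policy should be an explicit deny on `*` so it overrides whatever the user's other policies allow.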
Question 98
A company wants to prevent unauthorized deletion of RDS snapshots while allowing normal database operations. Which AWS feature satisfies this requirement?
A) Enable RDS snapshot delete protection
B) Use IAM policies only
C) Enable security groups
D) CloudTrail logging only
Answer: A) Enable RDS snapshot delete protection
Explanation:
The control AWS actually exposes under this name is RDS deletion protection, which is set on the DB instance or cluster rather than on individual snapshots. While it is enabled, DeleteDBInstance and DeleteDBCluster calls fail until an administrator explicitly turns it off, so the database (and the automated backup lifecycle tied to it) cannot be removed by a mistaken or unauthorized request, while reads, writes, snapshot creation, and restores continue unchanged. Snapshots themselves carry no per-object protection flag: manual snapshots persist until someone calls DeleteDBSnapshot, so guarding them means denying rds:DeleteDBSnapshot and rds:DeleteDBClusterSnapshot through an IAM policy or SCP, or copying them into an AWS Backup vault with Vault Lock enabled. The goal is the same in each case: keep critical backups available for disaster recovery and compliance without getting in the way of normal database operations.
IAM policies can deny snapshot deletion, and can be scoped to snapshot ARNs or tags, but they protect only against the principals they are attached to and must be kept consistent across every role that can reach RDS. A broadly written deny also blocks legitimate snapshot lifecycle work such as pruning old copies. Deletion protection is a single switch on the resource itself and applies regardless of who makes the call.
Security groups control network access to RDS instances, but do not prevent snapshot deletion. They operate at the network layer rather than controlling storage operations.
CloudTrail logging records snapshot deletion events but does not prevent deletion. It is reactive and only provides auditing visibility without enforcing safeguards.
Enabling deletion protection is the intended answer because it preserves the database and its backups with one resource-level setting, reduces operational risk from accidental deletes, leaves normal operations untouched, and aligns with data protection and disaster recovery practice; pair it with a deny on rds:DeleteDBSnapshot where individual snapshots must survive on their own.
Question 99
A company wants to ensure that all API calls to S3 buckets are encrypted in transit to prevent interception. Which configuration enforces this requirement?
A) Require SSL connections in S3 bucket policies
B) Enable S3 versioning only
C) Use IAM policies without encryption
D) Enable public access
Answer: A) Require SSL connections in S3 bucket policies
Explanation:
Requiring SSL connections in S3 bucket policies enforces encryption in transit by denying requests made over HTTP. This ensures that all data transmitted to and from S3 is encrypted using HTTPS, protecting against eavesdropping, man-in-the-middle attacks, and network-based interception. Bucket policies provide centralized enforcement, which applies to all access methods, including the API, SDK, and console. Combining this configuration with IAM permissions or KMS key policies ensures both secure transport and controlled access.
Enabling S3 versioning only allows recovery of previous object versions but does not enforce encryption in transit. Versioning focuses on durability and recovery rather than network security.
Using IAM policies without encryption controls who can access objects, but does not enforce secure transport. Users could still access data over unencrypted HTTP connections.
Enabling public access increases exposure and does not guarantee encryption in transit. Public buckets could allow insecure access, creating a security risk.
Requiring SSL connections in bucket policies is correct because it guarantees encrypted data in transit, ensures centralized enforcement, reduces the risk of data interception, and aligns with best practices for secure data handling.
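The policy discussed in Questions 95 and 99, as an added example (not code from the original page): the deny statement for non-TLS requests, the weaker variant that lists only the object ARN, and a small condition evaluator that shows which sample requests each one actually blocks. The policy shape (Deny on the bucket ARN and bucket/* with aws:SecureTransport = false) is the standard S3 pattern; the bucket name and sample requests are constructed.

```python
"""Bucket policy that denies every request not made over TLS, plus a small
evaluator that checks it against sample requests, including the common
mistake of listing only the object ARN.

Added example, not code from the original page. The policy shape is the
standard S3 pattern; the bucket name and sample requests are constructed.
"""
from fnmatch import fnmatchcase
from typing import Any


def deny_insecure_transport_policy(bucket: str) -> dict[str, Any]:
    """Both ARNs are required: the bucket ARN covers bucket-level calls such
    as ListBucket, bucket/* covers object calls. Principal "*" makes the
    deny apply to every caller, including the account's own users."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def weak_policy(bucket: str) -> dict[str, Any]:
    """Same statement with only the object ARN: bucket-level calls over
    plain HTTP are not denied."""
    policy = deny_insecure_transport_policy(bucket)
    policy["Statement"][0]["Resource"] = [f"arn:aws:s3:::{bucket}/*"]
    return policy


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _bool_condition_matches(condition: dict, context: dict) -> bool:
    # IAM "Bool": every listed key must be present and equal (case-insensitive).
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def is_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement matches. An explicit deny beats every
    allow, so this alone answers 'is the request blocked'. Only the
    condition operator this policy uses (Bool) is implemented."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _bool_condition_matches(st.get("Condition", {}), context):
            return True
    return False


def check_sample_requests(bucket: str = "constructed-audit-logs") -> dict[str, bool]:
    """Constructed requests: an object read and a bucket listing, each over
    HTTP and HTTPS, against the correct and the weak policy."""
    good, weak = deny_insecure_transport_policy(bucket), weak_policy(bucket)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    obj = f"{bucket_arn}/2024/trail.json.gz"
    http = {"aws:SecureTransport": "false"}
    https = {"aws:SecureTransport": "true"}
    return {
        "http_get_object_denied": is_denied(good, "s3:GetObject", obj, http),
        "https_get_object_denied": is_denied(good, "s3:GetObject", obj, https),
        "http_list_bucket_denied": is_denied(good, "s3:ListBucket", bucket_arn, http),
        "weak_http_list_bucket_denied": is_denied(weak, "s3:ListBucket", bucket_arn, http),
    }


if __name__ == "__main__":
    print(check_sample_requests())
```

The evaluator deliberately implements only what this policy needs; for real policies use the IAM policy simulator. To require a minimum protocol version as well, S3 supports a second deny with `"NumericLessThan": {"s3:TlsVersion": "1.2"}`.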
Question 100
A company wants to automatically rotate IAM access keys and notify administrators before they expire. Which combination of AWS services achieves this?
A) AWS IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) AWS IAM with CloudWatch Events and Lambda automation
Explanation:
IAM stores metadata for each access key, including its creation date and, through GetAccessKeyLastUsed, when it was last used. An EventBridge (formerly CloudWatch Events) scheduled rule, for example rate(1 day), invokes a Lambda function that lists the keys, computes their age, and acts on any that approach or exceed the rotation window: it can create a replacement key, publish it to the consuming application (typically through Secrets Manager or Parameter Store), deactivate the old key, and notify administrators through SNS before the deadline. Because IAM permits at most two access keys per user, the sequence is create new, switch consumers, deactivate old, and delete the old key once it shows no recent use. AWS Config's managed rule access-keys-rotated can flag non-compliant keys as well. Automating the cycle removes the manual step that lets stale keys linger and applies the policy consistently to every IAM user.
Security groups manage network traffic and cannot monitor, rotate, or notify about IAM access keys. They are irrelevant to credential lifecycle management.
CloudTrail logs API activity related to IAM keys, but does not rotate keys or provide notifications. It is reactive and requires manual intervention for key management.
S3 bucket policies control access to objects in S3 and do not manage IAM keys or rotations. They are unrelated to credential lifecycle enforcement.
AWS IAM with CloudWatch Events and Lambda automation is correct because it provides proactive monitoring, automated rotation, notifications, compliance enforcement, and reduced operational risk, ensuring secure and efficient management of IAM access keys.
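The scheduled rotation cycle described above, as an added example (not code from the original page): classify every key by age, warn ahead of the deadline, and rotate in the order IAM's two-keys-per-user limit forces. Method and field names are those of boto3's IAM client (ListAccessKeys, CreateAccessKey, UpdateAccessKey, DeleteAccessKey); the FakeIAM client, user names, key ids and timestamps are constructed so it runs offline.

```python
"""Scheduled access-key hygiene: classify keys by age, warn before the
deadline, rotate with create / switch / deactivate / delete ordering.

Added example, not code from the original page. Method and field names are
boto3's IAM client's; the FakeIAM client, users, key ids and timestamps are
constructed so the example runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Callable

MAX_AGE_DAYS = 90   # rotate at or beyond this age
WARN_DAYS = 80      # notify from this age on
# The Lambda is invoked by an EventBridge scheduled rule, e.g. rate(1 day).


def classify_keys(list_access_keys_response: dict[str, Any],
                  now: datetime) -> list[dict[str, Any]]:
    """AccessKeyMetadata entries carry UserName, AccessKeyId, Status and a
    timezone-aware CreateDate."""
    result = []
    for md in list_access_keys_response["AccessKeyMetadata"]:
        age = (now - md["CreateDate"]).days
        if md["Status"] != "Active":
            state = "inactive"
        elif age >= MAX_AGE_DAYS:
            state = "rotate"
        elif age >= WARN_DAYS:
            state = "warn"
        else:
            state = "ok"
        result.append({"UserName": md["UserName"], "AccessKeyId": md["AccessKeyId"],
                       "AgeDays": age, "State": state})
    return result


def rotate_key(iam, user: str, old_key_id: str,
               publish: Callable[[str, str, str], None]) -> str:
    """Create the replacement before touching the old key so the consumer is
    never without working credentials. A user may hold two keys at most, so
    an inactive leftover from a previous rotation is deleted first."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    for md in keys:
        if md["AccessKeyId"] != old_key_id and md["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=md["AccessKeyId"])
    if sum(1 for md in keys if md["Status"] == "Active") >= 2:
        raise RuntimeError(f"{user}: two active keys, cannot create a third")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    publish(user, new["AccessKeyId"], new["SecretAccessKey"])  # e.g. Secrets Manager
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    # The old key stays Inactive (not deleted) until GetAccessKeyLastUsed
    # shows nothing still depends on it; re-enabling it is the rollback.
    return new["AccessKeyId"]


def rotation_cycle(iam, users: list[str], now: datetime,
                   publish: Callable[[str, str, str], None],
                   notify: Callable[[str], None]) -> dict[str, list[str]]:
    """One scheduled run: rotate overdue keys, warn about the ones due soon."""
    summary: dict[str, list[str]] = {"rotated": [], "warned": []}
    for user in users:
        for k in classify_keys(iam.list_access_keys(UserName=user), now):
            if k["State"] == "rotate":
                new_id = rotate_key(iam, user, k["AccessKeyId"], publish)
                notify(f"{user}: key {k['AccessKeyId']} ({k['AgeDays']}d) rotated to {new_id}")
                summary["rotated"].append(k["AccessKeyId"])
            elif k["State"] == "warn":
                notify(f"{user}: key {k['AccessKeyId']} is {k['AgeDays']}d old, "
                       f"rotation due in {MAX_AGE_DAYS - k['AgeDays']}d")
                summary["warned"].append(k["AccessKeyId"])
    return summary


class FakeIAM:
    """Constructed stand-in for boto3's IAM client with in-memory keys."""

    def __init__(self, keys: dict[str, list[dict[str, Any]]], now: datetime):
        self.keys, self.now, self._n = keys, now, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:
            raise RuntimeError("LimitExceeded")
        self._n += 1
        k = {"UserName": UserName, "AccessKeyId": f"AKIACONSTRUCTED{self._n:04d}",
             "Status": "Active", "CreateDate": self.now}
        self.keys[UserName].append(k)
        return {"AccessKey": {**k, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName]
                               if k["AccessKeyId"] != AccessKeyId]


def run_sample() -> tuple[dict[str, list[str]], list[str], FakeIAM]:
    """Constructed inventory: one user overdue with an old inactive spare,
    one user inside the warning window."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    iam = FakeIAM({
        "deploy-bot": [{"UserName": "deploy-bot", "AccessKeyId": "AKIAOLD000000000001",
                        "Status": "Active", "CreateDate": now - timedelta(days=120)},
                       {"UserName": "deploy-bot", "AccessKeyId": "AKIAOLD000000000002",
                        "Status": "Inactive", "CreateDate": now - timedelta(days=300)}],
        "analyst": [{"UserName": "analyst", "AccessKeyId": "AKIAOLD000000000003",
                     "Status": "Active", "CreateDate": now - timedelta(days=85)}],
    }, now)
    messages: list[str] = []
    summary = rotation_cycle(iam, ["deploy-bot", "analyst"], now,
                             publish=lambda u, k, s: None, notify=messages.append)
    return summary, messages, iam
```

In production `publish` writes the new pair into Secrets Manager (or wherever the consumer reads it) and `notify` is `sns.publish`; the Lambda's own role needs iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey on the users it manages, and nothing broader.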