Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 8 Q141-160
Question 141
A company wants to ensure that all newly created RDS instances are encrypted and that automated backups and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable RDS encryption at the instance level using a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level using a KMS key
Explanation:
Encryption is a property chosen when the instance is created: RDS encrypts the underlying storage with a KMS key, and everything derived from that instance (automated backups, manual snapshots, and read replicas in the same Region) is encrypted with the same key. Choosing a customer managed key rather than the AWS managed aws/rds key lets administrators control the key policy, enable rotation, and audit every use of the key in CloudTrail. Two caveats matter in practice. Encryption cannot be switched on for an existing instance; the path is to take a snapshot, copy it with a KmsKeyId, and restore a new instance from the encrypted copy. And the setting on one instance does not stop anyone from creating a different, unencrypted instance; for that, pair it with a Deny (IAM policy or SCP) on rds:CreateDBInstance when the rds:StorageEncrypted condition key is false. Together these give consistent protection for primary data, backups and snapshots and satisfy the usual regulatory requirements for data at rest.
IAM policies by themselves encrypt nothing. A condition on rds:StorageEncrypted can refuse unencrypted CreateDBInstance calls, which is a worthwhile guardrail, but the encryption of backups, snapshots and replicas comes from the source instance's setting, so the instance-level configuration is what actually meets the requirement.
Security groups manage network access to RDS instances but do not enforce encryption of data at rest. They operate at the network layer and cannot secure stored data.
CloudTrail logging provides visibility into API calls but cannot enforce encryption. It is a monitoring tool rather than a preventive control.
Enabling RDS encryption at the instance level using a KMS key is correct because it ensures consistent encryption for primary data, backups, and snapshots, integrates with auditing, reduces operational risk, and aligns with security best practices.
Question 142
A company wants to ensure that all S3 buckets are encrypted by default and that public access is blocked across multiple accounts. Which AWS service combination achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
AWS Organizations provides central governance through Service Control Policies (SCPs). An SCP does not encrypt or configure buckets; it denies API calls, so its role here is to stop member-account administrators from turning the guardrails off, for example by denying s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock (which would weaken Block Public Access) and s3:PutEncryptionConfiguration (which would change or remove a bucket's default-encryption rule) to everyone except a designated platform role. S3 now applies SSE-S3 default encryption to every new bucket, so the encryption requirement is about preventing a weaker configuration, or requiring SSE-KMS with a specific key, rather than turning encryption on. AWS Config, with an organization-wide aggregator, then evaluates every bucket against managed rules such as s3-bucket-server-side-encryption-enabled, s3-bucket-public-read-prohibited and s3-bucket-level-public-access-prohibited, and a remediation action (an SSM Automation runbook) can correct any bucket found non-compliant. This centralized approach reduces manual effort, mitigates accidental exposure of sensitive data, and keeps every account at the same baseline.
IAM policies applied individually to each account require manual setup and maintenance, which can lead to inconsistencies and human errors.
Enabling S3 versioning only addresses durability and recovery, not encryption or public access restrictions.
Security groups manage network traffic but cannot enforce bucket-level encryption or block public access.
Using AWS Organizations SCPs with AWS Config rules is correct because it provides centralized enforcement, continuous monitoring, automated remediation, and ensures that S3 buckets across all accounts are encrypted and private.
Question 143
A company wants to automatically disable IAM users who have not logged in for 60 days. Which AWS service combination accomplishes this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM records, for each user, when the console password was last used and when each access key was last used; both appear in the credential report and through GetUser and GetAccessKeyLastUsed. EventBridge does not read that metadata itself: a scheduled rule (for example rate(1 day)) invokes a Lambda function, which fetches the credential report, works out which users have had no console login or access-key use for 60 days, and disables them. IAM has no disable switch for a user, so in practice that means deleting the console login profile and setting each access key to Inactive, which is reversible, unlike deletion, and then notifying the owner. This automates identity lifecycle management, enforces the policy consistently, and removes the manual review step. The same check is available as the AWS Config managed rule iam-user-unused-credentials-check with a maxCredentialUsageAge parameter, which can be paired with an automatic remediation action.
Security groups manage network traffic and cannot detect inactive IAM users or disable accounts.
CloudTrail logs user activity and API calls but cannot automatically disable inactive accounts. It requires manual review and intervention.
S3 bucket policies control access to S3 objects but do not affect IAM user account activity.
IAM with CloudWatch Events and Lambda automation is correct because it provides proactive detection of inactive accounts, automated remediation, centralized enforcement, and reduced operational risk.
Question 144
A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty analyzes VPC Flow Logs, DNS query logs and CloudTrail events to identify anomalous behaviour from EC2 instances. It reads the flow and DNS data from its own streams, so you do not have to enable VPC Flow Logs yourself and nothing is installed on the instances. It detects unusual traffic patterns, connections to known command-and-control or cryptomining infrastructure, port scanning and similar signs of compromise, using threat intelligence feeds, anomaly detection and machine learning, and returns findings with a type, a severity and the details of the affected instance. Findings are published to EventBridge, where a rule can invoke a Lambda function for containment, for example swapping the instance's security groups for a quarantine group. With a delegated administrator, GuardDuty covers every account in the organisation; findings are generated per Region.
AWS Config tracks configuration changes but does not analyze network traffic or detect anomalies. Its focus is compliance and resource configuration monitoring.
IAM policies define access permissions but cannot monitor network activity or detect compromised instances. They are preventive, not detective controls.
CloudTrail logs API activity but does not provide real-time network anomaly detection. Analysis would require additional tooling.
Amazon GuardDuty is correct because it provides continuous, automated detection of network anomalies, actionable alerts, centralized monitoring, and integration with automated response workflows.
Question 145
A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive data such as API keys, database credentials, and tokens. Lambda functions fetch the secret at runtime with the execution role's credentials, so nothing is baked into code or configuration; the role needs only secretsmanager:GetSecretValue on that one secret ARN (plus kms:Decrypt when the secret is encrypted with a customer managed key). Secrets Manager supports automatic rotation through a rotation function, resource-based policies for fine-grained access, and CloudTrail logging of every retrieval. In practice the function should fetch once per execution environment and cache the value (or use the AWS Parameters and Secrets Lambda Extension), refreshing when a credential is rejected so that a rotation is picked up without a redeploy. Administrators can enforce least-privilege access, monitor usage, and integrate secrets securely into serverless applications.
Lambda environment variables are encrypted at rest with KMS, but their values are returned in plaintext to anyone who can call lambda:GetFunctionConfiguration, appear in the console, and cannot be rotated without updating the function, so they are not a secret store.
Using S3 buckets for secret storage requires encryption, access management, and runtime integration, which is less secure and operationally complex compared to Secrets Manager.
Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditing, and secure runtime integration with Lambda, ensuring sensitive secrets are protected and managed efficiently.
Question 146
A company wants to enforce MFA for all IAM users when performing sensitive operations and receive alerts for violations. Which AWS configuration achieves this?
A) IAM policies with MFA condition keys and CloudWatch Events alerts
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts
Explanation:
IAM policies enforce MFA with the aws:MultiFactorAuthPresent condition key, usually as a Deny on sensitive actions (or on everything except MFA enrolment) when the key is false. Two details matter. First, the key is only present for requests made with temporary credentials (console sessions, AssumeRole, GetSessionToken); a request signed with a long-term access key carries no such key at all, so the Deny must use BoolIfExists rather than Bool, otherwise access-key requests slip past it. Second, the Deny should exclude the handful of IAM actions a user needs to enrol a device, or new users cannot bootstrap MFA. For detection, API calls reach EventBridge as "AWS API Call via CloudTrail" events (a trail with logging enabled is required), and the CloudTrail record's userIdentity.sessionContext.attributes.mfaAuthenticated field is "false" for a session that was not MFA-authenticated; a rule matching that value on sensitive eventNames can notify the security team through SNS. The policy is the preventive control and the rule is the detective one, which together enforce MFA, surface violations promptly, and reduce the impact of a stolen password.
Security groups control network traffic but cannot enforce MFA or detect authentication violations. They operate at the network layer, unrelated to user identity.
CloudTrail logs MFA usage and API activity, but it is reactive. Without CloudWatch Events, administrators would have to manually analyze logs to detect violations.
S3 bucket policies can enforce MFA only for S3-specific operations and cannot provide organization-wide MFA enforcement or alerts for other AWS services.
IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they enforce MFA across all sensitive actions, provide real-time detection of non-compliance, and centralize alerting, ensuring strong security practices.
Question 147
A company wants to monitor all changes to IAM roles and policies to detect unauthorized modifications. Which AWS service provides continuous monitoring and auditing?
A) AWS Config
B) CloudTrail only
C) Security groups only
D) S3 bucket policies
Answer: A) AWS Config
Explanation:
AWS Config records configuration items for IAM users, groups, roles and customer managed policies (they are global resource types, recorded from one Region) and keeps a timeline of every version, so an administrator can see exactly what a trust policy or permission set looked like before and after a change. Managed rules such as iam-policy-no-statements-with-admin-access, iam-policy-no-statements-with-full-access and iam-role-managed-policy-check evaluate each change against the organisation's standard, and a compliance change is published to EventBridge as a "Config Rules Compliance Change" event that can notify the team or start an SSM Automation remediation. With an aggregator, the view spans every account in the organisation. Config answers what changed and whether it is still compliant; CloudTrail supplies who made the call.
CloudTrail records the IAM API calls, so it shows who changed a role and when, but it keeps no resource history and evaluates nothing; detecting a bad change from CloudTrail alone means building the analysis and alerting yourself.
Security groups control network traffic and cannot monitor IAM configurations or detect policy changes.
S3 bucket policies manage object access and do not provide monitoring of IAM roles or policies.
AWS Config is correct because it provides continuous monitoring, historical tracking, compliance evaluation, and automated alerting for IAM role and policy changes, ensuring proactive governance and security.
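The following is an added example, not code from the page: a local evaluation of IAM policy documents in the style of a custom AWS Config rule. It looks for what the managed rule iam-policy-no-statements-with-admin-access flags (an Allow of Action "*" on Resource "*") and, for roles, for a trust policy that lets any AWS principal assume the role. The sample documents, ARNs and the EventBridge pattern at the end are constructed for this example.

```python
"""Config-style evaluation of IAM policy and trust documents (added example)."""


def _listify(value):
    """IAM allows a single string where a list is expected; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(doc):
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def admin_statements(doc):
    """Sids (or positional labels) of Allow statements granting * on *."""
    hits = []
    for i, stmt in enumerate(_statements(doc)):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _listify(stmt.get("Action")) and "*" in _listify(stmt.get("Resource")):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def open_trust(trust_doc):
    """True if an unconditioned Allow lets Principal "*" (or AWS "*") call
    sts:AssumeRole, i.e. anyone with an AWS account could assume the role."""
    for stmt in _statements(trust_doc):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "sts:AssumeRole" not in _listify(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _listify(principal.get("AWS"))):
            return True
    return False


def evaluate(policies, roles):
    """Config-style evaluations. policies: [{"arn", "document"}] as from
    GetPolicyVersion; roles: [{"arn", "trust"}] as from GetRole."""
    results = []
    for p in policies:
        hits = admin_statements(p["document"])
        results.append({"ComplianceResourceType": "AWS::IAM::Policy",
                        "ComplianceResourceId": p["arn"],
                        "ComplianceType": "NON_COMPLIANT" if hits else "COMPLIANT",
                        "Annotation": "admin access in " + ", ".join(hits) if hits else ""})
    for r in roles:
        bad = open_trust(r["trust"])
        results.append({"ComplianceResourceType": "AWS::IAM::Role",
                        "ComplianceResourceId": r["arn"],
                        "ComplianceType": "NON_COMPLIANT" if bad else "COMPLIANT",
                        "Annotation": "trust policy allows any principal" if bad else ""})
    return results


# Constructed sample records.
SAMPLE_POLICIES = [
    {"arn": "arn:aws:iam::111122223333:policy/ReadOnlyLogs",
     "document": {"Version": "2012-10-17", "Statement": [
         {"Sid": "Logs", "Effect": "Allow",
          "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"}]}},
    {"arn": "arn:aws:iam::111122223333:policy/OopsAdmin",
     "document": {"Version": "2012-10-17", "Statement": [
         {"Sid": "Narrow", "Effect": "Allow", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::data/*"},
         {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]
SAMPLE_ROLES = [
    {"arn": "arn:aws:iam::111122223333:role/Deploy",
     "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"AWS": "*"}}]}},
    {"arn": "arn:aws:iam::111122223333:role/Lambda",
     "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"Service": "lambda.amazonaws.com"}}]}},
]

# The event an EventBridge rule would match to alert the team when Config
# flips a result for an IAM resource (constructed pattern).
COMPLIANCE_CHANGE_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"resourceType": ["AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}

if __name__ == "__main__":
    for e in evaluate(SAMPLE_POLICIES, SAMPLE_ROLES):
        print(e["ComplianceResourceId"], e["ComplianceType"], e["Annotation"])
```

In a real custom rule the same evaluate() output is passed to PutEvaluations with the ResultToken from the invoking event; the managed rules cover these two checks already, so the value of the custom version is extending it (for example, flagging NotAction statements or wildcard service prefixes) to the organisation's own standard.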
Question 148
A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple accounts and centralize alerts. Which AWS service combination is appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty analyzes CloudTrail management events, VPC Flow Logs, and DNS logs to identify anomalous API activity, such as IAM changes from an unfamiliar location or EC2 calls that match a known attack pattern, using threat intelligence feeds, anomaly detection and machine learning. Each finding carries a type, a severity and the details of the affected resource and principal. In an organisation, a delegated administrator account enables GuardDuty for every member, and Security Hub, likewise set up with a delegated administrator, aggregates the findings from all accounts (together with its own checks and findings from other services) into one view where the team can prioritise by severity and track status. Both services publish to EventBridge, so a rule can route high-severity findings to a Lambda function for containment, such as isolating an instance or deactivating an access key.
CloudTrail logs API activity but does not analyze patterns or generate actionable alerts without additional tooling. It is reactive.
IAM policies define permissions but cannot detect anomalous activity. They are preventive, not detective, controls.
Security groups manage network traffic and cannot monitor API activity or detect unusual behavior.
Amazon GuardDuty with Security Hub is correct because it provides continuous anomaly detection, centralized alerting, actionable insights, and integration with automated remediation workflows across multiple accounts, enhancing multi-account security posture.
Question 149
A company wants to automatically rotate IAM access keys for users and notify administrators before expiration. Which AWS configuration achieves this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM keeps, for every access key, its creation date (ListAccessKeys) and when and where it was last used (GetAccessKeyLastUsed). Access keys never expire on their own, so "expiration" here is the maximum age the organisation sets, for example 90 days. An EventBridge scheduled rule invokes a Lambda function that compares each key's age with that limit, warns owners as the deadline approaches, and rotates overdue keys: create the replacement (a user can hold at most two keys, so an inactive leftover may have to be deleted first), deliver it to the owner or a secret store out of band, set the old key to Inactive so it can be re-enabled if something still depends on it, and delete it after a grace period. Lambda cannot reach into an application and swap its credentials, so the hand-off step is what makes rotation safe. The detective half is also available as the AWS Config managed rule access-keys-rotated with a maxAccessKeyAge parameter. Better still is to remove the need for rotation by giving workloads IAM roles and people short-lived credentials through IAM Identity Center, so that long-term keys become the exception.
Security groups manage network traffic but cannot rotate IAM access keys or send alerts.
CloudTrail logs IAM API activity, including key usage, but cannot rotate keys or send proactive notifications. It is reactive and requires manual intervention.
S3 bucket policies manage object access but do not affect IAM key management or rotation.
IAM with CloudWatch Events and Lambda automation is correct because it automates rotation, provides proactive monitoring, sends alerts, and ensures secure and efficient access key management.
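The following is an added example, not code from the page: the decision logic behind a scheduled key-rotation Lambda. IAM access keys never expire on their own, so the "expiry" is the organisation's own deadline (MAX_AGE_DAYS). IAM calls go through a client object passed in, so the block runs offline against the constructed FakeIam below; with boto3 you would pass boto3.client("iam"). The users, key IDs and dates are constructed.

```python
"""Scheduled access-key rotation pass (added example)."""
import copy
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90
WARN_DAYS = 7          # start warning this many days before the deadline


def classify_keys(keys, now, max_age=MAX_AGE_DAYS, warn=WARN_DAYS):
    """keys: AccessKeyMetadata items from ListAccessKeys.
    Maps AccessKeyId -> 'inactive' | 'ok' | 'warn' | 'rotate'."""
    verdicts = {}
    for k in keys:
        age = (now - k["CreateDate"]).days
        if k["Status"] != "Active":
            verdicts[k["AccessKeyId"]] = "inactive"
        elif age >= max_age:
            verdicts[k["AccessKeyId"]] = "rotate"
        elif age >= max_age - warn:
            verdicts[k["AccessKeyId"]] = "warn"
        else:
            verdicts[k["AccessKeyId"]] = "ok"
    return verdicts


def rotate_user_keys(iam, user, now, notify):
    """One pass for one user; returns the actions taken.
    - an overdue key that has never been used is simply deleted;
    - otherwise any Inactive leftover is deleted (a user holds at most two
      keys), a replacement is created and handed to `notify` for
      out-of-band delivery, and the old key is set Inactive rather than
      deleted so it can be re-enabled if something still depends on it.
    At most one key is rotated per pass to keep the two-key limit simple."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    verdicts = classify_keys(keys, now)
    actions, removed = [], set()
    for k in keys:
        kid = k["AccessKeyId"]
        if verdicts[kid] == "warn":
            notify(user, f"key {kid} reaches the {MAX_AGE_DAYS}-day limit within {WARN_DAYS} days")
        if verdicts[kid] != "rotate":
            continue
        used = iam.get_access_key_last_used(AccessKeyId=kid)["AccessKeyLastUsed"]
        if "LastUsedDate" not in used:          # never used: nothing depends on it
            iam.delete_access_key(UserName=user, AccessKeyId=kid)
            removed.add(kid)
            actions.append(("deleted-never-used", kid))
            continue
        live = [x for x in keys if x["AccessKeyId"] not in removed]
        if sum(x["Status"] == "Active" for x in live) == 2:
            notify(user, f"two active keys; deactivate one before {kid} can be rotated")
            actions.append(("blocked-two-active", kid))
            break
        for x in live:
            if x["Status"] == "Inactive":
                iam.delete_access_key(UserName=user, AccessKeyId=x["AccessKeyId"])
                actions.append(("deleted-inactive", x["AccessKeyId"]))
        new = iam.create_access_key(UserName=user)["AccessKey"]
        notify(user, f"new key {new['AccessKeyId']} issued; {kid} set Inactive")
        iam.update_access_key(UserName=user, AccessKeyId=kid, Status="Inactive")
        actions.append(("rotated", kid, new["AccessKeyId"]))
        break
    return actions


class FakeIam:
    """Constructed stand-in for boto3's IAM client (only what the demo uses)."""
    def __init__(self, keys_by_user, last_used, now):
        self.keys, self.last_used, self.now, self.issued = keys_by_user, last_used, now, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def get_access_key_last_used(self, AccessKeyId):
        # Real API: LastUsedDate is absent when the key has never been used.
        return {"AccessKeyLastUsed": dict(self.last_used.get(AccessKeyId, {}))}

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def create_access_key(self, UserName):
        self.issued += 1
        key = {"AccessKeyId": f"AKIANEW{self.issued:012d}", "Status": "Active", "CreateDate": self.now}
        self.keys[UserName].append(key)
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret")}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = {   # constructed
    "alice": [{"AccessKeyId": "AKIAALICE00000000001", "Status": "Active",
               "CreateDate": NOW - timedelta(days=120)}],   # overdue and in use
    "bob":   [{"AccessKeyId": "AKIABOB0000000000001", "Status": "Active",
               "CreateDate": NOW - timedelta(days=85)}],    # inside the warning window
    "carol": [{"AccessKeyId": "AKIACAROL0000000001", "Status": "Active",
               "CreateDate": NOW - timedelta(days=200)}],   # overdue, never used
}
LAST_USED = {"AKIAALICE00000000001": {"LastUsedDate": NOW - timedelta(days=1),
                                      "ServiceName": "s3", "Region": "us-east-1"}}


def demo_client():
    return FakeIam(copy.deepcopy(SAMPLE_KEYS), LAST_USED, NOW)


if __name__ == "__main__":
    iam = demo_client()
    for user in SAMPLE_KEYS:
        print(user, rotate_user_keys(iam, user, NOW, lambda u, m: print("  notify", u, m)))
```

The `notify` callback is where a real function would publish to SNS or write the new secret into Secrets Manager; a follow-up pass deletes keys that have stayed Inactive past the grace period.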
Question 150
A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive data such as API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, ensuring credentials are not hardcoded. Secrets Manager provides automatic secret rotation, fine-grained IAM access control, and audit logging through CloudTrail. This reduces the risk of credential exposure, supports compliance requirements, and enables secure serverless applications. Administrators can enforce least-privilege access, monitor usage, and integrate secrets securely.
Storing secrets in plaintext environment variables exposes credentials to anyone with Lambda configuration access, creating significant security risk.
Using S3 buckets for secrets requires additional encryption, access management, and runtime integration. It does not provide automated rotation or seamless Lambda integration.
Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding.
AWS Secrets Manager with IAM-based access is correct because it ensures encrypted storage, controlled access, automated rotation, auditability, and secure runtime integration with Lambda, providing secure and compliant secret management.
Question 151
A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple accounts and centralize alerts for the security team. Which AWS service combination is appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty continuously analyzes CloudTrail management events, VPC Flow Logs, and DNS logs to identify unusual API activity, including anomalous IAM or EC2 calls, using threat intelligence, anomaly detection and machine learning, and produces findings with a type, a severity and the affected resource and principal. With a delegated administrator, GuardDuty is enabled for every account in the organisation, and Security Hub (also with a delegated administrator) aggregates the findings of all accounts and Regions into one place where the security team can monitor trends, prioritise by severity and coordinate the response. Findings from either service reach EventBridge, so a rule can invoke a Lambda function for automated containment, such as isolating an instance or deactivating a compromised access key.
CloudTrail logs API activity, providing visibility into user actions, but it does not analyze patterns or detect anomalies on its own. Analysis and alerting require additional tooling, making it reactive.
IAM policies define permissions and prevent unauthorized access but cannot detect anomalous API behavior. They are preventive rather than detective controls.
Security groups manage network traffic but cannot monitor API calls or detect abnormal actions. They operate at the network layer rather than the API or identity layer.
Amazon GuardDuty with Security Hub is correct because it provides proactive threat detection, centralized alerting, actionable insights, and the ability to integrate with automated response workflows across multiple accounts, improving organizational security posture and response times.
Question 152
A company wants to enforce MFA for all IAM users performing sensitive operations and receive alerts if MFA is not used. Which AWS configuration achieves this requirement?
A) IAM policies with MFA condition keys and CloudWatch Events alerts
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM policies with MFA condition keys and CloudWatch Events alerts
Explanation:
IAM policies enforce MFA with condition keys such as aws:MultiFactorAuthPresent, typically as a Deny on sensitive actions when the key is false. The key exists only for requests made with temporary credentials (console sessions, AssumeRole, GetSessionToken); a call signed with a long-term access key has no such key at all, so the condition must use BoolIfExists, not Bool, or access-key requests are never denied. The Deny should also leave out the IAM actions a user needs to enrol a device. For alerting, IAM and other API calls arrive at EventBridge as "AWS API Call via CloudTrail" events (which requires a trail with logging enabled), and the record's userIdentity.sessionContext.attributes.mfaAuthenticated value is "false" for a session without MFA, so a rule can match that on sensitive eventNames and notify administrators. This provides preventive enforcement, centralized monitoring and prompt notification of violations; MFA adds an authentication factor beyond the password, reducing the damage from a compromised credential.
Security groups manage network traffic and cannot enforce authentication or detect MFA usage. They operate at the network layer.
CloudTrail logs MFA usage and API activity but is reactive. Without CloudWatch Events, alerts would need manual review, delaying detection.
S3 bucket policies can enforce MFA only for S3-specific operations and cannot enforce organization-wide MFA policies or alert across all AWS services.
IAM policies with MFA condition keys and CloudWatch Events alerts are correct because they provide enforcement, detection, and notification, ensuring MFA is applied consistently across all sensitive actions and violations are promptly addressed.
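The following is an added example, not code from the page, serving Questions 146 and 152: why an MFA-enforcing Deny must use BoolIfExists, shown with a tiny evaluator that models only the Bool/BoolIfExists operators on aws:MultiFactorAuthPresent and the Action/NotAction matching the statement needs (real IAM evaluation is far richer). The policy is the usual "deny everything except MFA enrolment" shape; the request contexts and the EventBridge pattern at the end are constructed.

```python
"""Bool vs BoolIfExists on aws:MultiFactorAuthPresent (added example)."""
import copy

DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
        "Effect": "Deny",
        "NotAction": [                      # what a user needs to enrol a device
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
            "iam:ListMFADevices", "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice", "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def condition_matches(condition, context):
    """Bool: an absent key never matches. BoolIfExists: an absent key counts
    as a match. That difference is the whole point: a request signed with a
    long-term access key carries no aws:MultiFactorAuthPresent at all."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if context[key].lower() != str(expected).lower():
                return False
    return True


def _listify(v):
    return [v] if isinstance(v, str) else list(v)


def statement_covers(stmt, action):
    if "NotAction" in stmt:
        return action not in _listify(stmt["NotAction"])
    actions = _listify(stmt["Action"])
    return "*" in actions or action in actions


def is_denied(policy, action, context):
    """True if any Deny statement matches the action and the request context."""
    return any(stmt["Effect"] == "Deny"
               and statement_covers(stmt, action)
               and condition_matches(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])


def with_plain_bool(policy):
    """The same policy with the common mistake: Bool instead of BoolIfExists."""
    p = copy.deepcopy(policy)
    p["Statement"][0]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return p


# Constructed request contexts. Console and STS sessions carry the key; a
# request signed directly with an access key carries nothing.
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST = {}

# Detective side: an EventBridge rule pattern (constructed) for IAM changes
# made from a session that was not MFA-authenticated. CloudTrail writes the
# flag as the string "false"; a trail with logging enabled must exist.
NO_MFA_IAM_CHANGE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventName": ["CreateUser", "CreateAccessKey", "AttachUserPolicy",
                      "PutUserPolicy", "DeactivateMFADevice"],
        "userIdentity": {"sessionContext": {"attributes": {"mfaAuthenticated": ["false"]}}},
    },
}


def demo():
    """(correct policy denies?, weakened policy denies?) per request kind."""
    action = "ec2:TerminateInstances"
    rows = {}
    for name, ctx in (("mfa", SESSION_WITH_MFA), ("no_mfa", SESSION_NO_MFA),
                      ("access_key", ACCESS_KEY_REQUEST)):
        rows[name] = (is_denied(DENY_WITHOUT_MFA, action, ctx),
                      is_denied(with_plain_bool(DENY_WITHOUT_MFA), action, ctx))
    return rows


if __name__ == "__main__":
    for name, (correct, weak) in demo().items():
        print(f"{name:11s} BoolIfExists denies={correct}  Bool denies={weak}")
```

The access-key row is the one to look at: with plain Bool the request is not denied, which is exactly how a stolen long-term key bypasses an "MFA required" policy. Note that the detective pattern has the mirror-image gap: a call made with an access key has no sessionContext at all, so it matches neither value and needs its own rule.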
Question 153
A company wants to ensure that all newly created RDS instances are encrypted and that automated backups and snapshots inherit encryption automatically. Which AWS configuration meets this requirement?
A) Enable RDS encryption at the instance level using a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level using a KMS key
Explanation:
Enabling encryption when the RDS instance is created means the underlying storage is encrypted with a KMS key, and automated backups, snapshots and same-Region read replicas inherit that key, so protection stays consistent across every derived copy. Specifying a customer managed key rather than the AWS managed aws/rds key lets administrators own the key policy, enable rotation, and audit every use through CloudTrail. Because encryption cannot be added to a running instance, an existing unencrypted database is converted by taking a snapshot, copying it with a KmsKeyId, and restoring from the encrypted copy; and because the setting is per instance, an SCP or IAM Deny on rds:CreateDBInstance with rds:StorageEncrypted false is the usual companion that stops new unencrypted instances from appearing. This reduces the risk of accidental exposure and satisfies regulatory requirements for data at rest without manual enforcement.
IAM policies can restrict who may create RDS instances and, with the rds:StorageEncrypted condition, refuse unencrypted creation requests, but they do not encrypt anything themselves and do not determine how backups and snapshots are protected; that comes from the instance setting.
Security groups control network access but do not enforce encryption at rest or ensure snapshots inherit encryption.
CloudTrail logs API activity but cannot prevent unencrypted instance creation or ensure encryption is applied to backups.
Enabling RDS encryption at the instance level using a KMS key is correct because it ensures consistent encryption, protects backups and snapshots, integrates with auditing, and aligns with security best practices.
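The following is an added example, not code from the page, serving Questions 141 and 153: RDS encryption can only be chosen when an instance is created, so bringing an existing unencrypted instance under a customer managed key means snapshot, then encrypted copy, then restore and cutover. RDS calls go through an injected client and run offline against the constructed FakeRds; with boto3 pass boto3.client("rds"). The key ARNs, identifiers and inventory are constructed. audit() lists what is still unencrypted or on an unexpected key, which is how such instances are found in the first place.

```python
"""Find unencrypted RDS resources and re-create one under a CMK (added example)."""

CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"


def audit(rds, cmk_arn=CMK_ARN):
    """[(identifier, problem)] for instances and snapshots that are
    unencrypted or encrypted with a key other than the expected CMK."""
    problems = []
    for db in rds.describe_db_instances()["DBInstances"]:
        if not db["StorageEncrypted"]:
            problems.append((db["DBInstanceIdentifier"], "unencrypted"))
        elif db.get("KmsKeyId") != cmk_arn:
            problems.append((db["DBInstanceIdentifier"], "unexpected-key"))
    for s in rds.describe_db_snapshots()["DBSnapshots"]:
        if not s["Encrypted"]:
            problems.append((s["DBSnapshotIdentifier"], "unencrypted"))
    return problems


def encrypt_existing_instance(rds, db_id, cmk_arn=CMK_ARN):
    """snapshot -> copy with KmsKeyId -> restore. Returns the new instance
    identifier. With boto3, wait on the 'db_snapshot_available' and
    'db_instance_available' waiters between steps; the restored instance
    keeps the source's engine and class unless overridden. Cutover (stop
    writes, final sync, rename or repoint DNS) is outside this function."""
    snap = f"{db_id}-pre-encrypt"
    rds.create_db_snapshot(DBInstanceIdentifier=db_id, DBSnapshotIdentifier=snap)
    enc_snap = f"{snap}-cmk"
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snap,
                         TargetDBSnapshotIdentifier=enc_snap, KmsKeyId=cmk_arn)
    new_id = f"{db_id}-enc"
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_id,
                                             DBSnapshotIdentifier=enc_snap)
    return new_id


class FakeRds:
    """Constructed stand-in modelling only the encryption inheritance rules:
    a snapshot inherits the instance's state, a copy with KmsKeyId becomes
    encrypted, and a restore inherits the snapshot's key."""
    def __init__(self, instances):
        self.instances = {i["DBInstanceIdentifier"]: i for i in instances}
        self.snapshots = {}

    def describe_db_instances(self):
        return {"DBInstances": list(self.inst_values())}

    def inst_values(self):
        return self.instances.values()

    def describe_db_snapshots(self):
        return {"DBSnapshots": list(self.snapshots.values())}

    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        src = self.instances[DBInstanceIdentifier]
        self.snapshots[DBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": DBSnapshotIdentifier,
            "Encrypted": src["StorageEncrypted"], "KmsKeyId": src.get("KmsKeyId")}

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId=None):
        src = self.snapshots[SourceDBSnapshotIdentifier]
        key = KmsKeyId or src.get("KmsKeyId")   # an encrypted copy can never be decrypted
        self.snapshots[TargetDBSnapshotIdentifier] = {
            "DBSnapshotIdentifier": TargetDBSnapshotIdentifier,
            "Encrypted": bool(key), "KmsKeyId": key}

    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        snap = self.snapshots[DBSnapshotIdentifier]
        self.instances[DBInstanceIdentifier] = {
            "DBInstanceIdentifier": DBInstanceIdentifier,
            "StorageEncrypted": snap["Encrypted"], "KmsKeyId": snap.get("KmsKeyId")}


SAMPLE_INSTANCES = [   # constructed inventory
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": CMK_ARN},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True,   # constructed ARN
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-aws-managed"},
]


def demo():
    rds = FakeRds([dict(i) for i in SAMPLE_INSTANCES])
    before = audit(rds)
    new_id = encrypt_existing_instance(rds, "legacy-db")
    return before, new_id, audit(rds)


if __name__ == "__main__":
    before, new_id, after = demo()
    print("before:", before)
    print("created:", new_id)
    print("after:", after)
</```

After the cutover the unencrypted source and its pre-encrypt snapshot still show up in the audit, which is intended: they are deleted explicitly once the new instance is verified, not forgotten.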
Question 154
A company wants to ensure that all EBS volumes are encrypted at creation and that snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable EBS encryption by default and specify a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable EBS encryption by default and specify a KMS key
Explanation:
EBS encryption by default is an account-level setting that is enabled separately in every Region (EnableEbsEncryptionByDefault). Once it is on, every new volume, including volumes created from unencrypted AMIs or snapshots, is encrypted in that Region, and the API refuses to create an unencrypted volume; there is no per-volume opt-out. The key used is the Region's default EBS key, which is the AWS managed aws/ebs key until ModifyEbsDefaultKmsKeyId points it at a customer managed key, whose policy, rotation and CloudTrail usage records the administrators then control. Snapshots of encrypted volumes are encrypted with the same key, and volumes restored from them stay encrypted. Two caveats apply: the setting does nothing to volumes that already exist, which must be migrated through an encrypted snapshot copy, and a snapshot copied to another Region must be re-encrypted with a key that exists there. Default encryption removes the manual step and the chance of forgetting it while keeping the key under the organisation's control.
IAM policies control permissions but do not enforce encryption at creation. Users could still create unencrypted volumes manually.
Security groups manage network traffic but cannot encrypt volumes or snapshots. They operate at the network layer and do not enforce storage security.
CloudTrail logs API activity but does not enforce encryption or automatically apply it to volumes and snapshots.
Enabling EBS encryption by default with a KMS key is correct because it ensures encryption at creation, inherits encryption for snapshots, supports auditing, and mitigates operational and compliance risks.
Question 155
A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager provides secure storage for sensitive information such as API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, preventing hardcoded credentials. Secrets Manager supports automatic rotation, fine-grained IAM access policies, and auditing through CloudTrail. This ensures secure retrieval of secrets, reduces the risk of exposure, supports compliance requirements, and enables secure integration with serverless applications. Administrators can enforce least-privilege access, monitor usage, and implement automated secret management.
Storing secrets in plaintext environment variables exposes credentials to anyone with Lambda configuration access, increasing security risk.
Using S3 buckets for secret storage requires encryption, access management, and runtime integration, which is less secure and operationally complex compared to Secrets Manager.
Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditing, and secure runtime integration with Lambda, ensuring secrets are protected and compliant.
Question 156
A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty continuously analyzes VPC Flow Logs, DNS query logs and CloudTrail events to identify anomalous behaviour from EC2 instances, reading the flow and DNS data from its own independent streams, so no agent is installed and VPC Flow Logs need not be enabled by the customer. It detects unusual traffic patterns, unexpected connections, communication with known malicious or command-and-control addresses, port scans and similar indicators of compromise, using threat intelligence, anomaly detection and machine learning, and produces findings with a type, a severity and the details of the affected instance. Findings are delivered to EventBridge, where a rule can invoke a Lambda function for containment, such as moving the instance into an isolated security group. With a delegated administrator GuardDuty covers every account in the organisation, with findings produced per Region, so detection is centralized without any change to the instances or the network.
AWS Config tracks resource configuration changes but does not analyze network traffic or detect anomalies. Its focus is on compliance and configuration management.
IAM policies define access permissions but cannot monitor network traffic or detect compromised instances. They are preventive, not detective, controls.
CloudTrail logs API activity but does not provide real-time network anomaly detection. Analysis would require additional tooling and is reactive rather than proactive.
Amazon GuardDuty is correct because it provides continuous, automated detection of network anomalies, actionable alerts, centralized monitoring, and integration with automated response workflows to secure EC2 instances effectively.
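The following is an added example, not code from the page, serving Questions 144, 148, 151 and 156: a Lambda-style responder that accepts either a raw GuardDuty finding event or a Security Hub imported-findings event, extracts the affected EC2 instances, and isolates each one by replacing its security groups with an empty quarantine group. EC2 calls go through a client passed in (in place of the Lambda context argument), so it runs offline against the constructed FakeEc2; with boto3 pass boto3.client("ec2"). The quarantine group, instance IDs, account IDs and the two sample events are constructed.

```python
"""Automated EC2 quarantine from GuardDuty / Security Hub events (added example)."""

QUARANTINE_SG = "sg-0123456789quarant"   # assumption: exists and has no rules
MIN_GD_SEVERITY = 7.0                    # GuardDuty numeric scale: 7.0+ is High


def pattern_matches(pattern, event):
    """Minimal EventBridge pattern semantics: each pattern key must exist in
    the event, nested dicts recurse, and a leaf list means 'any of these
    values'. Numeric-range and prefix matchers are not modelled."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not pattern_matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True


# Rule pattern for raw GuardDuty findings about EC2 instances (constructed).
EC2_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"resource": {"resourceType": ["Instance"]}},
}


def targets(event):
    """Yield (account_id, instance_id) for instances worth isolating."""
    if event.get("source") == "aws.guardduty":
        d = event["detail"]
        if d.get("severity", 0) >= MIN_GD_SEVERITY and \
                d.get("resource", {}).get("resourceType") == "Instance":
            yield d["accountId"], d["resource"]["instanceDetails"]["instanceId"]
    elif event.get("source") == "aws.securityhub":
        for f in event["detail"]["findings"]:            # ASFF records
            if f.get("Severity", {}).get("Label") not in ("HIGH", "CRITICAL"):
                continue
            for r in f.get("Resources", []):
                if r.get("Type") == "AwsEc2Instance":    # Id is the instance ARN
                    yield f["AwsAccountId"], r["Id"].rsplit("/", 1)[-1]


def quarantine(ec2, instance_id):
    """Swap the instance's groups for the quarantine group and return the
    groups removed so they can be restored after the investigation. Only
    the primary ENI is covered; extra ENIs need
    modify_network_interface_attribute per interface."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    if previous == [QUARANTINE_SG]:
        return []                                        # already isolated
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return previous


def handler(event, ec2):
    """Returns {instance_id: groups_removed}. Across accounts the responder
    would first assume a role in `account`; here one client serves all."""
    return {inst: quarantine(ec2, inst) for _account, inst in targets(event)}


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client."""
    def __init__(self, groups):
        self.groups = groups      # instance_id -> [group ids]

    def describe_instances(self, InstanceIds):
        sgs = [{"GroupId": g} for g in self.groups[InstanceIds[0]]]
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "SecurityGroups": sgs}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)


GUARDDUTY_EVENT = {    # constructed, shaped like a "GuardDuty Finding" event
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"accountId": "111122223333", "severity": 8,
               "type": "Backdoor:EC2/C&CActivity.B",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0a1b2c3d4e5f60001"}}},
}
SECURITYHUB_EVENT = {  # constructed, shaped like "Security Hub Findings - Imported"
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"AwsAccountId": "444455556666", "ProductName": "GuardDuty", "Severity": {"Label": "HIGH"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:444455556666:instance/i-0a1b2c3d4e5f60002"}]},
        {"AwsAccountId": "444455556666", "ProductName": "GuardDuty", "Severity": {"Label": "LOW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:444455556666:instance/i-0a1b2c3d4e5f60003"}]},
    ]},
}


def demo():
    ec2 = FakeEc2({"i-0a1b2c3d4e5f60001": ["sg-app", "sg-ssh"],
                   "i-0a1b2c3d4e5f60002": ["sg-web"],
                   "i-0a1b2c3d4e5f60003": ["sg-db"]})
    return handler(GUARDDUTY_EVENT, ec2), handler(SECURITYHUB_EVENT, ec2), ec2.groups
```

Isolation keeps the instance (and its memory and disk) available for forensics, unlike termination; the returned group list is what an analyst needs to put the instance back once the finding is resolved. A real responder should also tag the instance with the finding ID and write the previous groups somewhere durable.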
Question 157
A company wants to ensure that all newly created S3 buckets are encrypted by default and public access is blocked across multiple accounts. Which AWS service combination achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
AWS Organizations allows centralized governance through Service Control Policies (SCPs) applied to every member account. An SCP cannot configure a bucket; it denies API calls, so the guardrail works by denying s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock (so nobody can weaken Block Public Access) and s3:PutEncryptionConfiguration (so nobody can change or remove a bucket's default-encryption rule) to every principal except a designated platform role. New buckets already receive SSE-S3 default encryption, so the encryption control is about preventing a weaker setting or mandating SSE-KMS. AWS Config, deployed organization-wide with an aggregator, evaluates every bucket against managed rules such as s3-bucket-server-side-encryption-enabled, s3-bucket-public-read-prohibited and s3-bucket-level-public-access-prohibited, and an SSM Automation remediation action corrects any bucket found non-compliant. This centralized approach minimizes manual effort, prevents accidental public exposure of sensitive data, and supports regulatory compliance across all accounts.
IAM policies applied individually to each account require manual configuration and maintenance, which can lead to inconsistencies and errors.
Enabling S3 versioning addresses data durability and recovery but does not enforce encryption or block public access.
Security groups manage network traffic but cannot enforce bucket-level encryption or public access restrictions.
AWS Organizations SCPs with AWS Config rules are correct because they enforce centralized policies, provide continuous monitoring, automate remediation, and ensure consistent security for S3 buckets across all accounts.
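The following is an added example, not code from the page, serving Questions 142 and 157: a local check mirroring two of the managed Config rules named above, run over constructed bucket records shaped like GetBucketEncryption and GetPublicAccessBlock responses, plus the SCP that stops member-account administrators from undoing those settings. The rule logic is a simplification of the managed rules, not their source; the bucket names, account setting and the platform role name are constructed.

```python
"""Config-style S3 encryption / public-access checks and the matching SCP (added example)."""

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ALLOWED_SSE = ("AES256", "aws:kms", "aws:kms:dsse")


def sse_enabled(bucket, require_kms=False):
    """s3-bucket-server-side-encryption-enabled (simplified): a default
    encryption rule exists with SSE-S3 or SSE-KMS; with require_kms, only
    the KMS variants count."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    wanted = ALLOWED_SSE[1:] if require_kms else ALLOWED_SSE
    return any(a in wanted for a in algos)


def effective_public_access_block(bucket, account_block):
    """Bucket and account settings are both applied: a setting is in force
    if either level turns it on."""
    b = bucket.get("PublicAccessBlockConfiguration", {})
    return {k: bool(b.get(k)) or bool(account_block.get(k)) for k in BPA_KEYS}


def evaluate_bucket(bucket, account_block, require_kms=False):
    """Names of the (simplified) rules the bucket fails; [] when compliant."""
    failed = []
    if not sse_enabled(bucket, require_kms):
        failed.append("s3-bucket-server-side-encryption-enabled")
    if not all(effective_public_access_block(bucket, account_block).values()):
        failed.append("s3-bucket-level-public-access-prohibited")
    return failed


def evaluate_account(buckets, account_block, require_kms=False):
    return {b["Name"]: evaluate_bucket(b, account_block, require_kms) for b in buckets}


PLATFORM_ROLE = "arn:aws:iam::*:role/PlatformAdmin"   # constructed exception
GUARDRAIL_SCP = {   # constructed SCP: deny everyone but the platform role
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeepBlockPublicAccess", "Effect": "Deny",
         "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
         "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": PLATFORM_ROLE}}},
        {"Sid": "KeepDefaultEncryption", "Effect": "Deny",
         "Action": "s3:PutEncryptionConfiguration",   # also gates DeleteBucketEncryption
         "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": PLATFORM_ROLE}}},
    ],
}

# Constructed inventory for one member account: the account-level block is
# only half on, so buckets must supply the other two settings themselves.
ACCOUNT_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_BUCKETS = [
    {"Name": "logs-archive",
     "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
         {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/s3-logs"}}]},
     "PublicAccessBlockConfiguration": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"Name": "marketing-site",
     "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
         {"SSEAlgorithm": "AES256"}}]},
     "PublicAccessBlockConfiguration": {}},          # relies on the account level only
    {"Name": "old-dumps"},                           # no encryption configuration at all
]


def demo(require_kms=False):
    return evaluate_account(SAMPLE_BUCKETS, ACCOUNT_BLOCK, require_kms)


if __name__ == "__main__":
    for name, failed in demo().items():
        print(name, "COMPLIANT" if not failed else "NON_COMPLIANT " + ", ".join(failed))
```

The SCP is deliberately narrow: it does not try to "require encryption" on every PutObject, which is unnecessary now that S3 encrypts by default, but it does make the two settings that matter changeable only by the platform role, so a Config finding can be remediated once and stays fixed.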
Question 158
A company wants to automatically disable IAM users who have not logged in for 60 days to reduce orphaned account risks. Which AWS service combination accomplishes this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM exposes, for each user, the time of the last console login and the last use of each access key; the credential report collects them for the whole account. EventBridge does not inspect that data itself: a scheduled rule invokes a Lambda function, which generates and reads the credential report, computes each user's most recent activity, and acts on anyone idle for 60 days. Because an IAM user cannot be "disabled" as such, the function deletes the console login profile and marks each access key Inactive, a reversible step that still cuts off both sign-in paths, and records what it did for the owner to review. The same condition can be detected by the AWS Config managed rule iam-user-unused-credentials-check (parameter maxCredentialUsageAge) and remediated automatically. Automating the sweep removes orphaned accounts on schedule, keeps enforcement consistent, and stops a forgotten user from becoming a foothold.
Security groups manage network traffic but cannot detect inactive users or disable accounts.
CloudTrail logs user activity and API calls but cannot automatically enforce disabling inactive accounts. It provides visibility but requires manual intervention.
S3 bucket policies control access to S3 objects but do not manage IAM users or enforce inactivity rules.
IAM with CloudWatch Events and Lambda automation is correct because it provides proactive detection, automated remediation, centralized enforcement, and reduces risk associated with orphaned accounts.
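The following is an added example, not code from the page, serving Questions 143 and 158: the body of a scheduled Lambda that reads the IAM credential report, finds users with no console login and no access-key use for 60 days, and disables them. IAM has no single "disable" switch, so that means deleting the console login profile and setting each access key to Inactive (reversible, unlike deletion). The IAM client is injected so the block runs offline against the constructed report and RecordingIam; with boto3 pass boto3.client("iam") after fetching the report with generate_credential_report (poll until State is COMPLETE) and get_credential_report()["Content"]. The report rows are constructed and use a subset of the real columns.

```python
"""Sweep inactive IAM users from the credential report (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 60
NO_VALUE = ("N/A", "no_information", "not_supported")   # placeholders the report uses


def parse_report(report_bytes):
    return list(csv.DictReader(io.StringIO(report_bytes.decode())))


def _ts(value):
    return None if value in NO_VALUE else datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(row):
    """Most recent console login or access-key use; a user who has never
    used any credential is measured from creation time instead, so new
    accounts that never signed in are swept up once they age out."""
    stamps = [_ts(row["password_last_used"]),
              _ts(row["access_key_1_last_used_date"]),
              _ts(row["access_key_2_last_used_date"])]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else _ts(row["user_creation_time"])


def inactive_users(rows, now, days=INACTIVE_DAYS):
    cutoff = now - timedelta(days=days)
    return [r["user"] for r in rows
            if r["user"] != "<root_account>" and last_activity(r) < cutoff]


def disable_user(iam, row):
    """Cut off both sign-in paths; returns the actions taken."""
    user, actions = row["user"], []
    if row["password_enabled"] == "true":
        iam.delete_login_profile(UserName=user)
        actions.append("login-profile-deleted")
    for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if k["Status"] == "Active":
            iam.update_access_key(UserName=user, AccessKeyId=k["AccessKeyId"], Status="Inactive")
            actions.append(f"{k['AccessKeyId']}-deactivated")
    return actions


def sweep(iam, report_bytes, now):
    """What a scheduled handler does: {user: actions} for everyone disabled."""
    rows = {r["user"]: r for r in parse_report(report_bytes)}
    return {u: disable_user(iam, rows[u]) for u in inactive_users(rows.values(), now)}


class RecordingIam:
    """Constructed stand-in: canned ListAccessKeys, records every other call."""
    def __init__(self, keys_by_user):
        self.keys, self.calls = keys_by_user, []

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.keys.get(UserName, [])}

    def __getattr__(self, name):            # any other API call is just recorded
        def call(**kwargs):
            self.calls.append((name, kwargs))
        return call


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_REPORT = b"""user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2023-01-01T00:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T00:00:00+00:00,true,2024-05-29T08:00:00+00:00,true,2024-05-30T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-07-01T00:00:00+00:00,true,2024-02-10T08:00:00+00:00,true,2024-02-12T09:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-01-15T00:00:00+00:00,true,no_information,true,N/A,false,N/A
"""
SAMPLE_KEYS = {"bob": [{"AccessKeyId": "AKIABOB0000000000001", "Status": "Active"}],
               "carol": [{"AccessKeyId": "AKIACAROL0000000001", "Status": "Active"}]}


def demo():
    iam = RecordingIam(SAMPLE_KEYS)
    return sweep(iam, SAMPLE_REPORT, NOW), iam.calls


if __name__ == "__main__":
    result, calls = demo()
    print(result)
    for call in calls:
        print("  ", call)
```

The root account is skipped on purpose (it has no login profile to delete and should be handled by a separate alarm), and carol shows why creation time matters: she has credentials that were never used, which the report marks N/A and no_information rather than with a date.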
Question 159
A company wants to ensure that all EBS volumes are encrypted at creation and that snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable EBS encryption by default and specify a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable EBS encryption by default and specify a KMS key
Explanation:
Enabling EBS encryption by default, a per-Region account setting, ensures that every volume created afterwards in that Region is encrypted, including volumes launched from unencrypted AMIs or snapshots, and the API will not create an unencrypted volume at all. By pointing the Region's default EBS key at a customer managed key (ModifyEbsDefaultKmsKeyId; until then the AWS managed aws/ebs key is used), administrators control the key policy, rotation and CloudTrail audit trail. Snapshots of encrypted volumes inherit the same key, and volumes restored from them remain encrypted. The setting does not touch volumes that already exist, which must be migrated through an encrypted snapshot copy, and snapshot copies to another Region must be re-encrypted with a key in that Region. Default encryption removes the manual step from every volume creation and with it the chance of forgetting it, so all new storage is secure by default.
IAM policies can control who can create volumes but cannot enforce encryption at creation. Users could still create unencrypted volumes if no defaults are configured.
Security groups manage network traffic but cannot enforce encryption on volumes or snapshots. They operate at the network layer, unrelated to storage encryption.
CloudTrail logs API activity but does not enforce encryption or automatically apply it to volumes and snapshots.
Enabling EBS encryption by default with a KMS key is correct because it ensures encryption at creation, inherits encryption for snapshots, supports auditing, and mitigates operational and compliance risks.
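The following is an added example, not code from the page, serving Questions 154 and 159: EBS encryption by default exists separately in every Region, so the rollout loops over Regions, turns it on, pins the customer managed key as the default, and reports what changed. It also lists volumes created before the switch, because the setting never touches existing volumes. Calls go through injected clients and run offline against the constructed FakeEc2; with boto3 build one boto3.client("ec2", region_name=r) per Region. The key alias and volume IDs are constructed.

```python
"""Region-by-region EBS encryption-by-default rollout and audit (added example)."""

DEFAULT_KEY = "alias/ebs-default"      # assumption: a CMK alias that exists in each Region
AWS_MANAGED_KEY = "alias/aws/ebs"      # what GetEbsDefaultKmsKeyId reports until pinned


def enforce_region(ec2, key_id=DEFAULT_KEY):
    """Idempotent: returns the state found so the rollout can report it."""
    was_enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if not was_enabled:
        ec2.enable_ebs_encryption_by_default()
    previous_key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    if previous_key != key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=key_id)
    return {"was_enabled": was_enabled, "previous_key": previous_key}


def unencrypted_volumes(ec2):
    """Volumes created before the default took effect. Fixing them is
    snapshot -> encrypted copy -> new volume -> swap, not a flag flip."""
    resp = ec2.describe_volumes(Filters=[{"Name": "encrypted", "Values": ["false"]}])
    return [v["VolumeId"] for v in resp["Volumes"]]


def rollout(clients_by_region, key_id=DEFAULT_KEY):
    report = {}
    for region, ec2 in clients_by_region.items():
        state = enforce_region(ec2, key_id)
        state["legacy_unencrypted"] = unencrypted_volumes(ec2)
        report[region] = state
    return report


class FakeEc2:
    """Constructed per-Region stand-in for boto3's EC2 client."""
    def __init__(self, enabled, key, volumes):
        self.enabled, self.key, self.volumes = enabled, key, volumes

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}

    def describe_volumes(self, Filters):
        want = Filters[0]["Values"][0] == "true"
        return {"Volumes": [v for v in self.volumes if v["Encrypted"] == want]}


def demo():
    regions = {   # constructed inventory
        "us-east-1": FakeEc2(False, AWS_MANAGED_KEY,
                             [{"VolumeId": "vol-0aaa000000000001", "Encrypted": False},
                              {"VolumeId": "vol-0aaa000000000002", "Encrypted": True}]),
        "eu-west-1": FakeEc2(True, DEFAULT_KEY, []),   # already done by hand
    }
    return rollout(regions), regions


if __name__ == "__main__":
    report, _ = demo()
    for region, state in report.items():
        print(region, state)
```

The report's previous_key field is worth keeping: volumes created while the default was the aws/ebs key are encrypted, but under a key whose policy the organisation cannot edit, so they may also need migrating if the requirement is specifically a customer managed key.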
Question 160
A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive data such as API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, eliminating the need to hardcode credentials. Secrets Manager supports automatic secret rotation, fine-grained IAM-based access control, and audit logging through CloudTrail. This reduces the risk of credential exposure, supports compliance requirements, and enables secure serverless application development. Administrators can enforce least-privilege access, monitor usage, and integrate secrets securely into Lambda functions.
Storing secrets in plaintext environment variables exposes credentials to anyone with access to Lambda configuration, creating a significant security risk.
Using S3 buckets for secret storage requires encryption, access management, and runtime integration, which is operationally complex and less secure than Secrets Manager.
Security groups control network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.
AWS Secrets Manager with IAM-based access is correct because it provides secure storage, controlled access, automated rotation, auditability, and secure runtime integration, ensuring sensitive secrets are protected and compliant.
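The following is an added example, not code from the page, serving Questions 145, 150, 155 and 160: a Lambda handler that fetches a database credential from Secrets Manager through the execution role, caches it across warm invocations with a TTL, and re-fetches once when a login is rejected so a freshly rotated secret is picked up without waiting for the TTL or a cold start. The client is injected so the block runs offline against the constructed FakeSecretsManager and FakeDb; with boto3 pass boto3.client("secretsmanager"). The secret name, its JSON layout, the key ARN and the execution-role policy are constructed.

```python
"""Cached, rotation-aware secret retrieval for Lambda (added example)."""
import json
import time

SECRET_ID = "prod/orders/db"     # assumption
TTL_SECONDS = 300

# Least-privilege statement for the function's execution role (constructed):
# only this secret, plus Decrypt through Secrets Manager if it uses a CMK.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/orders/db-*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
         "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}},
    ],
}


class SecretCache:
    """Create once at module import; Lambda keeps the execution environment
    warm between invocations, so the handler usually gets a cache hit."""
    def __init__(self, client, ttl=TTL_SECONDS, clock=time.monotonic):
        self.client, self.ttl, self.clock = client, ttl, clock
        self._entries = {}        # secret_id -> (parsed value, fetched_at)
        self.fetches = 0          # how often the API was actually called

    def get(self, secret_id, force=False):
        entry = self._entries.get(secret_id)
        if force or entry is None or self.clock() - entry[1] > self.ttl:
            resp = self.client.get_secret_value(SecretId=secret_id)
            entry = (json.loads(resp["SecretString"]), self.clock())
            self._entries[secret_id] = entry
            self.fetches += 1
        return entry[0]


class AuthError(Exception):
    pass


def connect_with_refresh(cache, connect):
    """connect(creds) opens a DB session or raises AuthError. One retry with
    a forced re-fetch covers the window after rotation in which the cached
    password has just been invalidated."""
    try:
        return connect(cache.get(SECRET_ID))
    except AuthError:
        return connect(cache.get(SECRET_ID, force=True))


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client."""
    def __init__(self, password):
        self.password = password

    def rotate(self, new_password):       # what a rotation function would do
        self.password = new_password

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": json.dumps(
            {"username": "orders_app", "password": self.password,
             "host": "orders.cluster.example.internal", "port": 5432})}


class FakeDb:
    """Constructed stand-in for a database that accepts only the current password."""
    def __init__(self, sm):
        self.sm = sm

    def connect(self, creds):
        if creds["password"] != self.sm.password:
            raise AuthError("password authentication failed")
        return f"session:{creds['username']}"


def handler(event, cache, db):
    """Lambda entry-point shape; cache and db are module-level in real code."""
    return {"statusCode": 200, "session": connect_with_refresh(cache, db.connect)}


def demo():
    sm = FakeSecretsManager("old-pw")
    cache, db = SecretCache(sm), FakeDb(sm)
    first = handler({}, cache, db)
    second = handler({}, cache, db)      # served from cache: no API call
    sm.rotate("new-pw")
    third = handler({}, cache, db)       # AuthError -> forced refresh -> ok
    return first, second, third, cache.fetches


if __name__ == "__main__":
    print(demo())
```

Nothing in the function or its environment variables holds the password; the only long-lived grant is the role statement above, and every GetSecretValue call is a CloudTrail record that can be alarmed on if it appears from anywhere other than this function.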