Amazon Practice Questions, Discussions & Exam Topics by our Authors
A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues ...
The scenario involves a high number of connections to an Amazon EC2 instance acting as an FTP server, which GuardDuty is flagging as a brute force attack due to the volume of traffic. The company has already flagged the findings as false positives, but GuardDuty continues to raise the issue. The goal is to improve the signal-to-noise ratio without compromising visibility of legitimate threats.
Analyzing the Options:
A) Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
- Explanation: Disabling the FTP rule in GuardDuty would stop detecting any FTP-related activity as suspicious, including potential future threats to the FTP server or any other FTP servers in the same region. While this might reduce false positives in the short term, it could also cause legitimate threats to go undetected, which compromises the security visibility of the environment.
- Rejection Reason: This approach could lead to a loss of important security insights for FTP-related incidents. Disabling rules is too broad and doesn't specifically address the issue of false positives without compromising other potential threats.
B) Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.
- Explanation: Adding the FTP server to a trusted IP list would ensure that GuardDuty does not flag the connections to the FTP server as potential brute-force attacks, since the IP list would be marked as trusted. However, this could lead to security concerns if new, legitimate sources or changes in traffic patterns are not monitored properly.
- Rejection Reason: The problem is not necessarily that the source IP addresses are untrusted, but that the volume of connections is high, which can be a valid security concern. Trusting an IP list could suppress the detection of abnormal traffic patterns and prevent GuardDuty from alerting on legitimate attacks that may arise from trusted sources. Additionally, it doesn't improve the signal-to-noise ratio in a meaningful way.
C) Create a suppression rule in GuardDuty to filter findings by a...
Author: Ryan · Last updated May 23, 2026
A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.
A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security eng...
The security engineer needs to fulfill two requirements:
1. Encrypt the private repositories using AWS KMS.
2. Analyze container images for common vulnerabilities and exposures (CVEs).
Let's break down the options:
A) Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances' user data. Run an assessment with the CVE rules.
- Explanation:
  - Enabling KMS encryption on existing ECR repositories is valid, as KMS can be used to encrypt the container images stored in Amazon ECR.
  - Installing the Amazon Inspector Agent on ECS instances is unnecessary here, as Amazon Inspector is typically used for scanning EC2 instances, not specifically container images. Amazon Inspector would also require additional setup on the ECS instances, but it's not the best tool for analyzing the CVEs in container images directly.
- Rejection Reason: Although KMS encryption works, Amazon Inspector is not the best tool for scanning ECR repositories or images for CVEs. There are more efficient solutions for this task.
B) Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.
- Explanation:
  - Recreating ECR repositories and enabling KMS encryption ensures that container images are encrypted as they are pushed into the repository.
  - Enabling ECR image scanning is the optimal solution for analyzing container images for CVEs. Amazon ECR integrates directly with Amazon Elastic Container Registry Image Scanning to detect known vulnerabilities in the container images based on CVE rules.
  - The solution includes scanning images after they are pushed, making it the ideal approach to identify CVEs in container images.
- Selected Reason: This solution effectively meets both the requirements. It uses built-in functionality to scan container images for vulnerabilities while encrypting the reposit...
Author: Matthew · Last updated May 23, 2026
A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other AWS services. The contractor's IAM account must not be able to gain access to any other AWS service, even if the IAM account is...
Requirements:
- The contractor should only have access to Amazon EC2 in the AWS Management Console.
- The contractor's IAM account should not gain access to any other AWS services, even if assigned additional permissions through IAM group membership.
Option Analysis:
A) Create an inline IAM user policy that allows for Amazon EC2 access for the contractor's IAM user.
- Explanation: An inline policy directly attached to the IAM user can grant permissions for Amazon EC2 access. However, the issue here is that while the user would have access to EC2, it does not prevent future permissions from being added to the IAM user or group. This means that even if the contractor's IAM account is part of a group with additional permissions in the future, the user would gain access to other services.
- Rejection Reason: The inline IAM user policy doesn't meet the requirement to strictly prevent access to all other services, even if additional permissions are added through group memberships. This is not the most restrictive solution.
B) Create an IAM permissions boundary policy that allows Amazon EC2 access. Associate the contractor's IAM account with the IAM permissions boundary policy.
- Explanation: An IAM permissions boundary is a policy that defines the maximum permissions a user or role can have, regardless of any permissions granted by their policies or group memberships. By associating a permissions boundary that allows access only to Amazon EC2, this will ensure that the contractor's IAM account cannot gain access to any other AWS services, even if additional permissions are added through IAM group membership.
- Selected Reason: This is the best solution. The permissions boundary ensures that the contractor's IAM account can only have the defined EC2 access and nothing more, preventing any unintended permissions, even from group policies.
...
Author: SilverBear · Last updated May 23, 2026
A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accoun...
To ensure that all existing and future AWS accounts have CloudTrail logs sent to a centralized Amazon S3 logging bucket, the security team needs to implement a solution that automatically manages CloudTrail configuration across all accounts in the organization, including new accounts that are created.
Option Analysis:
A) Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send a notification if a trail is deleted or stopped.
- Explanation:
  - Creating a new trail and configuring it to send logs to a centralized S3 bucket is a valid step. However, using Amazon EventBridge to monitor trail deletion or stoppage can only notify the security team after an issue occurs.
  - This approach does not proactively ensure that all accounts, including new accounts, always have a trail configured. It only provides notification after a trail is deleted or stopped, which still requires manual intervention to resolve the issue.
- Rejection Reason: While EventBridge helps with notifications, this solution doesn't ensure a trail is always configured in the first place, nor does it automatically apply to new accounts. It focuses on detecting issues after they happen.
B) Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail if needed.
- Explanation:
  - Deploying a Lambda function in every account is a solution that would check for existing CloudTrail configuration and create a trail if necessary. However, this requires ongoing maintenance and monitoring to ensure that the Lambda function is properly deployed and working in every account.
  - Additionally, this approach does not scale as effectively as managing the trail configuration directly through AWS Organizations, and it introduces the complexity of managing Lambda functions across all accounts.
- Rejection Reason: While functional, this approach requires more manual effort and monitoring compared to using AWS Organizations' built-in management capabilities. Lambda-based solutions are not as automated or scalable for managing CloudTrail configurat...
Author: Elizabeth · Last updated May 23, 2026
A company recently had a security audit in which the auditors identified multiple potential threats. These potential threats can cause usage pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to i...
Requirements:
The company needs a solution to continuously monitor its system and identify threats in near-real time for various potential threats such as abnormal instance traffic, DNS access peaks, unusual Amazon S3 API calls, and abnormal network interface traffic. The solution should be capable of handling diverse threat sources and varying threat occurrence times.
Option Analysis:
A) Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
- Explanation:
  - CloudTrail logs provide detailed logs of API calls made on the account.
  - VPC flow logs offer visibility into network traffic.
  - DNS logs provide information on DNS queries made in the environment.
  - Amazon CloudWatch Logs can centralize the management of these logs and offer visibility into logs, but it lacks direct anomaly detection capabilities. You would need to manually configure custom metrics, alarms, and dashboards to monitor for specific patterns or threats.
- Rejection Reason: While this solution allows central log management, it lacks the built-in threat detection and automated analysis capabilities of specialized security services. This would require manual intervention for detecting and responding to potential threats.
B) Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
- Explanation:
  - Amazon Macie is a security service focused primarily on data security and privacy. It excels at discovering, classifying, and protecting sensitive data within Amazon S3, specifically for detecting PII (Personally Identifiable Information) data leaks.
  - While Macie is useful for monitoring data privacy threats, it is not designed for monitoring or detecting the network-level traffic anomalies (e.g., abnormal VPC flow logs, DNS queries, or instance traffic) described in the use case.
- Rejection Reason: This option would not be ideal for identifying network or instance traffic anomalies, as Macie is focused more on data privacy rather than network-level or application security monitoring.
C) Enable Amazon GuardDuty from a centralized account. Use Guard...
Author: ElectricLionX · Last updated May 23, 2026
A company that uses AWS Organizations is using AWS IAM Identity Center (AWS Single Sign-On) to administer access to AWS accounts. A security engineer is creating a custom permission set in IAM Identity Center. The company will use the permission set across multiple accounts. An AWS managed policy and a customer managed policy are attached to the permission set. The security engineer has full administrative permissions and is operating in the management account.
When the se...
To address the failure in assigning the permission set to the IAM Identity Center user, we need to evaluate each option carefully, keeping in mind the structure and behavior of AWS IAM Identity Center, the role of managed policies, and how permission sets are applied across multiple AWS accounts.
Option A: Create the customer managed policy in every account where the permission set is assigned. Give the customer managed policy the same name and same permissions in each account.
- Reasoning: This option suggests replicating the customer managed policy in every account where the permission set is applied, with the same name and permissions. While this might work, it introduces unnecessary complexity. IAM Identity Center uses global permission sets that can be applied to multiple accounts in an organization. There's no need to duplicate policies in each account. Managing the same policy across multiple accounts can lead to inconsistent behavior and administrative overhead.
- Rejected: Duplicating the policy across multiple accounts is inefficient and does not resolve the core issue of why the permission set assignment failed in the first place. IAM Identity Center permission sets are designed to be applied across accounts, without needing separate policy copies in each account.
Option B: Remove either the AWS managed policy or the customer managed policy from the permission set. Create a second permission set that includes the removed policy. Apply the permission sets separately to the user.
- Reasoning: This option suggests breaking the policies into separate permission sets and applying them separately. This could be an alternative approach but does not directly address the underlying issue with the permission set assignment failing. In most cases, IAM Identity Center is designed to handle multiple policies attached to a single permission set without the need to split them across multiple permission sets.
- Rejected: Splitting policies into separate permission sets introduces complexity without directly addressing the problem. It is not the most efficient or scalable solution and doesn’t handle potential conflicts between the policies in a clean way.
Option C: Evaluate...
Author: Kunal · Last updated May 23, 2026
A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitiv...
To address the security issue of sensitive information being stored as plaintext in AWS Lambda environment variables, the most important factor is to ensure that the sensitive information is stored securely, encrypted, and only accessible to the Lambda functions that need access to it. Let's evaluate each option:
Option A: Set up IAM policies from the Lambda console to hide access to the environment variables.
- Reasoning: IAM policies in the Lambda console cannot be used to hide environment variables. IAM can control which resources a user or service can access, but it cannot control the visibility of environment variables in the Lambda console itself. The visibility of environment variables in the Lambda console is a UI issue that IAM policies do not address. Moreover, hiding environment variables does not solve the core problem of storing sensitive data securely.
- Rejected: This option does not solve the issue of storing sensitive information securely and is not a feasible solution. It only addresses access control from the UI perspective, not the actual security of the data.
Option B: Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
- Reasoning: While AWS Step Functions can be used to coordinate multiple AWS services, it is not designed for securely storing environment variables. Step Functions is primarily a workflow orchestration service, not a storage solution for sensitive data. Using Step Functions in this manner would add unnecessary complexity and might not offer the best security posture for storing sensitive information.
- Rejected: Step Functions is not designed for storing sensitive data like environment variables. This approach introduces unnecessary complexity and is not cost-effective for this specific use case.
Option C: Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
- Reasoning: AWS Secrets Manager is designed to ...
Author: Siddharth · Last updated May 23, 2026
A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices.
Which...
To ensure that the Service Control Policies (SCPs) conform to best practices in AWS Organizations, it's essential to focus on the tools and processes that are specifically designed for analyzing and validating IAM and policy configurations within AWS Organizations. Let's evaluate each option:
Option A: Use AWS IAM Access Analyzer to analyze the policies. View the findings from policy validation checks.
- Reasoning: AWS IAM Access Analyzer is a tool designed to help you review and analyze IAM policies, including SCPs, for potential security issues. It can provide findings related to access analysis, ensuring that policies are following best practices, such as identifying overly permissive policies. This tool is directly relevant to validating the configuration of SCPs within AWS Organizations.
- Selected Option: This is the most appropriate solution because IAM Access Analyzer is specifically designed to help you evaluate and refine IAM policies, including SCPs. It checks for security risks, ensures that policies follow best practices, and provides insights into access behavior, making it the best option for ensuring SCPs conform to best practices.
Option B: Review AWS Trusted Advisor checks for all accounts in the organization.
- Reasoning: AWS Trusted Advisor provides a set of best practice checks across various AWS resources and services, including cost optimization, performance, and security. However, Trusted Advisor is primarily focused on general AWS infrastructure optimization and does not specifically analyze IAM policies or SCPs. While it can help with general security best practices (e.g., ensuring that MFA is enabled), it does not directly validate SCP configurations or ensure their adherence to best practices.
- Rejected: While Trusted Advisor is a valuable tool for general AWS account and resource best practices, it does not specifical...
Author: Harper · Last updated May 23, 2026
A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that an...
To ensure that all existing Amazon RDS instances are encrypted using server-side encryption and that future deviations from the encryption policy are detected, the security engineer needs to take a combination of proactive steps to detect and remediate unencrypted RDS databases, as well as continuously monitor for compliance. Let's evaluate each option:
Option A: Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
- Reasoning: AWS Config is a service that tracks configuration changes to AWS resources. By creating an AWS Config rule to detect unencrypted RDS databases, the security engineer can ensure that any non-compliant databases are immediately detected. Amazon EventBridge can be used to monitor the state of the AWS Config rule, and Amazon SNS can notify the security team if any unencrypted RDS databases are created. This approach provides continuous monitoring and alerting, which helps detect non-compliance in a timely manner.
- Selected Option: This is a good proactive monitoring solution, as it will notify the security team whenever a non-compliant (unencrypted) database is created, allowing quick remediation and ensuring policy compliance in real-time.
Option B: Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
- Reasoning: AWS Systems Manager State Manager can be used to ensure that configuration settings for managed resources remain consistent over time, but it is typically more useful for managing configuration drift of EC2 instances or other systems under management. While it could track changes in configuration, State Manager is not ideal for tracking the encryption status of RDS instances, which are not managed in the same way as EC2 instances.
- Rejected: This is not the best fit for this specific use case, as AWS Systems Manager is better suited for configuration management of EC2 instances or other services, not for detecting encryption status changes in RDS databases.
Option C: Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unen...
Author: FrostFalcon88 · Last updated May 23, 2026
A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.
The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement...
To address the scenario where the company needs to recover EC2 instances in case the AWS account is compromised and the EBS snapshots are deleted, the security engineer must ensure that backup data (EBS snapshots) is protected, and that the backup remains intact even if the account's access is compromised. Let's evaluate each option:
Option A: Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
- Reasoning: EBS snapshots cannot be directly moved to an S3 bucket using lifecycle policies. EBS snapshots are managed within Amazon EBS and not stored as S3 objects, meaning they cannot be transferred to an S3 bucket directly. Additionally, S3 Object Lock is designed to prevent the deletion of objects in S3, but it does not apply to EBS snapshots themselves.
- Rejected: This approach is not valid because EBS snapshots cannot be moved to an S3 bucket using lifecycle policies, and the protection mechanisms do not apply directly to EBS snapshots.
Option B: Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
- Reasoning: While AWS Systems Manager is a useful tool for managing configurations across EC2 instances, it is not designed for regular backup of EC2 instance data or EBS volumes to S3. This option is more appropriate for automation and configuration management rather than backup and disaster recovery of EBS snapshots.
- Rejected: This option does not provide a comprehensive solution for protecting EBS snapshots or addressing the need for recovering EC2 instances if the account is compromised.
Option C: Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
- Reasoning: This a...
Author: FrozenWolf2022 · Last updated May 23, 2026
A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.
The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team acces...
To isolate the target EC2 instance effectively and prevent any traffic to and from it, except for traffic from the forensics team, the security engineer needs a strategy that fully isolates the instance while allowing the required forensic access. Let's evaluate each option.
Option A: Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
- Reasoning: This option temporarily opens the instance to all traffic (both inbound and outbound) from anywhere on the internet, which would contradict the isolation objective. Even though the rules are deleted afterward, the period during which these rules are in place introduces a security risk. This is not a proper isolation solution and could expose the instance to unnecessary traffic before the rules are removed.
- Rejected because it opens the instance to unnecessary traffic and doesn't ensure the required isolation during the process.
Option B: Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
- Reasoning: While removing port 22 security group rules would block SSH traffic, it doesn't fully isolate the instance in terms of network communication. It only addresses SSH access but doesn't address other potential network traffic (like web traffic or other ports). Additionally, this option relies on AWS Systems Manager (SSM) to give the forensics team access, which is a good practice but doesn’t necessarily block all other traffic, making it a partial solution.
- Rejected because it doesn't isolate the instance completely and relies on specific config...
Author: Nia · Last updated May 23, 2026
A startup company is using a single AWS account that has resources in a single AWS Region. A security engineer configures an AWS CloudTrail trail in the same Region to deliver log files to an Amazon S3 bucket by using the AWS CLI.
Because of expansion, the company adds resources in multiple Regions. The security engineer notices that the logs from...
In this scenario, the security engineer is dealing with a CloudTrail configuration issue where logs from multiple Regions are not reaching the S3 bucket. The goal is to fix the issue with the least amount of operational overhead, ensuring that all logs from all Regions are properly delivered to the designated S3 bucket.
Option A: Create a new CloudTrail trail. Select the new Regions where the company added resources.
- Reasoning: This option requires creating a new CloudTrail trail and manually selecting the Regions where resources were added. However, the issue here is that the current CloudTrail trail should already be able to capture logs from multiple Regions. This approach adds unnecessary complexity by creating additional trails for different Regions, which increases operational overhead by requiring management of multiple trails.
- Rejected because it introduces more complexity and overhead by creating multiple trails.
Option B: Change the S3 bucket to receive notifications to track all actions from all Regions.
- Reasoning: This option pertains to configuring notifications for the S3 bucket, which would help in tracking actions on the S3 bucket itself. However, it does not address the core issue with CloudTrail logs not being delivered to the S3 bucket from the new Regions. The issue is that the existing CloudTrail trail is not covering multiple Regions, so simply changing the S3 bucket behavior wil...
Author: Jack · Last updated May 23, 2026
A company's public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue, the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.
The company discovers that some traffic is still coming directly into the ALB and is still being handled by the ...
To ensure that the EC2 instances behind the Application Load Balancer (ALB) receive traffic only from Amazon CloudFront and not directly from the internet, the company needs to configure the infrastructure to properly validate that incoming requests to the ALB come through CloudFront. This can be done by using a custom HTTP header and enforcing it on the ALB. Let's review each option.
Option A: Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
- Reasoning: This option suggests modifying the cache key policy to allow a custom HTTP header to be added by CloudFront. While this could theoretically work, the cache key policy primarily affects how CloudFront caches content and does not ensure that CloudFront traffic is differentiated from other traffic at the ALB level. It doesn’t directly address restricting the traffic to only come from CloudFront, making it less relevant to this use case.
- Rejected because this option is more about caching and doesn't help with traffic validation to ensure requests come through CloudFront.
Option B: Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.
- Reasoning: This option makes sense because it specifies that CloudFront will add a custom HTTP header to all requests that it forwards to the ALB. This header can act as a marker indicating that the request is coming from CloudFront, allowing the ALB to identify and filter traffic from CloudFront and deny direct traffic. This is a good approach to ensure the traffic is indeed coming from CloudFront.
- Selected because adding a custom HTTP header to requests ensures that only requests from CloudFront can be accepted by the ALB, facilitating the required security.
Option C: Configure the ALB to forward only requests that contain the custom HTTP header.
- Reasoning: This option works well in conjunction with Option B. After configuring CloudFront to add a custom ...
Author: Mia · Last updated May 23, 2026
A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account. The company has not monitored account activity in the past.
The security consultant needs to determine whi...
To determine which resources have been deployed or reconfigured by the employee, the security consultant needs to find a way to quickly identify all the actions that were performed in the AWS account within the past 30 days. Here's an analysis of the available options:
Option A: In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by resource.
- Reasoning: AWS Cost Explorer helps track billing information and cost anomalies, but it does not track detailed activities like resource creation or configuration changes. It would only show cost-related data, not exactly what the employee did with the resources (e.g., creating or modifying them).
- Rejected because this option does not track resource activity; it’s focused on costs and billing information, which won’t provide insight into what actions the employee performed in the account.
Option B: Use AWS Cost Anomaly Detection to create a cost monitor. Access the detection history. Set the time frame to Last 30 days. In the search area, choose the service category.
- Reasoning: AWS Cost Anomaly Detection focuses on detecting unexpected changes in costs and usage patterns. However, it does not track specific actions taken on resources. It’s more about identifying cost spikes rather than providing detailed activity logs or configurations made by users.
- Rejected because it does not track user actions or resource-level changes, but only identifies unusual cost behaviors.
Option C: In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that cont...
Author: Liam · Last updated May 23, 2026
A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template. The security engineer must replace the parameter w...
To address the vulnerability of exposing an API key in plaintext in an AWS CloudFormation template, the security engineer needs to securely reference the API key throughout the template while maintaining security best practices. Let’s analyze each option:
Option A: Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store. In the template, replace all references to the value with `{{resolve:ssm:MySSMParameterName:1}}`.
- Reasoning: Storing sensitive data such as API keys as a `SecureString` parameter in AWS Systems Manager Parameter Store is a secure option. The value is encrypted, and access is controlled via IAM policies. The `{{resolve:ssm:MySSMParameterName:1}}` syntax in CloudFormation templates allows the value of the parameter to be securely retrieved during stack creation or updates. This solution is widely used and complies with best practices for managing secrets in AWS.
- Selected because it provides secure storage and retrieval of sensitive data (API key) while allowing references throughout the CloudFormation template. Systems Manager Parameter Store provides built-in encryption and access control, making it a secure choice.
Option B: Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with `{{resolve:secretsmanager:MySecretId:SecretString}}`.
- Reasoning: AWS Secrets Manager is designed to securely store and manage secrets, such as API keys, and supports automatic rotation and fine-grained access control. This option is also secure, and using the `{{resolve:secretsmanager:MySecretId:SecretString}}` syntax in CloudFormation templates is a secure way to reference secrets. However, Secrets Manager is typically used for storing secrets that require rotation, which might not be necessary for all use cases (such as a static API key).
- Rejected because while this is a secure option, it may offer more features than necessary (automatic rotation, etc.), adding extra comp...
Author: ElectricLionX · Last updated May 23, 2026
A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the C...
To secure the AWS CloudTrail logs stored in an S3 bucket and prevent unauthorized access or tampering, the security team should take the following steps:
A) Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
- Why Selected: Server-side encryption with KMS-managed keys (SSE-KMS) ensures that the CloudTrail logs are encrypted both in transit and at rest. By using KMS, the security team gains full control over the encryption keys, providing an added layer of protection against unauthorized access. If a malicious actor gains access to the S3 bucket, they won't be able to read the logs without access to the KMS key, which is tightly controlled.
- Why Not Rejected: Encryption with SSE-KMS is critical to protect sensitive log data, and it's a best practice for securing log files in AWS. This cannot be overlooked, as plaintext logs are a security vulnerability.
C) Create an Amazon EventBridge rule to notify the security team of any modifications on CloudTrail log files.
- Why Selected: An EventBridge rule that detects changes (e.g., PUT, DELETE, or POST operations) on CloudTrail log files in the S3 bucket helps the security team respond quickly to potential tampering or unauthorized access. The EventBridge rule sends a notification when any modifications occur, allowing the team to act swiftly if any unauthorized actions are detected.
- Why Not Rejected: Monitoring for any changes is crucial in the context of security, particularly for logs that may serve as evidence in case of a breach. Without this alerting mechanism, modifications could go unnoticed.
D) Implement least privilege access to the S3 bucket by configuring a bucket policy.
- Why Selected: Least privilege access is essential for reducing the attack surface. By configuring a bucket policy to ensure that only authorized users or ser...
Author: Vivaan · Last updated May 23, 2026
A company has several petabytes of data. The company must preserve this data for 7 years to comply with regulatory requirements. The company's compliance team asks a security officer to develop a strategy that will prevent anyone f...
To meet the requirement of preserving several petabytes of data for 7 years while preventing anyone from changing or deleting the data, the most cost-effective and reliable solution needs to ensure that the data is both immutable and cost-efficient for long-term storage. Here is an analysis of each option:
A) Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in compliance mode. Upload the data to the bucket. Create a resource-based bucket policy that meets all the regulatory requirements.
- Why Selected: S3 Object Lock in compliance mode ensures that once data is uploaded to the S3 bucket, it cannot be modified or deleted until the retention period expires. Compliance mode is specifically designed for use cases like this, where the data must be preserved for regulatory reasons and protected from any changes or deletions, including by administrators.
- Cost-Effectiveness: This solution provides direct control over the data in S3 and ensures its immutability without the need for external services. S3 is also designed for high durability and availability, which suits long-term retention.
- Why Not Rejected: This option meets the compliance and immutability requirements effectively, and it is appropriate for long-term storage, especially since it avoids unnecessary transitions between storage classes, which could incur additional costs.
B) Create an Amazon S3 bucket. Configure the bucket to use S3 Object Lock in governance mode. Upload the data to the bucket. Create a user-based IAM policy that meets all the regulatory requirements.
- Why Rejected: S3 Object Lock in governance mode only prevents users (except those with special permissions) from deleting or modifying data but does not offer the same level of protection as compliance mode. In governance mode, authorized users with the right permissions can override the lock, which doesn't fully meet the regulatory requirement of immutability and protection from changes or deletions.
- Cost Factor: While governance mode may be cheaper in certain use cases, it doesn't provide the level of security needed to meet strict regulat...
Author: NebulaEagle11 · Last updated May 23, 2026
A company uses a third-party identity provider and SAML-based SSO for its AWS accounts. After the third-party identity provider renewed an expired signing certificate, users saw the following message when trying to log in:
Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)
...
To address the error "Response Signature Invalid" caused by the expired signing certificate of the third-party identity provider after it was renewed, the security engineer needs to fix the issue where the AWS Identity and Access Management (IAM) service is not using the updated public key from the identity provider. Here's the analysis of the options:
A) Upload the third-party signing certificate’s new private key to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS Management Console.
- Why Rejected: The private key should never be shared or uploaded to AWS. The public key (not the private key) is used to validate the SAML response signature. Thus, uploading the private key is both insecure and unnecessary. AWS only requires the public key for signature verification, so this solution is inappropriate for the issue at hand.
B) Sign the identity provider's metadata file with the new public key. Upload the signature to the AWS identity provider entity defined in AWS Identity and Access Management (IAM) by using the AWS CLI.
- Why Rejected: This solution would be used in cases where the identity provider's metadata file itself needs to be signed to prove its authenticity. However, the core issue here is related to the renewal of the signing certificate, and uploading the signature does not directly resolve the issue of AWS not having the new public key for signature validation. Therefore, this solution introduces unnecessary complexity without directly solving the problem.
C) Download the updated SAML metadata file from the id...
Author: Evelyn · Last updated May 23, 2026
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authenticati...
To secure employee-only access to the migrated legacy web application without modifying the application itself, the solution needs to integrate with the existing ADFS-based authentication system while minimizing changes to the architecture. Below is an analysis of the options:
A) Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
- Why Selected: This solution allows you to authenticate users with ADFS using Amazon Cognito without modifying the application. By placing the application behind an ALB and configuring Amazon Cognito for authentication, the ALB can be set up to authenticate users via SAML with ADFS. This effectively controls access to the application and ensures that only employees can access it, leveraging the existing ADFS infrastructure.
- Benefits: Cognito can handle SSO via SAML, and using ALB allows for a scalable and easy-to-manage approach without needing to change the application itself. This is a clean and secure solution for integrating authentication into a web application hosted on EC2, with minimal changes required to the application or infrastructure.
B) Implement AWS IAM Identity Center (AWS Single Sign-On) in the management account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
- Why Rejected: AWS IAM Identity Center (AWS SSO) is primarily used for managing access to AWS resources like the AWS Management Console, AWS CLI, and AWS applications, rather than for web applications hosted on EC2. While AWS SSO can integrate with ADFS for AWS-based access, it doesn't natively support managing access for a legacy web application running on EC2. This solution does no...
Author: Madison · Last updated May 23, 2026
A company is using AWS to run a long-running analysis process on data that is stored in Amazon S3 buckets. The process runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are deployed in a private subnet of a VPC that does not have internet access. The EC2 instances and the S3 buckets are in the same AWS account.
The EC2 instances access the S3 buckets through an S3 gateway endpoint that has the default access policy. Each EC2 instance is associated with an instance profile role that has a policy that explicitly allows the s3:GetObject action and the s3:PutObject action for only the required S3 buckets.
The company learns that one or more of the EC2 ins...
To address the issue of exfiltration of data by compromised EC2 instances and ensure that the EC2 processing job remains functional, the security engineer must focus on restricting the ability of the compromised EC2 instances to access S3 buckets outside the company's organization while maintaining the necessary functionality for the internal EC2 instances to access their required S3 buckets.
Analysis of the options:
A) Update the policy on the S3 gateway endpoint to allow the S3 actions only if the values of the aws:ResourceOrgID and aws:PrincipalOrgID condition keys match the company's values.
- Why Selected: The S3 gateway endpoint acts as the entry and exit point for traffic between the EC2 instances and S3. By updating the policy on the S3 gateway endpoint with conditions using the `aws:ResourceOrgID` and `aws:PrincipalOrgID` condition keys, the security engineer can ensure that S3 actions (such as `s3:GetObject` and `s3:PutObject`) are allowed only if the S3 resource and the principal (the EC2 instance) belong to the same AWS Organization (i.e., the company's organization). This prevents the compromised EC2 instances from exfiltrating data to external S3 buckets outside the company’s organization while preserving access to the internal S3 buckets for the processing job.
- Key Factor: The use of condition keys on the S3 gateway endpoint policy is the most effective way to control access based on organization membership without requiring changes to the instance profiles or disrupting the existing EC2 instance behavior.
B) Update the policy on the instance profile role to allow the S3 actions only if the value of the aws:ResourceOrgID condition key matches the company's value.
- Why Rejected: While updating the policy on the instance profile role can restrict the S3 actions based on organization, it does not prevent the exfiltration of data via the compromised EC2 instances when the traffic is routed through the S3 gateway endpoint. The EC2 instance can still use th...
Author: Carlos Garcia · Last updated May 23, 2026
A company that operates in a hybrid cloud environment must meet strict compliance requirements. The company wants to create a report that includes evidence from on-premises workloads alongside evidence from AWS resources. A security engineer must implement a solution to collect, re...
To meet the strict compliance requirements and include evidence from both on-premises workloads and AWS resources, the best solution is to collect, review, and manage evidence across both environments in a centralized manner. Let’s analyze each option:
A) Create an assessment in AWS Audit Manager from a prebuilt framework or a custom framework. Upload manual evidence from the on-premises workloads. Add the evidence to the assessment. Generate an assessment report after Audit Manager collects the necessary evidence from the AWS resources.
- Explanation: AWS Audit Manager is specifically designed for collecting, reviewing, and managing evidence in a structured way to demonstrate compliance with various regulations and standards. It allows the integration of evidence from both AWS and non-AWS (on-premises) workloads. You can upload manual evidence from on-premises and let Audit Manager gather evidence from AWS resources automatically. It provides a comprehensive and automated reporting solution, making it ideal for hybrid cloud environments.
- Reasoning: This solution fits the requirement of managing compliance in a hybrid environment. AWS Audit Manager is tailored to handle this scenario, making it the most appropriate choice.
B) Install the Amazon CloudWatch agent on the on-premises workloads. Use AWS Config to deploy a conformance pack from a sample conformance pack template or a custom YAML template. Generate an assessment report after AWS Config identifies noncompliant workloads and resources.
- Explanation: AWS Config is useful for tracking configuration compliance, but it's focused more on identifying non-compliant AWS resources rather than a full compliance assessment involving both on-premises and cloud resources. While CloudWatch agents and AWS Config can monitor and manage AWS resources and some on-premises workloads, this approach lacks an effective means to upload and manage manual evidence from on-premises resources and doesn't provide a unified reporting system for compliance.
- Reasoning: This option is primarily focused on AWS environments and might be less suitable for comprehensive hybrid cloud compliance reporting.
C) Set up the appropriate sec...
Author: Sara · Last updated May 23, 2026
To meet regulatory requirements, a security engineer needs to implement an IAM policy that restricts the use of AWS services to the us-...
To restrict the use of AWS services to the us-east-1 Region, the IAM policy must prevent the use of AWS resources in any other regions. Let's evaluate how different policy options can achieve this:
1. AWS IAM Policy with Region Restriction:
To restrict service usage to the us-east-1 region, the IAM policy can specify a condition that limits actions to only this region. This can be done using the `Condition` element, specifically with the `aws:RequestedRegion` condition key.
Here’s an example of such a policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
```
Explanation:
- Condition: The `StringNotEquals` condition compares the Region of the requested action against `us-east-1`; the statement only takes effect when they differ.
- Action: The `Deny` effect is applied to all actions (`"Action": "*"`), so any action requested outside the `us-east-1` Region is denied.
- Resource: The statement applies to all resources (`"Resource": "*"`).
This IAM policy is ideal for restricting actions based on the region because it explicitly checks the `aws:RequestedRegion` and denies any actions that are not in the `us-east-1` region.
2. IAM Policy Restricting Specific Actions:
Another option is to restrict specific actions rather than all actions. For example, you could deny acti...
Author: StarryEagle42 · Last updated May 23, 2026
A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the file...
To meet the requirements of using Amazon CloudFront to speed up content delivery while ensuring that none of the files are publicly accessible from the S3 bucket directly, we need to ensure that CloudFront can access the files, but the S3 bucket itself does not allow direct public access. Let's break down each option to see which solution is most appropriate:
A) Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.
- Explanation: Configuring permissions on individual files would require manually specifying which files CloudFront can access and ensuring that others are denied. While this might seem like an approach to control access, managing permissions at the individual file level can become complex and error-prone, especially if there are many files.
- Reasoning: This method is cumbersome and inefficient for large-scale use because you’d have to manage access for each file individually. This doesn't provide a scalable or maintainable solution compared to other methods.
B) Create an origin access control (OAC). Associate the OAC with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAC can access the files in the S3 bucket.
- Explanation: An origin access control (OAC) is the recommended way to securely allow CloudFront to access content in S3 while ensuring the S3 bucket itself is not publicly accessible. This mechanism ensures that only CloudFront, not users directly accessing S3, can retrieve the content. You configure the S3 bucket to trust the OAC, which CloudFront uses to pull the content.
- Reasoning: This is the most appropriate solution because it is secure, scalable, and integrates with CloudFront's best practices for restricting access. The use of OAC prevents direct access to the files in the S3 bucket while allowing CloudFront to serve them to users.
- Use Case: This is the ideal solution for this scenario, as it directly meets the requirements of restricting access t...
Author: Elijah · Last updated May 23, 2026
A security engineer logs in to the AWS Lambda console with administrator permissions. The security engineer is trying to view logs in Amazon CloudWatch for a Lambda function that is named myFunction. When the security engineer chooses the option in the Lambda console to view logs in CloudWatch, an "error loading Log Streams" message ...
In this scenario, the security engineer is experiencing an issue when trying to view logs for a Lambda function in CloudWatch, which results in an "error loading Log Streams" message. This suggests that the Lambda function's execution role does not have sufficient permissions to interact with CloudWatch logs, specifically to access or retrieve log streams.
Let’s break down the options to understand how to correct the error.
IAM Permissions for Lambda Execution Role:
To view logs in CloudWatch, the Lambda function's execution role must have the necessary permissions to access CloudWatch Logs. These include:
- `logs:DescribeLogGroups`: Allows the Lambda function to describe log groups in CloudWatch.
- `logs:DescribeLogStreams`: Allows the Lambda function to list the log streams within a log group.
- `logs:GetLogEvents`: Allows the Lambda function to retrieve log events from a specific log stream.
- `logs:CreateLogGroup` and `logs:CreateLogStream`: Allow the creation of new log groups and log streams, respectively.
Now, let's evaluate the options based on the error encountered and what is likely missing from the IAM policy.
A) Move the logs:CreateLogGroup action to the second Allow statement.
- Explanation: The `logs:CreateLogGroup` permission allows the creation of log groups, but this action is not required to view logs in CloudWatch. The error likely stems from missing permissions to view existing logs or describe log streams. Moving this action to another Allow statement would not resolve the issue of viewing logs.
- Reasoning: The `logs:CreateLogGroup` permission isn't necessary for viewing existing logs, so this solution is not the right fix.
B) Add the logs:PutDestination action to the second Allow statement.
- Explanation: The `logs:PutDest...
Author: Aria · Last updated May 23, 2026
A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensitive data.
A security engineer must implemen...
To meet the requirement of preventing sensitive data objects from residing in the Amazon S3 bucket for longer than 72 hours, the solution needs to ensure that the objects are automatically removed after the specified time period. Let's evaluate each option:
A) Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.
- Explanation: Amazon Macie is a data security and privacy service that helps identify and protect sensitive data in AWS. However, Macie primarily focuses on discovering and classifying sensitive data, not on automating the deletion of objects based on their age. While Macie can help identify sensitive data, it doesn't automatically manage object expiration based on their age or enforce a retention policy like this.
- Reasoning: This option is not suitable for this scenario because Macie’s purpose is not to delete objects based on their age. It’s designed for data discovery and classification, not lifecycle management.
B) Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.
- Explanation: Amazon S3 Lifecycle policies allow automatic management of objects in a bucket based on age, transition, or expiration. You can create a lifecycle rule to automatically delete objects that have been in the S3 bucket for more than 72 hours. This is a built-in feature of S3 and is designed for exactly this type of use case.
- Reasoning: This solution directly meets the requirement. S3 Lifecycle rules are ideal for expiring objects after a specified time period, ensuring that sensitive data does not remain in the bucket longer than required.
- Use Case: This is the most efficient and cost-effective solution for managing object expiration in S3.
C) Create an Amazon EventBridge sch...
Author: Suresh · Last updated May 23, 2026
A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the ins...
To regain access to an Amazon EC2 instance that is EBS-backed and has lost its private key, we need to perform actions that allow the security engineer to access the instance's file system and modify its configurations (such as updating the `authorized_keys` file with a new public key). Here's the analysis of each option:
Option A: Stop the instance. Detach the root volume. Generate a new key pair.
- Explanation: This option involves stopping the instance, detaching the root volume, generating a new key pair, and likely using the new key to access the instance.
- Rejected Reason: Detaching the root volume would require you to use another instance to modify the authorized keys file, and generating a new key pair alone does not provide a clear method to regain access to the EC2 instance. The new key would not automatically work unless the `authorized_keys` file is updated. It leaves out necessary steps for modifying the instance's file system.
Option B: Keep the instance running. Detach the root volume. Generate a new key pair.
- Explanation: Keeping the instance running while detaching the root volume is risky, as it may cause the instance to become inaccessible without the root volume. Moreover, like Option A, generating a new key pair alone doesn't solve the problem unless the instance's `authorized_keys` file is updated with a new public key.
- Rejected Reason: Detaching the root volume while the instance is running will likely lead to a problem where the instance can no longer boot, as the root volume is essential for running the instance. This step can break the instance, and generating a new key pair does not resolve the access issue directly.
Option C: When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.
- Explanation: This option allows you to detach the root volume from the original instance and attach it to another EC2 instance as a data volume. You can then modify the `authorized_keys` f...
Author: Andrew · Last updated May 23, 2026
A company purchased a subscription to a third-party cloud security scanning solution that integrates with AWS Security Hub. A security engineer needs to implement a solution that will remediate the findings from ...
To automatically remediate findings from a third-party cloud security scanning solution integrated with AWS Security Hub, we need to use an automation approach that reacts to findings in Security Hub and performs actions to resolve them. Here's a breakdown of each option:
Option A: Set up an Amazon EventBridge rule that reacts to new Security Hub findings. Configure an AWS Lambda function as the target for the rule to remediate the findings.
- Explanation: This approach involves setting up an Amazon EventBridge rule to listen for Security Hub findings, and then using AWS Lambda to automatically remediate the findings.
- Selected Reason: This option is a valid solution because Amazon EventBridge allows you to react to specific findings in Security Hub, and AWS Lambda can be used to perform the remediation actions (e.g., patching, stopping malicious activities, changing configurations). EventBridge provides fine-grained control over event handling, making it an excellent choice for automated remediation.
Option B: Set up a custom action in Security Hub. Configure the custom action to call AWS Systems Manager Automation runbooks to remediate the findings.
- Explanation: This option sets up a custom action in Security Hub that can trigger AWS Systems Manager Automation runbooks, which are predefined workflows to automate operational tasks.
- Rejected Reason: While this option can trigger automated actions, the custom action approach requires manual intervention to activate the action. It is not fully automated, as you must initiate the custom action manually from within Secur...
Author: Oscar · Last updated May 23, 2026
An application is running on an Amazon EC2 instance that has an IAM role attached. The IAM role provides access to an AWS Key Management Service (AWS KMS) customer managed key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive data that is stored in the S3 bucket.
A security engineer discovers a potential vulnerability on the EC2 instance that could result in the compromise of the sensitive data. Due to other crit...
The goal is to prevent the sensitive data from being exposed on the EC2 instance due to a potential vulnerability while maintaining operational continuity for other critical tasks. We need to act quickly to ensure the security of the data without shutting down the instance.
Option A: Download the data from the existing S3 bucket to a new EC2 instance. Then delete the data from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to a new S3 bucket.
- Explanation: This option involves manually moving the data and re-encrypting it with a new client-based key.
- Rejected Reason: While effective, this is not the fastest option. It involves multiple steps: downloading data, re-encrypting, and uploading to a new bucket. Given the 2 TB of sensitive data, this could take a significant amount of time and is not a rapid response to the immediate security concern.
Option B: Block access to the public range of S3 endpoint IP addresses by using a host-based firewall. Ensure that internet-bound traffic from the affected EC2 instance is routed through the host-based firewall.
- Explanation: This option involves using a firewall to block outbound traffic from the EC2 instance, which would prevent access to the S3 bucket.
- Rejected Reason: This is not an optimal solution. It only addresses one aspect (public access), and it doesn't directly impact the security of the sensitive data stored in the S3 bucket or address the potential vulnerability on the EC2 instance itself. It does not prevent the EC2 instance from accessing the sensitive data if the attacker exploits the vulnerability.
Option C: Revoke the IAM role's active sessi...
Author: SolarFalcon11 · Last updated May 23, 2026
A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach whi...
The goal is to protect sensitive information in a way that minimizes management overhead while ensuring the security of the credentials through regular rotation. The options vary in terms of encryption methods, credential management, and the use of services such as AWS RDS, EC2, Secrets Manager, and Systems Manager. Let's break down the options:
Option A: Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
- Explanation: This option includes enabling RDS encryption, EBS encryption, and TLS. However, it suggests storing the database credential in the EC2 user data field, which is insecure and not recommended for sensitive data. The credential should not be stored in the user data field because it could be exposed to anyone with access to the EC2 instance metadata.
- Rejected Reason: Storing credentials in EC2 user data poses a security risk. Even though the Lambda function can rotate credentials, using the EC2 user data for storage contradicts best practices for credential management.
Option B: Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
- Explanation: This option uses EC2 for hosting the database and encrypts the EBS volume with third-party encryption, while storing credentials in AWS CloudHSM, which provides hardware-based security for secrets. However, managing database credentials and rotating them manually through CloudHSM requires significant overhead and is more complex compared to other AWS services designed specifically for this purpose.
- Rejected Reason: While CloudHSM provides secure key management, it’s more complex to manage, especially for credential rotation. CloudHSM is typically used for cryptographic operations rather than storing and rotating application credentials. Using a solution like AWS Secrets Manager is much simpler and integrates well with automatic credential rotation.
Option C: Enable Amazon RDS encryption to encrypt the datab...
Author: Henry · Last updated May 23, 2026
A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers.
A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address o...
To meet the security mandate for logging and querying DNS traffic to on-premises DNS servers, the solution must log DNS queries, including the source IP address and the requested DNS names, while providing a way to run queries on these logs.
Let's review each option:
Option A: Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
- Explanation: This option uses VPC Traffic Mirroring, which can capture network traffic, including DNS queries, and send it to CloudWatch Logs. CloudWatch Insights can then be used to query the logs.
- Rejected Reason: While VPC Traffic Mirroring can capture DNS traffic, it's generally more suitable for debugging or detailed network traffic analysis rather than specifically logging DNS queries. Also, this method does not directly provide a solution tailored for logging DNS queries at the DNS service level, which is the requirement here. It would involve more complexity and overhead than necessary for logging DNS queries to on-premises servers.
Option B: Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
- Explanation: VPC flow logs can capture information about the IP traffic in your VPCs, but they don't specifically capture DNS query details, such as the DNS names being requested. The flow logs capture metadata like source IP, destination IP, and traffic type but not the actual DNS queries.
- Rejected Reason: VPC flow logs do not capture the DNS query content or the specific DNS names being requested. This option would not meet the requirement to log the DNS name requested by Route 53 Resolver.
Option C: Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amaz...
Author: Vivaan · Last updated May 23, 2026
A security engineer is configuring attribute-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principals already have access to Amazon S3.
The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a pr...
Let's go through the options one by one, focusing on the key factors in the context of ABAC (Attribute-Based Access Control) and S3 bucket policies, and the specific scenario where the tag values do not match:
A) The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.
- Explanation: Identity-based policies are attached directly to the principal (user/role) and specify the actions that the principal can perform. If the identity-based policy has a statement that allows the `s3:PutObject` action with no conditions, this will grant access to the principal without considering any tags.
- Rejection: This option doesn't address the mismatch of tag values directly, but rather points to the fact that the principal might have an unrestricted permission to perform `PutObject` on the S3 bucket, regardless of the tag condition.
B) The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.
- Explanation: Identity-based policies can override resource-based policies if they explicitly allow the action. This could explain why the principal can still perform the `PutObject` action even though the bucket policy includes a condition related to tags.
- Rejection: While it's true that an explicit "Allow" in the identity-based policy can override a resource-based policy's restrictions, this is more likely the case if the identity-based policy allows the `PutObject` operation with no conditions or conflicts with the tag-based condition in the bucket policy.
C) The S3 bucket's resource policy does not deny access to put objects.
- Explanation: If the S3 bucket policy doesn’t include a `Deny` statement for the `PutObject` action with the tag conditio...
Author: ShadowWolf101 · Last updated May 23, 2026
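As an added example (not part of the question set or its discussion), this is the bucket policy shape the scenario describes. The first statement is the conditional Allow as configured; the second explicitly denies `s3:PutObject` when the object's Team tag differs from the caller's Team principal tag or is absent from the request; the third denies when the principal carries no Team tag at all (an unresolvable `${aws:PrincipalTag/Team}` variable does not match, so the second statement alone would not cover that case). The account ID 111122223333 and the bucket name DOC-EXAMPLE-BUCKET are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutWhenTeamTagsMatch",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"
        }
      }
    },
    {
      "Sid": "DenyPutWhenTeamTagsDiffer",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"
        }
      }
    },
    {
      "Sid": "DenyPutWhenPrincipalHasNoTeamTag",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {"aws:PrincipalTag/Team": "true"}
      }
    }
  ]
}
```

The two Deny statements are what change the outcome for a principal in the same account whose identity-based policy already allows `s3:PutObject` without conditions; a conditional Allow in the bucket policy on its own never takes access away. Object tags on a PutObject request are supplied in the `x-amz-tagging` header, which is what `s3:RequestObjectTag/Team` evaluates.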
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on t...
Let's review each option carefully, taking into account the scenario where the security engineer needs to deny access from a specific range of IP addresses that are originating port scans:
A) Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
- Explanation: The AWS WAF provides an IP set match rule that allows you to block traffic from specific IP addresses or IP address ranges. This would work perfectly in this case because the security team has already identified the offending IP addresses. Using an IP set rule in the AWS WAF will effectively block traffic from these IPs at the web application level.
- Why this is selected: This approach directly addresses the requirement to deny access from specific IPs. The WAF rule can be configured to specifically block the offending IP range, and since the Application Load Balancer is already associated with an AWS WAF web ACL, this solution integrates seamlessly into the existing infrastructure.
B) Add a rule to all security groups to deny the incoming requests from the IP address range.
- Explanation: Security groups in AWS are stateful and operate at the instance level. Security groups do not allow for an explicit Deny rule (only an Allow rule can be configured). Therefore, while you could modify security group rules to allow only specific IP addresses and implicitly block others, you cannot directly create a Deny rule for the identified IP range.
- Why this is rejected: Security groups are not designed to explicitly deny traffic. Additionally, modifying security groups on all instances might require significant changes across multiple applications and could lead to unintended disruptions.
C) Modify the AWS WAF web ACL with a ra...
Author: Leah · Last updated May 23, 2026
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The auditor is having trouble accessing ...
Let's go through each option step by step to determine the most likely causes for the auditor having trouble accessing some AWS accounts:
A) The external ID used by the auditor is missing or incorrect.
- Explanation: When using cross-account IAM roles, an external ID is often used as an added layer of security to prevent the "confused deputy" problem. The external ID is provided by the trusting (destination) account and must be used correctly by the auditor when assuming the role. If the external ID is missing or incorrect, the auditor won't be able to assume the role, resulting in access issues.
- Why this is selected: This is a common problem in cross-account IAM role scenarios. If the external ID is missing or incorrect, the auditor won't be able to successfully assume the role and access the resources in the target account.
B) The auditor is using the incorrect password.
- Explanation: The auditor is trying to assume a role using IAM, which doesn't typically involve password-based authentication. Role assumption is done using IAM policies and temporary security credentials, not by logging in with a username and password.
- Why this is rejected: This option is not relevant in the context of cross-account role assumption. The issue is not about passwords but about assuming a cross-account role using IAM policies.
C) The auditor has not been granted `sts:AssumeRole` for the role in the destination account.
- Explanation: In order for the auditor to assume a cross-account role, they must be explicitly granted the `sts:AssumeRole` permission for that role in the destination account. If the IAM policy associated with the auditor's role or user doesn't grant this permission, the auditor will not be able to assume the role.
- Why this is selected: This is a very likely cause for the access issues. If the auditor does not have the required permission (`sts:AssumeRole`), they will not be able to access the target account,...
Author: Aarav · Last updated May 23, 2026
A security engineer needs to configure an Amazon S3 bucket policy to restrict access to an S3 bucket that is named DOC-EXAMPLE-BUCKET. The policy must allow access to only DOC-EXAMPLE-BUCKET from only the following endpoint: vpce-1a2b3c4d. The policy must deny all access t...
Author: Kunal · Last updated May 23, 2026
A company has a group of Amazon EC2 instances in a single private subnet of a VPC with no internet gateway attached. A security engineer has installed the Amazon CloudWatch agent on all instances in that subnet to capture logs from a specific application. To ensure that the logs flow securely, the company's networking team has created VPC endpoints for CloudWatch monitoring and CloudWatch logs. The networking team has attached the endpoints to the VPC.
The application i...
To troubleshoot the issue of logs not appearing in CloudWatch despite the EC2 instances being in a private subnet with VPC endpoints for CloudWatch monitoring and CloudWatch logs, let's carefully evaluate each of the troubleshooting steps:
A) Ensure that the EC2 instance profile that is attached to the EC2 instances has permissions to create log streams and write logs.
- Explanation: The EC2 instance profile (IAM role) attached to the EC2 instances must have the necessary permissions to interact with CloudWatch logs, including the ability to create log streams and write log data. If the instance profile doesn't have these permissions, the CloudWatch agent won't be able to send logs to CloudWatch.
- Why this is selected: This is a critical permission check. If the EC2 instances can't interact with CloudWatch due to a missing permission, the logs won't be transmitted. This is the first thing to verify because proper IAM permissions are required to send logs to CloudWatch.
B) Create a metric filter on the logs so that they can be viewed in the AWS Management Console.
- Explanation: Metric filters are used to create CloudWatch metrics based on log data. While this is useful for creating metrics from logs, it does not directly address the issue of logs not appearing in CloudWatch. The logs must first be successfully sent to CloudWatch before they can be processed into metrics.
- Why this is rejected: This step is not relevant for the current issue, which is that logs are not appearing in CloudWatch in the first place. Metric filters come into play after the logs are successfully ingested by CloudWatch.
C) Check the CloudWatch agent configuration file on each EC2 instance to make sure that the CloudWatch agent is collecting the proper log files.
- Explanation: The CloudWatch agent must be correctly configured to collect the intended log files. If the configuration file is misconfigured or the wrong log files are being specified, the logs won't be collected and sent to CloudWatch.
- Why this is selected: If the CloudWatch agent is not correctly configured to capture the logs, the logs will not be sent to CloudWatch. This is a key troubleshooting step to ensure that the correct log files are being collected.
D) Check the VPC endpoint policies of both VPC endpoin...
Author: Carlos Garcia · Last updated May 23, 2026
A company uses AWS Signer with all of the company's AWS Lambda functions. A developer recently stopped working for the company. The company wants to ensure that all the code that the developer wrote can no ...
The goal here is to ensure that the code written by the developer can no longer be deployed to the Lambda functions. Let's analyze each option in detail:
A) Revoke all versions of the signing profile assigned to the developer
- Explanation: AWS Signer uses signing profiles to ensure the integrity and authenticity of Lambda functions. If the developer has access to a signing profile and the code is signed using that profile, revoking all versions associated with that profile would ensure that no further deployment of that code is possible, as the code would no longer pass the verification step in AWS Signer.
- Reasoning: Since the issue revolves around ensuring that the developer’s code can’t be deployed, revoking the signing profile versions associated with them directly addresses this. This effectively prevents the code from being redeployed if it's signed using that specific profile.
B) Examine the developer's IAM roles. Remove all permissions that grant access to Signer.
- Explanation: IAM roles grant permissions to interact with AWS services, including AWS Signer. By removing the developer's permissions to Signer, the developer would be unable to sign new Lambda function versions. However, this doesn’t address the code already signed by the developer that is already deployed.
- Reasoning: This is a step toward ensuring that the developer can no longer sign or deploy code in the future but does not impact the previously deployed Lambda functions signed by the developer. It on...
Author: CrystalWolfX · Last updated May 23, 2026
A company plans to use AWS Key Management Service (AWS KMS) to implement an encryption strategy to protect data at rest. The company requires client-side encryption for company projects. The company is currently conducting multiple projects to test the company's use of AWS KMS. These tests have led to a sudden increase in the company's AWS resource consumption. The test projects include applications that issue multiple requests each second to KMS endpoints for encryption activities.
The company needs t...
Let's analyze the options based on the requirements: preventing throttling, improving key usage for client-side encryption, and optimizing costs.
A) Use keyrings with the AWS Encryption SDK. Use each keyring individually or combine keyrings into a multi-keyring. Decrypt the data by using a keyring that has the primary key in the multi-keyring.
- Explanation: Keyrings in the AWS Encryption SDK allow for multiple encryption keys to be used to wrap or encrypt the data. Using a multi-keyring helps with flexibility, allowing different wrapping keys for the encryption process. However, it is primarily designed for the encryption part, not directly addressing the issue of throttling or caching to optimize client-side encryption performance.
- Reasoning: While keyrings are useful for managing multiple encryption keys, this option doesn’t directly address reducing the load on KMS endpoints or improve key usage in a way that optimizes performance under high request rates. It's more about flexibility in key management than resource optimization or caching to avoid throttling.
B) Use data key caching. Use the local cache that the AWS Encryption SDK provides with a caching cryptographic materials manager.
- Explanation: Data key caching allows the encryption SDK to cache the data encryption keys locally after they are fetched from KMS. This reduces the need to repeatedly call KMS for the same encryption key, which can significantly lower the number of KMS API requests and mitigate throttling. The cached keys can be reused for a period before refreshing, which is ideal for reducing both cost and the risk of hitting rate limits.
- Reasoning: This option directly addresses the problem of throttling by reducing the number of calls to KMS for the same data key, leading to better key usage, cost optimization, and avoidance of throttling due to frequent KMS requests.
...
Author: Zara · Last updated May 23, 2026
A security team is working on a solution that will use Amazon EventBridge to monitor new Amazon S3 objects. The solution will monitor for public access and for changes to any S3 bucket policy or setting that result in public access. The security team configures EventBridge to watch for specific API calls that are logged from AWS CloudTrail. EventBridge has an action to send an email notification through Amazon Simple Notification Service (Amazon SNS) to the security team immediately with details of the API call.
Specifically, the security team wants EventBridge to watch for the s3:PutObjectAcl, s3:DeleteBucketPolicy, and s3:PutBucketPolicy API invocation logs from CloudTrail. While developing the solution in a single account, the security team discovers that the s3:PutObjectAcl API call does not invoke an EventBridge event. However, the s3:DeleteBucketPolicy API call and the s3:PutBucketPolicy API call do invoke an event.
The security team has enabled CloudTra...
To solve the issue where the s3:PutObjectAcl API call is not invoking an EventBridge event, we need to address how CloudTrail is logging API events and how EventBridge is listening to those events. Let's review each option in detail:
A) Modify the EventBridge event pattern by selecting Amazon S3. Select All Events as the event type.
- Explanation: By selecting All Events as the event type, the EventBridge pattern would capture all S3-related events, including read, write, and ACL operations. This broad selection will include the s3:PutObjectAcl event.
- Reasoning: This option is effective because it allows EventBridge to capture a wider range of S3 events, including the s3:PutObjectAcl API call. However, this approach might generate false notifications for a variety of other S3 events that are not relevant to the security team’s monitoring needs. While it ensures the event is captured, it doesn't guarantee the level of granularity needed to avoid unwanted notifications.
B) Modify the EventBridge event pattern by selecting Amazon S3. Select Bucket Level Operations as the event type.
- Explanation: By selecting Bucket Level Operations, the event pattern would only capture events related to S3 bucket configurations, such as changes to bucket policies and permissions, not individual object-level changes (like the s3:PutObjectAcl event).
- Reasoning: This option is not suitable because s3:PutObjectAcl is an object-level operation (not a bucket-level operation), and therefore it will not be captured by the "Bucket Level Operations" event type. This option would work for the other API calls (s3:DeleteBucketPolicy and s3:PutBucketPolicy) but not for s3:PutObjectAcl.
C) Enable CloudTrail Insights to i...
Author: Zara · Last updated May 23, 2026
A company uses Amazon GuardDuty. The company's security team wants all High severity findings to automatically generate a ticket in a third-party ticketing system t...
Let's break down each option and see which one would best meet the requirement to automatically generate a ticket in the third-party ticketing system when High severity findings are detected by Amazon GuardDuty.
A) Create a verified identity for the third-party ticketing email system in Amazon Simple Email Service (Amazon SES). Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SES identity as the target for the EventBridge rule.
- Explanation: This option involves using Amazon SES (Simple Email Service) to send an email to the third-party ticketing system. EventBridge will capture the GuardDuty findings, and SES will send an email based on those findings.
- Reasoning: While this solution does meet the requirement of sending an email, using SES directly requires the email system to be pre-configured in SES, and it may introduce complexity when interacting with the third-party ticketing system. It also may not provide as flexible or as clean an integration as using SNS (which is designed for notification purposes). This method may require additional work on email formatting and integration with the ticketing system.
B) Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the third-party ticketing email system to the SNS topic. Create an Amazon EventBridge rule that includes an event pattern that matches High severity GuardDuty findings. Specify the SNS topic as the target for the EventBridge rule.
- Explanation: This option uses Amazon SNS, a service that is designed for sending notifications. The third-party ticketing system can be subscribed to the SNS topic, and an EventBridge rule will send the High severity findings to the SNS topic, which will then email the ticketing system.
- Reasoning: This is a clean and effective solution because SNS is specifically designed to handle notifications, including emails, and integrating it with EventBridge and GuardDuty is straightforward. It ensures that when GuardDuty generates a High severity finding, the notification is sent to the third-party system in the required format (email). This option is well-suited for the integration between AWS services and third-party systems.
C) Use the GuardDuty CreateFilter API operation to build a filter in GuardDuty to monitor for High severity findings. Export the results of the filter to an Amazon Simple Notif...
Author: Liam · Last updated May 23, 2026
A company is using AWS Organizations to implement a multi-account strategy. The company does not have on-premises infrastructure. All workloads run on AWS. The company currently has eight member accounts. The company anticipates that it will have no more than 20 AWS accounts total at any time.
The company issues a new security policy that contains the following requirements:
* No AWS account should use a VPC within the AWS account for workloads.
* The company should use a centrally managed VPC that all AWS accounts can access to launch workloads in subnets.
* No AWS account should be able to modify another AWS account's application resources within the centrally managed VPC.
* The centrally managed VPC should reside in an existing AWS acc...
Let's break down the requirements and options in order to find the most suitable solution for the company’s scenario.
Requirements Summary:
1. No AWS account should use a VPC within the AWS account for workloads: Workloads should not run directly in each AWS account’s VPC.
2. Centralized VPC management: The company should use a centrally managed VPC that all AWS accounts can access.
3. Account isolation for application resources: No AWS account should be able to modify another account’s resources in the centralized VPC.
4. Centrally managed VPC resides in Account-A: The centrally managed VPC should reside in Account-A.
Now let's evaluate each option:
A) Use a CloudFormation template in the member accounts to launch workloads. Configure the template to use the Fn::ImportValue function to obtain the subnet ID values.
- Explanation: This solution suggests using CloudFormation in member accounts to deploy workloads and retrieve subnet IDs from Account-A’s VPC using `Fn::ImportValue`.
- Reasoning: While using `Fn::ImportValue` can import outputs like subnet IDs from another account’s CloudFormation stack, this approach would still require that the CloudFormation templates in the member accounts be able to launch resources directly within the shared VPC. This doesn’t enforce the level of isolation needed between accounts for resource modification or prevent direct use of VPCs within the member accounts, making this approach insufficient.
B) Use a transit gateway in the VPC within Account-A. Configure the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads.
- Explanation: A Transit Gateway (TGW) allows multiple VPCs to communicate with each other through a central hub. This solution would involve setting up a transit gateway in Account-A and allowing member accounts to connect to it to access subnets for launching workloads.
- Reasoning: This solution enables centralized connectivity and meets the requirement of no workloads running directly in member account VPCs. However, it doesn’t fully ensure that member accounts cannot modify resources in the centralized VPC. The transit gateway enables communication but does not address resource isolation in terms of access control at the application level, which the security policy demands. Therefore, this option isn’t sufficient by itself for enforcing the required resource i...
Author: Ming88 · Last updated May 23, 2026
A company's security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications auto...
Let's break down each option to evaluate its suitability for this task based on simplicity, effort, scalability, and integration with AWS services.
Option A: AWS Config Managed Rule and EventBridge
- AWS Config provides an automated way to monitor configuration compliance of AWS resources, which fits the requirement to track the rotation of access keys.
- By using the access-keys-rotated managed rule and setting the maxAccessKeyAge parameter to 90 days, this option directly addresses the need to track when keys are rotated.
- EventBridge can then listen to non-compliant events and trigger an SNS notification to the security team.
- Key Benefits:
  - Minimal effort: The AWS Config rule is already built and just needs to be configured.
  - Automation: EventBridge automatically triggers actions based on AWS Config’s compliance state.
  - Scalability: AWS Config and EventBridge are fully managed, meaning they will scale automatically as your environment grows.
- Drawback: It requires AWS Config to be enabled, which may incur additional cost if not already set up.
Option B: Script with Trusted Advisor, Lambda, S3, and Athena
- AWS Trusted Advisor provides recommendations for best practices, including IAM access key rotation, but it is not specifically designed for continuous monitoring.
- The workflow involves exporting data, uploading it to S3, running Athena queries, and sending notifications via SNS.
- Key Drawbacks:
  - This is a complex and manual solution, requiring custom scripting, exporting data, and maintaining the pipeline.
  - Additional complexity: Managing Athena queries and S3 buckets introduces unnecessary overhead when a simpler, more integrated solution like AWS Config exists.
  - Not scalable: This solution requires manual intervention to ensure the script is regularly updated or maintained, which increases the risk of errors or missed rotations.
Option C: Script with IAM Credentials Report, Lambda, EventBridge, and SNS
- This approach involves generating the IAM credentials report, filtering it using a Lambda function, and sending an SNS notification if any access keys have...
Author: Andrew · Last updated May 23, 2026
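As an added example (not part of the question set or its discussion), here is Option A expressed as a CloudFormation template: the access-keys-rotated managed rule with maxAccessKeyAge set to 90, an SNS topic the security team subscribes to, and an EventBridge rule that forwards the rule's NON_COMPLIANT evaluations to that topic. It assumes the AWS Config recorder is already enabled in the account; the subscription address and rule name are placeholders chosen for this example.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: notify the security team when an IAM access key is 90 or more days old (assumes AWS Config is already recording)",
  "Resources": {
    "AccessKeysRotatedRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "access-keys-rotated-90-days",
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ACCESS_KEYS_ROTATED"
        },
        "InputParameters": {
          "maxAccessKeyAge": "90"
        },
        "MaximumExecutionFrequency": "TwentyFour_Hours"
      }
    },
    "SecurityTeamTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {"Protocol": "email", "Endpoint": "security-team@example.com"}
        ]
      }
    },
    "AllowEventBridgeToPublish": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [{"Ref": "SecurityTeamTopic"}],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {"Service": "events.amazonaws.com"},
              "Action": "sns:Publish",
              "Resource": {"Ref": "SecurityTeamTopic"}
            }
          ]
        }
      }
    },
    "NonCompliantAccessKeyRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Description": "Forward NON_COMPLIANT evaluations of the access-key rotation rule to SNS",
        "EventPattern": {
          "source": ["aws.config"],
          "detail-type": ["Config Rules Compliance Change"],
          "detail": {
            "configRuleName": ["access-keys-rotated-90-days"],
            "newEvaluationResult": {
              "complianceType": ["NON_COMPLIANT"]
            }
          }
        },
        "Targets": [
          {"Id": "SecurityTeamSns", "Arn": {"Ref": "SecurityTeamTopic"}}
        ]
      }
    }
  }
}
```

The compliance-change event carries the evaluated IAM user as `resourceId` in its `detail`, so the notification identifies whose key is overdue without any custom scripting.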
A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their AWS access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.
The company needs to assess the impact of the exposed...
Let's evaluate each option based on simplicity, relevancy, and required overhead to assess the impact of the exposed access key.
Option A: AWS Identity and Access Management (IAM) Use Report from AWS Trusted Advisor
- AWS Trusted Advisor provides recommendations and best practices but does not directly track the use of IAM access keys.
- While it can help identify security issues like unused access keys or weak permissions, it does not provide detailed information about the specific usage of an access key after it has been exposed.
- Key Drawback: The IAM use report from Trusted Advisor is not designed for tracking individual access key usage, so it would not be useful in this case.
Option B: Analyze Amazon CloudWatch Logs for Activity by Searching for the Access Key
- CloudWatch Logs capture application logs and AWS service logs. However, it does not directly track access key usage unless the application explicitly logs the access key in the logs.
- While CloudWatch could potentially be configured to log API calls or authentication events, it is not designed to monitor access key usage out of the box.
- Key Drawback: Using CloudWatch Logs would only be effective if the application or AWS services are set up to log such events, which is not always the case and would involve manual setup or additional logging configuration.
Option C: Analyze VPC Flow Logs for Activity by Searching for the Access Key
- VPC Flow Logs track traffic going to and from network interfaces in a VPC but...
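Whatever the option letters say, the record that actually carries the access key ID is the CloudTrail event: every management-event record names the key in userIdentity.accessKeyId. The following added example (not part of the author's post) triages a constructed CloudTrail log file for one key: which APIs were called after the exposure time, from which IPs and Regions, how many were refused, and which were write operations. The key IDs are AWS's documented placeholder values, the log records, the exposure time and the "known" IP are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone


def _record(time, source, name, region, ip, key_id, user, error=None):
    """Build one CloudTrail record in the shape the service writes (constructed data)."""
    rec = {
        "eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": region, "sourceIPAddress": ip, "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id, "userName": user},
    }
    if error:
        rec["errorCode"] = error   # present only when the call failed (e.g. AccessDenied)
    return rec


EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented example key ID, not a real credential
# Constructed contents of one CloudTrail log file (delivered to S3 as gzipped JSON).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _record("2025-03-01T09:00:00Z", "s3.amazonaws.com", "ListBuckets", "us-east-1", "203.0.113.10", EXPOSED_KEY, "engineer"),
    _record("2025-03-01T10:05:00Z", "iam.amazonaws.com", "CreateUser", "us-east-1", "198.51.100.7", EXPOSED_KEY, "engineer", "AccessDenied"),
    _record("2025-03-01T10:06:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", "198.51.100.7", EXPOSED_KEY, "engineer"),
    _record("2025-03-01T11:00:00Z", "ec2.amazonaws.com", "RunInstances", "us-west-2", "198.51.100.7", EXPOSED_KEY, "engineer"),
    _record("2025-03-01T11:30:00Z", "s3.amazonaws.com", "GetObject", "us-east-1", "203.0.113.10", "AKIAI44QH8DHBEXAMPLE", "other"),
]})
SAMPLE_EXPOSURE_TIME = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)   # when the commit went public (assumed)
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")


def key_activity(log_file_text, access_key_id, since=None):
    """Summarize every call made with one access key, optionally only from `since` onwards."""
    summary = {"calls": [], "source_ips": Counter(), "regions": set(), "errors": 0, "write_calls": []}
    for rec in json.loads(log_file_text)["Records"]:
        if rec.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        if since is not None and when < since:
            continue
        name = rec["eventName"]
        summary["calls"].append((rec["eventTime"], rec["eventSource"], name, rec["awsRegion"], rec["sourceIPAddress"]))
        summary["source_ips"][rec["sourceIPAddress"]] += 1
        summary["regions"].add(rec["awsRegion"])
        if "errorCode" in rec:
            summary["errors"] += 1
        if not name.startswith(READ_ONLY_PREFIXES):
            # A denied write is still an attempt worth reporting: it shows intent.
            summary["write_calls"].append((rec["eventTime"], name))
    return summary


def unexpected_source_ips(summary, known_ips):
    """IPs that used the key but are not the engineer's known egress addresses."""
    return {ip for ip in summary["source_ips"] if ip not in known_ips}


if __name__ == "__main__":
    s = key_activity(SAMPLE_LOG_FILE, EXPOSED_KEY, since=SAMPLE_EXPOSURE_TIME)
    print(f"{len(s['calls'])} calls, {s['errors']} refused, writes: {s['write_calls']}")
    print("new source IPs:", unexpected_source_ips(s, {"203.0.113.10"}))
```

Two caveats a practitioner should keep in mind: CloudTrail logs management events by default, so data-plane calls such as S3 GetObject only appear if data events were enabled for the trail, and log delivery is not instantaneous, so a review run minutes after the disable may still miss the last calls.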
Author: RadiantPhoenixX · Last updated May 23, 2026
A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure t...
Let's evaluate each option in terms of enforcement of the security requirement that DevOps team members should not be able to modify or disable the CloudTrail configuration, and analyze its suitability:
Option A: Create an IAM Policy that Prohibits Changes to the Specific CloudTrail Trail and Apply the Policy to the AWS Account Root User
- IAM policies applied to the root user are not recommended. The root user has broad administrative permissions and applying a policy to restrict root user actions is contradictory to the purpose of the root account, as root typically requires unfettered access for managing critical resources.
- Key Drawback: Applying policies to the root user is not a best practice because the root account should be used minimally and with caution. Furthermore, root user access cannot be easily restricted, which poses a security risk.
Option B: Create an S3 Bucket Policy in the Specified Destination Account for the CloudTrail Trail that Prohibits Configuration Changes from the AWS Account Root User in the Source Account
- The S3 bucket policy would help restrict access to the logs stored in the bucket, but it doesn’t prevent changes to the CloudTrail configuration itself (such as disabling the trail or changing settings).
- Key Drawback: This approach does not prevent changes to CloudTrail in the source account, such as modifying the configuration of CloudTrail itself. It only controls access to the logs in S3, which is a different level of control than needed to prevent CloudTrail modifications.
Option C: Create an SCP that Prohibits Changes to the Specific CloudTrail Trail and Apply the SCP to the Appropriate Organizational Unit or Account in Organizations
- Service Control Policies (SCPs) are a powerful tool in AWS Organizations that enable central management of permissions across multiple accounts. SCPs allow you to define and enforce permissions across the entire organization or specific organizational units (OUs).
- By creating an SCP...
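The following added example (not part of the author's post) shows what such an SCP looks like and checks, with a small evaluator, which requests it denies. The trail name org-audit-trail and the exempt SecurityAdmin role are assumptions; the evaluator models only the Deny effect and a StringNotLike condition on aws:PrincipalArn, which is enough to show the two properties that matter here: the deny hits every principal in the member account, the account's root user included, and the resource wildcard covers the same-named trail in every Region and every account the SCP is attached to.

```python
from fnmatch import fnmatchcase

# Assumed names for this example.
PROTECTED_TRAIL_PATTERN = "arn:aws:cloudtrail:*:*:trail/org-audit-trail"
SECURITY_ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/SecurityAdmin"

PROTECT_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAuditTrailChanges",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:PutInsightSelectors",
            ],
            "Resource": PROTECTED_TRAIL_PATTERN,
            # Carve-out so the central security team can still operate the trail.
            # Everyone else in the account, the root user included, is denied.
            "Condition": {"StringNotLike": {"aws:PrincipalArn": SECURITY_ADMIN_ROLE_PATTERN}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, principal_arn):
    """Evaluate the one operator this example models: StringNotLike on aws:PrincipalArn.

    Other operators are not modelled and are treated as satisfied (the deny applies).
    """
    if not condition:
        return True
    patterns = _as_list(condition.get("StringNotLike", {}).get("aws:PrincipalArn", []))
    if not patterns:
        return True
    return not any(fnmatchcase(principal_arn, p) for p in patterns)


def scp_denies(policy, action, resource_arn, principal_arn):
    """True if any Deny statement matches this action, resource and principal.

    Action names are case-insensitive in IAM; resource ARNs are matched case-sensitively.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_match = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_match = any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if action_match and resource_match and _condition_holds(stmt.get("Condition"), principal_arn):
            return True
    return False


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail"
    for who in ("arn:aws:iam::111122223333:root", "arn:aws:iam::111122223333:role/SecurityAdmin"):
        print(who, "denied" if scp_denies(PROTECT_TRAIL_SCP, "cloudtrail:StopLogging", trail, who) else "allowed")
```

Two caveats: an SCP never restricts the organization's management account, so the trail's bucket account should not be a member that needs protecting from itself, and an SCP only limits permissions, so the rest of the attached SCPs (typically the default FullAWSAccess) still have to allow the actions teams legitimately need. An organization trail created from the management account is the alternative: member accounts get read-only visibility of it and cannot change it at all.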
Author: Ethan · Last updated May 23, 2026
A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team. However, an audit revealed that an API key is stored with the source code of an AWS Lambda...
To securely store and manage the API key, the solution needs to comply with the company's policy of encrypting and storing the key separately from the source code, and in a centralized security account managed by the security team. Let's evaluate each option based on its security, simplicity, and alignment with the company's policy.
Option A: Create a CodeCommit Repository in the Security Account Using AWS KMS for Encryption. Require the Development Team to Migrate the Lambda Source Code to This Repository.
- Key Drawbacks:
- Inconvenient for DevOps workflow: This option would require the development team to move their Lambda code to a separate repository in the security account. It adds significant complexity to the development workflow.
- Inappropriate for API key storage: Storing the API key within a CodeCommit repository, even if encrypted, does not align with the goal of separating sensitive information from the source code. The key should be managed separately from the application code, ideally in a service that specializes in secret management.
- Why rejected: It violates the policy of keeping API keys separate from source code and introduces unnecessary overhead for the development team.
Option B: Store the API Key in an Amazon S3 Bucket in the Security Account Using Server-Side Encryption with Amazon S3 Managed Encryption Keys (SSE-S3) to Encrypt the Key. Create a Presigned URL for the S3 Key, and Specify the URL in a Lambda Environmental Variable in the AWS CloudFormation Template.
- Key Drawbacks:
- Insecure access method: Presigned URLs are typically used for temporary access to specific objects and might not be the best way to securely retrieve an API key in production. Additionally, the URL would expose the key, even if temporarily.
- Not ideal for secret management: Using S3 for storing API keys is not best practice. AWS offers services like Secrets Manager that are specifically designed for securely storing and managing secrets like API keys.
- Why rejected: S3 is not a dedicated solution for storing sensitive information like API keys, and using presigned URLs adds unnecessary complexity and security risks.
Option C: Create a Secret in AWS Secrets Manager in the Security Account to Store the API ...
Author: Aarav · Last updated May 23, 2026
A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There i...
Let's evaluate each option based on the error message "There is a problem with the bucket policy" when trying to update the log file prefix in CloudTrail.
Option A: Create a New Trail with the Updated Log File Prefix, and Then Delete the Original Trail. Update the Existing Bucket Policy in the Amazon S3 Console with the New Log File Prefix, and Then Update the Log File Prefix in the CloudTrail Console.
- Key Drawbacks:
- This option suggests creating a new trail and deleting the original one, which is inefficient and unnecessary. It introduces additional work and does not address the underlying issue, which likely lies with the existing bucket policy preventing the update of the log file prefix.
- Unnecessary complexity: Creating and deleting trails just to change the log file prefix is overcomplicating the task. There's no need to delete the original trail if the underlying issue with the bucket policy is addressed correctly.
- Why rejected: This is more of a workaround and does not solve the problem with the bucket policy itself.
Option B: Update the Existing Bucket Policy in the Amazon S3 Console to Allow the Security Engineer's Principal to Perform PutBucketPolicy, and Then Update the Log File Prefix in the CloudTrail Console.
- Key Drawbacks:
- PutBucketPolicy allows changes to the S3 bucket policy, but the issue here is not with modifying the bucket policy itself. The error indicates a problem with the existing permissions or configuration rather than a need to modify the bucket policy to allow putting a new policy.
- Unnecessary action: The problem seems to be with the permissions for CloudTrail to interact with the bucket, not with changing the policy itself. Giving permissions to modify the bucket policy could lead to more privileges than needed.
- Why rejected: The error likely arises from incorrect permissions between CloudTrail and the bucket, rather than a need to modify the bucket policy for putting a new policy.
Option C: Update the Existing Bucket Policy in t...
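CloudTrail validates the destination bucket policy when a trail is saved, and its write grant is scoped to a path that embeds the prefix (bucket/PREFIX/AWSLogs/ACCOUNT/*), so a policy written for the old prefix fails the check for the new one. The following added example (not part of the author's post) builds the two statements CloudTrail requires, reports why a policy would be rejected for a given prefix, and adds the new prefix to the write statement. Bucket name, account ID and both prefixes are constructed for the example.

```python
import copy
from fnmatch import fnmatchcase

BUCKET = "corp-cloudtrail-logs"            # assumed
ACCOUNT_ID = "111122223333"                # assumed
OLD_PREFIX, NEW_PREFIX = "trail-logs", "audit/trail-logs"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cloudtrail_bucket_policy(bucket, account_id, prefixes):
    """The two statements CloudTrail needs: an ACL check on the bucket and a scoped PutObject."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{bucket}/{p}/AWSLogs/{account_id}/*" for p in prefixes],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def example_object_arn(bucket, account_id, prefix):
    """A representative key CloudTrail would write under the prefix (date and Region vary per file)."""
    key = (f"{prefix}/AWSLogs/{account_id}/CloudTrail/us-east-1/2025/03/01/"
           f"{account_id}_CloudTrail_us-east-1_20250301T0000Z_abcdefgh.json.gz")
    return f"arn:aws:s3:::{bucket}/{key}"


def policy_problems(policy, bucket, account_id, prefix):
    """Reasons CloudTrail would reject this bucket policy for a trail using `prefix`."""
    problems = []
    acl_ok = write_ok = acl_condition_ok = False
    target = example_object_arn(bucket, account_id, prefix)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "s3:getbucketacl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
        if "s3:putobject" in actions and any(fnmatchcase(target, r) for r in resources):
            write_ok = True
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            acl_condition_ok = cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
    if not acl_ok:
        problems.append("missing s3:GetBucketAcl grant to cloudtrail.amazonaws.com on the bucket")
    if not write_ok:
        problems.append(f"no s3:PutObject grant covering {prefix}/AWSLogs/{account_id}/*")
    elif not acl_condition_ok:
        problems.append("PutObject grant lacks the bucket-owner-full-control ACL condition")
    return problems


def add_prefix(policy, bucket, account_id, prefix):
    """Copy of the policy whose write statement also covers `prefix`.

    The old entry is kept so the trail keeps delivering until it is switched over;
    remove it afterwards to keep the grant as narrow as possible.
    """
    updated = copy.deepcopy(policy)
    for stmt in updated["Statement"]:
        if stmt.get("Sid") == "AWSCloudTrailWrite":
            resources = _as_list(stmt["Resource"])
            resources.append(f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*")
            stmt["Resource"] = resources
    return updated


if __name__ == "__main__":
    current = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, [OLD_PREFIX])
    print("before:", policy_problems(current, BUCKET, ACCOUNT_ID, NEW_PREFIX))
    print("after: ", policy_problems(add_prefix(current, BUCKET, ACCOUNT_ID, NEW_PREFIX), BUCKET, ACCOUNT_ID, NEW_PREFIX))
```

The order matters: put the updated bucket policy in place first, then change the prefix on the trail; doing it the other way round produces exactly the error in the question.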
Author: Rohan · Last updated May 23, 2026
A company uses AWS Organizations. The company wants to implement short-term credentials for third-party AWS accounts to use to access accounts within the company's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts f...
To meet the requirements of providing short-term credentials to third-party AWS accounts while ensuring trust and minimal operational effort, let's evaluate each option based on the key factors of trust, operational effort, and scalability.
Option A: Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.
- Trust: This approach would rely on external authentication mechanisms like OAuth or SAML. However, the trust model in this case doesn't align directly with AWS accounts and roles.
- Operational Effort: Although Cognito and API Gateway are powerful, managing a central user pool and integrating it across services can lead to increased operational complexity, especially for managing temporary access credentials.
- Scalability: It’s a bit over-engineered for just providing access to the AWS Management Console and third-party SaaS applications.
Conclusion: This solution adds unnecessary complexity and operational overhead, so it’s not ideal.
Option B: Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identity source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account.
- Trust: IAM Identity Center provides a central identity management solution that integrates well with AWS accounts and external users. You can enforce identity federation (via SAML or other identity providers) to control who can access AWS resources.
- Operational Effort: Using IAM Identity Center simplifies access management for multiple AWS accounts, as permission sets are assigned centrally. It requires minimal operational effort to manage users and permissions.
- Scalability: IAM Identity Center supports managing external identities at scale, including integration with third-party SaaS applications, which fits well for the needs of this solution.
Conclusion: This option is well-suited for managing short-term credentials and external access, with minimal operational overhead.
Option C: Create a unique IAM role for each exter...
Author: StarryEagle42 · Last updated May 23, 2026
A company is evaluating its security posture. In the past, the company has observed issues with specific hosts and host header combinations that affected the company's business. The company has configured AWS WAF web ACLs as an initial step to mitigate these issues.
The company must create a log analysis solution for the AWS WAF web ACLs to monitor problematic activity. The company wants to process all the AWS WAF logs in a central location. The company must have the ability to filter out request...
To meet the company's requirements of processing AWS WAF logs efficiently and being able to filter out requests based on specific hosts, let's evaluate the options based on key factors such as operational efficiency, ease of use, and cost-effectiveness.
Option A: Specify Amazon Redshift as the destination for the access logs. Deploy the Amazon Athena Redshift connector. Use Athena to query the data from Amazon Redshift and to filter the logs by host.
- Operational Efficiency: This approach involves using Amazon Redshift to store logs, then utilizing Athena with the Redshift connector to query them. Setting up Redshift requires configuration of the database, and while Athena can query the data, the overhead of managing Redshift as a data warehouse for logs adds complexity and operational burden.
- Scalability and Cost: Redshift is a powerful database, but using it for log storage is unnecessary and may incur high costs, especially if logs are large or frequent. Redshift is better suited for analytics workloads rather than real-time log analysis.
- Complexity: Deploying and maintaining Amazon Redshift and the Athena Redshift connector introduces unnecessary complexity, especially when other more lightweight solutions (like CloudWatch or S3) are available for log processing.
Conclusion: This option is over-engineered and not optimal for log analysis from AWS WAF due to unnecessary complexity and higher costs.
Option B: Specify Amazon CloudWatch as the destination for the access logs. Use Amazon CloudWatch Logs Insights to design a query to filter the logs by host.
- Operational Efficiency: CloudWatch is a native AWS service and integrates well with AWS WAF. CloudWatch Logs Insights is a powerful query engine that allows you to easily filter and analyze logs based on specific conditions, such as the host.
- Scalability and Cost: This solution is cost-efficient as CloudWatch Logs is a managed service designed for log collection, and CloudWatch Logs Insights allows you to query logs directly. No need to manage external storage or complex connectors.
- Simplicity: Setting up CloudWatch as the destination and using Logs Insights for querying is straightforward. There is no need for additional infrastructure or external services, reducing complexity.
Conclusion: This option is the simplest, most efficient, and cost-effective choice. It directly...
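AWS WAF writes one JSON record per inspected request, and the Host header is not a top-level field: it sits in the httpRequest.headers array as a {name, value} pair, with the name possibly lowercased (HTTP/2 clients send lowercase header names) or absent. The following added example (not part of the author's post) filters constructed WAF log lines by host the same way a Logs Insights query would, then summarizes the matches by action, client IP and terminating rule. Web ACL and ALB identifiers, IPs and hosts are constructed.

```python
import json
from collections import Counter


def _waf_record(ts, action, client_ip, uri, headers, rule="Default_Action"):
    """One AWS WAF log record in the documented JSON layout (constructed data)."""
    return {
        "timestamp": ts, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-web/EXAMPLE",
        "terminatingRuleId": rule, "terminatingRuleType": "REGULAR", "action": action,
        "httpSourceName": "ALB", "httpSourceId": "111122223333-app/prod-alb/EXAMPLE",
        "httpRequest": {"clientIp": client_ip, "country": "US", "uri": uri, "args": "",
                        "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": f"req-{ts}",
                        "headers": [{"name": n, "value": v} for n, v in headers]},
    }


# Constructed log stream: one JSON record per line, as delivered to CloudWatch Logs.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in [
    _waf_record(1740830400000, "ALLOW", "198.51.100.20", "/", [("Host", "shop.example.com"), ("User-Agent", "Mozilla/5.0")]),
    _waf_record(1740830401000, "BLOCK", "203.0.113.5", "/admin", [("Host", "shop.example.com"), ("User-Agent", "curl/8.0")], "BlockAdminPath"),
    _waf_record(1740830402000, "BLOCK", "203.0.113.5", "/", [("Host", "admin.example.com")], "BlockUnknownHost"),
    _waf_record(1740830403000, "ALLOW", "198.51.100.21", "/cart", [("host", "shop.example.com")]),   # lowercase name (HTTP/2)
    _waf_record(1740830404000, "ALLOW", "198.51.100.22", "/", [("User-Agent", "scanner/1.0")]),     # no Host header at all
])

# CloudWatch Logs Insights equivalent of requests_for_host() + summarize()["by_action"]:
#   fields @timestamp, action, httpRequest.clientIp, httpRequest.uri, terminatingRuleId
#   | filter @message like /"name":"[Hh]ost","value":"shop\.example\.com"/
#   | stats count(*) by action


def host_header(record):
    """Host header value, compared case-insensitively by name; None if the request had none."""
    for h in record["httpRequest"]["headers"]:
        if h["name"].lower() == "host":
            return h["value"].lower()
    return None


def requests_for_host(log_text, host):
    host = host.lower()
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [r for r in records if host_header(r) == host]


def summarize(records):
    """The three breakdowns that make a host-specific problem visible at a glance."""
    return {
        "by_action": Counter(r["action"] for r in records),
        "by_client_ip": Counter(r["httpRequest"]["clientIp"] for r in records),
        "by_rule": Counter(r["terminatingRuleId"] for r in records),
    }


if __name__ == "__main__":
    matches = requests_for_host(SAMPLE_WAF_LOG, "shop.example.com")
    print(len(matches), "requests for shop.example.com:", summarize(matches))
```

Requests with no Host header at all are worth a separate query: they never match a host filter, and on the scenario's history of host-header abuse they are exactly the traffic a rule with a default-deny host condition should be catching.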
Author: Stella · Last updated May 23, 2026
A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: "AccessDenied: Access Denied status code: 403".
The security engineer must resolve the error b...
To resolve the "AccessDenied: Access Denied status code: 403" error and ensure that the EC2 Image Builder pipeline can run successfully with proper least privilege access, we need to address both the permissions for the EC2 instance and the permissions for the security engineer’s IAM role, specifically for accessing the S3 bucket.
Let’s evaluate the options:
Option A: Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
- Explanation: These policies are intended for an EC2 instance profile, not the security engineer’s IAM role. The EC2InstanceProfileForImageBuilder and related policies allow the EC2 instance to perform operations such as image building, interacting with ECR for container image builds, and using SSM (Systems Manager) for instance management.
- Reasoning: The security engineer’s IAM role typically manages the permissions for orchestrating the EC2 Image Builder pipeline but not for the instance's actions directly. Therefore, this option is not appropriate because it’s focusing on the instance role’s policies, not the engineer’s permissions.
Conclusion: This option is not correct.
Option B: Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.
- Explanation: These policies are for the EC2 instance, which is required for the instance to carry out specific tasks like building the image, interacting with Amazon ECR, and communicating with Systems Manager. This setup would allow the EC2 instance to perform the actions needed during the image building process.
- Reasoning: This is an important step, but it's not the only step needed to resolve the access issue because it doesn’t address the necessary permissions related to the S3 bucket where logs are stored.
Conclusion: This option is partially correct but needs additional steps to address the S3 access issue.
Option C: Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.
- Explanation: Th...
Author: Madison · Last updated May 23, 2026
A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure ...
To meet the requirement of automatically expiring the key material in 90 days, we need to carefully consider the available options in the context of AWS Key Management Service (KMS). Let’s evaluate each option based on the need for automatic key expiration and key management best practices.
Option A: A customer managed key that uses customer-provided key material
- Explanation: A customer managed key (CMK) with customer-provided key material allows the customer to bring their own encryption keys to AWS. However, this option does not inherently support automatic expiration of the key material. While the key material can be manually rotated or replaced, AWS KMS does not provide a native mechanism to automatically expire or delete the key material after a specific period like 90 days.
- Reasoning: This option requires manual intervention to delete or rotate the key material, making it unsuitable for the requirement of automatic expiration.
Conclusion: This option is not suitable because it lacks automatic expiration support.
Option B: A customer managed key that uses AWS-provided key material
- Explanation: A customer managed key (CMK) that uses AWS-provided key material allows AWS to manage the key material. This provides more convenience and security, as AWS handles key rotation and availability. However, AWS KMS does not offer automatic expiration of key material. Key rotation is done by AWS on a regular schedule, but expiration based on a fixed timeline (like 90 days) is not supported.
- Reasoning: While this option allows for automated key rotation, it does not support automatic expiration of the key material in the way that the scenario requires.
Conclusion: This option is not suitable because it does not allow for key expiration within a specific timeframe.
Option C: An AWS managed key
- Explanation: AWS managed keys are cr...
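For reference, AWS KMS records in each key's metadata whether its material was imported (Origin EXTERNAL) and, if so, whether and when it expires (ExpirationModel and ValidTo), and the ImportKeyMaterial call accepts those same two fields. The following added example (not part of the author's post) builds the import parameters for a 90-day expiry and audits constructed DescribeKey metadata against that requirement; key IDs, dates and the import token are placeholders.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_MATERIAL_AGE = timedelta(days=90)   # the expiry requirement in the question


def build_import_request(key_id, import_token, encrypted_key_material, now):
    """Parameters for kms:ImportKeyMaterial so the material is deleted by KMS 90 days from now."""
    return {
        "KeyId": key_id,
        "ImportToken": import_token,                        # from GetParametersForImport
        "EncryptedKeyMaterial": encrypted_key_material,     # key bytes wrapped with that call's public key
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": now + MAX_KEY_MATERIAL_AGE,
    }


# Constructed KeyMetadata records, in the fields DescribeKey returns.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "1111-imported-expiring", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "Origin": "EXTERNAL",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": datetime(2025, 3, 15, tzinfo=timezone.utc)},
    {"KeyId": "2222-imported-forever", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "Origin": "EXTERNAL",
     "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    {"KeyId": "3333-kms-generated", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "Origin": "AWS_KMS"},
    {"KeyId": "4444-aws-managed", "KeyManager": "AWS", "KeyState": "Enabled", "Origin": "AWS_KMS"},
    {"KeyId": "5555-imported-expired", "KeyManager": "CUSTOMER", "KeyState": "PendingImport", "Origin": "EXTERNAL",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": datetime(2024, 12, 1, tzinfo=timezone.utc)},
]


def audit_key(meta, now):
    """Return (key_id, status, reason); status is ok, expired, no-expiry or not-applicable."""
    kid = meta["KeyId"]
    if meta.get("KeyManager") == "AWS":
        return kid, "not-applicable", "AWS managed key: material is generated by AWS and cannot be imported or expired"
    if meta.get("Origin") != "EXTERNAL":
        return kid, "no-expiry", f"origin {meta.get('Origin')}: KMS-generated material can rotate but never expires"
    if meta.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES":
        return kid, "no-expiry", "imported material was imported without an expiration date"
    remaining = meta["ValidTo"] - now
    if remaining <= timedelta(0):
        return kid, "expired", f"imported material expired on {meta['ValidTo'].date()}; key state is {meta['KeyState']}"
    return kid, "ok", f"imported material expires in {remaining.days} days"


def audit_keys(keys, now):
    return [audit_key(k, now) for k in keys]


if __name__ == "__main__":
    for kid, status, reason in audit_keys(SAMPLE_KEYS, SAMPLE_NOW):
        print(f"{kid:24} {status:15} {reason}")
```

The operational caveat is visible in the fifth sample key: when imported material expires, KMS deletes it and the key drops to PendingImport, so EBS volumes encrypted under that key cannot be attached or read until the same material is re-imported. An expiry-driven design therefore needs a re-import (or re-encryption onto a new key) scheduled before ValidTo, not just an alert after it.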
Author: CrystalWolfX · Last updated May 23, 2026
A security engineer is building a Java application that is running on Amazon EC2. The application communicates with an Amazon RDS instance and authenticates with a user name and password.
Which combination of steps can the engineer ...
To protect the database credentials and minimize downtime when they are rotated, let's evaluate the options based on key principles such as security, automation, and minimizing operational overhead.
Option A: Have a database administrator encrypt the credentials and store the ciphertext in Amazon S3. Grant permission to the instance role associated with the EC2 instance to read the object and decrypt the ciphertext.
- Explanation: Storing credentials in Amazon S3 encrypted by a database administrator could work, but it introduces additional complexity, such as manual encryption and decryption steps. The credentials would need to be manually updated and rotated, which can increase the operational overhead.
- Security Considerations: Storing credentials in S3 and relying on the EC2 instance to decrypt them could potentially expose the credentials to unauthorized access if not properly configured. Additionally, it doesn't integrate well with automated credential rotation.
- Operational Efficiency: This solution is not automated and requires the database administrator to handle encryption and rotation manually. This leads to higher operational overhead and potential human errors.
Conclusion: This option is not ideal due to manual management, increased operational complexity, and lack of automated credential rotation.
Option B: Configure a scheduled job that updates the credential in AWS Systems Manager Parameter Store and notifies the engineer that the application needs to be restarted.
- Explanation: This option involves creating a scheduled job to update the credentials in Systems Manager Parameter Store. However, it requires the application to be restarted every time the credentials are updated.
- Operational Efficiency: The need to restart the application adds downtime, which is against the goal of minimizing downtime. This method also involves more manual intervention (notification to the engineer and restarting the application).
- Security Considerations: While storing credentials in Parameter Store can be secure, the need for manual updates and restarts reduces the efficiency of this solution.
Conclusion: This option is not optimal due to the manual intervention required and the added downtime for the application restart.
Option C: Configure automatic rotation of credentials in AWS Secrets Manager.
- Explanation: AWS Secrets Manager allows for automatic credential rotation, which helps ensure that credentials are regularly rotated without manual intervention. This option is fully integrated with AWS services and supports built-in automation for credential management.
- Security Considerations: Secrets Manager is designed to securely store and manage secrets, including automatic encryption and rotation of credentials. It provides better security than manual management, as it automatically handles the lifecycle of credentials.
- Operational Efficiency: This solution minimizes operational overhe...
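Rotation only avoids downtime if the application can survive the moment its cached password stops working. The following added example (not part of the author's post) shows the pattern in Python rather than the question's Java: cache the secret, and on an authentication failure refetch it once and reconnect instead of restarting. Secrets Manager and the database are simulated in the block so it runs offline; the secret name, host and credentials are constructed.

```python
import json


class AuthenticationError(Exception):
    """Raised by the (simulated) database driver when credentials are rejected."""


class SecretCache:
    """Caches one Secrets Manager secret; refreshed only when the database rejects it."""

    def __init__(self, client, secret_id):
        self._client, self._secret_id, self._value = client, secret_id, None

    def get(self, force_refresh=False):
        if self._value is None or force_refresh:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            # RDS secrets are JSON with username, password, engine, host, port, dbname.
            self._value = json.loads(resp["SecretString"])
        return self._value


def connect_with_rotation_retry(cache, connect):
    """Open a session; if the cached password was rotated away, refetch once and retry.

    Rotation changes the password in the database and in Secrets Manager, so an application
    holding the old value sees exactly one authentication failure, then recovers in place.
    """
    try:
        return connect(cache.get())
    except AuthenticationError:
        return connect(cache.get(force_refresh=True))


# --- Simulated Secrets Manager and database so the example runs offline (constructed). ---
class SimulatedSecretsManager:
    def __init__(self, secret):
        self.secret, self.calls = dict(secret), 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.secret)}


class SimulatedDatabase:
    def __init__(self, user, password):
        self.user, self.password, self.sessions = user, password, 0

    def connect(self, creds):
        if (creds["username"], creds["password"]) != (self.user, self.password):
            raise AuthenticationError(f"Access denied for user '{creds['username']}'")
        self.sessions += 1
        return {"session": self.sessions, "user": creds["username"]}


def rotate(secrets, db, new_password):
    """What a single-user rotation does: set the new password in the DB, then publish it as current."""
    db.password = new_password
    secrets.secret["password"] = new_password


def run_scenario():
    """Connect, rotate behind the application's back, connect again without a restart."""
    secrets = SimulatedSecretsManager({"username": "app", "password": "p1", "engine": "mysql",
                                       "host": "db.example.internal", "port": 3306, "dbname": "orders"})
    db = SimulatedDatabase("app", "p1")
    cache = SecretCache(secrets, "prod/orders/db")
    first = connect_with_rotation_retry(cache, db.connect)
    rotate(secrets, db, "p2")
    second = connect_with_rotation_retry(cache, db.connect)
    return {"secret_fetches": secrets.calls, "sessions": (first["session"], second["session"])}


if __name__ == "__main__":
    print(run_scenario())
```

For the Java application in the question this logic does not have to be hand-written: the AWS Secrets Manager JDBC library wraps the JDBC driver and performs the same refetch-and-retry on authentication failure, and the caching client library keeps the secret out of the per-call API path.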