Amazon Practice Questions, Discussions & Exam Topics by our Authors
A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload.
The company...
To meet the requirements of providing a break glass user access to an isolated AWS workload account while logging the activities, let's evaluate each option carefully based on the key factors involved:
Key Factors:
1. Access Control: The break glass user must be able to access the workload in the event of SAML errors. This implies that the break glass user must have appropriate permissions.
2. Logging Activities: The actions of the break glass user must be logged for security and audit purposes.
3. Automating Notifications: Security teams need to be notified in case of activities involving the break glass user.
---
Evaluation of Options:
A) Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
- Access Control: A local IAM user can be created specifically for break glass purposes, allowing access to the AWS account in case of SAML errors.
- Logging Activities: Using CloudTrail with CloudWatch Logs enabled will log all activities performed by the break glass user, which is necessary for auditing.
- Notifications: Amazon EventBridge can be used to monitor the activities of the break glass user and trigger notifications to the security team.
- Conclusion: This option meets the requirements, as it provides a method for controlled access, logging, and sending notifications to the security team.
B) Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
- Access Control: This option provides EC2 key pair access to the break glass user, which isn't ideal for AWS account-level user access management. EC2 key pairs are typically used for instance-level SSH access and don't provide the same level of IAM-based access control as an IAM user or role.
- Logging Activities: CloudTrail can track API calls but will not monitor SSH activity on instances, which limits the scope of logging for this solution.
- Notifications: SNS notifications can be configured but are limited in the context of logging IAM activities compared to using CloudTrail with EventBridge.
- Conclusion: This option is rejected because EC2 key pairs are not ideal for managing user access at the account level and don't provide sufficient logging for this use case.
C) Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail tra...
Author: Evelyn · Last updated May 23, 2026
A security engineer is working with a product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combi...
To allow users to authenticate into the web application and call APIs, the security engineer must ensure that user identities from the SAML identity provider are mapped correctly to the application’s resources in AWS. The engineer should also ensure secure access control to the resources such as DynamoDB and API Gateway, leveraging AWS services like Amazon Cognito.
Key Factors to Consider:
1. Authentication: The users are already in a directory that is exposed through a SAML identity provider, meaning the solution needs to integrate with the existing identity provider.
2. Authorization: The engineer needs to allow authenticated users to access API Gateway and DynamoDB securely.
3. Efficient Integration: The integration should involve using managed services like Cognito to handle user authentication and authorization, avoiding complex custom solutions unless necessary.
---
Evaluation of Options:
A) Create a custom authorization service using AWS Lambda.
- Reasoning: This option suggests building a custom authorization solution, which is more complex and may require additional maintenance. While AWS Lambda is powerful and can provide flexible solutions, using it to create a custom authorization system might not be the most efficient approach when there are managed services like Cognito available.
- Conclusion: This option is rejected because it adds complexity and doesn’t fully leverage AWS managed services for authentication and authorization.
B) Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
- Reasoning: This is a valid solution, as Cognito can act as a broker between the SAML identity provider and other AWS services. By configuring the SAML identity provider in Amazon Cognito, the engineer can map SAML attributes to Cognito user pool attributes. This allows users to authenticate via SAML and have their identity recognized in Cognito, which integrates easily with other AWS services.
- Conclusion: This option is selected because it provides a seamless integration between SAML authentication and AWS resources using Cognito.
C) Configure the SAML identity provider to add the Amazon Cognito user pool as a relying par...
Author: Samuel · Last updated May 23, 2026
A company needs to improve its ability to identify and prevent IAM policies that grant public access or cross-account access to resources. The company has implemented AWS Organizations and has started using AWS Identity and Access Management Access Analyzer to refine overly broad access to accounts in the organization.
A security engineer must automate a response in the company's organization for any newly created policies that are overly permissive. T...
To address the requirements of automating a response to newly created IAM policies that grant overly permissive access (public or cross-account access), the security engineer needs a solution that ensures quick detection, remediation, and notification of such policies. Let’s evaluate the proposed options and their relevance to the scenario.
Key Factors:
1. Automated Detection and Remediation: The process should identify policies that grant overly broad access and take action to remediate them automatically (e.g., blocking external access).
2. Notification: The security team must be notified of the actions taken to remediate the policy.
3. Integration with IAM Access Analyzer: The solution should integrate with AWS IAM Access Analyzer, which identifies findings related to public or cross-account access.
---
Evaluation of Options:
A) Create an AWS Step Functions state machine that checks the resource type in the finding and adds an explicit Deny statement in the trust policy for the IAM role. Configure the state machine to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.
- Reasoning: This option uses AWS Step Functions to automate the remediation by adding an explicit "Deny" statement in the trust policy of the affected IAM role. Additionally, the state machine can send notifications via SNS, keeping the security team informed.
- Conclusion: This is a valid option as it integrates the automation of remediation with IAM Access Analyzer findings, applying the "Deny" rule, and notifying the team via SNS.
B) Create an AWS Batch job that forwards any resource type findings to an AWS Lambda function. Configure the Lambda function to add an explicit Deny statement in the trust policy for the IAM role. Configure the AWS Batch job to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic.
- Reasoning: This option suggests using AWS Batch to forward findings to Lambda for remediation. While AWS Batch could be used, it is not an ideal choice for this scenario because it is typically used for large-scale batch processing rather than event-driven responses. Lambda can be directly triggered by EventBridge for real-time processing, which is more suitable.
- Conclusion: This option is rejected because using AWS Batch is unnecessary in this context, and it adds unnecessary complexity when simpler solutions like Step Functions or EventBridge can directly address the requirement.
C) In Amazon EventBridge, create an event rule that matches active IAM Access Analyzer findings and invokes AWS Step Functions for resolution.
- Reasoning: This option directly integrates EventBridge with IAM Access Analyzer findings. EventBridge can trigger Step Functions to handle the ...
Author: Vivaan · Last updated May 23, 2026
A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail ...
Key Requirements:
- Detect failed sign-ins: The solution must identify failed sign-in attempts to the AWS Management Console.
- Track failed attempts: It must specifically track three or more failed sign-in attempts within a 5-minute period.
- Alerting: The solution must send an alert when this condition is met.
Evaluation of Options:
A) In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching "Failed authentication". Configure a threshold of 3 and a period of 5 minutes.
- Reasoning: CloudTrail Insights events help identify unusual activity in your AWS environment. However, CloudTrail Insights are used for detecting anomalous behavior, such as unusually high activity, rather than for tracking specific event patterns like failed logins. While this can work for detecting irregular patterns, it may not be as effective for specifically counting failed sign-in attempts for alerting, as Insights doesn't offer fine-grained control over specific event conditions like matching failed login attempts.
- Conclusion: This option is not ideal because CloudTrail Insights is more focused on anomalies and won't provide the fine-grained control needed to track specific failed sign-ins based on event patterns.
B) Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching "Failed authentication". Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
- Reasoning: This solution uses CloudTrail events sent to CloudWatch Logs, which allows for detailed filtering of specific events, such as `ConsoleLogin` with an error message indicating "Failed authentication". You can then create a metric filter based on this pattern and set a CloudWatch alarm to trigger when the count of such events reaches 3 within a 5-minute window. This directly meets the requirement to track failed login attempts and generate alerts.
- Conclusion: This is the best option because it uses CloudTrail to capture login attempts and CloudWatch to monitor and create alerts based on failed login even...
Author: Rohan · Last updated May 23, 2026
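The detection logic behind option B, as an added example that is not part of the discussion above: constructed CloudTrail ConsoleLogin records are run through a Python equivalent of the metric filter pattern, then bucketed into 5-minute periods and compared against the threshold of 3, which is how the CloudWatch alarm would evaluate the metric.

```python
"""Added example (not from the original discussion): replays constructed CloudTrail
ConsoleLogin records through the equivalent of the CloudWatch Logs metric filter
from option B and evaluates the alarm rule (3 matches in a 5-minute period)."""
import json
from collections import Counter
from datetime import datetime, timezone

# The metric filter pattern from option B, in CloudWatch Logs JSON-selector syntax.
METRIC_FILTER_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'
)


def matches_filter(record: dict) -> bool:
    """Python equivalent of the metric filter: both selectors must match exactly.
    Successful logins carry no errorMessage and therefore never match."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def period_start(ts: datetime, period_seconds: int) -> datetime:
    """Align a timestamp to the start of its fixed-length evaluation period,
    approximating how a CloudWatch alarm buckets metric data points."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % period_seconds, tz=timezone.utc)


def failed_login_periods(records, period_seconds=300, threshold=3):
    """Count filter matches per period and return the (period_start, count)
    pairs that would put the alarm into ALARM state (count >= threshold)."""
    counts = Counter()
    for rec in records:
        if matches_filter(rec):
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            counts[period_start(ts, period_seconds)] += 1
    return sorted((start, n) for start, n in counts.items() if n >= threshold)


# Constructed sample records: the shape follows CloudTrail ConsoleLogin events,
# but every value (times, user names) is made up for this example.
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventTime":"2026-05-23T10:00:05Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"userName":"alice"}}
{"eventTime":"2026-05-23T10:01:10Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"userName":"alice"}}
{"eventTime":"2026-05-23T10:02:30Z","eventName":"ConsoleLogin","responseElements":{"ConsoleLogin":"Success"},"userIdentity":{"userName":"bob"}}
{"eventTime":"2026-05-23T10:03:45Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"userName":"alice"}}
{"eventTime":"2026-05-23T10:07:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"userName":"carol"}}
{"eventTime":"2026-05-23T10:20:00Z","eventName":"GetCallerIdentity","errorMessage":"Failed authentication"}
""".strip().splitlines()]

if __name__ == "__main__":
    # Only the 10:00-10:05 period reaches three failures; 10:05-10:10 has one.
    for start, count in failed_login_periods(SAMPLE_RECORDS):
        print(f"ALARM: {count} failed console sign-ins in period starting {start:%H:%M}Z")
```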
A company's security engineer is developing an incident response plan to detect suspicious activity in an AWS account for VPC hosted resources. The security engineer needs to provide visibility for as many AWS Regions as possibl...
Key Requirements:
- Detect suspicious activity: The incident response plan should identify and provide visibility into suspicious activity in AWS accounts, particularly for VPC-hosted resources.
- Visibility across AWS Regions: The solution should offer visibility into as many AWS Regions as possible.
- Cost-effectiveness: The approach should be cost-efficient while fulfilling the requirements.
Evaluation of Options:
A) Turn on VPC Flow Logs for all VPCs in the account.
- Reasoning: VPC Flow Logs capture network traffic information for resources in the VPC, which is useful for detecting suspicious activity such as unusual traffic patterns or unauthorized access. By enabling VPC Flow Logs for all VPCs, the security engineer can monitor traffic across the account in multiple regions. However, enabling VPC Flow Logs for all VPCs can generate large amounts of data, which can become costly. Nonetheless, this is a highly valuable step for gaining visibility into network traffic.
- Conclusion: This is a good option for providing visibility into network activity in all regions, though the associated cost of storing and analyzing the logs should be carefully considered.
B) Activate Amazon GuardDuty across all AWS Regions.
- Reasoning: Amazon GuardDuty is a threat detection service that continuously monitors for suspicious activity across AWS accounts. By activating GuardDuty in all regions, the security engineer can detect anomalies and suspicious activities, including unauthorized API calls, unusual network traffic, and potential compromises. GuardDuty is region-specific, but enabling it across all regions ensures visibility across the entire AWS environment. It provides a highly effective way to monitor and respond to suspicious activity and does so with relatively low operational overhead.
- Conclusion: This is a highly efficient and cost-effective solution for detecting suspicious activity across regions. It doesn't require manual monitoring and scales automatically with AWS workloads.
C) Activate Amazon Detective across all AWS Regions.
- Reasoning: Amazon Detective helps analyze, investigate, and visualize suspicious activities detected by GuardDuty. While it is useful for in-depth investigation, it doesn't help in the initial detection of suspicious activi...
Author: Sofia2021 · Last updated May 23, 2026
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution...
To secure the images and limit their distribution to only allowed countries, the company can use a combination of CloudFront and S3 configurations. Let's analyze the options provided:
A) Update the S3 bucket policy to restrict access to a CloudFront origin access control (OAC).
- Reasoning: This option helps to ensure that only CloudFront (and not direct users) can access the S3 bucket, improving security by not allowing direct access to the bucket from unauthorized sources.
- Why it's not fully relevant for restricting countries: While this option helps prevent direct access to the S3 bucket, it does not restrict access based on geography. It focuses on controlling access by ensuring requests only go through CloudFront.
B) Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
- Reasoning: Route 53 geolocation routing can direct traffic based on the geographic location of users, but it's not designed for denying or restricting access to specific countries for static content served by CloudFront.
- Why it’s not a good fit: This is more relevant to routing requests to different services rather than restricting access to content. It does not control content delivery or provide an easy mechanism for enforcing deny lists based on countries.
C) Add a CloudFront geo restriction deny list of countries where the company lacks a license.
- Reason...
Author: Lina Zhang · Last updated May 23, 2026
A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors.
A security engineer verified that the associated security groups and network ACLs are allowing the re...
To troubleshoot why the vendors cannot connect to the application, we need to consider the security mechanisms in place, including security groups, network ACLs, and traffic routing.
Let’s review the options:
A) Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.
- Reasoning: Security groups are stateful, meaning if an inbound connection is allowed, the corresponding outbound traffic is automatically allowed. The security group should not require the outbound rules to be explicitly modified to mirror the inbound rules for basic internet access.
- Why it’s rejected: Security groups do not need to have the same outbound rules as inbound rules. If the inbound traffic is allowed and the return traffic is part of the same session, it will be allowed by default. Hence, this does not directly solve the issue with vendor access.
B) Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
- Reasoning: Network ACLs are stateless, and they control both inbound and outbound traffic separately. Ephemeral ports (ports typically used for response traffic) are often dynamically assigned in the range of 1024–65535. If the network ACL does not allow these outbound ephemeral ports, the response to the vendors' requests will be blocked.
- Why it’s selected: This is a good solution because if the network ACL does not allow outbound traffic on the ephemeral port...
Author: NebulaEagle11 · Last updated May 23, 2026
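A small model of stateless network ACL evaluation, added here as an example and not taken from the discussion above, showing why the vendor's response traffic is dropped until outbound ephemeral ports are allowed (option B). The rule numbers, CIDRs and the vendor address 203.0.113.10 are constructed for the example.

```python
"""Added example (not the discussion's own code): a minimal model of stateless
network ACL evaluation, used to show why return traffic to a vendor is dropped
unless the ACL allows outbound traffic to ephemeral ports (option B)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int          # rules are evaluated lowest number first; first match wins
    direction: str       # "inbound" or "outbound"
    protocol: str        # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str       # source for inbound packets, destination for outbound
    port: int            # destination port of the packet


def evaluate_nacl(rules, packet: Packet) -> str:
    """Return 'allow' or 'deny'. Network ACLs are stateless: every packet,
    including return traffic, is checked independently against the rules
    for its own direction. No match falls through to the implicit deny."""
    candidates = sorted((r for r in rules if r.direction == packet.direction),
                        key=lambda r: r.number)
    for rule in candidates:
        proto_ok = rule.protocol in ("all", packet.protocol)
        port_ok = rule.port_from <= packet.port <= rule.port_to
        cidr_ok = ip_address(packet.remote_ip) in ip_network(rule.cidr)
        if proto_ok and port_ok and cidr_ok:
            return rule.action
    return "deny"  # the '*' rule at the end of every network ACL


def vendor_session_allowed(rules, vendor_ip="203.0.113.10",
                           app_port=443, client_port=51234):
    """A vendor connection only works if BOTH halves pass: the request inbound
    to the application port, and the response outbound to the ephemeral source
    port the vendor's client picked (modelled here as 51234)."""
    request = Packet("inbound", "tcp", vendor_ip, app_port)
    response = Packet("outbound", "tcp", vendor_ip, client_port)
    return (evaluate_nacl(rules, request) == "allow"
            and evaluate_nacl(rules, response) == "allow")


# Constructed ACL for the new CIDR range: the request port is open, but the
# outbound rule only permits traffic whose destination port is 443, so the
# response to the vendor's ephemeral port matches nothing and is denied.
BROKEN_NACL = [
    NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# The same ACL with the fix from option B: allow outbound traffic to the
# ephemeral port range so responses can leave the subnet.
FIXED_NACL = BROKEN_NACL + [
    NaclRule(110, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    print("broken ACL, vendor session works:", vendor_session_allowed(BROKEN_NACL))
    print("fixed ACL, vendor session works:", vendor_session_allowed(FIXED_NACL))
```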
A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates.
After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the depl...
To prevent the deployment of any infrastructure that violates a security policy, such as unencrypted Amazon EBS volumes, the company needs a solution that provides policy enforcement before resources are created or modified. Let’s evaluate the options based on the goal of enforcing security policies as part of the infrastructure deployment process.
A) Turn on AWS Trusted Advisor. Configure security notifications as webhooks in the preferences section of the CI/CD pipeline.
- Reasoning: AWS Trusted Advisor provides recommendations for optimizing AWS resources, including security best practices. However, it only works after the resources are deployed and can only suggest improvements.
- Why it’s rejected: Trusted Advisor is a post-deployment tool and doesn't prevent the creation of non-compliant resources. It also doesn't integrate well directly into a CI/CD pipeline for proactive policy enforcement before resource creation.
B) Turn on AWS Config. Use the prebuilt rules or customized rules. Subscribe the CI/CD pipeline to an Amazon Simple Notification Service (Amazon SNS) topic that receives notifications from AWS Config.
- Reasoning: AWS Config tracks configuration changes and compliance with rules. It can notify about non-compliance, but it is also a post-deployment tool. While it provides notifications, it doesn't prevent resources from being deployed that violate policies.
- Why it’s rejected: AWS Config monitors resources and alerts when they are non-compliant but does not stop non-compliant resources from being deployed in the first place. This doesn’t provide the pr...
Author: SilverBear · Last updated May 23, 2026
A company is running an Amazon RDS for MySQL DB instance in a VPC. The VPC must not send or receive network traffic through the internet.
A security engineer wants to use AWS Secrets Manager to rotate the DB instance credentials automatically. Because of a security policy, the security engineer cannot use the standard AWS Lambda function that Secrets Manager provides to rotate the credentials.
The security engineer deploys a custom Lambda function in the VPC. The custom Lambda function will be responsible for rotating the secret in Secrets Manager. The security engineer edits the DB instan...
In this case, the security engineer is facing an issue where the custom Lambda function, deployed in the VPC, cannot communicate with AWS Secrets Manager due to networking constraints. Let's evaluate the possible solutions.
A) Add an egress-only internet gateway to the VPC. Allow only the Lambda function's subnet to route traffic through the egress-only internet gateway.
- Reasoning: An egress-only internet gateway allows IPv6 traffic to flow from the VPC to the internet, but it does not work for IPv4 traffic. Since AWS Secrets Manager endpoints are typically accessed over IPv4, this would not solve the issue.
- Why it’s rejected: This solution does not address the need for access to AWS Secrets Manager via IPv4, and the egress-only internet gateway is not appropriate in this context.
B) Add a NAT gateway to the VPC. Configure only the Lambda function's subnet with a default route through the NAT gateway.
- Reasoning: A NAT gateway allows instances in a private subnet to initiate outbound connections to the internet (including AWS service endpoints) while preventing inbound internet traffic. This is useful for situations where you need to access services like Secrets Manager but cannot directly access the internet.
- Why it’s rejected: Although the NAT gateway would allow outbound communication, it introduces unnecessary complexity and potential security concerns (routing traffic through the internet). The goal is to avoid sending tr...
Author: Ming · Last updated May 23, 2026
The security engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the internet.
What steps should th...
To check for known vulnerabilities and limit the attack surface of the application, the security engineer needs to take steps that enhance security, reduce exposure, and identify vulnerabilities. Let's evaluate the options:
A) Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
- Reasoning: AWS Certificate Manager (ACM) can be used to provision and manage SSL/TLS certificates, which is important for encrypting traffic between clients and servers. However, while this is a good security practice for ensuring data encryption, it does not directly check for vulnerabilities or reduce the attack surface.
- Why it’s rejected: While encryption is important for protecting data in transit, it doesn’t help identify vulnerabilities or limit the attack surface on its own. It only addresses confidentiality and integrity, not the broader issue of vulnerability management.
B) Review the application security groups to ensure that only the necessary ports are open.
- Reasoning: Reviewing and updating security groups to ensure that only necessary ports are open is an essential step in reducing the attack surface. By limiting which ports are open, you prevent unnecessary exposure to malicious actors, which can mitigate attacks such as port scanning or exploiting open ports.
- Why it’s selected: This option directly limits the attack surface by ensuring only necessary communication channels are open. Properly configured security groups are an effective method to control access to EC2 instances and can reduce the overall risk of exposure to known vulnerabilities.
C) Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
- Reasoning: Elastic Load Balanci...
Author: Akash · Last updated May 23, 2026
A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. The company also must ensure that only specific IAM roles and specific AWS acco...
Key Factors for Selection:
1. Security (Vulnerability Scanning): The company needs to ensure that container images are free from severe vulnerabilities. This means the solution must include automatic scanning and the ability to detect vulnerabilities in the container images.
2. Access Control: The solution must enforce tight control over which IAM roles and AWS accounts can access the images, ensuring proper security and limited access to authorized principals.
3. Management Overhead: The company wants the solution with the least management overhead, meaning it should minimize manual interventions and avoid managing additional infrastructure components like EC2 instances or self-hosted tools.
4. Centralization and Scalability: The solution should ideally support a centralized approach for managing images, allowing for easy scaling to multiple AWS accounts.
Evaluating the Options:
Option A: Pull images from the public container registry. Publish to Amazon ECR repositories with scan-on-push configured. Use a CI/CD pipeline.
- Vulnerability Scanning: Amazon ECR offers built-in image scanning for vulnerabilities when using scan on push. This ensures container images are scanned automatically as they are pushed to the registry.
- Access Control: IAM policies can be used to restrict which IAM principals have access to the images. Additionally, ECR provides repository policies for more granular control, but this is handled separately.
- Management Overhead: This solution is highly automated. With the scan on push feature and managed CI/CD pipeline deployment, there is minimal manual management.
- Scalability: The solution scales well across multiple accounts as ECR supports cross-account access configurations.
- Recommendation: Least overhead since Amazon ECR manages the scanning, and IAM policies and repository policies handle access control. The CI/CD pipeline automates the deployment to multiple accounts.
Option B: Pull images from the public registry. Publish to a private EC2-hosted container registry. Host-based container scanning tools. Basic authentication.
- Vulnerability Scanning: This solution requires the deployment and maintenance of host-based container scanning tools. This introduces significant overhead in managing, updating, and maintaining these scanning tools.
- Access Control: Basic authentication over HTTPS is less secure than using AWS-managed IAM roles and policies. Managing this authentication method also adds complexity.
- Management Overhead: High management overhead due to the need for manually managing EC2 instances, container scanning tools, and securing authenticat...
Author: Amelia · Last updated May 23, 2026
A company's data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.
On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company's data retention policy...
Key Factors for Selection:
1. Data Retention Policy: The policy requires that data older than 45 days must be removed from the S3 bucket. This means we need an automatic mechanism to enforce this deletion without manual intervention.
2. Security and Compliance: The data contains sensitive information, so it’s important to ensure that the deletion process is automated, reliable, and compliant with company policies.
3. Management Overhead: The solution should minimize the operational overhead. The simpler and more automated the solution, the better.
4. Cost and Efficiency: Since training takes an average of 30 days, and retention is for up to 45 days, a mechanism should be set up that does not incur unnecessary cost or complexity.
Evaluating the Options:
Option A: Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
- S3 Lifecycle Rules: Amazon S3 provides an automatic and managed way to enforce retention policies through Lifecycle rules. These rules can be configured to delete objects older than 45 days, meeting the data retention requirement.
- Management Overhead: This is the simplest solution with minimal management overhead, as S3 Lifecycle rules are automatically applied, and no additional infrastructure or Lambda functions are needed.
- Scalability and Reliability: Lifecycle policies are designed to work at scale and are fully managed by AWS, making this a scalable and reliable solution for ensuring compliance with the data retention policy.
- Recommendation: Best option, as it directly addresses the need to delete objects older than 45 days with minimal setup and operational overhead.
Option B: Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.
- Lambda Function with S3 Event Notification: While a Lambda function could be used to check and delete objects older than 45 days, triggering this function on every `PutObject` operation would result in unnecessary overhead. Every time an object is added to the S3 bucket, Lambda would be invoked, which is not efficient for the task at hand.
- Management Overhead: This option introduces significant complexity by re...
Author: Manish · Last updated May 23, 2026
A security engineer is troubleshooting an AWS Lambda function that is named MyLambdaFunction. The function is encountering an error when the function attempts to read the objects in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The S3 bucket has the following bucket policy:
...
Key Factors for Selection:
- Lambda Permissions: The Lambda function needs permission to access the S3 bucket objects. The bucket policy must explicitly allow the Lambda function to perform the necessary actions (like reading objects).
- Principal: The Principal in the bucket policy should specify who is allowed to perform actions on the bucket. If it's Lambda, the IAM role or service associated with Lambda needs to be specified as the Principal.
- Action: The Action element specifies what operations are allowed. To read objects in an S3 bucket, the action should be `s3:GetObject`.
- Resource: The Resource should refer to the specific S3 objects or the entire bucket, depending on the requirement.
Evaluating the Options:
Option A: Remove the Condition element. Change the Principal element to the following:
- Explanation: This option suggests removing the `Condition` element and changing the `Principal` to a new value, which is not provided in the prompt.
- Why Rejected: Without specific changes to the Principal and Condition, this option is unclear and incomplete. The `Principal` must match the IAM role or AWS service that is invoking the Lambda function (in this case, the Lambda function's IAM role or `AWS:Lambda`). Additionally, just removing the Condition may not address the underlying issue unless it’s the Condition causing the failure.
Option B: Change the Action element to the following:
- Explanation: The action in the S3 bucket policy should allow Lambda to read the objects, which means the action must be `s3:GetObject`. This option doesn’t provide a concrete change and lacks detail about the Action value.
- Why Rejected: This option lacks specificity and would be incomplete unless the action is explicitly defined as `s3:GetObject` for reading objects. Without a concrete action specified, it's not...
Author: Emily · Last updated May 23, 2026
An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer ...
Key Factors for Selection:
- Permissions to access objects in S3: The IAM user must have the necessary permissions both for the S3 actions (e.g., `s3:ListBucket` on the bucket and `s3:GetObject` on the objects) and for decrypting the objects, which needs `kms:Decrypt` on the KMS key that encrypted them.
- Encryption with SSE-KMS: If the S3 bucket is using SSE-KMS for encryption, the IAM user must be authorized to decrypt the objects using the associated customer-managed KMS key.
- KMS Key Policy: The key policy is the primary access control for a KMS key. In the key's own account, an IAM policy that grants `kms:Decrypt` is effective only if the key policy delegates to IAM policies, normally through the statement that allows the account root principal (`arn:aws:iam::<account-id>:root`) to use the key; an explicit Deny in the key policy also overrides any IAM allow. A key policy that lacks that delegation, or that denies the user, is the usual reason an apparently correct IAM policy still produces Access Denied.
- Bucket Policy: The S3 bucket has no bucket policy defined, so this is not likely to be the issue unless explicitly mentioned.
Evaluating the Options:
Option A: The IAM policy needs to allow the kms:DescribeKey permission.
- Explanation: The `kms:DescribeKey` permission is used to describe the key itself (e.g., to view its metadata), but it is not required for decrypting data. To decrypt data, the required permission is `kms:Decrypt`, which the IAM policy already allows. The IAM user already has the appropriate permission for decryption, so this is not the cause of the issue.
- Why Rejected: The `kms:DescribeKey` permission is unnecessary for decrypting objects in the S3 bucket. The issue is more likely to be with the KMS key policy or S3 permissions.
Option B: The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
- Explanation: The problem states that the S3 bucket is using server-side encryption with a customer-managed key (SSE-KMS), and there is no indication in the prompt that it has been changed to use the AWS managed key (`aws/s3`).
- Why Rejected: If the S3 bucket were using the AWS-managed KMS key, the IAM user would still need appropriate permissions on ...
Author: Benjamin · Last updated May 23, 2026
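The interaction between the key policy and the IAM policy is the part of this question that is easy to get wrong, so here is a small model of it. This is an added example, not code from the page: the account ID, ARNs and sample policies are constructed, and the evaluator only covers the `AWS` principal form and action/resource wildcards. The rule it encodes is documented KMS behaviour: an IAM identity policy works against a key only when the key policy delegates to IAM (an Allow for the account root principal), and an explicit Deny in either policy wins.

```python
"""Model of how AWS KMS authorizes kms:Decrypt for an IAM user in the key's
own account.  Added example; account ID, ARNs and policies are constructed."""
import fnmatch

ACCOUNT = "111122223333"                      # constructed account ID
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/DataAnalyst"   # the user seeing Access Denied


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))


def _aws_principals(stmt):
    principal = stmt["Principal"]
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def key_policy_decision(key_policy, principal_arn, action):
    """Return 'Deny', 'Allow', 'DelegatedToIAM' or 'NoMatch' for one principal."""
    delegated = allowed = False
    for stmt in key_policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        principals = _aws_principals(stmt)
        direct = principal_arn in principals or "*" in principals
        if stmt["Effect"] == "Deny" and direct:
            return "Deny"
        if stmt["Effect"] == "Allow":
            if direct:
                allowed = True
            elif ROOT_ARN in principals:      # the "Enable IAM User Permissions" statement
                delegated = True
    if allowed:
        return "Allow"
    return "DelegatedToIAM" if delegated else "NoMatch"


def identity_policy_decision(identity_policy, action, resource):
    """'Deny', 'Allow' or 'Implicit' for the user's IAM policy."""
    result = "Implicit"
    for stmt in identity_policy["Statement"]:
        if _action_matches(stmt, action) and any(
            fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])
        ):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def can_decrypt(key_policy, identity_policy, principal_arn=USER_ARN):
    """Combine both policies the way KMS does for a same-account principal."""
    key = key_policy_decision(key_policy, principal_arn, "kms:Decrypt")
    iam = identity_policy_decision(identity_policy, "kms:Decrypt", KEY_ARN)
    if key == "Deny" or iam == "Deny":
        return False
    if key == "Allow":                        # key policy names the user directly
        return True
    return key == "DelegatedToIAM" and iam == "Allow"


# Constructed sample policies.
KEY_POLICY_DELEGATING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
]}
KEY_POLICY_ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [   # no delegation to IAM
    {"Sid": "Key admins only", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
     "Action": "kms:*", "Resource": "*"},
]}
IAM_POLICY_DECRYPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]}
IAM_POLICY_DESCRIBE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:DescribeKey", "Resource": KEY_ARN},
]}

if __name__ == "__main__":
    print(can_decrypt(KEY_POLICY_DELEGATING, IAM_POLICY_DECRYPT))      # True
    print(can_decrypt(KEY_POLICY_ADMIN_ONLY, IAM_POLICY_DECRYPT))      # False: key policy never delegates
    print(can_decrypt(KEY_POLICY_DELEGATING, IAM_POLICY_DESCRIBE_ONLY))  # False: DescribeKey is not Decrypt
```

The second case is the one that matches the question: the user's IAM policy is correct, the bucket has no bucket policy, and access still fails because the key policy never hands control to IAM. For a principal in another account the model would be stricter still, since the key policy then has to name that principal or its account explicitly.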
A company has a guideline that mandates the encryption of all Amazon S3 bucket data in transit. A security engineer must implement an S3 bucket policy that denies any S3 operations i...
Key Factors for Selection:
- Encryption in Transit: The company mandates encryption of all Amazon S3 data in transit. For S3, this means that the operations (such as `s3:GetObject` and `s3:PutObject`) must be performed over HTTPS (which is inherently encrypted in transit).
- S3 Bucket Policy: To enforce this requirement, the S3 bucket policy should explicitly deny any operations that are attempted over HTTP (non-encrypted).
- Policy Syntax: The policy should use conditions to check if the request is using HTTPS. The condition key to check for HTTPS is `aws:SecureTransport`.
Evaluating the Options:
Option A: A policy that denies all operations unless the request is made using HTTPS.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
```
- Explanation: This policy explicitly denies every S3 action (`s3:*`) on objects in the bucket when the request did not use TLS (`aws:SecureTransport` is `false`). Because the Resource is `arn:aws:s3:::DOC-EXAMPLE-BUCKET/*`, the deny covers object operations; to also refuse unencrypted bucket-level calls such as `s3:ListBucket`, list the bucket ARN `arn:aws:s3:::DOC-EXAMPLE-BUCKET` as a second Resource. The statement only denies; principals still need an Allow from an IAM or bucket policy to use the bucket at all.
- Why Selected: This policy correctly enforces the encryption in transit requirement by denying access if the request is not made using HTTPS. It directly meets the company's guideline.
Option B: A policy that denies all operations unless the request is made using SSL.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition": {
"StringNotEquals": {
"aws:RequestSource": "ssl"
}
}
}
]
}
```
- Explanation: This policy attempts to enforce TLS, but `aws:RequestSource` is not an IAM global condition key; the key that reports whether a request used TLS is the Bool key `aws:SecureTransport`. A condition on a key that never appears in the request context does not evaluate the way the author intended, so this policy will not enforce encryption in transit.
- Why Rejected: This policy is inco...
Author: Lucas · Last updated May 23, 2026
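To see what the Option A statement actually denies, the following evaluates it against a few request contexts. This is an added example, not code from the page: the evaluator, the request contexts and the second policy (which adds the bucket ARN as a Resource) are constructed here. It follows IAM semantics for this case: wildcards in Action and Resource, and a Bool condition that only matches when the key is present in the request context with the stated value.

```python
"""Evaluates an aws:SecureTransport Deny statement against sample S3
request contexts.  Added example; evaluator and requests are constructed."""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the Bool operator is needed for aws:SecureTransport.  A key that is
    absent from the request context makes a Bool condition false."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def explicitly_denied(policy, action, resource, context):
    """True when any Deny statement in the policy matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Option A as shown above: the deny is scoped to objects only.
OPTION_A = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*", "Resource": f"{BUCKET_ARN}/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}]}

# Constructed variant that also covers bucket-level operations.
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*",
    "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}]}

HTTPS = {"aws:SecureTransport": "true"}     # request context of a TLS request
HTTP = {"aws:SecureTransport": "false"}     # request context of a plain-HTTP request
OBJECT = f"{BUCKET_ARN}/reports/q1.csv"     # constructed object key


def evaluate(policy):
    """Map a few constructed requests to whether the Deny fires."""
    return {
        "GetObject over HTTPS": explicitly_denied(policy, "s3:GetObject", OBJECT, HTTPS),
        "GetObject over HTTP": explicitly_denied(policy, "s3:GetObject", OBJECT, HTTP),
        "ListBucket over HTTP": explicitly_denied(policy, "s3:ListBucket", BUCKET_ARN, HTTP),
    }


if __name__ == "__main__":
    for name, policy in (("Option A", OPTION_A), ("bucket + objects", BUCKET_AND_OBJECTS)):
        print(name, evaluate(policy))
```

The third request is the gap to check for: `s3:ListBucket` is authorized against the bucket ARN, not an object ARN, so a Resource of `DOC-EXAMPLE-BUCKET/*` never matches it and an unencrypted listing slips through. Listing both ARNs closes that gap.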
A security engineer wants to use Amazon Simple Notification Service (Amazon SNS) to send email alerts to a company's security team for Amazon GuardDuty findings that have a High severity level. The security engineer also wants to deliver these ...
To address the requirements of sending email alerts for high-severity Amazon GuardDuty findings and delivering these findings to a visualization tool for further analysis, let's evaluate each option based on the following criteria:
1. Integration with GuardDuty: GuardDuty publishes each finding as an event to Amazon EventBridge, which is the supported way to route findings to other services. GuardDuty does not write findings to CloudTrail; CloudTrail records the API calls made to GuardDuty, not its findings. In this case, GuardDuty findings need to reach both a notification mechanism (SNS for email alerts) and a data visualization tool (e.g., OpenSearch or QuickSight).
2. Event Filtering (High Severity): The security engineer specifically wants to send only High severity findings. Therefore, the solution must support filtering and event pattern matching to ensure that only High severity events are triggered for email alerts.
3. Visualization Tool: The selected solution should allow for a visualization tool (e.g., OpenSearch Dashboards or QuickSight) to analyze the GuardDuty findings.
4. Stream Processing: The solution must be capable of streaming the GuardDuty findings to a destination like OpenSearch for further analysis, using Kinesis Data Streams or Kinesis Data Firehose.
---
Evaluating Each Option:
- Option A:
- GuardDuty to CloudWatch: GuardDuty can send findings to CloudWatch, but CloudWatch is not typically used for storing or visualizing large datasets (such as findings from GuardDuty) over long periods. It's more suited for monitoring metrics and setting alarms.
- SNS for Email Alerts: The SNS setup for email alerts is valid here.
- Kinesis Data Streams to OpenSearch: While feasible, Kinesis Data Streams is more commonly used for high-throughput, real-time streaming scenarios. In this case, it's not optimal because the flow of GuardDuty findings could be handled more easily by Firehose, which is better suited for streaming data directly into OpenSearch for storage and analysis.
- QuickSight: QuickSight is a good choice for visualization, but OpenSearch Dashboards would typically be a more natural choice since the data is already in OpenSearch.
- Option B:
- GuardDuty to CloudTrail: GuardDuty findings are not generally sent to CloudTrail; CloudTrail records API calls. This makes this option unsuitable as CloudTrail is not meant for processing GuardDuty findings.
- SNS for Em...
Author: Ahmed97 · Last updated May 23, 2026
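The filtering step above is an EventBridge event pattern. The following is an added example, not code from the page: a small EventBridge-style matcher applied to constructed GuardDuty finding events, to show which findings the High-severity pattern selects. The pattern uses EventBridge numeric matching; GuardDuty labels severity 7.0 to 8.9 as High, so a finding at 9.0 or above (Critical) is deliberately not matched by this pattern. The sample events are constructed and carry only the fields the pattern needs.

```python
"""EventBridge-style pattern matching for GuardDuty High-severity findings.
Added example; the matcher and the sample events are constructed."""

HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7, "<", 9]}]},
}

_NUMERIC_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_matches(value, spec):
    """spec is EventBridge's flat form, e.g. [">=", 7, "<", 9]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _leaf_matches(value, alternatives):
    """A leaf pattern is a list; any alternative matching is enough."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "numeric" in alt and _numeric_matches(value, alt["numeric"]):
                return True
        elif value == alt:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must be present in the event and match."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not _leaf_matches(event[key], spec):
            return False
    return True


def finding(finding_id, severity, finding_type):
    """Constructed minimal GuardDuty finding as EventBridge would carry it."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"id": finding_id, "severity": severity, "type": finding_type},
    }


SAMPLE_EVENTS = [
    finding("f-low", 2.0, "Recon:EC2/PortProbeUnprotectedPort"),
    finding("f-medium", 5.0, "UnauthorizedAccess:IAMUser/MaliciousIPCaller"),
    finding("f-high", 8.0, "Backdoor:EC2/C&CActivity.B!DNS"),
    finding("f-high-edge", 8.9, "CryptoCurrency:EC2/BitcoinTool.B!DNS"),
    finding("f-critical", 9.5, "Execution:Runtime/ReverseShell"),
    # A non-GuardDuty event with a high severity must not match the source filter.
    {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
     "detail": {"id": "sh-1", "severity": 8.0}},
]


def select_for_alert(events, pattern=HIGH_SEVERITY_PATTERN):
    """IDs of the events that would be delivered to the SNS target."""
    return [e["detail"]["id"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(select_for_alert(SAMPLE_EVENTS))   # ['f-high', 'f-high-edge']
```

If the team also wants Critical findings in the email channel, drop the upper bound (`[">=", 7]`); the visualization path does not need the filter at all, since the rule that feeds the stream can match every `GuardDuty Finding` event.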
A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must ensure that objects cannot be overw...
To implement a write-once-read-many (WORM) model for data stored in Amazon S3 that prevents overwriting or deletion of objects, the security engineer needs to select the correct solution for locking the data in place. Let's evaluate each option based on the requirements:
Key Requirements:
- Prevent objects from being overwritten or deleted.
- The solution should work for the S3 Standard storage class.
- Prevent deletion or modification by all users, including the root user.
---
Option A: Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.
- S3 Object Lock in compliance mode is designed to prevent deletion or modification of objects for a specified retention period, even by the root user.
- Compliance Mode ensures that objects cannot be overwritten or deleted until the retention period expires, offering a true WORM model.
- This option meets the requirements because it guarantees that objects cannot be altered or deleted, even by the AWS root user.
Conclusion: This is the correct solution, as it locks objects in place and ensures compliance with a WORM model.
---
Option B: Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.
- S3 Glacier Vault Lock is a feature of S3 Glacier vaults (the standalone Glacier service with its own vault API), not of S3 buckets, so it cannot be attached to an S3 bucket or applied to objects in the S3 Standard storage class.
- Glacier Vault Lock does provide WORM protection, but only for archives stored in a Glacier vault.
Conclusion: This option is not valid because Vault Lock applies to Glacier vaults, not to S3 buckets or the S3 Standard storage class.
---
Option C: Create new S3 buckets with S3 Object Lock enabled in governance mode. P...
Author: Jack · Last updated May 23, 2026
A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an...
To meet the requirement of complete encryption of traffic between external users and the application hosted on Amazon EC2 instances behind an Application Load Balancer (ALB), the security engineer needs to ensure that traffic between users and the ALB is encrypted (SSL/TLS) and that traffic between the ALB and the EC2 instances is encrypted as well; "complete" encryption covers both hops, not only the public-facing one.
Key Requirements:
- Encryption of Traffic: The traffic from external users to the application must be encrypted.
- ALB and EC2 Instances: The ALB should handle encryption for traffic coming from external users, and the EC2 instances should be secured as well.
- Proper Certificate Management: The solution must handle the necessary SSL/TLS certificates for encryption.
---
Evaluating Each Option:
- Option A: Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.
- AWS Secrets Manager is not typically used for storing SSL/TLS certificates. It's primarily used for storing and managing secrets like API keys or database credentials.
- This option is not optimal because Secrets Manager is not the right service for managing SSL/TLS certificates and does not directly integrate with the ALB for secure certificate management.
Conclusion: This option is not suitable.
- Option B: Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
- AWS Certificate Manager (ACM) is the correct service for managing SSL/TLS certificates.
- Associating the certificate with the ALB will ensure that traffic from external users to the ALB is encrypted (SSL/TLS).
- However, the requirement is complete encryption, so the hop from the ALB to the instances must also use TLS; the instances therefore need a certificate and an HTTPS listener of their own, and the ALB target group must use the HTTPS protocol. The ALB does not validate the certificate presented by a target, so the instances do not need the same Amazon-issued certificate as the ALB; exporting the ACM public certificate is not the intended way to obtain one, which makes this option a poor fit.
Conclusion: T...
Author: Aarav2020 · Last updated May 23, 2026
A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:
The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized er...
The issue here is that the developers are receiving a "not-authorized" error despite having the appropriate IAM policy allowing access to Amazon SES and being within an OU that allows SES access via SCP. The reason for this "not-authorized" error can be traced back to how Service Control Policies (SCPs) interact with IAM policies.
Key Concepts:
1. IAM Policies: These policies grant permissions to users, groups, or roles for accessing AWS services.
2. SCPs (Service Control Policies): SCPs set permission guardrails within an AWS Organization. They restrict what IAM users and roles within an organization can do, regardless of their individual IAM policies.
3. AWS Organizations: SCPs apply to accounts, Organizational Units (OUs), or the root of the organization.
In this case, developers have an IAM policy that grants `ses:*`, and the OU SCP allows SES. SCPs are evaluated at every level of the hierarchy: for an action to be permitted in an account, it must be allowed by the SCPs attached to the root, by the SCPs attached to every OU on the path to the account, and by the SCPs attached to the account itself, and then the IAM policy must allow it as well. An allow in the OU SCP therefore cannot restore an action that the root SCP does not allow, which is why the root SCP is where to look for the cause of the "not-authorized" error.
---
Evaluating Each Option:
- Option A: Add a resource policy that allows each member of the group to access Amazon SES.
- Resource-based policies (like those for Amazon S3, SES, or Lambda) are generally used to grant permissions to specific resources, but IAM policies and SCPs govern access to AWS services across the board. The issue is not with the resource policy; it's more likely related to the overarching restrictions imposed by SCPs.
- Conclusion: This is not the correct approach to fix the issue since the root cause is more likely tied to SCPs, not resource policies.
- Option B: Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}.
- Similar to Option A, this approach involves modifying a resource-based policy. However, SCPs control access to services ...
Author: Ahmed · Last updated May 23, 2026
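The evaluation rule described above is easy to misread, so here it is as code. This is an added example, not code from the page: the root SCP is hypothetical (the page does not reproduce the real one), the OU SCP and IAM policy follow the question, and Resource elements are treated as `*` throughout, which is how the policies in this scenario are written. It also shows the opposite pattern, FullAWSAccess plus an explicit Deny at one node, which is how a targeted guardrail coexists with full access.

```python
"""Models SCP evaluation across the organization hierarchy.  Added example;
the root SCP is hypothetical and Resource elements are ignored."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def layer_permits(policies, action):
    """All SCPs attached at one node (root, OU or account) act together:
    an explicit Deny wins, otherwise some statement must Allow the action."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_permission(scp_path, identity_policy, action):
    """scp_path: SCP sets attached at the root, each OU on the path, and the
    account, in that order.  Every level must permit the action, and then
    the identity policy must allow it."""
    if not all(layer_permits(layer, action) for layer in scp_path):
        return False
    return layer_permits([identity_policy], action)


FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Hypothetical root SCP that allow-lists services and leaves SES out.
ROOT_ALLOWLIST = {"Statement": [{"Effect": "Allow",
                                 "Action": ["ec2:*", "s3:*", "cloudwatch:*", "iam:*"],
                                 "Resource": "*"}]}
OU_ALLOW_SES = {"Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}
DEVELOPER_IAM = {"Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}

# Guardrail pattern: FullAWSAccess plus an explicit Deny attached at the same node.
DENY_DISABLE_DETECTION = {"Statement": [{"Effect": "Deny",
                                         "Action": ["guardduty:DeleteDetector",
                                                    "securityhub:DisableSecurityHub"],
                                         "Resource": "*"}]}


def ses_with_restricted_root():
    """The scenario in the question: OU allows SES, root does not."""
    return effective_permission([[ROOT_ALLOWLIST], [OU_ALLOW_SES], [FULL_AWS_ACCESS]],
                                DEVELOPER_IAM, "ses:SendEmail")


def ses_with_fixed_root():
    """Fix applied where the allow-list lives: add ses:* to the root SCP."""
    fixed_root = {"Statement": ROOT_ALLOWLIST["Statement"] + OU_ALLOW_SES["Statement"]}
    return effective_permission([[fixed_root], [OU_ALLOW_SES], [FULL_AWS_ACCESS]],
                                DEVELOPER_IAM, "ses:SendEmail")


def guardrail(action):
    """Even an administrator identity cannot perform an action an SCP denies."""
    admin = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_DISABLE_DETECTION], [FULL_AWS_ACCESS]]
    return effective_permission(path, admin, action)


if __name__ == "__main__":
    print(ses_with_restricted_root())             # False: the root never allows ses:*
    print(ses_with_fixed_root())                  # True
    print(guardrail("guardduty:DeleteDetector"))  # False even for an admin
    print(guardrail("guardduty:ListDetectors"))   # True: the deny is narrow
```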
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server.
The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 inst...
To secure the EC2 instance properly, we need to focus on controlling access based on the requirements, which are:
1. HTTPS traffic should be allowed to access the website.
2. SSH should be allowed only from the management subnet for secure server management.
3. The website is hosted on the subnet 10.0.1.0/24.
4. The management subnet is 192.168.100.0/24.
We need to create a security group that allows HTTPS access from all internet traffic (since it's a public website) but restricts SSH access to only the management subnet.
Step-by-Step Analysis:
1. HTTPS traffic:
- HTTPS (port 443) needs to be accessible from the public internet for the website to be available to users.
- The correct configuration would be to allow traffic on port 443 from 0.0.0.0/0 (i.e., anywhere on the internet).
2. SSH traffic:
- SSH (port 22) should only be allowed from trusted sources, specifically the management subnet, to ensure that only the security engineers (from the management subnet 192.168.100.0/24) can access the server for management purposes.
- Allowing port 22 from 0.0.0.0/0 would be highly insecure, as it would expose the server to the entire internet. Therefore, SSH access should be restricted to 192.168.100.0/24.
3. Other subnet options:
- Port 22 should not be opened to the web server subnet (10.0.1.0/24), as the goal is to allow SSH only from the management subnet, not from the web server subnet itself.
Evaluating Each Option:
- Option A: Allow port 22 from source 0.0.0.0/0:
- Rejected: This wou...
Author: VenomousSerpent42 · Last updated May 23, 2026
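The reasoning above can be turned into a check that runs over a proposed rule set before it is applied. This is an added example, not code from the page: rules use a simplified `(from_port, to_port, protocol, cidr)` form rather than the EC2 API shape, and the candidate rule sets are constructed to mirror the options discussed.

```python
"""Lints a proposed security group ingress rule set against the question's
requirements: HTTPS from anywhere, SSH only from the management subnet.
Added example; rule format and candidate rule sets are constructed."""
import ipaddress

MANAGEMENT_SUBNET = ipaddress.ip_network("192.168.100.0/24")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


def _covers(rule_from, rule_to, port):
    return rule_from <= port <= rule_to


def lint_ingress(rules):
    """Return a list of findings; an empty list means the rule set is acceptable."""
    findings = []
    https_public = False
    ssh_from_management = False
    for from_port, to_port, protocol, cidr in rules:
        if protocol != "tcp":
            findings.append(f"{protocol} from {cidr}: only tcp/443 and tcp/22 are required")
            continue
        source = ipaddress.ip_network(cidr)
        if _covers(from_port, to_port, 443) and source == ANYWHERE:
            https_public = True
        if _covers(from_port, to_port, 22):
            if source.subnet_of(MANAGEMENT_SUBNET):
                ssh_from_management = True
            else:
                findings.append(f"SSH (tcp/22) reachable from {cidr}; restrict it to {MANAGEMENT_SUBNET}")
        if to_port > from_port:
            findings.append(f"port range {from_port}-{to_port} from {cidr} is wider than a single service port")
    if not https_public:
        findings.append("HTTPS (tcp/443) is not open to 0.0.0.0/0; the public website would be unreachable")
    if not ssh_from_management:
        findings.append(f"no SSH rule from {MANAGEMENT_SUBNET}; management access would be blocked")
    return findings


# Constructed candidate rule sets.
OPTION_SSH_PUBLIC = [(443, 443, "tcp", "0.0.0.0/0"), (22, 22, "tcp", "0.0.0.0/0")]
OPTION_SSH_WEB_SUBNET = [(443, 443, "tcp", "0.0.0.0/0"), (22, 22, "tcp", "10.0.1.0/24")]
OPTION_ALL_PORTS = [(0, 65535, "tcp", "0.0.0.0/0")]
OPTION_CORRECT = [(443, 443, "tcp", "0.0.0.0/0"), (22, 22, "tcp", "192.168.100.0/24")]

if __name__ == "__main__":
    for name, rules in (("ssh public", OPTION_SSH_PUBLIC), ("ssh from web subnet", OPTION_SSH_WEB_SUBNET),
                        ("all ports", OPTION_ALL_PORTS), ("correct", OPTION_CORRECT)):
        print(name, lint_ingress(rules) or "ok")
```

Security groups are stateful, so no egress rule is needed for the return traffic of these two services; the linter therefore only looks at ingress.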
A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.
However, CloudWatch does not receive the logs. The security e...
To resolve the issue of the EC2 instance not forwarding custom application-security logs to Amazon CloudWatch, we need to ensure the EC2 instance has the necessary permissions to send logs to CloudWatch. Let’s analyze the options:
A) Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.
- Why it's rejected: CloudTrail is used for logging API calls and actions made on AWS resources, not for forwarding custom application logs. This option would not resolve the issue because CloudTrail is not intended for handling application logs in the way CloudWatch is.
B) Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.
- Why it's rejected: While logs can be written to S3 and then ingested into CloudWatch Logs using Lambda or other mechanisms, this solution is more complex and unnecessary for this use case. The question specifies using the CloudWatch agent, which is intended to directly push logs to CloudWatch without needing S3 as an intermediary.
C) Add Amazon Inspector to the trust...
Author: StarlightBear · Last updated May 23, 2026
A systems engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the development team wants to use security groups and network ACLs to accomplish various security req...
To troubleshoot the connectivity of a test environment involving a virtual security appliance, the key factor to consider is how the virtual security appliance routes traffic while using security groups and network ACLs. The virtual security appliance must be able to process and route traffic through different layers of the network, while also interacting with the security groups and network ACLs effectively.
Let’s evaluate the options:
A) Disable network ACLs.
- Why it's rejected: Disabling network ACLs entirely would be an inappropriate approach because network ACLs are an important layer of security for controlling traffic at the subnet level. Simply disabling them would remove an additional security layer, which isn’t necessary for the virtual security appliance to route traffic. It’s better to allow the security appliance to work in conjunction with network ACLs rather than disable them.
B) Configure the security appliance's elastic network interface for promiscuous mode.
- Why it's rejected: Promiscuous mode would let the appliance see all frames on a shared segment, but EC2 elastic network interfaces do not support promiscuous mode; the VPC delivers to an interface only the traffic addressed to it, so the setting has no effect on whether forwarded traffic reaches the appliance. Inline routing depends on the VPC route table sending traffic to the appliance's ENI and on the ENI accepting packets that are not addressed to itself, not on promiscuous capture.
C) Disable the Network Source/Destination check on the security appliance's elastic network interface.
- Why this is selected: The Network Source/...
Author: Daniel · Last updated May 23, 2026
A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2, and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy:
When the security engineer tries to add the policy to the S3 bucket, the following error message appears: "Missing required field Principa...
The error message "Missing required field Principal" indicates that the policy is missing a Principal field, which specifies the IAM entities (users, groups, or roles) that the policy applies to. In the context of an S3 bucket policy, you need to define the IAM users (User1, User2, and User3) that the policy will grant access to.
Here’s a breakdown of the available solutions:
Options to consider:
A) Use IAM group ARN (AuthorizedPeople group) as the Principal.
- Why this is rejected: An IAM group is not a valid principal in a resource-based policy such as an S3 bucket policy; the `Principal` element accepts account, IAM user and IAM role ARNs (as well as service and federated principals), but not group ARNs. While the `AuthorizedPeople` group organizes these users inside IAM, the bucket policy has to name the users themselves, so using the group ARN is not a valid solution.
B) Use the specific IAM user ARNs (User1, User2, and User3) in the Principal field.
- Why this is selected: This solution directly addresses the requirement to grant least privilege read access to the individual users: User1, User2, and User3. In an S3 bucket policy, you must specify the Principal as the ARNs of the IAM users. The policy can list the ARNs of User1, User2, and User3 to grant them the specific access needed.
For example, the policy would look like this:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
...
Author: Sam · Last updated May 23, 2026
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check.
The security engineer notices that all resources ar...
Let's evaluate the possible causes for the noncompliant status after invoking the GenerateCredentialReport API operation and enabling AWS Config rules.
Options Analysis:
A) The IAM credential report was generated within the past 4 hours.
- Why this is rejected: The IAM credential report being generated recently (within the past 4 hours) shouldn't cause the noncompliant status. AWS Config rules typically assess compliance based on the most recent credential data. The timing of the report doesn't generally affect whether AWS Config identifies compliance, as the report reflects the current state of IAM users, access keys, and MFA settings. Therefore, this option is not the root cause of the issue.
B) The security engineer does not have the GenerateCredentialReport permission.
- Why this is rejected: The GenerateCredentialReport permission is needed to generate the IAM credential report, but the fact that the report was successfully generated indicates that the security engineer must have this permission. If the engineer didn't have this permission, the API request would have failed, so this is not the cause of the noncompliant status.
C) The security engineer does not have the GetCredentialReport permission.
- Why this is selected: The GetCredentialReport permission is r...
Author: RadiantJaguar56 · Last updated May 23, 2026
A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer.
The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.
The security engineer needs to immediately return the application to service, resolve the issue, and ensure t...
Let's break down the situation and the options:
Scenario Overview:
- The company uses AWS WAF to protect an API service based on EC2 instances.
- After a software upgrade, certain requests are no longer working, causing stability issues.
- The AWS WAF logging was not enabled for the web ACL, so the engineer enabled logging to Amazon CloudWatch Logs.
- The security engineer needs to immediately return the application to service and ensure logging remains enabled in the future.
The key requirements are:
1. Immediate action to return the application to service.
2. Logging needs to stay enabled for monitoring future issues.
3. Determining which rule is blocking the requests.
Step-by-step Evaluation of Options:
A) Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.
- Why this is selected (partially):
- Using Count actions will allow the engineer to count requests that match a specific rule without actually blocking them. This is useful for identifying which rules are affecting traffic without causing further issues.
- IAM policy modification is an important step to prevent future removal of logging configurations.
- Why the rest is rejected:
- The IAM policy ensures that administrators cannot remove logging, which addresses the concern of turning off logging unintentionally, but it doesn't fully address the other requirements.
B) Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.
- Why this is selected (partially):
- The Count actions approach helps in identifying which rule is blocking requests without disrupting t...
Author: Carlos Garcia · Last updated May 23, 2026
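Once logging is on and the managed rule group has been switched to Count, the logs are what tell the engineer which rule was responsible. The following is an added example, not code from the page: a triage script run over constructed WAF log records. The records follow the WAF log field names (`action`, `terminatingRuleId`, `ruleGroupList`, `terminatingRule`, `nonTerminatingMatchingRules`, `httpRequest`), but the web ACL ARN, account ID, client IPs and URIs are placeholders. The first two records show the state before the change (a managed rule blocking); the third shows the same rule after its action was overridden to Count.

```python
"""Triage of AWS WAF log records: which rule blocks, which rules match in
Count mode.  Added example; the log lines are constructed."""
import json
from collections import Counter

# Constructed log lines, one JSON document per line, as delivered to CloudWatch Logs.
SAMPLE_WAF_LOG_LINES = """
{"timestamp": 1700000000000, "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api-acl/placeholder", "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"}, "nonTerminatingMatchingRules": []}], "httpRequest": {"clientIp": "203.0.113.10", "uri": "/v2/orders", "httpMethod": "POST"}}
{"timestamp": 1700000001000, "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api-acl/placeholder", "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"}, "nonTerminatingMatchingRules": []}], "httpRequest": {"clientIp": "203.0.113.11", "uri": "/v2/orders", "httpMethod": "POST"}}
{"timestamp": 1700000002000, "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api-acl/placeholder", "action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [{"ruleId": "SizeRestrictions_BODY", "action": "COUNT"}]}], "httpRequest": {"clientIp": "203.0.113.12", "uri": "/v2/orders", "httpMethod": "POST"}}
{"timestamp": 1700000003000, "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api-acl/placeholder", "action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": []}], "httpRequest": {"clientIp": "203.0.113.13", "uri": "/health", "httpMethod": "GET"}}
"""


def parse_waf_log_lines(text):
    """Each non-empty line is one JSON record."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Tally (rule group, rule, URI) for blocks and for Count-mode matches."""
    blocking, counted = Counter(), Counter()
    for rec in records:
        uri = rec["httpRequest"]["uri"]
        for group in rec.get("ruleGroupList", []):
            term = group.get("terminatingRule")
            if rec["action"] == "BLOCK" and term and term["action"] == "BLOCK":
                blocking[(group["ruleGroupId"], term["ruleId"], uri)] += 1
            for rule in group.get("nonTerminatingMatchingRules", []):
                if rule["action"] == "COUNT":
                    counted[(group["ruleGroupId"], rule["ruleId"], uri)] += 1
    return {"blocking": blocking, "counted": counted}


def top_blocking_rule(records):
    """The (rule group, rule, URI) triple blocking the most requests, or None."""
    blocking = triage(records)["blocking"]
    return blocking.most_common(1)[0][0] if blocking else None


if __name__ == "__main__":
    recs = parse_waf_log_lines(SAMPLE_WAF_LOG_LINES)
    print("blocking:", top_blocking_rule(recs))
    print("count-mode matches:", dict(triage(recs)["counted"]))
```

The record with `terminatingRule: null` and a `COUNT` entry under `nonTerminatingMatchingRules` is what a rule-action override to Count looks like in the log: the request is allowed, but the match is still recorded, which is exactly the evidence needed to decide whether to scope the rule down (here, most likely a body-size limit tripped by the upgraded client) or to exclude it.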
A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.
When the code is processed, the following error message appears: "An error occurred (AccessDenied) when ...
The error message indicates that the Lambda function is trying to assume a role across AWS accounts but lacks the necessary permissions. To resolve this, the security engineer needs to ensure that both roles (LambdaAuditRole and AcmeAuditFactoryRole) are configured correctly for cross-account role assumption.
Let's evaluate each option:
A) Ensure that LambdaAuditRole has the sts:AssumeRole permission for AcmeAuditFactoryRole.
- Explanation: LambdaAuditRole needs the `sts:AssumeRole` permission to be able to assume the AcmeAuditFactoryRole. This permission should be part of the policy attached to LambdaAuditRole. If it's missing, the Lambda function will not be able to assume the role.
- Why this option is selected: This is crucial for the Lambda function to assume a role in a different account. Without this permission, the assume role operation will fail.
- Why this option is kept alongside the trust policy: the identity policy on LambdaAuditRole is one of the two halves of a cross-account assumption; STS returns AccessDenied if either the caller's policy or the target role's trust policy is missing, so this permission has to be present on LambdaAuditRole.
B) Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
- Explanation: The AWSLambdaBasicExecutionRole policy allows Lambda functions to interact with AWS services, but it doesn't directly address the issue of assuming roles in another account.
- Why this option is rejected: While it's a good practice to attach this policy for logging and execution permissions, it is not directly related to the issue of cross-account role assumption. The issue at hand is with the `sts:AssumeRole` permission, not Lambda execution rights.
C) Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
- Explanation: The trust policy of AcmeAuditFactoryRole must explicitly allow the LambdaAuditRole to assume the role by allowing `sts:AssumeRole` from that specific role or ...
Author: Ming · Last updated May 23, 2026
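The two halves of a cross-account assumption, the caller's identity policy and the target's trust policy, can be checked together. This is an added example, not code from the page: the account IDs are constructed, the role names are the ones in the question, and the policies are written here to show the two failure modes. For cross-account assumption STS requires both halves, so either one missing yields the AccessDenied error above.

```python
"""Checks both halves of a cross-account sts:AssumeRole.  Added example;
account IDs and policies are constructed."""
import fnmatch

LAMBDA_ACCOUNT = "111122223333"        # constructed: where the function runs
AUDIT_ACCOUNT = "444455556666"         # constructed: where the target role lives
LAMBDA_ROLE = f"arn:aws:iam::{LAMBDA_ACCOUNT}:role/LambdaAuditRole"
TARGET_ROLE = f"arn:aws:iam::{AUDIT_ACCOUNT}:role/AcmeAuditFactoryRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def identity_allows_assume(identity_policy, target_role_arn):
    """Half 1: the caller's own policy must allow sts:AssumeRole on the target."""
    allowed = False
    for stmt in identity_policy["Statement"]:
        if _any_match(stmt["Action"], "sts:AssumeRole") and _any_match(stmt["Resource"], target_role_arn):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def trust_allows_caller(trust_policy, caller_role_arn):
    """Half 2: the target's trust policy must name the caller role or its account root."""
    caller_account_root = f"arn:aws:iam::{caller_role_arn.split(':')[4]}:root"
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _any_match(stmt["Action"], "sts:AssumeRole"):
            continue
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if caller_role_arn in principals or caller_account_root in principals:
            return True
    return False


def can_assume(identity_policy, trust_policy, caller=LAMBDA_ROLE, target=TARGET_ROLE):
    """Cross-account: both halves must agree."""
    return identity_allows_assume(identity_policy, target) and trust_allows_caller(trust_policy, caller)


# Constructed policies for the two roles.
IDENTITY_WITH_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE},
]}
IDENTITY_BASIC_EXECUTION = {"Version": "2012-10-17", "Statement": [   # what AWSLambdaBasicExecutionRole grants
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"},
]}
TRUST_NAMES_LAMBDA_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE}, "Action": "sts:AssumeRole"},
]}
TRUST_ACCOUNT_ROOT = {"Version": "2012-10-17", "Statement": [        # broader: any principal the Lambda account lets
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{LAMBDA_ACCOUNT}:root"},
     "Action": "sts:AssumeRole"},
]}
TRUST_LAMBDA_SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [  # lets Lambda run the role, not assume it cross-account
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
]}

if __name__ == "__main__":
    print(can_assume(IDENTITY_WITH_ASSUME, TRUST_NAMES_LAMBDA_ROLE))     # True
    print(can_assume(IDENTITY_BASIC_EXECUTION, TRUST_NAMES_LAMBDA_ROLE))  # False: half 1 missing (option B alone)
    print(can_assume(IDENTITY_WITH_ASSUME, TRUST_LAMBDA_SERVICE_ONLY))    # False: half 2 missing
```

Naming the role ARN in the trust policy (rather than the caller account's root) is the least-privilege form: with the root principal, every identity in the Lambda account that obtains `sts:AssumeRole` on the target could use it.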
A company has AWS accounts in an organization in AWS Organizations. The organization includes a dedicated security account.
All AWS account activity across all member accounts must be logged and reported to the dedicated security account. The company must retain all the activity logs in a secure storage location within the dedicated security account for 2 years. ...
To meet the company's requirements of logging all AWS account activity and ensuring the logs are stored securely in a dedicated security account with the least operational overhead, let's evaluate each option:
A) In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's management account to write to the S3 bucket.
- Explanation: S3 Object Lock in compliance mode prevents object modification or deletion for the specified retention period, ensuring the logs cannot be altered or deleted. Setting the bucket policy to allow the organization's management account to write to the bucket makes sense for this scenario, but it doesn't ensure all member accounts can write to it.
- Why this option is rejected: This option restricts access to the S3 bucket only to the management account. Since the requirement is for all member accounts to log activity, the policy should allow member accounts to write logs to the bucket, not just the management account.
B) In the dedicated security account, create an Amazon S3 bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years on the S3 bucket. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
- Explanation: S3 Object Lock in compliance mode with a 2-year retention period ensures that logs cannot be deleted or altered during that period, fulfilling the security requirement. The policy allowing all member accounts to write to the S3 bucket ensures that logs from all accounts are delivered to this centralized storage location.
- Why this option is selected: This setup satisfies the requirement for centralized logging with secure, unalterable storage and ensures that every member account's activity reaches the bucket. It is efficient and meets all the security requirements with minimal overhead. When implemented with an organization trail, the writes are performed by the CloudTrail service principal (`cloudtrail.amazonaws.com`) rather than by the member accounts' own IAM principals, so the bucket policy grants that service principal `s3:GetBucketAcl` on the bucket and `s3:PutObject` on the `AWSLogs/<organization-id>/*` and `AWSLogs/<management-account-id>/*` prefixes; that is how "member accounts can write" is realised in practice.
C) In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycle configuration that expires objects after 2 years. Set the bucket policy to allow the organization's member accounts to write to the S3 bucket.
- Explanation: S3 Lifecycle configuration allows you to define policies for automatically deleting or transitioning objects. However, t...
Author: IronLion88 · Last updated May 23, 2026
A company is testing its incident response plan for compromised credentials. The company runs a database on an Amazon EC2 instance and stores the sensitive database credentials as a secret in AWS Secrets Manager. The secret has rotation configured with an AWS Lambda function that uses the generic rotation function template. The EC2 instance and the Lambda function are deployed in the same private subnet. The VPC has a Secrets Manager VPC endpoint.
A security engineer discovers that the secret cannot rotate...
The error message "setSecret: Unable to log into database" in the CloudWatch logs suggests that the Lambda function responsible for rotating the secret is unable to connect to the database. Since the VPC endpoint for Secrets Manager is working, the issue seems to be with the Lambda function's ability to connect to the EC2 instance hosting the database.
Let's evaluate each option to identify the best solution:
A) Use the AWS Management Console to edit the JSON structure of the secret in Secrets Manager so that the secret automatically conforms with the structure that the database requires.
- Explanation: The structure of the secret in Secrets Manager should match the format expected by the database. However, the error message indicates that the problem is not with the format of the secret, but rather with the Lambda function's ability to interact with the database.
- Why this option is rejected: While ensuring the secret format matches the database's expected structure is important, the error message points to a connection issue rather than an issue with the secret's structure. The solution likely lies in resolving network connectivity issues.
B) Ensure that the security group that is attached to the Lambda function allows outbound connections to the EC2 instance. Ensure that the security group that is attached to the EC2 instance allows inbound connections from the security group that is attached to the Lambda function.
- Explanation: The Lambda function must have network access to the EC2 instance where the database is hosted in order to update the database credentials. For this, the Lambda function's security group must allow outbound connections to the EC2 instance, and the EC2 instance's security group must allow inbound connections from the Lambda function's security group.
- Why this option is selected: This option addresses the core problem: ensuring that the Lambda function can reach the EC2 instance to update the database credentials. Properly configured security groups are essential for network connectivity between these resources in the same VPC.
- Why other options are rejected: This solution directly address...
Author: Liam · Last updated May 23, 2026
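The security-group check behind option B, as an added example that is not part of the author's explanation: it evaluates rules shaped like boto3 `describe_security_groups()` output, with every group ID, IP address and the database port being constructed placeholders rather than real values.

```python
# Added example (not the author's code): evaluate whether the rotation Lambda's
# security group can reach the database instance's security group on the DB port.
# Input dicts mimic the shape of boto3 ec2.describe_security_groups() entries;
# every group ID, IP and port below is a constructed placeholder.
import ipaddress

DB_PORT = 3306                 # constructed: assume a MySQL listener
DB_PRIVATE_IP = "10.0.1.25"    # constructed private IP of the EC2 database host

# Lambda SG: no inbound needed; default "all outbound" egress rule.
LAMBDA_SG = {
    "GroupId": "sg-lambda000",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
    ],
}

# Lambda SG whose egress was tightened to HTTPS only (enough for the Secrets
# Manager VPC endpoint, but not for the database port).
LAMBDA_SG_HTTPS_ONLY = {
    "GroupId": "sg-lambda001",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
    ],
}

# Database SG as found: only the application's SG may connect, so the rotation
# Lambda's login attempt fails ("setSecret: Unable to log into database").
DB_SG_BROKEN = {
    "GroupId": "sg-db000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app000"}]}
    ],
    "IpPermissionsEgress": [],
}

# Database SG after option B: an extra inbound rule referencing the Lambda SG.
DB_SG_FIXED = {
    "GroupId": "sg-db000",
    "IpPermissions": DB_SG_BROKEN["IpPermissions"] + [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lambda000"}]}
    ],
    "IpPermissionsEgress": [],
}


def _covers_port(rule, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if rule.get("IpProtocol") == "-1":        # -1 means all protocols and ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def egress_allows(source_sg, dest_sg_id, dest_ip, port):
    """Outbound from source_sg to the destination, by CIDR or by SG reference."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in source_sg["IpPermissionsEgress"]:
        if not _covers_port(rule, port):
            continue
        if any(dest in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
        if any(p.get("GroupId") == dest_sg_id for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def ingress_allows_from_sg(dest_sg, source_sg_id, port):
    """Inbound rule on dest_sg that references source_sg_id (the SG-to-SG rule option B asks for)."""
    for rule in dest_sg["IpPermissions"]:
        if _covers_port(rule, port) and any(
                p.get("GroupId") == source_sg_id for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def diagnose(lambda_sg, db_sg, db_ip, port):
    """List what blocks the rotation path; an empty list means both directions are open.
    Security groups are stateful, so the database's reply needs no extra rule."""
    problems = []
    if not egress_allows(lambda_sg, db_sg["GroupId"], db_ip, port):
        problems.append(f"{lambda_sg['GroupId']}: no egress to {db_sg['GroupId']} on tcp/{port}")
    if not ingress_allows_from_sg(db_sg, lambda_sg["GroupId"], port):
        problems.append(f"{db_sg['GroupId']}: no ingress from {lambda_sg['GroupId']} on tcp/{port}")
    return problems


if __name__ == "__main__":
    for name, sg in (("as found", DB_SG_BROKEN), ("after option B", DB_SG_FIXED)):
        print(name, diagnose(LAMBDA_SG, sg, DB_PRIVATE_IP, DB_PORT) or "path open")
```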
A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.
All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The securi...
To meet the requirement of preventing anyone from disabling Amazon GuardDuty and AWS Security Hub while ensuring that no other IAM policies are overridden, the security engineer needs to create and attach an SCP (Service Control Policy) that explicitly denies actions related to disabling GuardDuty and Security Hub, but does not interfere with other permissions granted by IAM policies.
Let's evaluate each option and consider key factors in the reasoning:
Key Factors:
- Service Control Policies (SCPs) govern what actions can be performed within AWS Organizations. SCPs are used to set permission guardrails for IAM roles and policies, but they do not override permissions that are granted by IAM policies within the accounts.
- The goal is to deny disabling GuardDuty and Security Hub but allow all other IAM policy permissions.
- The SCP must be applied to the root of the organization so that it affects all accounts and organizational units (OUs).
Explanation of the Correct SCP
The correct SCP should explicitly deny any actions that are capable of disabling GuardDuty or AWS Security Hub, while ensuring that other permissions are not overridden. Here’s a sample SCP that could achieve this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "guardduty:DisableGuardDuty",
        "securityhub:DisableSecurityHub",
        "securityhub:BatchDisableStandards",
        "securityhub:UpdateSecurityHubConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
```
This SCP:
- Deny specific actions such a...
Author: Ryan · Last updated May 23, 2026
A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials.
The company already uses AWS Key ...
To meet the company's requirements of securely deploying resources from an AWS CloudFormation template while handling sensitive database credentials, we need to leverage AWS services that ensure security best practices. Let's evaluate each option:
Key Factors:
- AWS Secrets Manager: A service designed specifically for managing sensitive information like database credentials, API keys, and other secrets.
- AWS Key Management Service (KMS): A service to manage encryption keys and control access to encrypted data.
- CloudFormation: A service for deploying AWS resources in a secure, automated, and consistent manner.
Option Analysis:
A) Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.
- Explanation: AWS CloudFormation supports dynamic references to securely reference values stored in services such as Secrets Manager. When using dynamic references in the template, CloudFormation automatically retrieves the secret values from Secrets Manager at stack creation time. This approach is a recommended security best practice because the database credentials are never exposed directly in the template, and the retrieval process is secure and encrypted.
- Why this option is selected: This solution uses Secrets Manager, which is purpose-built for managing sensitive information. The dynamic reference allows secure retrieval of the credentials without hardcoding them in the template, meeting both security and best practice requirements.
B) Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
- Explanation: This option suggests referencing the database credentials as a parameter in the CloudFormation template. While you can encrypt the template with AWS KMS, parameters passed into CloudFormation can be viewed in plaintext by users with access to CloudFormation, which is a security risk. Encrypting the entire template with KMS doesn’t provide proper protection for sensitive data like credentials that are handled by the template itself.
- Why this option is rejected: While encrypting the CloudFormation template adds some level of security, the credentials are still passed as parameters and could be exposed to users with sufficient CloudFo...
Author: Lucas · Last updated May 23, 2026
An international company wants to combine AWS Security Hub findings across all the company's AWS Regions and from multiple accounts. In addition, the company wants to create a centralized custom dashboard to correlate these findings with operational data for deeper analysis and insights. The company needs an an...
Reasoning and Explanation:
1. Step A: Designate an AWS account as a delegated administrator for Security Hub. Publish events to Amazon CloudWatch from the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.
- Why Rejected: While CloudWatch can be used for monitoring and alerting purposes, it is not the most suitable for aggregating and visualizing large amounts of Security Hub findings across multiple accounts and regions. The company needs to centralize and analyze findings from all accounts and regions, which would be more efficiently done using EventBridge and a data pipeline to a centralized data store (like S3). CloudWatch events can be used for operational metrics but don’t offer the same ease of analysis and cross-account data handling as EventBridge.
2. Step B: Designate an AWS account in an organization in AWS Organizations as a delegated administrator for Security Hub. Publish events to Amazon EventBridge from the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.
- Why Selected: This is the most suitable option as it uses Amazon EventBridge to aggregate events from all accounts and regions into a centralized event bus. EventBridge is specifically designed to handle event-driven architectures across multiple AWS accounts and regions, which is exactly what the company needs. This centralized collection of findings will allow for easy correlation and deeper analysis of Security Hub data.
3. Step C: In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis data stream. Configure the Kinesis data streams to output the logs to a single Amazon S3 bucket.
- Why Rejected: While Kinesis is a great tool for streaming data in real-time, this solution does not provide the same level of ease for querying and visualizing the data. Storing findings in S3 and using Athena or QuickSight for querying would be a better approach. Kinesis also adds unnecessary complexity compared to using EventBridge directly to publish findings to S3 or other analytics services.
4. Step D: In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis Data Firehose delivery stream. Configure the Kine...
Author: Harper · Last updated May 23, 2026
An AWS account administrator created an IAM group and applied the following managed policy to require that each individual user authenticate using multi-factor authentication:
After implementing the policy, the administrator receives reports that users are unable to perform Amazon EC2 commands...
Reasoning and Explanation:
1. Option A: Change the value of aws:MultiFactorAuthPresent to true.
- Why Rejected: This option only modifies the policy’s condition, but it doesn't solve the issue where users are unable to perform EC2 commands. The core issue is that users need to authenticate using multi-factor authentication (MFA), but this approach doesn't address how users should authenticate via CLI or API after MFA enforcement. It assumes the policy is incorrect without considering how to implement MFA with the CLI.
2. Option B: Instruct users to run the aws sts get-session-token CLI command and pass the multi-factor authentication --serial-number and --token-code parameters. Use these resulting values to make API/CLI calls.
- Why Selected: This is the most effective option. The `aws sts get-session-token` command is used to obtain temporary security credentials that include the MFA authentication. This allows users to authenticate with MFA while still being able to run AWS CLI commands. The users will authenticate using the MFA device and then use the temporary credentials (access key ID, secret access key, and session token) provided by the `get-session-token` command to authenticate their requests to AWS services, such as EC2. It resolves the problem by ensuring MFA is enforced while enabling the users to perform EC2 commands.
3. Option C: Implement federated API/CLI access using SAML 2.0, then configure the identity provider to enforce multi-factor authentication.
- Why Rejected: While SAML-based fede...
Author: Ella · Last updated May 23, 2026
A company is developing a mechanism that will help data scientists use Amazon SageMaker to read, process, and output data to an Amazon S3 bucket. Data scientists will have access to a dedicated S3 prefix for each of their projects. The company will implement bucket policies that use the dedicated S3 prefixes to restrict access to the S3 objects. The projects can last up to 60 days.
The company's securi...
Reasoning and Explanation:
1. Option A: Create an AWS Lambda function to identify and delete objects in the S3 bucket that have not been accessed for 60 days. Create an Amazon EventBridge scheduled rule that runs every day to invoke the Lambda function.
- Why Rejected: While this option would technically meet the requirement of deleting objects after 60 days, it is more complex than necessary. It involves the setup of an AWS Lambda function that runs on a scheduled basis, adding operational overhead, maintenance, and additional costs for the Lambda execution and EventBridge rules. Additionally, Lambda would need to query the objects to determine if they haven't been accessed, which may not be the most efficient approach in terms of both time and cost.
2. Option B: Create a new S3 bucket. Configure the new S3 bucket to use S3 Intelligent-Tiering. Copy the objects to the new S3 bucket.
- Why Rejected: S3 Intelligent-Tiering is a storage class designed to move objects between two access tiers (frequent and infrequent access) based on access patterns. However, this is not directly related to the requirement of expiring objects after 60 days. The additional costs and complexity of configuring a new bucket and moving data to the Intelligent-Tiering storage class do not align with the goal of simply ensuring data is deleted after the project ends. Intelligent-Tiering is useful for cost optimization based on access patterns but doesn't automatically delete objects after a specified period, which is a key requirement here.
3. Option C: Create an S3 Lifecycle configuration for each S3 bucket prefix for each project. Set the S3 ...
Author: Ryan · Last updated May 23, 2026
A company has AWS accounts that are in an organization in AWS Organizations. An Amazon S3 bucket in one of the accounts is publicly accessible.
A security engineer must change the configuration so that the S3 bucket is no longer publicly accessible. The security engineer also must ...
Reasoning and Explanation:
1. Option A: Configure the S3 bucket to use an AWS Key Management Service (AWS KMS) key. Encrypt all objects in the S3 bucket by creating a bucket policy that enforces encryption. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.
- Why Rejected: While using AWS KMS encryption can enhance data security, it does not directly address the requirement of preventing public access to the S3 bucket. Also, denying the `s3:GetObject` action via an SCP does not directly prevent the bucket from being made publicly accessible. The goal is to restrict public access to the bucket and ensure it cannot be made public again in the future, which this solution does not fully address.
2. Option B: Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:GetObject action for the OU that contains the AWS account.
- Why Rejected: Enabling the PublicAccessBlock configuration is the correct step to block public access, but denying the `s3:GetObject` action via an SCP is unnecessary and might disrupt legitimate access. The `s3:GetObject` action is essential for reading objects from the S3 bucket, and denying this action could create access issues for legitimate users or applications, which doesn't align with the requirement.
3. Option C: Enable the PublicAccessBlock configuration on the S3 bucket. Configure an SCP to deny the s3:PutPublicAccessBlock action for the OU that contains the AWS account.
- W...
Author: Noah Williams · Last updated May 23, 2026
A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.
The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) vol...
Reasoning and Explanation:
1. Option A: Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
- Why Selected: By modifying the EBS default encryption settings, all newly created EBS volumes will be automatically encrypted at rest using AWS Key Management Service (KMS). This ensures that the web and backend EC2 instances will have encrypted EBS volumes as they are launched by the Auto Scaling group. Using the instance refresh ensures that existing EC2 instances are replaced with new instances that use the updated launch template and the new EBS encryption settings. This approach is an efficient and cost-effective way to ensure encryption at rest for the EC2 instances’ EBS volumes.
2. Option B: Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
- Why Rejected: AWS Certificate Manager (ACM) is primarily used to manage SSL/TLS certificates for securing communication over HTTPS, not for encrypting EBS volumes. EBS volume encryption is handled using AWS Key Management Service (KMS), not ACM. Therefore, this option is incorrect because it incorrectly refers to ACM for encryption of EBS volumes.
3. Option C: Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
- Why Selected: To meet the encryption-at-rest requirement for the Amazon Aurora MySQL DB cluster...
Author: MoonlitPantherX · Last updated May 23, 2026
A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:
'Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)'
A s...
In this scenario, the security engineer needs to address an issue caused by a certificate rotation on the identity provider used for SAML federation. Users are encountering the "Response Signature Invalid" error because the IAM identity provider's configuration is not aligned with the new certificate.
Let's go through the options systematically:
A) Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.
- Why Rejected: This option involves creating a new IAM identity provider, which is unnecessary for addressing the issue. It's likely that the original IAM identity provider configuration is still valid, and merely updating the certificate or metadata should resolve the issue. Creating a new IAM entity unnecessarily introduces complexity and doesn't align with best practices for certificate rotations.
B) During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
- Why Selected: This option is ideal because it takes a proactive approach. By adding a secondary certificate, you can avoid disruption during the current certificate's rotation, allowing for a smooth transition. Additionally, uploading the updated metadata and performing certificate rotations as needed ensures that the process remains aligned with best practices. It also prevents similar errors from recurring in the future by maintaining updated metadata.
C) Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the S...
Author: Sophia · Last updated May 23, 2026
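A pre-upload check for the metadata step in option B, added here as an example and not part of the author's answer: it reads the signing certificates an IdP metadata file lists and classifies the file relative to a planned rotation. The metadata, entity ID and certificate strings are constructed placeholders, not real material.

```python
# Added example (not the author's code): before uploading refreshed SAML metadata
# to the IAM identity provider, confirm which signing certificates it carries.
# The metadata, entity ID and certificate values are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for the base64 DER blobs found in <ds:X509Certificate>.
OLD_CERT = "MIIC-OLD-PLACEHOLDER"
NEW_CERT = "MIIC-NEW-PLACEHOLDER"


def build_metadata(signing_certs, encryption_cert=None):
    """Constructed IdP metadata: one KeyDescriptor use="signing" per cert, plus an
    optional use="encryption" descriptor that the checker must ignore."""
    def key_descriptor(use, cert):
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
                f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(key_descriptor("signing", c) for c in signing_certs)
    if encryption_cert:
        body += key_descriptor("encryption", encryption_cert)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.test/saml">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{body}'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')


def signing_certificates(metadata_xml):
    """Return the signing certificates (whitespace-normalised) listed for the IdP."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))   # drop PEM line wrapping
    return certs


def rotation_state(metadata_xml, current_cert, next_cert):
    """Classify the metadata relative to a planned rotation:
    'dual'     both certificates present (safe to upload before the IdP cuts over)
    'stale'    only the current one (will break once the IdP signs with the next cert,
               which is the 'Response Signature Invalid' situation in the question)
    'rotated'  only the next one (correct once the cut-over is complete)
    'missing'  neither (wrong file or wrong IdP)"""
    certs = set(signing_certificates(metadata_xml))
    has_current, has_next = current_cert in certs, next_cert in certs
    if has_current and has_next:
        return "dual"
    if has_current:
        return "stale"
    if has_next:
        return "rotated"
    return "missing"


if __name__ == "__main__":
    print(rotation_state(build_metadata([OLD_CERT]), OLD_CERT, NEW_CERT))            # stale
    print(rotation_state(build_metadata([OLD_CERT, NEW_CERT]), OLD_CERT, NEW_CERT))  # dual
```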
A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A secu...
To address the requirement where only certain EC2 instances in the application VPC need access to the database in the peered VPC over TCP port 1521, the security engineer should use a solution that restricts access based on security group rules, as they provide a more dynamic and manageable approach than network ACLs.
Option Analysis:
A) Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
- Why Rejected: While security groups can control inbound traffic to database instances, adding a network ACL rule is unnecessary and adds complexity. Network ACLs are stateless, and using them in combination with security groups introduces redundant layers of security. Security groups are generally more flexible for controlling traffic within a VPC, and using them to allow access to specific instances is the preferred method.
B) Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
- Why Rejected: This approach involves using IP address ranges in the security group rules, which may not be as precise or dynamic as using specific security groups. It's also harder to manage when EC2 instances are dynamically created or terminated. Additionally, if multiple EC2 instances from the application VPC need to access the database, it's more efficient to use security groups ra...
Author: Ella · Last updated May 23, 2026
A company needs a forensic-logging solution for hundreds of applications running in Docker on Amazon EC2. The solution must perform real-time analytics on the logs, must support the replay of messages, and must per...
To meet the requirements of forensic logging, real-time analytics, log persistence, and replay of messages, the solution needs services that support log collection, analysis, storage, and easy retrieval. Let's evaluate the available options:
Option Analysis:
A) Amazon Athena
- Why Rejected: Amazon Athena is a serverless query service that allows you to analyze data directly from Amazon S3 using standard SQL. While it is great for querying logs that are already stored in S3, it does not support real-time log ingestion or replay of messages directly. Athena is more suited for batch analytics over logs stored in S3 rather than for real-time log streaming or persistent log ingestion. It's not the best choice for real-time logging and replay scenarios.
B) Amazon Kinesis
- Why Selected: Amazon Kinesis is a real-time streaming data platform, ideal for handling log data in real-time. It allows for the ingestion of log data (using Kinesis Data Streams) and provides the capability to process this data in real-time with Kinesis Data Analytics. Additionally, Kinesis supports data replay, making it a great fit for both real-time processing and log persistence requirements. It can easily integrate with other AWS services for log storage and analytics.
C) Amazon SQS
- Why Rejected: Amazon SQS is a simple queue service designed for decoupling applications and microservices. While it supports message persistence and retrieval, it is not optimized for real...
Author: Max · Last updated May 23, 2026
A company has many member accounts in an organization in AWS Organizations. The company is concerned about the potential for misuse of the AWS account root user credentials for member accounts in the organization. To address this potential misuse, the company wants to ensure that even if th...
To protect the AWS account root user credentials in member accounts within an AWS Organization, the company must implement a solution that mitigates the risk of root user misuse while ensuring the root user account can still be managed securely. Let's evaluate the available options:
Option Analysis:
A) Block service access by using SCPs for the root user
- Why Rejected: Service Control Policies (SCPs) can be used to restrict permissions for accounts in an organization, but SCPs do not directly restrict the root user's ability to perform actions. SCPs apply to IAM users and roles, but they do not prevent the root user from accessing services unless the organization applies additional constraints, which is not a direct protection mechanism for the root user credentials. Therefore, SCPs are not an ideal solution for this scenario.
B) Remove the password for the root user
- Why Selected: Removing the password for the root user is an effective measure to mitigate the risk of unauthorized access. If the root user does not have a password, an attacker cannot access the account using the web console, even if they obtain the root user's credentials. This action significantly reduces the attack surface for the root user, ensuring that its access is limited to programmatic access only (such as through access keys). This step can be paired with the use of MFA to further secure root account ac...
Author: Rahul · Last updated May 23, 2026
An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides access to the internet for private subnets through a NAT gateway.
A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs...
In this scenario, the EC2 instances launched by the Auto Scaling group are unable to publish logs to CloudWatch Logs despite proper configuration of the CloudWatch Logs agent. The security engineer has already validated that network communication is functioning and the agent is running, indicating that the issue might lie in network access or IAM permissions. Let's analyze the options:
Option Analysis:
A) Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.
- Why Rejected: The IAM policy attached to the instance’s IAM role already provides access to publish custom metrics to CloudWatch, so it’s likely that the permissions required to publish logs (such as `logs:PutLogEvents`, `logs:CreateLogStream`, etc.) are not included in the policy. However, the IAM policy already has CloudWatch-related permissions. This option might not be the most direct solution because it doesn't directly address network access, which seems to be the root cause, given that the issue persists even after network and agent configuration are validated.
B) Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
- Why Rejected: The EC2 Auto Scaling service-linked role manages Auto Scaling group operations, but it is not responsible for managing EC2 instance access to CloudWatch Logs. The issue here is that the EC2 instances themselves lack the correct permissions to publish logs, and this would not be reso...
Author: Lucas · Last updated May 23, 2026
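A small policy evaluator, added here as an example and not part of either author's answer, serving two of the questions above: it shows that the GuardDuty/Security Hub deny SCP from the earlier question blocks those actions without granting anything on its own, and it checks whether an instance role policy like the one in this question carries the logs actions the CloudWatch agent needs. All policies are constructed, and real IAM evaluation also weighs resource policies, conditions and permissions boundaries, which this model leaves out.

```python
# Added example (not the authors' code): a minimal SCP + identity-policy evaluator.
# Policies are constructed; only Effect and Action are modelled (no Resource,
# Condition, resource policies or permissions boundaries).
import fnmatch

FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Action names as given in the author's SCP in the GuardDuty/Security Hub question.
PROTECT_SECURITY_SERVICES_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["guardduty:DisableGuardDuty", "securityhub:DisableSecurityHub",
               "securityhub:BatchDisableStandards", "securityhub:UpdateSecurityHubConfiguration"],
    "Resource": "*"}]}

ADMIN_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Instance role as described in the question: custom metrics only.
METRICS_ONLY_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"}]}

# Instance role with the log actions the CloudWatch agent needs added.
AGENT_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["cloudwatch:PutMetricData", "logs:CreateLogGroup",
               "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
    "Resource": "*"}]}

AGENT_LOG_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _matches(patterns, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)


def _decision(policy, action):
    """'deny' if any Deny statement matches, 'allow' if an Allow matches, else None."""
    verdict = None
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action):
            if stmt["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


def is_allowed(action, scps, identity_policy):
    """SCPs set the ceiling: the action must be allowed by some SCP and denied by
    none (all SCPs are treated as one level here). It must then also be allowed
    by the identity policy; an SCP never grants access on its own."""
    scp_verdicts = [_decision(scp, action) for scp in scps]
    if "deny" in scp_verdicts or "allow" not in scp_verdicts:
        return False
    return _decision(identity_policy, action) == "allow"


def missing_agent_permissions(identity_policy, scps=(FULL_AWS_ACCESS_SCP,)):
    """Which of the CloudWatch agent's log actions the role cannot perform."""
    return [a for a in AGENT_LOG_ACTIONS if not is_allowed(a, list(scps), identity_policy)]


if __name__ == "__main__":
    guardrails = [FULL_AWS_ACCESS_SCP, PROTECT_SECURITY_SERVICES_SCP]
    print(is_allowed("guardduty:DisableGuardDuty", guardrails, ADMIN_ROLE_POLICY))  # False
    print(is_allowed("guardduty:ListDetectors", guardrails, ADMIN_ROLE_POLICY))     # True
    print(missing_agent_permissions(METRICS_ONLY_ROLE_POLICY))  # the three logs actions
    print(missing_agent_permissions(AGENT_ROLE_POLICY))         # []
```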
A company uses Amazon Elastic Container Service (Amazon ECS) containers that have the Fargate launch type. The containers run web and mobile applications that are written in Java and Node.js. To meet network segmentation requirements, each of the company's business units deploys applications in its own dedicated AWS account. Each business unit stores container images in an Amazon Elastic Container Registry (Amazon ECR) private registry in its own account.
A security engineer must recommend a solution to scan ECS containers and ECR registries for vulnerabilities i...
To determine the best solution, we need to evaluate each option based on the specific requirements mentioned:
Key Requirements:
1. Scan ECS Containers and ECR Registries for Vulnerabilities: The solution should scan both ECS containers and ECR registries for vulnerabilities in operating systems and programming language libraries.
2. Network Segmentation: The business units deploy applications in their own dedicated AWS accounts, so the solution must be able to scan across multiple accounts.
3. Audit Team Access: The audit team should be able to identify vulnerabilities in all accounts and have access to the vulnerability findings from all accounts.
Option A: Amazon Inspector + AWS Security Hub
- Amazon Inspector is a vulnerability assessment service that can scan for security vulnerabilities in Amazon EC2 instances, Lambda functions, and container images stored in Amazon ECR.
- AWS Security Hub is a service that aggregates and centralizes security findings across multiple AWS accounts. The vulnerability findings from Inspector can be forwarded to Security Hub.
- Why it fits: Amazon Inspector provides comprehensive vulnerability scanning for ECS containers and ECR images. By forwarding findings to AWS Security Hub, the audit team can review the vulnerabilities in a central location across all accounts.
- Why it's not rejected: This option aligns well with the requirements of scanning vulnerabilities, forwarding findings to a central account, and providing audit team access to Security Hub.
Option B: AWS Config + Conformance Packs
- AWS Config monitors and records configuration changes across AWS...
Author: RadiantJaguar56 · Last updated May 23, 2026
A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company's security team recently received a report about common vulnerability identifiers on the instances.
A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk ...
Let's evaluate the options based on the requirements of the security engineer:
Key Requirements:
1. Identify which EC2 instances are at risk: The security engineer needs to determine which EC2 instances have missing patches.
2. Automate patching for remediation: The solution must allow for the automation of patching on EC2 instances that are not fully patched.
Option A: AWS Systems Manager Patch Manager
- AWS Systems Manager Patch Manager is designed specifically to automate the process of patching EC2 instances by applying missing patches for the operating system. It also allows you to view which instances are missing patches.
- Why it fits: Patch Manager allows for both vulnerability identification (via patch status) and automated patching of EC2 instances, making it ideal for the task at hand.
- Why it's not rejected: This solution directly addresses both the need to identify instances with missing patches and the need to automate the patching process. It’s a specialized tool for patching EC2 instances and works seamlessly in the AWS environment.
Option B: AWS Shield Advanced + AWS Systems Manager Patch Manager
- AWS Shield Advanced is a managed DDoS protection service and does not provide patching or vulnerability scanning capabilities for EC2 instances.
- Why it's rejected: While AWS Shield Advanced is great for protecting against DDoS attacks, it has no relation to vulnerability identification or patching, making it unnecessary and irrelevant for this use case.
Option C: Amazon ...
Author: Zara · Last updated May 23, 2026
A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.
To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 ...
Let's break down the options based on the requirements and the reasoning behind each:
Key Requirements:
1. Inspect traffic for network-level attacks: This requires the ability to inspect the entire packet to identify attacks.
2. Traffic monitoring: The engineer needs to monitor traffic going to and from the application instances.
3. Use of a c5n.4xlarge EC2 instance: The security engineer will install intrusion detection software on this instance for monitoring traffic.
Option A: Place the network interface in promiscuous mode to capture the traffic
- Promiscuous mode allows a network interface to capture all traffic on the network, not just traffic meant for that specific instance. This is useful for packet capture.
- Why it fits: Promiscuous mode allows the EC2 instance to capture all traffic, which is useful for packet inspection.
- Why it's not rejected: While promiscuous mode can capture traffic, it is not sufficient by itself for setting up a comprehensive solution that sends traffic from other instances to the monitoring EC2 instance. It is typically used in combination with tools like traffic mirroring or packet capture agents.
Option B: Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer
- VPC Flow Logs capture metadata about IP traffic (e.g., source and destination IP addresses, ports, protocols), but they do not capture the full packet data. Flow logs are useful for traffic monitoring, but they are not sufficient for inspecting the whole packet.
- Why it's rejected: VPC Flow Logs provide metadata, not the full packet content. Since the requirement is to inspect the whole packet, VPC Flow Logs would not be appropriate here.
Option C: Configure VPC traffic mirrorin...
Author: Manish · Last updated May 23, 2026
A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, e...
Let's evaluate the options based on the requirement that all TLS traffic to the Application Load Balancer (ALB) must stay secure, even if the certificate private key is compromised. This requirement focuses on ensuring that traffic remains secure and that forward secrecy is maintained.
Key Requirements:
- TLS traffic must stay secure: Even if the certificate's private key is compromised, the communication must remain secure.
- Perfect Forward Secrecy (PFS): PFS ensures that if the private key of the server's TLS certificate is compromised, past communications are still secure, because session keys are not derived from the private key.
Option A: Create an HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM)
- ACM can be used to manage SSL/TLS certificates for ALBs, and it simplifies certificate management and renewal. However, just using an ACM-managed certificate by itself does not guarantee forward secrecy.
- Why it's rejected: While ACM helps with the management and renewal of certificates, it does not by itself ensure that the listener negotiates secure cipher suites with perfect forward secrecy. This is not sufficient to meet the requirement for security in case of private key compromise.
Option B: Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect forward secrecy (PFS)
- Perfect Forward Secrecy (PFS) is the key here. By configuring the ALB to use a security policy with cipher suites that support PFS, the TLS traffic will remain secure even if the private key is compromised.
- Why it fits: This option ensures that the cipher suites used for TLS connections support perfect forward secrecy, which means the session keys used to encrypt traffic are not derived from the private key, making the traffic se...
Author: Lucas · Last updated May 23, 2026
A company recently adopted new compliance standards that require all user actions in AWS to be logged. The user actions must be logged for all accounts that belong to an organization in AWS Organizations. The company needs to set alarms that respond when specified actions occur. The alarms must forward alerts to ...
Let's evaluate each option based on the requirements:
Key Requirements:
1. Logging user actions for all accounts in an AWS Organization: The solution must log user actions across all accounts within the organization.
2. Real-time alarms: The company needs to be notified in near real-time when specified actions occur.
3. Alert forwarding: Alerts must be forwarded to an email distribution list.
4. AWS compliance standards: The solution should comply with the need to log and react to user actions efficiently.
Option A: Implement an AWS CloudTrail trail as an organizational trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
- Why it fits:
- CloudTrail can log actions from all accounts in the organization when set as an organizational trail.
- CloudWatch Logs forwarding allows logs to be sent in near real-time, and setting metric filters enables the detection of specific user actions.
- CloudWatch alarms can be triggered based on the metric filter, and SNS can be used to send notifications to the email distribution list.
- This solution is highly efficient for near-real-time logging, alerting, and forwarding.
- Why it's not rejected:
- This solution uses AWS native services effectively, ensuring compliance and providing near real-time alerts via SNS.
- It meets all the requirements: organizational coverage, near real-time alerts, and email forwarding via SNS.
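The detection chain in Option A (metric filter over the CloudTrail log group, alarm on the resulting metric, notification via SNS) can be rehearsed offline. The following is an added example, not code from the original page or from AWS: it applies a predicate equivalent to a CloudWatch Logs filter pattern to constructed CloudTrail records from two member accounts, aggregates matches per five-minute period as the metric filter would, and reports the datapoints that would breach the alarm. The watched event names, account IDs, ARNs and timestamps are all constructed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records, as they would arrive in the CloudWatch
# Logs group fed by an organization trail (illustrative data, not captured events).
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-01T10:00:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/sample-admin"}},
    {"eventTime": "2026-05-01T10:01:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/sample-admin"}},
    {"eventTime": "2026-05-01T10:02:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/SampleOpsRole/sample-session"}},
    {"eventTime": "2026-05-01T10:03:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/SampleOpsRole/sample-session"}},
    {"eventTime": "2026-05-01T10:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/SampleOpsRole/sample-session"}},
]

# The CloudWatch Logs filter pattern this predicate stands in for. The "specified
# user actions" chosen here are changes that would blind the trail itself:
#   { ($.eventSource = "cloudtrail.amazonaws.com") &&
#     (($.eventName = "StopLogging") || ($.eventName = "DeleteTrail") || ($.eventName = "UpdateTrail")) }
WATCHED_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def matches_filter(record):
    """True when the record is one the metric filter would count."""
    return (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in WATCHED_EVENTS)


def window_start(event_time, period_seconds):
    """Align an ISO-8601 CloudTrail timestamp to the start of its evaluation period (epoch seconds)."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00")).timestamp()
    return int(ts // period_seconds) * period_seconds


def metric_datapoints(records, period_seconds=300):
    """Per-period, per-account counts: what the metric filter would publish to CloudWatch."""
    counts = defaultdict(int)
    for rec in records:
        if matches_filter(rec):
            counts[(window_start(rec["eventTime"], period_seconds), rec["recipientAccountId"])] += 1
    return dict(counts)


def evaluate_alarm(records, period_seconds=300, threshold=1):
    """Datapoints that breach the alarm (Sum >= threshold within one period), oldest first."""
    points = metric_datapoints(records, period_seconds)
    return sorted((w, acct, n) for (w, acct), n in points.items() if n >= threshold)


def sns_message(breach, records, period_seconds=300):
    """Build the notification body the alarm would publish to the SNS topic for one breach."""
    w, acct, n = breach
    actors = sorted({r["userIdentity"]["arn"] for r in records
                     if matches_filter(r) and r["recipientAccountId"] == acct
                     and window_start(r["eventTime"], period_seconds) == w})
    return json.dumps({"account": acct, "period_start_epoch": w,
                       "matches": n, "actors": actors}, indent=2)


if __name__ == "__main__":
    # With threshold=2 only the burst in account 222222222222 (10:02 and 10:03) fires.
    for breach in evaluate_alarm(SAMPLE_RECORDS, threshold=2):
        print(sns_message(breach, SAMPLE_RECORDS))
```

Keying the datapoints on `recipientAccountId` matters for an organization trail: every member account's events land in the same log group, and an alarm that counts across accounts would let a burst in one account mask or be masked by quiet in another.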
Option B: Implement an AWS CloudTrail trail. Configure the trail with Amazon CloudWatch Logs forwarding. In CloudWatch Logs, set a metric filter for any user action events that the company specifies. Create an Amazon CloudWatch alarm to provide alerts for occurrences within a reported period and to send messages to an Amazon Simple Queue Service (Amazon SQS) queue.
- Why it's rejected:
- While this option uses CloudTrail, CloudWatch Logs, and metric filters to monitor user actions, using SQS to send alerts is not the best solution for this case. SQS is a message queue that is used for queu...
Author: Samuel · Last updated May 23, 2026
A company wants to create a log analytics solution for logs generated from its on-premises devices. The logs are collected from the devices onto a server on premises. The company wants to use AWS services to perform near real-time log analysis. The company also wants to store these logs for 365 days for pattern...
Solution Breakdown:
Key Factors:
- Near real-time log analysis: The system should be capable of processing and analyzing the logs quickly after they are received.
- Long-term storage: The logs need to be stored for 365 days to facilitate pattern matching and substring search.
- Minimal development overhead: The solution should require minimal setup and management while providing scalable capabilities for log processing and storage.
Let's analyze each option:
---
Option A: Install Amazon Kinesis Agent on the on-premises server to send the logs to Amazon DynamoDB. Configure an AWS Lambda trigger on DynamoDB streams to perform near real-time log analysis. Export the DynamoDB data to Amazon S3 periodically. Run Amazon Athena queries for pattern matching and substring search. Set up S3 Lifecycle policies to delete the log data after 365 days.
- Pros:
- DynamoDB is highly scalable and managed, which reduces development effort for handling data storage.
- AWS Lambda allows for near real-time processing of logs.
- Athena can be used for querying logs stored in S3, which is well-suited for pattern matching and substring searches.
- S3 lifecycle policies are effective for automatically deleting logs after the retention period.
- Cons:
- DynamoDB is typically not ideal for high-volume log storage due to potential cost issues with frequent writes.
- Exporting data to S3 periodically adds complexity to the solution and introduces potential delays.
- The use of Lambda for processing DynamoDB streams can be tricky to manage at scale and may not be efficient enough for large amounts of log data.
- Conclusion: While feasible, this solution is a bit cumbersome and introduces complexity due to the manual export process to S3 and the use of DynamoDB, which isn't ideal for logs.
---
Option B: Install Amazon Managed Streaming for Apache Kafka (Amazon MSK) on the on-premises server. Create an MSK cluster to collect the streaming data and analyze the data in real time. Set the data retention period to 365 days to store the logs persistently for pattern matching and substring search.
- Pros:
- Kafka (via MSK) is excellent for high-throughput, real-time log streaming and processing.
- It’s capable of retaining log data for a configurable time period (365 days).
- Cons:
- Setting up MSK involves a substantial amount of management overhead compared to other AWS services.
- Kafka clusters can require careful scaling and tuning to handle high data volumes, leading to higher operational complexity.
- It doesn't directly provide a solution for performing log analysis (like pattern matching) unless you add another service like Elasticsearch or Athena.
- Operational overhead for managing MSK clusters and ensuring scaling is handled properly adds more complexity.
- Conclusion: MSK is a powerful tool for high-throughput streaming, but it requires a lot of manual setup and management. It doesn’t offer a seamless solution for log analysis or querying without additional to...
Author: Oscar · Last updated May 23, 2026
A company has a large fleet of Linux Amazon EC2 instances and Windows EC2 instances that run in private subnets. The company wants all remote administration to be performed as securel...
In the given scenario, the goal is to ensure that all remote administration of Linux and Windows EC2 instances in private subnets is performed as securely as possible in the AWS Cloud. We will analyze each option based on key factors such as security, compliance, ease of use, and suitability for instances in private subnets.
Option A: Do not use SSH-RSA private keys during the launch of new instances. Implement AWS Systems Manager Session Manager.
- Pros:
- AWS Systems Manager Session Manager allows secure shell access to instances without the need for an SSH key, making it a more secure and centralized management option.
- No need for SSH key management: Since SSH keys are not used, there is no need to manage or rotate keys, reducing the administrative overhead.
- Works in private subnets: AWS Systems Manager does not require direct internet access to instances, so it is ideal for instances in private subnets.
- Logging: Session Manager provides audit logs, which improve the traceability of admin activities.
- Role-based access control: It integrates well with AWS IAM policies for defining who can access instances and for what purposes.
- Cons:
- Requires configuring and maintaining the AWS Systems Manager agent on all EC2 instances.
Option B: Generate new SSH-RSA private keys for existing instances. Implement AWS Systems Manager Session Manager.
- Pros:
- AWS Systems Manager Session Manager is still the key feature for securely managing instances.
- SSH keys would be used for access, but this would add complexity by requiring SSH keys for instances already launched.
- Cons:
- Key management complexity: Even though Session Manager is used, SSH key management still introduces the possibility of human error or misuse.
- Not ideal: The presence of SSH keys might conflict with the goal of reducing key management overhead and focusing entirely on centraliz...
Author: Stella · Last updated May 23, 2026
A company has decided to move its fleet of Linux-based web server instances to an Amazon EC2 Auto Scaling group. Currently, the instances are static and are launched manually. When an administrator needs to view log files, the administrator uses SSH to establish a connection to the instances and retrieves the logs manually.
The company often needs to query the logs to produce results about application sessions and user issues. The company does not want its new automatically scali...
To address the requirements of securely storing log files, avoiding data loss when instances are scaled in, and ensuring efficient log query capabilities, let's analyze each option based on security, cost, ease of implementation, and scalability.
Option A: Configure a cron job on the instances to forward the log files to Amazon S3 periodically.
- Pros:
- Durability: Storing logs in Amazon S3 ensures they are safe from instance termination or scaling in, as S3 is a persistent and highly durable storage solution.
- Cost-effective: S3 storage is inexpensive, especially for log files, which often do not need frequent access.
- Simple to set up: A cron job can be set up quickly to periodically upload log files to S3, making this a straightforward solution.
- Cons:
- Manual management: You must manage the cron job on each instance, which could become cumbersome as the number of instances grows.
- Periodic uploads: If instances are terminated before the cron job runs, some logs might be lost unless you implement a more complex logging mechanism.
Option B: Configure AWS Glue and Amazon Athena to query the log files.
- Pros:
- Powerful querying: AWS Glue and Athena are excellent tools for querying large sets of log data stored in Amazon S3, making this a powerful solution for analyzing log data.
- Cons:
- Does not address log storage: This option assumes you already have the logs stored somewhere like Amazon S3, so it doesn't solve the log storage issue.
- More complex and costly: AWS Glue and Athena can be more expensive and complex to set up, making it less cost-effective for simple log storage.
Option C: Configure the Amazon CloudWatch agent on the instances to forward the logs to Amazon CloudWatch Logs.
- Pros:
- Centralized management: CloudWatch Logs is a managed service that allows centralized log collection and storage, and ensures that logs are not lost even when instances are terminated or scaled in.
- Integration with other AWS services: CloudWatch integrates well with other AWS services, including CloudWatch Logs Insights for querying and monitoring.
- Automatic handling: Once configured, CloudWatch Logs automatically handles the forwarding of logs, with minim...
Author: Liam · Last updated May 23, 2026
A company uses an external identity provider to allow federation into different AWS accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a ...
In this scenario, the goal is to quickly identify the federated user responsible for terminating a production EC2 instance a week ago. Let's break down each option and determine the fastest and most efficient way to accomplish this.
Option A: Review the AWS CloudTrail event history logs in an Amazon S3 bucket and look for the TerminateInstances event to identify the federated user from the role session name.
- Pros:
- Simple: This approach involves directly reviewing the CloudTrail event logs and locating the termination event.
- Direct: If the federated user’s role session name is included in the event, this can provide immediate identification.
- Cons:
- Requires manual filtering: You would need to manually sift through the logs, which may be time-consuming if the log data is large.
- Role session name ambiguity: The session name may not always clearly indicate the user’s identity, especially in complex federated setups with multiple roles.
Option B: Filter the AWS CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
- Pros:
- Specific to federated users: By reviewing the `AssumeRoleWithSAML` event, you can directly identify the federated user who assumed the role.
- Accurate identification: This provides a clear link between the termination event and the federated user.
- Cons:
- Multiple steps: This approach requires finding both the `TerminateInstances` event and the corresponding `AssumeRoleWithSAML` event, which might take extra time to search and correlate.
- Complexity: If there are many federated users or SAML assertions, this could become more complicated and take longer than necessary.
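The two-step correlation in Option B (find the `TerminateInstances` event, then the `AssumeRoleWithSAML` event that minted that session) can be automated once the records are in hand. The following is an added example, not code from the original page or from AWS: it runs over constructed CloudTrail records whose field layout follows the `userIdentity` and `responseElements` shape of real events, but whose ARNs, access key IDs, user names, IdP issuer and instance ID are all sample values. It deliberately gives both federated users the same generic role session name, so the session name alone (Option A's approach) cannot tell them apart, and it matches the termination to the SAML login by the temporary `accessKeyId`, falling back to the assumed-role ARN plus event time when the key is not found.

```python
from datetime import datetime

# Constructed CloudTrail records (illustrative, not captured events).
ROLE_ARN = "arn:aws:iam::111111111111:role/SampleOpsRole"
SESSION_ARN = "arn:aws:sts::111111111111:assumed-role/SampleOpsRole/ops-session"


def _saml_login(event_time, user, access_key_id):
    """Helper to build a constructed AssumeRoleWithSAML record."""
    return {"eventTime": event_time, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRoleWithSAML",
            "userIdentity": {"type": "SAMLUser", "principalId": f"sample-idp:{user}", "userName": user},
            "responseElements": {"subject": user, "issuer": "https://idp.example.com/sample",
                                 "assumedRoleUser": {"arn": SESSION_ARN,
                                                     "assumedRoleId": "AROASAMPLE0000000001:ops-session"},
                                 "credentials": {"accessKeyId": access_key_id}}}


SAMPLE_RECORDS = [
    _saml_login("2026-05-01T09:58:00Z", "jane.doe@example.com", "ASIASAMPLE00000JANE"),
    _saml_login("2026-05-01T10:20:00Z", "bob.roe@example.com", "ASIASAMPLE000000BOB"),
    {"eventTime": "2026-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIASAMPLE00000JANE", "arn": SESSION_ARN}},
    {"eventTime": "2026-05-01T10:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIASAMPLE000000BOB", "arn": SESSION_ARN,
                      "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0sampleprod000001"}]}}},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_termination(records, instance_id):
    """Step 1: the TerminateInstances event that named the instance."""
    for rec in records:
        if rec.get("eventName") != "TerminateInstances":
            continue
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        if any(item.get("instanceId") == instance_id for item in items):
            return rec
    return None


def find_saml_login(records, termination):
    """Step 2: the AssumeRoleWithSAML event that issued the session used for the termination."""
    ident = termination["userIdentity"]
    logins = [r for r in records if r.get("eventName") == "AssumeRoleWithSAML"]
    key = ident.get("accessKeyId")
    for rec in logins:
        if key and rec["responseElements"].get("credentials", {}).get("accessKeyId") == key:
            return rec, "accessKeyId"
    # Fallback: latest login for the same assumed-role ARN that precedes the termination.
    cutoff = _ts(termination["eventTime"])
    candidates = [r for r in logins
                  if r["responseElements"]["assumedRoleUser"]["arn"] == ident.get("arn")
                  and _ts(r["eventTime"]) <= cutoff]
    if candidates:
        return max(candidates, key=lambda r: _ts(r["eventTime"])), "assumedRoleUser.arn+time"
    return None, None


def identify_terminator(records, instance_id):
    """Return who terminated the instance: role, session, federated user and how the match was made."""
    term = find_termination(records, instance_id)
    if term is None:
        return None
    login, how = find_saml_login(records, term)
    result = {"instance_id": instance_id, "terminated_at": term["eventTime"],
              "role_arn": term["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("arn"),
              "session_arn": term["userIdentity"].get("arn"),
              "federated_user": None, "idp_issuer": None, "matched_by": how}
    if login is not None:
        result["federated_user"] = login["userIdentity"].get("userName") or login["responseElements"].get("subject")
        result["idp_issuer"] = login["responseElements"].get("issuer")
    return result


if __name__ == "__main__":
    print(identify_terminator(SAMPLE_RECORDS, "i-0sampleprod000001"))
```

Matching on the temporary access key ID is the precise link, because each `AssumeRoleWithSAML` call returns a distinct key even when the role and session name are identical; the ARN-plus-time fallback is what you are left with when the login event is outside the records you pulled, and it is only as good as the assumption that no other login for the same session ARN happened in between.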
Option C: Search the AWS CloudTrail logs for the TerminateInstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.
- Pros:
- Uses IAM Access Advisor: This provides a way to check when federated roles were last accessed, which can be helpful if you're looking for the activity timestamp.
- Cons:
- Not direct: The IAM Access Advisor tab is not...
Author: Manish · Last updated May 23, 2026
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rul...
To troubleshoot the issue of two Amazon EC2 instances in different subnets not being able to communicate with each other, let's review the most relevant troubleshooting steps based on network behavior, security rules, and AWS service functionalities.
Option A: Check inbound and outbound security groups, looking for DENY rules.
- Why it's not the best choice:
- Security groups are allow-only: Security groups do not have explicit "DENY" rules. If a security group does not permit traffic, the absence of a matching "ALLOW" rule causes the traffic to be implicitly denied; there is no explicit "DENY" rule to find.
- Limited scope: The security groups are already confirmed to have valid "ALLOW" rules, and because they are stateful they admit the return traffic automatically, so this step is unlikely to uncover the problem if the issue lies elsewhere in the network configuration.
Option B: Check inbound and outbound Network ACL rules, looking for DENY rules.
- Why this is a valid choice:
- Network ACLs are stateless and support explicit DENY rules: Unlike security groups, network ACLs evaluate each direction on its own (return traffic is not automatically allowed) and contain both "ALLOW" and "DENY" rules. A restrictive ACL rule can block traffic at the subnet level even when the security group rules are correct.
- Subnet-specific traffic control: Network ACLs control traffic at the subnet level, so issues with ACLs could prevent communication between instances in different subnets.
- Effective troubleshooting step: Checking the Network ACLs would be a logical next step because they are designed to control inbound and outbound traffic at the subnet level, which might be causing the issue if configured incorrectly.
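Because network ACLs are stateless, a cross-subnet connection has to pass four independent checks: the request leaving subnet A, the request entering subnet B, the reply leaving subnet B, and the reply entering subnet A on the client's ephemeral port. The following added example (not code from the original page or from AWS) evaluates constructed ACLs for two subnets in the order AWS applies rules (lowest rule number first, first match wins, implicit deny if nothing matches) and reports the hop at which the round trip dies. The subnet CIDRs, rule numbers and ports are sample values; the broken ACL for subnet A allows port 443 inbound but omits the ephemeral-port return rule, which is the classic cause of "security groups are fine but the instances still cannot talk".

```python
import ipaddress


def acl_rule(number, action, protocol, port_from, port_to, cidr):
    """One network ACL entry; protocol "-1" means all protocols (port range ignored)."""
    return {"rule": number, "action": action, "protocol": protocol,
            "port_from": port_from, "port_to": port_to, "cidr": cidr}


# Constructed subnets and ACLs (illustrative values).
SUBNET_A_CIDR, SUBNET_B_CIDR = "10.0.1.0/24", "10.0.2.0/24"

# Subnet A, broken: outbound wide open, inbound allows only 443 (no ephemeral-port return allow).
ACL_A_BROKEN = {
    "inbound":  [acl_rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    "outbound": [acl_rule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")],
}
# Subnet A, fixed: rule 110 admits replies from subnet B on the ephemeral range.
ACL_A_FIXED = {
    "inbound":  [acl_rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                 acl_rule(110, "allow", "tcp", 1024, 65535, SUBNET_B_CIDR)],
    "outbound": ACL_A_BROKEN["outbound"],
}
# Subnet B: accepts 443 from subnet A, outbound wide open.
ACL_B = {
    "inbound":  [acl_rule(100, "allow", "tcp", 443, 443, SUBNET_A_CIDR)],
    "outbound": [acl_rule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")],
}


def evaluate_acl(rules, protocol, port, remote_ip):
    """Apply one direction's rules the way a NACL does; returns (action, matching rule number)."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if rule["protocol"] not in ("-1", protocol):
            continue
        if rule["protocol"] != "-1" and not (rule["port_from"] <= port <= rule["port_to"]):
            continue
        if ip not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"], rule["rule"]
    return "deny", "*"          # the implicit catch-all deny


def trace_round_trip(acl_a, acl_b, src_ip, dst_ip, dst_port, ephemeral_port):
    """Check every hop of a TCP request/reply between a client in A and a server in B.

    Each hop is evaluated on its own because NACLs keep no connection state:
    the reply is just another packet, judged by the port it is sent to.
    """
    hops = [
        ("A outbound (request)", acl_a["outbound"], dst_ip, dst_port),
        ("B inbound (request)",  acl_b["inbound"],  src_ip, dst_port),
        ("B outbound (reply)",   acl_b["outbound"], src_ip, ephemeral_port),
        ("A inbound (reply)",    acl_a["inbound"],  dst_ip, ephemeral_port),
    ]
    trace = []
    for name, rules, remote_ip, port in hops:
        action, rule = evaluate_acl(rules, "tcp", port, remote_ip)
        trace.append((name, action, rule))
        if action == "deny":
            break
    return trace


def first_blocking_hop(trace):
    """(hop name, rule number) of the first deny, or None if the round trip succeeds."""
    return next(((name, rule) for name, action, rule in trace if action == "deny"), None)


if __name__ == "__main__":
    for label, acl_a in (("broken", ACL_A_BROKEN), ("fixed", ACL_A_FIXED)):
        trace = trace_round_trip(acl_a, ACL_B, "10.0.1.10", "10.0.2.20", 443, 49152)
        print(label, first_blocking_hop(trace), trace)
```

The trace pinpoints the failing direction and the rule (or the implicit `*` deny) responsible, which is exactly what you need before changing anything: with the broken ACL the request reaches the server and the server answers, but the reply is dropped entering subnet A because no inbound rule covers the ephemeral port.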
Option C: Review the rejected packet reason codes in the VPC Flow Logs.
- Why this is a valid choice:
- Flow logs provide detailed insights: VPC Flow Lo...