Copyright © 2026 Nxt Exam
AWS Certification

Amazon Practice Questions, Discussions & Exam Topics by our Authors

A company used AWS Organizations to set up an environment with multiple AWS accounts. The company's organization currently has two AWS accounts, and the company expects to add more than 50 AWS accounts during the next 12 months. The company will require all existing and future AWS accounts to use Amazon GuardDuty. Each existing AWS account has GuardDuty active. The company reviews GuardDuty findings by logging into each AWS account individually. The company wants a centralized view of the Gua...

To meet the company’s requirements for centralized GuardDuty findings across multiple AWS accounts and automatic activation of GuardDuty in all new accounts, let’s analyze each option based on key factors such as automation, scalability, and centralized visibility.

Option A: Enable AWS Security Hub in the organization's management account. Configure GuardDuty within the management account to send all GuardDuty findings to Security Hub.
- Explanation: This option leverages AWS Security Hub to collect and display findings from GuardDuty. However, Security Hub is not specifically designed for centralized GuardDuty management, and it will not automatically enable GuardDuty in new AWS accounts. Security Hub can aggregate findings, but it does not fulfill the requirement to ensure GuardDuty is automatically turned on in new accounts.
- Why rejected: While Security Hub can centralize security findings, it does not solve the problem of automatically enabling GuardDuty for new accounts or centralizing GuardDuty management. This option does not address all the requirements.

Option B: Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account for GuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization.
- Explanation: This option uses GuardDuty's delegated administrator feature. The newly created account will be designated as the delegated administrator for GuardDuty. It can manage GuardDuty settings across all member accounts, both existing and new. Additionally, the option to automatically add new AWS accounts to the organization ensures that GuardDuty will be automatically enabled for new accounts.
- Why selected: This is the best option as it meets all the requirements: centralized GuardDuty management via the delegated administrator, automatic inclusion of new accounts, and existing accounts are added ...

Author: Layla · Last updated May 23, 2026

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SS...

The company needs to remove SSH keys from its Amazon EC2 instances, but three specific IAM users need SSH access to these instances for critical duties. The solution must enable these users to access the EC2 instances without using SSH keys and without violating security best practices. Let's evaluate each option:

Option A: Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
- Explanation: This option suggests using AWS Systems Manager Inventory, which is typically used for discovering and tracking resources. It does not directly provide a mechanism to establish an SSH session. Systems Manager Inventory doesn’t allow users to connect to EC2 instances for interactive sessions. Instead, it is more for inventory management.
- Why rejected: This option does not meet the requirement of providing interactive SSH access to the instances. While it could be used to track instances, it doesn’t facilitate SSH access.

Option B: Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
- Explanation: AWS Systems Manager Run Command can be used to run commands remotely on EC2 instances. However, it doesn't open an SSH session or provide an interactive shell. While you can use Run Command to execute specific commands remotely, it doesn't provide the necessary SSH access for the IAM users to perform tasks interactively.
- Why rejected: This option does not provide interactive access to the EC2 instance, which is a key requirement. It's useful for automation but not for the type of access ...

Author: Zara1234 · Last updated May 23, 2026

A company is storing data in Amazon S3 Glacier. A security engineer implemented a new vault lock policy for 10 TB of data and called the initiate-vault-lock operation 12 hours ago. The audit team identified a typo in the policy that is ...

In this scenario, the company needs to correct a typo in a vault lock policy on Amazon S3 Glacier. The vault lock was initiated 12 hours ago, and the audit team has identified an issue with unintended access due to the typo. The goal is to correct the policy in the most cost-effective manner. Let's evaluate each option:

Option A: Call the abort-vault-lock operation. Update the policy. Call the initiate-vault-lock operation again.
- Explanation: Calling `abort-vault-lock` will cancel the existing vault lock and allow changes to the policy. Afterward, the policy can be updated, and the vault lock can be initiated again. The downside of this approach is that aborting the vault lock would potentially incur costs due to the abort process and would reset the state of the vault, which may be inefficient and costly.
- Why rejected: Although this method allows you to update the policy, aborting the lock and reinitiating it is unnecessary and could incur additional costs. This is not the most cost-effective solution when compared to other alternatives that do not require aborting the vault lock.

Option B: Copy the vault data to a new S3 bucket. Delete the vault. Create a new vault with the data.
- Explanation: This option involves copying the entire 10 TB of data to a new location, deleting the existing vault, and creating a new vault with the data. This method is very costly due to the data transfer, storage, and re-setup process. Copying large volumes of data is resource-intensive and incurs significant costs.
- Why rejected: This approach is highly inefficient and expensive for c...

Author: Sam · Last updated May 23, 2026

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks. The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web appl...

In this scenario, the company needs to protect its video content streamed via Amazon CloudFront using HTTP Live Streaming (HLS). The video is split into chunks, and the origin URL is not disclosed. The simplest and most effective way to protect the content and ensure only authorized users (paying subscribers) can access it needs to be considered. Let's evaluate each option:

Option A: Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
- Explanation: Signed URLs allow you to restrict access to specific CloudFront content by creating URLs that are valid for a limited time. This option is effective for restricting access to the video chunks, as each user would get a URL to access the content, and the URL expires after a defined period.
- Why selected: This option is simple and effective because it allows precise control over access to the video content. Each user can receive a unique, time-limited URL that expires after a certain period, ensuring that unauthorized users cannot access the content. It works well in HLS environments, where video is served in multiple chunks, as each chunk can be secured with its own signed URL.

Option B: Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
- Explanation: Signed cookies are a method of securing multiple pieces of content from CloudFront by setting cookies on the user’s browser. This is useful when you want to allow access to multiple files under the same domain without requiring a separate signed URL for each one.
- Why rejected: While signed cookies are effective for protecting multiple resources (e.g., a complete video playlist or group of files), they are more complex than signed URLs for a use case where each chunk of video content needs to be accessed separately. HLS content typically requires precise access control to individual chunks, which makes signed URLs more appropriate for this scenario. Signed cookies also...

Author: Elijah · Last updated May 23, 2026

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources. The company needs to replicate its workloads and infrastructure to the us-west-1 Region. A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and...

To meet the company's requirements, the security engineer must ensure that secrets are replicated from us-east-1 to us-west-1 while using AWS Secrets Manager and AWS Key Management Service (KMS) for encryption. The solution must minimize latency and ensure high availability in the event of a Region failure. Let’s break down each option:

Option A: Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a new AWS managed KMS key in us-west-1.
- Explanation: AWS managed KMS keys are Region-specific, meaning that a key created in one Region cannot be used to encrypt or decrypt secrets in another Region. In this case, if a new AWS managed KMS key is used in us-west-1, the secrets would not be accessible across Regions since the encryption keys from one Region can't be used in another.
- Why rejected: This option would create a scenario where secrets in one Region (us-east-1) cannot be decrypted in another Region (us-west-1), breaking the requirement of cross-Region availability. Each Region would need its own encryption key, leading to complications in managing access and replication.

Option B: Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.
- Explanation: This option suggests that resources in us-west-1 would make direct calls to the Secrets Manager endpoint in us-east-1. While this approach may technically work, it does not fully address the need for cross-Region replication and resilience in the event of a Region failure. Relying on a single Region (us-east-1) for all secrets access increases the risk of unavailability if the Region becomes inaccessible.
- Why rejected: This option introduces a single point of failure and does not provide the desired redundancy or resilience if one Region is unavailable. It also doesn't meet the requirement for replication between the two Regions.

Option C: Encrypt the secrets in us-east-1 by using a cu...

Author: StarryEagle42 · Last updated May 23, 2026

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80. The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private su...

To ensure the security of the application while maintaining its functionality, let's go through each of the options and explain the reasoning behind selecting the best one.

Option A:
- Changes to NACL3:
  - Add a rule allowing inbound traffic on port 5432 from NACL2 (private subnet associated with the application instances).
  - Add a rule allowing outbound traffic on ports 1024-65536 to NACL2.
  - Remove the default rules that allow all inbound and outbound traffic.
- Analysis: This option allows inbound traffic from NACL2 to port 5432 on the RDS instance, which is the correct direction for the application instances to connect to the RDS database. However, it adds a broad rule allowing outbound traffic from RDS to NACL2 on ports 1024-65536. This is quite permissive and would allow unnecessarily wide access. Additionally, removing all default rules could potentially lock down the network too severely without ensuring the correct traffic flows.
- Issue: The outbound rule for ports 1024-65536 is too broad and insecure. So, this option is not ideal.

Option B:
- Changes to NACL3:
  - Add a rule allowing inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
  - Add a rule allowing outbound traffic on ports 1024-65536 to the application instance subnets.
  - Remove the default rules that allow all inbound and outbound traffic.
- Analysis: This option correctly allows the RDS instance to receive traffic on port 5432 from the application instance subnets. However, similar to Option A, the outbound rule allowing ports 1024-65536 is too broad and unnecessary. Additionally, removing the default rules might lead to unintended access issues if the new rules are not well-defined.
- Issue: Again, the broad outbound rule (ports 1024-65536) is too permissive, making this option less secure.

Option C:
- Changes to NACL2:
  - Add a rule allowing outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.
  - Remove the default rules that allow all inbound and outbound traffic. ...

Author: Matthew · Last updated May 23, 2026

AWS CloudTrail is being used to monitor API calls in an organization. An audit revealed that CloudTrail is failing to deliver events to Amazon S3 as expected. What initial actio...

When CloudTrail is failing to deliver events to Amazon S3, it's essential to verify the configuration and permissions that allow CloudTrail to write to the S3 bucket. Below is a breakdown of each option to determine the best actions.

Option A: Verify that the S3 bucket policy allows CloudTrail to write objects.
- Analysis: This is one of the most critical steps. If the S3 bucket policy doesn't grant CloudTrail the necessary permissions (specifically, the `s3:PutObject` permission), CloudTrail will not be able to deliver logs to the S3 bucket. Ensuring the bucket policy allows CloudTrail to write objects to the bucket is essential for CloudTrail to function correctly.
- Why selected: This is directly related to the issue and needs to be checked to confirm that CloudTrail has permission to write logs to the S3 bucket.

Option B: Verify that the IAM role used by CloudTrail has access to write to Amazon CloudWatch Logs.
- Analysis: This option addresses CloudTrail's ability to send logs to CloudWatch, not to Amazon S3. While CloudWatch integration is important for monitoring, it’s not relevant if the issue specifically concerns CloudTrail delivering logs to S3. The problem at hand is CloudTrail’s ability to write directly to S3, not CloudWatch.
- Why rejected: This action is unrelated to the direct issue of failing delivery to S3.

Option C: Remove any lifecycle policies on the S3 bucket that are archiving objects to S3 Glacier Flexible Retrieval.
- Analysis: This option is about S3 object lifecycle management. If the objects are archived to S3 Glacier Flexible Retrieval, CloudTrail might face issues retrieving them or could fail to write logs if the objects are moved to Glacier before they ...

Author: Madison · Last updated May 23, 2026

A company has public certificates that are managed by AWS Certificate Manager (ACM). The certificates are either imported certificates or managed certificates from ACM with mixed validation methods. A security engineer needs to design a monitoring solution to provide alerts by email when...

To design a monitoring solution for alerting when a certificate is approaching its expiration date, we need to evaluate the operational efficiency, ease of use, and cost-effectiveness of each option.

Option A: Create an AWS Lambda function to list all certificates and describe each certificate using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge rate expression to schedule the Lambda function to run daily.
- Analysis: While this option would work, it involves custom coding and the creation of a Lambda function, which increases operational complexity. You would need to write the logic to query the ACM API, parse the expiration dates, and send notifications when certificates are near expiration. Scheduling the Lambda function with EventBridge adds an additional step, and you would have to handle edge cases like multiple certificates with different expiration dates and errors.
- Why rejected: This approach is more complex and requires regular maintenance, making it less operationally efficient compared to other built-in solutions from AWS.

Option B: Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
- Analysis: CloudWatch does offer a `DaysToExpiry` metric for ACM certificates. However, you would need to manually collect and add all the certificate ARNs to the CloudWatch alarm configuration. This approach is not scalable if you have many certificates, as you would need to continuously manage the ARNs. While CloudWatch is a powerful service, this requires manual intervention, which is not ideal for operational efficiency, especially when dealing with many certificates.
- Why rejected: Managing the ARNs manually could be error-prone and difficult to maintain, especially in environments with numerous certificates.

Option C: Set up AWS Security Hub. Turn on the AWS ...

Author: Elijah · Last updated May 23, 2026

A security team is responsible for reviewing AWS API call activity in the cloud environment for security violations. These events must be recorded and retained in a centralized location for both cu...

To meet the requirement of recording and retaining AWS API call activity for security review in a centralized location across both current and future AWS Regions, let's analyze each option.

Option A: Enable AWS Trusted Advisor security checks in the AWS Console, and report all security incidents for all regions.
- Analysis: AWS Trusted Advisor provides a set of best practice recommendations for security, cost optimization, fault tolerance, performance, and service limits. While Trusted Advisor can highlight some security concerns, it is not focused on recording API calls or providing detailed logs of AWS API call activity. It doesn't offer a centralized logging solution for AWS API calls. Instead, it focuses more on guidance and alerts, which doesn't meet the requirement of capturing all API activity.
- Why rejected: Trusted Advisor is not designed for recording and retaining API call logs, and it does not provide detailed or comprehensive security audit logs.

Option B: Enable AWS CloudTrail by creating individual trails for each region, and specify a single Amazon S3 bucket to receive log files for later analysis.
- Analysis: While CloudTrail does record API call activity, this option requires you to create individual trails for each Region. This introduces additional management overhead as you would need to configure and maintain separate trails for each Region, which could become cumbersome as new Regions are added. Moreover, managing individual trails for every Region can lead to complexity and inconsistency in monitoring and analysis.
- Why rejected: This option is less efficient than having a centralized approach across all Regions, leading to more management overhead.

Option C: Enable AWS CloudTrail by creating a new trail and applying the t...

Author: Isabella · Last updated May 23, 2026

A company is running an application on Amazon EC2 instances in an Auto Scaling group. The application stores logs locally. A security engineer noticed that logs were lost after a scale-in event. The security engineer needs to recommend a solution to ensure the durability and availability of ...

To address the issue of log data loss after a scale-in event and ensure the durability and availability of logs for at least one year, let’s analyze each option in detail.

Option A: Within the Auto Scaling lifecycle, add a hook to create and attach an Amazon Elastic Block Store (Amazon EBS) log volume each time an EC2 instance is created. When the instance is terminated, the EBS volume can be reattached to another instance for log review.
- Analysis: This option involves creating a dedicated EBS volume for each instance in the Auto Scaling group. While this could prevent log loss during instance termination, it introduces complexity. The main issue is that if an instance is terminated, the log data is only retained on the EBS volume. This setup requires manually reattaching EBS volumes, which can be error-prone and doesn’t inherently provide long-term storage or durability. Also, if the instance is terminated without detaching the volume, the logs will be lost. EBS volumes are not designed to be the most reliable long-term storage for logs in this case. A better approach would involve using services that are designed for log durability and availability.
- Why rejected: This solution introduces complexity and lacks the long-term durability required for logs, which is best achieved through managed services like CloudWatch or EFS.

Option B: Create an Amazon Elastic File System (Amazon EFS) file system and add a command in the user data section of the Auto Scaling launch template to mount the EFS file system during EC2 instance creation. Configure a process on the instance to copy the logs once a day from an instance Amazon Elastic Block Store (Amazon EBS) volume to a directory in the EFS file system.
- Analysis: EFS provides a scalable and persistent file system that can be mounted across multiple EC2 instances. Using EFS ensures that logs are stored in a durable and highly available manner. This setup would prevent log loss during scale-in events and allow easy access to logs from any instance. However, the added complexity here is the need for a manual process (copying logs daily from EBS to EFS), which might introduce potential failure points and isn’t fully automated. Additionally, while EFS is a reliable option, the extra step of copying logs daily might add overhead and is less efficient than a fully automated logging service.
- Why rejected: While EFS is a durable option, the added complexity of manually managing log copying could introduce potential points of failure and doesn’t fully address the need for automation and...

Author: VenomousSerpent42 · Last updated May 23, 2026

A company uses Amazon EC2 instances to host frontend services behind an Application Load Balancer. Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company uses Amazon S3 buckets to store large files for images and music. The company has implemented a security architecture on AWS to prevent, identify, and isolate potential ransomware attacks. The company now wants to further reduce risk. A security engineer must develop a disaste...

In this scenario, the company is seeking a disaster recovery solution that meets a Recovery Point Objective (RPO) of 1 hour. The solution must ensure that if ransomware bypasses preventive and detective controls, the company can restore its operations promptly, potentially mitigating the damage caused by such an attack. Let's break down each option based on the criteria of RPO, automation, and the overall effectiveness for a disaster recovery strategy.

A) Use AWS Backup to create backups of the EC2 instances and S3 buckets every hour. Create AWS CloudFormation templates that replicate existing architecture components. Use AWS CodeCommit to store the CloudFormation templates alongside application configuration code.
- RPO Consideration: This solution creates hourly backups, which aligns with the 1-hour RPO requirement.
- Automation: It automates backup creation, but it doesn't focus on rapid restoration or monitoring for security incidents like ransomware.
- Key Features: AWS Backup is great for creating periodic backups of EC2 instances and S3, but the recovery process (manual or with CloudFormation) could take longer than expected in a disaster scenario, especially for complex infrastructures. Storing CloudFormation templates in CodeCommit ensures that you can replicate infrastructure, but doesn't guarantee quick recovery of the compromised data itself.
- Why rejected: While it provides regular backups, it lacks a more focused and automated recovery mechanism for quick restoration during an attack like ransomware.

B) Use AWS Backup to create backups of the EBS volumes and S3 objects every day. Use Amazon Security Lake to create a centralized data lake for AWS CloudTrail logs and VPC flow logs. Use the logs for automated response.
- RPO Consideration: The daily backups are a significant gap for this scenario. The required RPO is 1 hour, and daily backups will lead to much higher data loss.
- Automation: Using AWS Backup daily with Security Lake for log data analysis is good for monitoring and gathering information, but it does not address the need for quick recovery of data (e.g., from ransomware).
- Why rejected: The daily backup schedule doesn't meet the 1-hour RPO. The focus on logs doesn't address the immediate recovery needs for data and infrastructure.

C) Use Amazon Security Lake to crea...

Author: Deepak · Last updated May 23, 2026

A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes. A security engineer needs to preserve all forens...

In this scenario, the goal is to preserve all forensic evidence from an EC2 instance for security or investigative purposes. The steps need to be arranged to ensure that the memory (RAM) and EBS volume data are preserved, and that the instance does not continue to change state after the evidence is collected. Let's evaluate the options one by one:

A) Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
- Order Issues: This option starts by taking an EBS snapshot before stopping the instance or detaching it from the Auto Scaling group. The problem is that the instance could continue to change state or receive traffic from the ALB while the snapshots are being taken, potentially altering the evidence.
- Memory Snapshot: Memory snapshots need to be taken while the instance is still running, so this option does not preserve the memory state at the optimal time since it takes the EBS snapshot first.
- Why rejected: The memory snapshot should be taken before stopping the instance, and stopping the instance too early could lead to losing relevant volatile memory data.

B) Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
- Correct Order: This option takes a memory snapshot first, preserving the volatile data before stopping the instance, which is the correct approach.
- Post-Stop Actions: Stopping the instance before taking the EBS snapshot could lead to a potential loss of some in-memory data, as stopping the instance may impact how EBS snapshots capture the final state.
- Why rejected: While it preserves memory first, the stopping of the instance before the EBS snapshot could lead to inconsistencies in the data, especially in case the EC2 instance writes any final data to disk upon shutdown.

C) Detach the instance from the Auto Scaling group....

Author: Benjamin · Last updated May 23, 2026

An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53. The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use s...

Let's go through each option and reason out why it's selected or rejected, based on the needs of the application team:

A) Request a certificate from ACM in the us-west-2 Region. Add the domain names that the certificate will secure.
- Rejection Reason: AWS Certificate Manager (ACM) certificates need to be in the correct region for the service they are intended to work with. For CloudFront, the certificate must be issued in the us-east-1 region (N. Virginia) because CloudFront requires certificates from this region to be used globally.
- Why rejected: ACM certificates requested in the us-west-2 region would not be compatible with CloudFront, which is required for this caching solution.

B) Send an email message to the domain administrators to request validation of the domains for ACM.
- Rejection Reason: Email validation is an option for validating ownership of domains when requesting an ACM certificate. However, this method is not the best fit in this scenario because it's typically more manual and requires coordination with the domain administrators. For automation and scalability, DNS validation is generally preferred.
- Why rejected: This step is valid, but not as ideal as DNS validation for automating the process and ensuring indefinite renewal without manual intervention.

C) Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.
- Selection Reason: DNS validation is a better choice in this scenario. Once DNS records are set, the validation process is automatic and can renew indefinitely without requiring manual steps. The application team can configure CNAME records in the DNS zones of their domains (even if not hosted on Route 53), which ensures that the domain ownership is validated efficiently.
- Why selected: DNS validation is reliable, automated, and perfect for scenarios where ACM certificates need to renew automatically and without human intervention.

D) Create an Application Load Balancer for the caching solution. Select the newly requested certificate from ACM to be used for secure connections.
- Rejection Reason: While the Ap...

Author: Zain · Last updated May 23, 2026

A company's security engineer wants to receive an email alert whenever Amazon GuardDuty, AWS Identity and Access Management Access Analyzer, or Amazon Macie generate a high-severity security finding. The company uses AWS Control Tower to govern all of its accounts. The company also uses AWS Security Hub wit...

Let's evaluate each of the options based on the requirements of receiving an email alert whenever Amazon GuardDuty, AWS Identity and Access Management (IAM) Access Analyzer, or Amazon Macie generates a high-severity security finding. The goal is to minimize operational overhead while ensuring alerts are triggered for high-severity findings.

A) Set up separate AWS Lambda functions for GuardDuty, IAM Access Analyzer, and Macie to call each service's public API to retrieve high-severity findings. Use Amazon Simple Notification Service (Amazon SNS) to send the email alerts. Create an Amazon EventBridge rule to invoke the functions on a schedule.
- Rejection Reason: This solution involves creating and managing separate Lambda functions for each service and setting up an EventBridge rule to invoke those functions periodically. This approach would require significant manual configuration, handling multiple Lambda functions, and ongoing maintenance of each function. It would also introduce complexity and higher operational overhead due to managing multiple services and periodic invocations.
- Why rejected: While functional, this approach is more complex and would require ongoing management of the Lambda functions and EventBridge rules, leading to unnecessary operational overhead.

B) Create an Amazon EventBridge rule with a pattern that matches Security Hub findings events with high severity. Configure the rule to send the findings to a target Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the desired email addresses to the SNS topic.
- Selection Reason: This is the most efficient solution with the least operational overhead. Since the company is already using AWS Security Hub with all service integrations enabled, Security Hub aggregates findings from GuardDuty, IAM Access Analyzer, and Macie. EventBridge can be configured to listen for Security Hub findings events (which include high-severity findings) and directly send them to an SNS topic. The email alerts can be sent by subscribing email addresses to the SNS topic. This solution requires minimal configuration and is highly automated.
- Why selected: This solution leverages existing AWS Security Hub integrations and EventBridge, which simplifies the process of collecting and alerting on high-severity findings. It minimizes operational overhead because there's no ...

Author: RadiantPhoenixX · Last updated May 23, 2026

A company hosts an application on Amazon EC2 instances. The application also uses Amazon S3 and Amazon Simple Queue Service (Amazon SQS). The application is behind an Application Load Balancer (ALB) and scales with AWS Auto Scaling. The company's security policy requires the use of least privilege access, which has been applied to all existing AWS resources. A security enginee...

To meet the company's requirement of least privilege access and private connectivity to AWS services, let's evaluate the steps carefully:

A) Use an interface VPC endpoint for Amazon SQS.
- Selection Reason: An interface VPC endpoint allows private, secure communication with Amazon SQS without routing traffic over the public internet. This fits well with the need for private connectivity and least privilege access, ensuring that the application can interact with SQS directly within the VPC.
- Why selected: Using an interface VPC endpoint ensures that traffic to Amazon SQS does not traverse the public internet, and it provides a secure and private connection.

B) Configure a connection to Amazon S3 through AWS Transit Gateway.
- Rejection Reason: While AWS Transit Gateway is useful for connecting multiple VPCs and managing inter-VPC traffic, it is not the ideal choice for connecting to Amazon S3 privately. Transit Gateway is generally more appropriate for complex network architectures involving multiple VPCs. For private connectivity to Amazon S3, using a gateway VPC endpoint is more suitable and simpler.
- Why rejected: Transit Gateway is not necessary for establishing private connectivity to Amazon S3, and it adds unnecessary complexity. A gateway VPC endpoint is the more straightforward solution for this.

C) Use a gateway VPC endpoint for Amazon S3.
- Selection Reason: A gateway VPC endpoint is specifically designed for private access to Amazon S3 from resources in a VPC. It enables private connectivity to S3, avoiding the use of the public internet. This is the most efficient and secure way to ensure that the EC2 instances can access S3 without exposing traffic to the public internet.
- Why selected: This option directly meets the requirement of private connectivity to Amazon S3, ensuring compliance with the security policy for least privilege access.

D) Modify the IAM role applied to the EC2 instances in the Auto Scaling group to allow outbound traffic to the interface endpoints.
- Rejection Reason: The IAM role applied to the EC2 instances should not allow broad outbound access to the interface endpoints. IAM policies should be restrictive and grant the least priv...

Author: NebulaEagle11 · Last updated May 23, 2026

A security analyst attempted to troubleshoot the monitoring of suspicious security group changes. The analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The analyst tested the monitoring setup by making a configuration change to the...

To troubleshoot why the analyst didn't receive alerts for security group changes, the primary issue could lie in how the monitoring, alerting, and configuration are set up in CloudWatch. Let's break down the options and assess them:

A) Ensure that CloudTrail and S3 bucket access logging is enabled for the analyst's AWS account.
- Reasoning: CloudTrail is responsible for capturing events such as security group changes, but enabling CloudTrail alone is not enough to trigger CloudWatch alarms. CloudWatch needs to be configured to monitor specific events in CloudTrail logs, so ensuring CloudTrail is enabled would not directly help with troubleshooting the alarm notification mechanism.
- Why rejected: S3 bucket access logging is unrelated to the monitoring of CloudTrail log events. The problem is related to CloudWatch monitoring and alarm configuration, not S3 logging.
- Scenario: This step is only necessary if CloudTrail isn't enabled, which doesn't seem to be the case here.

B) Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
- Reasoning: A metric filter is required in CloudWatch to search through CloudTrail logs for specific events, like security group changes. Once the filter is set up, it must be mapped to a CloudWatch alarm. Additionally, checking the alarm notification ensures that the alarm is set up to send notifications. This option directly addresses the problem, ensuring that the metric filter and alarm are correctly configured.
- Why selected: This is the most relevant troubleshooting step. If the metric filter is missing or misconfigured, the CloudWatch alarm would not trigger. Also, verifying the alarm's notification action ensures the alert is set up to notify the analyst.
- Scenario: This should be the first step if there's a failure to receive ...

Author: Amira99 · Last updated May 23, 2026

An Amazon API Gateway API invokes an AWS Lambda function that needs to interact with a software-as-a-service (SaaS) platform. A unique client token is generated in the SaaS platform to grant access to the Lambda function. A security engineer needs to design a solution to encrypt the access token at...

To determine the most cost-effective solution for securely encrypting and passing the access token to the Lambda function, we need to consider factors such as encryption at rest, ease of retrieval, cost efficiency, and security.

Option Analysis:

A) Store the client token as a secret in AWS Secrets Manager. Use the AWS SDK to retrieve the secret in the Lambda function.
- Reasoning: AWS Secrets Manager is a managed service designed specifically for securely storing secrets like API keys, credentials, and tokens. It offers automatic rotation of secrets and integrates well with AWS Lambda. However, it incurs a higher cost compared to other options like Parameter Store.
- Why rejected: While Secrets Manager is highly secure and suitable for managing sensitive data, it is more expensive than alternatives like Parameter Store. If cost-effectiveness is a priority, this option may not be the best choice.

B) Configure a token-based Lambda authorizer in API Gateway.
- Reasoning: A Lambda authorizer is used for authenticating API requests based on tokens (e.g., JWT). This would help in verifying the client token before allowing access to the Lambda function, but it is not a solution for securely storing or passing the client token to Lambda at runtime.
- Why rejected: This option focuses on authorization and API request validation rather than securely storing and retrieving the client token for Lambda to use. It doesn't address the need to store and encrypt the token securely.

C) Store the client token as a SecureString parameter in AWS Systems Manager Parameter Store. Use the AWS SDK to retrieve the value of the SecureString parameter in the Lambda function.
- Reasoning: AWS Systems ...

Author: Isabella · Last updated May 23, 2026

A company is using an Amazon CloudFront distribution to deliver content from two origins. One origin is a dynamic application that is hosted on Amazon EC2 instances. The other origin is an Amazon S3 bucket for static assets. A security analysis shows that HTTPS responses from the application do not comply with a security requirement to provide an X-Frame-Options HTTP header to prevent frame-related cross-s...

To meet the security requirement of adding the `X-Frame-Options` HTTP header to the HTTPS responses from the application hosted on Amazon EC2 and delivered through CloudFront, the solution needs to ensure that this header is added in a secure and scalable manner. Let's analyze the options in detail.

Option Analysis:

A) Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.
- Reasoning: Lambda@Edge allows you to run functions closer to the users to modify requests and responses as they pass through CloudFront. The origin response event is triggered when CloudFront receives a response from the origin (in this case, the EC2 application or S3 bucket). By using Lambda@Edge at the origin response event, the header can be added after CloudFront receives the response from the origin but before it sends the response back to the client.
- Why selected: This solution will effectively add the missing `X-Frame-Options` header to the response for both EC2 and S3 origins, meeting the security requirement. Lambda@Edge functions run with minimal latency and can modify responses from the origin (EC2) or S3, making this a flexible and efficient solution.

B) Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.
- Reasoning: The viewer request event happens when a request from the client (browser) reaches CloudFront but before it's forwarded to the origin. Modifying the response headers at this point would not be effective, as the content hasn't been delivered from the origin yet.
- Why rejected: This is not the right event for adding headers to a response. The `viewer request` event is too early in the request lifecycle for adding headers to the response, which...

Author: Lucas · Last updated May 23, 2026

An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages. What actions shou...

To troubleshoot the issue where EC2 instances can no longer retrieve messages from Amazon SQS due to recent IAM changes, it is essential to identify the root cause while maintaining the principle of least privilege. Let's break down the options:

Option Analysis:

A) Configure and assign an MFA device to the role used by the instances.
- Reasoning: Enabling Multi-Factor Authentication (MFA) for an IAM role does not directly address permissions issues related to SQS access. MFA is typically used for securing AWS Management Console access or API operations that require additional security layers. It does not help in resolving IAM policy or permissions problems for the EC2 instances retrieving SQS messages.
- Why rejected: This step does not provide a relevant solution to the specific problem of retrieving messages from SQS and is unrelated to IAM permission settings in this case.

B) Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
- Reasoning: An explicit deny in the SQS resource policy would override any allow permissions in IAM roles. This is a critical step in troubleshooting because if the SQS queue's resource policy includes an explicit deny for the role used by the EC2 instances, it would block access regardless of IAM permissions.
- Why selected: This option helps ensure that the SQS queue policy isn't causing the issue. If an explicit deny is found in the resource policy, it can directly resolve the issue by removing or modifying that deny.

C) Verify that the access key attached to the role used by the instances is active.
- Reasoning: While this is a good general troubleshooting step for access-related issues, it is not likely to be the root cause in this scenario. IAM roles used by EC2 instances typically do not rely on access keys directly, as the role itself assumes the necessary permissions au...

Author: Aarav2020 · Last updated May 23, 2026

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year. What shoul...

To meet the company policy of rotating encryption keys every year for a customer-managed key in AWS Key Management Service (KMS), let's analyze each option based on the AWS KMS key rotation features and the company's requirements.

Option Analysis:

A) Enable automatic key rotation annually for the existing customer managed key.
- Reasoning: AWS KMS allows automatic key rotation for customer-managed keys (CMKs) that use KMS-generated key material. However, automatic key rotation is not supported for keys with imported key material. When using imported key material, the key material is not generated by AWS, and thus AWS cannot automatically rotate the key.
- Why rejected: This option would work if the key material were KMS-generated, but since the company uses imported key material, automatic key rotation is not supported for this type of key.

B) Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
- Reasoning: While you could theoretically automate key rotation using Lambda functions with AWS CLI commands, this solution is unnecessary and overly complex. AWS KMS does not natively support automatic rotation for imported key material, so creating a Lambda function for key rotation would still require manual intervention to import new key material. This is not a simple or efficient solution, and AWS provides better options for rotating imported key material.
- Why rejected: This approach adds unnecessary complexity without leveraging native AWS features for key management.

C) Import new key material to the existing customer...

Author: Victoria · Last updated May 23, 2026

A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bu...

To address the need to restrict users from deleting any S3 bucket across multiple AWS accounts in an AWS Organization, the most scalable and effective solution must apply restrictions at the organizational level while being adaptable across multiple accounts. Let's analyze each option:

A) Permissions boundaries in AWS Identity and Access Management (IAM)
Explanation: Permissions boundaries are a mechanism for limiting the permissions that a user or role can have in IAM. They define the maximum permissions a principal can have, but they cannot enforce specific rules like preventing deletion of S3 buckets in a cross-account setup directly. This option would not be ideal for enforcing a cross-account restriction such as preventing the deletion of S3 buckets in multiple accounts in an organization.
Reason for rejection: Permissions boundaries are limited to controlling what permissions a principal (user or role) can be granted, but they cannot globally prevent actions (like S3 bucket deletion) across all accounts in an organization.
Suitable Scenario: Permissions boundaries could be used in specific scenarios where an IAM principal's permissions need to be restricted for particular actions within one account, but not for organization-wide actions.

---

B) S3 bucket policies
Explanation: S3 bucket policies can be applied to individual buckets to control access. You could create a policy that denies the `s3:DeleteBucket` action. However, this would need to be configured for each S3 bucket, and would not automatically apply to new buckets or across all accounts unless managed carefully.
Reason for rejection: S3 bucket policies only affect the specific bucket where the policy is applied. They do not provide a scalable solution for enforcing restrictions across all buckets or accounts, especially in an organization with multiple AWS accounts.
Suitable Scenario: S3 bucket policies are useful for controlling access to specific buckets and ensuring compliance on a per-bucket basis, but are not scalable across an entire organization with many ...

Author: Amelia · Last updated May 23, 2026

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration of the existing EKS dep...

To detect unauthenticated access to Amazon Elastic Kubernetes Service (EKS) clusters with the least operational effort, the solution needs to be scalable, minimize the need for additional configuration, and integrate with existing AWS services without requiring custom setup for the EKS deployment. Let's evaluate each option in terms of meeting these criteria:

A) Install an Amazon EKS add-on from a security vendor
Explanation: Installing an EKS add-on from a third-party security vendor could provide additional security features and monitoring, such as detecting unauthenticated access. However, this typically requires additional configuration and management of the add-on, which adds operational complexity. Furthermore, you would need to ensure the add-on integrates well with your current EKS deployment.
Reason for rejection: While this solution could provide specific security benefits, it involves external dependencies and requires additional configuration and ongoing management, which contradicts the need for minimal operational effort.
Suitable Scenario: This option is best when you need specific security features that aren't natively available in AWS, and you are comfortable with the added configuration and operational effort.

---

B) Enable AWS Security Hub. Monitor the Kubernetes findings
Explanation: AWS Security Hub provides centralized security monitoring, but it primarily focuses on gathering and analyzing findings from other AWS services, such as Amazon GuardDuty, Amazon Inspector, and more. While it offers security visibility across AWS accounts and regions, it doesn't directly detect unauthenticated access to EKS clusters.
Reason for rejection: Although AWS Security Hub is valuable for overall security posture monitoring, it doesn't directly address the need for detecting unauthenticated access to EKS clusters without additional configuration, such as enabling GuardDuty or other services for more specific monitoring.
Suitable Scenario: Security Hub is effective for organizations that want a central place to view security findings, but it is not a targeted solution for detecting unauthenticated access in EKS without additional configuration.

---

C) Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS
Explanation: CloudWatch C...

Author: Layla · Last updated May 23, 2026

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet. The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The securi...

To identify which EC2 instances are attempting to communicate on TCP port 2905 with the least operational effort, we need to focus on minimizing configuration complexity and operational overhead while effectively detecting the malicious traffic. Let's evaluate each option:

A) Create a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.
Explanation: Amazon VPC Network Access Analyzer is a tool for evaluating network access to resources in a VPC, helping to identify traffic flows between resources. However, it is primarily used for evaluating network paths and identifying misconfigurations in access, such as overly permissive security groups or network ACLs. It is not designed for identifying specific traffic patterns or for directly detecting traffic on specific ports like 2905.
Reason for rejection: While Network Access Analyzer is useful for auditing VPC access configurations, it does not directly track or identify outbound traffic on specific ports such as TCP port 2905, which is needed in this case.
Suitable Scenario: This would be useful for investigating VPC access issues or security group misconfigurations, but not for identifying malicious traffic targeting specific ports.

---

B) Enable VPC flow logs for the VPC where the affected EC2 instances are located. Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.
Explanation: VPC Flow Logs can capture detailed information about the traffic flowing to and from network interfaces in a VPC, including the source and destination IP, port, and the action (ACCEPT/REJECT). By enabling VPC flow logs and configuring them to capture rejected traffic, you can specifically track denied traffic on TCP port 2905, which directly helps identify the EC2 instances attempting to communicate with the command and control servers.
Reason for selection: VPC Flow Logs is a native AWS feature that requires minimal additional configuration and operational effort. By filtering rejected traffic based on the destination port, you can quickly identify the EC2 instances involved in the suspicious communication. This solution efficiently meets the requirement with little additional effort.
Suitable Scenario: VPC Flow Logs are ideal when you want to analyze network traffic for security incidents with minimal setup. They are especially useful for identifying blocked or denied traffic, making them a good fit for this use case.

---

C) Enable Amazon GuardDuty. Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.
Explanation: Amazon GuardDuty is a threat detection service that monitors AWS accounts for malicious activity. You ca...

Author: ElectricLionX · Last updated May 23, 2026

A security engineer uses Amazon Macie to scan a company's Amazon S3 buckets for sensitive data. The company has many S3 buckets and many objects stored in the S3 buckets. The security engineer must identify S3 buckets that contain sensitive data and must perform additional...

The goal is to identify S3 buckets containing sensitive data and perform additional scanning on those buckets with the least administrative overhead. Let's evaluate each option and determine the most efficient and manageable solution:

A) Configure S3 Cross-Region Replication (CRR) on the S3 buckets to replicate the objects to a second AWS Region. Configure Macie in the second Region to scan the replicated objects daily.
Explanation: This option would involve setting up S3 Cross-Region Replication (CRR) to replicate the objects to another AWS Region. Then, Macie would scan the replicated data in the second region. This solution introduces unnecessary complexity by creating cross-region replication and managing the replicated data, which can increase both administrative overhead and cost. The sensitivity of the data could also create challenges regarding data residency and compliance requirements.
Reason for rejection: This option is not optimal because of the added complexity of managing replication across regions, unnecessary duplication of data, and the overhead of managing multiple AWS Regions. There is no need for replication to scan the data with Macie.
Suitable Scenario: This could be used in scenarios where data needs to be replicated for disaster recovery or compliance, but it adds unnecessary steps in the context of just scanning S3 buckets for sensitive data.

---

B) Create an AWS Lambda function as an S3 event destination for the S3 buckets. Configure the Lambda function to start a Macie scan of an object when the object is uploaded to an S3 bucket.
Explanation: This option involves setting up an AWS Lambda function to trigger a Macie scan each time a new object is uploaded to an S3 bucket. While this could work, it introduces the overhead of creating and managing Lambda functions, which might not be necessary for the use case of scanning all objects in a bucket. Additionally, Lambda could only initiate scans when new objects are added, potentially missing scans for existing objects and requiring a manual process to handle the entire bucket's contents.
Reason for rejection: While this solution could trigger scanning of new objects, it does not cover existing data and introduces more complexity through Lambda functions. It also requires continual management of Lambda and event triggers.
Suitable Scenario: This approach might be effective if you want to monitor real-time data uploads, but it is not ideal for scanning existing data across many S3 buckets.

---

C) Configure Macie automated discovery to continuously sample data from the S3 buc...

Author: Maya2022 · Last updated May 23, 2026

A security engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, t...

In this scenario, the security engineer needs to implement access restrictions that ensure the application is accessible only to the 1,500 subsidiary companies and is not exposed to the public internet. The solution should focus on leveraging AWS security mechanisms to control network access efficiently. Let's evaluate each option:

A) Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the NACL to both the NLB and EC2 instances.
Explanation: Network ACLs (NACLs) can control traffic at the subnet level, so they can be used to restrict access to the EC2 instances and the Network Load Balancer (NLB). However, NACLs are stateless, meaning that responses to incoming requests must be explicitly allowed as well. Managing 1,500 CIDR block ranges for the subsidiaries would become challenging and error-prone because each NACL entry needs to be carefully defined for both incoming and outgoing traffic. Additionally, NACLs are applied at the subnet level, not to individual EC2 instances or the NLB, which may result in more granular access management issues.
Reason for rejection: Using NACLs introduces potential complexity and operational overhead in managing the many CIDR blocks and stateless traffic rules. It would be harder to maintain and more error-prone compared to other solutions like security groups.
Suitable Scenario: NACLs might be useful for simple, broad access control at the subnet level, but in this case, more precise and flexible access control is needed.

---

B) Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges. Associate the security group to the NLB. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group.
Explanation: This option uses security groups, which are stateful and allow more granular control over inbound and outbound traffic compared to NACLs. The idea is to associate the first security group with the NLB, allowing traffic only from the specified 1,500 subsidiary CIDR ranges. The second security group would be associated with the EC2 instances behind the NLB, ensuring that only traffic from the NLB can reach the EC2 instances on port 443. This approach is effective, as security groups can handle both the NLB and EC2 instance access control in a more manageable way than NACLs.
Reason for selection: This solution offers a scalable, stateful access control mechanism and allows precise control over the flow of traffic. Security groups are easy to manage, and using two groups (one for the NLB and one for EC2 instances) ensures that the right traffic is allowed at both layers. It's simple, easy to maintain, and scalable.
Suitable Scenario: This is the optimal approach for controlling access to both the load balancer and EC2 instances with minimal overhead and maximum flexibility.

---

C) Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS Privat...

Author: Aarav · Last updated May 23, 2026

A company runs workloads on Amazon EC2 instances. The company needs to continually scan the EC2 instances for software vulnerabilities and unintended ...

In order to meet the company's requirements to continually scan EC2 instances for software vulnerabilities and unintended network exposure, let's evaluate each option based on its functionality and suitability:

Option A: Use Amazon Inspector. Set the scan mode to hybrid scanning.
- Amazon Inspector is a security assessment service that helps identify vulnerabilities in EC2 instances and applications. It scans EC2 instances for software vulnerabilities, and the "hybrid scanning" mode enables scanning of both the EC2 instances and the network infrastructure associated with them. This mode combines both host-level vulnerability scanning and network-level security assessments, making it a strong candidate for identifying software vulnerabilities and unintended network exposure.
- Why it's selected: It specifically addresses the need to scan EC2 instances for software vulnerabilities and unintended network exposure, as it includes both host and network scanning.
- Key consideration: Hybrid scanning is comprehensive for the use case of vulnerability scanning, covering both software issues and network security.

Option B: Use Amazon GuardDuty. Enable the Malware Protection feature.
- Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and anomalous behavior in an AWS environment. Enabling the Malware Protection feature adds malware detection capabilities to GuardDuty, but GuardDuty primarily focuses on detecting network anomalies, suspicious behavior, and security threats rather than performing detailed vulnerability scanning on EC2 instances.
- Why it's rejected: While it is valuable for detecting suspicious activity, GuardDuty does not specifically scan EC2 instances for software vulnerabilities or unintended network exposure in the way that Amazon Inspector does. GuardDuty focuses on security monitoring and threat detection rather than vulnerability sc...

Author: Isabella1 · Last updated May 23, 2026

A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.0/0. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant. A security engineer has configured AWS Config and w...

To meet the company's requirements of continuously monitoring the compliance of security groups with the SSH access policy and sending near-real-time notifications if any security group is noncompliant, the solution needs to efficiently track compliance changes in AWS Config and notify the team immediately when an issue arises. Let's evaluate each option based on the requirements:

Option A: Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricted-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered.
- Explanation: This option suggests using AWS Config to send snapshots to an S3 bucket and then using Lambda to process the snapshots for compliance changes. While this approach works, it introduces unnecessary complexity and delay. It involves manual parsing of snapshots, which isn't an efficient or real-time method. The Lambda function would need to be triggered by PutEvents, requiring extra steps and potentially slower processing, making it less ideal for near-real-time monitoring.
- Why it's rejected: This option is more complex and introduces a delay due to the snapshot process. It also requires manual Lambda handling and parsing, which isn't optimal for real-time compliance monitoring.

Option B: Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.
- Explanation: This is the most efficient option. AWS Config can generate a compliance change event when the restricted-ssh managed rule detects a change in compliance. This event can trigger an EventBridge rule, which immediately sends notifications via SNS. This approach is designed to be near real-time and doesn't involve complex processes or delays.
- Why it's selected: This option leverages native AWS integration to detect and respond to compliance changes in real-time. EventBridge allows for quick event handling and triggers notifi...

Author: Rahul · Last updated May 23, 2026

A security engineer discovers that a company's user passwords have no required minimum length. The company is using the following two identity providers (IdPs): * AWS Identity and Access Management (IAM) federated with on-premises Active Directory * Amazon Cognito user pools that contain the user database for an AWS Cloud application that the comp...

To implement a required minimum password length across both AWS Identity and Access Management (IAM) and Amazon Cognito user pools, we need to consider the settings and mechanisms available for each identity provider (IdP) involved.

Option A: Update the password length policy in the IAM configuration.
- Explanation: AWS IAM allows you to configure certain password policies directly within IAM. You can define password length, complexity requirements, and expiration settings for IAM users.
- Why it's selected: This option directly addresses the requirement for IAM users, where you can set a password length policy through the IAM management console or using AWS CLI commands.
- Key consideration: This option is specifically for IAM users and does not apply to Cognito, which requires a different configuration.

Option B: Update the password length policy in the Cognito configuration.
- Explanation: Amazon Cognito user pools allow you to configure password policies for users in your custom applications. You can define minimum length, complexity, and other requirements for user passwords.
- Why it's selected: This option applies directly to Cognito users, ensuring that the password policy in your application aligns with the required minimum length.
- Key consideration: This addresses the password policy for Cognito, but does not impact IAM or the on-premises Active Directory users.

Option C: Update the password length policy in the on-premises Active Directory configuration.
- Explanation: If users are federated from an on-premises Active Directory to AWS IAM, you can configure password policies within Active Directory to enforce a minimum password length.
- Why it's selected: This option ensures that the password policy for Active Directory users, who may be federated with AWS IAM, enforc...

Author: Kai · Last updated May 23, 2026

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume. A security engineer must recomme...

When dealing with the situation where a customer-managed key (CMK) has become unusable due to the deletion of the key material in AWS KMS, the goal is to decrypt the data on the Amazon Elastic Block Store (EBS) volume and successfully attach it to the EC2 instance. Let’s evaluate the options based on the given requirements:

Option A: Import new key material into the key. Attach the EBS volume.
- Explanation: AWS KMS allows you to import new key material into a CMK, but the key must already exist and be enabled. If the key material is deleted, the CMK itself is rendered unusable, meaning it cannot decrypt or encrypt data, even if you later import new key material. Importing new key material will make the CMK usable again, but it will not recover the ability to decrypt data that was encrypted with the original key material.
- Why it’s rejected: Importing new key material doesn’t solve the problem of decrypting data that was encrypted with the deleted key material. Once the key material is deleted, it is impossible to recover the encrypted data with that key, even if the key is re-enabled.

Option B: Restore the EBS volume from a snapshot that was taken before the deletion of the key material.
- Explanation: If an EBS snapshot was taken before the key material was deleted, the snapshot would be encrypted with the key material that was present at the time. As long as the CMK is still available and usable (i.e., the key material is intact), you can restore the volume from the snapshot and attach it to an EC2 instance.
- Why it’s selected: This option allows the restoration of the EBS...

Author: Daniel · Last updated May 23, 2026

A company needs to analyze access logs for an Application Load Balancer (ALB). The ALB directs traffic to the company's online login portal. The company needs to use visualizations to identify login attempts...

To meet the company's requirements of analyzing access logs for an Application Load Balancer (ALB) and visualizing login attempts by bots from a list of known IP sources, let's evaluate each option and determine the best approach.

Option A: Configure the ALB to send logs directly to Amazon CloudWatch Logs. Analyze and visualize the logs by using CloudWatch Logs Insights.
- Explanation: CloudWatch Logs Insights allows you to analyze logs stored in CloudWatch Logs using a query language. While CloudWatch is good for real-time log analysis and searching, it is typically not as powerful as some other services for creating detailed, interactive visualizations.
- Why it's rejected: While CloudWatch Logs Insights can be used for analyzing the logs, it doesn’t provide rich visualization options like specialized dashboard tools (e.g., OpenSearch or QuickSight). Visualizations in CloudWatch are more basic compared to other options like OpenSearch or QuickSight, which provide more intuitive and interactive visual analytics.
- Key consideration: For complex visualizations and in-depth analysis, CloudWatch may not be the best fit.

Option B: Configure the ALB to send logs directly to Amazon Redshift. Analyze the logs by using SQL queries. Visualize the logs by using custom reports.
- Explanation: Amazon Redshift is a fully managed data warehouse service that excels at running complex SQL queries on large datasets. While it's possible to analyze logs by storing them in Redshift, it would require setting up an ETL (extract, transform, load) process to import the logs into Redshift and then running SQL queries to analyze them.
- Why it's rejected: This solution is overkill for log analysis as Redshift is typically used for large-scale data warehousing and more structured, analytical workloads. It would also require additional configuration for importing logs and managing data storage. Visualizations via custom reports would also require integrating Redshift with a separate visualization tool, which introduces complexity.
- Key consideration: This solution is more complex and involves more manual configuration than necessary for analyzing ALB logs.

Option C: Configure the ALB to send logs directly to Amazon OpenSearch Service. Analyze the logs by using OpenSearch dashboards. Visualize the logs by using custom OpenSearch dashboards.
- Explanati...

Author: VioletCheetah55 · Last updated May 23, 2026

A company runs a cron job on an Amazon EC2 instance on a predefined schedule. The cron job calls a bash script that encrypts a 2 KB file. A security engineer creates an AWS Key Management Service (AWS KMS) customer managed key with a key policy. The key policy and the EC2 insta...

Let's break down each option:

A) Use the `aws kms encrypt` command to encrypt the file by using the existing KMS key.
- Reasoning: The `aws kms encrypt` command encrypts the data directly with the KMS key. The data is encrypted using the key, and the result is the ciphertext.
- Rejection: While this approach is straightforward and does work, it's not ideal for encrypting larger files (this case is 2 KB, which isn't large, but still). The encrypted data would be returned by KMS, but it would need to be handled and written to a file in the script manually, which could introduce complexities in error handling, managing large files, and performance optimization.

B) Use the `aws kms create-grant` command to generate a grant for the existing KMS key.
- Reasoning: The `aws kms create-grant` command is used to create grants for controlling access to the KMS key. A grant is a way to delegate the ability to perform certain operations (like encryption) to a principal (e.g., an IAM role or a user).
- Rejection: This option doesn't directly solve the problem of file encryption. It's about managing permissions rather than performing encryption itself. The script does not need to create grants unless it's dealing with custom permissions that need to be granted on the KMS key. The necessary permissions for the EC2 instance role to encrypt with the key should already be set through the key policy or IAM policy.

C) Use the `aws kms encrypt` command to generate a data key. Use the plaintext data key to encrypt the file.
- Reasoning: The `aws kms encrypt` command is not typically used to generate a data key for encryption. It encrypts the data itself. T...

Author: Isabella · Last updated May 23, 2026

A security engineer needs to analyze Apache web server access logs that are stored in an Amazon S3 bucket. Amazon EC2 instance web servers generated the logs. The EC2 instances have the Amazon CloudWatch agent installed and configured to report their access logs. The security engineer needs to use a query in Amazon Athena to analyze the logs. The query must identify IP addresses that have attempted and failed to access r...

Let's break down each option to identify the correct query based on the given requirements:

Requirements:
- Logs: Stored in Amazon S3 bucket, generated by EC2 instances with CloudWatch agent installed.
- Goal: Analyze Apache web server access logs using Athena.
- Key Conditions:
  - Identify IP addresses that attempted and failed to access restricted content at the `/admin` URL path.
  - Failed attempts: Identified by the server status code, which typically indicates errors (e.g., `403` or `401`).
  - Also, identify URLs that the IP addresses attempted to access.

Query Analysis:

A) `SELECT client_ip, client_request FROM logs WHERE client_request LIKE '%/admin%' AND server_status = '403'`
- Reasoning:
  - client_ip: Extracts the IP address.
  - client_request: Extracts the attempted URL.
  - WHERE client_request LIKE '%/admin%': Filters for logs where the requested URL contains `/admin`.
  - AND server_status = '403': Filters for failed access attempts (403 Forbidden errors, indicating restricted access).
- Why Selected: This query properly meets the requirement to find IP addresses attempting to access restricted content (i.e., URLs containing `/admin`) and identifies the failure status (`403`).

B) `SELECT client_ip FROM logs WHERE client_request CONTAINS '%/admin%' AND server_status = '401' GROUP BY client_ip`
- Reasoning:
  - client_ip: Extracts the IP address.
  - WHERE client_request CONTAINS '%/admin%': Filters logs where the URL contains `/admin` (Note: `CONTAINS` is not valid in SQL syntax; it should be `LIKE`).
  - AND server_status = '401': Filters for failed access attempts (401 Unauthorized, which can also indicate restricted access).
  - GROUP BY client_ip: Groups by IP address.
- Rejection: The use of `CONTAINS` is incorrect in SQL syntax for Athena. `LIKE` should be used instead. Als...

Author: RadiantPhoenixX · Last updated May 23, 2026

A company uses Amazon Cognito as an OAuth 2.0 identity platform for its web and mobile applications. The company needs to capture successful and unsuccessful login attempts. The company also needs to q...

Let's go through the options and analyze each one based on the requirements: capturing successful and unsuccessful login attempts and the ability to query the data.

Key Requirements:
- The company needs to capture both successful and unsuccessful login attempts.
- The company also needs to query the data about these login attempts.

Option Analysis:

A) Configure Cognito to send logs of user activity to Amazon CloudWatch. Configure Amazon EventBridge to invoke an AWS Lambda function to export the logs to an Amazon S3 bucket. Use Amazon Athena to query the logs for event names of SignUp with event sources of cognito-idp.amazonaws.com.
- Reasoning:
  - CloudWatch Logs: The option starts by sending logs to CloudWatch. This is useful for capturing events.
  - EventBridge and Lambda: EventBridge can forward events to Lambda, which then exports logs to S3. This can be useful for archiving logs, but it adds complexity and may not be the most straightforward approach.
  - Querying with Athena: Athena can be used to query the logs in S3, but the query here is focused on `SignUp` events, which are not related to the login attempts requirement.
- Rejection: This option focuses on `SignUp` events and not on login attempts (e.g., `InitiateAuth`), which is what the company needs. This doesn't align with the login attempt tracking requirement.

B) Enable AWS CloudTrail to deliver logs to an Amazon S3 bucket. Use Amazon Athena to query the logs for event names of InitiateAuth with event sources of cognito-idp.amazonaws.com.
- Reasoning:
  - CloudTrail Logs: CloudTrail logs provide detailed records of API calls made to AWS services, including Amazon Cognito. `InitiateAuth` is the API action for authenticating users, which directly relates to login attempts.
  - Event Querying: Using Athena to query CloudTrail logs is efficient, and the query for `InitiateAuth` is directly related to the login attempts.
  - Success and Failure: CloudTrail logs can capture both successful and failed authentication attempts, as failures will also be logged (e.g., failed `InitiateAuth`).
- Why Selected: This option directly aligns with the requirement of capturing both successful and unsuccessful login atte...

Author: Max · Last updated May 23, 2026

A security engineer is setting up an AWS CloudTrail trail for all regions in an AWS account. For added security, the logs are stored using server-side encryption with AWS KMS-managed keys (SSE-KMS) and have log integrity validation enabled. While testing the solution, the s...

Let's break down each option and analyze why a particular one is the most likely cause of the issue:

Key Information:
- The CloudTrail trail is set up to log events across all regions.
- The logs are encrypted with SSE-KMS (AWS KMS-managed keys).
- Log integrity validation is enabled.
- The digest files are readable, but the log files are not.

Option Analysis:

A) The log files fail integrity validation and automatically are marked as unavailable.
- Reasoning: Integrity validation is enabled, which means the system checks the integrity of CloudTrail logs against the digest files. If the logs fail this validation, they might be marked as unavailable.
- Rejection: This could be a potential cause, but the problem described specifically involves the unreadability of the log files, not necessarily integrity failure. Failed integrity validation would typically trigger an alert or error, but the logs would not be accessible regardless. The logs themselves might still be encrypted and readable, though potentially inaccessible due to permission issues, making this less likely as the primary cause.

B) The KMS key policy does not grant the security engineer's IAM user or role permissions to decrypt with it.
- Reasoning: The logs are encrypted using SSE-KMS, meaning the security engineer's IAM user or role must have decrypt permissions on the KMS key. If the IAM user or role does not have these permissions, they will not be able to decrypt the log files, leading to the inability to read them.
- Why Selected: This is the most likely cause. Since the digest files are readable, the IAM user has at least some level of access, but missing decrypt permissions on the KMS key would prevent access to the actual log files. This fits perfectly with the scenario described, where the digest files are accessible, but the log files are not.

C) Th...

Author: FrozenWolf2022 · Last updated May 23, 2026

A company needs to securely deploy resources and workloads across AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to use AWS CloudFormation for infrastructure as code (IaC) management of approved architectural patterns. The company also must enforce tagging requi...

Let's break down each option and analyze how well it meets the company's requirements of securely deploying resources across AWS accounts, using AWS CloudFormation for infrastructure management, and enforcing tagging and configuration policies:

Key Requirements:
- Securely deploy resources and workloads across AWS accounts.
- Use AWS CloudFormation for managing infrastructure as code (IaC).
- Enforce tagging requirements and specific configuration guidelines for resources and workloads.

Option Analysis:

A) Use CloudFormation stack policies to prevent the creation of resources that do not meet the tagging or configuration requirements. Use Amazon EventBridge rules to detect API calls that attempt to create resources outside of CloudFormation.
- CloudFormation stack policies: These policies control which resources can be updated or deleted within a CloudFormation stack but do not directly enforce tagging or configuration requirements for new resource creation.
- EventBridge: While EventBridge can detect and react to API calls, it would add complexity and may not be efficient for enforcing tagging and configuration on a wide scale.
- Rejection: This option doesn't directly address the enforcement of consistent tagging or configuration standards across AWS accounts. CloudFormation stack policies focus on updating resources within a stack, but not on preventing misconfigured resources at a global level. EventBridge adds complexity and isn't the best tool for enforcing consistent configuration or tagging policies.

B) Use an AWS CodePipeline pipeline to test and deploy IaC defined workloads through CloudFormation into the accounts. Use AWS Config rules to enforce the tagging requirements. Apply an SCP to prevent the creation of misconfigured resources in all OUs.
- AWS CodePipeline: Using CodePipeline for continuous integration and continuous delivery (CI/CD) of CloudFormation-managed workloads is a great way to ensure that infrastructure changes are tested and deployed securely.
- AWS Config rules: Config rules can be used to enforce compliance with tagging requirements and other configuration standards across resources.
- Service Control Policies (SCPs): SCPs provide a way to control what actions are allowed or denied across accounts in an AWS Organization, which can help prevent misconfigured resources.
- Why Selected: This approach combines IaC deployment, tagging enforcement, and misconfiguration prevention across multiple AWS accounts using CloudFormation, AWS Config, and SCPs. It ensures resources are deployed securely and according to guidelines, and it enforces the necessary configurations and tagging policies across AWS accounts.

C) Create an IAM permissions boundary to prevent the creation of misconfigured resources through C...

Author: Noah · Last updated May 23, 2026

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv...

In this scenario, the goal is to confirm whether any EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1) after migrating to Version 2 (IMDSv2). The security engineer needs to monitor and ensure that IMDSv1 is no longer being used. Analyzing each option:

Option A: Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
- This option involves setting up logging for IMDSv1 on the EC2 instance itself, which could create logs when IMDSv1 is accessed. However, the process of configuring logging on each instance would require significant management overhead, especially when scaling. This would not provide a simple, centralized way of tracking IMDSv1 usage across instances. Additionally, it might miss instances that do not generate logs correctly, or that are not properly configured.
- Rejected: This approach involves manual setup per instance and lacks a centralized monitoring solution.

Option B: Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.
- The `EC2:MetadataNoToken` metric in CloudWatch tracks requests to the instance metadata service that do not include a session token (which would occur if IMDSv1 is being used). This option is effective because it directly monitors for the usage of IMDSv1 (which does not require a session token), and the absence of this metric would indicate that IMDSv1 is not being used. By monitoring this across all instances, you can quickly verify if any instance is still relying on IMDSv1.
- Selected: This is an efficient way to track and confirm the use of IMDSv1 across multiple EC2 instances...

Author: Kai99 · Last updated May 23, 2026

A company is planning to create an organization by using AWS Organizations. The company needs to integrate user management with the company's external identity provider (IdP). The company also needs to centrally manage access to all of its AWS accounts...

In this scenario, the company needs to integrate an external identity provider (IdP) with AWS, manage user access centrally through AWS Organizations, and ensure that access to all AWS accounts and applications is controlled from the organization's management account. Let's break down each option:

Option A: Configure AWS Directory Service with the external IdP. Create IAM policies and associate them with users from the external IdP.
- AWS Directory Service can integrate with an external IdP, such as Microsoft Active Directory, and it allows for management of user accounts in AWS. However, this solution is more suited for environments where a company needs to maintain an Active Directory environment, and is not specifically tailored for managing multiple AWS accounts in a centralized manner. Also, IAM policies would need to be manually created for each user, making the management of access across multiple AWS accounts cumbersome.
- Rejected: While this works for directory integration, it is not the best solution for centralizing access control across multiple AWS accounts managed through AWS Organizations.

Option B: Enable AWS IAM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using IAM Identity Center.
- AWS IAM Identity Center (formerly AWS SSO) is designed for centralized access management across AWS Organizations. It integrates with an external IdP for user authentication and allows you to manage user permissions across multiple AWS accounts centrally. By using IAM Identity Center, you can assign users to specific accounts and create permission sets that define access policies for each user. This solution directly meets the company's requirement for central management of access to AWS accounts and applications.
- Selected: This is the best solution for centralizing user access management across multiple AWS accounts, integrating with an externa...

Author: Julian · Last updated May 23, 2026

A company uses Amazon Elastic Container Registry (Amazon ECR) as the repository for its production applications. A security engineer must implement an automated solution to report any vulnerabilities that ECR enhanced scanning detects. The solution must provide notification of vulnerability findings in an...

In this scenario, the goal is to automate the process of reporting any vulnerabilities detected by Amazon ECR Enhanced Scanning, and to provide the notifications in a Slack channel. The solution must be operationally efficient and should automate this process as much as possible. Let's break down each option:

Option A: Activate Amazon Inspector scans for the ECR repository. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure an AWS Chatbot client for Slack that consumes the SNS topic. Create an Amazon EventBridge rule for Amazon Inspector findings. Specify the SNS topic as the target for the rule.
- Explanation: Amazon Inspector is integrated with Amazon ECR to scan container images for vulnerabilities. By creating an SNS topic, you can configure an AWS Chatbot to send notifications directly to Slack when vulnerabilities are detected. The EventBridge rule can be used to automatically capture findings from Amazon Inspector and trigger the SNS notification. This solution is both efficient and automated, as it involves minimal manual intervention once set up, and the Slack notifications will be real-time.
- Selected: This solution is highly operationally efficient because it uses AWS managed services (SNS, EventBridge, AWS Chatbot) for seamless integration with Slack and minimizes custom scripting or infrastructure management.

Option B: Activate Amazon Inspector scans for the ECR repository. Write a script to use AWS CLI commands to retrieve image scan findings from Amazon Inspector. Configure the script to send the findings to a Slack endpoint. Launch an Amazon EC2 instance to run the script.
- Explanation: This option requires writing a custom script to retrieve findings from Amazon Inspector using the AWS CLI and then sending them to a Slack endpoint. Additionally, an EC2 instance needs to be set up to run this script. While this solution is functional, it is less efficient because it introduces the overhead of maintaining an EC2 instance and custom scripting. It also requires manual intervention to ensure the script runs correctly and continuously.
- Rejected: This approach adds unnecessary complexity and operational overhead with the need to manag...

Author: Stella · Last updated May 23, 2026

A company uses AWS Config rules to identify Amazon S3 buckets that are not compliant with the company's data protection policy. The S3 buckets are hosted in several AWS Regions and several AWS accounts. The accounts are in an organization in AWS Organizations. The company needs a solution to remediate the organization's exi...

To address the company's requirement of remediating noncompliant S3 buckets both in the past and in the future across multiple accounts and regions, we need to evaluate the effectiveness of different solutions based on the goals of detecting, remediating, and preventing future noncompliance with the data protection policy.

Option A: Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an AWS Lambda function that responds to AWS Config findings of noncompliant S3 buckets by deleting or reconfiguring the S3 buckets.
- Explanation: This solution leverages an AWS Config aggregator that aggregates compliance data across all accounts in the AWS organization. By using a Lambda function to automatically remediate noncompliant S3 buckets (either by deleting them or reconfiguring them), this option provides both remediation of existing noncompliant buckets and prevention of future noncompliance. The Lambda function can be set to trigger automatically whenever a noncompliance finding is detected by AWS Config, ensuring that the solution is dynamic and automatic.
- Selected: This option is the most efficient and flexible for both remediating existing noncompliant S3 buckets and preventing noncompliance for future S3 buckets. It takes advantage of AWS Config's powerful compliance monitoring and integrates well with automation (Lambda).

Option B: Deploy an AWS Config aggregator with organization-wide resource data aggregation. Create an SCP that contains a Deny statement that prevents the creation of new noncompliant S3 buckets. Apply the SCP to all OUs in the organization.
- Explanation: While using an SCP (Service Control Policy) with a "Deny" statement to prevent the creation of noncompliant S3 buckets is a valid solution for preventing future noncompliance, it doesn't address the remediation of existing noncompliant S3 buckets. SCPs only prevent the creation of noncompliant resources in the future but don't automatically correct existing noncompliant resources.
- Rejected: This approach is not comprehensive enough because it ...

Author: Carlos Garcia · Last updated May 23, 2026

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) customer managed key grants for users. Immediately after a grant is created, users must be able to use the KMS key to encrypt a 512-byte payload. During load testing, AccessDeniedException errors occur occasionally when a user first att...

To solve the issue of AccessDeniedException errors when users first attempt to use a KMS key for encryption immediately after a grant is created, it's important to focus on how AWS Key Management Service (KMS) handles grants and permissions. The problem is likely caused by the fact that there might be a delay in the KMS system registering the grant, leading to temporary access issues. Let's analyze each option:

Option A: Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
- Explanation: This approach would instruct users to retry the encryption request every 2 minutes if the initial attempt fails. While this could eventually succeed, it is not an optimal solution because it doesn't address the root cause of the problem. Additionally, the delay could lead to inefficiencies, especially if the issue is intermittent and happens too frequently.
- Rejected: While it may eventually work, this is a workaround rather than a solution. It introduces unnecessary complexity and doesn't address the underlying problem in a more direct or efficient way.

Option B: Instruct the engineering team to consume a random grant token from users and to call the CreateGrant operation by passing the grant token to the operation. Instruct users to use that grant token in their call to encrypt.
- Explanation: This option suggests that the engineering team generates a random grant token for each user, consumes the token in the `CreateGrant` operation, and then users would pass the token when calling the `encrypt` operation. This would create an additional layer of complexity and is unnecessary. The grant token is typically a way to identify and manage the grant, not something that requires this level of dynamic handling.
- Rejected: This solution overcomplicates the process and introduces unnecessary complexity without directly addressing the issue. AWS KMS grants don't require this level of token management for proper functioning.

Option C: Instruct the engineering team to create a random name for the grant ...

Author: Vikram · Last updated May 23, 2026

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack by a specific IoT device brand that has a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate the web ACL with the ALB. The security engineer must implement a rule statement as part of the web ACL to block the requests. The rule ...

To address the requirements of mitigating the ongoing DDoS attack from a specific IoT device brand with a unique user agent, and ensuring that future attacks from this device brand are blocked without affecting legitimate customer traffic, we need to consider the nature of the attack and the available rule statements. Let's analyze each option:

A) Use an IP set match rule statement that includes the IP address for IoT devices from the user agent.
- This approach would only work if we could reliably identify the specific IP addresses associated with the IoT devices. However, DDoS attacks typically involve distributed sources and may use dynamic IP addresses, meaning the IP addresses of the attacking devices can change frequently. This makes it difficult to block the attack using an IP set match rule. Moreover, this rule would not effectively block all attacks from the IoT devices, as attackers could switch IP addresses to bypass this rule.
- Reason for rejection: DDoS attacks are often distributed, and the IP addresses of the attacking devices are not static. Blocking by IP may not be effective in this case.

B) Use a geographic match rule statement. Configure the statement to block countries that the IoT devices are located in.
- This method blocks traffic from specific countries based on the geographic location of the IP addresses. However, it would be a broad solution that may unintentionally block legitimate customers from those countries, even if the attack is isolated to a smaller group of IoT devices. Moreover, not all DDoS traffic necessarily originates from a specific country, as IoT devices may use proxy servers or botnets spread across different locations.
- Reason for rejection: Blocking by geographic region could block legitimate customers and is not a targeted solution for the specific IoT devic...

Author: Oscar · Last updated May 23, 2026

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint. The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway. A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an IAM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that t...

To diagnose why the request from the EC2 instance to Amazon S3 is failing, we need to carefully examine the networking configuration and security settings involved. Here's the analysis of each option:

A) Verify that the EC2 instance's security group does not have an implicit inbound deny rule for Amazon S3.
- Reasoning: EC2 instance security groups are stateful and control only inbound and outbound traffic to/from the instance. However, security groups do not control access to the VPC endpoint or traffic to AWS services like S3. The security group's inbound rules only determine whether traffic can reach the EC2 instance, not whether it can route traffic through the VPC endpoint to Amazon S3.
- Reason for rejection: The EC2 security group does not control traffic to Amazon S3 via the VPC endpoint. Therefore, this step is unlikely to resolve the issue.

B) Verify that the VPC endpoint's security group does not have an explicit inbound deny rule for the EC2 instance.
- Reasoning: A VPC endpoint for S3 does not typically require a security group associated with it. If no security group is explicitly associated with the VPC endpoint, this would not be a problem. Additionally, VPC endpoints are designed to allow traffic between the VPC and AWS services (like S3) regardless of security group settings unless explicitly denied by the VPC endpoint policy.
- Reason for rejection: VPC endpoint security groups aren't commonly used with S3 gateway endpoints, so this wouldn't be the cause of the issue in this case.

C) Verify that the internet...

Author: Sophia · Last updated May 23, 2026

A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource...

To restrict the usage of root user accounts across an AWS Organization, we need to focus on a solution that effectively applies organization-wide policies, without relying on specific configurations for individual accounts or services. Let's analyze each option in detail:

A) Disable the use of the root user account at the organizational root. Enable multi-factor authentication (MFA) of the root user account for each organization member account.
- Reasoning: While enabling MFA for root users is a best practice to enhance security, it does not restrict the usage of root user accounts; it only adds an extra layer of authentication. Disabling root user access at the organizational root isn't directly achievable in AWS Organizations. Additionally, this approach is more about securing root user accounts rather than restricting their usage.
- Reason for rejection: This option focuses on securing root accounts with MFA, but it does not address restricting the root user accounts' usage across the organization effectively.

B) Configure IAM user policies to restrict root account capabilities for each organization member account.
- Reasoning: IAM user policies apply to IAM users, not root users. IAM policies do not have the capability to directly restrict or block the root user. Root users are not subject to IAM user policies, so this approach would not restrict root account usage.
- Reason for rejection: IAM user policies cannot restrict root user accounts, as they apply to IAM users, not the root user.

C) Create an OU in Organizations, and attach an SCP that controls usage of the root user. Add all member accounts to the new OU.
- Reasoning: Service Contr...

Author: Vivaan · Last updated May 23, 2026

A company wants to start processing sensitive data on Amazon EC2 instances. The company will use Amazon CloudWatch Logs to monitor, store, and access log files from the EC2 instances. The company's developers use CloudWatch Logs for troubleshooting. A security engineer must implement a solution that prevents the developers from viewing the sensitive data....

To meet the company's requirement of preventing developers from viewing sensitive data in CloudWatch Logs while still allowing them to troubleshoot logs (but without access to sensitive information), the solution needs to provide automatic application of controls to future log groups and enforce protection policies. Let's break down each option:

A) Create a CloudWatch Logs account-wide data protection policy. Specify the appropriate data identifiers for the policy. Ensure that the developers do not have the `logs:Unmask` IAM permission.
- Reasoning: This option suggests using a CloudWatch Logs account-wide data protection policy and specifies that developers should not have the `logs:Unmask` permission. The `logs:Unmask` permission controls whether users can view the sensitive parts of the log data, such as redacted fields. The issue here is that an account-wide policy does not apply automatically to new log groups. The requirement specifies that this must apply to any new log groups created in the future, which this approach may not fully meet as it's not automatically enforced for new log groups.
- Reason for rejection: While the `logs:Unmask` permission is important for preventing access to sensitive data, this solution doesn't automatically apply to new log groups and is less flexible in terms of future log groups.

B) Export the CloudWatch Logs data to an Amazon S3 bucket. Set up automated discovery by using Amazon Macie on the S3 bucket. Create a custom data identifier for the sensitive data. Remove the developers' access to CloudWatch Logs. Grant permissions for the developers to view the exported log data in Amazon S3.
- Reasoning: This option involves exporting logs to Amazon S3 and using Amazon Macie to identify sensitive data. While Macie can be used for discovering sensitive data, the developers would still have access to logs stored in S3. The issue with this approach is that it requires extra complexity (exporting data to S3) and manual management of sensitive data discovery. Furthermore, this approach doesn't directly restrict CloudWatch Logs access, which was one of the core requirements.
- Reason for rejection: This is not a direct CloudWatch Logs-based solution and adds unnecessary complexity with exporting data. It doesn't automatically apply to all new log groups, and Macie is not a solution to restrict access but only to discover sensitive data.

C) Export the CloudWatch Logs data to ...

Author: Leah · Last updated May 23, 2026

A security engineer needs to implement a solution to identify any sensitive data that is stored in an Amazon S3 bucket. The solution must report on sensitive data in the S3 bucket by using an existing Amazon Simple Notification Service (...

To meet the requirements of identifying sensitive data stored in an Amazon S3 bucket and sending notifications via an existing Amazon SNS topic, we need to choose a solution that is simple to implement and leverages AWS services efficiently. Let's analyze each option:

A) Enable AWS Config. Configure AWS Config to monitor for sensitive data in the S3 bucket and to send notifications to the SNS topic.
- Reasoning: AWS Config is used for monitoring configuration changes to AWS resources, but it is not designed for identifying or scanning sensitive data within those resources. It primarily monitors compliance with resource configurations rather than content inside those resources. AWS Config wouldn't directly help identify sensitive data in an S3 bucket, as it's not designed for data discovery.
- Reason for rejection: This solution does not focus on scanning for sensitive data inside the S3 bucket, and AWS Config does not provide a way to identify sensitive content in stored objects.

B) Create an AWS Lambda function to scan the S3 bucket for sensitive data that matches a pattern. Program the Lambda function to send notifications to the SNS topic.
- Reasoning: While AWS Lambda can be used to scan an S3 bucket for sensitive data, creating a Lambda function to manually scan files for sensitive data (e.g., by pattern matching or other custom logic) can be complex and error-prone. It requires developing and maintaining custom code, handling scalability issues, and creating custom logic for pattern matching. This adds significant implementation effort compared to other options.
- Reason for rejection: This solution involves more manual setup, custom code, and maintenance overhead. It's not the most efficient or least effort solution for identifying sensitive data in an S3 bucket.

C) Configure Amazon Macie to use managed data identifiers to identify and categorize sensitiv...

Author: Andrew · Last updated May 23, 2026

A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances. T...

To evaluate the available solutions and determine the best one for meeting the company's requirements, let's break down the specific requirements:

Requirements:
1. Restrict access to customer data: The company needs a way to securely access EC2 instances without opening inbound ports, maintaining bastion hosts, or managing SSH keys.
2. Monitor, store, and access session activity logs: The security engineer must have detailed session activity logs.
3. Logs must be encrypted: The logs need to be encrypted to ensure confidentiality.

Option Breakdown:

A) Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
- Reasoning: AWS Control Tower is designed for setting up and governing multi-account AWS environments. While it helps in managing environments, it doesn't provide direct access to EC2 instances for session management. AWS Control Tower itself doesn't include features for session activity logging or encryption of logs for individual EC2 instance sessions. This solution does not align well with the requirement to directly manage EC2 sessions.
- Rejected: It doesn't support secure access to EC2 instances, logging, or session monitoring in the context needed here.

B) Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
- Reasoning: AWS Security Hub is focused on providing a comprehensive view of security alerts and compliance status across AWS accounts, rather than directly managing access to EC2 instances or logging session activity. It doesn't have built-in functionality to securely connect to EC2 instances for session management, which is a core requirement.
- Rejected: Security Hub does not provide direct access to EC2 instances for managing sessions, logging, or encryption as needed here.

C) Use AWS Systems Manager Session Manager to conne...

Author: Evelyn · Last updated May 23, 2026

A company uses an organization in AWS Organizations to help separate its Amazon EC2 instances and VPCs. The company has separate OUs for development workloads and production workloads. A security engineer must ensure that only AWS accounts in the production OU can write VPC flow logs to an Amazon S3 bucket. The security engineer is configuring the S3 bucket policy with a Co...

To meet the requirement of ensuring that only AWS accounts in the production OU can write VPC flow logs to an Amazon S3 bucket, we need to configure a Condition element in the S3 bucket policy. Let's break down each option to determine which one fulfills the security engineer's requirements.

Key Requirements:
- Scope: The condition must restrict access to the S3 bucket for VPC flow log writes (s3:PutObject) to accounts in the production OU of the AWS Organization.
- Action: Only the production accounts should have the permission to write logs to the bucket.

Option Analysis:

A) Set the value of the aws:SourceOrgID condition key to be the organization ID.
- Reasoning: The `aws:SourceOrgID` condition key is used to match the organization ID of the source (i.e., the account making the request). However, this key does not filter by Organizational Unit (OU), so it would allow all accounts from the organization, including development accounts, to write to the S3 bucket.
- Rejected: This option doesn't limit access to only accounts in the production OU, so it doesn't fulfill the requirement of restricting access based on the specific OU.

B) Set the value of the aws:SourceOrgPaths condition key to be the Organizations entity path of the production OU.
- Reasoning: The `aws:SourceOrgPaths` condition key allows you to specify the entity path (i.e., the path to the Organizational Unit) for the AWS account requesting access. This path can be used to filter requests to ensure that only accounts from a specific OU (in this case, the production OU) are allowed. By specifying the path for the production OU, only accounts within that OU will be able to write VPC flow logs to the S3 bucket.
- Selected: This is the correct option, as it ...

Author: Olivia Johnson · Last updated May 23, 2026

Amazon CloudWatch Logs agent is successfully delivering logs to the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of ho...

To identify the cause of logs stopping delivery to Amazon CloudWatch Logs after a specific number of hours, the security engineer needs to investigate potential issues with the CloudWatch Logs agent and the environment. Let's evaluate the options and identify the most relevant steps to take.

Analysis of Options:

A) Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified.
- Reasoning: If the file permissions of the monitored log files are changed, it could prevent the CloudWatch Logs agent from reading the log files, resulting in logs failing to be delivered. If logs stop after a period of time, it could be because the agent loses access to the files due to modified permissions.
- Selected: This is a valid step to take because ensuring proper file permissions is essential for continuous log delivery to CloudWatch Logs. It is important to verify that the agent can still read the log files at the point when the logs stop being delivered.

B) Verify that the OS log rotation rules are compatible with the configuration requirements for agent streaming.
- Reasoning: Log rotation is a common practice in operating systems to manage log file sizes and prevent them from growing indefinitely. If the CloudWatch Logs agent is not properly configured to handle log rotation, it may fail to continue streaming logs after a rotation occurs, especially if the log file is renamed or replaced during the rotation process. This can explain why logs stop after a specific number of hours.
- Selected: This is another key step. If the log rotation mechanism is incompatible with how the CloudWatch Logs agent handles log files, logs will not be delivered after the rotation. Ensuring compatibility between log rotation rules and agent configuration is crucial to avoid disruptions in log delivery.

C) Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.
- Reasoning: Using Amazon Kinesis Streams as a buffer between log delivery and CloudWatch Logs is a potential solution, bu...

Author: David · Last updated May 23, 2026

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone). The security engineer discovers ...

To address the issue where all four subnets in the VPC are attempting to route traffic out through the internet gateway, the solution should ensure that public and private subnets have appropriate routing for their respective traffic flows. Let's break down the steps and reasoning for each option.

Scenario:
- The VPC includes two Availability Zones (AZs) with one private subnet and one public subnet in each AZ.
- There are three route tables: one for public subnets and two for private subnets (one for each AZ).
- The issue is that all subnets are routing traffic out through the internet gateway (IGW), which is not correct for private subnets (they should route traffic through a NAT gateway instead).

Steps to Remedy:

A) Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
- Reasoning: A NAT gateway should be placed in a public subnet, allowing instances in private subnets to access the internet for things like software updates and external API calls. The NAT gateway should be used as the route target for private subnets when routing external traffic. If the NAT gateway is not provisioned, private subnets would not be able to route traffic correctly.
- Selected: This is a necessary step. The NAT gateway must be provisioned in each public subnet in both Availability Zones to facilitate traffic from the private subnets to the internet. Without this, the private subnets cannot reach the internet through a controlled gateway.

B) Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
- Reasoning: A NAT gateway should never be placed in a private subnet, as it is designed to be accessible by the public subnet. Private subnets should route traffic to the NAT gateway located in a public subnet, not within a private subnet.
- Rejected: This option is incorrect because placing a NAT gateway in a private subnet would make it inaccessible from the public internet, which would defeat the purpose of using a NAT gateway for internet access.

C) Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range...

Author: Benjamin · Last updated May 23, 2026

A company hired an external consultant who needs to use a laptop to access the company's VPCs. Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs with...

Analysis of Options: The goal is to provide the consultant with access to two VPCs that are peered together in the same AWS Region. The access should be secure, controlled, and not include unnecessary access to other network resources. Let's break down each option:

A) Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
- Reasoning: The Site-to-Site VPN is typically used to securely connect an on-premises network (like an office or data center) to an AWS VPC over a public network. While it could provide access to the VPCs, it is primarily designed for network-level communication between an on-premises network and AWS VPCs. For an external consultant to use a laptop to access specific VPCs, this would be a less efficient and overcomplicated solution.
- Rejected: This is not the most appropriate option for the consultant's use case, as it's designed for connecting networks rather than providing individual user access to VPCs.

B) Create an AWS account. Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.
- Reasoning: VPC sharing via AWS Resource Access Manager allows multiple AWS accounts to share a VPC within an organization, which could be useful for sharing resources between accounts. However, VPC sharing is generally used for allowing different AWS accounts within the same organization to share a VPC and is not suitable for providing access to a specific external consultant's laptop. It does not directly solve the problem of providing controlled access to specific VPCs for an individual user.
- Rejected: This solution is more complex and inappropriate for a single consultant who needs controlled access. It is not the right tool for providing individual user access to specific VPCs.

C) Create an AWS Client VPN endpoi...

Author: Vikram · Last updated May 23, 2026