Visit here for our full Amazon AWS Certified Security – Specialty SCS-C02 exam dumps and practice test questions.
Question 61
An application requires temporary elevated privileges to perform administrative tasks during specific maintenance windows. Which approach implements this requirement securely?
A) Create an IAM user with administrative privileges and share credentials during maintenance windows
B) Use IAM roles with temporary elevated permissions that can be assumed during maintenance windows with MFA requirement
C) Add administrative policies to application IAM roles permanently
D) Use the root account during maintenance windows
Answer: B
Explanation:
Time-limited privilege elevation is a security best practice that grants elevated access only when needed and for limited durations. Permanent administrative privileges increase security risks because compromised credentials provide attackers with broad access. Temporary privilege elevation combined with strong authentication ensures that elevated access is controlled and auditable.
IAM roles designed for elevated privileges can include trust policies that require multi-factor authentication before the role can be assumed. The roles would have administrative permissions necessary for maintenance tasks. During maintenance windows, authorized personnel assume these roles using MFA, receiving temporary credentials with elevated permissions. After the session expires, elevated access automatically ends.
The MFA requirement ensures that even if regular credentials are compromised, attackers cannot assume elevated privilege roles without the second authentication factor. Role assumption events are logged in CloudTrail, providing audit trails showing who assumed elevated privileges, when they did so, and what actions they performed. This approach implements time-bound privilege elevation with strong authentication controls.
A) Creating IAM users with administrative privileges and sharing credentials is a severe security anti-pattern. Shared credentials eliminate accountability because multiple people use the same identity. Credential sharing also makes rotation difficult and increases compromise risk. This approach violates fundamental security principles.
B) This is the correct answer because IAM roles provide temporary credentials that automatically expire, MFA requirements add strong authentication before privilege elevation, role assumption is fully auditable through CloudTrail, and access is limited to maintenance windows when roles are assumed.
C) Adding administrative policies permanently grants continuous elevated privileges rather than time-limited elevation during maintenance windows. Permanent administrative access violates least privilege principles and increases the risk window for credential compromise or misuse. This approach does not implement time-bound privilege elevation.
D) Using the root account for any operational tasks is a critical security violation. Root account usage should be reserved for a very limited set of account management tasks and should never be used for application maintenance or administrative operations. Root account compromise has catastrophic consequences.
Question 62
A company needs to implement network-level DDoS protection for applications running on EC2 instances behind a Network Load Balancer. Which AWS service provides this capability?
A) AWS WAF
B) AWS Shield Standard
C) AWS Shield Advanced
D) Amazon GuardDuty
Answer: C
Explanation:
Distributed Denial of Service attacks overwhelm systems with massive volumes of traffic, making services unavailable to legitimate users. Network-level DDoS attacks target infrastructure layers using techniques like SYN floods, UDP reflection attacks, and volumetric attacks. Organizations need DDoS protection that can absorb large-scale attacks while maintaining service availability.
AWS Shield Standard provides automatic DDoS protection for all AWS customers at no additional cost, defending against common network and transport layer attacks. However, Shield Advanced provides enhanced DDoS protection with additional capabilities including protection for applications on EC2 instances and Network Load Balancers, 24/7 access to the AWS DDoS Response Team, advanced attack diagnostics, and cost protection against scaling charges during attacks.
Shield Advanced integrates with Network Load Balancers to detect and mitigate sophisticated DDoS attacks targeting application infrastructure. The service uses advanced traffic analysis and machine learning to distinguish attack traffic from legitimate traffic, automatically applying mitigations. Shield Advanced also provides real-time attack notifications and detailed attack diagnostics through CloudWatch metrics and DRT support.
A) AWS WAF protects against web exploits at the application layer (Layer 7) by filtering HTTP/HTTPS requests. WAF does not protect against network-layer DDoS attacks that target infrastructure. WAF is designed for application-level protection rather than volumetric network attacks.
B) AWS Shield Standard provides baseline DDoS protection automatically enabled for all AWS customers. While Shield Standard protects against common network attacks, it does not provide the enhanced protection, DRT access, or advanced features required for comprehensive protection of EC2 instances behind Network Load Balancers. Shield Standard lacks the advanced capabilities of Shield Advanced.
C) This is the correct answer because Shield Advanced provides enhanced DDoS protection specifically for EC2 instances and Network Load Balancers, includes 24/7 access to AWS DDoS Response Team, offers advanced attack detection and mitigation, and provides cost protection during DDoS attacks.
D) Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior. GuardDuty does not provide DDoS protection or mitigation capabilities. GuardDuty detects threats through log analysis but does not actively defend against network-layer attacks.
Question 63
An organization must ensure that security group changes in production accounts are automatically reverted if they allow unrestricted access from the internet. Which AWS service implements this automated remediation?
A) AWS Config with remediation actions
B) AWS CloudTrail with Lambda functions
C) Amazon EventBridge with SNS notifications
D) AWS Security Hub with custom actions
Answer: A
Explanation:
Automated remediation of security misconfigurations reduces the window of exposure when security controls are weakened. Security group changes that allow unrestricted internet access create immediate risks by exposing resources to potential attacks. Automated detection and remediation ensure that misconfigurations are corrected rapidly without waiting for manual intervention.
AWS Config continuously monitors resource configurations and evaluates them against compliance rules. AWS Config includes managed rules that detect security group misconfigurations such as unrestricted SSH, RDP, or general inbound access. When Config detects non-compliant security groups, it can automatically trigger remediation actions using Systems Manager Automation documents or Lambda functions.
Remediation actions for security group violations typically involve removing the offending inbound rules that allow unrestricted access or replacing them with properly restricted rules. Config can be configured to execute remediation automatically upon detection or require manual approval before remediating. The service maintains compliance history showing when violations occurred and when they were remediated.
A) This is the correct answer because AWS Config continuously monitors security group configurations, managed rules detect unrestricted inbound access, automatic remediation can revert non-compliant changes, and Systems Manager Automation provides pre-built remediation actions for security groups.
B) CloudTrail logs security group changes but does not continuously evaluate configurations for compliance. While Lambda functions could be triggered from CloudTrail events to revert changes, this requires custom development and does not provide the built-in compliance rules and remediation workflows that Config offers.
C) EventBridge routes events from various sources and can trigger actions, but it requires another service like Config to evaluate security group compliance. EventBridge with SNS provides notifications but does not include automated remediation capabilities. This combination is insufficient for automated compliance remediation.
D) Security Hub aggregates findings from various services including Config, but Security Hub does not perform continuous configuration monitoring or automated remediation. Custom actions in Security Hub can trigger responses but require integration with other services for the actual remediation execution.
Question 64
A security engineer needs to grant developers access to read CloudTrail logs for troubleshooting but prevent them from modifying or deleting logs. Which IAM policy configuration implements this requirement?
A) Grant full S3 access to the CloudTrail bucket
B) Grant s3:GetObject permission on the CloudTrail bucket with a deny statement for s3:DeleteObject and s3:PutObject
C) Use S3 bucket ACLs to provide read-only access
D) Make the CloudTrail bucket public with read-only access
Answer: B
Explanation:
IAM policies support explicit deny statements that override any allow statements, ensuring that even users with broad permissions cannot perform denied actions. For CloudTrail logs, organizations need to balance providing access for legitimate troubleshooting purposes while protecting log integrity by preventing modifications or deletions that could hide evidence of security incidents.
The IAM policy would include an allow statement granting s3:GetObject permission on the CloudTrail bucket and objects, enabling developers to read and download logs. An explicit deny statement for s3:DeleteObject, s3:PutObject, and related write operations ensures that developers cannot modify or delete logs regardless of other permissions they might have. Deny statements always take precedence over allow statements in IAM policy evaluation.
This approach implements least privilege by granting only the specific read permissions needed for troubleshooting while explicitly preventing actions that could compromise log integrity. The explicit deny provides a strong guarantee that log manipulation is prevented even if other policies inadvertently grant write permissions. This layered approach to access control ensures log protection.
A) Granting full S3 access to the CloudTrail bucket provides excessive permissions including the ability to delete and modify logs. Full access violates least privilege principles and fails to meet the requirement of preventing log modification or deletion. This approach provides unrestricted access rather than read-only access.
B) This is the correct answer because s3:GetObject allows reading CloudTrail logs for troubleshooting, explicit deny statements for delete and put operations prevent log modification or deletion, deny statements override any conflicting allow statements, and this implements least privilege with read-only access.
C) S3 bucket ACLs are a legacy access control mechanism that provides coarse-grained permissions. AWS recommends using IAM policies and bucket policies for modern access control. ACLs lack the fine-grained control and explicit deny capabilities that IAM policies provide for implementing secure read-only access.
D) Making the CloudTrail bucket public exposes logs to anyone on the internet, not just authorized developers. Public buckets create severe security risks including unauthorized access to sensitive audit information. This approach fails to implement proper access controls and violates security best practices.
Question 65
An application needs to encrypt data before storing it in DynamoDB using keys that never leave the organization’s hardware security modules (HSMs). Which approach meets this requirement?
A) Use DynamoDB encryption at rest with AWS KMS
B) Use AWS CloudHSM to generate and store encryption keys, perform encryption in application code before writing to DynamoDB
C) Enable client-side encryption with AWS Encryption SDK using KMS keys
D) Use DynamoDB encryption with customer-provided keys
Answer: B
Explanation:
Requirements that encryption keys never leave customer-controlled HSMs mandate client-side encryption where all cryptographic operations occur within the customer’s HSM infrastructure. This ensures complete control over key material and cryptographic processes, meeting stringent compliance and security requirements that AWS-managed encryption services cannot satisfy.
AWS CloudHSM provides dedicated, single-tenant HSMs under customer control where encryption keys can be generated and stored. Applications integrate with CloudHSM using industry-standard APIs to perform encryption operations. The application retrieves plaintext data, sends it to CloudHSM for encryption, receives encrypted data, and stores the encrypted data in DynamoDB. Keys never leave the HSM, and all encryption occurs within the hardware security boundary.
Decryption follows the reverse process where the application retrieves encrypted data from DynamoDB, sends it to CloudHSM for decryption, and receives plaintext data. This client-side encryption approach provides complete control over cryptographic operations and key management while using DynamoDB purely as encrypted data storage. The HSM-based encryption meets requirements for hardware-based key protection.
A) DynamoDB encryption at rest with KMS uses AWS-managed HSMs operated by AWS. While these HSMs are FIPS 140-2 validated, customers do not have exclusive control and keys exist within AWS infrastructure rather than organization-owned HSMs. This does not meet the requirement for keys that never leave the organization’s HSMs.
B) This is the correct answer because CloudHSM provides customer-controlled dedicated HSMs, keys are generated and stored in the organization’s HSMs, encryption occurs within HSM hardware boundaries, and keys never leave the customer-controlled HSM infrastructure.
C) The AWS Encryption SDK with KMS keys performs client-side encryption but uses KMS for key management. KMS keys are stored in AWS-managed HSMs, not in the organization’s HSMs. While this provides client-side encryption, it does not meet the requirement for keys that never leave organization-owned HSMs.
D) DynamoDB does not support customer-provided keys for encryption at rest. DynamoDB encryption uses either AWS-owned keys, AWS-managed keys, or customer-managed KMS keys, all of which are stored in AWS infrastructure rather than customer-controlled HSMs.
Question 66
A company requires that all Amazon ECS container instances be automatically patched and updated with the latest security fixes. Which approach implements this requirement?
A) Enable AWS Systems Manager Patch Manager for ECS container instances
B) Use AWS Fargate which automatically manages infrastructure patching
C) Create a Lambda function to manually patch ECS instances on a schedule
D) Enable automatic security updates in the ECS container OS
Answer: B
Explanation:
Container orchestration platforms require underlying infrastructure that must be maintained and secured. Traditional approaches using EC2-based ECS clusters require organizations to manage instance patching, updates, and security configurations. AWS Fargate eliminates this operational burden by providing serverless compute for containers where AWS manages all infrastructure including security patches.
AWS Fargate is a serverless compute engine for containers that removes the need to provision and manage EC2 instances. When using Fargate, AWS automatically handles infrastructure management including applying security patches, updating the underlying operating system, and maintaining infrastructure security. Organizations deploy container images to Fargate without managing any infrastructure.
Fargate provides isolation at the container level where each task runs in its own isolated compute environment. AWS continuously updates and patches the Fargate infrastructure, ensuring that containers run on secure, up-to-date platforms. This automatic patching occurs transparently without service disruptions or manual intervention, meeting the requirement for automatic security updates.
A) Systems Manager Patch Manager can manage EC2-based ECS container instances but requires configuration and maintenance of patching schedules, maintenance windows, and patch baselines. While Patch Manager provides automated patching, it still requires management of EC2 infrastructure. This approach works but involves more operational overhead than Fargate.
B) This is the correct answer because Fargate is serverless and AWS automatically manages infrastructure patching, security updates are applied automatically without user intervention, organizations do not manage underlying compute infrastructure, and Fargate provides infrastructure security maintenance without operational overhead.
C) Creating Lambda functions for manual patching introduces complexity, requires custom code development and maintenance, and creates potential for errors or missed patches. This approach is unnecessarily complex compared to using managed services designed for automated patching.
D) Enabling automatic security updates within container operating systems requires configuring each instance and ensuring update processes run successfully. This approach requires managing the update mechanism and does not fully eliminate the infrastructure management burden. It also does not address patching for the host OS underlying the containers.
Question 67
A security team needs to analyze AWS service usage patterns to detect potential security risks such as unused IAM users, overly permissive policies, or resource misconfigurations. Which AWS service provides these insights?
A) AWS Trusted Advisor
B) AWS Cost Explorer
C) Amazon CloudWatch Insights
D) AWS Personal Health Dashboard
Answer: A
Explanation:
Identifying security risks through analysis of AWS configurations and usage patterns helps organizations improve their security posture proactively. Many security issues result from unused resources, excessive permissions, or configuration drift rather than active attacks. Automated analysis tools that evaluate account configurations and provide actionable recommendations enable continuous security improvement.
AWS Trusted Advisor provides real-time guidance to help optimize AWS environments across five categories including security, cost optimization, performance, fault tolerance, and service limits. For security, Trusted Advisor checks for common security issues such as unrestricted security group access, IAM users without MFA, unused IAM credentials, S3 buckets with public access, and exposed access keys.
Trusted Advisor security checks evaluate configurations against AWS best practices and generate recommendations for remediation. The service identifies specific resources with security issues and provides actionable guidance for fixing them. Higher support tiers provide access to additional Trusted Advisor checks and the ability to integrate findings with other AWS services for automated remediation.
A) This is the correct answer because Trusted Advisor analyzes AWS configurations for security risks, identifies unused IAM users and excessive permissions, detects resource misconfigurations like public S3 buckets, and provides actionable recommendations for improving security posture.
B) AWS Cost Explorer analyzes spending patterns and provides cost optimization recommendations. While Cost Explorer can identify unused resources from a cost perspective, it does not evaluate security configurations or permissions. Cost Explorer focuses on financial optimization rather than security analysis.
C) Amazon CloudWatch Insights provides log analysis and querying capabilities for troubleshooting and performance monitoring. CloudWatch does not evaluate IAM policies, detect unused users, or analyze security configurations. CloudWatch focuses on operational monitoring rather than security configuration analysis.
D) AWS Personal Health Dashboard provides information about AWS service events that might affect resources in customer accounts. The dashboard shows service disruptions, scheduled maintenance, and notifications about resources. It does not analyze security configurations or identify security risks in account setups.
Question 68
An organization must ensure that deleted S3 objects can be recovered for 30 days after deletion to protect against accidental or malicious deletion. Which S3 feature implements this requirement?
A) S3 Object Lock
B) S3 Versioning
C) S3 Lifecycle policies
D) S3 Inventory
Answer: B
Explanation:
Protecting against data loss from accidental or malicious deletion requires mechanisms that preserve deleted data for recovery. Simple deletion operations should not permanently destroy data immediately. S3 Versioning provides object-level protection by maintaining multiple versions of objects, including preserving objects after deletion operations.
When S3 Versioning is enabled on a bucket, S3 preserves every version of every object. When an object is deleted, instead of permanently removing it, S3 creates a delete marker and preserves all previous versions. The object appears deleted in normal listings, but previous versions remain accessible and can be restored by removing the delete marker or copying a previous version.
Versioning protects against both accidental deletions and malicious deletion attempts. Even if an attacker with write permissions deletes objects, the versions remain in the bucket and can be restored. Organizations can implement lifecycle policies that permanently delete old versions after the 30-day recovery window, automatically cleaning up versions while maintaining the protection period.
A) S3 Object Lock prevents deletion or modification of objects for specified retention periods and is designed for compliance requirements. While Object Lock can prevent deletion, it does not specifically address recovery after deletion. Object Lock is about preventing changes rather than enabling recovery of deleted data.
B) This is the correct answer because S3 Versioning preserves all versions of objects including after deletion, delete operations create delete markers rather than permanent deletion, previous versions can be restored during the recovery period, and versioning protects against accidental and malicious deletions.
C) S3 Lifecycle policies automate transitioning objects between storage classes and expiring objects. Lifecycle policies can complement versioning by removing old versions after retention periods, but lifecycle policies alone do not preserve deleted objects for recovery. They manage object lifecycle rather than provide deletion protection.
D) S3 Inventory generates lists of objects and their metadata for storage management and analytics. Inventory reports show what objects exist but do not preserve deleted objects or enable recovery. Inventory is a reporting tool rather than a data protection feature.
Question 69
A company needs to implement centralized logging for all VPC Flow Logs across multiple AWS accounts and regions. Logs must be searchable and retained for 90 days. Which solution meets these requirements?
A) Send VPC Flow Logs to CloudWatch Logs in each account with 90-day retention
B) Send VPC Flow Logs to a central S3 bucket and use Amazon Athena for searching
C) Use VPC Flow Logs with CloudTrail for centralized logging
D) Configure VPC Flow Logs to send to Amazon Kinesis Data Streams
Answer: B
Explanation:
Centralizing logs from multiple accounts and regions into a single location simplifies analysis, reduces management overhead, and enables comprehensive security investigations that span organizational boundaries. VPC Flow Logs generate significant data volumes, requiring cost-effective storage solutions that support complex queries and analysis.
S3 provides durable, cost-effective storage for large volumes of log data. VPC Flow Logs from multiple accounts and regions can be configured to deliver logs to a central S3 bucket in a dedicated logging account. Cross-account permissions allow VPC Flow Logs services in member accounts to write logs to the central bucket. S3 lifecycle policies can automatically delete logs older than 90 days, meeting retention requirements.
Amazon Athena enables SQL-based queries directly against S3 data without requiring data loading or infrastructure management. Security teams can write complex queries to search flow logs across all accounts and regions simultaneously, analyzing traffic patterns, identifying suspicious connections, or investigating security incidents. Athena pricing is based on data scanned, making it cost-effective for periodic analysis of large log volumes.
A) Sending Flow Logs to CloudWatch Logs in each account creates distributed logging that complicates cross-account analysis and investigation. Querying logs across multiple accounts requires accessing each account separately. CloudWatch Logs is also more expensive than S3 for long-term log retention, making it less cost-effective for 90-day retention at scale.
B) This is the correct answer because S3 provides centralized, cost-effective storage for logs from multiple accounts, Athena enables SQL-based searching across all logs without infrastructure management, S3 lifecycle policies automate 90-day retention, and the solution scales to handle large log volumes efficiently.
C) CloudTrail logs API calls and management events but does not process or centralize VPC Flow Logs. CloudTrail and VPC Flow Logs serve different purposes and operate independently. CloudTrail cannot be used to centralize VPC Flow Log data.
D) Kinesis Data Streams provides real-time data streaming but requires consumers to process and store data. Kinesis alone does not provide storage, retention management, or search capabilities. Additional components would be needed to store logs and enable searching, making this a partial solution that requires significant additional architecture.
Question 70
An application requires that API requests to AWS services include proof that they originated from approved devices. Which AWS service provides this capability?
A) AWS IAM with MFA requirements
B) AWS Device Farm
C) AWS Verified Access
D) AWS Certificate Manager
Answer: A
Explanation:
Verifying the source of API requests enhances security by ensuring that requests originate from trusted devices rather than potentially compromised or unauthorized systems. Multi-factor authentication provides a mechanism for proving possession of approved devices through cryptographic tokens or one-time passwords generated by registered MFA devices.
IAM supports MFA requirements through policy conditions that mandate MFA authentication before allowing specific actions. The aws:MultiFactorAuthPresent condition key checks whether the request was authenticated with MFA. Policies can require MFA for sensitive operations such as deleting resources, modifying security configurations, or accessing production systems, ensuring these actions can only be performed from devices with registered MFA.
Virtual MFA devices like Google Authenticator or hardware MFA devices like YubiKeys serve as approved devices for authentication. Users must possess and authenticate with these devices to perform MFA-protected actions. The MFA device proves possession of an approved authentication factor beyond just username and password, adding a strong security layer that verifies the request source.
A) This is the correct answer because IAM policy conditions can require MFA for API requests, MFA devices serve as approved device verification, the aws:MultiFactorAuthPresent condition enforces MFA requirements, and MFA provides cryptographic proof of device possession during authentication.
B) AWS Device Farm is a testing service for mobile and web applications that provides real devices for testing. Device Farm does not provide device verification for API requests or authentication purposes. This service addresses application testing rather than API security.
C) AWS Verified Access provides secure access to corporate applications without VPN by verifying device security posture and user identity. While Verified Access verifies devices, it is designed for application access scenarios rather than AWS API request authentication. Verified Access operates at the application layer for custom applications.
D) AWS Certificate Manager provisions and manages SSL/TLS certificates for securing network communications. ACM does not verify device identity or provide device-based authentication for API requests. Certificate Manager addresses encryption and server authentication rather than client device verification.
Question 71
A security engineer needs to detect when EC2 instances are communicating with known malicious IP addresses. Which AWS service provides this capability?
A) Amazon VPC Flow Logs
B) Amazon GuardDuty
C) AWS WAF
D) AWS Shield
Answer: B
Explanation:
Detecting communication with malicious IP addresses requires threat intelligence that identifies known bad actors and continuous monitoring of network traffic to identify suspicious connections. Manual analysis of network logs is time-consuming and difficult to scale. Automated threat detection services that integrate threat intelligence with network monitoring provide effective detection of malicious communications.
Amazon GuardDuty analyzes VPC Flow Logs, CloudTrail logs, and DNS logs using machine learning and integrated threat intelligence feeds. GuardDuty maintains lists of known malicious IP addresses associated with command and control servers, cryptocurrency mining pools, malware distribution, and other malicious activities. When instances communicate with these malicious addresses, GuardDuty generates findings with detailed information about the threat.
GuardDuty findings include the instance ID, IP addresses involved, threat type, and severity rating. The findings integrate with EventBridge for automated response workflows such as isolating compromised instances, sending notifications to security teams, or triggering forensic investigations. GuardDuty continuously updates its threat intelligence, detecting new threats as they emerge without requiring manual updates or configuration changes.
A) VPC Flow Logs capture network traffic metadata but do not include threat intelligence or detection capabilities. Flow logs provide raw data showing connections but require separate analysis to identify malicious IP addresses. Organizations would need to implement custom analysis comparing flow log IPs against threat feeds, which is complex and operationally intensive.
B) This is the correct answer because GuardDuty continuously monitors network communications, integrates threat intelligence identifying known malicious IP addresses, automatically detects instances communicating with threats, and generates detailed findings with severity ratings and response guidance.
C) AWS WAF protects web applications by filtering HTTP/HTTPS requests based on rules. WAF operates at the application layer and does not monitor general instance network communications or detect connections to malicious IP addresses at the network layer. WAF focuses on web exploit protection rather than network threat detection.
D) AWS Shield provides DDoS protection against volumetric attacks but does not monitor outbound instance communications or detect connections to malicious IP addresses. Shield defends against inbound attack traffic rather than detecting suspicious outbound communications that might indicate compromise.
Question 72
An organization requires that all AWS API calls from administrators include justification comments explaining the reason for each action. How can this requirement be implemented?
A) Use AWS CloudTrail to log all API calls with automatic comment capture
B) Create a custom API gateway that requires comments before forwarding requests to AWS services
C) Use AWS Service Catalog with approval workflows requiring justification
D) Implement tags on all resources with justification information
Answer: B
Explanation:
Requiring justification for administrative actions creates accountability and provides valuable context during security investigations and compliance audits. While AWS APIs do not natively support justification fields, organizations can implement intermediary layers that capture justification before forwarding requests to AWS services. This approach adds governance without modifying AWS service behaviors.
A custom API gateway built with Amazon API Gateway and Lambda functions can intercept administrative API requests, validate that justification comments are included in request parameters or headers, store justifications in a database or log system, and forward authenticated requests to AWS services. The gateway acts as a proxy that enforces justification requirements before allowing operations to proceed.
The Lambda function behind the API gateway validates justification format and completeness, logs the justification along with the request details, and uses AWS SDK to execute the actual API call using appropriate service roles. All administrative tools and scripts would be configured to send requests through the gateway rather than directly to AWS services. IAM policies can restrict direct API access, ensuring all requests flow through the justification gateway.
A) CloudTrail logs API calls with extensive metadata including user identity, timestamp, source IP, and request parameters, but AWS APIs do not include standard justification fields that CloudTrail could automatically capture. CloudTrail logs what users provide in API requests but cannot enforce that justifications are included.
B) This is the correct answer because a custom API gateway can intercept API requests before they reach AWS services, enforce requirements for justification comments, log justifications with request details, and provide a governance layer ensuring all administrative actions include explanations.
C) AWS Service Catalog provisions approved products with governance workflows but focuses on resource provisioning rather than general API call governance. Service Catalog cannot intercept arbitrary AWS API calls across all services or enforce justification requirements for ad-hoc administrative actions outside of catalog provisioning.
D) Resource tags provide metadata about resources but do not capture justifications for individual API calls or actions. Tags are applied to resources, not to API operations. While tags can indicate resource purpose, they do not provide per-action justification or governance for administrative operations.
Question 73
A company must ensure that all data written to Amazon S3 is scanned for malware before being processed by downstream applications. Which approach implements this requirement?
A) Enable S3 Object Lock to prevent malware storage
B) Use S3 event notifications to trigger Lambda functions that scan uploaded objects with antivirus software
C) Enable S3 versioning to protect against malware
D) Use AWS WAF to scan S3 uploads
Answer: B
Explanation:
Scanning files for malware before processing prevents infected files from compromising systems or spreading malware through application workflows. S3 serves as an entry point for file uploads in many architectures, making it critical to scan objects for threats before downstream systems access them. Event-driven architectures enable automated scanning immediately upon upload.
S3 event notifications trigger Lambda functions when objects are created in buckets. The Lambda function receives event details including bucket name and object key, downloads the object, scans it using antivirus libraries or external scanning services, and takes action based on scan results. Clean files can be tagged or moved to approved locations, while infected files can be quarantined, deleted, or flagged for security review.
Commercial antivirus solutions provide libraries and APIs that Lambda functions can integrate with for scanning. Alternatively, open-source solutions like ClamAV can be packaged into Lambda layers. The scanning architecture can be enhanced with SNS notifications alerting security teams of infected files, automatic quarantine to isolated buckets, and preventing downstream systems from accessing unscanned or infected objects through bucket policies.
A) S3 Object Lock prevents object deletion or modification for compliance and retention purposes but does not scan objects for malware or prevent malicious file uploads. Object Lock ensures immutability but does not provide content inspection or threat detection capabilities.
B) This is the correct answer because S3 event notifications trigger immediate scanning upon upload, Lambda functions can integrate antivirus software to scan objects, infected files can be automatically quarantined or deleted, and the solution prevents malware from reaching downstream applications.
C) S3 versioning preserves object versions including deleted objects but does not scan for malware or prevent malicious uploads. Versioning provides data protection and recovery but not content inspection or threat detection. Versioning would preserve malware-infected versions rather than detecting or preventing them.
D) AWS WAF protects web applications by filtering HTTP/HTTPS requests at the application layer but does not scan file contents uploaded to S3. WAF cannot inspect or scan objects stored in S3 buckets. WAF operates on HTTP requests before they reach applications, not on stored object contents.
Question 74
A security team needs to ensure that Amazon RDS instances cannot be modified to become publicly accessible. Which approach prevents this configuration change?
A) Use IAM policies to deny ModifyDBInstance API calls that set PubliclyAccessible to true
B) Place RDS instances in private subnets only
C) Enable RDS deletion protection
D) Use NACLs to block public internet access
Answer: A
Explanation:
Preventing RDS instances from becoming publicly accessible requires controls that block the configuration change at the API level. While network placement in private subnets provides defense-in-depth, administrators with appropriate permissions could still modify the PubliclyAccessible attribute. IAM policies that explicitly deny specific parameter combinations provide preventive controls at the authorization layer.
IAM policies support conditions that evaluate specific parameters in API requests. For the ModifyDBInstance API call, policies can include conditions checking whether the PubliclyAccessible parameter is being set to true. An explicit deny statement for modifications that would make instances publicly accessible blocks these changes regardless of other permissions the user might have.
The policy would use the rds:DatabaseClass or request parameter conditions to evaluate the PubliclyAccessible setting in modification requests. When combined with Service Control Policies for organization-wide enforcement, this approach ensures that RDS instances cannot be made publicly accessible even by users with broad database administration permissions. The preventive control blocks risky configurations before they take effect.
A) This is the correct answer because IAM policies can explicitly deny API calls with specific parameters, conditions can check the PubliclyAccessible parameter in ModifyDBInstance requests, explicit denies override any allow permissions, and this prevents the configuration change at the authorization layer.
B) Placing RDS in private subnets provides network-level protection and is a best practice, but administrators can still modify the PubliclyAccessible setting even for instances in private subnets. While the instance may not actually be reachable from the internet due to network configuration, the setting can still be changed, which violates security policy and creates confusion.
C) RDS deletion protection prevents accidental database deletion but does not control whether instances can be configured as publicly accessible. Deletion protection and public accessibility are separate configuration settings with different security purposes. Deletion protection does not prevent configuration changes.
D) NACLs provide subnet-level network filtering but do not prevent configuration changes to the PubliclyAccessible setting. NACLs can block traffic even if the setting is enabled, but they do not prevent the configuration change itself. The approach addresses symptoms rather than preventing the undesired configuration.
Question 75
An application requires encryption of data in transit between EC2 instances in different availability zones within the same region. Which approach provides this encryption?
A) VPC traffic is automatically encrypted between availability zones
B) Implement TLS/SSL at the application layer for inter-instance communications
C) Use VPN connections between availability zones
D) Enable VPC endpoint encryption
Answer: B
Explanation:
Traffic between EC2 instances within a VPC, including across availability zones, flows over AWS network infrastructure. While this traffic does not traverse the public internet and benefits from AWS network security, it is not automatically encrypted at the packet level. Organizations with requirements for encrypted inter-instance communications must implement encryption at the application or transport layer.
Transport Layer Security provides encrypted communications between clients and servers, protecting data in transit from interception or tampering. Applications can establish TLS connections between EC2 instances, encrypting all data transmitted over those connections. This approach works for any IP-based communication and is independent of network topology or instance placement.
Implementing TLS requires applications to use SSL/TLS libraries, configure certificates for server authentication, and establish encrypted connections instead of plaintext protocols. For example, web services would use HTTPS instead of HTTP, databases would use SSL/TLS connection options, and custom applications would use TLS libraries for socket communications. This provides end-to-end encryption under application control.
A) AWS VPC traffic between availability zones in the same region is not automatically encrypted at the packet level. While traffic flows over AWS private network infrastructure and does not traverse the public internet, it is transmitted in plaintext unless applications implement encryption. This is a common misconception about VPC networking.
B) This is the correct answer because TLS/SSL provides application-layer encryption for inter-instance communications, works across availability zones and any network topology, is implemented by applications using standard encryption protocols, and provides end-to-end encryption under application control.
C) VPN connections are designed for connecting remote networks to VPCs or between VPCs, not for encrypting traffic between instances within the same VPC. Setting up VPN connections between instances in the same VPC would be architecturally complex, create unnecessary overhead, and is not the intended use case for VPN technology.
D) VPC endpoints provide private connectivity to AWS services and do not encrypt traffic between EC2 instances. VPC endpoints are gateways for accessing AWS services like S3 and DynamoDB privately, not mechanisms for encrypting inter-instance traffic within the VPC.
Question 76
A company needs to implement audit logging showing all changes to AWS Organizations policies and account structures. Which service provides this information?
A) AWS CloudTrail in the management account
B) AWS Config in all member accounts
C) Amazon CloudWatch Logs
D) AWS Service Catalog
Answer: A
Explanation:
AWS Organizations operates at the account management layer where organizational units, accounts, and Service Control Policies are managed from a central management account. API calls that modify organizational structures and policies are made against the Organizations service and must be logged in the management account where Organizations operations are performed.
CloudTrail in the management account captures all AWS Organizations API calls including CreateAccount, AttachPolicy, CreateOrganizationalUnit, MoveAccount, and policy modification operations. These logs show who made organizational changes, when they occurred, what changes were made, and the results of operations. Organizations API activity appears in CloudTrail logs for the management account because Organizations is a global service accessed from that account.
For comprehensive audit logging across an organization, organization trails can be configured in CloudTrail to automatically log activity from all member accounts to a central location. However, for Organizations service operations specifically, logging must be enabled in the management account where Organizations API calls are made. These logs are essential for auditing organizational governance and detecting unauthorized structural changes.
A) This is the correct answer because AWS Organizations operations are performed in the management account, CloudTrail in the management account captures all Organizations API calls, logs include detailed information about policy and structure changes, and this provides comprehensive audit trails for organizational governance.
B) AWS Config in member accounts monitors resource configurations within those accounts but does not capture AWS Organizations operations that occur at the organizational level in the management account. Config focuses on resource-level configuration rather than account-level organizational structure and policies.
C) CloudWatch Logs aggregates and stores logs from various sources but does not automatically capture AWS Organizations API calls. CloudTrail would need to send logs to CloudWatch Logs for centralized storage and analysis. CloudWatch Logs is a destination for logs rather than a source of Organizations audit information.
D) AWS Service Catalog provides self-service provisioning of approved products but does not log AWS Organizations operations. Service Catalog focuses on resource provisioning governance rather than organizational structure management. Service Catalog does not provide audit logging for Organizations changes.
Question 77
An organization requires that all cryptographic keys used for data encryption support automatic annual rotation. Which AWS service meets this requirement?
A) AWS KMS with customer managed keys and automatic rotation enabled
B) AWS CloudHSM with manual key rotation
C) AWS Secrets Manager
D) AWS Certificate Manager
Answer: A
Explanation:
Regular cryptographic key rotation is a security best practice that limits the amount of data encrypted with any single key and reduces the impact of potential key compromise. Automatic rotation eliminates the operational burden of manual key rotation and ensures consistent compliance with rotation policies. AWS KMS provides built-in automatic rotation capabilities for customer managed keys.
When automatic key rotation is enabled for customer managed KMS keys, AWS automatically rotates the backing key material annually. KMS generates new cryptographic material while keeping the same key ID and ARN, ensuring that applications and configurations continue working without changes. KMS maintains all previous versions of key material to decrypt data encrypted with older versions while using new material for encryption operations.
The rotation process is transparent to applications using the key. AWS handles the complexity of managing multiple key versions, ensuring that encryption uses current material while decryption works for data encrypted with any previous version. This automatic rotation provides strong security hygiene without requiring application modifications or manual key management procedures.
A) This is the correct answer because KMS customer managed keys support automatic annual rotation, rotation is managed by AWS without manual intervention, previous key versions are maintained for decrypting existing data, and applications continue working without changes after rotation.
B) AWS CloudHSM provides customer-controlled HSMs but requires manual key rotation procedures. CloudHSM does not include automatic rotation features, as customers have complete control over key lifecycle management. Manual rotation requires custom procedures and operational effort, failing to meet the automatic rotation requirement.
C) AWS Secrets Manager stores and rotates application secrets like database credentials but is not designed for managing cryptographic keys used for data encryption. Secrets Manager focuses on secrets management rather than encryption key rotation, though it can use KMS for encrypting stored secrets.
D) AWS Certificate Manager manages SSL/TLS certificates for secure communications but does not manage cryptographic keys for data encryption. ACM focuses on certificate lifecycle management including renewal but does not provide data encryption key rotation capabilities.
Question 78
A security engineer needs to restrict S3 bucket access to requests that originate from a specific VPC endpoint. Which S3 bucket policy condition implements this requirement?
A) aws:SourceVpc condition checking the VPC ID
B) aws:SourceVpce condition checking the VPC endpoint ID
C) aws:SourceIp condition with VPC CIDR ranges
D) s3:LocationConstraint condition
Answer: B
Explanation:
Restricting S3 access to specific VPC endpoints ensures that bucket access only occurs through approved network paths. This prevents direct internet access to buckets and ensures that all access flows through designated VPC endpoints where additional network controls can be applied. S3 bucket policies support condition keys that evaluate the source VPC endpoint of requests.
The aws:SourceVpce condition key checks whether requests arrive through a specific VPC endpoint. When included in S3 bucket policies, this condition allows requests only from designated VPC endpoint IDs, denying requests from the internet or other VPC endpoints. This provides fine-grained control over network paths used for S3 access.
Bucket policies combining aws:SourceVpce conditions with resource permissions ensure that data access occurs only through approved network routes. Even authenticated users with valid credentials cannot access the bucket unless their requests route through the specified VPC endpoint. This network-based access control complements identity-based permissions for defense-in-depth.
A) The aws:SourceVpc condition checks the VPC ID from which requests originate but provides coarser control than checking specific VPC endpoints. Multiple VPC endpoints could exist in the same VPC, and SourceVpc does not distinguish between them. For precise control over which VPC endpoint is used, SourceVpce is more appropriate.
B) This is the correct answer because aws:SourceVpce specifically checks the VPC endpoint ID, allows restricting access to designated VPC endpoints, provides precise control over network paths for S3 access, and can be combined with resource permissions in bucket policies.
C) The aws:SourceIp condition checks request source IP addresses but cannot reliably identify VPC endpoint traffic. Requests through VPC endpoints and requests through internet gateways from the same IP ranges would both match. SourceIp does not provide the network path specificity needed to ensure VPC endpoint usage.
D) The s3:LocationConstraint condition restricts bucket creation to specific regions but does not control access paths or network routing for existing buckets. LocationConstraint addresses data residency requirements rather than network-based access control.
Question 79
A company must ensure that EC2 instances can only be launched from approved AMIs that have been hardened and validated by the security team. Which combination of AWS services enforces this requirement?
A) AWS Service Catalog with approved AMI products
B) AWS Systems Manager with Run Command
C) AWS Config with custom Lambda functions
D) Amazon EC2 Image Builder with automated pipelines
Answer: A
Explanation:
Ensuring that only approved, hardened AMIs are used for EC2 instances requires governance mechanisms that provide self-service capabilities while enforcing security policies. Users need convenient ways to launch instances while security teams maintain control over which AMIs are available. AWS Service Catalog provides governed self-service for AWS resources including EC2 instances.
Service Catalog allows organizations to create portfolios of approved products, where each product defines a CloudFormation template for launching resources. EC2 products can be configured with specific approved AMI IDs, instance types, security groups, and other parameters. When users launch instances through Service Catalog, they can only use the approved AMI IDs defined in the products.
IAM policies can restrict EC2 instance launch permissions, requiring users to launch instances through Service Catalog rather than directly through EC2 APIs. This combination of Service Catalog for governed provisioning and IAM policies preventing direct launches ensures that all instances use approved AMIs. The security team maintains the catalog of approved products, updating AMI IDs as new hardened images are released.
A) This is the correct answer because Service Catalog provides governed self-service for EC2 launches, products can be configured with approved AMI IDs only, IAM policies can restrict direct EC2 launches requiring Service Catalog usage, and security teams control which AMIs are available through catalog management.
B) Systems Manager Run Command executes commands on managed instances but does not control AMI selection during instance launches. Run Command is designed for executing operational tasks on existing instances rather than governing resource provisioning or enforcing AMI requirements during launches.
C) AWS Config with custom Lambda functions can detect instances launched from non-approved AMIs and trigger remediation, but this approach is detective rather than preventive. Instances would be launched from unapproved AMIs before being detected and remediated, creating a security risk window. Detective controls are less effective than preventive controls for this requirement.
D) EC2 Image Builder automates building, testing, and distributing AMIs, helping security teams create hardened images. However, Image Builder does not enforce that instances can only be launched from approved AMIs. Image Builder creates AMIs but does not provide governance over which AMIs users can select when launching instances.
Question 80
A security team discovers unusual data transfer volumes from an EC2 instance to external IP addresses. They need to investigate which processes are responsible for the network activity. Which approach provides this visibility?
A) Analyze VPC Flow Logs for the instance
B) Use AWS Systems Manager Session Manager to access the instance and inspect process network activity
C) Review CloudTrail logs for API calls
D) Enable CloudWatch detailed monitoring
Answer: B
Explanation:
Investigating unusual network activity requires visibility into processes running on the instance and their network connections. While VPC Flow Logs show network-level traffic metadata, they do not provide information about which processes are generating traffic. Forensic investigations require accessing the instance operating system to examine running processes, established connections, and system logs.
AWS Systems Manager Session Manager provides secure shell access to EC2 instances without requiring SSH keys, bastion hosts, or open inbound ports. Security teams can connect to instances through Session Manager to run diagnostic commands like netstat, lsof, ps, or Windows Task Manager to identify processes with active network connections. This investigation occurs without modifying instance network security groups.
During forensic investigations, Session Manager provides several advantages including centralized access logging showing who accessed instances and when, session recordings for audit purposes, no need to expose SSH/RDP ports reducing attack surface, and IAM-based access control without managing SSH keys. Investigators can examine process details, network connections, and system state to determine the source of unusual network activity.
A) VPC Flow Logs show network traffic metadata including source and destination IP addresses, ports, and byte counts but do not identify which processes on the instance are generating traffic. Flow Logs provide network-level visibility but not process-level detail needed for forensic investigations.
B) This is the correct answer because Session Manager provides secure instance access without requiring open SSH/RDP ports, investigators can run diagnostic commands to identify processes responsible for network activity, access is fully logged and auditable, and this enables detailed forensic investigation at the OS level.
C) CloudTrail logs AWS API calls made by users and services but does not capture information about processes running on EC2 instances or their network activity. CloudTrail logs actions taken through AWS APIs, not operating system-level process behavior or network connections.
D) CloudWatch detailed monitoring provides additional instance metrics at one-minute intervals but does not include process-level information or identify which processes are generating network traffic. CloudWatch metrics show aggregate instance behavior but lack the granularity needed for forensic process investigation.
