Visit here for our full Amazon AWS Certified Security – Specialty SCS-C02 exam dumps and practice test questions.
Question 181
A security team needs to ensure that Amazon RDS database parameter groups cannot be modified to disable SSL/TLS requirements. Which solution enforces this?
A) Manually monitor parameter group changes monthly
B) Use IAM policies denying ModifyDBParameterGroup actions that would disable SSL/TLS parameters
C) Enable RDS encryption at rest
D) Use AWS Config to detect parameter changes
Answer: B
Explanation:
RDS parameter groups control database engine configuration including SSL/TLS enforcement. Preventing parameter modifications that weaken security requires IAM policies evaluating parameter changes. Policies can deny ModifyDBParameterGroup operations attempting to disable SSL/TLS-related parameters.
IAM policies can use custom authorization logic or Lambda-backed authorization to evaluate parameter changes in ModifyDBParameterGroup requests. Policies identify attempts to set SSL/TLS-related parameters (like require_secure_transport for MySQL or rds.force_ssl for PostgreSQL) to values disabling encryption and deny those requests.
Service Control Policies provide organization-wide enforcement preventing any account from disabling SSL/TLS in RDS parameter groups. Combined with Config rules detecting non-compliant parameter groups, this defense-in-depth approach ensures SSL/TLS requirements remain enforced across all databases.
A) Manual monthly monitoring is reactive and introduces 30-day windows where SSL/TLS could be disabled. During these periods, databases accept unencrypted connections, creating security vulnerabilities. Manual processes don’t provide preventive controls or scale effectively.
B) This is the correct answer because IAM policies can evaluate ModifyDBParameterGroup requests for SSL/TLS parameter changes, policies deny operations that disable SSL/TLS requirements, preventive controls block security-weakening modifications, and this ensures SSL/TLS enforcement remains active.
C) RDS encryption at rest protects stored data but doesn’t control SSL/TLS connection requirements. Rest encryption and transit encryption are separate controls. Rest encryption alone doesn’t prevent parameter changes disabling SSL/TLS.
D) AWS Config detects parameter group changes after they occur but doesn’t prevent modifications. Config is reactive, identifying disabled SSL/TLS after configuration changes. Preventive controls blocking parameter modifications are more effective.
Question 182
An organization requires that EC2 instances be automatically isolated from the network when GuardDuty detects cryptocurrency mining activity. Which solution implements this?
A) Manually isolate instances when notified
B) Use GuardDuty findings with EventBridge to trigger Lambda functions that replace instance security groups with an isolation security group
C) Terminate instances immediately
D) Use Systems Manager to stop instances
Answer: B
Explanation:
Automated incident response for cryptocurrency mining requires immediate network isolation preventing continued mining while preserving instances for forensic analysis. GuardDuty detects mining through behavioral analysis, while EventBridge enables event-driven automation connecting findings to isolation actions.
When GuardDuty generates CryptoCurrency-related findings, EventBridge rules match specific finding types and trigger Lambda functions. The Lambda function retrieves the instance ID from the finding, creates or references an isolation security group with no inbound or outbound rules, and modifies the instance to use only the isolation security group.
Network isolation stops cryptocurrency mining by preventing instance communication with mining pools while preserving the instance for investigation. Security teams can subsequently analyze the instance to determine how mining software was installed, assess the scope of compromise, and identify security weaknesses enabling the breach.
A) Manual isolation introduces delays allowing mining to continue, consuming compute resources and incurring costs. Manual processes require human availability and response time. During off-hours or high-volume incidents, manual response may be inadequate for timely isolation.
B) This is the correct answer because GuardDuty detects cryptocurrency mining automatically, EventBridge triggers immediate automated response, Lambda functions isolate instances by replacing security groups, and isolation stops mining while preserving forensic evidence.
C) Immediate instance termination stops mining but destroys forensic evidence needed to understand attack vectors and prevent future incidents. Termination should only occur after forensic analysis or for instances confirmed beyond remediation.
D) Systems Manager can stop instances but this loses volatile memory contents valuable for forensics. Stopped instances can’t be actively investigated until restarted. Network isolation provides better forensic preservation than stopping instances.
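The EventBridge-to-Lambda isolation flow described above, as an added example (not code from the original page). It assumes the function is the target of a rule on "GuardDuty Finding" events, that its role holds the EC2 permissions listed in the docstring, and that the quarantine group name is hypothetical; the sample finding event is constructed.

```python
"""Isolate an EC2 instance flagged by a GuardDuty CryptoCurrency finding.

Added example, not code from the original page. Assumes this runs as the Lambda
target of an EventBridge rule on "GuardDuty Finding" events and that its role
holds ec2:DescribeInstances, ec2:DescribeSecurityGroups, ec2:CreateSecurityGroup,
ec2:RevokeSecurityGroupEgress and ec2:ModifyInstanceAttribute.
"""

ISOLATION_SG_NAME = "quarantine-no-traffic"  # hypothetical group name

# Constructed sample event (not a real finding); only the fields used below are filled in.
SAMPLE_FINDING_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def extract_instance_id(event):
    """Return the instance ID from an EC2 CryptoCurrency finding, or None for
    any other finding (other resource types, or a different threat family)."""
    detail = event.get("detail", {})
    if not detail.get("type", "").startswith("CryptoCurrency:EC2/"):
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def get_or_create_isolation_sg(ec2, vpc_id):
    """Find the quarantine group in this VPC, or create it with no inbound rules
    and the default allow-all outbound rule removed."""
    found = ec2.describe_security_groups(
        Filters=[
            {"Name": "vpc-id", "Values": [vpc_id]},
            {"Name": "group-name", "Values": [ISOLATION_SG_NAME]},
        ]
    )["SecurityGroups"]
    if found:
        return found[0]["GroupId"]
    sg_id = ec2.create_security_group(
        GroupName=ISOLATION_SG_NAME,
        Description="Quarantine: no inbound or outbound traffic",
        VpcId=vpc_id,
    )["GroupId"]
    # A new group is created with an allow-all egress rule; strip whatever egress
    # rules exist so the instance cannot reach mining pools or anything else.
    egress = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0][
        "IpPermissionsEgress"
    ]
    if egress:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress)
    return sg_id


def isolate_instance(ec2, instance_id):
    """Replace every security group on the instance's primary interface with the
    quarantine group. The instance keeps running, so volatile memory and disk
    remain available for forensic collection."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    sg_id = get_or_create_isolation_sg(ec2, instance["VpcId"])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


def lambda_handler(event, context):
    import boto3  # imported here so the pure helpers above can be tested offline

    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"isolated": False, "reason": "not an EC2 CryptoCurrency finding"}
    sg_id = isolate_instance(boto3.client("ec2"), instance_id)
    return {"isolated": True, "instanceId": instance_id, "securityGroupId": sg_id}
```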
Question 183
A company must ensure that AWS KMS keys used for encrypting sensitive data cannot be used by services outside a specific VPC. Which solution enforces this?
A) Use KMS key policies with conditions requiring requests originate from specific VPC endpoints
B) Enable KMS key rotation
C) Use CloudTrail to monitor key usage
D) Delete keys not used in the VPC
Answer: A
Explanation:
Restricting KMS key usage to specific network locations requires key policies that evaluate request sources. KMS key policies support conditions checking whether requests originate from VPC endpoints. This ensures keys are only used by services operating within approved network boundaries.
KMS key policies use the kms:ViaService condition key combined with aws:SourceVpce or aws:SourceVpc conditions to restrict key usage to requests from specific VPCs. Policies deny cryptographic operations unless requests come through designated VPC endpoints or originate from approved VPC IDs.
This network-based key usage restriction provides defense-in-depth by ensuring encryption keys cannot be used from arbitrary locations. Even if credentials are compromised, attackers cannot use keys unless operating within the approved VPC. This network-location-based access control adds a significant security layer.
A) This is the correct answer because KMS key policies can require requests originate from specific VPC endpoints, conditions evaluate request source network location, policies deny key usage from outside approved VPCs, and this restricts key usage to specific network boundaries.
B) KMS key rotation rotates cryptographic key material but doesn’t control which network locations can use keys. Key rotation addresses key lifecycle management while network-based access restrictions are separate concerns.
C) CloudTrail monitors key usage and logs operations but doesn’t enforce network-based restrictions. CloudTrail provides audit trails but requires additional analysis while key policies provide preventive enforcement at authorization time.
D) Deleting keys makes them completely unavailable rather than restricting usage to specific VPCs. The requirement is to allow key usage from within the VPC while preventing external usage, not to eliminate keys entirely.
Question 184
A security engineer needs to implement controls preventing AWS Lambda layers from containing malicious code or unauthorized libraries. Which solution provides this capability?
A) Manually review all Lambda layers
B) Use automated code scanning tools to analyze layer contents before deployment and implement approval workflows
C) Enable Lambda reserved concurrency
D) Use X-Ray tracing
Answer: B
Explanation:
Lambda layers package shared code and dependencies used across multiple functions. Ensuring layer security requires analyzing layer contents for malicious code, vulnerable dependencies, and unauthorized libraries. Automated scanning combined with approval workflows provides comprehensive layer security validation.
Deployment pipelines integrate security scanning tools that analyze Lambda layer zip files. Scanners check for known vulnerabilities in dependencies using CVE databases, detect suspicious code patterns, validate libraries against approved lists, and generate security reports. Layers failing security scans are blocked from deployment.
Approval workflows using Step Functions require security team review for new layers or layers with detected issues. Workflows present scan results to reviewers who approve or reject layers based on security assessment. Only approved layers are published to AWS, ensuring all layers meet security standards before use.
A) Manual layer review doesn’t scale across organizations with many layers and frequent updates. Manual processes are time-consuming and may miss subtle security issues that automated scanners detect. Consistent automated scanning provides comprehensive coverage.
B) This is the correct answer because automated scanning analyzes layer contents for malicious code and vulnerabilities, approval workflows provide governance for layer deployment, security validation occurs before layers are published, and this ensures layers meet security standards.
C) Lambda reserved concurrency controls maximum concurrent executions but doesn’t analyze layer contents or detect security issues. Reserved concurrency addresses capacity management rather than code security validation.
D) X-Ray tracing provides distributed request tracing but doesn’t analyze Lambda layer contents for security issues. X-Ray monitors runtime behavior but doesn’t perform static security analysis of layer code or dependencies.
Question 185
An organization requires that Amazon S3 access logs themselves be stored in buckets with restricted access and encryption. Which configuration implements this?
A) Store access logs in the same bucket as source data
B) Create dedicated logging buckets with restrictive bucket policies, SSE-S3 or SSE-KMS encryption, and S3 Block Public Access enabled
C) Disable access logging
D) Store logs in CloudWatch instead
Answer: B
Explanation:
S3 access logs contain sensitive information about bucket access patterns, requester identities, and accessed objects. Securing access logs requires dedicated logging buckets with strong access controls and encryption. Separation from source buckets and restrictive policies ensure log confidentiality and integrity.
Dedicated logging buckets receive access logs from multiple source buckets. Bucket policies grant write permissions only to the S3 logging service principal while restricting read access to security and audit teams. This prevents unauthorized access to the sensitive access patterns documented in logs.
Encryption using SSE-S3 or SSE-KMS protects logs at rest. S3 Block Public Access at the bucket and account level prevents accidental public exposure. Lifecycle policies manage log retention, automatically transitioning old logs to cost-effective storage classes or deleting them after retention periods expire.
A) Storing access logs in the same bucket as source data creates circular logging (logs documenting access to logs) and doesn’t provide security separation. If source buckets are compromised, access logs in the same bucket are also at risk.
B) This is the correct answer because dedicated logging buckets separate logs from source data, restrictive bucket policies limit access to authorized personnel, encryption protects log confidentiality, and S3 Block Public Access prevents accidental exposure.
C) Disabling access logging eliminates visibility into bucket access patterns and security events. Access logs are critical for security monitoring, incident investigation, and compliance. Disabling logging creates security blind spots.
D) S3 access logs and CloudWatch Logs serve different purposes. S3 access logs capture S3-specific request details while CloudWatch is a general log aggregation service. The requirement is for securing S3 access logs, not migrating to different logging infrastructure.
Question 186
A company must ensure that EC2 instances can only be launched with approved IAM instance profiles. Which solution enforces this?
A) Manually verify instance profiles during launch
B) Use IAM policies with conditions denying RunInstances unless specified approved instance profile ARNs are used
C) Enable CloudTrail logging
D) Use AWS Config to detect non-compliant instances
Answer: B
Explanation:
Controlling which instance profiles EC2 instances use requires IAM policies evaluating instance profile parameters during instance launch. Policies can allow RunInstances only when approved instance profile ARNs are specified. This preventive control ensures instances only use authorized profiles with appropriate permissions.
IAM policies use the iam:PassRole action to control which instance profiles can be associated with EC2 instances. Policies allow PassRole only for specific approved instance profile ARNs, denying attempts to launch instances with unapproved profiles. This ensures instances receive only authorized IAM permissions.
Service Control Policies enforce these restrictions organization-wide, preventing any account from launching instances with non-approved instance profiles. Combined with centralized instance profile management, this approach ensures consistent IAM permission assignment across all EC2 instances.
A) Manual verification doesn’t scale and allows non-compliant launches if verification is bypassed or errors occur. Manual processes are unreliable for enforcing mandatory security requirements. Technical controls provide consistent automated enforcement.
B) This is the correct answer because IAM policies evaluate instance profile parameters in RunInstances requests, policies deny launches with non-approved instance profiles, PassRole controls restrict which profiles can be associated with instances, and this ensures only approved profiles are used.
C) CloudTrail logs instance launches including instance profile assignments but doesn’t prevent non-compliant launches. CloudTrail is reactive, recording launches after they occur. Preventive controls blocking unauthorized profile usage are more effective.
D) AWS Config detects instances using non-approved profiles after launch but doesn’t prevent creation. Config is reactive, identifying non-compliant instances after they exist. Preventive controls blocking launches with unapproved profiles provide better enforcement.
Question 187
A security team needs to detect when AWS Secrets Manager secrets are accessed by unauthorized IAM principals. Which solution provides this capability?
A) Enable Secrets Manager rotation
B) Use CloudTrail logs with CloudWatch Insights queries identifying GetSecretValue calls by unauthorized principals
C) Enable Secrets Manager encryption
D) Use GuardDuty
Answer: B
Explanation:
Detecting unauthorized secret access requires monitoring Secrets Manager API calls and identifying access by unexpected IAM principals. CloudTrail logs all Secrets Manager operations including GetSecretValue. CloudWatch Logs Insights enables querying these logs to identify unauthorized access patterns.
CloudTrail logs for Secrets Manager include GetSecretValue operations with details about requesting IAM principals, timestamps, source IPs, and whether requests succeeded. CloudWatch Logs Insights queries filter these events, comparing requesting principals against lists of authorized users or roles for specific secrets.
Automated alerting uses CloudWatch metric filters matching unauthorized access patterns. When unauthorized principals access secrets, metrics increment and trigger CloudWatch alarms that notify security teams via SNS. This real-time detection enables rapid investigation of unauthorized secret access.
A) Secrets Manager rotation updates secret values periodically but doesn’t monitor or detect unauthorized access. Rotation addresses credential lifecycle management while access monitoring is a separate security concern.
B) This is the correct answer because CloudTrail logs all Secrets Manager access operations, CloudWatch Logs Insights queries identify unauthorized principal access, automated alerting notifies security teams of suspicious access, and this provides comprehensive unauthorized access detection.
C) Secrets Manager encryption protects secret values at rest but doesn’t monitor or prevent unauthorized access by IAM principals with appropriate permissions. Encryption addresses data confidentiality while access monitoring addresses authorization and usage patterns.
D) GuardDuty detects security threats through behavioral analysis but doesn’t specifically monitor Secrets Manager access for policy-based unauthorized access detection. GuardDuty focuses on malicious activity rather than access control policy violations.
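The CloudTrail-based detection described above, as an added example (not code from the original page). The allow-list, the secret ARN and the CloudTrail records are constructed sample data; the Insights query is an assumed equivalent of the same check.

```python
"""Detect GetSecretValue calls by principals outside a secret's allow-list.

Added example, not from the original page. The allow-list and the CloudTrail
records below are constructed sample data; field names follow the CloudTrail
record format as delivered to CloudWatch Logs.
"""
import json

SECRET = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf"  # constructed

# Constructed: secret ARN -> IAM principal ARNs (roles or users) allowed to read it.
AUTHORIZED_READERS = {
    SECRET: {"arn:aws:iam::111122223333:role/prod-app-role"},
}

# Assumed-equivalent CloudWatch Logs Insights query for the same check, to run
# against the CloudTrail log group in the console.
INSIGHTS_QUERY = """
fields @timestamp, userIdentity.arn, requestParameters.secretId, sourceIPAddress, errorCode
| filter eventSource = "secretsmanager.amazonaws.com" and eventName = "GetSecretValue"
| filter requestParameters.secretId like /prod\\/db/
| filter userIdentity.arn not like /assumed-role\\/prod-app-role\\//
| sort @timestamp desc
"""


def principal_arn(user_identity):
    """Return the IAM principal to compare with the allow-list. For a role session
    CloudTrail reports an sts assumed-role ARN, so use the issuing role's ARN
    from sessionContext instead of userIdentity.arn."""
    if user_identity.get("type") == "AssumedRole":
        return user_identity["sessionContext"]["sessionIssuer"]["arn"]
    return user_identity.get("arn", "unknown")


def find_unauthorized_access(log_lines, authorized=AUTHORIZED_READERS):
    """Scan CloudTrail JSON records (one per line) and return a finding for each
    GetSecretValue call on a governed secret by a principal not on its list.
    Denied attempts (errorCode present) are reported too: they show a principal
    trying to reach a secret it should not touch."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if rec.get("eventName") != "GetSecretValue":
            continue
        secret = rec.get("requestParameters", {}).get("secretId")
        allowed = authorized.get(secret)
        if allowed is None:  # callers may pass a name, not an ARN; only ARNs are governed here
            continue
        who = principal_arn(rec.get("userIdentity", {}))
        if who not in allowed:
            findings.append({
                "time": rec.get("eventTime"),
                "principal": who,
                "secret": secret,
                "sourceIp": rec.get("sourceIPAddress"),
                "succeeded": "errorCode" not in rec,
            })
    return findings


def _record(identity, ip, **extra):
    base = {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": {"secretId": SECRET}}
    base.update(extra)
    return json.dumps(base)


# Constructed sample log lines: authorized role, unauthorized user (succeeded),
# unauthorized role (denied), and an unrelated API call that must be ignored.
SAMPLE_LOG_LINES = [
    _record({"type": "AssumedRole",
             "arn": "arn:aws:sts::111122223333:assumed-role/prod-app-role/i-0abc",
             "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/prod-app-role"}}},
            "10.0.1.5"),
    _record({"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "203.0.113.7"),
    _record({"type": "AssumedRole",
             "arn": "arn:aws:sts::111122223333:assumed-role/data-science-role/jane",
             "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/data-science-role"}}},
            "10.0.9.9", errorCode="AccessDenied"),
    _record({"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}, "10.0.2.2",
            eventName="DescribeSecret"),
]
```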
Question 188
An organization requires that Amazon DynamoDB tables have point-in-time recovery (PITR) enabled for all production tables. Which solution ensures compliance?
A) Manually enable PITR on all tables
B) Use AWS Config with a custom rule detecting tables without PITR enabled and automated remediation enabling it
C) Enable DynamoDB encryption
D) Use DynamoDB backups instead
Answer: B
Explanation:
Ensuring DynamoDB tables have point-in-time recovery requires continuous monitoring of PITR configuration across all tables. AWS Config provides configuration compliance monitoring with custom rules detecting tables without PITR. Automated remediation ensures non-compliant tables are corrected immediately.
Config custom rules use Lambda functions to evaluate DynamoDB table configurations. The evaluation retrieves all tables, checks whether PITR is enabled on each, and marks tables without PITR as non-compliant. Config continuously monitors tables, detecting new tables without PITR immediately upon creation.
Automated remediation triggers Lambda functions that enable PITR on non-compliant tables using the UpdateContinuousBackups API. This ensures all production tables maintain PITR automatically without manual intervention. PITR provides 35 days of continuous backup enabling point-in-time recovery from accidental deletions or data corruption.
A) Manual PITR enablement doesn’t scale and allows tables to be created without PITR if manual processes are missed. New tables may operate without recovery capabilities for periods before manual enablement. Automated enforcement ensures consistent compliance.
B) This is the correct answer because Config custom rules continuously monitor table PITR configuration, rules detect tables without PITR enabled, automated remediation enables PITR on non-compliant tables, and this ensures all production tables have recovery capabilities.
C) DynamoDB encryption protects data at rest but doesn’t provide point-in-time recovery capabilities. Encryption and backup recovery are separate features addressing different concerns. Encryption alone doesn’t enable PITR.
D) DynamoDB on-demand backups provide recovery capabilities but don’t offer point-in-time recovery like PITR. On-demand backups must be manually created and restore to backup snapshot time. PITR enables recovery to any point within 35 days.
Question 189
A company must ensure that AWS Lambda functions cannot be invoked by public or anonymous principals. Which solution enforces this?
A) Deploy Lambda in VPC
B) Use Lambda resource-based policies explicitly denying public and anonymous access
C) Enable Lambda reserved concurrency
D) Use X-Ray tracing
Answer: B
Explanation:
Preventing public Lambda invocation requires resource-based policies that block unauthenticated or anonymous access. Lambda resource-based policies control invocation authorization, denying public access while allowing only authenticated AWS principals. This ensures functions aren’t exposed to internet-based invocations.
Lambda resource-based policies use explicit deny statements for public principals. Policies deny lambda:InvokeFunction actions when the Principal is “*” or when requests are unauthenticated. This prevents both public API Gateway integrations from invoking functions without authentication and direct public invocation attempts.
Organization-wide enforcement requires applying these restrictive policies to all Lambda functions through deployment automation or AWS Config remediation. Lambda deployment pipelines automatically attach policies denying public access, ensuring consistent protection across all functions.
A) Lambda VPC deployment controls network connectivity but doesn’t prevent public invocation through Lambda’s managed API endpoint. VPC configuration addresses network access while resource-based policies control invocation authorization at the API level.
B) This is the correct answer because Lambda resource-based policies control invocation authorization, policies can explicitly deny public and anonymous principals, deny statements prevent unauthenticated invocations, and this ensures functions aren’t publicly accessible.
C) Lambda reserved concurrency controls maximum concurrent executions but doesn’t restrict which principals can invoke functions. Reserved concurrency addresses capacity management rather than invocation authorization or public access prevention.
D) X-Ray tracing provides distributed request tracing but doesn’t control invocation authorization or prevent public access. X-Ray monitors invocations but doesn’t restrict them based on principal authentication status.
Question 190
A security engineer needs to implement controls ensuring that Amazon S3 buckets cannot have their default encryption disabled once enabled. Which solution enforces this?
A) Manually monitor encryption settings
B) Use S3 bucket policies or SCPs denying PutBucketEncryption actions that disable encryption
C) Enable S3 versioning
D) Use S3 Object Lock
Answer: B
Explanation:
Preventing S3 bucket encryption from being disabled requires policies blocking PutBucketEncryption operations that would remove encryption configuration. S3 bucket policies or Service Control Policies can evaluate encryption parameters and deny operations disabling encryption.
S3 bucket policies can deny PutBucketEncryption actions when requests would disable or remove encryption settings. Policies evaluate whether ServerSideEncryptionConfiguration is being removed or set to null, denying those requests. This ensures encryption remains enabled regardless of user permissions.
Service Control Policies provide organization-wide enforcement preventing any account from disabling bucket encryption. SCPs deny encryption removal across all buckets in all accounts, ensuring consistent encryption protection. Combined with bucket-level policies, this defense-in-depth approach provides maximum protection.
A) Manual monitoring doesn’t prevent encryption from being disabled and is reactive. Encryption could be disabled and data could be uploaded unencrypted before monitoring detects the change. Manual processes don’t provide preventive controls.
B) This is the correct answer because bucket policies or SCPs can deny PutBucketEncryption operations disabling encryption, policies evaluate encryption configuration changes, preventive controls block encryption removal, and this ensures encryption remains active once enabled.
C) S3 versioning preserves object versions but doesn’t prevent encryption configuration changes. Versioning and encryption are separate features. Versioning alone doesn’t protect encryption settings from being disabled.
D) S3 Object Lock prevents object deletion and modification but doesn’t protect bucket encryption configuration. Object Lock addresses data immutability while encryption configuration protection requires different controls.
Question 191
An organization requires that EC2 instances automatically install the AWS Systems Manager Agent (SSM Agent) upon launch. Which solution implements this?
A) Manually install SSM Agent on each instance
B) Create custom AMIs with SSM Agent pre-installed and use user data scripts for additional configuration
C) Enable EC2 Instance Connect
D) Use Lambda to install SSM Agent
Answer: B
Explanation:
Ensuring consistent SSM Agent deployment requires standardized base images including the agent. Custom AMIs provide golden images with SSM Agent pre-installed and configured. Combined with user data scripts for instance-specific configuration, this approach ensures all instances are manageable through Systems Manager upon launch.
Custom AMIs are created from properly configured instances with SSM Agent installed, started, and configured for automatic startup. Amazon Linux 2 and some other AWS-provided AMIs include SSM Agent by default, but custom AMIs ensure consistent configuration including organization-specific settings.
User data scripts execute during instance initialization, performing additional SSM configuration like setting tags, joining managed instance groups, or configuring logging. This combination of pre-installed agent (AMI) and initialization configuration (user data) ensures instances are immediately available for Systems Manager operations.
A) Manual SSM Agent installation after launch is operationally intensive, introduces gaps between launch and manageability, and doesn’t scale. Instances remain unmanaged during the period between launch and manual installation, creating security monitoring blind spots.
B) This is the correct answer because custom AMIs ensure SSM Agent is pre-installed, user data scripts provide instance-specific configuration, all instances are immediately manageable upon launch, and this provides consistent automated deployment.
C) EC2 Instance Connect provides secure SSH access management but doesn’t deploy SSM Agent or provide Systems Manager capabilities. Instance Connect addresses authentication while SSM Agent enables comprehensive instance management.
D) Lambda functions could theoretically install SSM Agent post-launch but this adds unnecessary complexity and introduces delays. Pre-installation in AMIs is simpler, more reliable, and ensures immediate availability compared to post-launch installation.
Question 192
A company must ensure that AWS CloudFormation stacks can only be created using approved templates stored in a specific S3 bucket. Which solution enforces this?
A) Manually review stack templates before creation
B) Use IAM policies with conditions requiring CreateStack operations to reference templates in approved S3 bucket URLs
C) Enable CloudTrail logging
D) Use AWS Config to detect stacks from unapproved templates
Answer: B
Explanation:
Controlling CloudFormation template sources requires IAM policies evaluating template locations during stack creation. Policies can require that CreateStack and CreateChangeSet operations reference templates stored in approved S3 buckets. This preventive control ensures only validated templates are deployed.
IAM policies use the cloudformation:TemplateUrl condition key to evaluate template source locations. Policies deny stack creation unless template URLs match approved S3 bucket patterns. This ensures all stacks use templates that have undergone security review and approval processes.
Centralized template repositories in approved S3 buckets enable template governance. Security teams review and validate templates before storing them in approved buckets. Version control and access logging on template buckets provide audit trails of template changes and usage.
A) Manual template review is operationally intensive and introduces deployment delays. Manual processes are error-prone and don’t prevent users from deploying unapproved templates if verification is bypassed. Technical enforcement provides consistent automated compliance.
B) This is the correct answer because IAM policies evaluate template source URLs during stack creation, conditions require templates from approved S3 buckets, preventive controls block stacks using unapproved templates, and this enforces template governance.
C) CloudTrail logs stack creation events including template sources but doesn’t prevent creation of stacks from unapproved templates. CloudTrail is reactive, recording stack creation after it occurs. Preventive controls are more effective for this requirement.
D) AWS Config detects stacks created from unapproved templates after creation but doesn’t prevent creation. Config is reactive, identifying non-compliant stacks after resources are deployed. Preventive controls blocking unapproved template usage provide better enforcement.
Question 193
A security team needs to detect when AWS Security Groups are modified to allow RDP access (port 3389) from specific high-risk IP ranges. Which solution provides this detection?
A) Manually review security groups weekly
B) Use AWS Config with custom rules evaluating security group ingress rules for RDP access from high-risk IP ranges
C) Enable VPC Flow Logs
D) Use GuardDuty
Answer: B
Explanation:
Detecting security group rules allowing access from specific IP ranges requires continuous monitoring with custom logic evaluating rule combinations. AWS Config with custom rules provides the flexibility to implement complex security group analysis identifying specific risky configurations.
Config custom rules use Lambda functions to evaluate security group configurations. The Lambda function retrieves all ingress rules, identifies rules allowing TCP port 3389 (RDP), and checks whether source CIDR blocks include high-risk IP ranges from threat intelligence feeds. Non-compliant security groups are flagged.
High-risk IP ranges are maintained in Parameter Store or DynamoDB, updated from threat intelligence sources. Config evaluation Lambda queries these lists, comparing security group rule sources against known malicious or high-risk networks. This dynamic threat intelligence integration ensures current risk detection.
A) Manual weekly review introduces multi-day windows where risky security group rules exist undetected. During these periods, instances are exposed to access attempts from high-risk networks. Manual processes don’t scale across dynamic environments.
B) This is the correct answer because Config custom rules continuously monitor security group configurations, rules evaluate ingress rules for RDP access from high-risk IPs, custom logic enables complex analysis with threat intelligence integration, and this provides comprehensive risky configuration detection.
C) VPC Flow Logs capture actual connection attempts but don’t detect security group misconfigurations before exploitation. Flow logs are reactive, showing traffic after it occurs, but don’t proactively identify vulnerable configurations.
D) GuardDuty detects threats through behavioral analysis but doesn’t evaluate security group configurations for policy-based rule analysis. GuardDuty might detect actual attacks but doesn’t identify configuration weaknesses creating vulnerabilities.
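The Config custom-rule evaluation described above, as an added example (not code from the original page). HIGH_RISK_CIDRS is a constructed sample using documentation prefixes; the production design would load it from Parameter Store or DynamoDB as the explanation says.

```python
"""AWS Config custom rule: flag security groups allowing TCP/3389 (RDP) from
high-risk CIDR ranges.

Added example, not from the original page. HIGH_RISK_CIDRS is a constructed
sample (TEST-NET documentation prefixes as stand-ins); the explanation's design
loads it from Parameter Store or DynamoDB instead.
"""
import ipaddress
import json

HIGH_RISK_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]  # constructed sample
RDP_PORT = 3389


def rule_covers_rdp(rule):
    """True if an ingress rule (describe_security_groups shape) includes TCP 3389.
    IpProtocol "-1" means all protocols and all ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)


def risky_sources(rule, high_risk_cidrs):
    """Return the rule's IPv4 source CIDRs that overlap a high-risk range.
    0.0.0.0/0 overlaps everything, so an open-to-world RDP rule is flagged too.
    IPv6 sources (Ipv6Ranges) are not evaluated by this example."""
    nets = [ipaddress.ip_network(c) for c in high_risk_cidrs]
    risky = []
    for entry in rule.get("IpRanges", []):
        src = ipaddress.ip_network(entry["CidrIp"], strict=False)
        if any(src.overlaps(n) for n in nets):
            risky.append(entry["CidrIp"])
    return risky


def evaluate_security_group(sg, high_risk_cidrs=HIGH_RISK_CIDRS):
    """Return (ComplianceType, Annotation) for one security group description."""
    hits = []
    for rule in sg.get("IpPermissions", []):
        if rule_covers_rdp(rule):
            hits.extend(risky_sources(rule, high_risk_cidrs))
    if hits:
        note = "RDP (TCP 3389) allowed from high-risk sources: " + ", ".join(sorted(set(hits)))
        return "NON_COMPLIANT", note[:256]  # Config caps annotations at 256 characters
    return "COMPLIANT", "No RDP ingress from high-risk ranges"


def lambda_handler(event, context):
    """Entry point for a change-triggered rule scoped to AWS::EC2::SecurityGroup.
    The group ID comes from the configuration item; its current rules are re-read
    from the EC2 API so the evaluation uses the API field names handled above."""
    import boto3

    item = json.loads(event["invokingEvent"])["configurationItem"]
    sg_id = item["resourceId"]
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "Security group deleted"
    else:
        sg = boto3.client("ec2").describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
        compliance, annotation = evaluate_security_group(sg)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": sg_id,
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance
```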
Question 194
An organization requires that Amazon EBS snapshots be automatically shared with a disaster recovery account in a different region. Which solution implements this?
A) Manually copy snapshots to DR account monthly
B) Use EventBridge rules triggering Lambda functions that automatically copy snapshots to DR account and region when snapshots are created
C) Enable EBS encryption by default
D) Use AWS Backup only
Answer: B
Explanation:
Automated disaster recovery snapshot distribution requires event-driven processes that respond to snapshot creation by copying snapshots to DR locations. EventBridge detects snapshot creation events, while Lambda functions orchestrate cross-account and cross-region snapshot copying for DR preparedness.
When EBS snapshots are created, AWS publishes events to EventBridge. Rules match “EBS Snapshot Notification” events and trigger Lambda functions. The Lambda function extracts snapshot details, copies the snapshot to the DR region using the CopySnapshot API, and shares the copied snapshot with the DR account using ModifySnapshotAttribute.
Cross-account snapshot sharing requires the DR account to be specified in snapshot permissions. Cross-region copying ensures snapshots exist in geographically separate locations surviving regional disasters. Automated execution ensures DR copies are created immediately after production snapshots without manual intervention.
A) Manual monthly copying introduces 30-day recovery point objectives where data could be lost if disasters occur between copies. Manual processes are operationally intensive and don’t provide the near-real-time DR capability automated systems offer.
B) This is the correct answer because EventBridge detects snapshot creation events in real-time, Lambda functions automatically copy snapshots cross-region and cross-account, automation ensures immediate DR copy creation, and this provides comprehensive automated DR snapshot distribution.
C) EBS encryption by default ensures new volumes and snapshots are encrypted but doesn’t copy snapshots to DR accounts or regions. Encryption protects data confidentiality but doesn’t provide DR distribution functionality.
D) AWS Backup can automate cross-region and cross-account copying, but a copy job deposits a recovery point in a backup vault in the DR account rather than sharing the snapshot, and the question asks specifically for automated sharing of EBS snapshots. In practice a backup plan with a cross-account, cross-Region copy rule is the lower-effort way to get the same outcome; the EventBridge/Lambda approach is the answer here because it gives direct control over the copy and share calls for a snapshot-specific workflow.
Question 195
A company must ensure that AWS Lambda functions can only access DynamoDB tables with the same tag values (e.g., Environment=Production). Which solution enforces this?
A) Manually configure Lambda permissions
B) Use IAM policies with condition keys evaluating resource tags to match principal tags
C) Enable DynamoDB encryption
D) Use Lambda environment variables
Answer: B
Explanation:
Implementing tag-based access control requires IAM policies that evaluate both principal tags and resource tags, allowing access only when tags match. This attribute-based access control (ABAC) enables dynamic permissions scaling with resources without requiring policy updates for each new resource.
The Lambda execution role's policy compares the principal's tag with the table's tag: aws:PrincipalTag/Environment is read from the tags on the execution role (Lambda's calls run as that role, so tags on the function itself play no part), and aws:ResourceTag/Environment is read from the tags on the DynamoDB table; there is no dynamodb:ResourceTag key. The condition is written as StringEquals with a policy variable, "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}", so the statement matches only when both tags exist and their values are identical (the comparison is case sensitive, so Production and production do not match). DynamoDB's support for aws:ResourceTag on data-plane actions is recent; confirm in the service authorization reference that the key is listed for the actions you need.
This ABAC approach enables self-service: a new DynamoDB table tagged Environment=Production becomes accessible to every Production-tagged execution role without a policy change. Because the tag is now the authorization attribute, it needs the same protection as the policy: restrict who can set or change the Environment tag on roles (iam:TagRole, iam:UntagRole) and on tables (dynamodb:TagResource, dynamodb:UntagResource) with aws:RequestTag and aws:TagKeys conditions, otherwise anyone who can tag can grant access.
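The policy and the tag comparison above, as an added example (not code from the page). abac_policy() builds the document to attach to the execution role; is_allowed() is a local simulation of how the StringEquals condition with a ${aws:PrincipalTag/...} variable resolves, included so the matching behaviour (missing tag, case mismatch, unset variable) can be checked offline. It is not the IAM policy engine, and TAG_KEY and the sample role and table tags are constructed.

```python
"""ABAC: a Lambda execution role may touch a DynamoDB table only when the two carry the same
Environment tag. Added example, not the page's code. abac_policy() builds the document to attach
to the role; is_allowed() is a local simulation of the tag comparison for offline checking and is
not the IAM policy engine. TAG_KEY and the sample tags below are constructed."""
import json
import re

TAG_KEY = "Environment"
_PRINCIPAL_TAG_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def abac_policy(tag_key=TAG_KEY):
    """Condition key is the global aws:ResourceTag/<key> read from the table; the value is a
    policy variable resolved from the execution role's own tags (not the function's)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DynamoDBWhenEnvironmentTagMatches",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                       "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
            "Resource": "arn:aws:dynamodb:*:*:table/*",
            "Condition": {"StringEquals": {
                f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"}},
        }],
    }


def condition_matches(condition, principal_tags, resource_tags):
    """StringEquals with a ${aws:PrincipalTag/K} variable: the variable takes the role's tag
    value (an unset variable never matches), the key takes the table's tag value (a missing
    tag never matches), and the comparison is exact and case sensitive."""
    for key, wanted in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            raise ValueError(f"simulation handles aws:ResourceTag keys only: {key}")
        var = _PRINCIPAL_TAG_VAR.match(wanted)
        if var:
            wanted = principal_tags.get(var.group(1))
            if wanted is None:
                return False
        actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        if actual is None or actual != wanted:
            return False
    return True


def is_allowed(action, policy, principal_tags, resource_tags):
    """True if some Allow statement covers the action and its condition holds. Deny
    statements are not modelled; an explicit Deny elsewhere would still win in IAM."""
    return any(stmt["Effect"] == "Allow" and action in stmt["Action"]
               and condition_matches(stmt.get("Condition", {}), principal_tags, resource_tags)
               for stmt in policy["Statement"])


# Constructed tags: one execution role, four tables.
ROLE_TAGS = {"Environment": "Production", "Team": "orders"}
TABLES = {
    "orders-prod": {"Environment": "Production"},
    "orders-staging": {"Environment": "Staging"},
    "orders-prod-lowercase": {"Environment": "production"},   # case mismatch
    "legacy-untagged": {},
}


def access_matrix(policy=None, role_tags=ROLE_TAGS, tables=TABLES):
    """Which tables can this role read? Returns {table: bool}."""
    policy = policy or abac_policy()
    return {name: is_allowed("dynamodb:GetItem", policy, role_tags, tags)
            for name, tags in tables.items()}


if __name__ == "__main__":
    print(json.dumps(abac_policy(), indent=2))
    print(access_matrix())
```

The untagged legacy table is the case to watch: it is unreachable by every role under this policy, which is the safe default, but it means migrating to ABAC is a tagging project first and a policy change second.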
A) Manual Lambda permission configuration doesn’t scale as new tables are created and doesn’t enforce tag-based access control. Manual processes require updating IAM policies for each new table, creating operational overhead and potential permission gaps.
B) This is the correct answer because IAM policies can compare principal tags and resource tags, condition keys evaluate tag values during authorization, policies allow access only when tags match, and this implements attribute-based access control using tags.
C) DynamoDB encryption protects data at rest but doesn’t control access based on tags. Encryption addresses data confidentiality while tag-based access control addresses authorization. These are separate security concerns.
D) Lambda environment variables store configuration data but don’t enforce IAM authorization or implement tag-based access control. Environment variables provide application configuration while IAM policies control authorization based on tags.
Question 196
A security engineer needs to detect when AWS IAM roles are created with trust relationships allowing external accounts to assume them. Which solution provides this detection?
A) Use IAM Access Analyzer to detect roles with external trust relationships
B) Manually review role trust policies monthly
C) Enable CloudTrail logging only
D) Use GuardDuty
Answer: A
Explanation:
Detecting IAM roles with external trust relationships requires analyzing role trust policies to identify cross-account access grants. IAM Access Analyzer specifically evaluates trust policies and identifies roles assumable by external accounts. This automated analysis provides comprehensive visibility into cross-account role access.
IAM Access Analyzer evaluates role trust policies against a zone of trust, which is either the single account or the whole organization. A role whose trust policy names a principal outside that zone produces an active finding identifying the role, the external principal (an account, role, user, or a wildcard) and the actions granted, and the finding is updated when the role changes. Because IAM is global, one analyzer in any single Region covers every role. An organization-level analyzer does not flag roles that trust other accounts in the same organization, which is usually the intent; use an account-level analyzer when cross-account access inside the organization also needs review.
Findings include the trust policy's condition values, such as sts:ExternalId and aws:MultiFactorAuthPresent, so reviewers can see whether the external access is constrained by an external ID or MFA. Intended access can be archived by hand or suppressed with archive rules for expected patterns, and new findings should be routed through EventBridge to an alerting channel rather than waiting for console review. Analysis is ongoing as roles are created or modified.
A) This is the correct answer because IAM Access Analyzer specifically detects cross-account role trust relationships, analyzer identifies roles assumable by external accounts, findings show which external principals have access, and this provides comprehensive external role access visibility.
B) Manual monthly review doesn’t scale across organizations with many roles and introduces 30-day detection delays. External trust relationships could exist for significant periods before detection. Manual analysis cannot match the comprehensive policy evaluation Access Analyzer provides.
C) CloudTrail logs role creation and trust policy modifications but doesn’t analyze trust policy content to identify external access. CloudTrail provides audit trails but requires additional analysis while Access Analyzer provides trust relationship evaluation.
D) GuardDuty detects security threats through behavioral analysis but doesn’t analyze IAM role trust policies for external access configuration. GuardDuty focuses on malicious activity rather than identifying policy-based external access grants.
Question 197
An organization requires that AWS CodeBuild projects can only pull source code from approved GitHub repositories. Which solution enforces this?
A) Manually verify repository URLs before build
B) Use IAM policies with conditions denying CodeBuild project creation unless source repositories match approved GitHub organization URLs
C) Enable CodeBuild logging
D) Use AWS Config to detect non-compliant projects
Answer: B
Explanation:
Controlling CodeBuild source repositories means checking the source location at project creation and update time, so that a project can only be created or repointed at an approved GitHub organization or repository. This preventive control ensures builds only use trusted code sources.
IAM conditions do not parse arbitrary strings; a condition can only test the condition keys CodeBuild exposes for codebuild:CreateProject and codebuild:UpdateProject, typically with StringLike patterns against the approved organization's clone URL prefix. Confirm in the service authorization reference for CodeBuild which keys are available for those actions before relying on this control. Whatever does the matching, it must treat the location as a URL and not as a prefix string: https://github.com/example-org-evil/app satisfies a prefix match on https://github.com/example-org, and so does a URL with a ../ segment or a query string appended.
Organization-wide enforcement through Service Control Policies applies the same condition to every account. Webhook settings are a separate concern: CodeBuild verifies the webhook secret and filter groups can restrict which branches and events start a build, but neither changes which repository the project points at, so the source location check is the control that matters for provenance.
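A source-location check that parses the clone URL instead of prefix-matching it, as an added example (not code from the page or from AWS). APPROVED_ORGS and the sample URLs are constructed; the same github_owner() parse can back a Config custom rule over AWS::CodeBuild::Project items (configuration.source.location) or a pre-creation check in whatever pipeline creates projects. The naive prefix check is included only to show what it lets through.

```python
"""Allowlist check for CodeBuild GitHub source locations: parse the clone URL rather than
prefix-matching it. Added example, not AWS code; APPROVED_ORGS and the sample URLs are
constructed."""
from urllib.parse import urlparse

APPROVED_ORGS = {"example-org"}   # assumption: the GitHub organisations builds may pull from


def github_owner(location):
    """Owner of an https://github.com/<owner>/<repo>[.git] clone URL, lower-cased, or None for
    anything else: other hosts, userinfo or port tricks, extra path segments, query strings,
    SSH shorthand. GitHub owner names are alphanumeric plus hyphens and case-insensitive."""
    try:
        u = urlparse(location)
        if u.scheme != "https" or u.hostname != "github.com":
            return None
        if u.username or u.password or u.port or u.query or u.fragment or u.params:
            return None
    except ValueError:            # e.g. an unparseable port
        return None
    segments = u.path.split("/")
    if len(segments) != 3 or segments[0] != "":
        return None
    owner, repo = segments[1], segments[2]
    if repo.endswith(".git"):
        repo = repo[:-4]
    if not owner or not repo or not owner.replace("-", "").isalnum():
        return None
    return owner.lower()


def is_approved(location, approved=APPROVED_ORGS):
    owner = github_owner(location)
    return owner is not None and owner in {o.lower() for o in approved}


def naive_prefix_check(location, approved=APPROVED_ORGS):
    """The check this replaces; kept so the difference is visible."""
    return any(location.startswith(f"https://github.com/{o}") for o in approved)


# Constructed inputs: the first two are legitimate, the rest are evasion attempts.
SAMPLES = [
    "https://github.com/example-org/payments.git",
    "https://GitHub.com/Example-Org/payments",
    "https://github.com/example-org-evil/payments.git",      # prefix of the org name
    "https://github.com/example-org/../attacker/payments.git",
    "https://github.com/example-org/payments.git?x=https://github.com/attacker",
    "https://github.com@attacker.example/example-org/payments.git",
    "https://github.com.attacker.example/example-org/payments.git",
    "git@github.com:example-org/payments.git",
]


def compare(samples=SAMPLES):
    """{url: (naive_result, parsed_result)} for every sample."""
    return {s: (naive_prefix_check(s), is_approved(s)) for s in samples}


if __name__ == "__main__":
    for url, (naive, parsed) in compare().items():
        print(f"{naive!s:5} {parsed!s:5} {url}")
```

Note the second sample: the prefix check rejects a legitimate URL because of letter case while accepting three hostile ones, so a naive check is wrong in both directions, not merely permissive.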
A) Manual verification is operationally intensive and introduces delays in CI/CD pipelines. Manual processes are error-prone and don’t prevent creation of projects with unapproved repositories if verification is bypassed. Technical enforcement provides consistent automated compliance.
B) This is the correct answer because IAM policies evaluate source repository URLs during project creation, conditions require repositories from approved GitHub organizations, preventive controls block projects using unapproved sources, and this ensures code provenance.
C) CodeBuild logging provides build execution audit trails but doesn’t prevent project creation with unapproved repositories. Logging is reactive, recording builds after they execute. Preventive controls blocking unapproved repositories are more effective.
D) AWS Config detects projects using unapproved repositories after creation but doesn’t prevent creation. Config is reactive, identifying non-compliant projects after they exist. Preventive controls blocking creation with unapproved repositories provide better enforcement.
Question 198
A company must ensure that Amazon RDS databases are automatically backed up before any maintenance operations or configuration changes. Which RDS feature provides this?
A) Manual snapshots before changes
B) RDS automated backups with retention period configured
C) RDS Multi-AZ deployments
D) RDS encryption
Answer: B
Explanation:
RDS automated backups take a daily snapshot of the instance during its backup window and upload transaction logs to Amazon S3 every five minutes; together these enable point-in-time recovery anywhere inside the retention period. The pre-change protection the question describes comes from two things: RDS takes a snapshot before an engine version upgrade (for example a major version upgrade) when automated backups are enabled, and for other maintenance or configuration changes the continuous log backups let you restore to a point just before the change was applied.
Automated backups require a retention period of 1 to 35 days; setting it to 0 disables them, and with them the pre-upgrade snapshot and point-in-time recovery. A point-in-time restore always produces a new instance, so recovering from a bad change means restoring, validating, and repointing the application, not rolling the existing instance back in place.
The latest restorable time is normally within the last five minutes; check LatestRestorableTime from DescribeDBInstances before a risky change if the exact recovery point matters. For changes with a large blast radius a manual snapshot immediately beforehand is still worth taking, because manual snapshots are not deleted when the retention window passes or when the instance is deleted, while automated backups are removed with the instance unless retained explicitly.
A) Manual snapshots require remembering to create them before each change, introducing operational burden and potential for human error. Manual processes are unreliable for ensuring consistent pre-change backups across all maintenance operations.
B) This is the correct answer because automated backups take daily snapshots and continuous transaction log backups within the configured retention period, RDS takes a pre-upgrade snapshot when automated backups are enabled, point-in-time recovery covers every other maintenance or configuration change, and together these provide automated recovery protection without relying on anyone to take a snapshot first.
C) RDS Multi-AZ deployments provide high availability through automatic failover but don’t create backups before maintenance. Multi-AZ addresses availability while automated backups address recoverability. These are complementary but separate features.
D) RDS encryption protects data at rest but doesn’t create backups before maintenance operations. Encryption addresses data confidentiality while automated backups provide recovery capabilities. These are separate security and reliability features.
Question 199
A security team needs to implement automated remediation that removes inline IAM policies from IAM users when detected, forcing use of managed policies only. Which solution implements this?
A) Manually review and remove inline policies monthly
B) Use AWS Config with custom rules detecting inline policies on users and Lambda remediation deleting them
C) Enable CloudTrail logging
D) Use GuardDuty
Answer: B
Explanation:
Enforcing managed policies over inline policies means detecting inline policy attachments and removing them. AWS Config evaluates IAM user configuration items as they change, and a remediation action removes the policy. The detection half does not strictly need custom code: the managed rule iam-no-inline-policy-check flags any IAM user, group, or role that carries an inline policy. A custom rule is the right choice when the check must be scoped (for example to users only, or to users outside a break-glass allowlist) or combined with other criteria.
A custom rule's Lambda receives the AWS::IAM::User configuration item, whose userPolicyList already enumerates the user's inline policies (a call to ListUserPolicies returns the same names), and reports COMPLIANT or NON_COMPLIANT through PutEvaluations. Because IAM is global, record IAM resources in one Region only and create the rule there; a change-triggered rule evaluates each user as soon as its configuration changes rather than waiting for a periodic sweep.
Remediation is configured on the rule as an SSM Automation runbook; the AWS-InvokeLambdaFunction runbook hands the non-compliant resource to a Lambda function that calls DeleteUserPolicy. Deleting an inline policy destroys its only copy, so the function should save the document (GetUserPolicy) somewhere durable first; that record lets an administrator recreate the permissions as a customer managed policy instead of the user silently losing access. Notify the user or owner, and trial automatic remediation in a non-production account first, because stripping permissions from a service user breaks whatever that user runs.
Using managed policies instead of inline policies provides centralized policy management, easier auditing, and simplified permission updates across multiple users. Managed policies can be updated once to affect all attached users, while inline policies require individual updates creating management overhead.
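The rule and remediation halves described above, as an added example (not code from the page). The evaluation reads userPolicyList from the configuration item; the remediation archives each policy document before deleting it and follows IAM's Marker/IsTruncated pagination. The IAM client is injectable, so the logic runs offline against the constructed FakeIAM at the bottom; ARCHIVE_BUCKET and the UserName field of the remediation event are assumptions about how the runbook is wired.

```python
"""Config custom rule and remediation for inline policies on IAM users.
Added example, not the page's code. The remediation takes an injectable IAM client so
the logic runs offline against the constructed FakeIAM below; ARCHIVE_BUCKET and the
UserName field of the remediation event are assumptions about how the runbook is wired."""
import json
import os

try:
    import boto3  # needed only inside Lambda
except ImportError:
    boto3 = None


def evaluate_user(configuration_item):
    """Return (compliance, annotation) for one AWS::IAM::User configuration item.
    The item's configuration.userPolicyList already lists inline policies, so the
    evaluation needs no IAM call and cannot be throttled."""
    if configuration_item.get("resourceType") != "AWS::IAM::User":
        return "NOT_APPLICABLE", "rule evaluates IAM users only"
    inline = configuration_item.get("configuration", {}).get("userPolicyList") or []
    names = sorted(p["policyName"] for p in inline)
    if names:
        return "NON_COMPLIANT", "inline policies present: " + ", ".join(names)
    return "COMPLIANT", "no inline policies"


def rule_handler(event, context):
    """Entry point for the change-triggered Config rule."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_user(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": note[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])


def remove_inline_policies(iam, user_name, archive):
    """Archive every inline policy document via archive(user, name, document), then delete.
    Names are collected first (following Marker/IsTruncated as the IAM API paginates)
    so deletions do not disturb the listing."""
    names, kwargs = [], {"UserName": user_name}
    while True:
        page = iam.list_user_policies(**kwargs)
        names.extend(page["PolicyNames"])
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]
    for name in names:
        document = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
        archive(user_name, name, document)       # keep a copy before the only one is destroyed
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
    return names


def remediation_handler(event, context):
    """Invoked through the AWS-InvokeLambdaFunction automation runbook; the runbook's
    payload is assumed to carry the non-compliant user's name as UserName."""
    def to_s3(user_name, policy_name, document):
        boto3.client("s3").put_object(Bucket=os.environ["ARCHIVE_BUCKET"],
                                      Key=f"{user_name}/{policy_name}.json",
                                      Body=json.dumps(document).encode())
    return {"removed": remove_inline_policies(boto3.client("iam"), event["UserName"], to_s3)}


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client, paging one policy name per call."""
    def __init__(self, users):
        self.users = users
    def list_user_policies(self, UserName, Marker=None):
        names = sorted(self.users[UserName])
        start = int(Marker) if Marker else 0
        out = {"PolicyNames": names[start:start + 1], "IsTruncated": start + 1 < len(names)}
        if out["IsTruncated"]:
            out["Marker"] = str(start + 1)
        return out
    def get_user_policy(self, UserName, PolicyName):
        return {"PolicyDocument": self.users[UserName][PolicyName]}
    def delete_user_policy(self, UserName, PolicyName):
        del self.users[UserName][PolicyName]


def demo():
    """Detection, remediation and re-evaluation against a constructed user."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    iam = FakeIAM({"build-bot": {"s3-wide-open": doc, "ec2-admin": doc}})
    item = {"resourceType": "AWS::IAM::User", "resourceId": "AIDAEXAMPLE",
            "configuration": {"userPolicyList": [{"policyName": n, "policyDocument": doc}
                                                 for n in iam.users["build-bot"]]}}
    before = evaluate_user(item)[0]
    archived = []
    removed = remove_inline_policies(iam, "build-bot", lambda u, n, d: archived.append((u, n)))
    item["configuration"]["userPolicyList"] = []      # what Config records after the deletes
    return before, removed, archived, evaluate_user(item)[0]


if __name__ == "__main__":
    print(demo())
```

The remediation function's role needs iam:ListUserPolicies, iam:GetUserPolicy and iam:DeleteUserPolicy plus s3:PutObject on the archive bucket, and nothing wider; a remediation Lambda with iam:* is a larger problem than the inline policies it removes.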
A) Manual monthly review introduces 30-day windows where inline policies exist. Users could have excessive or inappropriate permissions during these periods. Manual processes don’t scale across organizations with many IAM users and don’t provide consistent enforcement.
B) This is the correct answer because Config custom rules continuously detect inline policies on IAM users, automated remediation removes inline policies immediately, enforcement drives managed policy usage, and this provides consistent automated compliance with policy management standards.
C) CloudTrail logs inline policy creation events but doesn’t detect existing inline policies or trigger remediation. CloudTrail provides audit trails but requires additional analysis and doesn’t provide the automated enforcement that Config remediation offers.
D) GuardDuty detects security threats through behavioral analysis but doesn’t evaluate IAM user configurations for inline policy usage. GuardDuty focuses on threat detection rather than IAM policy management compliance.
Question 200
An organization requires that AWS Systems Manager Session Manager connections be restricted to specific source IP addresses (corporate office IPs). Which solution enforces this?
A) Use security groups on EC2 instances
B) Use IAM policies with aws:SourceIp condition keys denying StartSession actions from non-corporate IP ranges
C) Enable VPC endpoints for Systems Manager
D) Use NACLs to restrict access
Answer: B
Explanation:
Session Manager sessions are brokered by the Systems Manager API: StartSession is an IAM-authorized API call, not an inbound SSH or RDP connection to the instance. Restricting access by source address therefore has to happen in IAM, with a condition on the IP address the API request arrives from.
A policy on the user or role denies ssm:StartSession (and ssm:ResumeSession) when aws:SourceIp falls outside the corporate CIDR ranges, using the NotIpAddress operator. aws:SourceIp is the public address the request reaches AWS from, so the policy lists the offices' NAT or VPN egress ranges, not internal addresses. Two paths need care: a request made through a VPC endpoint has no aws:SourceIp in its context (it carries aws:VpcSourceIp instead), so administrators who reach Systems Manager through an endpoint must be handled explicitly, and a call an AWS service makes on the principal's behalf carries the service's address, which the condition "Bool": {"aws:ViaAWSService": "false"} exempts from the deny.
The IP restriction is defense in depth on top of authentication and authorization: stolen credentials cannot start a session from outside the corporate network. Pair it with an MFA condition (aws:MultiFactorAuthPresent) and with session logging to CloudWatch Logs or S3, since the IP check says nothing about what happens inside a session once it starts.
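The deny statement and its behaviour on the edge cases above, as an added example (not code from the page). deny_outside_corporate() validates the CIDRs and builds the statement; denies() is a local simulation of the statement's condition logic so the office, home, VPC endpoint and service-on-behalf cases can be checked offline. It is not the IAM engine, and the CIDRs and request contexts are constructed documentation ranges.

```python
"""Deny Session Manager from outside corporate address space. Added example, not the
page's code. CORPORATE_CIDRS are documentation ranges standing in for real office egress
addresses, and denies() is a local simulation of the deny statement's condition logic
for offline checking, not the IAM engine."""
import ipaddress
import json

CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]   # constructed


def deny_outside_corporate(cidrs=CORPORATE_CIDRS):
    """Statement to attach beside the normal ssm:StartSession allow. CIDRs are validated
    strictly, so a typo like 203.0.113.5/24 raises instead of being widened silently.
    aws:ViaAWSService=false exempts calls an AWS service makes on the principal's behalf,
    whose aws:SourceIp is the service's address rather than the administrator's."""
    nets = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySessionManagerOutsideCorporateNetwork",
        "Effect": "Deny",
        "Action": ["ssm:StartSession", "ssm:ResumeSession"],
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": nets},
                      "Bool": {"aws:ViaAWSService": "false"}}}]}


def denies(policy, request_context):
    """Does the Deny apply to this request? Every condition block must match.
    NotIpAddress matches when the address is outside every listed network; like the other
    negated operators it also matches when the key is absent from the request context,
    which is what a request arriving through a VPC endpoint looks like (its context has
    aws:VpcSourceIp instead). Such requests are denied by this policy as written."""
    cond = policy["Statement"][0]["Condition"]
    source = request_context.get("aws:SourceIp")
    if source is not None:
        addr = ipaddress.ip_address(source)
        if any(addr in ipaddress.ip_network(n) for n in cond["NotIpAddress"]["aws:SourceIp"]):
            return False                     # inside corporate space
    if request_context.get("aws:ViaAWSService", "false") != cond["Bool"]["aws:ViaAWSService"]:
        return False                         # service-originated call is exempt
    return True


# Constructed request contexts: office, home, an IPv6 office egress the list forgot,
# the VPC endpoint path, and a service calling on the principal's behalf.
REQUESTS = {
    "office": {"aws:SourceIp": "203.0.113.17"},
    "home": {"aws:SourceIp": "192.0.2.44"},
    "office-ipv6": {"aws:SourceIp": "2001:db8::1"},
    "vpc-endpoint": {"aws:VpcSourceIp": "10.0.1.5"},
    "on-behalf": {"aws:SourceIp": "52.0.0.1", "aws:ViaAWSService": "true"},
}


def outcomes(policy=None, requests=REQUESTS):
    """{name: True if StartSession is denied for that request}."""
    policy = policy or deny_outside_corporate()
    return {name: denies(policy, ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    print(json.dumps(deny_outside_corporate(), indent=2))
    print(outcomes())
```

The office-ipv6 and vpc-endpoint rows are the ones that surprise people: an allowlist of IPv4 egress ranges locks out an office the moment it gains IPv6 egress, and a policy keyed only on aws:SourceIp locks out every administrator who reaches Systems Manager through a VPC endpoint. Both are fixed by extending the policy deliberately, not by loosening it.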
A) Security groups control network traffic to EC2 instances but Session Manager doesn’t use traditional inbound SSH/RDP ports. Session Manager connections are established through AWS service APIs using outbound HTTPS from instances. Security groups cannot restrict Session Manager API authorization.
B) This is the correct answer because IAM policies with aws:SourceIp conditions evaluate request source IPs, policies can deny StartSession from non-corporate IP ranges, IP-based restrictions add network location requirements to Session Manager access, and this enforces corporate network access requirements.
C) VPC endpoints provide private connectivity to Systems Manager without traversing the internet, but an endpoint doesn't restrict which callers can start sessions; any principal that can route to it can use it. Endpoints address network routing while IAM policies control authorization. Note that a request arriving through an endpoint presents aws:VpcSourceIp rather than aws:SourceIp, so an IAM policy keyed on source IP must be written with that path in mind.
D) NACLs control network traffic at the subnet level but Session Manager uses AWS service APIs for connection establishment, not direct network connections to instances. NACLs cannot restrict Session Manager API authorization based on administrator source IPs.