Question 141
A company must ensure that Amazon EC2 instances cannot be launched in public subnets to prevent direct internet exposure. Which solution enforces this?
A) Manually verify subnet selection for each instance launch
B) Use Service Control Policies with conditions denying RunInstances in public subnets
C) Delete all public subnets
D) Use AWS Config to detect instances in public subnets
Answer: B
Explanation:
Preventing EC2 instance launches in public subnets requires evaluating subnet characteristics during instance creation. Public subnets have route table entries directing traffic to internet gateways. Service Control Policies can evaluate subnet routing configuration and prevent instance launches in subnets with internet gateway routes.
SCPs use the ec2:Subnet condition key to evaluate subnet ARNs in RunInstances requests. Combined with resource-based conditions or custom authorization, policies can determine whether target subnets are public (have internet gateway routes) and deny instance launches accordingly. This preventive control blocks non-compliant launches at the authorization layer.
Alternatively, organizations can maintain lists of approved private subnet IDs and use SCPs with ec2:Subnet conditions that only allow launches in specifically enumerated subnet IDs. This whitelist approach ensures instances can only be launched in known private subnets, preventing public subnet usage.
A) Manual verification doesn’t scale and allows non-compliant launches if users bypass verification or make mistakes. Manual processes are unreliable for enforcing mandatory security requirements. Human processes lack the consistency and enforcement capabilities of technical controls.
B) This is the correct answer because SCPs can evaluate subnet characteristics in RunInstances requests, ec2:Subnet condition keys enable subnet-based launch restrictions, preventive controls block public subnet launches at authorization time, and this ensures instances cannot be exposed directly to the internet.
C) Deleting all public subnets is operationally disruptive and prevents legitimate uses of public subnets for bastion hosts, NAT gateways, load balancers, and other edge resources. The requirement is to prevent EC2 instances in public subnets, not eliminate public subnets entirely.
D) AWS Config detects instances in public subnets after launch but doesn’t prevent creation. Detective controls are reactive, allowing instances to exist in public subnets before remediation. Preventive controls blocking public subnet launches are more effective.
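The allowlist variant described above, as an added example that is not from the original page: a Service Control Policy that denies ec2:RunInstances on any subnet whose ARN is not in an enumerated list of private subnets, plus an offline check of how the ArnNotLike condition decides a launch. The account ID and subnet IDs are constructed placeholders.

```python
"""Subnet allowlist SCP for ec2:RunInstances with an offline evaluation of
its ArnNotLike condition. Account and subnet IDs are constructed."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder
APPROVED_SUBNET_ARNS = [     # constructed: the only subnets launches may use
    f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:subnet/subnet-0aaa1111bbbb22220",
    f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:subnet/subnet-0ccc3333dddd44440",
]

# Resource is scoped to subnet/* so the Deny evaluates only against the subnet
# resource of the RunInstances call, not the instance, volume or image
# resources the same call also touches.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLaunchOutsideApprovedSubnets",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:subnet/*",
            "Condition": {"ArnNotLike": {"ec2:Subnet": APPROVED_SUBNET_ARNS}},
        }
    ],
}


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: the six colon-delimited components are compared
    one by one, each allowing '*' and '?' wildcards."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(a_parts, p_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def launch_denied(policy: dict, subnet_arn: str) -> bool:
    """True if a Deny statement blocks ec2:RunInstances for a request whose
    ec2:Subnet context key is subnet_arn. Only the ArnNotLike operator on
    ec2:Subnet is modelled; a Deny with no condition always applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase("ec2:RunInstances", a)
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_like(r, subnet_arn) for r in _as_list(stmt["Resource"])):
            continue
        allowed = stmt.get("Condition", {}).get("ArnNotLike", {}).get("ec2:Subnet", [])
        # ArnNotLike is satisfied (so the Deny applies) when no pattern matches.
        if not any(arn_like(p, subnet_arn) for p in _as_list(allowed)):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for sub in ("subnet-0aaa1111bbbb22220", "subnet-0eee5555ffff66660"):
        arn = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:subnet/{sub}"
        print(sub, "DENIED" if launch_denied(SCP, arn) else "allowed")
```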
Question 142
A security engineer needs to implement monitoring that detects when AWS CloudTrail logging is disabled in any account. Which solution provides real-time detection?
A) Manually check CloudTrail status monthly in each account
B) Use AWS Config with cloudtrail-enabled managed rule and EventBridge for real-time alerting
C) Review CloudTrail logs weekly
D) Enable GuardDuty
Answer: B
Explanation:
Detecting CloudTrail logging disruptions requires continuous monitoring that generates immediate alerts when trails are stopped or deleted. AWS Config provides continuous compliance monitoring with managed rules specifically designed to detect CloudTrail issues. EventBridge enables real-time alerting when compliance violations occur.
AWS Config includes the cloudtrail-enabled managed rule that continuously verifies at least one CloudTrail trail is enabled and logging. When Config detects trails being stopped or deleted, it marks the account as non-compliant and generates compliance change events. These events trigger EventBridge rules for immediate notification.
EventBridge rules match Config compliance change events and trigger actions like SNS notifications to security teams, Lambda functions that re-enable CloudTrail, or Systems Manager Automation that remediates the configuration. This real-time detection and response ensures minimal gaps in audit logging coverage.
A) Manual monthly checking introduces 30-day windows where CloudTrail could be disabled without detection. Critical audit logs would be missing for significant periods. Manual processes don’t provide the real-time detection required for maintaining continuous audit trails.
B) This is the correct answer because AWS Config continuously monitors CloudTrail status, the cloudtrail-enabled managed rule detects disabled trails immediately, EventBridge provides real-time alerting on compliance changes, and automated remediation can re-enable logging rapidly.
C) Reviewing CloudTrail logs weekly doesn’t detect when CloudTrail itself is disabled since no logs are generated when logging is stopped. This approach cannot detect the absence of logging. Weekly reviews also introduce multi-day detection delays.
D) GuardDuty detects security threats through log analysis but does not monitor CloudTrail service status. GuardDuty consumes CloudTrail logs but doesn’t provide alerting when CloudTrail logging is disabled. GuardDuty and CloudTrail monitoring address different concerns.
Question 143
An organization requires that AWS Secrets Manager secrets be automatically rotated every 30 days. Which configuration implements this?
A) Manually rotate secrets monthly
B) Enable automatic rotation for secrets with Lambda rotation functions and 30-day rotation schedule
C) Store secrets in Parameter Store instead
D) Use KMS key rotation for secret encryption
Answer: B
Explanation:
Secrets Manager provides native automatic secret rotation capabilities designed specifically for managing credential lifecycle. Automatic rotation uses Lambda functions to update secrets and their associated systems on defined schedules. This eliminates manual rotation processes and ensures consistent rotation compliance.
Secrets Manager automatic rotation is enabled per secret with configurable rotation intervals. For 30-day rotation, secrets are configured with rotation enabled and rotation period set to 30 days. Secrets Manager automatically invokes the rotation Lambda function every 30 days to perform the rotation process.
Rotation Lambda functions follow a multi-step process: create new credentials, update the target system (database, application) with new credentials, test new credentials work correctly, update the secret value in Secrets Manager, and mark old credentials as deprecated. This orchestrated process ensures seamless rotation without service disruption.
A) Manual monthly rotation is operationally intensive, error-prone, and risks human errors causing service disruptions. Manual processes require scheduled procedures and documentation. Automatic rotation eliminates operational burden and ensures consistent rotation without human intervention.
B) This is the correct answer because Secrets Manager provides automatic rotation with configurable schedules, Lambda rotation functions orchestrate the rotation process, 30-day rotation periods can be configured per secret, and rotation occurs automatically without manual intervention.
C) Systems Manager Parameter Store can store secrets but does not provide automatic rotation functionality. Parameter Store would require custom rotation logic using Lambda and scheduled triggers. Secrets Manager is purpose-built for automatic secret rotation.
D) KMS key rotation rotates encryption keys protecting secrets at rest but does not rotate the secret values themselves. Key rotation and secret rotation address different concerns. The requirement is for rotating secret values (credentials), not encryption keys.
Question 144
A company must ensure that Amazon RDS database instances are not publicly accessible from the internet. Which combination provides defense-in-depth?
A) Place RDS in private subnets, configure security groups allowing only VPC sources, and enable PubliclyAccessible=false
B) Use only security groups
C) Enable RDS encryption
D) Use Multi-AZ deployments
Answer: A
Explanation:
Defense-in-depth requires multiple complementary security layers so that if one control fails, others provide protection. RDS public accessibility prevention requires network-level, configuration-level, and access control-level protections. Combining subnet placement, security groups, and instance settings creates comprehensive protection.
Private subnets lack routes to internet gateways, preventing direct inbound connections from the internet at the network routing level. RDS instances in private subnets receive only private IP addresses and cannot be reached from outside the VPC without additional connectivity like VPN or Direct Connect.
Security groups provide instance-level firewall controls, restricting inbound connections to specific sources within the VPC. Even if other controls failed, security groups only allow connections from application security groups or specific CIDR ranges within the VPC. The PubliclyAccessible attribute set to false ensures RDS does not assign public DNS names or IP addresses.
A) This is the correct answer because private subnet placement prevents internet routing, security groups restrict connections to VPC sources only, PubliclyAccessible=false prevents public DNS/IP assignment, and multiple complementary controls implement defense-in-depth.
B) Security groups alone provide insufficient protection. If RDS is placed in public subnets with PubliclyAccessible=true, misconfigurations or overly permissive security group rules could allow internet access. Single-layer controls don’t provide defense-in-depth.
C) RDS encryption protects data at rest but does not control network accessibility. Encrypted databases can still be publicly accessible if improperly configured. Encryption and accessibility controls address different security concerns.
D) Multi-AZ deployments provide high availability through automated failover but do not control public accessibility. Multi-AZ addresses availability rather than access controls. Multiple AZs and public accessibility restrictions are independent security concerns.
Question 145
A security team needs to detect when EC2 instances are launched with security groups allowing unrestricted RDP access (port 3389 from 0.0.0.0/0). Which solution provides automated detection?
A) Manually review security groups monthly
B) Use AWS Config with restricted-rdp managed rule to detect non-compliant security groups continuously
C) Enable VPC Flow Logs
D) Use CloudWatch detailed monitoring
Answer: B
Explanation:
Detecting security group misconfigurations requires continuous compliance monitoring that evaluates security group rules against security policies. AWS Config provides managed rules specifically designed to detect common security group issues including unrestricted RDP access. Continuous evaluation ensures rapid detection of misconfigurations.
AWS Config’s restricted-rdp managed rule evaluates security groups for inbound rules allowing TCP port 3389 from 0.0.0.0/0. When Config detects non-compliant security groups, it generates compliance findings immediately. This continuous monitoring catches both new security groups created with unrestricted access and modifications to existing groups.
Config findings trigger EventBridge rules that can invoke automated responses. Lambda functions can automatically remove non-compliant rules, send notifications to security teams and rule creators, or create tickets for investigation. This automated detection and remediation minimizes exposure windows for unrestricted RDP access.
A) Manual monthly review introduces 30-day windows where unrestricted RDP access could exist. During these periods, instances remain vulnerable to brute force attacks and unauthorized access attempts. Manual processes don’t scale across dynamic environments with frequent security group changes.
B) This is the correct answer because AWS Config continuously monitors security group configurations, the restricted-rdp managed rule detects unrestricted RDP access specifically, Config generates immediate compliance findings, and automated remediation can remove non-compliant rules.
C) VPC Flow Logs capture actual network traffic showing RDP connection attempts but don’t detect security group misconfigurations. Flow logs are reactive, showing that traffic occurred, but don’t proactively identify vulnerable configurations before exploitation.
D) CloudWatch detailed monitoring provides additional EC2 instance metrics but does not evaluate security group rules or detect configuration issues. CloudWatch monitors instance performance rather than security group compliance.
Question 146
An organization requires that all AWS KMS customer-managed keys have CloudTrail logging enabled to track key usage. However, CloudTrail is enabled by default for KMS. What additional configuration ensures comprehensive key usage monitoring?
A) Enable CloudTrail in each account
B) Ensure CloudTrail logs are delivered to a secure S3 bucket with appropriate retention and create CloudWatch metric filters for KMS key usage analysis
C) Enable KMS key rotation
D) Use AWS Config to monitor keys
Answer: B
Explanation:
While CloudTrail automatically logs KMS API calls, comprehensive key usage monitoring requires proper log storage, retention, and analysis capabilities. CloudTrail logs must be delivered to secure, centralized locations with appropriate retention policies. Analysis tools provide insights into key usage patterns.
CloudTrail logs all KMS operations including Encrypt, Decrypt, GenerateDataKey, and key management operations. These logs contain details about which principals accessed keys, when access occurred, which resources were involved, and whether operations succeeded. For compliance and security monitoring, these logs must be retained securely.
CloudWatch metric filters analyze CloudTrail logs in real-time, identifying specific KMS operations or patterns. Metrics can track key usage volume, detect unusual access patterns, identify which principals use which keys, and generate alarms for suspicious activity. This analysis transforms raw CloudTrail logs into actionable security intelligence.
A) Enabling CloudTrail in each account is baseline configuration but doesn’t ensure comprehensive monitoring. CloudTrail enablement alone doesn’t provide the log analysis, retention management, or security monitoring required for comprehensive key usage tracking.
B) This is the correct answer because CloudTrail logs KMS key usage comprehensively, secure S3 storage with retention policies ensures log preservation, CloudWatch metric filters enable real-time analysis of key usage patterns, and this provides complete key usage monitoring and analysis.
C) KMS key rotation rotates cryptographic key material but doesn’t provide usage monitoring or logging. Key rotation addresses key lifecycle management rather than usage tracking. Rotation and monitoring are complementary but separate concerns.
D) AWS Config monitors key configuration and compliance but doesn’t provide detailed usage tracking showing which principals perform encryption/decryption operations. Config tracks configuration state while CloudTrail tracks operational usage.
Question 147
A company must implement controls preventing S3 buckets from being made public even temporarily. Which combination provides the strongest protection?
A) Train users not to make buckets public
B) Enable S3 Block Public Access at the account level and use Service Control Policies denying public access configuration
C) Use bucket policies only
D) Enable S3 Object Lock
Answer: B
Explanation:
Preventing S3 public access requires multiple preventive control layers ensuring buckets cannot become public through any configuration method. S3 Block Public Access provides account and bucket-level controls, while Service Control Policies add organization-wide enforcement that cannot be overridden. This defense-in-depth approach provides maximum protection.
S3 Block Public Access at the account level overrides bucket policies and ACLs that would grant public access. When enabled, Block Public Access prevents buckets from becoming publicly accessible regardless of bucket configurations. This setting applies to all buckets in the account, both existing and newly created.
Service Control Policies add an additional enforcement layer by denying API calls that would disable Block Public Access or create public bucket configurations. Even account administrators cannot disable Block Public Access if SCPs prevent it. This dual-layer approach ensures public access prevention cannot be circumvented.
A) Training alone is insufficient for mandatory security requirements. Human processes are fallible and don’t provide technical enforcement. Users may make mistakes, ignore training, or act maliciously. Technical controls are essential for preventing public access.
B) This is the correct answer because S3 Block Public Access at the account level prevents all public access configurations, SCPs provide organization-wide enforcement preventing Block Public Access from being disabled, dual-layer controls ensure buckets cannot become public through any method, and this provides the strongest protection against public exposure.
C) Bucket policies alone can be modified or removed by users with appropriate permissions. Without additional controls, bucket policies provide insufficient protection. Users could remove or modify policies to enable public access, violating security requirements.
D) S3 Object Lock prevents object deletion and modification for compliance purposes but does not control bucket public accessibility. Object Lock addresses data immutability rather than access controls. Lock settings are independent of public access prevention.
Question 148
A security team needs to implement automated remediation that removes default VPC security group rules allowing all inbound traffic from other instances in the same security group. Which solution implements this?
A) Manually review security groups monthly
B) Use AWS Config with a custom rule detecting default security groups and Systems Manager Automation for remediation
C) Delete all default VPCs
D) Use GuardDuty to detect security group issues
Answer: B
Explanation:
Default VPC security groups include rules allowing all inbound traffic from instances in the same security group, which can facilitate lateral movement if instances are compromised. Detecting and remediating these overly permissive rules requires continuous monitoring and automated remediation. AWS Config with custom rules provides this capability.
AWS Config custom rules use Lambda functions to evaluate security group configurations. The Lambda function identifies default security groups (named “default”) and checks for the self-referencing inbound rule allowing all protocols from the security group itself. When detected, Config marks the security group as non-compliant.
Systems Manager Automation documents orchestrate the remediation process. When Config detects non-compliant default security groups, automatic remediation triggers SSM Automation that modifies the security group, removing the overly permissive self-referencing inbound rule while preserving outbound rules. This automated enforcement prevents lateral movement risks.
A) Manual monthly review doesn’t scale and introduces 30-day windows where overly permissive default security groups exist. Default security groups are created automatically with new VPCs, requiring continuous monitoring. Manual processes cannot keep pace with automated VPC creation.
B) This is the correct answer because Config custom rules detect default security groups with self-referencing inbound rules, Systems Manager Automation automates rule removal, continuous monitoring catches new default security groups immediately, and automated remediation prevents lateral movement risks.
C) Deleting default VPCs prevents their use but is operationally disruptive and doesn’t address default security groups in existing VPCs. Organizations may have legitimate uses for default VPCs. The requirement is to remediate security group rules, not eliminate VPCs.
D) GuardDuty detects threats through behavioral analysis but does not evaluate security group configurations for overly permissive rules. GuardDuty focuses on detecting active threats rather than identifying configuration weaknesses.
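The Config custom rule described above, as an added example rather than code from the page: the evaluation logic identifies a default security group whose inbound rules allow all protocols from the group itself, the handler reports the result to Config, and a helper produces the exact rule the remediation step would pass to revoke_security_group_ingress. The configuration item is constructed and group IDs are placeholders.

```python
"""Config custom rule for the self-referencing all-traffic inbound rule on a
default security group. Sample configuration items are constructed."""
import json


def offending_permissions(configuration: dict) -> list:
    """Inbound rules allowing all protocols ("-1") from the group itself, in
    the shape ec2.revoke_security_group_ingress(IpPermissions=...) expects."""
    own_id = configuration["groupId"]
    found = []
    for perm in configuration.get("ipPermissions", []):
        if perm.get("ipProtocol") != "-1":
            continue
        if any(p.get("groupId") == own_id for p in perm.get("userIdGroupPairs", [])):
            found.append({"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": own_id}]})
    return found


def evaluate(configuration_item: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted",
                                                              "ResourceDeletedNotRecorded"):
        return ("NOT_APPLICABLE", "resource deleted")
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return ("NOT_APPLICABLE", "not a security group")
    cfg = configuration_item["configuration"]
    if cfg.get("groupName") != "default":
        return ("NOT_APPLICABLE", "not a default security group")
    if offending_permissions(cfg):
        return ("NON_COMPLIANT", "default SG allows all inbound traffic from itself")
    return ("COMPLIANT", "no self-referencing all-traffic inbound rule")


def lambda_handler(event, context):
    """Entry point Config invokes with invokingEvent (JSON string) and resultToken."""
    import boto3  # imported here so evaluate() stays runnable offline
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(ci)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


def sample_security_group(group_name: str = "default", self_referencing: bool = True) -> dict:
    """Constructed configuration item resembling what Config records for a VPC SG."""
    gid = "sg-0123456789abcdef0"  # constructed placeholder
    ingress = []
    if self_referencing:
        ingress.append({"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [], "prefixListIds": [],
                        "userIdGroupPairs": [{"groupId": gid, "userId": "111122223333"}]})
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": gid,
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {
            "groupId": gid, "groupName": group_name, "vpcId": "vpc-0abc1234",
            "ipPermissions": ingress,
            # egress is left untouched by the remediation
            "ipPermissionsEgress": [{"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}],
                                     "userIdGroupPairs": []}],
        },
    }


if __name__ == "__main__":
    ci = sample_security_group()
    print(evaluate(ci))
    print("revoke:", offending_permissions(ci["configuration"]))
```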
Question 149
An organization requires that all AWS API calls made using root account credentials be immediately detected and alerted to security teams. Which solution provides this?
A) Manually review CloudTrail logs daily
B) Use CloudWatch Events (EventBridge) rules matching root account usage in CloudTrail events to trigger SNS notifications
C) Enable GuardDuty
D) Use AWS Config to monitor root usage
Answer: B
Explanation:
Detecting root account usage requires real-time monitoring of CloudTrail events identifying API calls made with root credentials. CloudWatch Events (EventBridge) provides event-driven architecture enabling immediate detection and alerting. This rapid response ensures root usage is investigated promptly.
CloudTrail logs include userIdentity information showing whether API calls were made by root accounts. EventBridge rules can match CloudTrail events where userIdentity.type equals “Root” or userIdentity.invokedBy contains root account identifiers. When root usage is detected, rules trigger immediate actions.
SNS topics receive EventBridge rule triggers and send notifications to security team members via email, SMS, or integration with incident management platforms. Lambda functions can be triggered for additional analysis, creating detailed incident tickets with context about what root actions were performed. This automated alerting ensures zero-delay notification of root usage.
A) Manual daily CloudTrail review introduces up to 24-hour detection delays. Root account usage could go undetected for an entire day, allowing unauthorized actions significant time to cause damage. Manual processes don’t provide the immediate detection required for critical security events like root usage.
B) This is the correct answer because EventBridge rules detect root account usage in real-time from CloudTrail events, rules match userIdentity fields identifying root account API calls, SNS notifications provide immediate alerting to security teams, and automated detection ensures zero-delay response to root usage.
C) GuardDuty generates findings for suspicious activity including compromised root credentials but doesn’t provide immediate alerting for all root account usage regardless of whether it appears malicious. GuardDuty focuses on threat detection rather than policy-based root usage alerting.
D) AWS Config monitors resource configurations but doesn’t provide real-time event-based detection of API calls. Config is designed for configuration compliance monitoring rather than operational event detection. CloudTrail with EventBridge is the appropriate tool for API call monitoring.
Question 150
A company must ensure that Amazon ECS task definitions only use approved container images from the organization’s ECR repository. Which solution enforces this?
A) Manually review task definitions before deployment
B) Use IAM policies with conditions requiring task definitions to reference specific ECR repository ARNs
C) Enable ECR image scanning
D) Use ECS service discovery
Answer: B
Explanation:
Preventing ECS tasks from using unauthorized container images requires validating image sources during task definition registration. IAM policies can evaluate task definition parameters to ensure container images reference approved ECR repositories. This preventive control blocks non-compliant task definitions at creation time.
IAM policies for ECS task definition registration can include conditions using the ecs:container-image or resource-based conditions that parse and validate image URIs. Policies deny RegisterTaskDefinition or CreateService actions when task definitions reference images from unauthorized registries like public Docker Hub or external ECR repositories.
The policy conditions extract the registry portion of container image URIs and compare against allowed ECR repository ARNs or account IDs. This ensures all container images originate from the organization’s controlled ECR repositories where images are scanned for vulnerabilities and validated for compliance before use.
A) Manual review before deployment is operationally intensive and introduces delays in deployment pipelines. Manual processes are error-prone and don’t scale across organizations with many ECS services and frequent deployments. Technical enforcement provides consistent, automated compliance.
B) This is the correct answer because IAM policies can validate container image sources in task definitions, conditions evaluate image URIs to ensure they reference approved ECR repositories, preventive controls block non-compliant task definitions at registration, and this ensures only approved images are deployed.
C) ECR image scanning detects vulnerabilities in container images but doesn’t enforce that ECS tasks only use images from organizational ECR repositories. Scanning validates image security but doesn’t control image sources in task definitions.
D) ECS service discovery provides DNS-based service discovery for ECS services but doesn’t control or validate container image sources. Service discovery addresses service-to-service communication rather than image source validation.
Question 151
A security engineer needs to detect when AWS Security Hub findings reach CRITICAL severity in any account. Which solution provides real-time detection and alerting?
A) Manually check Security Hub daily
B) Use EventBridge rules matching Security Hub findings with CRITICAL severity to trigger SNS notifications
C) Enable GuardDuty
D) Use AWS Config
Answer: B
Explanation:
Security Hub aggregates security findings from multiple AWS services and generates findings with severity ratings. Real-time response to critical severity findings requires event-driven architecture detecting findings as they’re created. EventBridge provides integration with Security Hub for automated detection and alerting.
Security Hub publishes findings to EventBridge as they’re generated or updated. EventBridge rules can match specific finding attributes including severity levels. Rules filtering for findings where Severity.Label equals “CRITICAL” trigger immediate actions when critical findings are detected across any integrated security service.
SNS topics or Lambda functions triggered by EventBridge rules provide immediate notification to security teams. Notifications can include finding details like affected resources, finding types, and recommended remediation actions. This real-time alerting ensures critical security issues receive immediate attention regardless of when they occur.
A) Manual daily Security Hub checking introduces up to 24-hour detection delays for critical findings. Security issues requiring immediate response could go unaddressed for significant periods. Manual processes don’t provide the real-time alerting required for critical security events.
B) This is the correct answer because EventBridge integrates with Security Hub for real-time finding detection, rules match findings based on severity levels, SNS notifications provide immediate alerting for critical findings, and automated detection ensures zero-delay response to critical security issues.
C) GuardDuty is one of many services that sends findings to Security Hub but doesn’t provide centralized alerting on Security Hub findings from all integrated services. GuardDuty detects specific threats while Security Hub aggregates findings from multiple sources.
D) AWS Config monitors resource configurations and sends findings to Security Hub but doesn’t provide real-time alerting on Security Hub findings. Config is one finding source while EventBridge provides the alerting mechanism for all Security Hub findings.
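The three EventBridge rules discussed in Questions 142, 149 and 151 (cloudtrail-enabled going NON_COMPLIANT, root-credential API calls, Security Hub CRITICAL findings), as an added example that is not from the original page. The matcher reimplements only the subset of EventBridge pattern semantics these rules rely on, and the sample events are constructed.

```python
"""EventBridge patterns for three detections and a matcher that reproduces
the subset of EventBridge semantics they use. Sample events are constructed."""

PATTERNS = {
    "root-usage": {
        "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
    "critical-finding": {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        # detail.findings is an array; EventBridge matches if any element matches
        "detail": {"findings": {"Severity": {"Label": ["CRITICAL"]}}},
    },
    "cloudtrail-disabled": {
        "source": ["aws.config"],
        "detail-type": ["Config Rules Compliance Change"],
        "detail": {"configRuleName": ["cloudtrail-enabled"],
                   "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
    },
}


def matches(pattern, event) -> bool:
    """Every pattern key must exist in the event. A leaf list matches when the
    event value, or any element of an event array, equals one listed value;
    nested dicts recurse; an event array of objects matches if any element
    satisfies the sub-pattern. Comparison is exact and case-sensitive."""
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(k in event and matches(sub, event[k]) for k, sub in pattern.items())
    values = event if isinstance(event, list) else [event]
    return any(v in pattern for v in values)


def triage(event: dict) -> list:
    """Names of the rules that would fire for this event (each would target SNS)."""
    return [name for name, pat in PATTERNS.items() if matches(pat, event)]


# Constructed sample events in the envelope shape EventBridge delivers.
ROOT_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventName": "AuthorizeSecurityGroupIngress",
               "userIdentity": {"type": "Root", "accountId": "111122223333",
                                "arn": "arn:aws:iam::111122223333:root"}},
}
IAM_USER_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventName": "AuthorizeSecurityGroupIngress",
               "userIdentity": {"type": "IAMUser", "userName": "alice"}},
}
SECHUB_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "constructed-finding-1", "Severity": {"Label": "HIGH", "Normalized": 70}},
        {"Id": "constructed-finding-2", "Severity": {"Label": "CRITICAL", "Normalized": 90}},
    ]},
}
SECHUB_HIGH_ONLY_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{"Id": "constructed-finding-3", "Severity": {"Label": "HIGH"}}]},
}
CONFIG_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"configRuleName": "cloudtrail-enabled", "resourceType": "AWS::::Account",
               "resourceId": "111122223333",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
               "oldEvaluationResult": {"complianceType": "COMPLIANT"}},
}

if __name__ == "__main__":
    for name, ev in [("root", ROOT_EVENT), ("iam user", IAM_USER_EVENT),
                     ("sechub", SECHUB_EVENT), ("config", CONFIG_EVENT)]:
        print(name, "->", triage(ev))
```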
Question 152
An organization requires that EC2 instances in production environments use instance metadata service version 2 (IMDSv2) exclusively. Which combination enforces and monitors this requirement?
A) Manually configure each instance
B) Use IAM policies requiring IMDSv2 for instance launches and AWS Config to monitor existing instances
C) Enable GuardDuty
D) Use VPC Flow Logs
Answer: B
Explanation:
Enforcing IMDSv2 usage requires both preventive controls for new instances and detective controls for existing instances. IAM policies ensure new instances are configured correctly at launch, while AWS Config continuously monitors existing instances for compliance. This dual approach provides comprehensive enforcement.
IAM policies use the ec2:MetadataHttpTokens condition key to require HttpTokens=required during RunInstances operations. This preventive control blocks launching instances configured to allow IMDSv1. Policies deny instance launches that don’t enforce IMDSv2, ensuring all new instances use the secure metadata service version.
AWS Config custom rules evaluate existing instances for IMDSv2 configuration. Rules check the HttpTokens metadata service setting on running instances, marking those allowing IMDSv1 as non-compliant. Config can trigger automated remediation using Systems Manager Run Command to modify instance metadata options, enabling IMDSv2 requirement on existing instances.
A) Manual configuration doesn’t prevent users from launching new instances with IMDSv1 enabled and doesn’t scale across dynamic environments. Manual processes are error-prone and require ongoing effort for each instance launch and configuration change.
B) This is the correct answer because IAM policies prevent launching instances without IMDSv2 enforcement, Config monitors existing instances for compliance, automated remediation can update non-compliant instances, and this provides comprehensive enforcement for both new and existing instances.
C) GuardDuty detects security threats but doesn’t enforce IMDSv2 configuration or monitor metadata service settings. GuardDuty focuses on behavioral threat detection rather than instance configuration compliance.
D) VPC Flow Logs capture network traffic but don’t evaluate instance metadata service configuration. Flow logs provide network visibility but cannot detect or enforce IMDSv2 settings on instances.
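Both halves of the combination above, as an added example that is not from the page: the launch-time Deny on the ec2:MetadataHttpTokens condition key, a Config-style evaluation of an instance's metadataOptions, and the ModifyInstanceMetadataOptions parameters the remediation step would use. The instance ID and configuration items are constructed; treating a disabled metadata endpoint as compliant is this example's own choice.

```python
"""IMDSv2 enforcement: launch-time Deny policy, Config evaluation of existing
instances, and remediation parameters. Sample instances are constructed."""
from typing import Optional

# Deny any RunInstances whose metadata options do not require session tokens.
REQUIRE_IMDSV2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLaunchWithoutIMDSv2",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
    }],
}


def launch_denied(http_tokens: Optional[str]) -> bool:
    """Model the StringNotEquals test. Negated operators are satisfied both when
    the value differs and when the key is absent from the request context, so a
    launch that omits metadata options is denied as well."""
    return http_tokens != "required"


def evaluate_instance(configuration: dict) -> tuple:
    """(ComplianceType, Annotation) for an AWS::EC2::Instance configuration."""
    if configuration.get("state", {}).get("name") == "terminated":
        return ("NOT_APPLICABLE", "instance is terminated")
    opts = configuration.get("metadataOptions", {})
    if opts.get("httpEndpoint") == "disabled":
        # Assumption of this example: no IMDS at all means no IMDSv1 exposure.
        return ("COMPLIANT", "metadata endpoint disabled")
    if opts.get("httpTokens") == "required":
        return ("COMPLIANT", "HttpTokens=required")
    return ("NON_COMPLIANT", f"HttpTokens={opts.get('httpTokens', 'unset')} still allows IMDSv1")


def remediation_params(instance_id: str) -> dict:
    """Keyword arguments for boto3 ec2.modify_instance_metadata_options()."""
    return {"InstanceId": instance_id, "HttpTokens": "required", "HttpEndpoint": "enabled"}


def remediate(ec2, instance_id: str) -> dict:
    """Apply the change with any object exposing modify_instance_metadata_options."""
    params = remediation_params(instance_id)
    ec2.modify_instance_metadata_options(**params)
    return params


def sample_instance(http_tokens: str = "optional", state: str = "running") -> dict:
    """Constructed configuration resembling Config's AWS::EC2::Instance item."""
    return {
        "instanceId": "i-0abc123def4567890",  # constructed placeholder
        "state": {"code": 16 if state == "running" else 48, "name": state},
        "metadataOptions": {"httpEndpoint": "enabled", "httpTokens": http_tokens,
                            "httpPutResponseHopLimit": 1, "state": "applied"},
    }


if __name__ == "__main__":
    for tokens in ("optional", "required", None):
        print("launch with HttpTokens", tokens, "->", "DENIED" if launch_denied(tokens) else "allowed")
    print(evaluate_instance(sample_instance("optional")))
    print(remediation_params("i-0abc123def4567890"))
```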
Question 153
A company must implement automated remediation that revokes IAM user access keys when they reach 90 days of age. Which solution implements this?
A) Manually review access key age monthly
B) Use AWS Config with a custom rule detecting old access keys and Lambda remediation to disable them
C) Enable IAM credential reports
D) Use GuardDuty to detect old credentials
Answer: B
Explanation:
Automating access key rotation enforcement requires continuous monitoring of key age and automated remediation actions. AWS Config provides the compliance monitoring framework, while Lambda functions execute remediation actions. This combination enables automated key lifecycle management without manual intervention.
AWS Config custom rules use Lambda functions to evaluate IAM user access key age. The evaluation Lambda retrieves all access keys, calculates age from creation dates, and marks users with keys older than 90 days as non-compliant. Config continuously evaluates keys, detecting when they exceed age thresholds immediately.
Automatic remediation triggers a Lambda function that disables (deactivates) old access keys using the IAM UpdateAccessKey API. Deactivating keys prevents their use for authentication while preserving them for audit purposes. Users are notified to create new keys and update applications before old keys are permanently deleted after a grace period.
A) Manual monthly review doesn’t enforce automatic key lifecycle and introduces 30-day windows where keys could exceed 90 days without action. Manual processes are operationally intensive and don’t scale across organizations with many IAM users and access keys.
B) This is the correct answer because Config custom rules continuously monitor access key age, rules detect keys exceeding 90 days immediately, automated remediation disables old keys without manual intervention, and this enforces consistent key rotation policies.
C) IAM credential reports provide access key information including creation dates but don’t automatically monitor age or trigger remediation. Credential reports are static snapshots requiring manual or scripted analysis rather than continuous automated enforcement.
D) GuardDuty detects security threats including compromised credentials but doesn’t monitor access key age for rotation policy enforcement. GuardDuty focuses on threat detection rather than credential lifecycle management based on age policies.
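The evaluation and remediation logic described above, written out as an added example (this is not code from the original page or from AWS). The compliance decision is a pure function over the AccessKeyMetadata shape that iam:ListAccessKeys returns, so it can be run offline on the constructed sample keys at the bottom; the two handlers wire it to Config and IAM. The `UserName` field on the remediation event is an assumed input shape, and the key IDs are placeholders.

```python
"""Added example (not from the page): evaluation and remediation logic for
a Config custom rule on IAM access-key age. The compliance logic is pure so
it runs offline on constructed data; AWS calls live only in the handlers."""
from datetime import datetime, timezone

try:
    import boto3  # available in the Lambda runtime; not needed for the pure logic
except ImportError:  # pragma: no cover
    boto3 = None

MAX_KEY_AGE_DAYS = 90  # threshold stated in the question


def key_age_days(create_date, now):
    """Whole days elapsed since the key was created (both datetimes tz-aware)."""
    return (now - create_date).days


def evaluate_user_keys(access_keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Classify one user's keys. `access_keys` mirrors AccessKeyMetadata from
    iam:ListAccessKeys (AccessKeyId, Status, CreateDate). Only Active keys
    count: a key already set Inactive cannot authenticate, so it is not a
    live exposure even if it is old. Returns (compliance_type, stale_key_ids)."""
    stale = [
        k["AccessKeyId"]
        for k in access_keys
        if k["Status"] == "Active" and key_age_days(k["CreateDate"], now) > max_age_days
    ]
    return ("NON_COMPLIANT" if stale else "COMPLIANT"), stale


def build_evaluation(user_name, compliance, stale, ordering_timestamp):
    """One Evaluation entry in the shape config:PutEvaluations expects."""
    if stale:
        annotation = f"Active access keys older than {MAX_KEY_AGE_DAYS} days: {', '.join(stale)}"
    else:
        annotation = f"No active access key older than {MAX_KEY_AGE_DAYS} days"
    return {
        "ComplianceResourceType": "AWS::IAM::User",
        "ComplianceResourceId": user_name,
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": ordering_timestamp,
    }


def evaluate_handler(event, context):
    """Periodic Config custom-rule Lambda: check every user's keys and report."""
    iam, config = boto3.client("iam"), boto3.client("config")
    now = datetime.now(timezone.utc)
    evaluations = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            keys = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
            compliance, stale = evaluate_user_keys(keys, now)
            evaluations.append(build_evaluation(user["UserName"], compliance, stale, now))
    for i in range(0, len(evaluations), 100):  # PutEvaluations takes at most 100 per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100], ResultToken=event["resultToken"])


def remediate_handler(event, context):
    """Remediation Lambda: deactivate (never delete) stale keys via iam:UpdateAccessKey.
    `event["UserName"]` is an assumed input shape; keys are re-read so the action
    is based on current state rather than on the finding that triggered it."""
    iam = boto3.client("iam")
    user = event["UserName"]
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    _, stale = evaluate_user_keys(keys, datetime.now(timezone.utc))
    for key_id in stale:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return stale


# Constructed sample data for offline runs; key IDs are placeholders.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_keys():
    return [
        {"AccessKeyId": "AKIAEXAMPLE0000OLD", "Status": "Active",
         "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},   # 152 days old
        {"AccessKeyId": "AKIAEXAMPLE0000NEW", "Status": "Active",
         "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},   # 31 days old
        {"AccessKeyId": "AKIAEXAMPLE00EDGE", "Status": "Active",
         "CreateDate": datetime(2024, 3, 3, tzinfo=timezone.utc)},   # exactly 90 days: still compliant
        {"AccessKeyId": "AKIAEXAMPLE000OFF", "Status": "Inactive",
         "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},   # old but already disabled
    ]


if __name__ == "__main__":
    compliance, stale = evaluate_user_keys(sample_keys(), SAMPLE_NOW)
    print(build_evaluation("alice", compliance, stale, SAMPLE_NOW))
```

Two design points worth noting: the boundary is strictly greater than 90 days, so a key on its 90th day is still compliant, and the remediation re-reads the user's keys instead of trusting the triggering finding, which avoids deactivating a key that was already rotated between detection and remediation.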
Question 154
A security team needs to implement controls preventing Lambda functions from being created with overly permissive execution role policies (e.g., policies with Action: “*”). Which solution enforces this?
A) Manually review all Lambda function roles
B) Use IAM Access Analyzer to detect overly permissive policies and prevent Lambda creation referencing those roles
C) Enable Lambda reserved concurrency
D) Use X-Ray for Lambda tracing
Answer: B
Explanation:
Preventing Lambda functions from using overly permissive execution roles requires analyzing IAM policies for excessive permissions and blocking use of non-compliant roles. IAM Access Analyzer identifies policies granting broad permissions, while preventive controls can block function creation using flagged roles.
IAM Access Analyzer continuously evaluates IAM policies, identifying those granting wildcard permissions on all actions and resources. Analyzer generates findings for overly permissive policies like those with Action: “*” and Resource: “*”. These findings indicate roles violating least privilege principles.
Integration with Lambda function creation processes checks whether proposed execution roles have Access Analyzer findings for excessive permissions. Lambda-backed custom authorization or API Gateway validators can prevent function creation when execution roles are flagged as overly permissive. This preventive control enforces least privilege at function creation time.
A) Manual review of Lambda function roles doesn’t scale across organizations with many functions and doesn’t prevent creation of functions with overly permissive roles. Manual processes are reactive and operationally intensive, requiring continuous effort as new functions are created.
B) This is the correct answer because IAM Access Analyzer detects policies with wildcard actions and resources, findings identify overly permissive roles, preventive controls can block Lambda function creation using non-compliant roles, and this enforces least privilege for Lambda execution roles.
C) Lambda reserved concurrency controls maximum concurrent executions but doesn’t analyze or restrict execution role permissions. Reserved concurrency addresses capacity management rather than IAM policy security.
D) X-Ray provides distributed tracing for Lambda functions but doesn’t analyze execution role permissions or detect overly permissive policies. X-Ray focuses on performance and request flow analysis rather than IAM security.
Question 155
An organization requires that all data in Amazon CloudWatch Logs be encrypted using customer-managed KMS keys. Which configuration implements this?
A) CloudWatch Logs uses default encryption automatically
B) Create log groups with encryption enabled using customer-managed KMS keys
C) Enable KMS key rotation for CloudWatch
D) Use S3 encryption for logs
Answer: B
Explanation:
CloudWatch Logs supports encryption at rest using KMS keys. While CloudWatch Logs provides encryption by default using AWS-managed keys, organizations requiring customer-managed keys must explicitly configure log groups with specific KMS keys. This configuration ensures logs are encrypted with keys under organizational control.
When creating CloudWatch Logs log groups, encryption can be enabled by specifying a customer-managed KMS key ARN. The KMS key must grant CloudWatch Logs service permissions to use the key for encryption operations. After configuration, all log data written to the log group is encrypted using the specified customer-managed key.
Existing log groups can be associated with customer-managed KMS keys, but this requires creating new encrypted log groups and migrating log streams. Organizations should configure encryption during initial log group creation to avoid migration complexity. Key policies must allow the CloudWatch Logs service principal to perform encrypt and decrypt operations.
A) CloudWatch Logs does encrypt data at rest by default but uses AWS-managed keys rather than customer-managed keys. Default encryption doesn’t meet requirements for customer-managed keys with organizational control over key policies and rotation schedules.
B) This is the correct answer because CloudWatch Logs log groups can be configured with customer-managed KMS keys for encryption, log groups must be created with encryption enabled specifying the KMS key, this provides encryption using keys under organizational control, and key policies enable audit and access control.
C) KMS key rotation rotates cryptographic key material but doesn’t configure CloudWatch Logs to use customer-managed keys for encryption. Key rotation is separate from the initial configuration associating log groups with customer-managed keys.
D) CloudWatch Logs data is stored in CloudWatch Logs service storage, not S3. S3 encryption settings don’t apply to CloudWatch Logs. While logs can be exported to S3 for long-term storage, the requirement is for encrypting logs in CloudWatch Logs itself.
Question 156
A company must ensure that Amazon S3 buckets cannot be deleted without requiring multi-factor authentication (MFA). Which configuration implements this?
A) Enable S3 versioning
B) Configure S3 bucket policies requiring MFA for delete operations
C) Enable S3 Object Lock
D) Use IAM policies with MFA conditions
Answer: B
Explanation:
Preventing accidental or malicious bucket deletion requires strong authentication for destructive operations. S3 bucket policies can enforce MFA requirements for specific API actions including bucket deletion. This adds an authentication layer ensuring only users with physical MFA devices can delete buckets.
S3 bucket policies use the aws:MultiFactorAuthPresent condition key to require MFA for delete operations. Policies deny DeleteBucket actions unless the request is authenticated with MFA. This ensures bucket deletion requires both password/access key and physical MFA device, significantly reducing accidental or unauthorized deletion risks.
The bucket policy explicitly denies DeleteBucket operations when the MFA condition is not met. Even users with delete permissions in their IAM policies cannot delete buckets without MFA authentication. This bucket-level enforcement provides strong protection against destructive operations on critical data storage.
A) S3 versioning preserves object versions but doesn’t prevent bucket deletion. Versioning protects object data but buckets themselves can still be deleted if users have appropriate permissions. Versioning and deletion protection address different concerns.
B) This is the correct answer because S3 bucket policies can require MFA for delete operations, aws:MultiFactorAuthPresent condition enforces MFA authentication, bucket policies deny deletion without MFA regardless of IAM permissions, and this provides strong protection against accidental or unauthorized bucket deletion.
C) S3 Object Lock prevents object deletion and modification but doesn’t protect the bucket itself from deletion. Object Lock ensures object immutability but buckets can still be deleted if no objects remain or retention periods have expired.
D) IAM policies with MFA conditions can require MFA for specific actions but bucket policies provide bucket-specific protection that applies regardless of which IAM principal attempts deletion. Bucket policies offer more granular control for bucket-specific MFA requirements.
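The bucket policy statement described above, together with a checker that decides whether an existing bucket policy already carries it, as an added example (not code from the original page or from AWS). The statement uses BoolIfExists rather than Bool because aws:MultiFactorAuthPresent is simply absent for some credential types, and IfExists makes an absent key satisfy the deny instead of skipping it. The checker is what a defender would run across every bucket as an audit; the bucket name and account ID in the samples are placeholders.

```python
"""Added example (not from the page): the MFA-gated DeleteBucket deny the
explanation describes, plus a checker that reports whether a bucket policy
already contains it. The checker is offline logic; audit_buckets() wires it
to S3 for a fleet-wide sweep."""
import json

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # pragma: no cover
    boto3 = ClientError = None

MFA_KEY = "aws:MultiFactorAuthPresent"


def mfa_delete_bucket_statement(bucket_name):
    """Deny s3:DeleteBucket to every principal unless the request carried MFA.
    BoolIfExists/'false': a request with the key set to false is denied, and a
    request where the key is absent is denied too (IfExists treats it as a match)."""
    return {
        "Sid": "DenyDeleteBucketWithoutMFA",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:DeleteBucket",
        "Resource": f"arn:aws:s3:::{bucket_name}",
        "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_all_principals(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def statement_blocks_unauthenticated_delete(stmt, bucket_arn):
    """True if this statement denies DeleteBucket on the bucket for any principal
    whose request lacks MFA. Bool/'false' is accepted as well as BoolIfExists,
    although BoolIfExists is the stronger form for the reason given above."""
    if stmt.get("Effect") != "Deny" or not _covers_all_principals(stmt.get("Principal")):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"s3:deletebucket", "s3:*", "*"}:
        return False
    if not any(r in ("*", "arn:aws:s3:::*", bucket_arn) for r in _as_list(stmt.get("Resource", []))):
        return False
    cond = stmt.get("Condition", {})
    for op in ("BoolIfExists", "Bool"):
        value = cond.get(op, {}).get(MFA_KEY)
        if value is not None and str(value).lower() == "false":
            return True
    return False


def bucket_policy_requires_mfa_for_delete(policy_doc, bucket_name):
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return any(statement_blocks_unauthenticated_delete(s, bucket_arn)
               for s in _as_list(policy_doc.get("Statement", [])))


def audit_buckets():
    """Return the names of buckets in the account that lack the control."""
    s3 = boto3.client("s3")
    unprotected = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            doc = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            doc = {"Statement": []}  # no bucket policy at all: certainly unprotected
        if not bucket_policy_requires_mfa_for_delete(doc, name):
            unprotected.append(name)
    return unprotected


# Constructed sample policies; bucket name and account ID are placeholders.
def sample_protected_policy(bucket_name="example-data-bucket"):
    return {"Version": "2012-10-17", "Statement": [mfa_delete_bucket_statement(bucket_name)]}


def sample_unprotected_policy(bucket_name="example-data-bucket"):
    # Grants read access only; nothing here restricts DeleteBucket.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket_name}/*",
    }]}


if __name__ == "__main__":
    print(json.dumps(sample_protected_policy(), indent=2))
    print(bucket_policy_requires_mfa_for_delete(sample_protected_policy(), "example-data-bucket"))
```

The checker deliberately requires `Principal: "*"`: a deny scoped to a single role still leaves every other principal with s3:DeleteBucket free to delete the bucket, so it does not count as the control.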
Question 157
A security engineer needs to detect when VPC route tables are modified to add routes directing traffic to unauthorized internet gateways or NAT gateways. Which solution provides this detection?
A) Use VPC Flow Logs to monitor routing changes
B) Use AWS Config with custom rules evaluating route table configurations for unauthorized routes
C) Manually review route tables monthly
D) Enable GuardDuty
Answer: B
Explanation:
Detecting unauthorized route table modifications requires continuous monitoring of route configurations identifying routes directing traffic through unapproved gateways. AWS Config provides configuration monitoring with custom rules capable of evaluating complex routing configurations against organizational policies.
AWS Config custom rules use Lambda functions to evaluate route table configurations. The Lambda function retrieves all routes in each route table, identifies routes with destination 0.0.0.0/0 (the default route), and checks whether target gateways are on approved lists. Routes directing traffic to unauthorized internet gateways or NAT gateways trigger non-compliance findings.
Config continuously evaluates route tables, detecting modifications immediately after they occur. When unauthorized routes are detected, Config generates compliance findings that trigger EventBridge rules for automated alerting or remediation. Lambda functions can automatically remove unauthorized routes, restoring proper routing configurations.
A) VPC Flow Logs capture network traffic but don’t monitor route table configurations. Flow logs show traffic that occurred but don’t detect configuration changes to routing. Flow logs are reactive rather than providing configuration monitoring.
B) This is the correct answer because Config custom rules continuously monitor route table configurations, rules evaluate routes to detect unauthorized gateway targets, Config detects route modifications immediately, and automated remediation can remove unauthorized routes.
C) Manual monthly review introduces 30-day windows where unauthorized routes direct traffic through unapproved gateways. During these periods, traffic could flow to unintended destinations. Manual processes don’t provide timely detection or scale across dynamic environments.
D) GuardDuty detects security threats through behavioral analysis but doesn’t monitor VPC route table configurations. GuardDuty focuses on detecting malicious activity rather than identifying configuration changes violating network policies.
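The route-table evaluation described above, as an added example (not code from the original page or from AWS). It extends the text slightly by also checking the IPv6 default route ::/0, and it skips blackhole routes because their target no longer exists and they forward nothing. The approved gateway IDs are assumed to arrive as a Config rule parameter named `approvedGatewayIds` (a name chosen here, not an AWS-defined one); all resource IDs in the sample are placeholders.

```python
"""Added example (not from the page): evaluation and remediation logic for a
change-triggered Config custom rule on VPC route tables. Default routes
(0.0.0.0/0, ::/0) must point at an approved gateway. The approved IDs are
assumed to come from the rule parameter `approvedGatewayIds` (chosen here)."""
import json

try:
    import boto3  # present in the Lambda runtime; not needed for the pure logic
except ImportError:  # pragma: no cover
    boto3 = None

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}
# Fields that can name a route's target in ec2:DescribeRouteTables output.
TARGET_FIELDS = ("GatewayId", "NatGatewayId", "TransitGatewayId", "EgressOnlyInternetGatewayId",
                 "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def route_destination(route):
    return route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")


def route_target(route):
    for field in TARGET_FIELDS:
        if route.get(field):
            return route[field]
    return None


def find_unauthorized_default_routes(route_table, approved_targets):
    """Return [(destination, target)] for default routes whose target is not approved.
    Blackhole routes are skipped: their target is gone and they forward nothing."""
    bad = []
    for route in route_table.get("Routes", []):
        dest = route_destination(route)
        if dest not in DEFAULT_DESTINATIONS or route.get("State") == "blackhole":
            continue
        target = route_target(route)
        if target not in approved_targets:
            bad.append((dest, target))
    return bad


def evaluate_route_table(route_table, approved_targets):
    bad = find_unauthorized_default_routes(route_table, approved_targets)
    return ("NON_COMPLIANT" if bad else "COMPLIANT"), bad


def parse_approved(rule_parameters_json):
    """Rule parameters arrive as a JSON string; the list is comma-separated."""
    params = json.loads(rule_parameters_json or "{}")
    return {g.strip() for g in params.get("approvedGatewayIds", "").split(",") if g.strip()}


def remove_unauthorized_default_routes(ec2, route_table_id, bad_routes):
    """Remediation: delete each offending default route (IPv4 and IPv6 use different kwargs)."""
    for dest, _target in bad_routes:
        key = "DestinationIpv6CidrBlock" if ":" in dest else "DestinationCidrBlock"
        ec2.delete_route(RouteTableId=route_table_id, **{key: dest})


def lambda_handler(event, context):
    approved = parse_approved(event.get("ruleParameters"))
    item = json.loads(event["invokingEvent"])["configurationItem"]
    rtb_id, captured = item["resourceId"], item["configurationItemCaptureTime"]
    config = boto3.client("config")
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, bad = "NOT_APPLICABLE", []
    else:
        # Re-describe through the EC2 API rather than parsing the CI body, so the
        # evaluation always sees the current routes in one well-known shape.
        ec2 = boto3.client("ec2")
        table = ec2.describe_route_tables(RouteTableIds=[rtb_id])["RouteTables"][0]
        compliance, bad = evaluate_route_table(table, approved)
    annotation = ("Unapproved default routes: " + "; ".join(f"{d} -> {t}" for d, t in bad)
                  if bad else "All default routes point at approved gateways")
    config.put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::EC2::RouteTable",
            "ComplianceResourceId": rtb_id,
            "ComplianceType": compliance,
            "Annotation": annotation[:256],
            "OrderingTimestamp": captured,
        }],
        ResultToken=event["resultToken"],
    )


# Constructed sample: every ID below is a placeholder, not a real resource.
APPROVED_SAMPLE = {"igw-0approved000000001", "nat-0approved000000002"}


def sample_route_table():
    return {"RouteTableId": "rtb-0sample0000000001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0rogue00000000003", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0approved000000001", "State": "active"},
    ]}


if __name__ == "__main__":
    print(evaluate_route_table(sample_route_table(), APPROVED_SAMPLE))
```

Automatic deletion of a default route is disruptive, so in practice the remediation function is usually wired behind a Systems Manager Automation document or an approval step rather than run unconditionally from the evaluator.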
Question 158
An organization requires that AWS Lambda functions in production accounts cannot access AWS Systems Manager Parameter Store parameters from development accounts. Which solution enforces this?
A) Use separate AWS accounts for production and development with no cross-account access
B) Use IAM policies with conditions preventing production Lambda execution roles from accessing parameters with development paths or from development account IDs
C) Delete all development parameters
D) Enable Parameter Store encryption
Answer: B
Explanation:
Preventing cross-environment parameter access requires IAM policies that evaluate parameter locations and enforce environment-based access restrictions. Parameter Store supports hierarchical parameter organization enabling path-based access control. IAM policies with conditions can restrict access based on parameter paths or source account context.
IAM policies for production Lambda execution roles can include conditions based on ssm:ResourceTag or on parameter paths. Policies deny GetParameter and GetParameters actions when parameters are located in development paths (e.g., /dev/*) or when the request targets parameters in development account IDs through cross-account references.
The aws:ResourceAccount condition key evaluates which account owns the parameter being accessed. Policies deny parameter access when the resource account doesn’t match the production account ID. This prevents Lambda functions from accessing parameters in other accounts, enforcing environment isolation at the authorization layer.
A) Using separate accounts provides isolation but doesn’t prevent cross-account access if cross-account IAM roles or resource-based policies are configured. Account separation alone is insufficient without IAM policies explicitly denying cross-account parameter access.
B) This is the correct answer because IAM policies can restrict parameter access based on parameter paths and account IDs, conditions evaluate parameter locations to enforce environment boundaries, policies deny production Lambda access to development parameters, and this enforces environment isolation for configuration data.
C) Deleting development parameters eliminates legitimate development environment functionality. The requirement is to prevent production functions from accessing development parameters, not to eliminate development parameters entirely. Separate environments should maintain their own parameters.
D) Parameter Store encryption protects parameter values at rest but doesn’t control which Lambda functions can access which parameters. Encryption addresses data confidentiality but not access control or environment-based segmentation.
Question 159
A company must implement automated incident response that creates forensic AMIs from EC2 instances when security incidents are detected. Which solution implements this?
A) Manually create AMIs during incidents
B) Use GuardDuty findings with EventBridge to trigger Lambda functions that create AMIs from affected instances
C) Enable automated backups for all instances
D) Use Systems Manager for instance management
Answer: B
Explanation:
Automated forensic evidence collection requires detecting security incidents and immediately creating instance images for investigation. GuardDuty identifies compromised or suspicious instances, while EventBridge enables event-driven automation connecting findings to response actions. Lambda functions orchestrate AMI creation for forensic preservation.
When GuardDuty detects incidents like backdoor installation, cryptocurrency mining, or unusual API activity from instances, EventBridge rules match specific finding types and trigger Lambda functions. The Lambda function extracts instance details from findings, stops the instance to ensure consistent state, creates an AMI capturing the complete instance configuration and data, and tags the AMI with incident metadata.
Forensic AMIs preserve complete instance state including operating system, applications, logs, and data for detailed investigation. Security teams launch forensic instances from AMIs in isolated environments for analysis without affecting production or alerting attackers. Automated AMI creation ensures evidence preservation before attackers can destroy it.
A) Manual AMI creation during incidents introduces delays allowing attackers time to destroy evidence or continue malicious activities. Manual processes require human availability and may not capture instance state before modifications occur. Automated response ensures immediate evidence preservation.
B) This is the correct answer because GuardDuty detects security incidents on EC2 instances, EventBridge triggers automated response to findings, Lambda functions create AMIs preserving instance state for forensics, and automation ensures rapid evidence collection before attackers can interfere.
C) Automated backups provide disaster recovery capabilities but don’t trigger incident-specific forensic collection. Backup schedules may not align with incident timing, potentially missing critical evidence. Backups address availability rather than security incident response.
D) Systems Manager provides instance management capabilities but doesn’t automatically detect security incidents or trigger forensic AMI creation. Systems Manager can be used within incident response workflows but requires integration with threat detection services like GuardDuty.
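The Lambda side of the GuardDuty, EventBridge and AMI pipeline described above, as an added example (not code from the original page or from AWS). Event parsing, filtering and naming are pure functions exercised on a constructed finding event; the AWS calls sit in `lambda_handler`. The EventBridge pattern, the severity threshold and the tag keys are choices made here, the instance and finding IDs are placeholders, and the finding type in the sample is a real GuardDuty type name for the cryptocurrency-mining case the text mentions.

```python
"""Added example (not from the page): the Lambda behind a GuardDuty ->
EventBridge -> forensic-AMI pipeline. Parsing and naming are pure functions
run on a constructed event; AWS calls live in lambda_handler. The rule
pattern, severity threshold and tag keys are choices made here."""
from datetime import datetime, timezone

try:
    import boto3  # present in the Lambda runtime; not needed for the pure logic
except ImportError:  # pragma: no cover
    boto3 = None

MIN_SEVERITY = 7.0  # GuardDuty "High" severity begins at 7.0


def eventbridge_rule_pattern(min_severity=MIN_SEVERITY):
    """Match only EC2-instance findings at or above the severity threshold."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {
            "resource": {"resourceType": ["Instance"]},
            "severity": [{"numeric": [">=", min_severity]}],
        },
    }


def extract_incident(event):
    """Pull the fields the response needs out of a GuardDuty finding event."""
    detail = event["detail"]
    return {
        "finding_id": detail["id"],
        "finding_type": detail["type"],
        "severity": float(detail["severity"]),
        "account_id": detail["accountId"],
        "region": detail["region"],
        "instance_id": detail["resource"]["instanceDetails"]["instanceId"],
    }


def should_respond(event, min_severity=MIN_SEVERITY):
    """Defence in depth: re-check the rule's filter in code in case the rule is loosened."""
    detail = event.get("detail", {})
    return (detail.get("resource", {}).get("resourceType") == "Instance"
            and float(detail.get("severity", 0)) >= min_severity)


def ami_name(instance_id, when):
    """AMI names allow letters, digits, spaces and ()[]./-'@_ and must be 3-128 chars."""
    return f"forensic-{instance_id}-{when:%Y%m%dT%H%M%SZ}"


def forensic_tags(incident, when):
    """Chain-of-custody metadata carried on the image and its snapshots."""
    return [
        {"Key": "Purpose", "Value": "forensics"},
        {"Key": "SourceInstanceId", "Value": incident["instance_id"]},
        {"Key": "GuardDutyFindingId", "Value": incident["finding_id"]},
        {"Key": "GuardDutyFindingType", "Value": incident["finding_type"]},
        {"Key": "CapturedAt", "Value": when.isoformat()},
    ]


def lambda_handler(event, context):
    if not should_respond(event):
        return {"status": "ignored"}
    incident = extract_incident(event)
    when = datetime.now(timezone.utc)
    iid = incident["instance_id"]
    ec2 = boto3.client("ec2", region_name=incident["region"])
    # Stop first so the image is a consistent capture of disk state, then image
    # the root and attached EBS volumes and tag both the AMI and its snapshots.
    ec2.stop_instances(InstanceIds=[iid])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[iid])
    image = ec2.create_image(
        InstanceId=iid,
        Name=ami_name(iid, when),
        Description=f"Forensic capture for GuardDuty finding {incident['finding_id']}",
        TagSpecifications=[{"ResourceType": rt, "Tags": forensic_tags(incident, when)}
                           for rt in ("image", "snapshot")],
    )
    ec2.create_tags(Resources=[iid], Tags=[{"Key": "ForensicImageId", "Value": image["ImageId"]}])
    return {"status": "captured", "image_id": image["ImageId"], **incident}


# Constructed sample event in the EventBridge shape for a GuardDuty finding.
# IDs are placeholders; the finding type is a real GuardDuty type name.
SAMPLE_WHEN = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def sample_event():
    return {
        "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
            "id": "00example000000000000000000finding",
            "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
            "severity": 8,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        },
    }


if __name__ == "__main__":
    print(extract_incident(sample_event()), ami_name("i-0123456789abcdef0", SAMPLE_WHEN))
```

Two operational caveats: the stop-and-wait step can take minutes, so the function needs a timeout well above the default, and stopping the instance discards volatile memory, so if memory evidence matters it has to be acquired before this step runs.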
Question 160
A security team needs to ensure that Amazon RDS database snapshots are shared only with specific approved AWS accounts and never made public. Which solution enforces this?
A) Manually review snapshot sharing settings monthly
B) Use IAM policies denying ModifyDBSnapshotAttribute unless target account IDs match an approved list
C) Enable RDS encryption
D) Use AWS Config to detect public snapshots
Answer: B
Explanation:
Controlling RDS snapshot sharing requires evaluating share targets during snapshot attribute modification. IAM policies can assess target account IDs in ModifyDBSnapshotAttribute requests, allowing shares only to approved accounts while blocking public sharing or unauthorized account sharing.
IAM policies use the rds:SharedAccount or request parameter conditions to evaluate account IDs specified in snapshot sharing operations. Policies explicitly deny ModifyDBSnapshotAttribute actions when a target account ID is not on an approved allowlist or when the snapshot is being made public (indicated by the “all” value for snapshot sharing).
Service Control Policies can enforce these restrictions organization-wide, ensuring all accounts comply with snapshot sharing policies. SCPs prevent even account administrators from sharing snapshots with unauthorized accounts or making them public. This provides strong preventive controls protecting sensitive database data from exposure.
A) Manual monthly review is reactive and introduces 30-day windows where snapshots could be shared inappropriately. Database snapshots could expose sensitive data to unauthorized accounts during these periods. Manual processes don’t prevent unauthorized sharing at the time it’s attempted.
B) This is the correct answer because IAM policies evaluate target account IDs in snapshot sharing operations, policies deny sharing to non-approved accounts and public sharing, preventive controls block unauthorized sharing at the authorization layer, and SCPs enable organization-wide enforcement.
C) RDS encryption protects snapshot data at rest but doesn’t control sharing permissions. Encrypted snapshots can still be shared with unauthorized accounts if users have appropriate permissions. Encryption and sharing controls address different security concerns.
D) AWS Config detects public or inappropriately shared snapshots after sharing occurs, but this is reactive. Snapshots would be exposed before detection and remediation. Preventive controls blocking unauthorized sharing are more effective than detective controls.