In the world of cloud computing, security is paramount. The AWS Certified Security – Specialty (SCS-C02) certification validates your expertise in securing the AWS platform. This exam is for professionals who can design and implement robust security solutions, manage identity and access control, and respond to incidents. To demonstrate your mastery, you must be prepared for complex security scenarios, and our SCS-C02 mock test is the key to your success.
Our comprehensive practice exam is a full-length simulation of the SCS-C02 test, with questions covering all critical domains like Threat Detection and Incident Response, Security Logging and Monitoring, and Identity and Access Management. By taking our AWS Security Specialty practice exam, you will test your knowledge of AWS services like IAM, GuardDuty, AWS WAF, KMS, and AWS Organizations. The detailed explanations provided for each question will deepen your understanding of how to build a layered security defense, automate threat response, and maintain compliance in the cloud.
Passing the SCS-C02 exam means you are a trusted security expert on AWS. This requires a deep, practical understanding of security principles and services. Our mock test provides the realistic practice you need to identify your weak spots, build confidence, and master the skills required to pass. Take a proactive step in your career and start preparing with our SCS-C02 practice exam today.
Always consult the official AWS SCS-C02 Exam Guide for the most current and detailed information.
This is a timed quiz. You will be given 10200 seconds to answer all questions. Are you ready?
A company needs to automatically patch its fleet of Windows EC2 instances for operating system vulnerabilities. The patching process should occur during a specific maintenance window and provide detailed compliance reporting. Which service should be used?
AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates. You can define patching baselines, schedule patching to occur during maintenance windows, and get detailed reports on the patch compliance status of your fleet.
A security policy requires that the root EBS volume of all EC2 instances is encrypted. What is the most straightforward way to ensure this for all future instance launches from a specific AMI?
The simplest way to ensure the root volume is always encrypted is to create a new, encrypted AMI from the original. You can launch an instance from the original AMI, create a snapshot of its root volume, copy that snapshot while enabling encryption, and then create a new AMI from the encrypted snapshot. All instances launched from this new AMI will have an encrypted root volume by default.
A web application uses Amazon Cognito for user authentication. The application needs to access objects in an S3 bucket on behalf of the authenticated user. Each user should only have access to their own folder within the bucket (e.g., `s3://my-bucket/private/${cognito-identity.amazonaws.com:sub}/`). How can this be configured securely?
Cognito Identity Pools can provide temporary AWS credentials to authenticated users. The IAM role associated with the authenticated identity pool can have a policy that uses Cognito-specific policy variables, such as `${cognito-identity.amazonaws.com:sub}`. This variable resolves to the user's unique identifier, allowing you to create fine-grained policies that restrict access to user-specific prefixes in S3.
A company has federated their on-premises Active Directory with AWS using AD FS and SAML 2.0. When a user federates into the AWS Management Console, what does AWS STS provide them with?
In a SAML 2.0 federation scenario, the user authenticates with their on-premises identity provider (IdP), like AD FS. The IdP then sends a SAML assertion to AWS. The user's browser posts the assertion to the AWS sign-in endpoint, which calls the `AssumeRoleWithSAML` action in AWS Security Token Service (STS). STS verifies the assertion, and if valid, returns temporary security credentials that allow the user to access the AWS console with the permissions of the assumed IAM role.
A company wants to provide its remote workforce with secure access to applications hosted in a VPC. The solution should be a fully managed service that uses a client-based VPN approach. Which service should be used?
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can configure access control rules based on Active Directory or certificate-based authentication and security groups.
A serverless application uses an AWS Lambda function to process sensitive data stored in Amazon S3. The data must be encrypted at rest in S3 and in transit between S3 and Lambda. A security policy requires that the company controls the cryptographic keys and can audit their usage. Which combination of services and features provides the most secure solution?
Using SSE-KMS allows you to encrypt data in S3 using a customer master key (CMK) that you manage in AWS Key Management Service (KMS). This gives you control over the key and its access policies. CloudTrail integration with KMS provides detailed audit logs of every time the key is used. Using HTTPS for all communication ensures data is encrypted in transit. VPC endpoints for S3 provide a private, secure connection.
A company wants to create a dashboard to visualize AWS WAF logs, showing the top-10 blocked IP addresses and the most frequently triggered WAF rules. The logs should be available for analysis in near-real time. How can this be achieved?
AWS WAF can be configured to send its logs to an Amazon Kinesis Data Firehose delivery stream. This Firehose stream can then be pointed to an Amazon OpenSearch Service (formerly Elasticsearch Service) domain. OpenSearch Dashboards (formerly Kibana), which is part of the OpenSearch Service, can then be used to create powerful, near-real-time visualizations and dashboards from the WAF log data.
To secure an Application Load Balancer, a security engineer needs to ensure that it only accepts traffic encrypted with modern and secure TLS protocols and ciphers. Which ALB feature should be configured?
ALB Listeners have a Security Policy setting that controls the protocols and ciphers the load balancer uses to negotiate TLS connections with clients. AWS provides predefined security policies with different combinations of protocols and ciphers. Choosing a modern policy like `ELBSecurityPolicy-TLS-1-2-Ext-2018-06` ensures strong encryption.
A security team detects suspicious API activity originating from a compromised IAM user's credentials. The immediate goal is to prevent the compromised credentials from being used for any further actions in the AWS account. What is the fastest and most effective way to achieve this?
Attaching the `AWSDenyAll` managed policy to the compromised IAM user is the quickest and most direct way to revoke all permissions. This policy explicitly denies all actions on all resources, immediately locking down the user's credentials and preventing any further malicious activity while the security team investigates.
A security engineer is designing a VPC network. They need to implement a stateless firewall at the subnet level to filter traffic. Which VPC component should they use?
Network Access Control Lists (NACLs) act as a firewall for controlling traffic in and out of one or more subnets. NACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). They provide a secondary layer of defense for your VPC.
A company's web application is protected by AWS WAF. The security team wants to be alerted every time the WAF blocks more than 100 requests in a 5-minute period. How should this alert be configured?
AWS WAF publishes metrics to Amazon CloudWatch, including a `BlockedRequests` metric for each web ACL. A CloudWatch alarm can be created on this metric. By setting the period to 5 minutes and the threshold to 100, the alarm will enter the `ALARM` state if the sum of blocked requests in that period exceeds 100. The alarm's action can be configured to publish a notification to an SNS topic.
To meet compliance requirements, a security engineer must prove that the AWS CloudTrail log files stored in S3 have not been altered since they were delivered by CloudTrail. Which CloudTrail feature provides this assurance?
CloudTrail log file validation is a feature that creates a digitally signed digest file containing a hash of each log file. These digest files can be used to mathematically verify that the log files have not been modified or tampered with after being delivered to your S3 bucket, ensuring their integrity for audit and forensic purposes.
What is the purpose of an IAM permission boundary?
A permission boundary is an advanced IAM feature that sets the maximum permissions that an identity-based policy can grant to an IAM entity. It does not grant permissions on its own. An entity's effective permissions are the intersection of its identity-based policies and its permission boundary. It's used to safely delegate permissions management to others.
A company needs to store application secrets, such as database credentials and API keys, securely. The secrets need to be rotated automatically every 90 days without any manual intervention or application code changes. The application runs on Amazon ECS. Which service is designed to handle this entire lifecycle?
AWS Secrets Manager is the purpose-built service for managing the lifecycle of secrets. It securely stores secrets and, for supported services like RDS, can automatically rotate them on a defined schedule using an integrated Lambda function. Applications can then retrieve the current version of the secret at runtime. This removes hardcoded credentials and automates the rotation process securely.
A company wants to programmatically manage firewall rules for AWS WAF, AWS Shield Advanced, and VPC security groups across multiple accounts from a central administrator account. Which service is designed for this centralized management?
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. With Firewall Manager, you can deploy and monitor rules for AWS WAF, AWS Shield Advanced, VPC security groups, AWS Network Firewall, and Route 53 Resolver DNS Firewall.
A security engineer is reviewing a KMS key policy. What is the purpose of the `kms:ViaService` condition key?
The `kms:ViaService` condition key is a powerful security control. It allows you to restrict the use of a KMS key to requests that originate from a specific AWS service (e.g., `s3.us-east-1.amazonaws.com`). This prevents direct use of the key by IAM users or roles for arbitrary encryption/decryption, ensuring the key is only used in the context of the integrated service it's intended for, like SSE-KMS for S3.
An application running on an EC2 instance needs to access an Amazon S3 bucket. According to the principle of least privilege, what is the most secure way to grant these permissions?
IAM roles for EC2 are the most secure way to grant permissions to applications running on instances. You create an IAM role with the specific permissions needed (e.g., `s3:GetObject` for a specific bucket), and then attach that role to the EC2 instance. The application can then use the AWS SDK, which automatically retrieves temporary credentials from the instance metadata service. This avoids storing long-term credentials (like access keys) on the instance.
A security administrator wants to track every configuration change made to a specific DynamoDB table, such as changes to its provisioned throughput or TTL settings. They need a continuous record of these changes over time. Which service provides this capability?
AWS Config is designed to continuously monitor and record your AWS resource configurations. It can track changes to supported resources, like a DynamoDB table, and maintain a detailed history of every change. This history can be reviewed for audit, compliance, and troubleshooting purposes.
A stateful firewall at the instance level is required to control traffic to a group of EC2 instances. What AWS component provides this functionality?
Security Groups act as a virtual stateful firewall for your EC2 instances to control inbound and outbound traffic. Being stateful means that if you allow an inbound request, the outbound response is automatically allowed, regardless of outbound rules. They operate at the instance level.
A company needs to ensure that all new EC2 instances launched in their AWS account are from a list of pre-approved, hardened AMIs. Any attempt to launch an instance from an unapproved AMI must be blocked. The solution must be enforced across the entire account. Which governance mechanism is most effective?
A Service Control Policy (SCP) is the ideal tool for enforcing preventative controls across an AWS Organization or a single account. By creating an SCP with a `Deny` effect on the `ec2:RunInstances` action and adding a condition that checks if the AMI ID (`ec2:ImageID`) is NOT in the approved list, you can effectively block any non-compliant launch attempts. This policy cannot be overridden by IAM users or roles within the account.
A developer needs to provide temporary, limited-privilege access to a specific object in an S3 bucket for an external user. The access should expire after 15 minutes. What is the most secure and appropriate method to grant this access?
S3 pre-signed URLs are the perfect solution for granting temporary access to a specific object. You can generate a URL using your own security credentials, programmatically specifying the object, the allowed action (e.g., GET or PUT), and an expiration time. Anyone who has the URL can then access the object with the specified permissions until it expires. This avoids creating temporary IAM users or modifying bucket policies.
A company wants to use a dedicated, hardware-based key storage solution to manage their AWS KMS keys for maximum security and control. They want to own and manage the hardware security modules (HSMs). Which AWS service or feature should they use?
AWS CloudHSM provides hardware security modules (HSMs) in the AWS cloud. You get dedicated, FIPS 140-2 Level 3 validated HSMs that you control. You can create a custom key store in AWS KMS that is backed by your CloudHSM cluster. This allows you to use the familiar KMS API while ensuring the cryptographic key material is stored and used exclusively within HSMs that you manage.
An organization needs to provide private, secure access from their VPC to several AWS services, including Amazon S3 and DynamoDB, without the traffic traversing the public internet. The solution must be highly available and scalable. Which VPC feature should be implemented?
VPC endpoints provide private connectivity to supported AWS services. Gateway endpoints are used for S3 and DynamoDB, creating a target for a route in your VPC route table. Interface endpoints (powered by AWS PrivateLink) are used for most other services, creating an elastic network interface in your subnet. Both types ensure that traffic between your VPC and the AWS service does not leave the Amazon network, enhancing security and reliability.
A security team wants to detect if sensitive data, such as personally identifiable information (PII), is being stored insecurely in Amazon S3 buckets across their organization. The solution must be automated and provide detailed findings. Which service is designed for this purpose?
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in Amazon S3. It can automatically identify PII, financial data, and other sensitive information, providing detailed findings and security assessments.
What is the primary difference between server-side encryption with S3-managed keys (SSE-S3) and server-side encryption with KMS-managed keys (SSE-KMS)?
The primary difference lies in key management and control. With SSE-S3, Amazon S3 manages the entire encryption process, including the keys. With SSE-KMS, you use AWS Key Management Service (KMS) to manage your keys. This provides centralized control, auditable key usage (via CloudTrail), and the ability to create and manage customer-managed CMKs with your own key policies, offering a higher level of security and governance.
A security team needs to capture detailed information about the traffic going to and from a specific EC2 instance's network interface, including accepted and rejected traffic. This information will be used for troubleshooting a security group issue. Which feature should be enabled?
VPC Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC. It can be configured to capture all traffic, or just accepted or rejected traffic. The logs provide details like source/destination IPs, ports, and the action (ACCEPT or REJECT), making them invaluable for troubleshooting security group and network ACL issues.
A security architect is designing a solution to prevent accidental exposure of sensitive data in S3. The requirement is to block all public access to all S3 buckets, both current and future, at the entire account level. Which feature provides the most comprehensive enforcement?
S3 Block Public Access is a feature that provides account-level and bucket-level settings to override and block any public access permissions. By enabling all four settings at the account level (Block all new public bucket policies, Block public and cross-account access if bucket has public policies, Block new public ACLs, Block public and cross-account access through public ACLs), you create a powerful, account-wide guardrail against accidental data exposure.
A security engineer must regularly scan a fleet of EC2 instances for software vulnerabilities and unintended network exposure. The process must be automated and provide prioritized findings. Which service should be used?
Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It automatically discovers running EC2 instances and container images in ECR, scans them, and produces prioritized findings based on severity, helping teams focus on the most critical issues.
A company needs to securely manage SSL/TLS certificates for its public-facing web applications hosted on an Application Load Balancer and a CloudFront distribution. The solution should handle automatic certificate renewal. Which service is designed for this?
AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services. Public certificates provided by ACM are free and can be automatically renewed by ACM as long as they are associated with an integrated service like ELB or CloudFront, simplifying certificate management.
An application is experiencing a DDoS attack. Amazon GuardDuty has generated findings related to the attack. A security engineer needs to automatically block the malicious source IP addresses at the edge. Which combination of services provides the most effective automated response?
This architecture provides a robust, automated response to DDoS attacks. GuardDuty detects the malicious activity. EventBridge captures the finding and triggers a Lambda function. The Lambda function extracts the malicious IP addresses and adds them to an AWS WAF IP set. AWS WAF, associated with the Application Load Balancer or CloudFront distribution, then blocks all requests from these IPs at the edge, protecting the application.
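As an added example (not code from this page or from AWS), here is the Lambda side of the GuardDuty to EventBridge to Lambda to WAF chain described above, in Python. It reads the remote peers out of a constructed GuardDuty finding, drops anything non-routable, normalises the rest to /32 CIDRs and merges them into a WAFv2 IP set through a read-modify-write guarded by the set's LockToken. The IP set name and id in `handler()` are placeholders, and boto3 is assumed only inside `update_ip_set()`, so the extraction and filtering logic runs offline.

```python
"""Added example: Lambda-style handler that turns a GuardDuty finding, as delivered
by EventBridge, into AWS WAF IP-set entries. Only update_ip_set() touches AWS;
everything else runs offline."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Constructed GuardDuty finding (trimmed to the fields this code reads).
# 10.0.0.8 is included to show that non-routable peers are filtered out,
# and 203.0.113.5 appears twice to show de-duplication.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "service": {
            "action": {
                "portProbeAction": {
                    "portProbeDetails": [
                        {"localPortDetails": {"port": 22},
                         "remoteIpDetails": {"ipAddressV4": "203.0.113.5"}},
                        {"localPortDetails": {"port": 3389},
                         "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                        {"localPortDetails": {"port": 80},
                         "remoteIpDetails": {"ipAddressV4": "203.0.113.5"}},
                        {"localPortDetails": {"port": 80},
                         "remoteIpDetails": {"ipAddressV4": "10.0.0.8"}},
                    ]
                }
            }
        },
    },
}

# Address ranges that must never be pushed to an edge blocklist from a finding.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def extract_remote_ips(event: Dict) -> Set[str]:
    """Collect remote IPv4 peers from the action types GuardDuty findings carry."""
    action = event.get("detail", {}).get("service", {}).get("action", {})
    found: Set[str] = set()
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            found.add(ip)
    for key in ("networkConnectionAction", "awsApiCallAction", "dnsRequestAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            found.add(ip)
    return found


def to_ip_set_entries(ips: Iterable[str]) -> List[str]:
    """WAF IP sets hold CIDRs; keep only well-formed, routable IPv4 addresses as /32s."""
    entries = []
    for ip in set(ips):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # malformed or IPv6: skip rather than fail the whole update
        if any(addr in net for net in NON_ROUTABLE):
            continue
        entries.append(f"{addr}/32")
    return sorted(entries)


def merge_entries(existing: Iterable[str], new: Iterable[str]) -> List[str]:
    """Union with the current IP-set contents so earlier blocks are not overwritten."""
    return sorted(set(existing) | set(new))


def update_ip_set(name: str, ip_set_id: str, scope: str, entries: List[str]) -> List[str]:
    """Read-modify-write on the WAFv2 IP set using its LockToken (boto3 assumed in the runtime)."""
    import boto3  # imported here so the rest of the module runs without it
    waf = boto3.client("wafv2")  # Scope "CLOUDFRONT" requires a us-east-1 client
    current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    merged = merge_entries(current["IPSet"]["Addresses"], entries)
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                      Addresses=merged, LockToken=current["LockToken"])
    return merged


def handler(event: Dict, context=None,
            updater: Callable[[str, str, str, List[str]], List[str]] = update_ip_set) -> Dict:
    """Lambda entry point; the IP-set name and id are placeholders for your own."""
    entries = to_ip_set_entries(extract_remote_ips(event))
    if entries:
        updater("guardduty-blocklist", "IP_SET_ID_PLACEHOLDER", "REGIONAL", entries)
    return {"blocked": entries}


if __name__ == "__main__":
    # Dry run: show what would be pushed without calling AWS.
    print(handler(SAMPLE_EVENT, updater=lambda *args: args[3]))
```

The `updater` parameter exists so the handler can be exercised with a stub; in the deployed function the default `update_ip_set` is used. Merging with the set's current contents matters because `UpdateIPSet` replaces the whole address list, and the LockToken makes concurrent invocations fail safely instead of silently dropping each other's entries.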
A security team needs to query two years' worth of CloudTrail logs stored in S3 to find all API calls made by a specific IAM role. The queries will be infrequent. What is the most cost-effective method to perform this analysis?
Amazon Athena is a serverless query service that is ideal for analyzing large datasets in S3, like CloudTrail logs, using standard SQL. Because it is serverless and you pay per query, it is extremely cost-effective for infrequent analysis compared to provisioning a dedicated data warehouse like Redshift. An external table can be created in the AWS Glue Data Catalog pointing to the S3 location of the logs.
A security engineer needs to analyze VPC Flow Logs to identify which specific TCP port on an EC2 instance is receiving the most traffic from a specific source IP address. The default VPC Flow Log format is enabled. What must the engineer do to get this level of detail?
The default VPC Flow Log format is limited. A custom format must be created to include detailed fields like `pkt-srcaddr` and `pkt-dstaddr` for packet-level analysis. To query this large volume of data efficiently, it should be published to Amazon S3 and analyzed using Amazon Athena, which allows for complex SQL-based queries on the log data.
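An added example, not from the page, that parses a constructed custom-format flow log (a header line naming the fields, followed by records) and answers both of the questions above in Python: which (source, port) pairs an interface is rejecting, which is what you look at when troubleshooting a security group, and which destination port receives the most bytes from a given original source. It uses `pkt-srcaddr` when present so that traffic that passed through an intermediate hop is attributed to its real origin rather than the hop's address. The interface id, addresses and byte counts are constructed.

```python
"""Added example: parse custom-format VPC Flow Log records and aggregate them
by rejected (source, port) pairs and by bytes per destination port from a source."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample. The first line names the fields in the order used; the
# fifth record has an intermediate hop (10.0.0.5) in srcaddr while pkt-srcaddr
# carries the original client, which is why the custom field matters.
SAMPLE_LOG = """\
version interface-id srcaddr dstaddr srcport dstport protocol packets bytes action pkt-srcaddr pkt-dstaddr
2 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51000 443 6 20 4800 ACCEPT 203.0.113.10 10.0.1.25
2 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51001 443 6 30 9000 ACCEPT 203.0.113.10 10.0.1.25
2 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51002 22 6 5 600 REJECT 203.0.113.10 10.0.1.25
2 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51003 8080 6 8 1200 ACCEPT 203.0.113.10 10.0.1.25
2 eni-0a1b2c3d 10.0.0.5 10.0.1.25 46000 443 6 10 2500 ACCEPT 203.0.113.10 10.0.1.25
2 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 3389 6 3 240 REJECT 198.51.100.7 10.0.1.25
2 eni-0a1b2c3d 10.0.2.9 10.0.1.25 45000 443 6 12 3100 ACCEPT 10.0.2.9 10.0.1.25
"""

# Fields that are numeric when present ("-" means not recorded, e.g. NODATA lines).
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes"}


def parse_flow_log(text: str) -> List[Dict[str, object]]:
    """Turn a header line plus space-separated records into dicts keyed by field name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    records: List[Dict[str, object]] = []
    for ln in lines[1:]:
        values = ln.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-align fields
        rec: Dict[str, object] = dict(zip(fields, values))
        for f in INT_FIELDS:
            if f in rec and rec[f] != "-":
                rec[f] = int(rec[f])
        records.append(rec)
    return records


def original_source(rec: Dict[str, object]) -> str:
    """Prefer the packet-level source; fall back to srcaddr when it is absent."""
    pkt = rec.get("pkt-srcaddr")
    return str(pkt) if pkt and pkt != "-" else str(rec["srcaddr"])


def top_ports_from_source(records: List[Dict[str, object]], src_ip: str,
                          action: Optional[str] = None) -> List[Tuple[int, int]]:
    """(dstport, total bytes) pairs from src_ip, busiest first; action filters ACCEPT/REJECT."""
    totals: Counter = Counter()
    for rec in records:
        if original_source(rec) != src_ip:
            continue
        if action and rec["action"] != action:
            continue
        totals[rec["dstport"]] += rec["bytes"]
    return totals.most_common()


def rejected_pairs(records: List[Dict[str, object]], interface_id: str) -> Counter:
    """Count REJECT records per (srcaddr, dstport) on one interface."""
    rejects: Counter = Counter()
    for rec in records:
        if rec["interface-id"] == interface_id and rec["action"] == "REJECT":
            rejects[(rec["srcaddr"], rec["dstport"])] += 1
    return rejects


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("busiest ports from 203.0.113.10:", top_ports_from_source(recs, "203.0.113.10"))
    print("rejected on eni-0a1b2c3d:", rejected_pairs(recs, "eni-0a1b2c3d"))
```

At production volumes the same aggregation is what the Athena query over the S3-delivered logs does (`SUM(bytes) ... GROUP BY dstport`); the parser above is useful for spot-checking a handful of records or for a Lambda that tails a CloudWatch Logs subscription.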
During an incident investigation, a security analyst needs to visualize and analyze the relationships and interactions between AWS resources to quickly determine the root cause of a GuardDuty finding. For example, they need to see all API calls made by a specific IAM role and the resources accessed. Which service is designed for this type of investigation?
Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. It helps you analyze and visualize security data to quickly get to the root cause of a finding.
A security policy mandates that all data stored in Amazon EBS volumes must be encrypted. The solution must be transparent to the applications running on the EC2 instances and should be enabled by default for all new volumes created in the account. What is the simplest way to enforce this?
AWS provides an account-level setting to enforce EBS encryption by default. When this feature is enabled in a specific region, all new EBS volumes and snapshot copies created in that region are automatically encrypted using the specified KMS key (either the AWS managed key or a customer-managed key). This is transparent to the EC2 instances and enforces the policy without any user intervention.
A company is deploying a three-tier web application in a VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. However, the application tier needs to download software updates from the internet. What is the most secure network design for the application tier?
Placing the application tier in a private subnet ensures it is not directly accessible from the internet. A NAT gateway, placed in a public subnet, provides instances in a private subnet with outbound-only internet access. This allows the application servers to download updates without exposing them to inbound internet traffic.
A company has a web application hosted on Amazon EC2 instances behind an Application Load Balancer. They need to protect the application from common web exploits like SQL injection and cross-site scripting (XSS). Which service should be used?
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. It can be integrated directly with Application Load Balancers, Amazon CloudFront, and API Gateway.
A company hosts multiple applications in different VPCs. They want to provide a single, managed DNS firewall to filter outbound DNS queries from all VPCs to block access to malicious domains. The solution must be centralized and easy to manage. Which service should be used?
Route 53 Resolver DNS Firewall allows you to filter and control outbound DNS traffic for your VPCs. You can create rule groups with lists of allowed or blocked domains and associate these rule groups with your VPCs. This provides a centralized, managed way to prevent resources from accessing known malicious domains.
A security team wants to monitor DNS queries made by EC2 instances in their VPCs to detect potential data exfiltration or communication with malicious domains. They need a solution that logs all DNS queries without requiring any software to be installed on the instances. Which service should they use?
Route 53 Resolver Query Logging is a feature that allows you to log all DNS queries made by resources within your VPCs. You can configure it to send logs to CloudWatch Logs, S3, or Kinesis Data Firehose. This provides visibility into DNS activity without needing to install agents on individual instances, helping to detect malicious activity.
A company wants to provision standardized, pre-approved IT products for its end users. For example, they want to offer a 'WordPress Server' product that deploys a specific EC2 instance type with pre-configured security groups. The solution should enforce tagging and other governance constraints. Which service should be used?
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These services can be anything from virtual machine images and servers to software and databases. It helps you achieve consistent governance and meet your compliance requirements while enabling users to quickly deploy only the approved IT services they need.
A company needs to be alerted whenever a user tries to perform a sensitive action (e.g., `iam:CreateUser`) without being authenticated with MFA. How can this specific event be monitored and alerted on?
AWS CloudTrail captures the API call, and the event record contains details about the authentication context, including whether MFA was used (`"mfaAuthenticated": "false"`). An Amazon EventBridge (CloudWatch Events) rule can be configured with an event pattern that specifically matches the `iam:CreateUser` event name and the condition where `mfaAuthenticated` is false. This rule can then trigger an SNS topic to send an immediate alert.
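As an added example, not part of the page, the following Python reimplements the subset of EventBridge pattern matching the rule above needs and runs it over constructed CloudTrail events. CloudTrail records the action as `eventName` `CreateUser` with `source` `aws.iam`, so that is what the pattern keys on. A second pattern covers calls signed with long-term access keys, where CloudTrail records no `sessionContext` at all and a match on `"mfaAuthenticated": ["false"]` alone would miss them. The user names and events are constructed.

```python
"""Added example: the subset of EventBridge event-pattern matching needed for an
"iam:CreateUser without MFA" rule, exercised against constructed CloudTrail events."""
from typing import Any, Dict, List

# Constructed events in the shape EventBridge delivers for "AWS API Call via
# CloudTrail"; only the fields the patterns look at are kept.
EVENTS: List[Dict[str, Any]] = [
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateUser",
                "userIdentity": {"type": "IAMUser", "userName": "alice",
                                 "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateUser",
                "userIdentity": {"type": "IAMUser", "userName": "bob",
                                 "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}},
    # Long-term access keys, no session: CloudTrail records no sessionContext at all.
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateUser",
                "userIdentity": {"type": "IAMUser", "userName": "carol"}}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "GetUser",
                "userIdentity": {"type": "IAMUser", "userName": "dave",
                                 "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}},
]

# Pattern from the explanation above: CreateUser inside a session without MFA.
NO_MFA_SESSION: Dict[str, Any] = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["CreateUser"],
               "userIdentity": {"sessionContext": {"attributes": {"mfaAuthenticated": ["false"]}}}},
}

# Companion pattern: CreateUser with no session context at all (long-term keys).
NO_SESSION: Dict[str, Any] = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["CreateUser"],
               "userIdentity": {"sessionContext": [{"exists": False}]}},
}


def _leaf_matches(spec: List[Any], value: Any, present: bool) -> bool:
    """A leaf spec is a list: any literal equal to the value, or an {"exists": bool} rule."""
    for item in spec:
        if isinstance(item, dict) and "exists" in item:
            if item["exists"] == present:
                return True
        elif present and item == value:
            return True
    return False


def matches(pattern: Dict[str, Any], event: Any) -> bool:
    """True when every key in the pattern is satisfied (EventBridge ANDs the keys together)."""
    if not isinstance(event, dict):
        return False
    for key, spec in pattern.items():
        present = key in event
        value = event.get(key)
        if isinstance(spec, dict):
            if not matches(spec, value):  # nested object: the field must exist as an object
                return False
        elif not _leaf_matches(spec, value, present):
            return False
    return True


def matching_users(pattern: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """User names of the events the rule would forward to the SNS topic."""
    return [e["detail"]["userIdentity"]["userName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print("no MFA in session:", matching_users(NO_MFA_SESSION, EVENTS))
    print("no session at all:", matching_users(NO_SESSION, EVENTS))
```

In a real rule the two patterns can be deployed as two rules targeting the same SNS topic, or combined in one pattern with EventBridge's `$or` operator. Both are needed: the first catches console and assumed-role sessions that skipped MFA, the second catches bare access-key usage.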
An administrator of an AWS Organization wants to prevent member accounts from leaving the organization. Which type of policy should be used?
Service Control Policies (SCPs) are used to manage permissions in an organization. To prevent member accounts from leaving, you can create an SCP that denies the `organizations:LeaveOrganization` action. By attaching this SCP to the root of the organization or specific OUs, you prevent any IAM principal in the affected accounts from successfully making that API call.
An organization needs to monitor real-time metrics for its AWS Site-to-Site VPN connection, including `TunnelDataIn` and `TunnelDataOut`, and be alerted if a tunnel goes down. Which services should be used?
AWS VPN connections publish their metrics to Amazon CloudWatch. You can view metrics like data throughput and tunnel state in the CloudWatch console. To be alerted when a tunnel goes down, you can create a CloudWatch alarm based on the `TunnelState` metric, which has a value of 1 for UP and 0 for DOWN. The alarm can trigger an SNS notification to alert the operations team.
What is the primary function of AWS Artifact?
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS's security and compliance reports (e.g., SOC, PCI, ISO reports) and select online agreements. It helps you demonstrate your own compliance and security to auditors and regulators.
When an IAM policy is evaluated, which policy type takes precedence if there is a conflict?
In IAM policy evaluation, an explicit deny always takes precedence. An explicit `Deny` in any applicable policy (identity-based, resource-based, SCP, etc.) will always override any `Allow` statement. This ensures that the most restrictive permission is always enforced, providing a fail-safe security model.
What does envelope encryption refer to in the context of AWS KMS?
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting that data key with a higher-level key (in AWS, a KMS Customer Master Key). Instead of transmitting and storing large amounts of data to be encrypted/decrypted by the key management service, you only transmit the small data key. The encrypted data and the encrypted data key are stored together. This is the fundamental mechanism behind how most AWS services use KMS for encryption.
To enhance security, a company wants to inspect all traffic between its VPCs and its on-premises network connected via AWS Direct Connect. The inspection must be centralized. Which architecture should be implemented?
A centralized inspection VPC using AWS Transit Gateway is the standard architecture for this requirement. The Transit Gateway acts as a cloud router, connecting all VPCs and the Direct Connect gateway. Route tables on the Transit Gateway are configured to forward traffic through the inspection VPC, which contains security appliances (like AWS Network Firewall) for inspection.
A company provides its developers with programmatic access to AWS using IAM users. A new security policy requires that all developers must use multi-factor authentication (MFA) to access AWS services, including when using the AWS CLI or SDKs. How can this be enforced?
An IAM identity-based policy is the correct way to enforce conditions on user actions. By adding a policy with a `Deny` effect for all actions (`"Action": "*"`) when the `aws:MultiFactorAuthPresent` condition is `false`, you effectively block any API call made without a valid MFA session. This forces developers to authenticate with MFA (e.g., using `aws sts get-session-token`) before using the CLI/SDK.
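The following is an added example, not AWS code, serving several of the explanations above at once: Cognito policy variables, permission boundaries, the approved-AMI SCP, explicit deny, and the MFA deny policy. It is a small Python model of the evaluation rules those answers rely on: an explicit deny wins, a boundary and SCPs cap what identity policies grant, and `${...}` variables resolve from the request context. The sample policies use constructed bucket and AMI ids. One detail worth knowing when writing the MFA policy: a request signed with long-term access keys carries no `aws:MultiFactorAuthPresent` key at all, so the sample uses `BoolIfExists`, which treats the missing key as matching, where a plain `Bool` condition would let that request through.

```python
"""Added example: a small model of IAM policy evaluation covering explicit deny,
permission boundaries, SCPs, and policy-variable substitution. It is not the AWS
engine; it reproduces only the rules the explanations above rely on."""
import fnmatch
import re
from typing import Dict, Iterable, Optional

_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve(text: str, ctx: Dict[str, str]) -> str:
    """Substitute ${key} policy variables from the request context; unknown keys stay literal."""
    return _VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), text)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(cond: Dict, ctx: Dict[str, str]) -> bool:
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if op == "Bool":            # missing key: condition is false
                ok = actual is not None and actual.lower() in [w.lower() for w in wanted]
            elif op == "BoolIfExists":  # missing key: condition is true
                ok = actual is None or actual.lower() in [w.lower() for w in wanted]
            elif op == "StringEquals":
                ok = actual is not None and actual in wanted
            elif op == "StringNotEquals":
                ok = actual is None or actual not in wanted
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True


def _matches(stmt: Dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = [resolve(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policy: Dict, action: str, resource: str, ctx: Dict[str, str]) -> Optional[str]:
    """'Deny' if any matching statement denies, 'Allow' if one allows, None if nothing matches."""
    outcome = None
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome


def is_allowed(identity_policies: Iterable[Dict], action: str, resource: str,
               ctx: Dict[str, str], boundary: Optional[Dict] = None,
               scps: Iterable[Dict] = ()) -> bool:
    """Explicit deny anywhere wins; the boundary and SCPs cap what identity policies grant.
    SCPs are modelled assuming the default FullAWSAccess SCP is still attached."""
    results = [evaluate(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in results:
        return False
    if any(evaluate(s, action, resource, ctx) == "Deny" for s in scps):
        return False
    if boundary is not None and evaluate(boundary, action, resource, ctx) != "Allow":
        return False
    return "Allow" in results


# Sample policies built from the explanations above (bucket name and AMI ids are constructed).
DEV_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
MFA_DENY = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
COGNITO_PREFIX = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                                 "Resource": "arn:aws:s3:::my-bucket/private/${cognito-identity.amazonaws.com:sub}/*"}]}
APPROVED_AMI_SCP = {"Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances",
                                   "Resource": "arn:aws:ec2:*::image/*",
                                   "Condition": {"StringNotEquals": {"ec2:ImageID": ["ami-0approved0001",
                                                                                     "ami-0approved0002"]}}}]}

if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print("MFA session, s3:GetObject:", is_allowed([DEV_ALLOW, MFA_DENY], "s3:GetObject", "arn:aws:s3:::b/k", mfa))
    print("no session key, s3:GetObject:", is_allowed([DEV_ALLOW, MFA_DENY], "s3:GetObject", "arn:aws:s3:::b/k", {}))
```

`is_allowed()` takes the request context as a plain dict, so the same call can be replayed with `aws:MultiFactorAuthPresent` set, unset, or `false`, with and without a boundary, and with or without the SCP, which is the quickest way to convince yourself why the MFA deny should use `BoolIfExists` and why a boundary that only allows S3 silently removes the `ec2:*` grant.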
An application stores sensitive customer data in an Amazon DynamoDB table. A security review requires that the data be encrypted at rest. The solution should require minimal configuration effort. What is the simplest way to meet this requirement?
DynamoDB offers encryption at rest by default. You can choose the encryption key type. The simplest option is 'Owned by DynamoDB', where DynamoDB fully manages the key and encryption process at no additional cost and with no configuration needed. For more control, you can choose keys managed in AWS KMS, but the default option is the simplest way to meet the encryption requirement.
What is the primary function of AWS Shield Advanced?
AWS Shield Advanced provides enhanced, always-on protection against larger and more sophisticated Distributed Denial of Service (DDoS) attacks for your applications running on AWS. It offers more detailed attack diagnostics, integration with AWS WAF, and access to the AWS DDoS Response Team (DRT) for assistance during an attack.
A Lambda function has been compromised and is making anomalous API calls. Which GuardDuty finding type would indicate this specific threat?
GuardDuty has specific finding types for different threats. The `Execution:IAMUser/AnomalousLambdaActivity` finding type is generated when GuardDuty detects that a Lambda function is behaving anomalously, such as invoking APIs in a way that deviates from its established baseline behavior. This is a direct indicator of a potentially compromised Lambda function.
A company's security team needs to conduct a forensic investigation of a potentially compromised EC2 instance without altering the original instance. What is the first step the team should take to preserve evidence?
The first step in a forensic investigation is to preserve the evidence in a non-volatile state. Isolating the instance (by changing its security group) prevents further access or data tampering. Creating a snapshot of the EBS volume creates a point-in-time, bit-for-bit copy of the disk, which can then be attached to a separate forensic workstation for analysis without affecting the original evidence.
An organization uses AWS Single Sign-On (AWS SSO) to manage access to its AWS accounts. A security engineer needs to grant a group of users a specific set of permissions that are not available in the AWS managed policies. What is the correct way to do this?
In AWS SSO, permissions are defined in permission sets. While you can use AWS managed policies, you can also create a customer-managed policy with the exact permissions required. This customer-managed policy is then attached to the permission set, which is in turn assigned to the user group for a specific AWS account, following the principle of least privilege.
What is the primary purpose of enabling S3 Server Access Logging on a bucket?
S3 Server Access Logging provides detailed records for the requests that are made to an S3 bucket. This includes information such as the requester, bucket name, request time, request action, response status, and error code. It is a critical tool for security and access audits, allowing you to see who is accessing your data and how.
What is the purpose of an egress-only internet gateway?
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound-only communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances. It's the IPv6 equivalent of a NAT Gateway for IPv4.
A security engineer is reviewing IAM policies and finds a policy attached to a role with a `sts:AssumeRole` action. What is the purpose of this permission?
The `sts:AssumeRole` action is the fundamental permission that allows a principal (a user or another role) to assume an IAM role. When a principal assumes a role, they give up their original permissions and take on the permissions granted by the assumed role, receiving temporary security credentials to perform actions.
A security team needs to automatically assess all resources in their AWS account for compliance with a set of custom security rules (e.g., 'All EBS volumes must be encrypted'). If a resource is found to be non-compliant, the team wants to be notified. Which service can be used to build this custom compliance check?
AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources. You can use managed rules provided by AWS or create your own custom rules using AWS Lambda functions. A custom AWS Config rule can be written to check for specific configurations, like EBS encryption, and flag any non-compliant resources.
A security team wants to ensure that specific tags (e.g., 'CostCenter', 'Owner') are always applied to certain resource types, like EC2 instances and S3 buckets, when they are created. How can this be enforced across an AWS Organization?
Tag Policies are a type of policy in AWS Organizations that help you standardize tags across resources in your organization’s accounts. You can define rules for specific tags, such as which tag keys are allowed and, for those keys, which values are permitted. You can also configure them to enforce tag application on resource creation.
A company is using AWS Control Tower to manage its multi-account environment. What is the role of the 'Log Archive' account in a Control Tower setup?
When you set up an AWS Control Tower landing zone, it creates two core accounts in addition to the management account. The 'Log Archive' account works as a repository for immutable logs of API activities (from CloudTrail) and resource configuration changes (from AWS Config) from all accounts in the organization. This centralizes logging for security and audit purposes.
An Amazon GuardDuty finding reports that an EC2 instance is communicating with an IP address on a known threat list. A security engineer needs to automatically isolate the instance from the network to prevent further impact while preserving its memory and disk state for forensic analysis. Which automated response is most appropriate?
This is a classic automated incident response pattern. Amazon EventBridge can filter for specific GuardDuty findings. The rule's target should be an AWS Lambda function that performs the remediation. The Lambda function can modify the instance's security group to a quarantine group and then use AWS Systems Manager Run Command to capture a memory dump.
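The quarantine step of that pattern, as an added example (constructed here, not code from the quiz or from AWS): a Lambda handler that reads the instance ID out of the EventBridge envelope of a GuardDuty finding, checks the severity, and swaps the instance's security groups for a pre-created quarantine group. The quarantine group ID, the account details in the sample event and the `FakeEc2` stand-in are assumptions so the logic runs without AWS access; inside Lambda the real `boto3` client is used.

```python
"""EventBridge -> Lambda quarantine handler for a GuardDuty EC2 finding.

Constructed example. It assumes a pre-created quarantine security group
(QUARANTINE_SG, placeholder id) with no inbound or outbound rules, and the
EC2 client is injectable so the logic can be exercised without AWS access.
"""
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0000quarantine")  # placeholder
MIN_SEVERITY = 7  # GuardDuty severity 7.0-8.9 is High; only act on High and above

# The EventBridge rule pattern this handler is meant to sit behind: GuardDuty
# findings with numeric severity >= MIN_SEVERITY (EventBridge numeric matching).
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", MIN_SEVERITY]}]},
}

# Constructed sample event shaped like the EventBridge envelope for a GuardDuty
# finding, trimmed to the fields the handler reads. IDs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


class FakeEc2:
    """Stand-in for boto3's EC2 client that records the calls it receives."""

    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
        return {}


def instance_id_from_finding(event):
    """Return the instance id, or None when the finding is not about an EC2 instance."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def finding_is_actionable(event, min_severity=MIN_SEVERITY):
    """Defence in depth: re-check severity even though the rule pattern filters it."""
    return float(event.get("detail", {}).get("severity", 0)) >= min_severity


def quarantine_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Replace the instance's security groups with only the quarantine group.

    The instance keeps running, so memory and disk state are preserved for the
    snapshot and memory capture that follow; only new network traffic is cut.
    """
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instanceId": instance_id, "groups": [quarantine_sg]}


def handler(event, context=None, ec2=None):
    """Lambda entry point: isolate the instance named in the finding."""
    if ec2 is None:
        import boto3  # real client only when running inside Lambda
        ec2 = boto3.client("ec2")
    if not finding_is_actionable(event):
        return {"status": "skipped", "reason": "severity below threshold"}
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"status": "skipped", "reason": "finding does not reference an EC2 instance"}
    result = quarantine_instance(ec2, instance_id)
    # The memory capture via Systems Manager Run Command would follow here; the
    # exact command depends on the forensic tooling baked into the AMI.
    return {"status": "quarantined", **result}


if __name__ == "__main__":
    fake = FakeEc2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    print(fake.calls)
```

Note the ordering: the group swap happens before any snapshot or memory capture, because the goal is to stop the outbound traffic the finding reported without stopping the instance, which would destroy volatile memory.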
What is the primary difference between an identity-based IAM policy and a resource-based IAM policy?
Identity-based policies are attached to IAM principals (users, groups, roles) and define what actions that principal can perform on which resources. Resource-based policies are attached directly to resources (like an S3 bucket or an SQS queue) and specify which principals are allowed to perform actions on that specific resource.
A company uses AWS Organizations and wants to grant a third-party auditor read-only access to resources in several member accounts. The auditor uses a dedicated AWS account. What is the most secure and scalable way to grant this cross-account access?
Cross-account access using IAM roles is the standard and most secure method. In each member account, an IAM role should be created with the required read-only permissions (e.g., `ReadOnlyAccess` managed policy). The role's trust policy should be configured to allow principals from the auditor's AWS account to assume the role. The auditor can then use `sts:AssumeRole` to get temporary credentials for each account.
A company must retain all API call records for 7 years for compliance. The logs must be stored immutably, and the integrity of the logs must be verifiable. The solution should also provide a centralized view of all API activity across an entire AWS Organization. Which configuration meets these requirements?
AWS CloudTrail is the service for logging API activity. Creating an organization trail ensures all accounts are covered. Storing logs in a central S3 bucket with S3 Object Lock in compliance mode provides immutable, WORM (Write-Once-Read-Many) storage for the required retention period. Enabling CloudTrail log file validation provides a way to verify the integrity of the log files.
An S3 bucket policy contains a statement with `"Effect": "Deny"` and a condition that checks for `"aws:SecureTransport": "false"`. What is the result of this policy?
This policy statement explicitly denies any S3 action (like `s3:*`) on the bucket if the request was not sent over HTTPS. The `aws:SecureTransport` condition key checks if the request was made using SSL/TLS. By denying requests where this is false, you enforce encryption in transit for all access to the bucket.
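To see the explicit-deny-wins rule at work, here is an added example (constructed, not from the quiz): a bucket policy with an Allow for an application role plus the `aws:SecureTransport` Deny, run through a deliberately small evaluator that models only what this question needs (principal match, `*` wildcards in Action/Resource, and the `Bool` condition operator). The bucket name, account ID and role ARN are placeholders, and the evaluator is an assumption for illustration, not the real IAM engine, which also weighs identity policies, SCPs and session policies.

```python
"""Evaluate an S3 bucket policy that denies non-TLS requests.

Constructed example: a minimal policy evaluator (explicit Deny wins over
Allow) applied to the aws:SecureTransport pattern. Bucket name, account id
and principal ARN are placeholders.
"""
import fnmatch
import json

BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _matches(pattern, value):
    """IAM-style wildcard match; '*' matches any run of characters."""
    if isinstance(pattern, list):
        return any(_matches(p, value) for p in pattern)
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return any(p == "*" or p == caller_arn for p in aws)
    return False


def _condition_holds(condition, context):
    """Only the Bool operator is modelled; enough for aws:SecureTransport."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, caller_arn, action, resource, context):
    """Return 'Allow' or 'Deny' following the explicit-deny-wins rule."""
    decision = "Deny"  # implicit deny unless some Allow matches
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], caller_arn)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every Allow
        decision = "Allow"
    return decision


def check_transport():
    """Same principal and object, once over HTTPS and once over plain HTTP."""
    role = "arn:aws:iam::111122223333:role/app-role"
    obj = "arn:aws:s3:::example-bucket/report.csv"
    https = evaluate(BUCKET_POLICY, role, "s3:GetObject", obj, {"aws:SecureTransport": "true"})
    http = evaluate(BUCKET_POLICY, role, "s3:GetObject", obj, {"aws:SecureTransport": "false"})
    return https, http


if __name__ == "__main__":
    print(check_transport())
```

Two details worth noticing: the Deny uses `"Principal": "*"` and `s3:*`, so it applies to every caller and every S3 action regardless of what other statements allow, and a caller with no matching Allow is still denied over HTTPS, because the absence of an Allow is itself an implicit deny.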
A company wants to use a single service to get a comprehensive view of its security posture. The service should aggregate findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie, and also perform its own automated security checks against industry standards like CIS AWS Foundations Benchmark. Which service should be used?
AWS Security Hub is a cloud security posture management service that provides a comprehensive view of your security state in AWS. It collects and aggregates security findings from various AWS services and third-party partners. It also runs its own automated, continuous security checks based on standards like CIS and PCI DSS, providing a single pane of glass for security and compliance.
A financial services company needs to continuously audit its AWS environment against common security and compliance frameworks, such as CIS AWS Foundations Benchmark and PCI DSS. The solution should be automated and provide a centralized dashboard of findings. Which AWS service is designed for this purpose?
AWS Security Hub is a cloud security posture management service that performs automated security checks against best practices and industry standards. It collects findings from various AWS services (like GuardDuty, Inspector, Macie) and third-party products, providing a single, comprehensive view of your security and compliance status. It includes built-in checks for frameworks like CIS and PCI DSS.