Amazon AWS Certified Security — Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 3 Q31-45
Question 31:
A company operates multiple Amazon S3 buckets across several AWS accounts containing highly sensitive financial and personal data. The security team requires organisation-wide enforcement of encryption with customer-managed KMS keys, prevention of unencrypted object uploads, access control restricted to approved IAM roles, automated detection and remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption during uploads.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the correct customer-managed KMS key is used, enforce bucket policies granting access only to approved IAM roles, implement EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily in S3 and encrypt them later manually.
D) Rely on developer discipline to monitor uploads and manually audit compliance on a periodic basis.
Answer:
B
Explanation:
This scenario emphasizes organization-wide enforcement of encryption, least-privilege access, automated remediation, and centralised auditing. The solution must prevent human error, ensure compliance with financial regulations, and provide visibility for security operations.
Option A relies on SSE-S3 default encryption and developer compliance during uploads. While SSE-S3 encrypts objects at rest, it does not offer the granularity of customer-managed KMS keys, which provide full control over key policies, key usage permissions, and key rotation. Developers remain responsible for setting the encryption headers on every upload, which introduces a risk of misconfiguration, non-compliant uploads, or plain human error. Additionally, default SSE-S3 encryption does not detect or remediate non-compliant objects, which is critical for sensitive data protection and regulatory compliance.
Option B provides a comprehensive and preventive solution. AWS Organizations SCPs can enforce organization-wide rules that deny S3 PutObject actions unless a specified customer-managed KMS key is used. This ensures all object uploads across accounts adhere to encryption policies, preventing non-compliant data from being stored. Bucket policies further enforce least-privilege access by restricting actions to approved IAM roles, preventing unauthorized users or processes from bypassing security controls. EventBridge rules can detect attempts to upload unencrypted objects and trigger automated remediation actions, such as deleting, encrypting, or alerting responsible teams. CloudTrail consolidation into a centralised audit account ensures full visibility of all operations, including attempted violations, supporting regulatory compliance and security monitoring.
Option C, manually encrypting unencrypted objects after upload, is reactive rather than preventive. Objects may be temporarily exposed in plaintext, increasing the risk of unauthorized access or accidental exposure. Manual remediation introduces operational complexity and delays, which may not meet compliance requirements for sensitive financial and personal data.
Option D relies entirely on human discipline for monitoring and auditing, which is insufficient for an organization with multiple accounts and high-value data. Human error, oversight, or insider threats can lead to unencrypted data exposure, non-compliance, and regulatory penalties. Manual auditing is labor-intensive, inconsistent, and prone to gaps in visibility.
Option B is the only solution that integrates preventive, detective, and corrective controls, ensuring organization-wide encryption enforcement, strict access control, automated remediation, and comprehensive auditability. It aligns with AWS security best practices and regulatory requirements for financial and personal data protection.
Question 32:
A healthcare organization stores patient electronic health records in Amazon RDS instances. The security team requires encryption at rest and in transit, automated credential rotation, least-privilege access enforcement, and comprehensive audit logging for all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, use SSL for database connections, and allow developers full access to the database.
B) Use customer-managed KMS keys for RDS encryption, enable SSL/TLS for all database connections, enforce IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all RDS operations and configuration changes.
C) Store database credentials in environment variables and rely on default RDS encryption.
D) Enable point-in-time recovery for the RDS instance and review logs manually for auditing purposes.
Answer:
B
Explanation:
The healthcare organization’s requirements focus on protecting sensitive electronic health records in accordance with regulatory standards such as HIPAA. The solution must integrate encryption, identity-based access, automated credential management, and comprehensive auditing.
Option A uses AWS-managed encryption keys and grants full access to developers. While encryption at rest and in transit are partially addressed, the lack of customer-managed KMS keys prevents granular control over key access and rotation, which is essential for compliance with strict healthcare regulations. Allowing developers full access violates the principle of least privilege, introducing unnecessary risk of accidental or malicious data exposure. SSL/TLS connections protect data in transit but do not compensate for weak key management or broad access permissions.
Option B addresses all requirements comprehensively. Customer-managed KMS keys provide granular control over key usage, allow for automated rotation, and enforce compliance policies. Enabling SSL/TLS ensures that sensitive data is protected during transmission between clients and database instances. IAM database authentication enforces role-based access controls, removing reliance on static credentials and allowing centralised identity management. Automatic credential rotation using AWS Secrets Manager reduces the risk of credential compromise and ensures that database access remains secure. CloudTrail logging provides detailed audit trails for all API calls, configuration changes, and access events, offering centralised visibility and enabling compliance reporting. This combination of preventive, detective, and corrective controls ensures full compliance, security, and operational efficiency.
Option C, storing credentials in environment variables, introduces risk due to potential exposure through logs, misconfiguration, or insider threats. Default RDS encryption alone does not meet regulatory requirements for key management or auditing. Option D, relying on point-in-time recovery and manual log review, is reactive and lacks preventive security controls, automated credential management, and real-time auditing, leaving significant gaps in compliance and security posture.
Option B is the only solution that fully aligns with security best practices for healthcare data, ensuring encryption, least-privilege access, automated credential management, and complete auditing, thereby meeting regulatory and organizational requirements effectively.
Question 33:
A financial organization stores highly sensitive transaction data in Amazon S3 and must enforce immutability, prevent accidental deletion, protect against insider threats, and provide comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to avoid deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting deletion, and enable CloudTrail logging for all object access and attempts to modify or delete objects.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Sensitive financial data requires strict immutability, controlled access, and comprehensive auditing. Option A, enabling versioning, allows recovery of prior object versions but does not prevent deletion or tampering by privileged users. Relying on developer discipline introduces risk, as errors or intentional actions can bypass versioning protections.
Option B provides a preventive, enforced, and auditable solution. S3 Object Lock in compliance mode ensures objects are immutable for the retention period, preventing deletion or modification even by administrators. Bucket policies enforce least-privilege access, restricting deletion and modification actions to authorized personnel only. CloudTrail logging captures all object-level operations, including attempted or failed access, enabling centralised auditing for compliance reporting and internal monitoring. This approach addresses immutability, access control, insider threat mitigation, and audit requirements comprehensively.
Option C relies on manual backups and tracking, which is operationally intensive, prone to error, and cannot prevent deletion or tampering at the source. Option D, using SSE-S3 encryption with manual access management, provides data confidentiality but does not enforce immutability, prevent deletion, or provide centralised auditing.
Option B is the only solution that satisfies all regulatory, operational, and security requirements for highly sensitive financial data in S3, ensuring immutability, protection from internal and external threats, and comprehensive auditability.
Question 34:
A company uses AWS Lambda to process sensitive healthcare transactions. The security team requires that Lambda functions are invoked exclusively through approved API Gateway endpoints, that internal direct invocation is blocked, and that all invocation events are auditable. Which solution best meets these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging for monitoring.
B) Attach resource-based policies to Lambda functions that allow invocation only from specific API Gateway principals, and enable CloudTrail logging for all invocations.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share the keys.
Answer:
B
Explanation:
Healthcare transaction processing requires strict control over invocation paths, least-privilege enforcement, and auditable access. Option A permits unrestricted invocation, allowing potential misuse by internal users and violating least-privilege principles. Option C exposes secrets in environment variables, which can be accidentally disclosed or misused, and does not prevent unauthorized invocation. Option D relies on API key secrecy, which can be circumvented if keys are shared or mishandled by developers.
Option B is the correct solution. By attaching resource-based policies to Lambda functions, the organization ensures that only approved API Gateway endpoints can invoke the functions. CloudTrail logging captures all invocation events, including unauthorized attempts, enabling centralised auditing and compliance reporting. This approach enforces strict access control, prevents internal bypass, and ensures regulatory compliance. Resource-based policies combined with centralised logging provide a preventive, detective, and corrective framework that meets operational and regulatory requirements for sensitive healthcare data processing.
Question 35:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable access logs. Which solution best meets these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access using CloudTrail.
C) Hard-code credentials in application code on EC2 instances and review access logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Sensitive API access demands secure credential management, automated rotation, least-privilege access, and auditable logs. Option A is risky because environment variables can be exposed through misconfigurations, logs, or insider misuse, and manual rotation is prone to errors. Option C hard-codes credentials, violating best practices and increasing the risk of compromise. Option D relies on long-lived IAM user credentials, which are difficult to rotate and can be misused if compromised.
Option B is the optimal solution. AWS Systems Manager Parameter Store with SecureString parameters securely stores secrets and integrates with IAM-based access controls. EC2 instances retrieve secrets using assigned IAM roles, ensuring least-privilege access without exposing credentials to developers. Automated rotation reduces the risk of stale or compromised credentials, and CloudTrail monitoring provides a comprehensive audit trail of all access events. This approach ensures operational security, regulatory compliance, and reduces administrative overhead while maintaining strict security controls.
Question 36:
A multinational financial organization stores sensitive transactional data in multiple Amazon S3 buckets across several AWS accounts. Security and compliance requirements mandate organization-wide enforcement of encryption with customer-managed KMS keys, prevention of unencrypted object uploads, least-privilege access control, automated detection and remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to ensure encryption is applied during uploads.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies restricting access to approved IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily in S3 and manually encrypt them later.
D) Rely on developer discipline to monitor uploads and audit compliance periodically.
Answer:
B
Explanation:
Ensuring secure storage of sensitive financial data in a multi-account AWS environment requires a comprehensive solution integrating preventive, detective, and corrective controls, centralised auditing, and automated remediation. Option A, enabling SSE-S3 default encryption, provides some baseline encryption but relies on developers to enforce encryption headers during object uploads. While this approach may work in small, controlled environments, it is inherently risky in a large organization because human error or misconfiguration can result in non-compliant object storage. Furthermore, SSE-S3 uses keys managed entirely by Amazon S3, which do not provide the granular control over key usage, rotation, or access permissions necessary for compliance with strict financial regulations. Default encryption cannot automatically remediate non-compliant objects or detect policy violations across multiple accounts.
Option B addresses all requirements comprehensively. AWS Organizations SCPs allow the organization to enforce a preventive, organization-wide policy that denies any S3 PutObject operation unless the correct customer-managed KMS key is used. This ensures that all object uploads comply with encryption policies across all accounts, effectively eliminating the risk of non-compliant data storage. Bucket policies further enforce least-privilege access by allowing only approved IAM roles to upload or modify objects. This approach prevents unauthorized users or services from bypassing encryption policies, aligning with the principle of least privilege and minimizing insider threats. EventBridge rules provide a detective and corrective mechanism by automatically detecting unencrypted objects or policy violations and triggering remediation actions such as encrypting objects, deleting non-compliant uploads, or alerting responsible teams. CloudTrail consolidation into a centralised audit account ensures that all S3 operations, including attempted violations, are captured for centralised visibility, compliance reporting, and forensic investigation if required. This combination of preventive, detective, and corrective controls provides comprehensive security, operational efficiency, and regulatory compliance.
Option C relies on manual encryption of unencrypted objects after upload, which is reactive rather than preventive. Objects may be temporarily exposed in plaintext, increasing the risk of unauthorized access or accidental exposure. Manual processes are also operationally intensive, prone to errors, and inconsistent, and they may not meet stringent financial or regulatory requirements.
Option D relies solely on developer discipline and periodic audits, which is insufficient for a large, multi-account environment. Human error, oversight, or intentional bypass could result in non-compliance or data exposure. Periodic audits, while useful for verification, cannot prevent violations in real time and may fail to detect or remediate incidents promptly, leading to potential regulatory or operational consequences.
Option B is therefore the only solution that fully integrates preventive enforcement, least-privilege access control, automated remediation, and centralised auditing, ensuring organization-wide compliance and operational security. This approach aligns with AWS security best practices for sensitive financial data storage and is scalable across multiple accounts and regions.
Question 37:
A healthcare organization stores electronic health records in Amazon RDS instances. Security requirements mandate encryption at rest and in transit, strict identity-based access controls, automated credential rotation, and centralised audit logging for all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, allow developers full database access, and enable SSL for database connections.
B) Use customer-managed KMS keys for RDS encryption, enforce IAM database authentication, enable SSL/TLS for all database connections, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default RDS encryption.
D) Enable point-in-time recovery on the RDS instance and manually review logs for auditing purposes.
Answer:
B
Explanation:
Option A provides basic encryption at rest using AWS-managed keys and SSL for in-transit encryption but fails to enforce least-privilege access or centralised credential management. Allowing developers full database access introduces significant risk, violating the principle of least privilege. AWS-managed keys do not allow granular control over access policies, key rotation, or usage permissions, limiting compliance with strict healthcare regulations such as HIPAA. While SSL/TLS protects data in transit, it does not mitigate risks associated with improper access or compromised credentials.
Option B comprehensively addresses all security and compliance requirements. Customer-managed KMS keys enable granular control over key usage, access permissions, and rotation schedules, providing full regulatory compliance and operational oversight. Enforcing IAM database authentication eliminates the need for static credentials, allowing identity-based access controls and ensuring only authorized personnel or systems can access the database. SSL/TLS ensures secure transmission of sensitive data between clients and the database, protecting it from interception or tampering. Automated credential rotation using AWS Secrets Manager minimizes the risk of stale or compromised credentials, reducing operational burden while maintaining continuous security. CloudTrail logging captures all API calls, configuration changes, and access events, enabling centralised auditing and real-time monitoring for compliance verification. The integration of these preventive, detective, and corrective controls ensures that sensitive healthcare data is fully protected, access is strictly controlled, credentials are managed securely, and auditability is maintained.
Option C, storing credentials in environment variables, introduces the risk of credential exposure due to misconfigurations, logs, or insider misuse. Default RDS encryption does not provide key management control or centralised auditing. Option D, relying on point-in-time recovery and manual log review, is reactive and does not enforce encryption, access control, or automated credential management. Manual auditing is error-prone, inconsistent, and cannot provide real-time security monitoring or regulatory compliance assurances.
Option B remains the only solution that fully satisfies all preventive, detective, and corrective security controls while ensuring regulatory compliance and operational efficiency for sensitive healthcare data. It adheres to AWS security best practices and aligns with HIPAA and other relevant healthcare regulations, providing strong encryption, automated credential management, identity-based access control, and centralised auditing.
Question 38:
A financial organization stores sensitive transactional data in Amazon S3. Security requirements include immutability for a specified retention period, protection against accidental deletion, prevention of insider threats, and comprehensive audit logging of all object access and attempted modifications. Which solution best meets these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies to restrict access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A relies on S3 versioning to recover previous object versions. While versioning allows recovery from accidental deletions, it does not prevent deletion or modification by privileged users. Relying on developer discipline is risky, as human error or insider threats may compromise immutability. Versioning alone is insufficient to meet regulatory requirements for immutability and auditability in financial environments.
Option B is the correct solution. S3 Object Lock in compliance mode enforces a write-once-read-many (WORM) policy, ensuring that objects remain immutable for the defined retention period. Even privileged users cannot delete or modify these objects, addressing insider threat concerns and accidental deletion risks. Bucket policies enforce least-privilege access, restricting actions to authorized personnel and preventing unauthorized modifications. CloudTrail logging captures all object-level operations, including attempted deletions or modifications, providing centralised auditing and forensic capabilities. This combination of preventive, detective, and corrective controls ensures regulatory compliance, operational security, and auditability.
Option C relies on manual backups and tracking, which is reactive and prone to human error. It does not prevent deletions or modifications at the source, leaving sensitive data vulnerable. Operational overhead is high, and auditability is limited. Option D, using SSE-S3 encryption with manual access management, does not enforce immutability or prevent deletion. While encryption protects confidentiality, it does not provide integrity or compliance controls necessary for regulatory requirements.
Option B is the only solution that satisfies all requirements, including immutability, access control, insider threat mitigation, and comprehensive audit logging, ensuring compliance with financial regulations and best practices for secure data storage.
Question 39:
A healthcare organization uses AWS Lambda to process sensitive patient information. Security requirements mandate that Lambda functions can be invoked only through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocation activity must be auditable. Which solution best meets these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging for monitoring.
B) Attach resource-based policies to Lambda functions to allow invocation only from specific API Gateway principals, and enable CloudTrail logging for all invocations.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share the keys.
Answer:
B
Explanation:
Option A provides unrestricted invocation and relies on logging for auditing. While logging can provide visibility, it does not prevent unauthorized invocation, violating least-privilege principles and regulatory requirements for sensitive healthcare data. Option C, using environment variables for secrets, does not prevent unauthorized invocation and exposes sensitive information to potential misuse or accidental disclosure. Option D relies on API key secrecy, which can be circumvented if keys are shared, mishandled, or misconfigured.
Option B is the correct solution. Resource-based policies allow explicit control over which principals can invoke a Lambda function. By specifying approved API Gateway endpoints, the organization ensures that Lambda functions are invoked only through authorized workflows. CloudTrail logging captures all invocation events, including successful and failed attempts, providing centralised auditing and compliance reporting. This approach enforces preventive controls by blocking unauthorized access, detective controls through logging and monitoring, and corrective controls through automated alerts and audit workflows. It ensures least-privilege access, prevents internal bypass, and maintains regulatory compliance for sensitive patient data. Option B is fully aligned with AWS security best practices and healthcare regulatory requirements.
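The resource-based policy that Questions 34 and 39 describe, as an added worked example (not code from the original page or from AWS): the policy restricts lambda:InvokeFunction to the API Gateway service principal and, through an AWS:SourceArn condition, to one route of one REST API, and a small offline evaluator shows which invocation attempts the policy accepts. Region, account id, API id, function name and the sample calls are constructed placeholders; the evaluator is a teaching simplification and models only the resource-policy half of the decision.

```python
"""Offline simulation of the Lambda resource-based policy from Questions 34 and 39.

Added example; not code from the original page or from AWS. The statement shape
(service principal apigateway.amazonaws.com plus an AWS:SourceArn condition) is
what `aws lambda add-permission` writes. Region, account id, API id and function
name are constructed placeholders. The evaluator is a teaching simplification: it
handles Allow statements, the Principal Service/AWS forms and ArnLike only, and it
models only the resource-policy half of the decision (same-account callers are
also evaluated against their identity-based policies).
"""
import fnmatch

REGION = "eu-west-1"
ACCOUNT = "111122223333"      # placeholder account id
API_ID = "a1b2c3d4e5"         # placeholder REST API id
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:process-claims"

# Any stage of the approved API, but only the POST /claims route.
APPROVED_SOURCE_ARN = f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}/*/POST/claims"

RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyApprovedApiGateway",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": FUNCTION_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn": APPROVED_SOURCE_ARN}},
        }
    ],
}


def arn_like(pattern, value):
    """ArnLike: each of the six colon-delimited ARN parts is matched separately,
    case-sensitively, with '*' and '?' wildcards."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


def _principal_matches(policy_principal, caller):
    """caller is {"Service": "<service>"} or {"AWS": "<principal ARN>"}."""
    if policy_principal == "*":
        return True
    for kind, ident in caller.items():
        allowed = policy_principal.get(kind, [])
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if ident in allowed:
            return True
    return False


def resource_policy_allows(policy, caller, action, resource, context):
    """True if some Allow statement matches caller, action, resource and every
    condition. A condition key missing from the context never satisfies ArnLike."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not arn_like(stmt["Resource"], resource):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        conds = stmt.get("Condition", {}).get("ArnLike", {})
        if all(k in context and arn_like(pat, context[k]) for k, pat in conds.items()):
            return True
    return False


APIGW = {"Service": "apigateway.amazonaws.com"}
INVOKE = "lambda:InvokeFunction"
EXEC_API = f"arn:aws:execute-api:{REGION}:{ACCOUNT}"

# Constructed invocation attempts: (caller, request context).
SAMPLE_CALLS = {
    "approved api, prod, POST /claims": (APIGW, {"AWS:SourceArn": f"{EXEC_API}:{API_ID}/prod/POST/claims"}),
    "approved api, GET /claims": (APIGW, {"AWS:SourceArn": f"{EXEC_API}:{API_ID}/prod/GET/claims"}),
    "other api, POST /claims": (APIGW, {"AWS:SourceArn": f"{EXEC_API}:zzzzzzzzzz/prod/POST/claims"}),
    "eventbridge rule": ({"Service": "events.amazonaws.com"},
                         {"AWS:SourceArn": f"arn:aws:events:{REGION}:{ACCOUNT}:rule/nightly"}),
    "direct call by iam user": ({"AWS": f"arn:aws:iam::{ACCOUNT}:user/analyst"}, {}),
}


def classify_calls():
    """Map each constructed invocation to the resource policy's decision."""
    return {name: resource_policy_allows(RESOURCE_POLICY, caller, INVOKE, FUNCTION_ARN, ctx)
            for name, (caller, ctx) in SAMPLE_CALLS.items()}


if __name__ == "__main__":
    for name, ok in classify_calls().items():
        print(f"{name:34s} -> {'allowed by resource policy' if ok else 'not allowed'}")
```

Only the call that arrives through the approved API and route passes; a different API, a different route, another AWS service, or a direct call by an IAM principal finds no matching Allow in this policy.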
Question 40:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access using CloudTrail.
C) Hard-code credentials in application code on EC2 instances and review access logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A is insecure because environment variables can be exposed through logs, misconfigurations, or insider actions. Manual rotation is error-prone and increases operational overhead. Option C introduces significant risk by hard-coding credentials in application code, making them difficult to rotate and exposing them to potential compromise. Option D relies on long-lived IAM user credentials, which are difficult to rotate, challenging to audit, and can be misused if compromised.
Option B provides the most secure, automated, and auditable solution. AWS Systems Manager Parameter Store with SecureString parameters allows secure storage of sensitive credentials. IAM roles assigned to EC2 instances enforce least-privilege access, ensuring only authorized instances can retrieve secrets. Automated rotation minimizes the risk of credential compromise and reduces operational overhead. CloudTrail logging provides comprehensive audit trails of all access attempts, successful or failed, enabling compliance reporting, forensic analysis, and centralised monitoring. This solution integrates preventive, detective, and corrective controls, fully satisfying security requirements and operational best practices for sensitive API access.
Question 41:
A multinational financial services company stores sensitive transactional data in Amazon S3 across multiple AWS accounts. Security and compliance requirements include organization-wide encryption using customer-managed KMS keys, prevention of unencrypted object uploads, least-privilege access control for approved IAM roles, automated detection and remediation of non-compliant objects, and centralised auditing of all operations. Which solution best satisfies these requirements?
A) Enable default SSE-S3 encryption on all buckets and rely on developers to ensure encryption during uploads.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to approved IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily in S3 and manually encrypt them later.
D) Rely on developer discipline to monitor uploads and audit compliance periodically.
Answer:
B
Explanation:
Securing sensitive transactional data across multiple accounts requires a solution that combines preventive, detective, and corrective controls while ensuring operational efficiency and regulatory compliance. Option A, enabling default SSE-S3 encryption, is insufficient for large-scale enterprise environments because it relies on developers to apply encryption during uploads. While SSE-S3 encrypts objects at rest, it does not provide granular control over encryption keys, key rotation, or policy enforcement. Misconfigurations or accidental uploads without the proper headers can result in non-compliant object storage. Furthermore, default encryption does not provide automated detection or remediation of unencrypted objects, leaving gaps in compliance.
Option B addresses all requirements comprehensively. SCPs in AWS Organizations enforce organization-wide policies, denying PutObject requests unless the specified customer-managed KMS key is used. This ensures preventive enforcement across all accounts. Bucket policies grant access only to approved IAM roles, enforcing least-privilege principles and mitigating the risk of insider threats. EventBridge rules detect unencrypted objects in near real-time and trigger automated remediation, such as encrypting objects, deleting non-compliant uploads, or alerting responsible teams. Consolidating CloudTrail logs into a centralised audit account provides full visibility into all object-level operations, including attempted violations, enabling comprehensive auditing, compliance reporting, and forensic investigation. This integrated approach reduces operational overhead, prevents policy violations, and ensures organization-wide enforcement of encryption policies.
Option C relies on manual encryption of objects after upload, which is reactive and error-prone. Objects may be exposed in plaintext before encryption, increasing the risk of unauthorized access or accidental leakage. Manual remediation is inconsistent, labor-intensive, and cannot guarantee timely compliance with regulatory requirements.
Option D relies entirely on developer discipline and periodic audits, which is inadequate in multi-account, multi-region environments. Human error, oversight, or deliberate circumvention can result in unencrypted data being stored, exposing the organization to regulatory and operational risk. Periodic audits are reactive and may fail to detect violations promptly, leading to non-compliance and potential reputational damage.
Option B is therefore the only solution that satisfies all security, operational, and regulatory requirements by integrating preventive enforcement, least-privilege access control, automated remediation, and centralised auditing across multiple accounts and regions.
Question42:
A healthcare organization stores sensitive electronic health records in Amazon RDS instances. Security requirements include encryption at rest and in transit, automated credential rotation, strict identity-based access control, and comprehensive auditing of all database operations and configuration changes. Which solution best satisfies these requirements?
A) Enable RDS encryption using AWS-managed keys, allow developers full access to databases, and enable SSL for database connections.
B) Use customer-managed KMS keys for RDS encryption, enable SSL/TLS for all database connections, enforce IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default RDS encryption.
D) Enable point-in-time recovery on the RDS instance and manually review logs for auditing purposes.
Answer:
B
Explanation:
Option A provides only partial encryption and relies on AWS-managed keys and full developer access. While SSL protects data in transit, AWS-managed keys do not allow granular control over access policies or key rotation, which is critical for healthcare regulatory compliance such as HIPAA. Full developer access violates the principle of least privilege, creating significant security and compliance risks.
Option B comprehensively addresses all security and regulatory requirements. Customer-managed KMS keys provide encryption at rest with control over key usage, rotation schedules, and access policies. Enabling SSL/TLS ensures encryption of data in transit. IAM database authentication eliminates the use of static credentials and enforces role-based access controls, ensuring that only authorized personnel or systems can access databases. AWS Secrets Manager automates credential rotation, reducing the risk of stale or compromised credentials. CloudTrail logging captures all RDS API calls, configuration changes, and access events, providing centralised auditing and compliance reporting. This combination of preventive, detective, and corrective controls ensures robust security, regulatory compliance, and operational efficiency.
Option C, storing credentials in environment variables, is risky because credentials may be exposed through misconfigurations or logs. Default RDS encryption alone does not provide auditing, key management, or identity-based access controls, leaving significant gaps in compliance and security. Option D is reactive, relying on point-in-time recovery and manual log reviews. While useful for disaster recovery, it does not prevent unauthorized access or provide automated credential management or comprehensive auditing.
Option B is the only solution that integrates preventive encryption, least-privilege access, automated credential management, and centralised auditing, ensuring sensitive healthcare data remains protected, compliant, and auditable.
Question43:
A financial services organization stores highly sensitive transactional data in Amazon S3. Security requirements include immutability for a defined retention period, prevention of accidental deletion, protection against insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?
A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.
Answer:
B
Explanation:
Option A uses S3 versioning to recover previous object versions. While it provides a basic recovery mechanism, it does not prevent privileged users from deleting or modifying objects. Relying on developer discipline introduces the risk of human error or insider threats. Versioning alone cannot satisfy regulatory requirements for immutable storage or auditable object access.
Option B is the correct solution. S3 Object Lock in compliance mode enforces write-once-read-many (WORM) policies, ensuring objects remain immutable for the retention period. Even administrators cannot delete or modify these objects, preventing accidental or malicious tampering. Bucket policies enforce least-privilege access, ensuring only authorized personnel can access or manage objects. CloudTrail captures all object-level operations, including attempted modifications or deletions, providing a centralised audit trail for compliance reporting and forensic analysis. This integrated approach satisfies all preventive, detective, and corrective requirements for sensitive financial data.
Option C relies on manual backups and tracking, which is operationally intensive and error-prone. It does not prevent deletion or modification at the source and may fail to meet regulatory compliance requirements. Option D, using SSE-S3 encryption with manual access management, protects confidentiality but does not enforce immutability or audit access, leaving significant gaps in compliance and security.
Option B is the only solution that ensures immutability, access control, insider threat mitigation, and comprehensive auditing, meeting regulatory requirements and security best practices.
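What compliance mode forbids, as against governance mode, is easy to blur. The following added example (not code from the original page or from AWS) models the delete and retention-change decisions S3 applies to a locked object version; the `NOW` and `RETAIN_UNTIL` dates and the class name are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed dates for the worked cases.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
RETAIN_UNTIL = datetime(2032, 1, 1, tzinfo=timezone.utc)


@dataclass
class LockedVersion:
    """Object Lock state of one object version (Object Lock requires versioning)."""
    mode: str                    # "COMPLIANCE" or "GOVERNANCE"
    retain_until: datetime
    legal_hold: bool = False


def _bypass(bypass_header, has_bypass_permission):
    # Governance mode can be overridden only when the request carries the
    # x-amz-bypass-governance-retention header AND the caller holds
    # s3:BypassGovernanceRetention, which a bucket policy can deny to everyone.
    return bypass_header and has_bypass_permission


def may_delete_version(obj, now, bypass_header=False, has_bypass_permission=False):
    """Can a DELETE naming this specific version succeed? (A DELETE without a
    version id only adds a delete marker and never removes a locked version.)"""
    if obj.legal_hold:
        return False             # legal hold blocks deletion in either mode
    if now >= obj.retain_until:
        return True              # retention period has expired
    if obj.mode == "COMPLIANCE":
        return False             # nobody, root user included, can bypass this
    return _bypass(bypass_header, has_bypass_permission)


def may_change_retention(obj, new_mode, new_retain_until,
                         bypass_header=False, has_bypass_permission=False):
    """Can the retention settings be changed to the requested values?"""
    if obj.mode == "COMPLIANCE":
        # Compliance mode can only be extended: never shortened, never downgraded.
        return new_mode == "COMPLIANCE" and new_retain_until >= obj.retain_until
    if new_retain_until < obj.retain_until:
        # Shortening a governance-mode period is a bypass operation.
        return _bypass(bypass_header, has_bypass_permission)
    return True                  # extending, or upgrading to compliance, is allowed
```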
Question44:
A healthcare organization uses AWS Lambda to process sensitive patient information. Security requirements mandate that Lambda functions be invoked only through approved API Gateway endpoints, direct invocation by internal personnel or other services must be blocked, and all invocation events must be auditable. Which solution best satisfies these requirements?
A) Allow all IAM users to invoke Lambda functions and rely on logging for monitoring.
B) Attach resource-based policies to Lambda functions allowing invocation only from approved API Gateway principals and enable CloudTrail logging for all invocations.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.
Answer:
B
Explanation:
Option A permits unrestricted invocation, violating least-privilege principles and regulatory requirements. Logging alone is insufficient for preventive controls. Option C, storing secrets in environment variables, does not prevent unauthorized invocation and exposes sensitive information. Option D relies on API key secrecy, which can be circumvented if keys are mishandled or shared.
Option B enforces least-privilege access by attaching resource-based policies that restrict invocation to approved API Gateway endpoints. CloudTrail logging provides a comprehensive audit trail, capturing successful and failed invocations, enabling compliance reporting, forensic investigation, and real-time monitoring. This combination of preventive, detective, and corrective controls ensures secure invocation paths, prevents internal bypass, and meets regulatory requirements for sensitive healthcare data. Option B aligns with AWS best practices for serverless security and regulatory compliance.
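The two policy mechanisms this set relies on, the Question 41 SCP that denies s3:PutObject unless the approved customer-managed KMS key is supplied and the Question 44 Lambda resource-based policy that admits only an approved API Gateway source, can be checked against sample requests with the following added example. It is not code from the original page or from AWS: the ARNs are placeholders, the `APP_ROLE` identity policy is assumed, and the evaluator is a deliberately minimal model of IAM's condition logic (explicit Deny wins, a missing key satisfies negated operators).

```python
# Added example, not code from the page or from AWS: a minimal model of IAM Condition
# evaluation applied to two policies from this page: the Question 41 SCP (deny
# s3:PutObject unless the approved customer-managed KMS key id is given) and the
# Question 44 Lambda resource policy (allow invocation only from one API Gateway API).
# Only the operators these policies need are modelled; all ARNs are placeholders.
import fnmatch

CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"    # placeholder
API_ARN = "arn:aws:execute-api:us-east-1:111122223333:EXAMPLEAPI/*"   # placeholder

SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
       "Condition": {"StringNotEquals": {
           "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN}}}]}
# Identity policy of an approved application role: SCPs only filter, they never grant.
APP_ROLE = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
# Lambda resource policy. In the same account an identity policy that grants
# lambda:InvokeFunction would also allow a call, so personnel roles must not carry one.
LAMBDA_POLICY = {"Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                 "Principal": {"Service": "apigateway.amazonaws.com"}, "Resource": "*",
                 "Condition": {"ArnLike": {"aws:SourceArn": API_ARN}}}]}


def condition_holds(condition, context):
    """True when every clause matches. A key missing from the context fails StringEquals
    and ArnLike but satisfies StringNotEquals (IAM's negated-operator rule), so the SCP
    also denies uploads that send no KMS key id at all."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringNotEquals" and actual == wanted:
                return False
            if operator == "ArnLike" and not (actual and fnmatch.fnmatchcase(actual, wanted)):
                return False
    return True


def evaluate(policies, action, context):
    """Explicit Deny wins; otherwise a matching Allow is required (implicit deny)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Action"] != action or not condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"
            allowed = True
    return "ALLOW" if allowed else "DENY"
```

The request context passed to `evaluate` stands in for the headers S3 or Lambda would expose as condition keys; a direct `Invoke` call by a person carries no `aws:SourceArn`, which is what the Lambda policy relies on.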
Question45:
A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements mandate least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?
A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access using CloudTrail.
C) Hard-code credentials in application code on EC2 instances and review access logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.
Answer:
B
Explanation:
Option A is insecure because environment variables can be exposed through logs, misconfigurations, or insider actions. Manual rotation increases operational overhead and introduces human error. Option C, hard-coding credentials in application code, is insecure and difficult to rotate, violating best practices. Option D relies on long-lived IAM user credentials, which are difficult to manage, rotate, or audit, increasing operational and security risk.
Option B provides a fully automated and secure solution. Parameter Store SecureString parameters store secrets securely, IAM roles enforce least-privilege access, automated rotation reduces credential exposure risk, and CloudTrail provides centralised logging and auditability. This integrated approach satisfies preventive, detective, and corrective security requirements while ensuring operational efficiency and regulatory compliance. Option B aligns with AWS security best practices for secure, centralised credential management.
Risks of Using Environment Variables
Option A suggests storing API keys in environment variables and rotating them manually. While this approach is common in simple setups, it carries multiple security and operational risks. Environment variables can be inadvertently exposed through system logs, monitoring tools, or misconfigured services. For example, if an application crashes and outputs environment variables to logs, sensitive secrets could be captured in plain text. Insider threats also pose a concern, as anyone with access to the instance could retrieve secrets from memory or process listings. Manual rotation, though better than static credentials, is prone to human error and inconsistencies. Administrators may forget to rotate keys on schedule or may not update all affected instances, leaving some secrets active beyond their intended lifespan. These risks can lead to unauthorized access, data breaches, or non-compliance with regulatory frameworks requiring automated and auditable secret management.
Insecurity of Hard-Coding Credentials
Option C, which involves embedding credentials directly in application code, is widely recognized as a poor practice. Hard-coded credentials are exposed whenever code is shared, committed to source control, or deployed to multiple environments. This approach makes rotation extremely difficult, as every instance of the application containing the credentials must be updated and redeployed. Additionally, it creates a maintenance burden: if a secret is compromised, every version of the application that contains the credentials must be addressed. Hard-coded secrets also bypass AWS’s centralised identity and access management controls, making it difficult to enforce least privilege, monitor usage, or revoke access quickly. From both a security and operational standpoint, this method introduces significant vulnerabilities.
Challenges with Long-Lived IAM User Credentials
Option D proposes using long-lived IAM user credentials for each EC2 instance. While IAM users are designed for human access, using them for automated processes or instances creates multiple issues. Long-lived credentials are difficult to rotate, increasing the likelihood of compromise over time. Unlike IAM roles, IAM user credentials are tied to a single entity, making auditing more complex. Each compromised credential can provide unrestricted access until manually revoked. Managing hundreds or thousands of EC2 instances with long-lived credentials quickly becomes operationally unmanageable. This approach also violates the principle of least privilege, as IAM user credentials may have broader permissions than necessary for a specific EC2 workload, increasing the risk of accidental or malicious misuse.
Advantages of Using Parameter Store SecureString Parameters
Option B offers the most secure and operationally efficient solution. AWS Systems Manager Parameter Store allows secrets to be stored as SecureString parameters, which are encrypted using AWS KMS. This ensures that sensitive information is protected at rest and during transit. By assigning IAM roles to EC2 instances, access can be tightly controlled so that only the intended instances or applications can retrieve specific secrets. This approach enforces the principle of least privilege and reduces the risk of credential misuse.
Automated Rotation and Risk Reduction
Parameter Store supports automated rotation of secrets, which significantly reduces the exposure window of credentials. Automated rotation ensures that even if a secret is compromised, the impact is limited to a short time frame before the secret is updated. This eliminates reliance on manual processes, reducing human error and operational burden. Rotation can also be integrated with AWS Lambda functions to ensure seamless updates for applications consuming the secrets, further enhancing security without disrupting operations.
Auditability and Compliance
CloudTrail logging provides detailed records of all interactions with Parameter Store, including who accessed secrets, when, and from which resource. This centralised logging supports both internal audits and compliance requirements, such as PCI DSS, HIPAA, or ISO 27001, which mandate strict access control, monitoring, and traceability for sensitive credentials. Security teams can use CloudTrail logs to detect unauthorised access attempts, investigate potential breaches, and demonstrate compliance to regulators.
Operational Efficiency
Option B is operationally efficient because it centralises secret management, removes the need for manual distribution or rotation of credentials, and provides seamless integration with EC2 instances through IAM roles. Administrators can manage secrets from a single location, reduce duplication, and maintain consistent security policies across environments. By decoupling secret storage from application code, updates and rotations can occur without redeploying applications, minimising downtime and deployment complexity.
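The CloudTrail-based detection described under Auditability and Compliance, as an added example that is not part of the original page: it scans constructed CloudTrail records for Parameter Store reads and flags denied attempts as well as decrypting reads by roles outside an assumed per-parameter allowlist. The role names, account id, parameter path and timestamps are constructed; the record fields follow the shape CloudTrail uses for SSM events.

```python
import json

# Parameter path -> IAM roles approved to read it decrypted. Constructed allowlist.
APPROVED_READERS = {"/prod/payments/api-key": {"PaymentsInstanceRole"}}
READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}


def _role_name(identity):
    """Role name from an assumed-role STS ARN; other identity ARNs are returned whole."""
    arn = identity.get("arn", "")
    return arn.split(":assumed-role/")[1].split("/")[0] if ":assumed-role/" in arn else arn


def _parameter_names(req):
    """GetParameter sends 'name', GetParameters 'names', GetParametersByPath 'path'."""
    return req.get("names") or [req.get("name") or req.get("path") or "?"]


def review_ssm_events(json_lines):
    """Return (reason, role, parameter, time) findings: AccessDenied reads of any
    parameter, and decrypting reads of a monitored parameter by a non-allowlisted role."""
    findings = []
    for line in json_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") not in READ_EVENTS:
            continue
        role, req = _role_name(ev.get("userIdentity", {})), ev.get("requestParameters") or {}
        for name in _parameter_names(req):
            if ev.get("errorCode") == "AccessDenied":
                findings.append(("denied-read", role, name, ev["eventTime"]))
            elif req.get("withDecryption") and name in APPROVED_READERS \
                    and role not in APPROVED_READERS[name]:
                findings.append(("unapproved-decrypt", role, name, ev["eventTime"]))
    return findings


SAMPLE_LOG = [json.dumps(e) for e in [  # constructed records in CloudTrail's SSM shape
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/PaymentsInstanceRole/i-0abc123"},
     "requestParameters": {"name": "/prod/payments/api-key", "withDecryption": True}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/DeveloperRole/alice"},
     "requestParameters": {"name": "/prod/payments/api-key", "withDecryption": True},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/BuildRole/codebuild"},
     "requestParameters": {"names": ["/prod/payments/api-key"], "withDecryption": True}},
]]
```

Running `review_ssm_events(SAMPLE_LOG)` yields two findings: the denied read by DeveloperRole and the successful decrypting read by BuildRole, while the approved instance role's read is silent.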