Amazon AWS Certified Security — Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 7 Q91-105

Question91:

A global enterprise plans to migrate critical customer financial data to Amazon S3 across multiple AWS accounts and regions. Security requirements include enforcement of encryption using customer-managed KMS keys, prevention of unencrypted uploads, least-privilege access for IAM roles, automated remediation of non-compliant objects, and centralised audit logging. Which solution best satisfies these requirements?

A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption.
B) Use AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the specified customer-managed KMS key is used, enforce bucket policies granting access only to authorized IAM roles, configure EventBridge rules to detect unencrypted objects and trigger automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted objects temporarily and encrypt them manually later.
D) Rely solely on developer discipline and periodic audits.

Answer:
B

Explanation:

Option A, default SSE-S3 encryption, encrypts every object at rest, but with keys that Amazon S3 owns and manages. SSE-S3 cannot satisfy a requirement for customer-managed KMS keys: there is no key policy to scope which roles may use the key, no way to disable or revoke it, and no per-key CloudTrail record of who used it to encrypt or decrypt data. Leaving it to developers to add the SSE-KMS headers on every upload makes the control depend on human discipline, so some objects will end up encrypted only with SSE-S3 or under the wrong key. Nothing in this option detects such objects, remediates them, or consolidates audit logs across accounts and regions, so it offers neither preventive, detective nor corrective controls for the stated requirements.

Option B covers each requirement with a specific control. A Service Control Policy attached at the organisation root or OU denies s3:PutObject unless the request specifies the designated customer-managed KMS key (the s3:x-amz-server-side-encryption-aws-kms-key-id condition key), so the rule holds in every member account and region and cannot be overridden by an account administrator. Two practical caveats: SCPs do not apply to the management account, which should therefore hold no data, and an SCP only denies, so the key policy must still grant the uploading roles kms:GenerateDataKey or uploads will fail. Bucket policies restrict access to the authorised IAM roles, implementing least privilege at the resource. For detection, enable S3 event notifications to EventBridge on the buckets; the Object Created event does not carry the object's encryption state, so the rule should invoke a remediation function that calls HeadObject, compares SSEKMSKeyId with the approved key and, when it differs, copies the object in place under the correct key, moves it to a quarantine bucket, or raises an alert. CloudTrail provides the central audit trail once an organisation trail delivers to the audit account and data events are enabled for the S3 buckets: object-level operations such as PutObject and GetObject are data events and are not recorded by a management-events-only trail. Together these are preventive (SCP, bucket policy), detective (EventBridge, CloudTrail) and corrective (automated remediation) controls.

Option C, temporarily storing unencrypted objects and encrypting them manually later, introduces unnecessary exposure during the interim period and is prone to operational error. Manual processes do not scale well in multi-account, multi-region environments and cannot ensure consistent compliance. Option D, relying solely on developer discipline and periodic audits, is insufficient for enterprise-scale environments where human error, oversight, or malicious actions can lead to security incidents. Audits cannot prevent real-time violations, leaving critical data at risk.

Option B is the only approach that ensures consistent enforcement, automated remediation, least-privilege access, and centralised auditing, making it the optimal choice for secure, compliant, and operationally efficient enterprise S3 deployments.

Question92:

A healthcare organization stores sensitive patient electronic health records in Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised audit logging for all database operations and configuration changes. Which solution best satisfies these requirements?

A) Enable RDS encryption using AWS-managed keys, grant developers full access, and enable SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging for all operations and configuration changes.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.

Answer:
B

Explanation:

Option A is only partially correct. Encryption with the AWS managed key (aws/rds) protects data at rest and TLS protects it in transit, but granting developers full access violates least privilege for data that HIPAA requires to be tightly controlled. The AWS managed key is also a poor fit for the requirement: its use is recorded in CloudTrail, but you cannot edit its key policy, share it with another account, disable it, or control its rotation schedule. The option includes no credential rotation, so any database password stays valid until someone changes it by hand, and no centralised audit trail.

Option B addresses every requirement. A customer-managed KMS key gives you a key policy you control, optional automatic rotation, the ability to disable the key, and a CloudTrail entry for each use. TLS is enforced at the engine (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL and MariaDB) rather than left to client configuration. IAM database authentication, available for the MySQL, MariaDB and PostgreSQL engines, lets application roles connect with short-lived tokens (valid for 15 minutes and only usable over TLS) instead of a stored password. The master user and any remaining password-based accounts are kept in AWS Secrets Manager with rotation enabled, so long-lived static credentials disappear. Be precise about what CloudTrail records: it logs the RDS API calls that change configuration (ModifyDBInstance, DeleteDBInstance, parameter group changes and so on) and KMS key usage, but not SQL statements. Database operations are captured by the engine's audit log (pgaudit for PostgreSQL, the MariaDB Audit Plugin for MySQL and MariaDB) published to CloudWatch Logs, and both sources can be forwarded to a central logging account. The combination gives preventive (encryption, IAM access control, enforced TLS), detective (CloudTrail and engine audit logs) and corrective (automated rotation) controls.

Option C, storing credentials in environment variables, exposes sensitive information and lacks automated rotation or centralised logging. Default encryption alone does not enforce least-privilege access or provide auditability. Option D, relying on point-in-time recovery and manual log review, is reactive, labour-intensive, and insufficient for proactive security and regulatory compliance.

Option B is the only solution that meets all security, operational, and compliance requirements, providing secure, auditable, and efficiently managed access to sensitive healthcare data in Amazon RDS.

Question93:

A financial organisation needs to store highly sensitive transactional data in Amazon S3 with strict requirements for immutability during a defined retention period, prevention of accidental deletion, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?

A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging for all object operations.
C) Maintain separate backups in S3 and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.

Answer:
B

Explanation:

Option A enables S3 versioning, allowing the restoration of previous object versions. However, versioning does not prevent deletion or modification by privileged users, leaving the system vulnerable to insider threats or accidental deletions. Reliance on developers to enforce policies increases the risk of human error, which could result in non-compliance or data loss. Versioning alone does not meet regulatory requirements for immutability or auditable operations.

Option B is the correct solution. S3 Object Lock requires versioning and provides WORM protection; in compliance mode an object version cannot be overwritten or deleted and its retention cannot be shortened until the retention period expires, by any user, including the account root user. This distinguishes it from governance mode, which a principal holding s3:BypassGovernanceRetention can override. Set a default retention on the bucket so that every new object is locked without relying on the uploader to send retention headers, and remember that retention applies only to objects written after Object Lock is configured. Bucket policies then limit who can write objects, extend retention, apply legal holds or delete versions once they expire, which is what mitigates the insider threat. CloudTrail records object-level operations, including refused deletion attempts, provided data events are enabled for the bucket; deliver the trail to a separate audit account with log file validation enabled so that the audit trail is itself tamper-evident. Option B has no automated corrective step, and none is needed for the immutability requirement: the preventive controls (Object Lock, bucket policies) make the violation impossible rather than remediable, and CloudTrail supplies the detective control.

Option C, relying on separate backups and manual tracking, is reactive, error-prone, and operationally intensive. Manual processes cannot consistently prevent deletions or guarantee compliance. Option D, using SSE-S3 encryption with manual access management, ensures confidentiality but does not enforce immutability or provide audit logging, leaving critical gaps in security and compliance.

Option B is the only option that makes the data immutable for the retention period, restricts who can act on it, and records every attempt, covering accidental and malicious deletion alike.

Question94:

A healthcare organisation processes sensitive patient information using AWS Lambda. Security requirements dictate that Lambda functions can only be invoked through approved API Gateway endpoints, direct invocation by internal staff or other services must be blocked, and all invocations must be auditable. Which solution best satisfies these requirements?

A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions, allowing invocation only from approved API Gateway principals and enabling CloudTrail logging.
C) Store invocation secrets in environment variables and distribute them to developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.

Answer:
B

Explanation:

Option A allows unrestricted invocation and relies solely on logging, which does not prevent unauthorised access. Option C, storing secrets in environment variables, exposes sensitive information and provides no access control, leaving Lambda functions vulnerable. Option D, relying on API keys, depends on secrecy and developer discipline, which is prone to accidental leaks, sharing, or mismanagement, making it unsuitable for sensitive healthcare workloads.

Option B uses the function's resource-based policy to allow lambda:InvokeFunction for the apigateway.amazonaws.com service principal. The policy must pin the caller with aws:SourceArn set to the approved API's execute-api ARN (and aws:SourceAccount to the account); without those conditions any API Gateway API in any AWS account could invoke the function, a classic confused-deputy problem. Two caveats matter in practice. First, a resource-based policy only grants access: within the same account, an IAM principal whose identity policy allows lambda:InvokeFunction on this function can still invoke it directly, so blocking internal staff also requires that their identity policies not grant Invoke (or an SCP that denies it except to the approved principals). Second, Lambda Invoke calls are CloudTrail data events and are recorded only when data event logging is enabled for the function; management events alone show configuration changes, not invocations. With those in place the solution provides a preventive control (the scoped resource policy) and a detective one (CloudTrail), and an authorizer on the API Gateway method decides who may reach the endpoint itself.

Question95:

A company operates multiple Amazon EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated rotation of secrets, and auditable access logs. Which solution best satisfies these requirements?

A) Store API keys in environment variables and rotate them manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in EC2 applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.

Answer:
B

Explanation:

Option A exposes credentials in environment variables and relies on manual rotation, increasing the risk of leaks and operational overhead. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing the likelihood of compromise.

Option B is the best of the four, with one correction to how it is implemented. SecureString parameters are encrypted with a KMS key, and the instance profile role can be limited to ssm:GetParameter on a specific parameter path plus kms:Decrypt scoped with kms:ViaService to Parameter Store, so an instance can read only its own secrets. Parameter Store has no built-in rotation: the rotation must be implemented, for example with a scheduled Lambda function that generates a new key, updates the backend and writes a new parameter version (a parameter policy on the advanced tier can also emit an expiration notification to trigger it); AWS Secrets Manager is the service with native rotation if that is preferred. On the instance side, require IMDSv2 so that role credentials cannot be read through a simple SSRF. CloudTrail records each GetParameter call with the calling role, which gives the auditable access log.

Question96:

A multinational financial organisation is deploying Amazon S3 to store critical customer data. Security requirements include mandatory encryption using customer-managed KMS keys, prevention of unauthorised access, automated remediation of non-compliant uploads, and centralised auditing across multiple accounts and regions. Which solution best meets these requirements?

A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce encryption.
B) Implement AWS Organizations Service Control Policies (SCPs) to deny S3 PutObject requests unless the designated customer-managed KMS key is used, apply bucket policies granting access only to authorised IAM roles, configure EventBridge rules for automated remediation, and consolidate CloudTrail logs into a centralised audit account.
C) Store unencrypted data temporarily and encrypt manually later.
D) Rely entirely on developer discipline and periodic audits.

Answer:
B

Explanation:

Option A, default SSE-S3 encryption, encrypts data at rest automatically but with S3-managed keys, so it cannot mandate the customer-managed KMS key the requirement asks for and offers none of that key's benefits: a key policy you control, the ability to disable the key, and per-key CloudTrail usage records. Whether an object ends up under the right key is left to developer discipline, and nothing in this option detects or remediates a non-compliant object or centralises audit logs across accounts and regions. For a financial institution that needs preventive, detective and corrective controls over sensitive data, that is not enough.

Option B integrates preventive, detective and corrective controls across the organisation. An SCP denies s3:PutObject unless the request names the designated customer-managed KMS key, and because it is evaluated in every member account (though not the management account) it cannot be bypassed by an account administrator; the key's policy must in turn grant the uploading roles kms:GenerateDataKey, because an SCP never grants anything. Bucket policies limit access to the authorised IAM roles. EventBridge receives Object Created events from buckets that have EventBridge notifications enabled and routes them to a remediation function; because the event itself does not say how the object is encrypted, the function checks with HeadObject and then re-encrypts under the correct key, moves the object to a quarantine bucket, or notifies an operator. An organisation trail delivering to the audit account centralises CloudTrail, with S3 data events enabled so that object-level calls are recorded at all. The result is a single source of truth for audit and forensics and a control set that prevents, detects and corrects non-compliance.

Option C, temporarily storing unencrypted data and manually encrypting it later, is reactive and error-prone. It exposes sensitive data during the interim period, significantly increasing the likelihood of security incidents. Manual processes cannot scale effectively across multiple accounts and regions, and they fail to guarantee compliance consistently. Option D, relying solely on developer discipline and periodic audits, is similarly insufficient. Human error, oversight, or malicious behaviour can lead to the upload of unencrypted or misconfigured objects. Audits, while useful for detection after the fact, do not provide preventive controls and cannot remediate issues in real time, leaving critical data vulnerable.

Question97:

A healthcare company is migrating sensitive patient records to Amazon RDS. Security requirements include encryption at rest and in transit, strict identity-based access control, automated credential rotation, and centralised auditing for all database operations and configuration changes. Which solution satisfies these requirements?

A) Enable RDS encryption with AWS-managed keys, grant developers full access, and use SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS, implement IAM database authentication, rotate credentials using AWS Secrets Manager, and enable CloudTrail logging.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.

Answer:
B

Explanation:

Option A provides limited security. The AWS managed key and TLS cover encryption at rest and in transit, but full developer access breaches least privilege; the AWS managed key cannot have its key policy edited, be disabled or be shared across accounts (its usage is logged, but you do not control it); there is no credential rotation; and there is no centralised audit. A HIPAA-regulated workload needs all of these.

Option B is comprehensive. Customer-managed KMS keys give controllable key policies, rotation and CloudTrail usage records. TLS enforced by the engine parameter (rds.force_ssl or require_secure_transport) protects data in transit regardless of client settings. IAM database authentication replaces stored passwords with 15-minute tokens for application roles, and Secrets Manager rotates the master user password and any remaining password accounts automatically. CloudTrail centralises the audit of configuration changes (the RDS and KMS API calls); SQL-level activity is captured by the engine audit log exported to CloudWatch Logs and forwarded alongside it. Data is encrypted, access is identity-based and least-privilege, credentials rotate without manual work, and every change is auditable.

Option C, storing credentials in environment variables, exposes sensitive information and lacks automated rotation and centralised logging. Option D, relying on point-in-time recovery and manual log review, is reactive and operationally intensive, providing insufficient preventive controls for sensitive healthcare data.

Option B is the optimal solution for protecting sensitive patient records in RDS, combining encryption, identity-based access control, automated credential management, and centralised auditing to meet enterprise-scale security and compliance standards effectively.

Question98:

A financial organisation requires S3 storage for highly sensitive transactional data with strict requirements for immutability, deletion prevention, insider threat mitigation, and auditability. Which solution satisfies these requirements?

A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.

Answer:
B

Explanation:

Option A, enabling versioning, allows recovery of previous object versions but does not prevent deletions or modifications by administrators or malicious insiders. Relying on developers to enforce deletion policies introduces significant operational risk and human error. Versioning alone does not satisfy regulatory requirements for immutable storage or comprehensive auditing, which are critical for sensitive financial data.

Option B uses S3 Object Lock in compliance mode for WORM protection: a locked version cannot be deleted or overwritten and its retention cannot be shortened until it expires, not even by the root user, which is what removes the insider threat (governance mode, by contrast, can be bypassed with s3:BypassGovernanceRetention). Versioning is required, and a bucket default retention ensures new objects are locked on write. Bucket policies restrict who may write, who may extend retention or apply legal holds, and who may delete expired versions. CloudTrail, with S3 data events enabled and delivered to an audit account with log file validation, records every object operation and every refused deletion. The preventive (Object Lock, bucket policies) and detective (CloudTrail) controls cover the requirement; audit review is the remaining corrective activity, and it operates on a record that cannot be altered.

Option C, maintaining separate backups and manually tracking deletions, is reactive, labour-intensive, and error-prone. Manual processes cannot guarantee compliance or timely detection of unauthorised deletions. Option D, using SSE-S3 encryption with manual access management, ensures confidentiality but does not enforce immutability or provide centralised audit capabilities, leaving critical gaps in compliance and security.

Option B is the only solution that fully addresses immutability, deletion prevention, insider threat mitigation, and auditing, making it the best choice for secure, compliant, and operationally efficient storage of sensitive financial transactions.
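
One concrete form of Option B from Questions 93 and 98 (and Question 103, which asks the same thing), as an added CloudFormation example that is not code from the original page: it creates the versioned, Object-Locked bucket with a seven-year compliance-mode default retention, SSE-KMS default encryption, and a bucket policy that confines writes to one ingest role and lock changes or expired-version deletes to one records-administration role. The role ARNs and KMS key ARN are template parameters and are assumptions; the seven-year period is a placeholder for whatever the regulator requires.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "WORM bucket for transaction records: versioning, compliance-mode Object Lock, SSE-KMS, restricted bucket policy (added example)",
  "Parameters": {
    "IngestRoleArn": { "Type": "String", "Description": "Only role allowed to write objects" },
    "RecordsAdminRoleArn": { "Type": "String", "Description": "Only role allowed to extend retention, set legal holds or delete expired versions" },
    "KmsKeyArn": { "Type": "String", "Description": "Customer-managed KMS key used for SSE-KMS" }
  },
  "Resources": {
    "LedgerBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "ObjectLockEnabled": true,
        "ObjectLockConfiguration": {
          "ObjectLockEnabled": "Enabled",
          "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Years": 7 } }
        },
        "VersioningConfiguration": { "Status": "Enabled" },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": { "Ref": "KmsKeyArn" } },
              "BucketKeyEnabled": true
            }
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        }
      }
    },
    "LedgerBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "LedgerBucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyInsecureTransport",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:*",
              "Resource": [ { "Fn::GetAtt": [ "LedgerBucket", "Arn" ] }, { "Fn::Sub": "${LedgerBucket.Arn}/*" } ],
              "Condition": { "Bool": { "aws:SecureTransport": "false" } }
            },
            {
              "Sid": "OnlyIngestRoleWrites",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "${LedgerBucket.Arn}/*" },
              "Condition": { "ArnNotEquals": { "aws:PrincipalArn": { "Ref": "IngestRoleArn" } } }
            },
            {
              "Sid": "OnlyRecordsAdminChangesLocksOrDeletesExpiredVersions",
              "Effect": "Deny",
              "Principal": "*",
              "Action": [
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:PutBucketObjectLockConfiguration",
                "s3:DeleteObjectVersion"
              ],
              "Resource": [ { "Fn::GetAtt": [ "LedgerBucket", "Arn" ] }, { "Fn::Sub": "${LedgerBucket.Arn}/*" } ],
              "Condition": { "ArnNotEquals": { "aws:PrincipalArn": { "Ref": "RecordsAdminRoleArn" } } }
            }
          ]
        }
      }
    }
  }
}
```

Deploy it in a test account first: compliance-mode retention cannot be shortened once an object is written, so a wrong value locks test data for the full period. The ingest role must not send explicit retention headers (the default retention applies and s3:PutObjectRetention is denied to it); s3:DeleteObject is left allowed because it only adds a delete marker and removes no data, while s3:DeleteObjectVersion, the call that removes an expired version, is confined to the records administrator. The template does not enable CloudTrail data events for the bucket; add that on the organisation trail so the refused deletions are recorded.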

Question99:

A healthcare company uses AWS Lambda to process sensitive patient data. Security policies require Lambda functions to be invoked only through approved API Gateway endpoints, and all invocations must be auditable. Which solution satisfies these requirements?

A) Allow all IAM users to invoke Lambda and rely on logging.
B) Attach resource-based policies to Lambda allowing invocation only from approved API Gateway principals and enable CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda with API keys and rely on developers not to share them.

Answer:
B

Explanation:

Option A allows unrestricted Lambda invocation and relies only on logging, which does not prevent unauthorized access. This approach fails to meet preventive security requirements and does not satisfy compliance needs for sensitive healthcare data. Option C, storing invocation secrets in environment variables, exposes sensitive credentials and provides no controlled access, leaving functions vulnerable. Option D relies on secrecy and developer discipline, which is error-prone and does not guarantee security or auditability.

Option B allows invocation only for the apigateway.amazonaws.com principal, with aws:SourceArn pinned to the approved API's execute-api ARN and aws:SourceAccount to the account; without the source conditions any API Gateway API in any account could call the function. Because a resource policy grants rather than denies, direct invocation by same-account principals remains possible if their identity policies allow lambda:InvokeFunction, so those policies (or an SCP) must withhold it. Lambda Invoke is a CloudTrail data event and must be enabled explicitly for the function; once it is, every invocation, successful or denied, appears in the trail. This gives the preventive and detective controls the policy calls for, in line with AWS guidance for Lambda and for healthcare data.
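
The resource-based policy that Option B of Questions 94 and 99 describes, written out as an added example that is not from the original page. The account ID, region, function name and API ID are placeholders; this is the statement that aws lambda add-permission writes when it is given --principal, --source-arn and --source-account.

```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "InvokeOnlyFromApprovedRecordsApi",
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:process-patient-record",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "111122223333" },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/POST/records"
        }
      }
    }
  ]
}
```

The source ARN has the form api-id/stage/METHOD/resource-path; a wildcard such as a1b2c3d4e5/*/*/* admits every stage and method of that one API, while omitting the condition altogether would admit any API Gateway API in any account. Because this policy only allows, it does not by itself stop a same-account IAM principal that holds lambda:InvokeFunction in its identity policy, so review those policies (or deny Invoke on this function in an SCP for all but the approved principals), and turn on CloudTrail data events for the function so that invocations, not only configuration changes, are logged.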

Question100:

A company operates multiple EC2 instances accessing sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable logs. Which solution satisfies these requirements?

A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.

Answer:
B

Explanation:

Option A exposes credentials in environment variables and relies on manual rotation, which increases the risk of leaks and operational overhead. Option C, hard-coding credentials, creates long-lived exposure and complicates rotation and auditing. Option D, using long-lived IAM user credentials, is difficult to rotate, audit, or manage securely, increasing exposure risk.

Option B provides a secure, automated and auditable design, with the caveat that Parameter Store itself does not rotate parameters: the rotation is built with a scheduled Lambda function (or triggered by a parameter expiration policy on the advanced tier), or Secrets Manager is used where native rotation is required. SecureString parameters are encrypted under a KMS key; the instance profile role is limited to ssm:GetParameter on the service's parameter path and kms:Decrypt via Parameter Store only, and has no write permission on the parameters. Enforce IMDSv2 on the instances so that role credentials cannot be stolen through SSRF. CloudTrail records every GetParameter call with the calling role and source address, giving the required audit trail.
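
The instance profile policy behind Option B of Questions 95 and 100, as an added example that is not from the original page. The parameter path /payments-api/prod/, the account, the region and the KMS key ARN are placeholders; the policy assumes the SecureString parameters were created with that customer-managed key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnServiceParametersOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/payments-api/prod/*"
    },
    {
      "Sid": "DecryptOnlyThroughParameterStore",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": { "kms:ViaService": "ssm.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

The kms:ViaService condition means the instance can decrypt ciphertext only when Parameter Store makes the call on its behalf (GetParameter with WithDecryption), not by calling KMS directly on an exfiltrated blob. The role deliberately has no ssm:PutParameter: the rotation function that writes new versions runs under its own role with PutParameter and kms:Encrypt on the same path. Pair the policy with IMDSv2 on the instances (aws ec2 modify-instance-metadata-options --http-tokens required) so that the role credentials cannot be fetched with a single unauthenticated request.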

Question101:

An enterprise organisation is designing a multi-region Amazon S3 architecture to store highly sensitive intellectual property. Security requirements include encryption at rest using customer-managed KMS keys, prevention of accidental or unauthorised deletions, enforcement of least-privilege access, real-time detection of policy violations, automated remediation, and centralised audit logging. Which solution best meets these requirements?

A) Enable default SSE-S3 encryption on all buckets and rely on developers to enforce KMS key usage.
B) Use S3 Object Lock in compliance mode for all buckets, implement SCPs to enforce KMS key usage, configure EventBridge for automated remediation of non-compliant objects, enforce bucket policies granting access only to authorised IAM roles, and consolidate CloudTrail logs into a centralised audit account.
C) Encrypt objects manually after upload and rely on developers to monitor compliance.
D) Rely on versioning and manual audit reviews by administrators.

Answer:
B

Explanation:

Option A, default SSE-S3 encryption, encrypts at rest with S3-managed keys and so cannot mandate the customer-managed KMS key across accounts and regions; it also does nothing to prevent deletion, detect violations, remediate them or centralise audit logs. It is simple to enable and insufficient for every other requirement in the question.

Option B combines preventive, detective and corrective controls. S3 Object Lock in compliance mode (which requires versioning) makes each object version immutable for its retention period: no principal, including root, can delete or overwrite it or shorten the retention, which addresses both accidental and insider deletion. The setting is deliberately irreversible, so validate retention periods in a test bucket first; a mistaken multi-year retention cannot be undone. An SCP denies s3:PutObject unless the request specifies the designated customer-managed KMS key; a multi-region key, with its replicas listed in the SCP, lets the same control work in every region. EventBridge rules on Object Created events invoke a remediation function that checks the object's encryption with HeadObject and re-encrypts it under the correct key or moves it to a quarantine bucket. Note the interaction with Object Lock: a locked version cannot be replaced, so remediating a mis-keyed object writes a new version and the non-compliant version remains until it expires, which is a strong argument for making the SCP airtight before any data arrives. Bucket policies grant access only to the authorised IAM roles. An organisation trail with S3 data events enabled, delivered to the central audit account, records object operations, refused deletions and remediation actions in one place. Preventive (SCP, Object Lock, bucket policies), detective (EventBridge, CloudTrail) and corrective (automated remediation) controls are thus all present.

Option C, manually encrypting objects after upload and relying on developers to monitor compliance, introduces significant operational risk. Sensitive data may remain unencrypted for extended periods, exposing it to potential compromise. Manual enforcement and monitoring are inefficient at scale, particularly in multi-region deployments, and are prone to human error. This approach also lacks automated audit logging and real-time detection of violations, making it unsuitable for enterprise environments that require strict security and compliance measures.

Option D, relying solely on versioning and manual audit reviews, is reactive and labour-intensive. Versioning can recover deleted objects, but it does not prevent deletion or modification by privileged users, and it cannot enforce KMS key usage. Manual audit reviews are time-consuming, prone to oversight, and cannot provide the real-time detection and automated remediation needed for sensitive enterprise data. This option fails to address preventive controls and leaves significant gaps in security, compliance, and operational efficiency.

Option B is the only approach that ensures encryption compliance, access control, immutability, automated remediation, real-time detection, and centralised auditing, meeting the rigorous requirements of enterprise security for multi-region S3 deployments. It provides a holistic solution covering preventive, detective, and corrective controls while minimising human error, reducing operational overhead, and ensuring full regulatory compliance.
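
The SCP at the centre of Option B in Questions 91, 96 and 101, written out as an added example that is not from the original page. The key ARNs, account ID and regions are placeholders, and the second ARN assumes a multi-region key whose replica lives in eu-west-1; for a single-region deployment list one ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectsThatAreNotSseKms",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
        }
      }
    },
    {
      "Sid": "DenyObjectsNotUnderTheApprovedKey",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": [
            "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
            "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
          ]
        }
      }
    }
  ]
}
```

The first statement refuses any upload that names no SSE-KMS key at all (an object written with SSE-S3, or with no encryption header, has no key ID in the request context); the second refuses every key other than the approved ones, since StringNotEquals with a list matches when the value equals none of the entries. Attach it to the OU that holds the data accounts, remembering that it has no effect in the management account. Before enforcing, test an upload that omits the header and relies on bucket default encryption, and confirm the key policy grants the uploading roles kms:GenerateDataKey, because an SCP denies and never grants. Neither statement touches objects that already exist, which is why the EventBridge remediation path is still needed.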

Question102:

A healthcare organisation is migrating sensitive patient records to Amazon RDS. Security requirements include encryption at rest and in transit, identity-based access control, automated credential rotation, and centralised auditing of all database operations and configuration changes. Which solution best satisfies these requirements?

A) Enable RDS encryption using AWS-managed keys, grant developers full access, and use SSL/TLS connections.
B) Use customer-managed KMS keys for RDS encryption, enforce SSL/TLS connections, implement IAM database authentication, rotate credentials automatically using AWS Secrets Manager, and enable CloudTrail logging.
C) Store database credentials in environment variables and rely on default encryption.
D) Enable point-in-time recovery and manually review logs periodically.

Answer:
B

Explanation:

Option A provides basic encryption with AWS-managed keys and SSL/TLS for data in transit. However, granting developers full access violates the principle of least privilege and increases the risk of unauthorised access or accidental misuse. AWS-managed keys cannot provide detailed audit trails, and without automated credential rotation, credentials can remain valid indefinitely, creating security vulnerabilities. Centralised auditing is not implemented, reducing visibility and regulatory compliance. While simple, this approach is inadequate for enterprise-scale healthcare environments with strict regulatory obligations such as HIPAA.

Option B provides a comprehensive security framework. Customer-managed KMS keys encrypt RDS data at rest with full control over key usage, rotation, and auditability. SSL/TLS ensures secure communication, protecting data in transit from interception or tampering. IAM database authentication eliminates static credentials, enforcing identity-based access and least-privilege principles. AWS Secrets Manager automates credential rotation, reducing the operational burden and minimising the risk of credential compromise. CloudTrail logging captures all database operations and configuration changes, enabling centralised auditing, monitoring, and forensic investigations. Option B integrates preventive, detective, and corrective controls to ensure that sensitive patient data is encrypted, accessed only by authorised personnel, and auditable, with credentials rotated automatically, fully meeting enterprise security and compliance requirements.

Option C, storing credentials in environment variables, exposes sensitive information and lacks automated rotation and centralised auditing. Option D, relying on point-in-time recovery and manual log reviews, is reactive and inefficient, failing to provide preventive controls and automated compliance monitoring.

Only Option B ensures encryption compliance, least-privilege access, automated credential management, and centralised auditing for enterprise-scale RDS deployments, making it the optimal choice for healthcare organisations managing sensitive patient data.

Question103:

A financial organisation requires Amazon S3 storage for highly sensitive transactional data. Security requirements include immutability during a defined retention period, prevention of accidental or malicious deletions, mitigation of insider threats, and comprehensive audit logging. Which solution best satisfies these requirements?

A) Enable S3 versioning and rely on developers to prevent deletion.
B) Use S3 Object Lock in compliance mode, enforce bucket policies restricting access, and enable CloudTrail logging.
C) Maintain separate backups and manually track deletions.
D) Encrypt objects using SSE-S3 and allow developers to manage access manually.

Answer:
B

Explanation:

Option A, enabling versioning, allows recovery of deleted or modified objects, but it does not prevent deletion or modification by privileged users. Relying on developers to enforce deletion policies introduces operational risk and human error. Versioning alone does not provide immutability guarantees or comprehensive audit logging, which are critical for sensitive financial data requiring regulatory compliance.

Option B provides enterprise-grade security for highly sensitive transactional data. S3 Object Lock in compliance mode ensures write-once-read-many (WORM) immutability, preventing deletion or modification of objects during the defined retention period, even by administrators. Bucket policies enforce least-privilege access, mitigating insider threats and unauthorised access. CloudTrail logging captures all object-level operations, including attempted deletions or modifications, providing centralised, immutable audit trails for compliance and forensic investigations. This solution integrates preventive, detective, and corrective measures, addressing immutability, access control, insider threat mitigation, and centralised auditing.

Option C, maintaining separate backups and manually tracking deletions, is reactive and operationally intensive. Manual processes cannot guarantee timely detection or prevention of unauthorised actions and do not provide centralised auditing. Option D, using SSE-S3 encryption with manual access management, ensures confidentiality but does not enforce immutability or centralised auditability, leaving critical gaps in security and compliance.

Only Option B provides comprehensive preventive, detective, and corrective controls for secure, immutable, auditable storage of highly sensitive financial transactions.

Question104:

A healthcare organisation processes sensitive patient data using AWS Lambda. Security policies require that Lambda functions be invoked only through approved API Gateway endpoints, with centralised auditing of all invocations. Which solution best satisfies these requirements?

A) Allow all IAM users to invoke Lambda functions and rely on logging.
B) Attach resource-based policies to Lambda functions, allowing invocation only from approved API Gateway principals and enabling CloudTrail logging.
C) Store invocation secrets in environment variables for developers.
D) Protect Lambda functions with API keys and rely on developers not to share them.

Answer:
B

Explanation:

Option A allows unrestricted Lambda invocation and relies solely on logging, which does not provide preventive controls. Unauthorised access may occur before detection, creating potential compliance violations and exposure of sensitive healthcare data. Option C exposes sensitive secrets and provides no controlled access, increasing security risk. Option D relies on API key secrecy, which is prone to accidental sharing or misuse, making it unreliable for sensitive workloads.

Option B enforces preventive access control through resource-based policies, restricting Lambda invocation to approved API Gateway principals. Unauthorised attempts are automatically blocked. CloudTrail logs all invocation events, providing centralised auditing, monitoring, and forensic capabilities. This solution integrates preventive, detective, and corrective controls, ensuring compliance with security policies and healthcare regulations while protecting sensitive patient data.
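The check below is an added example for Question 104 and is not code from the original explanation or from AWS. It audits a Lambda function's resource-based policy (the document that `aws lambda get-policy` returns) for statements that allow `lambda:InvokeFunction` without being pinned to an approved API Gateway source ARN, and it also builds the statement that `aws lambda add-permission --principal apigateway.amazonaws.com --source-arn ...` would produce. The function ARN, account number and API ID are assumptions.

```python
"""Audit a Lambda resource-based policy for invoke statements not scoped to an
approved API Gateway endpoint. Added example; the ARNs below are constructed."""
import json
from fnmatch import fnmatchcase

# Assumed values: not from any real account.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:process-records"
APPROVED_SOURCE_ARNS = [
    "arn:aws:execute-api:us-east-1:111122223333:abcdef1234/*/POST/records",
]


def build_api_gateway_statement(sid, function_arn, source_arn):
    """Statement equivalent to what `aws lambda add-permission` creates with
    --principal apigateway.amazonaws.com --source-arn <source_arn>."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_invoke(stmt):
    # Action may be a string or list and may use wildcards ("lambda:*", "*").
    return any(fnmatchcase("lambda:InvokeFunction", a) for a in _as_list(stmt.get("Action", [])))


def _source_arns(stmt):
    """Collect AWS:SourceArn values from ArnLike / ArnEquals conditions."""
    arns = []
    for op in ("ArnLike", "ArnEquals"):
        for key, val in stmt.get("Condition", {}).get(op, {}).items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(val))
    return arns


def find_unscoped_invoke_statements(policy, approved_source_arns):
    """Return Sids of Allow statements that let the function be invoked without
    being restricted to the API Gateway principal AND an approved source ARN.
    A statement's SourceArn may be narrower than an approved pattern, never wider."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    flagged = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_invoke(stmt):
            continue
        principal = stmt.get("Principal")
        is_apigw = isinstance(principal, dict) and \
            "apigateway.amazonaws.com" in _as_list(principal.get("Service", []))
        arns = _source_arns(stmt)
        scoped = is_apigw and bool(arns) and all(
            any(fnmatchcase(arn, approved) for approved in approved_source_arns)
            for arn in arns)
        if not scoped:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Constructed sample policy: one correct statement and two that are too broad.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        build_api_gateway_statement("AllowApprovedApi", FUNCTION_ARN, APPROVED_SOURCE_ARNS[0]),
        {   # any principal may invoke, no source condition at all
            "Sid": "AnyPrincipal", "Effect": "Allow", "Principal": "*",
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {   # API Gateway principal, but every API in the account qualifies
            "Sid": "AnyApi", "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:*", "Resource": FUNCTION_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn":
                                      "arn:aws:execute-api:us-east-1:111122223333:*"}}},
    ],
})

if __name__ == "__main__":
    print(find_unscoped_invoke_statements(SAMPLE_POLICY, APPROVED_SOURCE_ARNS))  # ['AnyPrincipal', 'AnyApi']
```

Run it periodically against the output of `get-policy` for each sensitive function; any Sid it reports is a statement where an unapproved caller could invoke the function before CloudTrail ever shows the attempt.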

Question105:

A company operates multiple EC2 instances that access sensitive internal APIs. Security requirements include least-privilege access, centralised credential management, automated secret rotation, and auditable access logs. Which solution best satisfies these requirements?

A) Store API keys in environment variables and rotate manually.
B) Use AWS Systems Manager Parameter Store with SecureString parameters, assign IAM roles to EC2 instances to retrieve secrets, enable automated rotation, and monitor access with CloudTrail.
C) Hard-code credentials in applications and review logs weekly.
D) Use long-lived IAM user credentials for each EC2 instance.

Answer:
B

Explanation:

Option A exposes credentials in environment variables and relies on manual rotation, increasing the risk of compromise and operational complexity. Option C, hard-coding credentials, introduces long-lived static secrets that are difficult to rotate, audit, and manage securely. Option D relies on long-lived IAM user credentials, which cannot be rotated easily and increase exposure risk.

Option B provides a secure, automated, and auditable solution. Parameter Store SecureString parameters encrypt credentials and enforce access control. IAM roles assigned to EC2 instances ensure least-privilege access, allowing only authorised instances to retrieve secrets. Automated rotation reduces exposure risk and operational burden. CloudTrail logging provides centralised auditing, monitoring, and forensic capabilities. By integrating preventive, detective, and corrective controls, Option B ensures secure, auditable, and operationally efficient access to sensitive APIs from EC2 instances, meeting enterprise security and compliance requirements.

Inherent Risks of Using Environment Variables

Option A, which involves storing API keys in environment variables and relying on manual rotation, presents several significant risks in cloud environments. Environment variables, while convenient for runtime access by applications, are inherently exposed to the operating system. Any process or user with access to the EC2 instance can potentially view environment variables, which increases the attack surface. Additionally, system logs, debugging outputs, or crash reports may inadvertently capture these variables, leading to unintentional disclosure of sensitive credentials. Manual rotation of environment variables is operationally challenging and prone to human error. In large-scale deployments with hundreds or thousands of instances, administrators must carefully coordinate rotations to ensure all instances are updated simultaneously. Failure to rotate credentials promptly leaves them valid for longer than intended, increasing the window of exposure. Moreover, reliance on manual rotation makes it difficult to demonstrate consistent security practices, which is particularly problematic in regulated environments that require auditability and compliance.

Challenges of Hard-Coded Credentials in Applications

Option C, which involves embedding credentials directly into EC2 applications, introduces even greater security and operational risks. Hard-coded credentials are essentially static, long-lived secrets. They remain in the deployed application until modified and redeployed, which makes rotation slow, error-prone, and operationally intensive. Hard-coded credentials may also be exposed through source control systems, shared deployment artefacts, or backups. This exposure increases the likelihood of unauthorised access, especially in environments with multiple developers or operational teams. Hard-coded secrets bypass centralised access controls and auditing mechanisms, making it difficult to enforce least-privilege policies and track access. Organisations may struggle to demonstrate secure handling of credentials during audits, leading to non-compliance with regulatory standards such as PCI DSS, HIPAA, or ISO 27001. Operationally, managing hard-coded credentials across multiple applications and environments creates complexity and reduces agility, as any change to credentials requires a full code update and redeployment cycle.

Limitations of Long-Lived IAM User Credentials

Option D, which relies on long-lived IAM user credentials for each EC2 instance, also introduces operational and security challenges. IAM users are intended primarily for human access, not for automated workloads. Using long-lived credentials for EC2 instances increases exposure risk, as compromised credentials remain valid until manually rotated or revoked. Managing large numbers of long-lived credentials across multiple instances is complex, and the potential for misconfiguration is high. Auditing becomes challenging because all activity performed using the IAM user is associated with a single identity, making it difficult to trace actions to specific instances or workloads. This approach violates the principle of least privilege and increases the operational burden, as administrators must manually monitor, rotate, and revoke credentials while ensuring that applications continue functioning seamlessly.

Advantages of Using Parameter Store SecureString Parameters

Option B provides a secure, automated, and auditable solution for managing API credentials on EC2 instances. AWS Systems Manager Parameter Store supports SecureString parameters, which encrypt sensitive data using AWS Key Management Service (KMS). Encryption ensures that credentials are protected both at rest and in transit, preventing unauthorised access. SecureString parameters can be tightly controlled using IAM policies, allowing administrators to define which roles, users, or instances have permission to retrieve the credentials. Centralised storage of secrets eliminates the need to distribute credentials manually across multiple instances, reducing the risk of leakage and improving operational efficiency.

Role-Based Access via IAM Roles

Assigning IAM roles to EC2 instances is a key component of Option B. IAM roles provide dynamic, role-based access to credentials, ensuring that only authorised instances can retrieve SecureString parameters. This approach enforces least-privilege access, preventing accidental or intentional misuse of credentials. Roles can be updated or revoked centrally, providing administrators with flexibility and control without requiring redeployment of applications. This approach significantly reduces human error, streamlines access management, and ensures that credentials are only accessible to workloads with a legitimate need.

Automated Rotation Enhances Security Posture

Automated rotation of SecureString parameters further strengthens security. By automatically rotating credentials at regular intervals, exposure time for compromised secrets is minimised. Applications can dynamically retrieve updated credentials at runtime without downtime or manual intervention. This automation eliminates operational errors associated with manual rotation and ensures that credentials are always current, reducing the risk of long-lived exposure. Automated rotation also enhances compliance by ensuring that security best practices are consistently applied across all EC2 instances and workloads.
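The following is an added example for the SecureString, IAM role and rotation points of Question 105; it is not AWS or boto3 code. It shows how an application on an EC2 instance can hold a decrypted parameter for a bounded time, pick up a rotated value without a restart, and refresh early when the downstream API rejects the cached credential. The fetch callable is injected so the sample runs offline; on an instance you would pass `boto3.client("ssm").get_parameter`, which is signed with the attached instance role's credentials. The parameter name, versions and `FakeSsm` stand-in are constructed.

```python
"""Rotation-aware retrieval of a SecureString parameter. Added example; the
fetch function is injected (e.g. boto3.client("ssm").get_parameter)."""
import time


class SecretCache:
    """Caches decrypted parameter values for a bounded TTL, so rotated values
    are picked up automatically, and supports a forced refresh when the API
    that consumes the credential rejects it."""

    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch      # fetch(Name=..., WithDecryption=True) -> {"Parameter": {...}}
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}         # name -> (value, version, expires_at)

    def get(self, name, force_refresh=False):
        """Return (value, version); re-fetch when expired or forced."""
        entry = self._cache.get(name)
        if entry and not force_refresh and self._clock() < entry[2]:
            return entry[0], entry[1]
        param = self._fetch(Name=name, WithDecryption=True)["Parameter"]
        entry = (param["Value"], param["Version"], self._clock() + self._ttl)
        self._cache[name] = entry
        return entry[0], entry[1]

    def call_with_secret(self, name, request):
        """request(secret) returns True on success, False if the API rejected
        the credential. A rejection triggers one refresh and one retry, which
        is what makes rotation transparent to the workload."""
        value, _ = self.get(name)
        if request(value):
            return True
        value, _ = self.get(name, force_refresh=True)
        return request(value)


class FakeSsm:
    """Constructed stand-in for the SSM client: returns the current version."""

    def __init__(self):
        self.version = 1
        self.calls = 0

    def get_parameter(self, Name, WithDecryption):
        self.calls += 1
        return {"Parameter": {"Name": Name, "Type": "SecureString",
                              "Value": f"key-v{self.version}", "Version": self.version}}


def demo():
    """Walk through a rotation: cached read, rejection after rotation, refresh,
    and expiry-driven refresh. Returns the observed values and SSM call count."""
    ssm = FakeSsm()
    clock = [0.0]
    cache = SecretCache(ssm.get_parameter, ttl_seconds=300, clock=lambda: clock[0])
    first = cache.get("/prod/api/key")          # fetched: ("key-v1", 1)
    cached = cache.get("/prod/api/key")         # served from cache, no SSM call
    ssm.version = 2                             # secret rotated upstream
    accepted = {"key-v2"}                       # the API now accepts only the new key
    ok = cache.call_with_secret("/prod/api/key", lambda s: s in accepted)
    clock[0] += 301                             # TTL elapsed
    after_ttl = cache.get("/prod/api/key")      # expired, fetched again
    return first, cached, ok, after_ttl, ssm.calls


if __name__ == "__main__":
    print(demo())  # (('key-v1', 1), ('key-v1', 1), True, ('key-v2', 2), 3)
```

Keep the TTL short relative to the rotation interval so that a compromised value is not honoured for long, and keep the forced-refresh path to a single retry so that a genuinely revoked credential cannot turn into a retry storm against Parameter Store.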

Centralised Auditing and Monitoring with CloudTrail

CloudTrail integration provides a centralised logging mechanism to track all interactions with Parameter Store. Every retrieval, modification, or rotation event is logged, including the principal accessing the credentials, the timestamp, and the resource accessed. Centralised auditing enables organisations to monitor for unauthorised access attempts, investigate anomalies, and respond to potential security incidents proactively. In regulated industries, CloudTrail logs provide verifiable evidence of secure handling and controlled access to sensitive credentials, supporting compliance with standards such as PCI DSS, HIPAA, and ISO 27001. Auditability is crucial for demonstrating accountability, detecting insider threats, and validating that preventive, detective, and corrective controls are effectively implemented.
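The detection logic below is an added example for the CloudTrail auditing point above; it is not AWS code. It reads records in the shape CloudTrail writes to S3 and asks the question a centralised audit should answer: which principal decrypted which SecureString parameter, and was that principal an approved instance role? IAM-user reads, reads by roles not approved for the parameter prefix, and denied attempts are all reported. The account, role names, parameter paths and the `APPROVED_READERS` policy are constructed.

```python
"""Detect unexpected SecureString reads in CloudTrail records. Added example;
all records and the approved-reader policy below are constructed."""
import json

SECRET_READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}

# Assumed policy: IAM roles allowed to decrypt parameters under each prefix.
APPROVED_READERS = {"/prod/api/": {"ApiClientRole"}}


def _principal(user_identity):
    """(type, name). For AssumedRole sessions the name is the role, taken from
    sessionContext.sessionIssuer, so every instance session maps to its role."""
    kind = user_identity.get("type", "Unknown")
    if kind == "AssumedRole":
        issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
        return kind, issuer.get("userName", "?")
    return kind, user_identity.get("userName") or user_identity.get("arn", "?")


def _requested_names(req):
    """Normalise the three read APIs to a list of parameter names or prefixes."""
    if "name" in req:
        return [req["name"]]
    if "names" in req:
        return list(req["names"])
    if "path" in req:
        return [req["path"].rstrip("/") + "/"]
    return []


def _approved_for(name):
    """Roles approved under every policy prefix overlapping the requested name;
    an unknown prefix yields the empty set, so any read of it is reported."""
    sets = [roles for prefix, roles in APPROVED_READERS.items()
            if name.startswith(prefix) or prefix.startswith(name)]
    return set.intersection(*sets) if sets else set()


def detect_suspicious_reads(records):
    """Return [(eventID, reason)] for decrypting reads that violate the policy."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") not in SECRET_READ_EVENTS:
            continue
        req = rec.get("requestParameters") or {}
        if not req.get("withDecryption"):
            continue  # plain String reads are out of scope here
        kind, name = _principal(rec.get("userIdentity", {}))
        for param in _requested_names(req):
            if rec.get("errorCode"):
                reason = f"denied decrypt attempt on {param} by {kind} {name} ({rec['errorCode']})"
            elif kind != "AssumedRole":
                reason = f"{kind} {name} decrypted {param}: expected an assumed instance role"
            elif name not in _approved_for(param):
                reason = f"role {name} decrypted {param} but is not approved for it"
            else:
                continue
            findings.append((rec.get("eventID"), reason))
    return findings


def _record(event_id, user_identity, event_name, request, error_code=None):
    rec = {"eventID": event_id, "eventSource": "ssm.amazonaws.com", "eventName": event_name,
           "eventTime": "2024-05-01T10:00:00Z", "userIdentity": user_identity,
           "requestParameters": request}
    if error_code:
        rec["errorCode"] = error_code
    return rec


# Constructed identities (account 111122223333 is a placeholder).
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ApiClientRole/i-0123456789abcdef0",
        "sessionContext": {"sessionIssuer": {"userName": "ApiClientRole"}}}
BUILD_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/BuildRole/codebuild",
              "sessionContext": {"sessionIssuer": {"userName": "BuildRole"}}}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"}

SAMPLE_TRAIL = json.dumps({"Records": [
    _record("evt-1", ROLE, "GetParameter", {"name": "/prod/api/key", "withDecryption": True}),
    _record("evt-2", ALICE, "GetParameter", {"name": "/prod/api/key", "withDecryption": True}),
    _record("evt-3", BUILD_ROLE, "GetParametersByPath", {"path": "/prod/api", "withDecryption": True}),
    _record("evt-4", BOB, "GetParameter", {"name": "/prod/api/key", "withDecryption": True}, "AccessDeniedException"),
    _record("evt-5", ROLE, "GetParameter", {"name": "/prod/api/endpoint", "withDecryption": False}),
]})


def load_records(trail_json):
    """Parse the {"Records": [...]} object CloudTrail delivers to S3."""
    return json.loads(trail_json)["Records"]


if __name__ == "__main__":
    for event_id, reason in detect_suspicious_reads(load_records(SAMPLE_TRAIL)):
        print(event_id, reason)   # evt-2, evt-3 and evt-4 are reported
```

Note that the denied attempt (evt-4) is reported even though the preventive control already blocked it: repeated denials against secret parameters are the signal an investigator wants, and this is exactly the evidence CloudTrail provides that the IAM role boundary is doing its job.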

Integration of Preventive, Detective, and Corrective Controls

Option B integrates multiple layers of security controls. Preventive controls are enforced via IAM roles and KMS encryption, blocking unauthorised access to credentials. Detective controls are implemented through CloudTrail logging, enabling real-time monitoring and anomaly detection. Corrective controls are supported because compromised credentials can be rotated immediately, and audit logs provide actionable information for incident investigation and remediation. This layered approach ensures comprehensive protection, accountability, and resilience, reducing risk across all phases of credential management.

Operational Efficiency and Scalability

Centralised management of credentials via Parameter Store enhances operational efficiency. Administrators can manage secrets from a single location, avoiding duplication and reducing administrative overhead. Updates, revocations, or rotations can be executed centrally without redeploying applications. EC2 instances can retrieve credentials dynamically at runtime, ensuring consistent and reliable access. This approach scales efficiently across large environments with hundreds or thousands of EC2 instances, supporting enterprise-level deployments while maintaining strict security and compliance standards.