AWS Certified Security - Specialty Practice Exam 2025: Latest Questions
Test your readiness for the AWS Certified Security - Specialty certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives.
2025 Updated: questions based on the latest exam objectives and content.
25 Questions: a focused practice exam to test your readiness.
Mixed Difficulty: questions range from easy to advanced levels.
Exam Simulation: experience questions similar to the real exam.
Practice Questions
25 practice questions for AWS Certified Security - Specialty
A security engineer needs to ensure that all Amazon S3 buckets in an AWS account cannot be made public, even if a bucket policy or ACL is accidentally configured to allow public access. What should the engineer implement?
A company wants to centrally manage and restrict permissions in multiple AWS accounts by using job functions. The company also wants users to sign in with corporate credentials and receive short-term AWS access. Which solution meets these requirements with the least operational overhead?
A security team needs to capture a history of configuration changes to security groups and be able to answer who made a change and when. Which AWS service provides this capability with minimal setup?
A company wants to ensure EBS volumes attached to Amazon EC2 instances are encrypted and that the encryption cannot be disabled by developers. Which approach best enforces this requirement?
A company stores application logs in CloudWatch Logs. The security team must prevent log deletion and modification for 1 year to support investigations, while still allowing near real-time search and analytics. Which solution best meets these requirements?
A company runs workloads in multiple AWS accounts using AWS Organizations. The security team wants to ensure that VPC flow logs are enabled for every VPC and that logs are delivered to a central logging account. The team wants new accounts and VPCs to be covered automatically. Which solution is most appropriate?
An application uses an IAM role to read a specific secret from AWS Secrets Manager. After a deployment, the application fails with AccessDenied when calling secretsmanager:GetSecretValue. The security engineer notices the secret was recently encrypted with a different customer managed KMS key. What is the MOST likely cause?
A company must ensure that no IAM policy in any account grants administrative access ("Action": "*" and "Resource": "*") unless explicitly approved. The company uses AWS Organizations and wants continuous enforcement with automated remediation. Which solution best meets these requirements?
A company wants to detect attempts to exfiltrate data from S3 by identifying unusual API patterns (for example, large spikes in GetObject from new locations). The security team also wants automated triage to snapshot relevant resources and preserve evidence. Which solution provides the BEST end-to-end approach?
A regulated workload runs on Amazon EKS. The company must ensure that pods cannot reach the public internet, but they must still be able to pull container images from Amazon ECR and send logs to CloudWatch. The cluster runs in private subnets. Which architecture meets these requirements with the strongest network controls?
A security engineer must ensure Amazon EBS snapshots used for disaster recovery are encrypted with a customer managed key (CMK) and that only the backup role can use the key. The engineer also needs to prevent accidental deletion or disabling of the key. Which solution meets these requirements?
An organization uses AWS Organizations with multiple accounts. They need to ensure that CloudTrail logs cannot be modified or deleted by administrators in member accounts, while still allowing centralized access for investigations. Which approach best meets these requirements?
A company wants to reduce the blast radius of IAM permissions for workloads running on Amazon EKS. The company wants pods to obtain AWS credentials without using node instance profiles and without storing static secrets. Which solution should the security engineer recommend?
A security team needs to detect and alert when any IAM principal in the account creates an access key. The team wants near real-time notifications and minimal operational overhead. Which solution meets these requirements?
A company uses Amazon S3 to store sensitive documents. They must ensure that objects cannot be made public, even if a developer accidentally applies a public bucket policy or ACL. Which solution provides the strongest preventative control?
A security engineer is investigating suspicious outbound connections from an EC2 instance in a private subnet. The engineer needs to identify the destination IP addresses and ports and correlate them with the instance’s network interface. Which logging configuration provides the MOST direct data for this investigation?
A company runs workloads in two AWS Regions. They need a centralized security posture view and automated aggregation of findings from multiple accounts, including AWS Config, Amazon GuardDuty, and Amazon Inspector. The company wants a single place to manage standards and send findings to a SIEM. Which solution should they implement?
A company wants to allow a third-party auditor to access specific resources in an AWS account for 8 hours. The company requires no long-term credentials for the auditor and wants to ensure the auditor cannot perform any actions outside a defined read-only scope. What is the BEST approach?
A company must ensure that data stored in Amazon S3 is encrypted with a specific customer managed KMS key and that uploads failing to use that key are rejected. The company also needs to ensure that even authorized IAM principals cannot upload unencrypted objects by mistake. Which configuration meets these requirements?
A security engineer needs to design an automated incident response for suspected credential exfiltration. When GuardDuty generates a high-severity finding indicating an IAM access key is being used from an anomalous location, the engineer must automatically contain the threat while minimizing disruption to other workloads. Which response is MOST appropriate?
A security team wants to ensure that only private certificate authorities (CAs) from an approved list can issue TLS certificates used by workloads in the company’s AWS accounts. The team wants preventive controls that block non-approved private CAs from being created. Which solution best meets these requirements?
A company uses Amazon S3 for a data lake. The security team must ensure that all PUT requests include server-side encryption with AWS KMS (SSE-KMS) and that requests using SSE-S3 or no encryption are rejected. What is the MOST effective way to enforce this requirement?
A company wants all inbound HTTPS traffic to an Application Load Balancer (ALB) to be inspected for common web exploits. The company does not want to manage custom infrastructure and needs the ability to create rules based on IP reputation lists and OWASP patterns. Which solution should a security engineer recommend?
A company is investigating a suspected credential compromise in one AWS account. The security team wants to search for API calls from unusual geolocations and determine which IAM principal used the calls. The solution must minimize operational overhead and provide near-real-time detection going forward. Which solution meets these requirements?
A company centralizes CloudTrail logs from 50 AWS accounts into a dedicated log archive account. The security team must ensure that logs cannot be modified or deleted for 7 years, even by administrators in the log archive account. The company also needs the ability to prove log integrity during audits. Which solution best meets these requirements?
AWS Certified Security - Specialty 2025 Practice Exam FAQs
AWS Certified Security - Specialty is a professional certification from Amazon Web Services (AWS) that validates expertise in AWS security technologies and concepts. The official exam code is SCS-C02.
The AWS Certified Security - Specialty Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by Amazon Web Services (AWS).
Yes, all questions in our 2025 AWS Certified Security - Specialty practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 AWS Certified Security - Specialty exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.