50 AWS Certified Security - Specialty Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the AWS Certified Security - Specialty certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation:
50 Questions: a comprehensive set of practice questions covering key exam topics.
All Domains Covered: questions distributed across all exam objectives and domains.
Mixed Difficulty: easy, medium, and hard questions to test all skill levels.
Detailed Explanations: learn from comprehensive explanations for each answer.
Practice Questions
50 practice questions for AWS Certified Security - Specialty
A security engineer needs to ensure that all new IAM users in an AWS account must use MFA before they can call any AWS API. Existing automation uses access keys. Which solution best enforces this requirement with the least operational overhead?
An application writes sensitive objects to an S3 bucket. Compliance requires that data at rest is encrypted using keys that the company manages, and that key usage is auditable. Which option meets the requirement with minimal application changes?
A company wants to detect and alert on anomalous API activity, such as unusual geolocations and high-risk actions, across multiple AWS accounts. Which AWS service is designed for this purpose with the least custom development?
A security team needs to centrally archive AWS CloudTrail logs from multiple accounts into an immutable storage location for long-term retention. The team must prevent deletion or alteration of the logs. Which approach best meets this requirement?
A company has an AWS Organizations multi-account setup. The security team wants to ensure S3 buckets in all member accounts cannot be made public (via ACLs or bucket policies), even by account administrators. What is the MOST effective control?
A security engineer must give a third-party auditor read-only access to specific CloudWatch Logs log groups and CloudTrail event history in a single account. The auditor must not be able to modify resources. Which solution is the MOST appropriate?
A company needs to monitor for potentially compromised EC2 instances by identifying outbound connections to known malicious IP addresses. VPC Flow Logs are enabled. Which solution provides the MOST direct managed detection capability?
A company must ensure that secrets used by applications (database passwords and API tokens) are rotated automatically and that rotation events are auditable. The applications run on Amazon ECS. Which solution best meets these requirements?
A company uses AWS Organizations with a dedicated log archive account. Security requires that member accounts send CloudTrail events to the log archive account, but member accounts must not be able to disable logging or delete delivered logs. Which design best satisfies these requirements?
A company uses an Application Load Balancer (ALB) in front of EC2 instances in private subnets. The security team needs to add TLS inspection for inbound traffic using a private CA and must ensure only strong TLS ciphers are allowed. The team also wants to minimize certificate distribution to instances. Which solution is best?
A security engineer needs to ensure that all IAM users in an AWS account use MFA. The solution must automatically identify noncompliant users and help enforce remediation. Which approach best meets these requirements?
A company wants to ensure that new Amazon EBS volumes are always encrypted and that unencrypted volume creation is prevented across all accounts in an AWS Organization. Which solution is the MOST effective?
A security team needs to centrally collect AWS CloudTrail logs from multiple accounts into a dedicated logging account. The solution must prevent member accounts from deleting or modifying the delivered logs. Which solution best meets these requirements?
An application running on Amazon ECS (Fargate) pulls images from Amazon ECR. The security team wants to ensure that tasks can only pull images from specific approved repositories and cannot access other AWS APIs. Which solution provides the LEAST privilege access for the tasks?
A company wants to detect potentially compromised EC2 instances that are making unexpected network connections. The security team needs visibility into both the instance process behavior and network activity, and wants managed findings with minimal custom code. Which approach best meets these requirements?
A company has an S3 bucket that contains sensitive reports. The security team wants to ensure that the reports can be accessed only through the company’s VPC using an S3 gateway endpoint, and that any access from the public internet is denied even if IAM permissions allow it. What should the team do?
A company must encrypt sensitive fields in application logs before storing them in Amazon CloudWatch Logs. The security team needs a solution that minimizes application code changes and uses AWS managed services. Which solution is best?
A security engineer is investigating suspicious API activity. They need to quickly identify which IAM principal called a specific API operation, from what source IP, and whether the call was made using temporary credentials. Which log source provides this information most directly?
A company wants to share a customer-managed KMS key in Account A with a role in Account B to encrypt and decrypt data in an S3 bucket in Account B. The security team attempted to allow the role in the key policy, but decrypt requests are still denied. Which combination of actions is required for cross-account KMS usage? (Choose the best answer.)
A company uses AWS Organizations and wants to ensure that no one can disable or delete security monitoring resources (GuardDuty, Security Hub, CloudTrail organization trail) in member accounts. The solution must work even if an administrator in a member account attempts the change. Which solution is MOST appropriate?
A security engineer needs to ensure that all CloudTrail logs for every AWS account in an organization are delivered to a central S3 bucket and cannot be modified or deleted by member accounts. Which solution meets these requirements with the LEAST operational overhead?
An application stores sensitive files in an S3 bucket. The security team wants to prevent accidental public exposure and ensure the bucket never allows public access, even if an ACL or bucket policy is misconfigured. Which control should be enabled?
A company uses AWS Organizations and wants to ensure that root user access keys are never created in any account. Which approach should the company use to enforce this across the organization?
An organization uses Amazon GuardDuty. The security team wants to automatically quarantine an EC2 instance when GuardDuty generates a high-severity finding indicating command-and-control activity. The quarantine must block all inbound and outbound traffic while preserving the instance for forensics. Which solution is MOST appropriate?
A company runs a private REST API in Amazon API Gateway. The API must be reachable only from specific VPCs in the organization by using interface VPC endpoints. What is the MOST effective way to restrict access to only those VPC endpoints?
A company wants to monitor AWS account activity for potential credential compromise. The security team needs alerts when an API call is made from an IP address not previously seen for a specific IAM user, and they want to minimize false positives from expected automation. Which approach is BEST?
A company must ensure that EBS volumes attached to EC2 instances are always encrypted with a customer managed key (CMK) and that unencrypted volumes cannot be created. The solution must apply to all accounts in an AWS Organization. Which solution meets these requirements?
An organization requires that all security logs stored in Amazon S3 are retained for 7 years and are immutable during the retention period, even for administrators. The organization also needs the ability to prove that log data has not been altered. Which solution BEST meets these requirements?
A company uses IAM roles for Amazon EC2. A forensics investigation shows that an attacker on one EC2 instance attempted to obtain credentials from the instance metadata service (IMDS). The security team wants to reduce this risk across all new and existing instances while minimizing application changes. Which action is MOST effective?
A security team needs to ensure that only compliant AWS resources can be deployed. The team wants to enforce guardrails such as ‘S3 buckets must have Block Public Access enabled’ and ‘EBS volumes must be encrypted’ BEFORE resources are created, across multiple accounts. Which solution BEST meets these requirements?
A company uses AWS Organizations with multiple accounts. Security wants to ensure that CloudTrail logs cannot be deleted or altered, even by administrators in member accounts. What is the MOST effective solution?
A security engineer wants to detect unauthorized API calls across all accounts and automatically open a ticket with key details (account, principal, source IP, API, time). Which approach is BEST?
A company must enforce that all Amazon S3 buckets in an account deny any request that is not encrypted in transit. What is the BEST way to implement this requirement?
A workload in a private subnet must call AWS Security Token Service (STS) without traversing the public internet. Which solution meets this requirement?
A company wants to ensure that only approved AMIs are used to launch EC2 instances across multiple accounts. The company uses AWS Organizations. What is the BEST approach?
An Amazon RDS for PostgreSQL database stores sensitive customer data. The security team wants to be alerted when a database snapshot is shared publicly or with an unapproved AWS account. Which solution is MOST appropriate?
A company uses Amazon CloudWatch Logs for application logs. Security requires that sensitive fields (for example, credit card numbers) are masked before logs are stored. The application code cannot be changed quickly. What is the BEST solution?
An application team is building an internal service on Amazon ECS that must call AWS APIs. Security wants to avoid long-term credentials and ensure that tasks can access only the required AWS resources. What should the team do?
A security engineer needs to provide end-to-end encryption for an application that stores objects in Amazon S3. The requirement states that AWS must not be able to decrypt the data, and the company wants to control the root key lifecycle outside AWS. What is the BEST option?
A company uses AWS Organizations and wants to ensure that any attempt to disable or delete GuardDuty in any member account is automatically reverted and investigated. The company also wants centralized visibility of these events. What is the BEST solution?
A company wants to ensure that S3 objects cannot be deleted or overwritten for 7 years to meet regulatory retention requirements. The company also wants the ability to prove the objects were not modified during the retention period. Which solution BEST meets these requirements?
A security engineer needs to detect if any IAM policy changes are made in an AWS account and send near-real-time notifications to an incident response channel. Which approach is MOST appropriate?
A company uses AWS Organizations with multiple accounts. Security leadership wants a single place to manage and delegate administration of security findings across accounts and regions with minimal operational overhead. Which service should the company use?
An organization wants to enforce that all new EBS volumes and RDS databases across all member accounts must be encrypted with AWS KMS keys, and noncompliant resources must be reported centrally. Which solution BEST meets these requirements?
A company runs a public API on Amazon API Gateway with Lambda integration. The security team wants to protect the API against common web exploits (for example, SQL injection patterns) and rate-based attacks, and they want centralized rule management across multiple APIs. Which solution should they implement?
A security engineer must allow an external auditor to read objects in a specific S3 bucket for 30 days. The auditor uses an AWS account controlled by the auditor’s company. The security engineer must ensure least privilege and avoid long-term credentials. Which solution is BEST?
A company stores sensitive data in Amazon S3. The security team wants to ensure that all data access is logged in a way that can be queried quickly for investigations, including the requester identity, source IP, and the exact S3 API action. Which logging approach should they use?
An organization uses AWS KMS customer managed keys (CMKs) to encrypt data in multiple services. A compliance requirement states that key administrators must not be able to decrypt data, and application roles must not be able to modify key policies or key settings. Which approach BEST satisfies this separation of duties requirement?
A company has strict requirements that container images must be scanned for vulnerabilities before deployment, and deployments must be blocked if critical vulnerabilities are found. The company uses Amazon ECR and Amazon ECS. Which solution provides the MOST robust preventive control with the least custom code?
A security team receives an alert that an EC2 instance might be compromised. They need to preserve forensic evidence while minimizing the risk of further data exfiltration. The instance is in a private subnet and uses an IAM role. What is the BEST immediate action?
AWS Certified Security - Specialty 50 Practice Questions FAQs
AWS Certified Security - Specialty is a professional certification from Amazon Web Services (AWS) that validates expertise in AWS security technologies and concepts. The official exam code is SCS-C02.
Our 50 AWS Security Specialty practice questions are a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes a detailed explanation to help you learn.
50 questions is a good starting point for AWS Security Specialty preparation. For more comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 AWS Security Specialty questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.