1. Which AWS service provides identity and access management for AWS resources?
A) Amazon Cognito
B) AWS IAM
C) AWS WAF
D) AWS GuardDuty
✅ Answer: B) AWS IAM
Explanation: AWS Identity and Access Management (IAM) allows you to manage permissions and control access to AWS services and resources securely.
2. What is the recommended way to provide temporary security credentials in AWS?
A) Hardcoding credentials in application code
B) Using AWS IAM users
C) Using AWS STS (Security Token Service)
D) Storing credentials in environment variables
✅ Answer: C) Using AWS STS (Security Token Service)
Explanation: AWS STS provides temporary, limited-privilege security credentials for users or applications to access AWS resources securely.
3. How can you enforce MFA (Multi-Factor Authentication) for AWS users?
A) Enable MFA in AWS IAM settings
B) Configure MFA through AWS Security Hub
C) Activate MFA in AWS Config
D) Use AWS Lambda to enforce MFA
✅ Answer: A) Enable MFA in AWS IAM settings
Explanation: AWS IAM allows you to configure MFA for users, adding an extra layer of security beyond passwords.
4. What AWS service helps detect unauthorized API calls and security anomalies?
A) AWS CloudTrail
B) AWS GuardDuty
C) AWS WAF
D) AWS Shield
✅ Answer: B) AWS GuardDuty
Explanation: AWS GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activity.
5. Which security practice should be avoided in AWS?
A) Using IAM roles for EC2 instances
B) Encrypting data at rest
C) Using long-term access keys in applications
D) Enabling AWS Security Hub
✅ Answer: C) Using long-term access keys in applications
Explanation: Long-term credentials should be avoided; instead, use IAM roles, AWS STS, or environment variables to manage access securely.
6. How can you protect sensitive data stored in Amazon S3?
A) Enable AWS WAF
B) Encrypt data using AWS KMS
C) Restrict public access using CloudFront
D) Disable logging on S3
✅ Answer: B) Encrypt data using AWS KMS
Explanation: AWS KMS (Key Management Service) allows you to encrypt and decrypt data, adding an additional layer of security for S3 storage.
7. What AWS service provides centralized logging and security analysis?
A) AWS CloudTrail
B) AWS Config
C) AWS Security Hub
D) AWS Inspector
✅ Answer: C) AWS Security Hub
Explanation: AWS Security Hub aggregates security findings from multiple AWS services and provides centralized security monitoring.
8. What is the recommended approach to managing permissions in AWS?
A) Assign full admin privileges to all users
B) Follow the principle of least privilege
C) Use the root user for daily tasks
D) Use a single IAM user for all AWS accounts
✅ Answer: B) Follow the principle of least privilege
Explanation: The principle of least privilege ensures that users and services have only the permissions they need to perform their tasks, reducing security risks.
9. Which AWS service is used to manage security groups for EC2 instances?
A) AWS IAM
B) AWS Shield
C) Amazon VPC
D) AWS WAF
✅ Answer: C) Amazon VPC
Explanation: Amazon VPC (Virtual Private Cloud) allows you to manage security groups and control inbound/outbound traffic for EC2 instances.
10. What is AWS Shield primarily used for?
A) Encrypting data in transit
B) Protecting against DDoS attacks
C) Managing access control policies
D) Detecting malware
✅ Answer: B) Protecting against DDoS attacks
Explanation: AWS Shield provides automatic protection against Distributed Denial-of-Service (DDoS) attacks.
11. How can you restrict access to AWS resources based on IP address?
A) Using AWS Shield
B) Configuring Security Groups
C) Applying IAM Policies with conditions
D) Enabling AWS Config
✅ Answer: C) Applying IAM Policies with conditions
Explanation: IAM policies can restrict access to AWS resources based on specific conditions, including IP address.
12. What should you do if the AWS root account credentials are compromised?
A) Immediately delete the AWS account
B) Change the IAM policies for all users
C) Delete the root account
D) Rotate the root account credentials and enable MFA
✅ Answer: D) Rotate the root account credentials and enable MFA
Explanation: If root account credentials are compromised, immediately rotate the credentials, enable MFA, and audit the account for unauthorized access.
13. What is the best way to audit AWS user activities?
A) AWS CloudTrail
B) AWS IAM
C) AWS Inspector
D) AWS WAF
✅ Answer: A) AWS CloudTrail
Explanation: AWS CloudTrail logs API activity, allowing administrators to monitor and audit AWS account activity.
14. What AWS service helps to automate security compliance checks?
A) AWS WAF
B) AWS Config
C) AWS Shield
D) AWS CloudTrail
✅ Answer: B) AWS Config
Explanation: AWS Config continuously monitors AWS resource configurations and checks for compliance violations.
15. What type of encryption does AWS KMS provide?
A) Asymmetric encryption only
B) Symmetric encryption only
C) Both symmetric and asymmetric encryption
D) No encryption support
✅ Answer: C) Both symmetric and asymmetric encryption
Explanation: AWS KMS supports both symmetric and asymmetric encryption for securing data.
16. Which AWS service can scan EC2 instances for vulnerabilities?
A) AWS WAF
B) AWS Inspector
C) AWS CloudTrail
D) AWS IAM
✅ Answer: B) AWS Inspector
Explanation: AWS Inspector automatically assesses EC2 instances for vulnerabilities and security best practices.
17. What should be disabled for an AWS root user for better security?
A) AWS CloudTrail
B) Root access keys
C) Security groups
D) IAM policies
✅ Answer: B) Root access keys
Explanation: Root access keys should never be used. Instead, create IAM users with least privilege.
18. What AWS feature enables private communication between services in different VPCs?
A) AWS Direct Connect
B) AWS VPC Peering
C) AWS Lambda
D) AWS VPN
✅ Answer: B) AWS VPC Peering
Explanation: VPC Peering allows private connectivity between two VPCs without using the public internet.
19. Which AWS service allows automatic key rotation for encryption?
A) AWS IAM
B) AWS KMS
C) AWS Shield
D) AWS Config
✅ Answer: B) AWS KMS
Explanation: AWS KMS allows automatic key rotation to enhance encryption security.
20. What should you do to prevent accidental data deletion in AWS S3?
A) Enable AWS Shield
B) Enable versioning and MFA delete
C) Use AWS WAF
D) Encrypt all files
✅ Answer: B) Enable versioning and MFA delete
Explanation: Enabling versioning and MFA delete in S3 prevents accidental or unauthorized data deletion.
21. What AWS service allows private access to AWS services without using the public internet?
A) AWS VPN
B) AWS Direct Connect
C) AWS PrivateLink
D) AWS VPC Peering
✅ Answer: C) AWS PrivateLink
Explanation: AWS PrivateLink enables private communication between AWS services and VPCs without exposing traffic to the internet.
22. How can you enforce encryption for all objects stored in an S3 bucket?
A) Enable Server-Side Encryption (SSE)
B) Use IAM policies
C) Configure AWS Shield
D) Enable AWS GuardDuty
✅ Answer: A) Enable Server-Side Encryption (SSE)
Explanation: AWS S3 allows Server-Side Encryption (SSE) to encrypt objects automatically upon storage.
23. Which AWS security service helps detect and block web application attacks?
A) AWS Shield
B) AWS WAF
C) AWS GuardDuty
D) AWS Inspector
✅ Answer: B) AWS WAF
Explanation: AWS Web Application Firewall (WAF) helps protect applications against SQL injection, XSS, and other web-based attacks.
24. What is a key security advantage of using AWS Lambda over traditional servers?
A) Automatically encrypts all data
B) Does not require patching and maintenance
C) Runs in a separate VPC by default
D) Provides root access to the OS
✅ Answer: B) Does not require patching and maintenance
Explanation: AWS Lambda is a serverless computing service, meaning AWS manages the infrastructure, including security patches.
25. What is the best way to secure an AWS API Gateway endpoint?
A) Use IAM authentication and API keys
B) Deploy the API publicly
C) Disable logging
D) Allow all incoming requests
✅ Answer: A) Use IAM authentication and API keys
Explanation: AWS API Gateway can be secured using IAM roles, API keys, and AWS Cognito authentication.
26. Which AWS service can detect compromised AWS access keys?
A) AWS IAM
B) AWS Config
C) AWS Security Hub
D) AWS GuardDuty
✅ Answer: D) AWS GuardDuty
Explanation: AWS GuardDuty uses machine learning and threat intelligence to detect compromised IAM credentials.
27. What is the main security risk of allowing inbound SSH access from 0.0.0.0/0 to an EC2 instance?
A) It may cause a network slowdown
B) It exposes the server to unauthorized access
C) It increases the AWS billing
D) It automatically enables root access
✅ Answer: B) It exposes the server to unauthorized access
Explanation: Allowing SSH access from any IP (0.0.0.0/0) increases the risk of brute-force attacks and unauthorized access.
28. Which of the following can be used to enforce IAM policies across multiple AWS accounts?
A) AWS Security Hub
B) AWS Organizations Service Control Policies (SCPs)
C) AWS CloudWatch Logs
D) AWS Shield
✅ Answer: B) AWS Organizations Service Control Policies (SCPs)
Explanation: SCPs allow centralized IAM policy enforcement across multiple AWS accounts within an AWS Organization.
29. What AWS service provides real-time monitoring of AWS resources and logs security-related activities?
A) AWS Config
B) AWS CloudTrail
C) AWS Inspector
D) AWS GuardDuty
✅ Answer: B) AWS CloudTrail
Explanation: AWS CloudTrail logs API activity across AWS services, allowing real-time monitoring and security analysis.
30. What is the recommended way to prevent unintended deletion of an AWS S3 bucket?
A) Enable versioning and MFA delete
B) Enable AWS WAF
C) Enable AWS Shield
D) Apply a security group
✅ Answer: A) Enable versioning and MFA delete
Explanation: MFA delete adds an additional authentication step before a bucket can be deleted, preventing accidental data loss.
31. How can you protect AWS credentials from being exposed in Git repositories?
A) Store credentials in a private Git repository
B) Use AWS Secrets Manager
C) Store credentials in IAM roles
D) Use AWS WAF
✅ Answer: B) Use AWS Secrets Manager
Explanation: AWS Secrets Manager securely stores API keys, passwords, and other credentials, preventing accidental exposure.
32. Which AWS service allows centralized management of firewall rules across multiple AWS accounts?
A) AWS WAF
B) AWS Shield Advanced
C) AWS Firewall Manager
D) AWS GuardDuty
✅ Answer: C) AWS Firewall Manager
Explanation: AWS Firewall Manager enables centralized management of firewall rules, making it easier to apply security policies across multiple accounts.
33. How can you prevent unauthorized access to EC2 instances using SSH?
A) Block all outbound traffic
B) Use IAM roles instead of SSH
C) Restrict SSH access using Security Groups
D) Disable SSH on EC2 instances
✅ Answer: C) Restrict SSH access using Security Groups
Explanation: Security Groups allow whitelisting specific IPs for SSH access, preventing unauthorized logins.
34. What AWS security feature helps detect and analyze unusual API activity?
A) AWS GuardDuty
B) AWS CloudTrail
C) AWS Config
D) AWS Inspector
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty analyzes AWS API activity to detect suspicious behavior such as compromised accounts or unusual access patterns.
35. What is the best way to securely share AWS credentials between multiple applications?
A) Use AWS Secrets Manager
B) Store credentials in an S3 bucket
C) Hardcode credentials in application code
D) Share IAM user passwords
✅ Answer: A) Use AWS Secrets Manager
Explanation: AWS Secrets Manager securely stores and manages credentials, ensuring they are not exposed in application code.
36. Which AWS service is used to centrally manage encryption keys across multiple AWS services?
A) AWS IAM
B) AWS KMS
C) AWS GuardDuty
D) AWS Shield
✅ Answer: B) AWS KMS
Explanation: AWS Key Management Service (KMS) is used to centrally manage and enforce encryption policies across AWS services.
37. What security feature helps prevent unauthorized use of AWS Lambda functions?
A) AWS WAF
B) AWS IAM execution roles
C) AWS Shield Advanced
D) AWS Security Hub
✅ Answer: B) AWS IAM execution roles
Explanation: IAM execution roles define the exact permissions Lambda functions require, preventing unauthorized operations.
38. What AWS service is best for scanning container images for security vulnerabilities?
A) AWS Shield
B) Amazon Inspector
C) AWS WAF
D) AWS GuardDuty
✅ Answer: B) Amazon Inspector
Explanation: Amazon Inspector scans container images and EC2 instances for known security vulnerabilities.
39. How can you prevent SQL injection attacks on an AWS-hosted web application?
A) Use AWS GuardDuty
B) Use AWS WAF with rule sets
C) Block inbound traffic to the application
D) Disable database logging
✅ Answer: B) Use AWS WAF with rule sets
Explanation: AWS WAF can filter malicious SQL queries, preventing SQL injection attacks.
40. Which AWS service allows defining security policies for multiple AWS accounts?
A) AWS Shield
B) AWS Organizations
C) AWS Config
D) AWS CloudTrail
✅ Answer: B) AWS Organizations
Explanation: AWS Organizations allows defining and enforcing security policies across multiple AWS accounts using Service Control Policies (SCPs).
41. What is the purpose of AWS Identity Federation?
A) To create IAM roles for applications
B) To allow users to access AWS using external authentication providers
C) To manage multiple AWS accounts
D) To enforce compliance across AWS environments
✅ Answer: B) To allow users to access AWS using external authentication providers
Explanation: AWS Identity Federation enables users to access AWS using external authentication providers like Google, Facebook, Active Directory, or SAML-based providers without creating separate AWS IAM users.
42. How can you restrict the regions where AWS resources can be deployed?
A) Using AWS Config rules
B) Using AWS Organizations Service Control Policies (SCPs)
C) By disabling unused AWS services
D) By modifying security groups
✅ Answer: B) Using AWS Organizations Service Control Policies (SCPs)
Explanation: SCPs allow administrators to enforce policies that restrict AWS resource creation to specific regions for security and compliance.
43. What AWS feature can be used to enforce strong password policies for IAM users?
A) AWS Config
B) AWS CloudTrail
C) IAM Password Policy
D) AWS GuardDuty
✅ Answer: C) IAM Password Policy
Explanation: AWS IAM allows setting password policies to enforce complexity requirements, expiration periods, and reuse restrictions.
44. How can you ensure EC2 instances comply with security best practices?
A) Manually reviewing EC2 settings
B) Using AWS Inspector
C) Relying on AWS IAM policies
D) Disabling logging on EC2 instances
✅ Answer: B) Using AWS Inspector
Explanation: AWS Inspector automatically assesses EC2 instances against security best practices, identifying vulnerabilities and compliance issues.
45. What is an important security measure when using AWS RDS?
A) Disable all encryption options
B) Use IAM roles for database authentication
C) Store database credentials in plain text
D) Allow public access to the database
✅ Answer: B) Use IAM roles for database authentication
Explanation: AWS RDS supports IAM authentication, which allows applications to connect to databases without storing passwords in configuration files.
46. Which AWS security service provides automated security assessments?
A) AWS Config
B) AWS Security Hub
C) AWS Inspector
D) AWS IAM
✅ Answer: C) AWS Inspector
Explanation: AWS Inspector performs automated security assessments to identify vulnerabilities in EC2 instances.
47. What is the best practice for managing AWS credentials in a CI/CD pipeline?
A) Hardcode credentials in the pipeline configuration
B) Use AWS IAM access keys in plaintext files
C) Store credentials in AWS Secrets Manager
D) Disable IAM authentication
✅ Answer: C) Store credentials in AWS Secrets Manager
Explanation: AWS Secrets Manager securely stores and rotates credentials, ensuring they are not exposed in the CI/CD pipeline.
48. How can you protect against accidental exposure of AWS S3 objects?
A) Disable bucket logging
B) Block public access to the bucket
C) Delete the bucket when not in use
D) Use AWS Inspector
✅ Answer: B) Block public access to the bucket
Explanation: AWS provides a Block Public Access setting to prevent accidental exposure of S3 objects to unauthorized users.
49. Which AWS service monitors API calls and provides security recommendations?
A) AWS Shield
B) AWS IAM
C) AWS Security Hub
D) AWS Trusted Advisor
✅ Answer: D) AWS Trusted Advisor
Explanation: AWS Trusted Advisor analyzes AWS account security, cost, and performance, providing recommendations to improve security posture.
50. How can you secure an AWS Lambda function’s environment variables?
A) Store them as plaintext in the function code
B) Encrypt them using AWS KMS
C) Store them in an S3 bucket
D) Disable logging for the Lambda function
✅ Answer: B) Encrypt them using AWS KMS
Explanation: AWS KMS (Key Management Service) allows secure encryption of Lambda environment variables, protecting sensitive data.
51. What AWS service can be used to securely store API keys for third-party integrations?
A) AWS Shield
B) AWS CloudWatch
C) AWS Secrets Manager
D) AWS IAM
✅ Answer: C) AWS Secrets Manager
Explanation: AWS Secrets Manager securely stores API keys, credentials, and other sensitive data, reducing the risk of accidental exposure.
52. What is the recommended way to control access to AWS resources at the network level?
A) Using IAM policies
B) Using security groups and NACLs
C) Storing credentials in plaintext
D) Allowing all incoming traffic
✅ Answer: B) Using security groups and NACLs
Explanation: Security Groups and Network ACLs (NACLs) control inbound and outbound network traffic at different levels within AWS VPC.
53. What AWS service provides centralized threat intelligence across AWS accounts?
A) AWS WAF
B) AWS Config
C) AWS Security Hub
D) AWS Inspector
✅ Answer: C) AWS Security Hub
Explanation: AWS Security Hub aggregates security findings from AWS services and third-party tools to provide centralized threat intelligence.
54. Which AWS feature ensures that users cannot assume IAM roles without MFA?
A) IAM Trust Policies
B) IAM Role Conditions
C) AWS Shield
D) AWS CloudTrail
✅ Answer: B) IAM Role Conditions
Explanation: IAM role conditions can enforce MFA requirements before allowing a user to assume a role.
55. What should you do if an IAM user’s access key is compromised?
A) Rotate the access key immediately
B) Enable public access to AWS resources
C) Increase permissions for the user
D) Remove all IAM policies
✅ Answer: A) Rotate the access key immediately
Explanation: If an access key is compromised, immediately deactivate and rotate the key to prevent unauthorized access.
56. What AWS security feature helps prevent brute-force attacks against AWS IAM users?
A) AWS GuardDuty
B) AWS WAF
C) AWS Config
D) AWS Shield
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty detects suspicious login attempts and brute-force attacks against AWS IAM users.
57. How can you enforce compliance with security policies in AWS?
A) Use AWS Config rules
B) Disable logging for compliance monitoring
C) Use AWS EC2 Auto Scaling
D) Delete IAM roles
✅ Answer: A) Use AWS Config rules
Explanation: AWS Config rules help ensure that AWS resources comply with security policies and best practices.
58. What AWS service provides private network connectivity between AWS and on-premises data centers?
A) AWS PrivateLink
B) AWS Direct Connect
C) AWS Lambda
D) AWS CloudTrail
✅ Answer: B) AWS Direct Connect
Explanation: AWS Direct Connect establishes a private network link between on-premises infrastructure and AWS.
59. How can you prevent unauthorized access to AWS CLI commands?
A) Use IAM policies with least privilege
B) Store AWS credentials in plain text
C) Share root credentials with developers
D) Use the same IAM user across multiple applications
✅ Answer: A) Use IAM policies with least privilege
Explanation: Applying least privilege IAM policies ensures users only have access to the CLI commands they need.
60. Which AWS service helps detect misconfigured security settings across AWS accounts?
A) AWS GuardDuty
B) AWS Config
C) AWS WAF
D) AWS CloudTrail
✅ Answer: B) AWS Config
Explanation: AWS Config continuously monitors and detects misconfigurations in AWS resources to maintain security compliance.
61. What AWS security service allows you to assess compliance with AWS security best practices?
A) AWS Config
B) AWS CloudTrail
C) AWS WAF
D) AWS Secrets Manager
✅ Answer: A) AWS Config
Explanation: AWS Config helps assess AWS resource configurations and compliance with security best practices.
62. How can you prevent unauthorized changes to IAM policies?
A) Enable AWS WAF
B) Enable AWS Shield
C) Use AWS Organizations Service Control Policies (SCPs)
D) Disable AWS Config
✅ Answer: C) Use AWS Organizations Service Control Policies (SCPs)
Explanation: SCPs allow organizations to enforce security policies and prevent unauthorized IAM policy modifications.
63. What is the recommended way to protect an AWS database from unauthorized access?
A) Store database credentials in the application code
B) Use IAM database authentication and security groups
C) Disable encryption on the database
D) Allow public access to the database
✅ Answer: B) Use IAM database authentication and security groups
Explanation: AWS IAM authentication and security groups ensure only authorized users and applications can access the database.
64. What AWS feature helps detect and prevent the execution of malicious scripts in AWS Lambda functions?
A) AWS WAF
B) AWS GuardDuty
C) AWS Security Hub
D) AWS IAM
✅ Answer: B) AWS GuardDuty
Explanation: AWS GuardDuty helps detect malicious activity and unauthorized behavior in AWS Lambda and other AWS services.
65. What is a key security advantage of using AWS Organizations?
A) Allows central management of AWS accounts and security policies
B) Provides detailed logging of all IAM activities
C) Automatically encrypts all data in S3 buckets
D) Prevents all unauthorized access to AWS accounts
✅ Answer: A) Allows central management of AWS accounts and security policies
Explanation: AWS Organizations enables centralized security management across multiple AWS accounts using SCPs and consolidated billing.
66. What AWS security service detects unauthorized activities based on AI and machine learning?
A) AWS WAF
B) AWS CloudTrail
C) AWS GuardDuty
D) AWS Inspector
✅ Answer: C) AWS GuardDuty
Explanation: AWS GuardDuty uses AI and machine learning to detect unauthorized activity and security threats.
67. How can you prevent data from being modified or deleted in AWS S3?
A) Enable AWS Shield
B) Use IAM roles
C) Enable Object Lock and Versioning
D) Allow full public access to S3
✅ Answer: C) Enable Object Lock and Versioning
Explanation: AWS S3 Object Lock and Versioning prevent accidental or unauthorized data modification or deletion.
68. What is the recommended way to manage large-scale AWS user permissions securely?
A) Assign users to IAM groups and roles
B) Use a single IAM user for all AWS accounts
C) Provide admin access to all users
D) Store IAM credentials in a shared document
✅ Answer: A) Assign users to IAM groups and roles
Explanation: IAM groups and roles help manage permissions efficiently while following the principle of least privilege.
69. How can you encrypt data in transit for an AWS application?
A) Enable SSL/TLS
B) Use AWS Lambda
C) Disable CloudTrail logging
D) Allow all inbound traffic in security groups
✅ Answer: A) Enable SSL/TLS
Explanation: Using SSL/TLS encryption ensures data is protected during transmission between AWS resources and clients.
70. Which AWS service helps prevent distributed denial-of-service (DDoS) attacks?
A) AWS Config
B) AWS CloudTrail
C) AWS WAF
D) AWS Shield
✅ Answer: D) AWS Shield
Explanation: AWS Shield provides automatic protection against DDoS attacks on AWS applications.
71. What is the best practice for managing AWS IAM roles across multiple accounts?
A) Create separate IAM roles for each account
B) Use AWS Organizations to manage IAM roles centrally
C) Assign full admin access to all users
D) Disable IAM logging
✅ Answer: B) Use AWS Organizations to manage IAM roles centrally
Explanation: AWS Organizations allows centralized role-based access management across multiple AWS accounts.
72. How can you restrict AWS access to specific times of the day?
A) Using IAM policies with time-based conditions
B) Using AWS Shield
C) Using AWS Config
D) Deleting user accounts after working hours
✅ Answer: A) Using IAM policies with time-based conditions
Explanation: AWS IAM policies can enforce access restrictions based on time-based conditions (e.g., business hours).
73. What AWS feature enables automatic key rotation for encryption?
A) AWS Secrets Manager
B) AWS IAM
C) AWS CloudTrail
D) AWS Config
✅ Answer: A) AWS Secrets Manager
Explanation: AWS Secrets Manager supports automatic key rotation to enhance security.
74. What AWS security best practice helps detect insider threats?
A) Disabling AWS Config
B) Monitoring AWS CloudTrail logs
C) Using public S3 buckets
D) Assigning all users full permissions
✅ Answer: B) Monitoring AWS CloudTrail logs
Explanation: AWS CloudTrail logs all API activities, helping detect unauthorized access or suspicious user behavior.
75. How can you enforce mandatory use of Multi-Factor Authentication (MFA) for AWS users?
A) By enforcing IAM policies with MFA conditions
B) By creating multiple IAM users for redundancy
C) By allowing all users to log in with just passwords
D) By disabling security group rules
✅ Answer: A) By enforcing IAM policies with MFA conditions
Explanation: IAM policies with MFA conditions ensure AWS users cannot log in without completing MFA.
76. What AWS service provides real-time visibility into AWS security posture?
A) AWS WAF
B) AWS Security Hub
C) AWS Secrets Manager
D) AWS IAM
✅ Answer: B) AWS Security Hub
Explanation: AWS Security Hub provides a centralized security view by aggregating findings from AWS security services.
77. How can you protect an AWS EC2 instance from brute-force attacks?
A) Use strong security group rules and limit SSH access
B) Enable AWS Shield
C) Disable CloudWatch monitoring
D) Allow unrestricted inbound SSH access
✅ Answer: A) Use strong security group rules and limit SSH access
Explanation: Limiting SSH access to specific IPs prevents brute-force attacks on EC2 instances.
78. Which AWS service helps detect sensitive data exposure in logs?
A) AWS Shield
B) Amazon Macie
C) AWS WAF
D) AWS CloudTrail
✅ Answer: B) Amazon Macie
Explanation: Amazon Macie uses AI/ML to detect sensitive data exposure in AWS logs and S3.
79. What AWS security feature ensures that AWS Lambda can only interact with specific resources?
A) Security groups
B) IAM execution roles
C) AWS Shield
D) AWS CloudWatch
✅ Answer: B) IAM execution roles
Explanation: IAM execution roles grant AWS Lambda access only to necessary AWS resources.
80. What is the best way to detect and respond to security incidents in AWS?
A) Enable AWS Security Hub and CloudTrail
B) Disable logging
C) Store security logs on a public S3 bucket
D) Ignore security alerts
✅ Answer: A) Enable AWS Security Hub and CloudTrail
Explanation: AWS Security Hub and CloudTrail help detect, analyze, and respond to security incidents.
81. What is the purpose of AWS Macie?
A) Protect EC2 instances from malware
B) Detect sensitive data in S3 buckets
C) Manage IAM permissions
D) Monitor AWS billing usage
✅ Answer: B) Detect sensitive data in S3 buckets
Explanation: AWS Macie uses machine learning to identify and protect sensitive data such as PII (Personally Identifiable Information) stored in S3.
82. What AWS feature prevents users from accidentally deleting important S3 objects?
A) AWS WAF
B) Object Lock and Versioning
C) Security Groups
D) AWS GuardDuty
✅ Answer: B) Object Lock and Versioning
Explanation: Object Lock and Versioning protect S3 objects from accidental deletion or overwrites by keeping previous versions.
83. What AWS service provides an automated compliance dashboard?
A) AWS Security Hub
B) AWS WAF
C) AWS Macie
D) AWS Config
✅ Answer: A) AWS Security Hub
Explanation: AWS Security Hub aggregates security findings and compliance checks across multiple AWS services into a single dashboard.
84. How can you prevent public access to AWS resources?
A) Use Security Groups and IAM policies
B) Delete all IAM roles
C) Disable encryption
D) Use AWS Marketplace
✅ Answer: A) Use Security Groups and IAM policies
Explanation: Security Groups and IAM policies help control access to AWS resources and prevent unintended public exposure.
85. What AWS service helps identify misconfigurations in AWS resources?
A) AWS WAF
B) AWS Config
C) AWS Shield
D) AWS IAM
✅ Answer: B) AWS Config
Explanation: AWS Config continuously monitors and reports misconfigurations in AWS resources.
86. What is a best practice for securing AWS credentials in an application?
A) Store credentials in IAM user policies
B) Hardcode credentials in the application
C) Use IAM roles and AWS Secrets Manager
D) Allow unrestricted access to the application
✅ Answer: C) Use IAM roles and AWS Secrets Manager
Explanation: IAM roles and AWS Secrets Manager securely manage credentials, preventing unauthorized access.
87. What is the best way to enforce security compliance in AWS organizations?
A) Use AWS Organizations and SCPs
B) Enable AWS WAF
C) Use a single IAM user for all accounts
D) Disable security logging
✅ Answer: A) Use AWS Organizations and SCPs
Explanation: AWS Organizations and Service Control Policies (SCPs) enforce security compliance across multiple AWS accounts.
88. Which AWS service helps detect unusual network activity in a VPC?
A) AWS WAF
B) Amazon VPC Flow Logs
C) AWS Shield
D) AWS KMS
✅ Answer: B) Amazon VPC Flow Logs
Explanation: VPC Flow Logs capture network traffic data, helping detect unusual or malicious network activity.
89. How can you restrict AWS Lambda functions to access only necessary resources?
A) Use IAM execution roles with least privilege
B) Store credentials in environment variables
C) Enable AWS WAF
D) Use AWS CloudTrail
✅ Answer: A) Use IAM execution roles with least privilege
Explanation: IAM execution roles ensure that AWS Lambda only has permissions needed to perform its tasks.
90. What AWS service helps in securing serverless applications?
A) AWS WAF
B) AWS Lambda
C) AWS Firewall Manager
D) AWS IAM
✅ Answer: A) AWS WAF
Explanation: AWS WAF protects serverless applications from common web threats like SQL injection and cross-site scripting (XSS).
91. How can you prevent unauthorized API calls in AWS?
A) Use API Gateway with IAM authentication and WAF
B) Allow anonymous access to APIs
C) Disable IAM authentication
D) Use AWS Shield
✅ Answer: A) Use API Gateway with IAM authentication and WAF
Explanation: IAM authentication and AWS WAF protect API Gateway from unauthorized access and attacks.
92. Which AWS feature allows centralized monitoring of multiple AWS accounts?
A) AWS GuardDuty
B) AWS Security Hub
C) AWS Lambda
D) AWS Inspector
✅ Answer: B) AWS Security Hub
Explanation: AWS Security Hub provides a centralized view of security alerts across multiple AWS accounts.
93. How can you protect sensitive log data in AWS CloudWatch?
A) Enable encryption using AWS KMS
B) Delete logs regularly
C) Allow public access to logs
D) Store logs in S3 without encryption
✅ Answer: A) Enable encryption using AWS KMS
Explanation: Encrypting CloudWatch logs using AWS KMS ensures sensitive data is protected from unauthorized access.
94. What AWS service can help enforce least privilege access for users?
A) AWS IAM
B) AWS Shield
C) AWS Secrets Manager
D) AWS CloudTrail
✅ Answer: A) AWS IAM
Explanation: AWS IAM allows fine-grained permission control, enforcing least privilege access for users and roles.
95. How can you secure AWS IoT devices?
A) Use AWS IoT Device Defender
B) Use AWS WAF
C) Enable AWS Macie
D) Disable all network rules
✅ Answer: A) Use AWS IoT Device Defender
Explanation: AWS IoT Device Defender helps secure IoT devices by monitoring for suspicious activity and vulnerabilities.
96. What is the best way to secure an AWS-hosted WordPress website?
A) Use AWS WAF and security groups
B) Allow all inbound traffic
C) Disable database encryption
D) Store user passwords in plain text
✅ Answer: A) Use AWS WAF and security groups
Explanation: AWS WAF and security groups protect WordPress sites from brute-force attacks, SQL injection, and other web threats.
97. How can you ensure AWS EBS volumes remain secure?
A) Enable EBS encryption with AWS KMS
B) Disable all security policies
C) Allow unrestricted access to volumes
D) Share EBS volumes publicly
✅ Answer: A) Enable EBS encryption with AWS KMS
Explanation: Encrypting Amazon EBS volumes with AWS KMS ensures stored data is secure and protected.
98. What AWS service allows auditing of IAM permissions and policies?
A) AWS IAM Access Analyzer
B) AWS WAF
C) AWS CloudTrail
D) AWS GuardDuty
✅ Answer: A) AWS IAM Access Analyzer
Explanation: AWS IAM Access Analyzer helps audit IAM permissions to ensure resources are not unintentionally exposed.
99. What is a security risk when using Amazon RDS?
A) Enabling public access to the database
B) Using AWS IAM for authentication
C) Encrypting the database with AWS KMS
D) Using security groups to restrict access
✅ Answer: A) Enabling public access to the database
Explanation: Exposing Amazon RDS to the public internet increases the risk of unauthorized access and attacks.
100. How can you protect AWS resources from accidental deletion?
A) Enable MFA Delete and resource tagging
B) Store credentials in an S3 bucket
C) Use AWS GuardDuty
D) Allow unrestricted IAM access
✅ Answer: A) Enable MFA Delete and resource tagging
Explanation: MFA Delete is a feature of versioned S3 buckets: once the bucket owner enables it, permanently deleting an object version or changing the bucket's versioning state requires an MFA code. For other resource types the equivalent controls are deletion protection (RDS) and termination protection (EC2), plus IAM policies that deny Delete* actions on resources carrying a protective tag.
101. What AWS security service helps you manage access to your AWS environment using temporary security credentials?
A) AWS Secrets Manager
B) AWS IAM
C) AWS STS (Security Token Service)
D) AWS WAF
✅ Answer: C) AWS STS (Security Token Service)
Explanation: AWS STS provides temporary security credentials for users, applications, and federated identities to access AWS resources securely.
102. How can you prevent unauthorized access to Amazon RDS instances?
A) Use security groups to restrict inbound access
B) Allow all IPs to access the database
C) Store database credentials in plaintext
D) Disable IAM policies
✅ Answer: A) Use security groups to restrict inbound access
Explanation: Security groups help limit access to RDS instances by allowing only trusted IPs or services to connect.
103. What AWS service helps detect security misconfigurations in AWS Lambda?
A) AWS CloudTrail
B) AWS Config
C) AWS Inspector
D) AWS Shield
✅ Answer: B) AWS Config
Explanation: AWS Config monitors AWS Lambda function configurations and detects security misconfigurations to ensure compliance.
104. What AWS feature can restrict access to AWS Management Console based on geographic location?
A) IAM policies with geolocation conditions
B) AWS CloudTrail
C) AWS WAF
D) AWS Config
✅ Answer: A) IAM policies with geolocation conditions
Explanation: IAM has no geolocation condition key. The closest control is the aws:SourceIp condition, which limits requests to listed IP ranges; approximating a country means supplying that country's ranges yourself. Because the console issues API calls on the user's behalf, a Deny on aws:SourceIp blocks console activity from other addresses, although it cannot block the sign-in page itself. Blocking by country is a feature of AWS WAF (geo match) for web applications, not of IAM.
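An added example, not part of the original quiz: an IAM identity policy using the aws:SourceIp condition, which is the nearest thing IAM offers to the "geolocation" restriction above. The two CIDR ranges are RFC 5737 documentation addresses standing in for your office or VPN egress ranges; substitute your own. The aws:ViaAWSService check keeps the Deny from breaking calls that AWS services make on the principal's behalf, since those arrive from AWS addresses rather than yours.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsFromOutsideTrustedRanges",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.0/24"
          ]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Attach it to the human users or groups concerned, never to service roles. Test it with the IAM policy simulator before rollout, because an explicit Deny on Action "*" overrides every Allow the principal has, and remember that it governs the API calls the console makes after sign-in, not the sign-in page itself.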
105. How can you protect AWS EC2 instances from SSH brute-force attacks?
A) Use Amazon VPC security groups to allow only trusted IPs
B) Allow SSH access from all IPs
C) Use AWS CloudTrail to disable SSH
D) Store SSH credentials in S3
✅ Answer: A) Use Amazon VPC security groups to allow only trusted IPs
Explanation: Restrict port 22 in the security group to specific trusted CIDR ranges rather than 0.0.0.0/0. Better still, close the port entirely and use Systems Manager Session Manager or EC2 Instance Connect, which authenticate through IAM and leave no SSH service exposed for an attacker to brute-force.
106. What AWS security feature enables centralized logging across AWS accounts?
A) AWS WAF
B) AWS CloudTrail
C) AWS Lambda
D) AWS GuardDuty
✅ Answer: B) AWS CloudTrail
Explanation: A CloudTrail organization trail, created from the management account or a delegated administrator account, records API activity from every account in the organization into one S3 bucket (and optionally CloudWatch Logs) for central analysis, and member accounts cannot turn it off.
107. How can you enforce encryption on all new Amazon S3 objects?
A) Use AWS Config rules
B) Manually encrypt each object
C) Enable AWS WAF
D) Allow public access to S3
✅ Answer: A) Use AWS Config rules
Explanation: AWS Config rules such as s3-bucket-server-side-encryption-enabled detect buckets without encryption configured and can trigger automatic remediation, but they evaluate after the fact rather than block an upload. Since January 2023 S3 applies SSE-S3 to every new object by default; requiring a specific KMS key at upload time is done with a bucket policy (see question 146).
108. What AWS security best practice prevents unauthorized AWS Console logins?
A) Require Multi-Factor Authentication (MFA)
B) Allow root user access for all employees
C) Disable all IAM users
D) Store credentials in plaintext
✅ Answer: A) Require Multi-Factor Authentication (MFA)
Explanation: MFA provides an additional layer of security by requiring a one-time code in addition to a password for authentication.
109. How can you protect AWS resources from unintended privilege escalation?
A) Apply the principle of least privilege in IAM policies
B) Grant all IAM users admin access
C) Use root user for all operations
D) Disable IAM logs
✅ Answer: A) Apply the principle of least privilege in IAM policies
Explanation: The least privilege principle ensures users have only the necessary permissions to perform their job.
110. How can you track who accessed or modified AWS resources?
A) Use AWS CloudTrail logs
B) Delete all IAM policies
C) Disable logging
D) Store logs in public S3 buckets
✅ Answer: A) Use AWS CloudTrail logs
Explanation: AWS CloudTrail logs record API calls and resource modifications, providing visibility into account activity.
111. How can you detect unusual activity in AWS accounts?
A) Enable AWS GuardDuty
B) Use AWS Marketplace
C) Disable IAM roles
D) Delete CloudTrail logs
✅ Answer: A) Enable AWS GuardDuty
Explanation: AWS GuardDuty detects unusual API activity, suspicious network behavior, and potential threats using machine learning.
112. How can you ensure AWS database snapshots are secure?
A) Encrypt snapshots using AWS KMS
B) Store snapshots in a public S3 bucket
C) Delete snapshots frequently
D) Allow unrestricted access to snapshots
✅ Answer: A) Encrypt snapshots using AWS KMS
Explanation: AWS KMS encryption ensures that RDS and EBS snapshots remain secure from unauthorized access.
113. What AWS security feature allows managing access permissions across multiple accounts?
A) AWS Organizations and SCPs
B) AWS Lambda
C) AWS Shield
D) AWS Macie
✅ Answer: A) AWS Organizations and SCPs
Explanation: AWS Organizations and Service Control Policies (SCPs) help enforce security access rules across multiple AWS accounts.
114. How can you enforce logging of all AWS API activities?
A) Enable AWS CloudTrail
B) Use AWS Macie
C) Disable logging
D) Grant public access to logs
✅ Answer: A) Enable AWS CloudTrail
Explanation: AWS CloudTrail ensures that all API activity is logged, improving security and compliance.
115. How can you prevent an AWS root user from accidentally deleting resources?
A) Enable MFA Delete and IAM role delegation
B) Allow root user access to all services
C) Use only root user for daily tasks
D) Store credentials in a text file
✅ Answer: A) Enable MFA Delete and IAM role delegation
Explanation: The real control is not to use the root user for daily work at all: lock it with MFA and delegate day-to-day administration to IAM roles. MFA Delete adds a second check for versioned S3 buckets, and deletion or termination protection on individual resources (RDS, EC2) covers the rest.
116. What AWS service helps monitor and analyze DNS queries for security threats?
A) AWS Route 53 Resolver Query Logging
B) AWS CloudTrail
C) AWS GuardDuty
D) AWS WAF
✅ Answer: A) AWS Route 53 Resolver Query Logging
Explanation: Route 53 Resolver query logging records every DNS query made from a VPC (the name queried, the source instance and the response) to CloudWatch Logs, S3 or Kinesis Data Firehose, giving you the raw material to spot lookups of known-bad or algorithmically generated domains. Blocking such lookups is done with Route 53 Resolver DNS Firewall, and GuardDuty's DNS-based findings draw on the same query stream.
117. How can you secure AWS IoT devices from unauthorized access?
A) Use AWS IoT Device Defender
B) Disable AWS logging
C) Store IoT credentials in plaintext
D) Allow open connections to all devices
✅ Answer: A) Use AWS IoT Device Defender
Explanation: AWS IoT Device Defender helps monitor and secure IoT devices against unauthorized access and threats.
118. How can you prevent accidental deletion of critical AWS resources?
A) Use resource tags and AWS IAM policies
B) Enable root user for daily tasks
C) Store credentials in a shared document
D) Disable encryption
✅ Answer: A) Use resource tags and AWS IAM policies
Explanation: Resource tagging and IAM policies help enforce access restrictions, preventing accidental deletions.
119. What AWS feature protects against cross-account AWS service access?
A) IAM Role Trust Policies
B) AWS Lambda
C) AWS Shield
D) AWS WAF
✅ Answer: A) IAM Role Trust Policies
Explanation: IAM Role Trust Policies control which AWS accounts and services can assume IAM roles across accounts.
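An added example, not taken from the quiz, of the trust policy described above for a role that a partner's account is allowed to assume. The account ID, role name and external ID are placeholders. Trusting a specific role ARN rather than arn:aws:iam::444455556666:root stops the other account from delegating the assumption to any principal it likes, and the sts:ExternalId condition closes the confused-deputy case in which the partner is tricked into assuming your role on a third party's behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyTheNamedPartnerRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:role/PartnerAuditor"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "partner-audit-7f3a9c"
        }
      }
    }
  ]
}
```

Pair it with a read-only permissions policy on the role (the SecurityAudit managed policy is the usual starting point) and a short MaxSessionDuration. Every AssumeRole call, successful or not, lands in CloudTrail, so attempts from the partner account remain auditable.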
120. How can you protect AWS Lambda functions from unauthorized modifications?
A) Use IAM permissions and AWS CloudTrail logging
B) Store function code in public repositories
C) Allow all users to modify Lambda settings
D) Disable function monitoring
✅ Answer: A) Use IAM permissions and AWS CloudTrail logging
Explanation: IAM permissions ensure only authorized users modify functions, and CloudTrail logs all changes for auditing.
121. What AWS feature allows you to limit the number of API requests per user to prevent abuse?
A) AWS WAF Rate-Based Rules
B) AWS Security Hub
C) AWS CloudTrail
D) AWS GuardDuty
✅ Answer: A) AWS WAF Rate-Based Rules
Explanation: A rate-based rule counts requests per source IP address (or, with custom aggregation keys, per header, cookie or other request attribute) over a short time window and blocks a source that exceeds the threshold, which blunts credential stuffing and simple HTTP floods. A limit "per user" only results if you aggregate on something that identifies the user, such as a session cookie.
122. How can you protect AWS credentials when deploying applications on EC2?
A) Use IAM roles instead of hardcoded credentials
B) Store credentials in plaintext in EC2 instances
C) Use the root user for all API calls
D) Allow unrestricted access to EC2
✅ Answer: A) Use IAM roles instead of hardcoded credentials
Explanation: IAM roles provide temporary security credentials without exposing API keys in code.
123. What AWS service helps detect compromised EC2 instances?
A) AWS Shield
B) AWS GuardDuty
C) AWS WAF
D) AWS IAM
✅ Answer: B) AWS GuardDuty
Explanation: AWS GuardDuty analyzes EC2 activity to detect compromised instances, unusual behavior, and potential threats.
124. What AWS security feature ensures that an EC2 instance only has access to necessary AWS resources?
A) IAM instance profiles
B) AWS WAF
C) AWS Security Hub
D) AWS CloudTrail
✅ Answer: A) IAM instance profiles
Explanation: An instance profile is the container that attaches an IAM role to an EC2 instance, so code on the instance obtains short-lived credentials from the instance metadata service instead of stored keys; the role's policy is what scopes those credentials to the minimum required. Require IMDSv2 on the instance so that the credentials cannot be read through a server-side request forgery bug.
125. How can you protect AWS databases from SQL injection attacks?
A) Use AWS WAF with SQL injection rules
B) Allow unrestricted database access
C) Disable encryption
D) Store credentials in a public S3 bucket
✅ Answer: A) Use AWS WAF with SQL injection rules
Explanation: AWS WAF sits in front of CloudFront, an Application Load Balancer or API Gateway rather than the database, and its SQL database managed rule group blocks request patterns that look like injection before they reach the application. This is defence in depth: the actual fix is parameterized queries in the application code.
126. How can you protect AWS Lambda from excessive execution that could lead to high costs?
A) Set concurrency limits for Lambda functions
B) Allow unlimited Lambda invocations
C) Disable logging for Lambda
D) Store all Lambda execution results in public S3
✅ Answer: A) Set concurrency limits for Lambda functions
Explanation: Concurrency limits prevent excessive execution and control costs by restricting the number of Lambda function invocations.
127. What is the best way to restrict network access to AWS RDS instances?
A) Use VPC security groups and private subnets
B) Allow all incoming connections
C) Store database credentials in plaintext
D) Delete all security groups
✅ Answer: A) Use VPC security groups and private subnets
Explanation: Security groups and private subnets prevent unauthorized access to RDS instances by restricting inbound traffic.
128. What AWS service helps analyze permissions to ensure IAM policies do not allow unintended access?
A) IAM Access Analyzer
B) AWS WAF
C) AWS Shield
D) AWS CloudTrail
✅ Answer: A) IAM Access Analyzer
Explanation: IAM Access Analyzer helps identify and analyze policies that allow unintended access to AWS resources.
129. What AWS security service provides centralized management for security group rules across multiple accounts?
A) AWS Firewall Manager
B) AWS GuardDuty
C) AWS CloudTrail
D) AWS Lambda
✅ Answer: A) AWS Firewall Manager
Explanation: AWS Firewall Manager allows centralized management of security groups, AWS WAF rules, and AWS Shield protections across multiple AWS accounts.
130. What is the recommended way to secure an Amazon API Gateway endpoint?
A) Use AWS IAM authentication, API keys, and AWS WAF
B) Allow public access to all endpoints
C) Store API keys in public repositories
D) Disable CloudWatch monitoring
✅ Answer: A) Use AWS IAM authentication, API keys, and AWS WAF
Explanation: Use IAM authorization (or a Cognito or Lambda authorizer) for authentication and AWS WAF for request filtering. API keys identify clients for usage plans and throttling; AWS's own documentation says not to use them as an authentication mechanism on their own.
131. What AWS security service helps prevent unauthorized access to AWS services by enforcing network restrictions?
A) AWS Network Firewall
B) AWS Secrets Manager
C) AWS CloudTrail
D) AWS Security Hub
✅ Answer: A) AWS Network Firewall
Explanation: AWS Network Firewall enforces network security policies to control ingress and egress traffic in VPCs.
132. How can you prevent unintended AWS resource modifications?
A) Use AWS Config rules and IAM policies
B) Disable logging
C) Grant all IAM users admin access
D) Store credentials in plaintext
✅ Answer: A) Use AWS Config rules and IAM policies
Explanation: AWS Config rules and IAM policies prevent unauthorized changes and enforce security compliance.
133. What AWS feature protects Lambda functions from unauthorized execution?
A) IAM execution roles with least privilege
B) Allow all users to execute functions
C) Disable function logging
D) Use AWS WAF
✅ Answer: A) IAM execution roles with least privilege
Explanation: IAM execution roles restrict AWS Lambda to only necessary permissions for secure execution.
134. What AWS service helps detect data exfiltration attempts?
A) AWS GuardDuty
B) AWS WAF
C) AWS KMS
D) AWS Inspector
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty raises findings for exfiltration patterns such as unusually large S3 downloads, DNS queries that carry encoded data, outbound connections to known command-and-control hosts, and EC2 instance credentials being used from outside AWS.
135. What AWS feature prevents security group misconfigurations?
A) AWS Firewall Manager
B) AWS KMS
C) AWS WAF
D) AWS GuardDuty
✅ Answer: A) AWS Firewall Manager
Explanation: Firewall Manager security group policies audit security groups across all accounts in the organization against a baseline (for example, no 0.0.0.0/0 on port 22) and can automatically remediate non-compliant rules.
136. How can you ensure encryption for AWS Kinesis data streams?
A) Enable server-side encryption using AWS KMS
B) Allow all users to access Kinesis
C) Store data in plaintext
D) Disable encryption
✅ Answer: A) Enable server-side encryption using AWS KMS
Explanation: Kinesis Data Streams server-side encryption encrypts records with a KMS key before they are written to storage, protecting data at rest; data in transit is protected separately by TLS on the Kinesis endpoints.
137. What AWS service helps secure Kubernetes workloads in AWS?
A) Amazon EKS with IAM roles
B) AWS WAF
C) AWS Config
D) AWS GuardDuty
✅ Answer: A) Amazon EKS with IAM roles
Explanation: Amazon EKS (Elastic Kubernetes Service) integrates with IAM roles to provide secure access control for Kubernetes workloads.
138. What AWS service allows private network access to AWS services without internet exposure?
A) AWS PrivateLink
B) AWS Route 53
C) AWS WAF
D) AWS Shield
✅ Answer: A) AWS PrivateLink
Explanation: AWS PrivateLink enables secure, private access to AWS services without using the public internet.
139. How can you enforce least privilege access for AWS users?
A) Use IAM policies with permission boundaries
B) Grant full admin access to all users
C) Allow unrestricted API calls
D) Store IAM credentials in public S3
✅ Answer: A) Use IAM policies with permission boundaries
Explanation: IAM permission boundaries enforce least privilege access by limiting maximum permissions for AWS users.
140. What AWS service monitors real-time network traffic for threats?
A) AWS VPC Traffic Mirroring
B) AWS CloudTrail
C) AWS IAM
D) AWS Macie
✅ Answer: A) AWS VPC Traffic Mirroring
Explanation: VPC Traffic Mirroring copies packets from an elastic network interface to a monitoring appliance or intrusion detection system you operate (Suricata or Zeek, for example), which performs the actual threat analysis; Traffic Mirroring itself only delivers the copy.
141. What AWS feature helps prevent unauthorized copying of sensitive data from S3?
A) AWS Macie
B) AWS WAF
C) AWS Shield
D) AWS KMS
✅ Answer: A) AWS Macie
Explanation: Amazon Macie discovers and classifies sensitive data (PII, credentials) in S3 and alerts on exposure; it does not itself block copying. Prevention comes from bucket policies, S3 Block Public Access and VPC endpoint policies, with Macie findings telling you which buckets those controls matter most for.
142. How can you secure an Amazon CloudFront distribution against unauthorized access?
A) Use Signed URLs or Signed Cookies
B) Disable HTTPS
C) Allow unrestricted access
D) Store credentials in plaintext
✅ Answer: A) Use Signed URLs or Signed Cookies
Explanation: Signed URLs and Signed Cookies ensure that only authorized users can access CloudFront-distributed content.
143. What AWS service can help detect open security ports in EC2 instances?
A) AWS Inspector
B) AWS Macie
C) AWS CloudTrail
D) AWS Security Hub
✅ Answer: A) AWS Inspector
Explanation: Amazon Inspector's network reachability findings identify ports on EC2 instances that are reachable from the internet or from other VPCs through the combination of security groups, network ACLs and route tables, alongside its package vulnerability findings.
144. What AWS security feature prevents unauthorized root account access?
A) Enabling MFA for the root user
B) Storing root credentials in public GitHub repositories
C) Allowing unrestricted login from any IP
D) Using IAM access keys for the root account
✅ Answer: A) Enabling MFA for the root user
Explanation: MFA (Multi-Factor Authentication) adds an extra security layer to prevent unauthorized access to the AWS root account.
145. How can you prevent an EC2 instance from being accessed by unauthorized users?
A) Use security groups and restrict inbound access
B) Allow SSH from any IP address
C) Store SSH keys in a public repository
D) Enable root login for all users
✅ Answer: A) Use security groups and restrict inbound access
Explanation: Security groups allow administrators to restrict inbound traffic to specific IPs, improving security.
146. How can you enforce mandatory encryption for Amazon S3 bucket objects?
A) Use S3 bucket policies to require encryption
B) Allow public access to S3
C) Store credentials in S3
D) Disable encryption
✅ Answer: A) Use S3 bucket policies to require encryption
Explanation: S3 bucket policies can enforce encryption rules, ensuring all uploaded objects are encrypted.
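An added example, not part of the original page, of the bucket policy that questions 107 and 146 refer to. The bucket name, account ID and KMS key ARN are placeholders. The first statement rejects any upload that does not request SSE-KMS, the second rejects uploads that name a different key, and the third rejects requests over plain HTTP. Because the policy is evaluated on the request as sent, an upload that omits the encryption header is refused even if the bucket's default encryption would otherwise have covered it, so clients must send both x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id explicitly.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotRequestingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-sensitive-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsUsingAnyOtherKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-sensitive-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-sensitive-bucket",
        "arn:aws:s3:::example-sensitive-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Set the bucket's default encryption to the same key so that the two configurations agree, and keep S3 Block Public Access on: this policy controls how objects are written, not who may read them.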
147. What AWS service provides security threat intelligence for AWS workloads?
A) AWS GuardDuty
B) AWS Secrets Manager
C) AWS Lambda
D) AWS CodePipeline
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty provides threat detection for AWS workloads, using machine learning to detect suspicious activity.
148. What AWS feature allows organizations to apply security policies to AWS accounts?
A) AWS Organizations Service Control Policies (SCPs)
B) AWS Lambda
C) AWS CloudFormation
D) AWS Route 53
✅ Answer: A) AWS Organizations Service Control Policies (SCPs)
Explanation: SCPs allow organizations to enforce security policies across multiple AWS accounts, preventing unauthorized actions.
149. How can you prevent unauthorized changes to critical AWS resources?
A) Enable AWS Config with compliance rules
B) Grant full admin access to all users
C) Store IAM credentials in public repositories
D) Delete all security groups
✅ Answer: A) Enable AWS Config with compliance rules
Explanation: AWS Config helps enforce security policies and prevent unauthorized modifications to critical AWS resources.
150. What AWS feature allows detailed access logging for S3 buckets?
A) S3 Server Access Logging
B) AWS IAM
C) AWS Lambda
D) AWS Secrets Manager
✅ Answer: A) S3 Server Access Logging
Explanation: S3 Server Access Logging records detailed access information about requests made to S3 buckets, improving security auditing.
151. What AWS feature helps organizations enforce security policies across accounts?
A) AWS Organizations SCPs
B) AWS Auto Scaling
C) AWS CloudTrail
D) AWS CodeBuild
✅ Answer: A) AWS Organizations SCPs
Explanation: AWS Organizations Service Control Policies (SCPs) enforce security policies across multiple AWS accounts.
152. How can you monitor and log DNS queries for security auditing in AWS?
A) AWS Route 53 Resolver Query Logging
B) AWS WAF
C) AWS Shield
D) AWS IAM
✅ Answer: A) AWS Route 53 Resolver Query Logging
Explanation: Route 53 Resolver Query Logging captures DNS query logs for security auditing and threat detection.
153. What AWS security feature allows centralized control of firewall rules?
A) AWS Firewall Manager
B) AWS CloudTrail
C) AWS Lambda
D) AWS CodePipeline
✅ Answer: A) AWS Firewall Manager
Explanation: AWS Firewall Manager provides centralized control of AWS WAF, security groups, and AWS Shield protections across accounts.
154. What AWS security service detects anomalous API activity?
A) AWS GuardDuty
B) AWS S3
C) AWS CodeDeploy
D) AWS KMS
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty detects anomalous API activity and suspicious behavior using machine learning.
155. What AWS service can automatically rotate database credentials?
A) AWS Secrets Manager
B) AWS Shield
C) AWS Auto Scaling
D) AWS Route 53
✅ Answer: A) AWS Secrets Manager
Explanation: AWS Secrets Manager allows automatic credential rotation, preventing static password exposure.
156. What is the best practice for securing AWS IAM roles?
A) Use least privilege principle
B) Assign all users full admin access
C) Store IAM credentials in plaintext
D) Allow unrestricted API calls
✅ Answer: A) Use least privilege principle
Explanation: The principle of least privilege ensures IAM roles have only the necessary permissions, reducing security risks.
157. How can you ensure AWS security best practices are followed in an account?
A) Use AWS Security Hub
B) Disable all IAM users
C) Allow unrestricted root user access
D) Store credentials in GitHub
✅ Answer: A) Use AWS Security Hub
Explanation: AWS Security Hub provides centralized security monitoring and compliance checks across AWS environments.
158. What AWS feature provides protection against automated bot attacks?
A) AWS WAF Bot Control
B) AWS Lambda
C) AWS Route 53
D) AWS CodePipeline
✅ Answer: A) AWS WAF Bot Control
Explanation: AWS WAF Bot Control identifies and blocks or rate-limits automated clients (scrapers, crawlers, credential-stuffing tools) using request signatures and browser challenges. Volumetric DDoS protection is AWS Shield's job, not Bot Control's.
159. How can you secure a private Amazon S3 bucket from unauthorized access?
A) Enable S3 Block Public Access
B) Allow unrestricted access
C) Store credentials inside the bucket
D) Disable encryption
✅ Answer: A) Enable S3 Block Public Access
Explanation: S3 Block Public Access prevents unintended exposure of S3 objects to unauthorized users.
160. What AWS feature provides detailed logging of IAM user and role activity?
A) AWS CloudTrail
B) AWS CodeCommit
C) AWS Lambda
D) AWS Auto Scaling
✅ Answer: A) AWS CloudTrail
Explanation: AWS CloudTrail provides detailed logging of IAM user and role API activity, enabling security auditing.
161. What AWS security feature ensures that IAM users cannot access AWS resources from unauthorized IP addresses?
A) IAM policy conditions
B) AWS Shield
C) AWS CloudTrail
D) AWS Lambda
✅ Answer: A) IAM policy conditions
Explanation: The aws:SourceIp condition key restricts access to requests from listed IP ranges, so only trusted networks can reach AWS APIs with those credentials. Pair it with an aws:ViaAWSService check, because calls an AWS service makes on your behalf arrive from the service's addresses and would otherwise be denied.
162. What AWS service helps protect against credential leaks by detecting exposed access keys in public repositories?
A) AWS IAM Access Analyzer
B) AWS Secrets Manager
C) AWS CodeGuru
D) Amazon Macie
✅ Answer: A) AWS IAM Access Analyzer
Explanation: IAM Access Analyzer does not scan public repositories; it analyzes resource and identity policies for access granted to external principals and for permissions that go unused. Detection of access keys leaked to public sites such as GitHub is done by AWS itself and surfaced through the Trusted Advisor "Exposed Access Keys" check, with a quarantine policy attached to the key; when that happens, rotate the key immediately and review CloudTrail for what it was used for.
163. How can you enforce security best practices for AWS Lambda function permissions?
A) Assign the least privilege IAM role to Lambda functions
B) Allow Lambda functions to assume admin roles
C) Store access keys in Lambda function environment variables
D) Disable logging for Lambda functions
✅ Answer: A) Assign the least privilege IAM role to Lambda functions
Explanation: Applying least privilege permissions ensures AWS Lambda functions only access required AWS resources, reducing security risks.
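An added example, not from the quiz, of the least-privilege execution role that questions 89, 133 and 163 describe. The function name, table, secret and account ID are placeholders. The anti-pattern it replaces is an inline policy with "Action": "*" and "Resource": "*" (or the AdministratorAccess managed policy), which lets any bug in the function's code or dependencies reach the whole account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOwnLogGroupOnly",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/order-processor:*"
    },
    {
      "Sid": "ReadWriteOneTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"
    },
    {
      "Sid": "ReadOneSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/orders/db-*"
    }
  ]
}
```

Each statement names the single resource the function touches. Logging is scoped to the function's own log group instead of the wildcard in the AWSLambdaBasicExecutionRole managed policy, which means the log group is created ahead of time by your deployment tooling. The role's trust policy should allow only lambda.amazonaws.com, and the database password is fetched from Secrets Manager at run time rather than placed in an environment variable.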
164. What AWS service allows organizations to define and enforce security baselines across AWS accounts?
A) AWS Control Tower
B) AWS Secrets Manager
C) AWS CodePipeline
D) AWS CloudFront
✅ Answer: A) AWS Control Tower
Explanation: AWS Control Tower enables organizations to define security baselines and enforce governance across multiple AWS accounts.
165. How can you protect against unauthorized access to AWS Systems Manager Session Manager?
A) Enforce IAM policies that restrict session access
B) Store credentials in plaintext
C) Use root credentials for all sessions
D) Allow unrestricted access
✅ Answer: A) Enforce IAM policies that restrict session access
Explanation: IAM policies help restrict access to AWS Systems Manager Session Manager, ensuring only authorized users can start sessions.
166. What AWS service helps identify public and private Amazon S3 buckets?
A) AWS Config
B) AWS Secrets Manager
C) AWS Lambda
D) AWS WAF
✅ Answer: A) AWS Config
Explanation: AWS Config records each bucket's public access settings and evaluates managed rules such as s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited, giving an inventory of which buckets are public. IAM Access Analyzer for S3 complements this by evaluating bucket policies and ACLs for access from outside the account.
167. How can you enforce security compliance on new AWS resources automatically?
A) Use AWS Config rules
B) Allow unrestricted IAM access
C) Store credentials in plaintext
D) Disable AWS CloudTrail
✅ Answer: A) Use AWS Config rules
Explanation: AWS Config rules ensure that new AWS resources comply with security best practices and compliance policies.
168. What AWS service provides insights into permissions that have not been used over time?
A) IAM Access Analyzer
B) AWS GuardDuty
C) AWS Secrets Manager
D) AWS Shield
✅ Answer: A) IAM Access Analyzer
Explanation: IAM Access Analyzer identifies unused permissions, helping to remove excessive privileges and enforce least privilege access.
169. How can you protect Amazon RDS databases from unauthorized access?
A) Use IAM authentication and security groups
B) Allow all IP addresses to connect
C) Disable encryption
D) Store credentials in public S3 buckets
✅ Answer: A) Use IAM authentication and security groups
Explanation: IAM authentication and security groups ensure that only authorized users and applications can access Amazon RDS databases.
170. What AWS service helps protect workloads from known vulnerabilities by automatically patching instances?
A) AWS Systems Manager Patch Manager
B) AWS Lambda
C) AWS Macie
D) AWS IAM
✅ Answer: A) AWS Systems Manager Patch Manager
Explanation: AWS Systems Manager Patch Manager helps automate patching of EC2 instances to protect against known security vulnerabilities.
171. What AWS service helps analyze security configurations and provides recommendations?
A) AWS Trusted Advisor
B) AWS IAM
C) AWS CodeBuild
D) AWS Route 53
✅ Answer: A) AWS Trusted Advisor
Explanation: AWS Trusted Advisor reviews security configurations and provides recommendations to improve AWS security posture.
172. What AWS security feature helps prevent privilege escalation attacks?
A) IAM permission boundaries
B) AWS CloudFront
C) AWS Shield
D) AWS Macie
✅ Answer: A) IAM permission boundaries
Explanation: IAM permission boundaries help prevent privilege escalation by restricting the maximum permissions that IAM roles or users can receive.
173. How can you secure data at rest in AWS Redshift?
A) Enable encryption using AWS KMS
B) Disable encryption
C) Store database credentials in public repositories
D) Allow unrestricted access
✅ Answer: A) Enable encryption using AWS KMS
Explanation: AWS KMS (Key Management Service) enables encryption at rest, ensuring data security in Amazon Redshift.
174. What AWS feature allows real-time monitoring of user activity within AWS accounts?
A) AWS CloudTrail
B) AWS Route 53
C) AWS Lambda
D) AWS Auto Scaling
✅ Answer: A) AWS CloudTrail
Explanation: AWS CloudTrail records user and role API activity and delivers it to S3 and, optionally, CloudWatch Logs within minutes; EventBridge rules or CloudWatch alarms on those events give near-real-time alerting rather than true real-time monitoring.
175. What AWS security feature helps detect insider threats within an organization?
A) AWS GuardDuty
B) AWS Lambda
C) AWS CodeCommit
D) AWS Secrets Manager
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty baselines normal account and user behaviour and flags anomalies such as unusual API calls, sign-ins from new locations or credentials used from unexpected hosts; this surfaces misuse by insiders as well as outsiders, although it is not an insider-threat product in itself.
176. What AWS service helps enforce security compliance across AWS Organizations?
A) AWS Organizations SCPs
B) AWS IAM Access Analyzer
C) AWS Lambda
D) AWS CloudFormation
✅ Answer: A) AWS Organizations SCPs
Explanation: AWS Organizations Service Control Policies (SCPs) help enforce security policies across multiple AWS accounts.
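An added example of an SCP, not taken from the quiz, for questions 148, 151 and 176. The break-glass role name is a placeholder. SCPs never grant permissions: they cap what any principal in a member account can do, regardless of its IAM policies, and they do not apply to the management account, so security tooling should run from a delegated member account. The third statement implements the AWS-documented pattern of denying the root user of member accounts; plan a documented exception procedure for the few tasks that genuinely require root.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectSecurityTooling",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"
        }
      }
    },
    {
      "Sid": "DenyLeavingTheOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserInMemberAccounts",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Attach it to the organizational units holding workload accounts rather than to the root of the organization first, and verify with a non-production account that the break-glass role can still perform the denied actions.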
177. How can you detect security vulnerabilities in Amazon EKS clusters?
A) Use AWS Inspector to scan EKS workloads
B) Disable IAM permissions
C) Delete EKS worker nodes
D) Allow unrestricted access to the EKS API
✅ Answer: A) Use AWS Inspector to scan EKS workloads
Explanation: Amazon Inspector scans the EC2 worker nodes behind an EKS cluster and the container images stored in Amazon ECR for known vulnerabilities. It does not audit the Kubernetes control plane configuration; that is covered by EKS audit logging and GuardDuty's EKS protection.
178. What AWS security feature prevents an IAM role from assuming a higher-privilege role?
A) IAM permission boundaries
B) AWS WAF
C) AWS CloudFront
D) AWS Security Hub
✅ Answer: A) IAM permission boundaries
Explanation: A permission boundary caps the effective permissions of a principal: if the boundary does not allow sts:AssumeRole on the higher-privilege role, the role cannot be assumed even when an identity policy grants it. The principal must equally be denied the iam:* actions that would let it remove or replace the boundary.
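An added example, not from the quiz, of the policy attached to a developer who is allowed to create roles but not to escalate through them (questions 139, 172 and 178). The account ID, role prefix and boundary policy name are placeholders. The DeveloperBoundary document itself is not shown; it lists the services the team may use, and every role created under it is limited to the intersection of its own policy and that boundary, so a developer cannot mint an administrator role and assume it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndConfigureRolesOnlyWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy"
      ],
      "Resource": "arn:aws:iam::111122223333:role/app-*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/DeveloperBoundary"
        }
      }
    },
    {
      "Sid": "NoBoundaryTampering",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteUserPermissionsBoundary",
        "iam:PutRolePermissionsBoundary",
        "iam:PutUserPermissionsBoundary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NoEditingTheBoundaryPolicy",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::111122223333:policy/DeveloperBoundary"
    }
  ]
}
```

The iam:PermissionsBoundary condition key makes CreateRole fail unless the request names the boundary, and makes PutRolePolicy and AttachRolePolicy fail against any role that lacks it; the two Deny statements close the obvious ways round that check.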
179. How can you secure AWS Glue job credentials?
A) Use AWS Secrets Manager
B) Store credentials in plaintext
C) Allow unrestricted Glue job execution
D) Disable encryption
✅ Answer: A) Use AWS Secrets Manager
Explanation: AWS Secrets Manager securely stores AWS Glue job credentials, preventing exposure of sensitive data.
180. How can you prevent unauthorized modification of AWS KMS encryption keys?
A) Use IAM policies to restrict key management access
B) Store encryption keys in plaintext
C) Disable AWS CloudTrail
D) Allow unrestricted IAM access
✅ Answer: A) Use IAM policies to restrict key management access
Explanation: Access to a KMS key is governed first by the key policy, which must grant or delegate permission before any IAM policy can take effect. Restrict kms:PutKeyPolicy, kms:ScheduleKeyDeletion and kms:DisableKey to a small set of key administrators, and keep key users (kms:Encrypt, kms:Decrypt) in a separate statement so that the people who use a key cannot alter it.
181. What AWS service allows you to centrally manage security policies across multiple AWS accounts?
A) AWS Organizations
B) AWS Shield
C) AWS WAF
D) AWS CloudTrail
✅ Answer: A) AWS Organizations
Explanation: AWS Organizations allows centralized management of security policies, access controls, and compliance across multiple AWS accounts.
182. How can you prevent unauthorized changes to AWS IAM policies?
A) Use IAM permissions with MFA requirements
B) Allow all users to modify IAM policies
C) Store IAM policies in a public repository
D) Disable IAM auditing
✅ Answer: A) Use IAM permissions with MFA requirements
Explanation: Enforcing multi-factor authentication (MFA) for IAM policy changes adds an extra layer of security, preventing unauthorized modifications.
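An added example, not part of the original quiz, of the MFA requirement described above written as a single Deny statement that can be added to any administrator's policy. The action list is the set of IAM operations that change what a principal is allowed to do; it deliberately leaves out iam:CreateVirtualMFADevice and iam:EnableMFADevice so that a new user can still enrol a device. BoolIfExists is used rather than Bool because requests signed with a long-term access key carry no aws:MultiFactorAuthPresent key at all, and a plain Bool test would let those through.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamPolicyChangesWithoutMfa",
      "Effect": "Deny",
      "Action": [
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachRolePolicy",
        "iam:DetachUserPolicy",
        "iam:PutGroupPolicy",
        "iam:PutRolePolicy",
        "iam:PutUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Attach it to human users and groups only. A role assumed by a person who supplied an MFA code carries the key into the session, so administrators working through roles are unaffected; a role used by EC2 or Lambda never has the key and would be denied, which is correct for service roles that have no business editing IAM.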
183. What AWS service can be used to analyze security events and provide actionable insights?
A) AWS Security Hub
B) AWS CodePipeline
C) AWS Lambda
D) AWS CloudFront
✅ Answer: A) AWS Security Hub
Explanation: AWS Security Hub aggregates security alerts and compliance findings from multiple AWS services, providing insights for remediation.
184. How can you prevent unauthorized API Gateway access?
A) Use IAM authentication and resource policies
B) Allow public access without authentication
C) Disable logging for API Gateway
D) Store API keys in plaintext
✅ Answer: A) Use IAM authentication and resource policies
Explanation: IAM authentication and resource policies ensure that API Gateway is accessible only by authorized users and services.
185. What AWS security service helps detect unintended public access to AWS resources?
A) AWS Config
B) AWS Lambda
C) AWS CloudFront
D) AWS CodeDeploy
✅ Answer: A) AWS Config
Explanation: AWS Config detects security misconfigurations, such as publicly accessible S3 buckets or open security groups.
186. How can you protect AWS Step Functions from unauthorized execution?
A) Use IAM role permissions to restrict execution
B) Store function definitions in a public repository
C) Disable logging for Step Functions
D) Allow all users full access
✅ Answer: A) Use IAM role permissions to restrict execution
Explanation: Grant states:StartExecution (and the other states:* write actions) only to the principals that need them, scoping Resource to the specific state machine ARN. Keep the execution role the state machine assumes limited to the service calls its tasks actually make, so a caller who can start it cannot gain more than the workflow itself does.
187. What AWS feature allows automated threat detection for AWS workloads?
A) AWS GuardDuty
B) AWS CodeBuild
C) AWS CloudFormation
D) AWS Route 53
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty provides automated threat detection using machine learning and behavior analytics.
188. What is the best way to secure an AWS-hosted WordPress website from brute force attacks?
A) Enable AWS WAF and rate limiting
B) Store WordPress credentials in a public repository
C) Disable security group restrictions
D) Allow unrestricted admin logins
✅ Answer: A) Enable AWS WAF and rate limiting
Explanation: An AWS WAF rate-based rule caps the number of requests a single source IP may send to /wp-login.php and /xmlrpc.php within the evaluation window (five minutes by default), which throttles brute-force logins; the AWS managed rule groups (Core rule set, SQL database, WordPress application) handle SQL injection and other web attacks. Rate limiting by itself does not stop a distributed attack, so pair it with strong passwords and MFA on the WordPress side.
189. How can you prevent unauthorized data transfers from an AWS account?
A) Use AWS CloudTrail and AWS Config rules
B) Allow unrestricted S3 access
C) Store sensitive data in plaintext
D) Disable all IAM security policies
✅ Answer: A) Use AWS CloudTrail and AWS Config rules
Explanation: CloudTrail records the API calls that move data out (S3 data events such as GetObject, CreateSnapshot, ModifySnapshotAttribute, and similar), and AWS Config rules detect the misconfigurations that enable exfiltration, such as a bucket policy that grants public access. Neither service blocks a call on its own: prevention comes from IAM policies, SCPs and VPC endpoint policies, while Config remediation actions and GuardDuty exfiltration findings shorten the time to roll back.
190. What AWS security feature helps protect against account takeover attempts?
A) AWS GuardDuty
B) AWS Route 53
C) AWS CodeDeploy
D) AWS CloudFormation
✅ Answer: A) AWS GuardDuty
Explanation: AWS GuardDuty detects account takeover attempts by identifying suspicious login behaviors, API calls, and access anomalies.
191. How can you prevent unauthorized users from creating new AWS accounts under an AWS Organization?
A) Use Service Control Policies (SCPs)
B) Allow unrestricted user permissions
C) Disable IAM policies
D) Store AWS root credentials in public repositories
✅ Answer: A) Use Service Control Policies (SCPs)
Explanation: An SCP that denies organizations:CreateAccount and organizations:InviteAccountToOrganization is the Organizations-level guardrail for this. Two caveats matter in practice: SCPs never restrict the management account, and account creation is itself a management-account operation, so the principals in that account that hold organizations:* must be locked down separately with tight IAM policies and MFA.
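An offline evaluator, as an added example (not code from the page or from AWS), that combines the MFA-gated IAM policy from question 182 with an SCP guardrail like the one in question 191, including the management-account exception. The policies, the break-glass role name OrgAdmin and the request-context values are assumptions; resource matching is deliberately ignored because every statement here uses Resource "*".

```python
"""Offline evaluator for two guardrails from this quiz: an identity policy that
denies IAM writes unless MFA is present (Q182) and an SCP that blocks
organization-level actions in member accounts (Q191).

Added example; the policies and role names are assumed, not taken from an AWS
account. Resource matching is ignored (every statement uses Resource "*")."""
import fnmatch

# Identity policy: full IAM administration, but every write is denied unless the
# request carries aws:MultiFactorAuthPresent=true. BoolIfExists matters: requests
# signed with long-term access keys do not carry the key at all, and a plain Bool
# condition would not match them, leaving key-based IAM changes un-gated.
MFA_GATED_IAM_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowIamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {
            "Sid": "DenyIamWritesWithoutMfa",
            "Effect": "Deny",
            "Action": ["iam:Create*", "iam:Put*", "iam:Attach*", "iam:Detach*",
                       "iam:Delete*", "iam:Update*"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Default SCP AWS attaches at the root; without an Allow somewhere in the SCP set
# nothing is permitted, so guardrail SCPs are written as Deny statements.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Guardrail SCP: member accounts may not leave the organization or create accounts
# unless the caller is the (assumed) break-glass role OrgAdmin.
ORG_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOrgChanges",
        "Effect": "Deny",
        "Action": ["organizations:LeaveOrganization", "organizations:CreateAccount"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdmin"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate the subset of IAM condition operators these policies use.

    ctx maps request-context keys to values; a key absent from ctx models a request
    that does not carry it (for example no MFA key on an access-key signed call)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [str(v).lower() for v in _as_list(expected)]
            if operator == "Bool":
                if actual is None or str(actual).lower() not in wanted:
                    return False
            elif operator == "BoolIfExists":          # missing key counts as a match
                if actual is not None and str(actual).lower() not in wanted:
                    return False
            elif operator == "ArnLike":
                if actual is None or not any(fnmatch.fnmatchcase(actual.lower(), w) for w in wanted):
                    return False
            elif operator == "ArnNotLike":            # negated operator: missing key matches
                if actual is not None and any(fnmatch.fnmatchcase(actual.lower(), w) for w in wanted):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, action, ctx):
    """Return 'deny', 'allow' or 'implicit_deny' for a single policy document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"                              # explicit deny always wins
        decision = "allow"
    return decision


def is_allowed(action, ctx, identity_policy, scps=(FULL_AWS_ACCESS, ORG_GUARDRAIL_SCP),
               management_account=False):
    """Combine SCPs and the identity policy the way IAM does for a same-account request.

    SCPs never apply to the organization's management account, which is why
    organization-level actions must be locked down there with IAM and MFA instead."""
    if not management_account:
        results = [evaluate(p, action, ctx) for p in scps]
        if "deny" in results or "allow" not in results:
            return False
    return evaluate(identity_policy, action, ctx) == "allow"
```

The two cases worth trying by hand are `is_allowed("iam:PutUserPolicy", {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice"}, MFA_GATED_IAM_ADMIN)`, where the missing MFA key makes BoolIfExists match and the deny fires, and the same call with `management_account=True` for an organizations action, where the SCP is skipped entirely.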
192. What AWS feature allows centralized key management and encryption across AWS services?
A) AWS Key Management Service (KMS)
B) AWS WAF
C) AWS Lambda
D) AWS GuardDuty
✅ Answer: A) AWS Key Management Service (KMS)
Explanation: AWS KMS enables centralized key management and encryption for securing AWS data and services.
193. How can you detect policy violations in AWS environments?
A) Use AWS Config rules and AWS Security Hub
B) Allow unrestricted security group rules
C) Disable AWS IAM policies
D) Store credentials in public repositories
✅ Answer: A) Use AWS Config rules and AWS Security Hub
Explanation: AWS Config rules and AWS Security Hub continuously monitor AWS resources for policy violations and compliance issues.
194. How can you enforce security best practices across multiple AWS accounts?
A) Use AWS Control Tower
B) Allow unrestricted user access
C) Disable AWS Organizations
D) Store IAM policies in a text file
✅ Answer: A) Use AWS Control Tower
Explanation: AWS Control Tower helps manage security, compliance, and governance across multiple AWS accounts.
195. What AWS security service helps protect against malicious IP addresses?
A) AWS WAF IP reputation lists
B) AWS Lambda
C) AWS CloudFormation
D) AWS CodePipeline
✅ Answer: A) AWS WAF IP reputation lists
Explanation: The AWS managed rule groups "Amazon IP reputation list" (AWSManagedRulesAmazonIpReputationList) and "Anonymous IP list" (AWSManagedRulesAnonymousIpList) block or flag requests from addresses tied to bots, reconnaissance and anonymizing proxies, and you can add your own IP sets for allow and deny lists. Review the sampled requests before switching a managed group from count to block mode so legitimate traffic is not dropped.
196. How can you protect AWS IAM users from phishing attacks?
A) Require Multi-Factor Authentication (MFA)
B) Allow IAM users to share passwords
C) Store IAM credentials in public repositories
D) Use root credentials for all operations
✅ Answer: A) Require Multi-Factor Authentication (MFA)
Explanation: With MFA, a phished password alone does not yield a session. The factor type matters: TOTP and SMS codes can be relayed through a real-time phishing proxy, whereas FIDO2/WebAuthn security keys bind the assertion to the origin and resist that attack; IAM supports them for IAM users and the root user. Prefer short-lived credentials from IAM Identity Center or STS over long-term access keys, which MFA does not protect at all.
197. How can you ensure Amazon EBS volumes are encrypted by default?
A) Enable AWS KMS encryption for new EBS volumes
B) Disable EBS encryption
C) Allow public access to EBS volumes
D) Store EBS snapshots in plaintext
✅ Answer: A) Enable AWS KMS encryption for new EBS volumes
Explanation: EBS encryption by default is an account-level setting enabled per Region (EC2 console, Settings, EBS encryption, or aws ec2 enable-ebs-encryption-by-default). Once it is on, every new volume and snapshot copy in that Region is encrypted with the default key, the AWS managed aws/ebs key unless you choose a customer managed KMS key with modify-ebs-default-kms-key-id. It does not retroactively encrypt existing volumes; those must be snapshotted, copied with encryption and re-created.
198. What AWS security service helps analyze IAM permissions to reduce excessive privileges?
A) AWS IAM Access Analyzer
B) AWS Lambda
C) AWS CloudFront
D) AWS CodeDeploy
✅ Answer: A) AWS IAM Access Analyzer
Explanation: IAM Access Analyzer reports external access (resource policies reachable from outside your zone of trust), unused access (roles, users, access keys and individual permissions not exercised within a window you set), and can generate a least-privilege policy for a role from the actions CloudTrail recorded it actually using.
199. What AWS service helps secure EC2 instances by providing patch management?
A) AWS Systems Manager Patch Manager
B) AWS Lambda
C) AWS Route 53
D) AWS CloudFormation
✅ Answer: A) AWS Systems Manager Patch Manager
Explanation: Systems Manager Patch Manager applies operating-system and application patches to managed instances on a schedule, using patch baselines to decide which updates are approved and maintenance windows to control when they are installed, and reports compliance per instance.
200. How can you prevent unauthorized modifications to AWS Security Groups?
A) Use AWS Config rules to monitor changes
B) Allow unrestricted access to Security Groups
C) Delete all Security Groups
D) Store Security Group configurations in plaintext
✅ Answer: A) Use AWS Config rules to monitor changes
Explanation: AWS Config rules such as restricted-ssh and restricted-common-ports flag security groups that drift from policy, and a remediation action (an SSM Automation document) can revert the change; this is detection and rollback, not prevention. To stop the modification itself, restrict ec2:AuthorizeSecurityGroupIngress and the related write actions with IAM policies or an SCP, and alert on the CloudTrail events through EventBridge.
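Detection logic for security-group changes run over CloudTrail records, as an added example rather than anything from the page or from AWS. The records are constructed (trimmed to the fields used), and the approved automation role name NetworkAutomation and the sensitive-port list are assumptions; the nested requestParameters layout follows the shape EC2 writes into CloudTrail.

```python
"""Detection logic for security-group changes, run over CloudTrail records.
Added example with constructed records; the approved automation role name and
the sensitive-port list are assumptions."""
import re

SG_WRITE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules", "DeleteSecurityGroup",
}
ANYWHERE = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
# Only this role is expected to change security groups (assumed name).
APPROVED_ROLE = re.compile(r"role/NetworkAutomation(/|$)")


def _world_open_rules(params):
    """Yield (protocol, from_port, to_port, cidr) for rules open to everyone.

    Mirrors the nested requestParameters shape EC2 uses in CloudTrail."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr


def _hits_sensitive_port(protocol, from_port, to_port):
    if protocol == "-1" or from_port is None or to_port is None:
        return True                      # all traffic, or all ports of the protocol
    return any(from_port <= p <= to_port for p in SENSITIVE_PORTS)


def analyze(records):
    """Return (severity, eventID, message) findings for the given CloudTrail records."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in SG_WRITE_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        arn = identity.get("arn", "")
        params = rec.get("requestParameters") or {}
        group = params.get("groupId", "<unknown>")
        event_id = rec.get("eventID")
        if not APPROVED_ROLE.search(arn):
            findings.append(("MEDIUM", event_id, f"{name} on {group} by unapproved principal {arn}"))
        mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if identity.get("type") == "IAMUser" and mfa != "true":
            findings.append(("MEDIUM", event_id, f"{name} on {group} by IAM user without MFA"))
        if name == "AuthorizeSecurityGroupIngress":
            for proto, lo, hi, cidr in _world_open_rules(params):
                if _hits_sensitive_port(proto, lo, hi):
                    findings.append(("HIGH", event_id, f"{group} opened {proto} {lo}-{hi} to {cidr}"))
    return findings


# Constructed sample records (trimmed to the fields used above).
SAMPLE_RECORDS = [
    {   # IAM user, console session without MFA, opens SSH to the world
        "eventID": "evt-1", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # approved automation role adds HTTPS from the corporate range: no finding
        "eventID": "evt-2", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/NetworkAutomation/deploy"},
        "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}},
    },
    {   # read-only call: ignored
        "eventID": "evt-3", "eventName": "DescribeSecurityGroups",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]

if __name__ == "__main__":
    for severity, event_id, message in analyze(SAMPLE_RECORDS):
        print(severity, event_id, message)
```

The same logic fits inside a Lambda function triggered by an EventBridge rule on `AWS API Call via CloudTrail` events, which is the near-real-time path; running it over exported trail files, as here, is the retrospective one.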