AWS Solutions Architect Associate (SAA-C03)

Domain 1.1: Secure Access

43 questions across 7 exams

All questions (43)

A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. What is the MOST efficient way to enforce this requirement?

A solutions architect is designing an application that will run on Amazon EC2 instances. The application needs to access an Amazon S3 bucket to read configuration files. What is the MOST secure way to grant the EC2 instances access to the S3 bucket?

A company wants to implement a federated identity solution for its employees to access the AWS Management Console. The company already uses an on-premises Microsoft Active Directory. Which TWO solutions will meet this requirement? (Select TWO.)

A mobile application needs to access Amazon DynamoDB directly to read user-specific data. The application uses a third-party identity provider (IdP) like Google or Facebook for user authentication. What is the MOST secure way to grant the mobile app access to DynamoDB?

A company is hosting a web application on Amazon EC2 instances. The application connects to an Amazon RDS for MySQL database. The security team mandates that database credentials must not be stored in the application code or configuration files. Which solution meets this requirement with the LEAST operational overhead?

A solutions architect is reviewing the security of an AWS account. The architect notices that the AWS account root user has been used recently to perform administrative tasks. What should the architect recommend to secure the root user? (Select the BEST answer.)

A company wants to enforce strict security controls on its AWS environment. They want to ensure that all IAM users are required to use Multi-Factor Authentication (MFA) before they can access any AWS services via the CLI or Management Console. Which TWO actions should a solutions architect take to meet this requirement? (Select TWO.)

A company wants to ensure that no AWS resources can be created in the ap-northeast-1 region across all of its AWS accounts. What is the MOST efficient way to enforce this?

An application running on an EC2 instance needs to access an Amazon DynamoDB table in a different AWS account. What is the MOST secure way to grant this access?

A mobile application requires users to sign in using their social media accounts (Google, Facebook). Once authenticated, the app needs temporary AWS credentials to upload files directly to Amazon S3. Which AWS service combination should be used?

A company uses AWS Organizations to manage multiple AWS accounts. They want to implement a single sign-on solution for their developers using their existing on-premises Microsoft Active Directory. Which TWO actions are required? (Select TWO.)

A company wants to ensure that developers can only launch EC2 instances of type 't3.micro' in their development AWS account. How can this be enforced?

A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only IAM users from a specific AWS account can access the bucket. Which solution is the MOST secure and requires the LEAST operational overhead?

A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no user, including root users, can disable AWS CloudTrail in any member account. Which TWO actions should the solutions architect take? (Select TWO.)

An application running on Amazon EC2 needs to access an Amazon DynamoDB table. What is the MOST secure way to grant the EC2 instance access to DynamoDB?

A mobile application requires users to sign in using their social media accounts (Google, Facebook). Once authenticated, the application needs to access an Amazon S3 bucket to upload user-specific photos. Which AWS service combination is MOST appropriate?

A senior developer needs the ability to create new IAM roles for Lambda functions. However, the security team wants to ensure the developer cannot create roles with administrative privileges. How can this be enforced?

A company wants to allow external users to upload large video files directly to an Amazon S3 bucket without requiring AWS credentials. The upload URL should expire after 1 hour. Which TWO actions should the solutions architect take? (Select TWO.)

A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. Which solution is the MOST secure and requires the LEAST operational overhead?

An application running on Amazon EC2 instances needs to access an Amazon DynamoDB table. Both resources are in the same AWS account. What is the MOST secure way to grant the EC2 instances access to the DynamoDB table?

A company is building a mobile app that requires users to authenticate using their social media accounts (Google, Facebook). Once authenticated, the app needs to directly access an Amazon S3 bucket to upload profile pictures. Which combination of AWS services should the solutions architect use to provide this functionality MOST securely?

A company wants to enforce a policy that all IAM users must use Multi-Factor Authentication (MFA). If a user does not have MFA enabled, they should only be able to manage their own credentials and MFA device, and should be denied access to all other AWS services. How can a solutions architect implement this requirement?

An application uses Amazon API Gateway and AWS Lambda. The API is public, but the company wants to restrict access so that only users who have authenticated via a third-party OpenID Connect (OIDC) identity provider can call the API. What is the MOST appropriate way to secure the API?

A developer needs to grant an external partner AWS account access to an Amazon SNS topic in their account. What is the MOST secure way to grant this access?

A company needs to grant an external auditor read-only access to specific AWS resources. The auditor has their own AWS account. What is the MOST secure way to grant this access?

An application running on EC2 instances needs to access objects in an S3 bucket. The security team mandates that no hardcoded credentials are used. How should a solutions architect meet this requirement?

A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. What is the MOST efficient way to enforce this?

A mobile application needs to authenticate users using their social media accounts (Google, Facebook). Once authenticated, the application needs to access an Amazon DynamoDB table directly to store user preferences. Which TWO Amazon Cognito components are required? (Select TWO.)

A company has 50 AWS accounts managed by AWS Organizations. They want to provide their employees with single sign-on (SSO) access to these accounts using their existing on-premises Active Directory. Which AWS service should they use?

A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that AWS CloudTrail is enabled across all accounts and cannot be disabled by any local account administrators. What is the MOST secure way to achieve this?

A company has two AWS accounts: Account A for development and Account B for production. Developers in Account A need to access an Amazon S3 bucket in Account B to read configuration files. Which solution meets this requirement with the LEAST operational overhead?

A mobile application needs to authenticate users using their social media accounts (Facebook, Google) and then grant them temporary access to upload photos directly to an Amazon S3 bucket. Which AWS service combination should a solutions architect use?

A company is running an application on Amazon EC2 instances. The application needs to connect to an Amazon RDS for MySQL database. The company wants to avoid storing database credentials in the application code or configuration files. Which solution meets these requirements MOST securely?

A company has 50 AWS accounts managed by AWS Organizations. The IT team wants to implement a centralized authentication solution for their employees to access the AWS Management Console across all accounts using their existing on-premises Active Directory credentials. Which AWS service should be used?

A company wants to restrict access to an Amazon S3 bucket so that only requests originating from a specific Amazon Virtual Private Cloud (VPC) are allowed. Which TWO actions must a solutions architect take to meet this requirement? (Select TWO.)

An application requires access to a third-party API using an API key. The security team mandates that the API key must be encrypted at rest and automatically rotated every 30 days. Which AWS service should be used to store the API key?

A company has multiple AWS accounts in an AWS Organizations organization. The security team needs to ensure that no user or role in any account can disable AWS CloudTrail. What is the MOST secure and efficient way to meet this requirement?

An application runs on Amazon EC2 instances and needs to access an Amazon S3 bucket. What is the MOST secure way to grant the EC2 instances access to the S3 bucket?

A company wants to implement federated access to the AWS Management Console for its employees using their existing on-premises Active Directory. Which TWO services or features can be used to achieve this? (Select TWO.)

A company is building a mobile application that requires users to sign in using their social media accounts (Facebook, Google). The application needs to access AWS resources like Amazon DynamoDB after authentication. Which AWS service should be used?

A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. How can a Solutions Architect implement this requirement?

A company needs to grant a third-party vendor access to an S3 bucket in its AWS account. The vendor will access the bucket from their own AWS account. What is the MOST secure way to grant this access?

A developer needs to pass a database password to an AWS Lambda function. The password must be encrypted and rotated automatically every 30 days. Which AWS service should be used?
