© 2026 TinyHive Labs. Company number 16262776.

    AWS Solutions Architect Professional (SAP-C02)

    Domain 1.2: Security Controls

    55 questions across 7 exams

    Exams covering this topic

    • AWS Solutions Architect Professional SAP-C02 Practice Exam 1
    • AWS Solutions Architect Professional SAP-C02 Practice Exam 2
    • AWS Solutions Architect Professional SAP-C02 Practice Exam 3
    • AWS Solutions Architect Professional SAP-C02 Practice Exam 4
    • AWS Solutions Architect Professional SAP-C02 Practice Exam 5
    • AWS Solutions Architect Professional SAP-C02 Practice Exam 6
    • AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    All questions (55)

    Q02 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    A company uses AWS Organizations. The security team wants to ensure that no IAM user or role can disable AWS CloudTrail in any member account, even if they have AdministratorAccess. How can this be achieved?

    Q17 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    An enterprise uses AWS IAM Identity Center (AWS SSO) integrated with their on-premises Active Directory. Users are complaining that they cannot access a newly created AWS account within the organization. What is the MOST likely cause?

    Q35 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    A company has a multi-account environment managed by AWS Control Tower. They want to ensure that any Amazon S3 bucket created in any account automatically has AWS Key Management Service (AWS KMS) default encryption enabled. How can this be enforced centrally?

    Q38 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    An enterprise has a strict regulatory requirement that all API calls made within their AWS environment must be logged, and these logs must be stored in a centralized, highly secure account. The logs must be cryptographically verifiable to prove they have not been tampered with. How should this be configured?

    Q42 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    An enterprise uses AWS Organizations. They want to ensure that developers in the 'Sandbox' Organizational Unit (OU) can only use a specific set of approved AWS services (e.g., EC2, S3, RDS), and are explicitly denied access to all other services. How can this be achieved?

    Q49 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    A company is using AWS IAM Identity Center (AWS SSO). They want to enforce multi-factor authentication (MFA) for all users, but they want to allow users to register their own MFA devices without requiring administrator intervention. How can this be configured?

    Q75 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 1

    An architect is designing a secure, multi-account environment. They need to ensure that Amazon EC2 instances in private subnets can securely access AWS Systems Manager (SSM) without traversing the public internet. They also need to ensure that SSM access is restricted ONLY to resources within their specific AWS Organization. Which TWO configurations are required? (Select TWO)

    Q01 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    A company is setting up a multi-account AWS environment using AWS Organizations. They need to ensure that no account can deploy resources in the ap-northeast-1 region, except for a specific 'Global-Security' account. What is the MOST operationally efficient way to achieve this?

    Q06 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    An organization uses AWS Control Tower to manage its multi-account environment. They need to ensure that Amazon S3 Public Access is blocked across all accounts, and any non-compliant buckets are automatically remediated. Which combination of services provides the BEST solution?

    Q13 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    A company requires strict data residency and encryption controls. They must use AWS KMS for encryption, but the key material must be generated and stored in an on-premises Hardware Security Module (HSM). Which TWO steps are required to implement this? (Select TWO)

    Q17 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    A company is designing a multi-account architecture. They need to ensure that developers in 'Sandbox' accounts have administrative access, but they absolutely cannot disable AWS CloudTrail or modify AWS Config rules. Which TWO actions should the architect take? (Select TWO)

    Q20 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    An organization is using AWS IAM Identity Center (successor to AWS SSO) integrated with their on-premises Active Directory. Users are complaining about access denied errors when assuming roles in member accounts, despite being in the correct AD groups. Which TWO areas should the architect investigate? (Select TWO)

    Q41 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    A company has a strict regulatory requirement that all data stored in Amazon S3 must be encrypted using keys managed by the company, and the company must be able to immediately revoke access to the keys. Which encryption strategy should they use?

    Q50 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    An organization is using AWS Organizations. They want to ensure that any new IAM user created in any member account automatically has a permissions boundary attached. If the boundary is not attached, the creation should fail. How can this be enforced centrally?

    Q54 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    An enterprise has 100 AWS accounts. They want to ensure that Amazon GuardDuty is enabled in every account and region, and that all findings are aggregated into a central 'Security Tooling' account. What is the MOST operationally efficient way to achieve this?

    Q68 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    An architect is designing a secure architecture for a financial application. The application runs on EC2 instances in a private subnet and needs to access Amazon S3 to store sensitive documents. The security team mandates that this traffic must not traverse the public internet and must be restricted to a specific S3 bucket. How should this be implemented?

    Q69 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 2

    A company is using AWS Organizations. They want to apply a Service Control Policy (SCP) to an Organizational Unit (OU) to prevent any user from deleting VPC Flow Logs. However, they want the 'NetworkAdmin' IAM role to be exempt from this restriction. How can this be achieved?

    Q02 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 3

    A company uses AWS Organizations. The CISO requires that no EC2 instances can be launched outside of the us-east-1 and eu-west-1 regions across all 50 member accounts. How can this be enforced centrally?

    Q23 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 3

    An architecture uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The security team requires that the EC2 instances only accept traffic from the ALB. How should the security groups be configured?

    Q24 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 3

    A company uses AWS IAM Identity Center (AWS SSO) for federation. They need to grant developers read-only access to production accounts, but full access to development accounts. What is the BEST way to manage this?

    Q51 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 3

    An enterprise wants to enforce strict data perimeter controls. They must ensure that IAM principals in their organization can only access AWS resources from within their corporate network or their VPCs. Which TWO mechanisms should be used together? (Select TWO)

    Q70 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 3

    An architect is designing a secure ingress architecture for a web application. They need to protect against DDoS attacks, block malicious bots, and terminate SSL/TLS. Which THREE services should be combined at the edge? (Select THREE)

    Q02 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    A financial services company uses AWS Organizations to manage 100+ accounts. The security team mandates that no Amazon S3 buckets can be made public, and all EBS volumes must be encrypted. Developers must still be able to create resources freely within these constraints. Which combination of actions should the Solutions Architect take to enforce these requirements with the LEAST operational overhead? (Select TWO)

    Q07 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    An organization uses AWS IAM Identity Center (AWS SSO) integrated with an on-premises Active Directory. Users are complaining about access denied errors when trying to assume a specific IAM role in a member account, even though they are in the correct AD group. The Solutions Architect verifies the Permission Set is attached. What is the MOST likely cause of the issue?

    Q11 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    A company is deploying a new microservices architecture using Amazon EKS. The security team requires that all pod-to-pod communication within the cluster be encrypted. Additionally, they must restrict which pods can communicate with each other based on labels. Which solution meets these requirements with the LEAST operational overhead?

    Q12 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    An enterprise is migrating its on-premises data lake to Amazon S3. They have 5 PB of data. The data must be encrypted at rest using keys managed by the enterprise's on-premises Hardware Security Module (HSM). The migration must be completed within 30 days, and their internet connection is 1 Gbps, heavily utilized by other workloads. Which combination of steps should the architect take? (Select THREE)

    Q18 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    A company requires that all IAM users authenticate using MFA before assuming any cross-account roles. They have a central Identity account and multiple workload accounts. How can the Solutions Architect enforce this requirement globally across the Organization?

    Q32 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    An enterprise is designing a multi-account architecture. They need to ensure that developers in the 'Sandbox' accounts can experiment freely, but are strictly prohibited from provisioning resources in any region other than us-east-1 and eu-west-1. Furthermore, they must not be able to disable AWS CloudTrail. Which combination of actions will enforce these rules? (Select TWO)

    Q46 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    A company uses Amazon Cognito User Pools for customer authentication. They want to implement a custom security requirement: if a user logs in from an IP address that is different from their last login, they must be prompted for Multi-Factor Authentication (MFA). If the IP is the same, MFA should be bypassed. How can the architect implement this logic?

    Q66 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 4

    A company is using AWS Control Tower. They want to ensure that all EBS volumes created in any member account are encrypted with a specific AWS KMS Customer Managed Key (CMK) owned by a central Security account. What is the MOST robust way to enforce this?

    Q02 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company uses AWS Organizations to manage multiple accounts. The security team mandates that no Amazon S3 buckets can be made public, and all EBS volumes must be encrypted. Developers need the ability to manage their own IAM roles, but must not be able to bypass these security controls. Which combination of actions should the Solutions Architect take? (Select TWO)

    Q07 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A healthcare company is migrating to AWS and must comply with HIPAA. They are setting up a multi-account structure. They need to ensure that AWS CloudTrail logs are immutable, encrypted, and centrally stored. Additionally, they must automatically detect if any CloudTrail logging is disabled across the organization. Which combination of steps should the Architect take? (Select THREE)

    Q27 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company has a web application deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses Amazon RDS for MySQL. The security team wants to implement a Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting (XSS) attacks. They also want to block requests from specific countries. Where should the Architect deploy AWS WAF?

    Q33 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company is using AWS Organizations. The security team wants to ensure that no one, including the root user of member accounts, can disable AWS CloudTrail. They have applied a Service Control Policy (SCP) to the root of the organization denying the `cloudtrail:StopLogging` action. However, during an audit, they discover that an administrator in a member account was able to disable CloudTrail. What is the MOST likely reason for this?

    Q44 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A financial institution is building a data lake on Amazon S3. They must enforce strict data governance. Specifically, they need to ensure that sensitive data (like credit card numbers) is automatically discovered and masked before analysts can query it via Amazon Athena. They also need to manage fine-grained access control (column-level and row-level) to the data. Which combination of services should be used? (Select TWO)

    Q46 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    An enterprise is migrating its on-premises Active Directory (AD) to AWS. They want to use AWS IAM Identity Center (successor to AWS SSO) to manage access to their 100+ AWS accounts. They want to maintain their existing AD as the single source of truth for user identities and passwords. Which architecture provides the MOST reliable and lowest latency authentication experience?

    Q52 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company is running a containerized application on Amazon EKS. The application needs to access an Amazon S3 bucket to store user uploads. The security team mandates the principle of least privilege: only the specific pods running the upload service should have access to the S3 bucket, and no other pods in the cluster should have access. How should the Architect implement this?

    Q54 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company is using AWS Organizations with all features enabled. The security team wants to ensure that no IAM user or role in any member account can access AWS services in regions other than us-east-1 and eu-west-1. However, they need to ensure that global services like AWS IAM and Amazon CloudFront continue to function normally. How can this be achieved?

    Q60 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    An enterprise has a strict compliance requirement that all Amazon EBS volumes must be encrypted with a specific AWS KMS Customer Managed Key (CMK). They want to enforce this automatically so that if a developer forgets to specify the encryption key during instance launch, the volume is still encrypted with the correct CMK, and the launch does not fail. How can the Architect achieve this with the LEAST operational overhead?

    Q66 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company is using AWS Organizations. They want to implement a centralized logging solution where all AWS CloudTrail logs and VPC Flow Logs from 100+ member accounts are sent to a single Amazon S3 bucket in a dedicated 'Log Archive' account. The security team wants to ensure that no one, not even the administrators of the member accounts, can modify or delete the logs once they are written. Which solution is the MOST secure and scalable?

    Q69 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 5

    A company has a multi-tier application running in a VPC. The web tier is in public subnets, and the application and database tiers are in private subnets. The security team wants to implement microsegmentation to ensure that the web tier can only communicate with the application tier on port 8080, and the application tier can only communicate with the database tier on port 3306. All other internal traffic must be blocked. What is the MOST scalable way to implement this?

    Q06 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 6

    An enterprise uses AWS Organizations with all features enabled. The CISO mandates that no AWS account can disable AWS CloudTrail, and this rule must apply to the root user of member accounts. What is the MOST secure way to enforce this?

    Q07 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 6

    A company stores highly sensitive PII in Amazon S3. They require that data is encrypted at rest using keys managed by the company. The company must be able to immediately revoke access to the keys, rendering the data unreadable. Which encryption strategy meets these requirements?

    Q08 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 6

    An architecture includes an Application Load Balancer (ALB) fronting an Amazon ECS cluster. The security team wants to block malicious IP addresses, prevent SQL injection attacks, and ensure that only traffic from the ALB can reach the ECS tasks. Which combination of services and configurations should be used?

    Q09 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 6

    A company uses AWS IAM Identity Center (AWS SSO) integrated with their on-premises Active Directory. Developers need CLI access to AWS accounts. The security policy mandates that long-term IAM access keys must not be used. How should developers authenticate to the AWS CLI?

    Q10 · Hard · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 6

    An enterprise wants to centrally manage and automate the rotation of database credentials for Amazon RDS instances across 50 AWS accounts. The solution must ensure that applications can retrieve the latest credentials without code changes. Which approach is MOST architecturally sound?

    Q03 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    An enterprise has 100 AWS accounts in AWS Organizations. The security team mandates that all Amazon S3 buckets across all accounts must block public access. If a bucket is created without this setting, it must be automatically remediated within minutes. Which solution meets these requirements with the LEAST operational overhead?

    Q04 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    A financial company requires that all EBS volumes, S3 buckets, and RDS databases be encrypted using customer-managed keys. The company has a strict requirement that the cryptographic material must be generated and stored in a single-tenant hardware appliance under their exclusive control. Which AWS service should the architect use?

    Q19 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    An enterprise uses AWS Organizations. The security team wants to ensure that no IAM user or role in any member account can disable AWS CloudTrail. However, the central security team's IAM role in the management account must retain this ability. How should this be implemented?

    Q23 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    An enterprise is migrating its Active Directory to AWS. They want to use AWS Managed Microsoft AD. They have a requirement to share this directory with 20 other AWS accounts in their AWS Organization so that EC2 instances in those accounts can seamlessly join the domain. What is the MOST operationally efficient way to achieve this?

    Q25 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    A company has a multi-tier application running on AWS. The web tier is in a public subnet, and the application and database tiers are in private subnets. The application tier needs to download software updates from the internet. The security team requires that the application tier's outbound internet access be restricted to only the specific domains of the software vendors. How can this be achieved?

    Q29 · Easy · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    An enterprise has a strict compliance requirement that all Amazon EBS volumes must be encrypted. They want to ensure that no unencrypted EBS volumes can be created in their AWS accounts, even by administrators. What is the MOST robust way to enforce this?

    Q41 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    A media company stores petabytes of video archives in Amazon S3 Glacier Deep Archive. They receive a legal request to place a 'legal hold' on a specific set of archives, ensuring they cannot be deleted or modified by anyone, including the root user, until the hold is lifted. How should this be implemented?

    Q58 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    A company requires that all IAM users authenticate using Multi-Factor Authentication (MFA) before they can access any AWS APIs via the CLI. How can the Solutions Architect enforce this requirement globally across the AWS account?

    Q72 · Medium · 1 mark · AWS Solutions Architect Professional SAP-C02 Practice Exam 7

    A company is designing a secure network architecture. They have a VPC with public and private subnets. EC2 instances in the private subnets need to download patches from the internet. The security team requires that all outbound traffic be inspected for malware and that access to specific domains can be blocked. Which combination of services should be used? (Select TWO)

