Fundamentals Quiz - GlobeSec.ai

D1 Threat Detection & Incident Response

0/25 ▼

Q1. What AWS service continuously monitors for malicious activity and unauthorized behavior using threat intelligence?

A Amazon Inspector

B Amazon GuardDuty

C AWS Config

D Amazon Detective

✓ Explanation: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using threat intelligence feeds, ML, and anomaly detection.
📖 GuardDuty User Guide →

Q2. Which service aggregates security findings from multiple AWS services into a single dashboard?

A AWS CloudTrail

B Amazon Detective

C AWS Security Hub

D AWS Trusted Advisor

✓ Explanation: AWS Security Hub provides a comprehensive view of security alerts and compliance status by aggregating findings from GuardDuty, Inspector, Macie, and other services.
📖 Security Hub User Guide →

Q3. What does Amazon Detective help you do?

A Encrypt data at rest

B Investigate and analyze security findings

C Block DDoS attacks

D Manage IAM policies

✓ Explanation: Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings by automatically collecting log data and using ML to build visualizations.
📖 Detective User Guide →

Q4. Which AWS service can automatically remediate non-compliant resources using rules?

A AWS Config

B Amazon GuardDuty

C AWS Shield

D Amazon Macie

✓ Explanation: AWS Config rules can detect non-compliant resources and trigger automatic remediation actions through AWS Systems Manager Automation documents.
📖 AWS Config Remediation →

Q5. GuardDuty analyzes which of the following data sources? (Select the BEST answer)

A Only S3 access logs

B VPC Flow Logs, DNS logs, and CloudTrail events

C Only CloudWatch metrics

D Only IAM policy changes

✓ Explanation: GuardDuty analyzes VPC Flow Logs, DNS logs, CloudTrail management events, and optionally S3 data events and EKS audit logs to detect threats.
📖 GuardDuty Data Sources →

Q6. What is the first step in the AWS incident response framework?

A Eradicate the threat

B Contain the affected resources

C Prepare and establish procedures

D Restore from backup

✓ Explanation: The AWS incident response framework follows: Prepare, Detect, Contain, Eradicate, Recover, and Lessons Learned. Preparation is always the first step.
📖 AWS Security Incident Response Guide →

Q7. Which service would you use to automatically respond to a GuardDuty finding?

A Amazon SNS alone

B Amazon EventBridge with Lambda

C AWS Direct Connect

D Amazon S3

✓ Explanation: Amazon EventBridge can capture GuardDuty findings as events and trigger AWS Lambda functions to perform automated remediation actions.
📖 GuardDuty EventBridge Integration →

Q8. What type of finding does GuardDuty generate when it detects cryptocurrency mining on an EC2 instance?

A Recon:EC2

B CryptoCurrency:EC2

C Trojan:EC2

D UnauthorizedAccess:EC2

✓ Explanation: GuardDuty generates CryptoCurrency:EC2 finding types when it detects EC2 instances communicating with known cryptocurrency mining pools.
📖 GuardDuty EC2 Finding Types →

Q9. Which AWS service scans EC2 instances and container images for software vulnerabilities?

A Amazon GuardDuty

B Amazon Inspector

C AWS WAF

D AWS Shield

✓ Explanation: Amazon Inspector automatically discovers and scans EC2 instances, Lambda functions, and container images in ECR for software vulnerabilities and unintended network exposure.
📖 Amazon Inspector User Guide →

Q10. During an incident, what is the recommended approach for an EC2 instance you suspect is compromised?

A Immediately terminate the instance

B Isolate it by changing its security group

C Ignore it and monitor

D Reboot the instance

✓ Explanation: Best practice is to isolate the compromised instance by switching its security group to one that blocks all traffic, preserving the instance for forensic investigation.
📖 Isolate Affected Resources →

Q11. What does the 'Suppress' feature in GuardDuty do?

A Deletes findings permanently

B Archives findings matching filter criteria automatically

C Disables GuardDuty entirely

D Blocks the detected threat

✓ Explanation: Suppression rules in GuardDuty automatically archive findings that match specified filter criteria, reducing noise from known acceptable behaviors.
📖 GuardDuty Suppression Rules →

Q12. Which AWS service provides managed threat intelligence feeds?

A AWS WAF

B Amazon GuardDuty

C AWS CloudTrail

D Amazon CloudFront

✓ Explanation: GuardDuty integrates with AWS threat intelligence and third-party feeds (like CrowdStrike and Proofpoint) to identify known malicious IPs and domains.
📖 GuardDuty Threat Intelligence →

Q13. What is an Amazon EventBridge rule used for in security automation?

A Encrypting data at rest

B Routing events to targets based on patterns

C Creating VPC subnets

D Managing DNS records

✓ Explanation: EventBridge rules match incoming events (like GuardDuty findings) against patterns and route them to targets such as Lambda, SNS, or Step Functions for automated response.
📖 EventBridge Rules →

Q14. Which service helps you create an automated incident response workflow with multiple steps?

A Amazon S3

B AWS Step Functions

C Amazon RDS

D AWS Direct Connect

✓ Explanation: AWS Step Functions lets you orchestrate multiple Lambda functions and AWS service actions into complex, multi-step incident response workflows with error handling.
📖 Step Functions Developer Guide →

Q15. What is the purpose of enabling GuardDuty in a delegated administrator account?

A To reduce costs

B To centrally manage GuardDuty across all organization accounts

C To encrypt findings

D To create VPC endpoints

✓ Explanation: A delegated administrator account can enable and manage GuardDuty across all member accounts in an AWS Organization, providing centralized threat detection.
📖 GuardDuty with Organizations →

Q16. Which finding type indicates that an IAM credential may be compromised?

A Recon:IAMUser

B UnauthorizedAccess:IAMUser

C Policy:IAMUser

D All of these are valid finding types

✓ Explanation: GuardDuty has multiple IAM finding types including Recon:IAMUser, UnauthorizedAccess:IAMUser, and others that indicate different types of potentially compromised credential usage.
📖 GuardDuty IAM Finding Types →

Q17. What should you do with IAM access keys if you suspect they are compromised?

A Rotate them next month

B Immediately deactivate or delete them

C Share them with your manager

D Add more permissions to them

✓ Explanation: Compromised access keys should be immediately deactivated (not deleted initially, to preserve audit trail) and new keys issued if needed.
📖 Managing IAM Access Keys →

Q18. Which service can you use to create a forensic copy of an EBS volume during an investigation?

A AWS Backup

B EBS Snapshots

C Amazon S3 Glacier

D AWS DataSync

✓ Explanation: EBS Snapshots allow you to create point-in-time copies of EBS volumes for forensic analysis without disrupting the original evidence.
📖 Amazon EBS Snapshots →

Q19. What does Amazon Detective use to build its behavior graph?

A Manual input only

B CloudTrail logs, VPC Flow Logs, and GuardDuty findings

C Only S3 access logs

D Only CloudWatch metrics

✓ Explanation: Detective automatically ingests CloudTrail logs, VPC Flow Logs, and GuardDuty findings to build a behavior graph that links related security events.
📖 Detective Source Data →

Q20. How does GuardDuty detect threats without deploying agents?

A It uses hardware sensors

B It analyzes AWS service log data via the AWS backend

C It requires manual log uploads

D It monitors physical servers

✓ Explanation: GuardDuty is agentless — it analyzes AWS service logs (VPC Flow Logs, CloudTrail, DNS) directly from the AWS infrastructure backend.
📖 How GuardDuty Works →

Q21. What is the recommended way to notify a security team about a critical GuardDuty finding?

A Check the console manually every day

B Use EventBridge to send to SNS topic

C Email the finding from personal email

D Post it on social media

✓ Explanation: Configure an EventBridge rule to match high-severity GuardDuty findings and send notifications to an SNS topic subscribed by the security team.
📖 GuardDuty Notifications →

Q22. Which AWS service performs automated security assessments against best practices?

A Amazon Inspector

B AWS CloudFormation

C Amazon DynamoDB

D AWS Lambda

✓ Explanation: Amazon Inspector runs automated security assessments that check for vulnerabilities and deviations from security best practices on your AWS workloads.
📖 Amazon Inspector Overview →

Q23. In incident response, what does 'containment' mean?

A Deleting all affected resources

B Limiting the blast radius to prevent further damage

C Ignoring the incident

D Writing a post-mortem

✓ Explanation: Containment is the phase where you take actions to limit the scope and impact of an incident, such as isolating compromised resources while preserving evidence.
📖 Contain the Incident →

Q24. What is the benefit of enabling GuardDuty S3 protection?

A It encrypts S3 buckets

B It monitors S3 data access events for suspicious activity

C It creates S3 backups

D It configures S3 lifecycle policies

✓ Explanation: GuardDuty S3 protection monitors CloudTrail S3 data events to detect suspicious activities like unusual data access patterns or access from malicious IP addresses.
📖 GuardDuty S3 Protection →

Q25. Which AWS service can be used to run commands on EC2 instances during incident response without SSH?

A AWS Direct Connect

B AWS Systems Manager Run Command

C Amazon CloudFront

D Amazon Route 53

✓ Explanation: Systems Manager Run Command lets you remotely and securely execute commands on EC2 instances without needing SSH access, useful for forensic data collection during incidents.
📖 SSM Run Command →

D2 Security Logging & Monitoring

0/25 ▼

Q1. Which AWS service records API calls made in your AWS account?

A Amazon CloudWatch

B AWS CloudTrail

C AWS Config

D Amazon GuardDuty

✓ Explanation: AWS CloudTrail records API calls made in your account, providing a history of AWS API calls for auditing, compliance, and operational troubleshooting.
📖 CloudTrail User Guide →

Q2. What is the difference between CloudTrail management events and data events?

A There is no difference

B Management events track control plane operations; data events track resource-level operations

C Data events are free; management events cost extra

D Management events only work in us-east-1

✓ Explanation: Management events capture control plane actions (e.g., creating an EC2 instance), while data events capture resource-level operations (e.g., S3 GetObject, Lambda Invoke).
📖 CloudTrail Event Types →

Q3. Which service provides real-time monitoring of AWS resources using metrics and alarms?

A AWS CloudTrail

B Amazon CloudWatch

C AWS Config

D Amazon Inspector

✓ Explanation: Amazon CloudWatch collects and tracks metrics, monitors log files, sets alarms, and automatically reacts to changes in your AWS resources in real-time.
📖 CloudWatch Overview →

Q4. What are VPC Flow Logs used for?

A Encrypting VPC traffic

B Capturing information about IP traffic going to and from network interfaces

C Creating VPC peering connections

D Managing route tables

✓ Explanation: VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC, useful for troubleshooting and security monitoring.
📖 VPC Flow Logs →

Q5. Where can VPC Flow Logs be published?

A Only to S3

B Only to CloudWatch Logs

C To CloudWatch Logs, S3, or Kinesis Data Firehose

D Only to DynamoDB

✓ Explanation: VPC Flow Logs can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose for storage and analysis.
📖 Flow Log Destinations →

Q6. What does AWS Config continuously monitor and record?

A Network bandwidth usage

B Resource configurations and changes

C CPU utilization of EC2 instances

D DNS query logs

✓ Explanation: AWS Config continuously monitors and records your AWS resource configurations and allows you to evaluate them against desired configurations using Config rules.
📖 AWS Config Overview →

Q7. Which CloudWatch feature allows you to search and analyze log data?

A CloudWatch Metrics

B CloudWatch Logs Insights

C CloudWatch Dashboards

D CloudWatch Synthetics

✓ Explanation: CloudWatch Logs Insights is an interactive query service that lets you search and analyze log data in CloudWatch Logs using a purpose-built query language.
📖 CloudWatch Logs Insights →

Q8. What is a CloudTrail trail?

A A hiking path in AWS data centers

B A configuration that enables delivery of CloudTrail events to an S3 bucket

C A type of EC2 instance

D A VPC routing rule

✓ Explanation: A trail is a configuration that enables delivery of CloudTrail events to an Amazon S3 bucket, CloudWatch Logs, and/or CloudWatch Events.
📖 Creating a Trail →

Q9. How can you ensure CloudTrail log file integrity?

A Store logs in DynamoDB

B Enable CloudTrail log file validation

C Use HTTP instead of HTTPS

D Delete old logs regularly

✓ Explanation: CloudTrail log file validation creates a digitally signed digest file every hour, allowing you to verify that log files have not been modified or deleted.
📖 Log File Integrity Validation →

Q10. What is a CloudWatch alarm?

A A physical siren in the data center

B A resource that watches a metric and performs actions when thresholds are breached

C A type of security group

D A backup schedule

✓ Explanation: A CloudWatch alarm watches a single metric over a specified time period and performs one or more actions based on the metric value relative to a threshold.
📖 CloudWatch Alarms →

Q11. Which service can centralize logs from multiple AWS accounts?

A Amazon S3 with cross-account access

B Only CloudWatch in a single account

C Only local EC2 storage

D Amazon RDS

✓ Explanation: You can centralize logs by configuring CloudTrail and other services to deliver logs to a central S3 bucket in a logging account, with cross-account access policies.
📖 Cross-Account Log Delivery →

Q12. What is the purpose of a CloudWatch metric filter?

A To delete unwanted metrics

B To extract metric values from log events based on a pattern

C To encrypt CloudWatch data

D To create VPC flow logs

✓ Explanation: Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs, turning log data into numerical CloudWatch metrics.
📖 CloudWatch Metric Filters →

Q13. Which AWS service can stream real-time log data for processing?

A Amazon Glacier

B Amazon Kinesis Data Streams

C AWS Snowball

D Amazon EFS

✓ Explanation: Amazon Kinesis Data Streams can collect and process large streams of log data in real-time, enabling real-time security analytics and dashboards.
📖 Kinesis Data Streams →

Q14. What does enabling CloudTrail for all regions ensure?

A Higher costs only

B That API activity in any AWS region is captured

C Faster API response times

D Automatic resource deletion

✓ Explanation: An all-regions trail ensures that API activity in any AWS region is logged, preventing gaps in visibility if resources are created in unexpected regions.
📖 Multi-Region Trails →

Q15. How can you be alerted when a specific API call is made (e.g., deleting a security group)?

A Manually check logs daily

B Create a CloudWatch alarm based on a CloudTrail metric filter

C Use Amazon S3 versioning

D Enable auto-scaling

✓ Explanation: Send CloudTrail logs to CloudWatch Logs, create a metric filter for the specific API call, then create a CloudWatch alarm on that metric to trigger an SNS notification.
📖 CloudTrail + CloudWatch Alarms →

Q16. What is Amazon CloudWatch Logs?

A A physical log storage facility

B A service for monitoring, storing, and accessing log files from AWS resources

C A database service

D A networking service

✓ Explanation: CloudWatch Logs enables you to centralize logs from your systems, applications, and AWS services for monitoring, storage, and analysis.
📖 CloudWatch Logs Overview →

Q17. What is the retention period for CloudWatch Logs by default?

A 30 days

B 90 days

C Logs never expire (indefinite retention)

D 7 days

✓ Explanation: By default, CloudWatch Logs are kept indefinitely and never expire. You can configure a retention policy from 1 day to 10 years, or keep them indefinitely.
📖 Log Retention Settings →

Q18. Which feature allows you to automatically act on CloudWatch Logs data in real-time?

A CloudWatch Logs subscription filters

B CloudWatch Dashboards

C CloudTrail Insights

D AWS Config rules

✓ Explanation: Subscription filters allow you to route log data in real-time to services like Lambda, Kinesis, or Firehose for processing, analysis, or alerting.
📖 Subscription Filters →

Q19. What does CloudTrail Insights detect?

A Software vulnerabilities

B Unusual API call volume or error rate activity

C Network latency issues

D Storage capacity problems

✓ Explanation: CloudTrail Insights detects unusual operational activity in your account, such as spikes in API call volume or elevated error rates, indicating potential security issues.
📖 CloudTrail Insights →

Q20. Where should you store long-term CloudTrail logs for cost-effective archival?

A Amazon EBS volumes

B Amazon S3 with lifecycle policies to Glacier

C Amazon EC2 local storage

D Amazon DynamoDB

✓ Explanation: Store CloudTrail logs in S3 with lifecycle policies that transition older logs to S3 Glacier or Glacier Deep Archive for cost-effective long-term archival.
📖 S3 Lifecycle Policies →

Q21. What are AWS Config conformance packs?

A A collection of AWS Config rules and remediation actions packaged together

B A type of EC2 instance pack

C A billing discount program

D A VPC configuration bundle

✓ Explanation: Conformance packs are collections of Config rules and remediation actions that can be deployed as a single entity, useful for compliance frameworks like PCI DSS or HIPAA.
📖 Config Conformance Packs →

Q22. Which service helps you visualize and analyze AWS resource configurations over time?

A Amazon QuickSight

B AWS Config Timeline

C AWS CloudFormation

D Amazon ECS

✓ Explanation: AWS Config provides a configuration timeline that shows how a resource's configuration changed over time, helping you troubleshoot and audit changes.
📖 Config Resource Timeline →

Q23. What is the purpose of an S3 access log?

A To encrypt S3 objects

B To record detailed records of requests made to an S3 bucket

C To compress S3 objects

D To replicate S3 objects

✓ Explanation: S3 server access logging provides detailed records for all requests made to a bucket, including requester, bucket name, request time, action, and response status.
📖 S3 Server Access Logging →

Q24. How can you monitor unauthorized access attempts to your AWS account?

A Only by manually reviewing console

B Use CloudTrail with CloudWatch alarms for failed API calls

C Use Amazon RDS audit logs only

D There is no way to monitor this

✓ Explanation: Configure CloudTrail to log all API calls, create CloudWatch metric filters for failed authentication or authorization events, and set alarms to notify your security team.
📖 Monitoring with CloudTrail →

Q25. What is the benefit of using Amazon OpenSearch Service for security logs?

A It replaces CloudTrail entirely

B It provides full-text search, visualization, and analysis of log data

C It only stores logs for 24 hours

D It automatically fixes security issues

✓ Explanation: Amazon OpenSearch Service provides powerful full-text search, log analytics, and visualization (via OpenSearch Dashboards) for centralized security log analysis.
📖 OpenSearch Service Overview →

D3 Infrastructure Security

0/25 ▼

Q1. What is an Amazon VPC?

A A virtual private cloud that provides an isolated network environment

B A type of EC2 instance

C A database service

D A content delivery network

✓ Explanation: Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of the AWS cloud where you can launch resources in a virtual network you define.
📖 Amazon VPC User Guide →

Q2. What is the difference between a security group and a network ACL (NACL)?

A They are identical

B Security groups are stateful at the instance level; NACLs are stateless at the subnet level

C NACLs are stateful; security groups are stateless

D Neither supports inbound rules

✓ Explanation: Security groups are stateful (return traffic automatically allowed) and operate at the instance level. NACLs are stateless (must define both inbound and outbound rules) and operate at the subnet level.
📖 VPC Security Comparison →

Q3. Which AWS service protects web applications from common web exploits?

A AWS Shield

B AWS WAF

C Amazon GuardDuty

D AWS CloudTrail

✓ Explanation: AWS WAF (Web Application Firewall) protects web applications from common web exploits like SQL injection, XSS, and allows you to create custom rules to filter traffic.
📖 AWS WAF Developer Guide →

Q4. What does AWS Shield protect against?

A SQL injection attacks

B Distributed Denial of Service (DDoS) attacks

C Phishing emails

D Data exfiltration

✓ Explanation: AWS Shield provides protection against DDoS attacks. Shield Standard is free and automatic; Shield Advanced provides enhanced protections and 24/7 DDoS response team access.
📖 AWS Shield Overview →

Q5. What is a bastion host used for?

A Hosting a public website

B Providing secure access to instances in private subnets

C Storing database backups

D Running batch processing jobs

✓ Explanation: A bastion host (jump box) is a server in a public subnet that provides secure access to instances in private subnets, minimizing the attack surface.
📖 Bastion Host Best Practices →

Q6. Which AWS service can replace traditional bastion hosts for remote access?

A Amazon CloudFront

B AWS Systems Manager Session Manager

C Amazon RDS Proxy

D AWS Direct Connect

✓ Explanation: Systems Manager Session Manager provides secure shell access to EC2 instances without opening inbound ports, managing SSH keys, or using bastion hosts.
📖 Session Manager →

Q7. What is a VPC endpoint?

A A physical cable in a data center

B A private connection between your VPC and AWS services without internet

C A public IP address

D A DNS record

✓ Explanation: VPC endpoints enable private connections between your VPC and supported AWS services without requiring an internet gateway, NAT device, or VPN connection.
📖 VPC Endpoints →

Q8. What are the two types of VPC endpoints?

A Public and private

B Gateway endpoints and interface endpoints

C TCP and UDP endpoints

D IPv4 and IPv6 endpoints

✓ Explanation: Gateway endpoints (for S3 and DynamoDB) route traffic via route tables. Interface endpoints (powered by PrivateLink) create ENIs in your subnet for most other AWS services.
📖 VPC Endpoint Types →

Q9. What does AWS WAF rate-based rule do?

A Encrypts traffic faster

B Blocks IP addresses that exceed a specified request rate

C Routes traffic to multiple regions

D Manages DNS records

✓ Explanation: WAF rate-based rules automatically block IP addresses that send requests exceeding a configurable threshold within a 5-minute period, helping prevent HTTP floods.
📖 WAF Rate-Based Rules →

Q10. What is network segmentation in AWS?

A Splitting a single EC2 instance into multiple parts

B Using subnets, security groups, and NACLs to isolate resources

C Connecting two AWS regions

D Deleting unused VPCs

✓ Explanation: Network segmentation uses subnets, security groups, NACLs, and route tables to isolate groups of resources, limiting blast radius and enforcing least-privilege network access.
📖 VPC Security Best Practices →

Q11. What is the default behavior of a security group?

A Allow all inbound, deny all outbound

B Deny all inbound, allow all outbound

C Allow all inbound and outbound

D Deny all inbound and outbound

✓ Explanation: By default, a security group denies all inbound traffic and allows all outbound traffic. You must explicitly add inbound rules to allow traffic.
📖 Security Group Rules →

Q12. What is the default behavior of a network ACL?

A Deny all traffic

B Allow all inbound and outbound traffic

C Allow only HTTPS traffic

D Block all outbound traffic

✓ Explanation: The default NACL allows all inbound and outbound traffic. Custom NACLs deny all traffic by default until you add allow rules.
📖 Network ACLs →

Q13. Which AWS service provides a managed firewall for your VPC?

A AWS Shield

B AWS Network Firewall

C Amazon CloudFront

D AWS Direct Connect

✓ Explanation: AWS Network Firewall is a managed network firewall and intrusion prevention service that lets you filter traffic at the perimeter of your VPC.
📖 AWS Network Firewall →

Q14. What is AWS PrivateLink?

A A public CDN service

B A technology that provides private connectivity between VPCs and services

C A VPN client for mobile devices

D An email encryption service

✓ Explanation: AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
📖 AWS PrivateLink →

Q15. What is the purpose of a NAT Gateway?

A To host public websites

B To allow instances in private subnets to access the internet for outbound traffic

C To store encrypted data

D To monitor CloudTrail logs

✓ Explanation: A NAT Gateway enables instances in private subnets to connect to the internet for outbound traffic (like software updates) while preventing inbound connections from the internet.
📖 NAT Gateways →

Q16. What does AWS Shield Advanced provide beyond Shield Standard?

A Basic DDoS protection only

B Enhanced detection, 24/7 DDoS response team, and cost protection

C Only email notifications

D Free SSL certificates

✓ Explanation: Shield Advanced provides enhanced DDoS detection, real-time metrics, access to the AWS DDoS Response Team (DRT), cost protection during attacks, and WAF integration.
📖 Shield Advanced Features →

Q17. How can you restrict access to an S3 bucket to only traffic from your VPC?

A Use IAM user passwords

B Use an S3 bucket policy with a VPC endpoint condition

C Turn off S3 versioning

D Use Amazon RDS proxy

✓ Explanation: Create a VPC gateway endpoint for S3 and add a bucket policy condition (aws:sourceVpce) to restrict access to only requests coming through that specific VPC endpoint.
📖 S3 VPC Endpoint Policies →

Q18. What is AWS Systems Manager Patch Manager used for?

A Managing DNS records

B Automating the patching process for managed instances

C Creating VPC subnets

D Monitoring CloudWatch metrics

✓ Explanation: Patch Manager automates the process of patching managed instances with security-related and other updates for operating systems and applications.
📖 Patch Manager →

Q19. What is a public subnet vs. a private subnet?

A They are the same thing

B A public subnet has a route to an internet gateway; a private subnet does not

C A private subnet is always in us-east-1

D A public subnet cannot have EC2 instances

✓ Explanation: A public subnet has a route table entry pointing to an internet gateway, allowing resources with public IPs to communicate with the internet. A private subnet has no such route.
📖 VPC Subnets →

Q20. What is the purpose of AWS Firewall Manager?

A To manage physical firewalls

B To centrally configure and manage firewall rules across accounts and resources

C To encrypt network traffic

D To create VPN connections

✓ Explanation: AWS Firewall Manager lets you centrally configure and manage firewall rules for WAF, Shield Advanced, security groups, Network Firewall, and Route 53 Resolver DNS Firewall across your organization.
📖 AWS Firewall Manager →

Q21. What is a security group rule evaluation order?

A Rules are evaluated top to bottom like NACLs

B All rules are evaluated and the most restrictive wins

C All rules are evaluated; if any rule allows, traffic is permitted

D Only the first matching rule applies

✓ Explanation: Security groups evaluate all rules before deciding whether to allow traffic. If any rule allows the traffic, it is permitted. There is no deny rule in security groups.
📖 Security Group Rule Evaluation →

Q22. How are NACL rules evaluated?

A All rules are evaluated at once

B Rules are evaluated in order by rule number (lowest first); first match wins

C Only the last rule matters

D Rules are evaluated alphabetically

✓ Explanation: NACL rules are evaluated in order starting with the lowest numbered rule. The first rule that matches the traffic is applied, and subsequent rules are not evaluated.
📖 NACL Rule Evaluation →

Q23. What AWS service provides DNS-level protection for your VPC?

A Amazon CloudFront

B Route 53 Resolver DNS Firewall

C Amazon GuardDuty

D AWS Certificate Manager

✓ Explanation: Route 53 Resolver DNS Firewall lets you filter and regulate outbound DNS traffic from your VPC, blocking access to known malicious domains.
📖 Route 53 DNS Firewall →

Q24. What is the purpose of a VPN connection in AWS?

A To host a website

B To create an encrypted connection between your on-premises network and AWS VPC

C To delete CloudTrail logs

D To create S3 buckets

✓ Explanation: AWS VPN creates encrypted tunnels between your on-premises network (or client devices) and your AWS VPC, extending your network securely into the cloud.
📖 AWS Site-to-Site VPN →

Q25. What does AWS Systems Manager Inventory collect?

A Financial billing data

B Metadata about managed instances like installed applications and OS patches

C VPC flow log data

D CloudTrail event data

✓ Explanation: Systems Manager Inventory collects metadata from managed instances about installed applications, OS patches, network configurations, running services, and more.
📖 SSM Inventory →

D4 Identity & Access Management

0/25 ▼

Q1. What does the principle of least privilege mean?

A Give users full admin access

B Grant only the permissions needed to perform a task

C Deny all access by default permanently

D Use root account for everything

✓ Explanation: Least privilege means granting users, roles, and services only the minimum permissions they need to perform their specific tasks — nothing more.
📖 IAM Least Privilege →

Q2. What is an IAM policy?

A A physical security document

B A JSON document that defines permissions for AWS resources

C A network routing rule

D A type of EC2 instance

✓ Explanation: An IAM policy is a JSON document with statements that define which actions are allowed or denied on which AWS resources, and under what conditions.
📖 IAM Policies →

Q3. What is the difference between an IAM user and an IAM role?

A They are the same thing

B Users have long-term credentials; roles provide temporary credentials

C Roles can only be used by EC2 instances

D Users cannot have policies attached

✓ Explanation: IAM users have permanent long-term credentials (password, access keys). IAM roles provide temporary security credentials and can be assumed by users, services, or applications.
📖 IAM Identities →

Q4. What is AWS STS (Security Token Service)?

A A storage service

B A service that provides temporary, limited-privilege security credentials

C A database query service

D A content delivery network

✓ Explanation: AWS STS enables you to request temporary, limited-privilege credentials for IAM users or federated users, commonly used with AssumeRole.
📖 AWS STS API Reference →

Q5. What is an IAM policy condition?

A A mandatory policy element

B An optional element that specifies circumstances under which a policy grants permission

C A type of IAM group

D A billing feature

✓ Explanation: Conditions are optional policy elements that specify circumstances (like source IP, time, MFA status) under which a policy statement is in effect.
📖 IAM Policy Conditions →

Q6. What does an explicit deny in an IAM policy do?

A It has lower priority than allow

B It always overrides any allow statement

C It only works on weekdays

D It is ignored if there is an allow

✓ Explanation: An explicit deny in an IAM policy always takes precedence over any allow statement. If any policy explicitly denies an action, it is denied regardless of other policies.
📖 Policy Evaluation Logic →

Q7. What is AWS Organizations?

A A social media platform

B A service for centrally managing and governing multiple AWS accounts

C A code repository service

D A compute service

✓ Explanation: AWS Organizations lets you centrally manage multiple AWS accounts, create organizational units, apply policies, and consolidate billing.
📖 AWS Organizations →

Q8. What is a Service Control Policy (SCP)?

A A policy that grants permissions to IAM users

B A policy that sets maximum permissions boundaries for accounts in an organization

C A firewall rule

D A VPC configuration

✓ Explanation: SCPs set the maximum available permissions for member accounts in an organization. They don't grant permissions but limit what IAM policies in those accounts can allow.
📖 Service Control Policies →

Q9. What is IAM federation?

A Combining two AWS accounts into one

B Allowing external identities to access AWS resources without creating IAM users

C A type of database replication

D A load balancing technique

✓ Explanation: Federation allows users from external identity providers (like Active Directory, SAML, or OIDC) to access AWS resources using temporary credentials without separate IAM users.
📖 IAM Identity Providers →

Q10. What is an IAM permissions boundary?

A A physical boundary around data centers

B An advanced feature that sets the maximum permissions an IAM entity can have

C A network security group

D A billing limit

✓ Explanation: A permissions boundary is a managed policy that sets the maximum permissions that an identity-based policy can grant to an IAM entity (user or role), acting as a guardrail.
📖 Permissions Boundaries →

Q11. What is the purpose of the IAM Access Analyzer?

A To create new IAM users

B To identify resources shared with external entities and validate policies

C To monitor EC2 CPU usage

D To encrypt S3 objects

✓ Explanation: IAM Access Analyzer identifies resources (like S3 buckets, IAM roles) shared with external entities and helps you validate IAM policies to ensure they grant intended access.
📖 IAM Access Analyzer →

Q12. What is cross-account access in AWS?

A Accessing resources from a different cloud provider

B Allowing an IAM entity in one account to access resources in another account

C Merging two accounts permanently

D Using multiple regions simultaneously

✓ Explanation: Cross-account access uses IAM roles with trust policies to allow principals in one AWS account to assume a role in another account and access its resources.
📖 Cross-Account Access Tutorial →

Q13. What is MFA (Multi-Factor Authentication) in AWS?

A A single password system

B An additional layer of security requiring a second verification factor beyond password

C A type of encryption algorithm

D A VPC feature

✓ Explanation: MFA adds an extra layer of security by requiring users to provide a second factor (like a code from a virtual MFA device or hardware token) in addition to their password.
📖 Using MFA in AWS →

Q14. What is an IAM role trust policy?

A A document that defines who can assume the role

B A document that defines what actions the role can perform

C A billing agreement

D A security group rule

✓ Explanation: A trust policy (attached to a role) defines which principals (users, services, accounts) are allowed to assume the role. It's separate from the permissions policy.
📖 IAM Role Concepts →

Q15. Why should you avoid using the AWS root account for daily tasks?

A It's slower than IAM users

B The root account has unrestricted access and cannot be limited by policies

C Root accounts don't support MFA

D Root accounts cost more

✓ Explanation: The root account has complete, unrestricted access to all resources and cannot be limited by IAM policies or SCPs. Use it only for tasks that specifically require root access.
📖 Root Account Best Practices →

Q16. What is AWS IAM Identity Center (formerly AWS SSO)?

A A physical data center

B A service for centrally managing SSO access to multiple AWS accounts and applications

C A database migration service

D A code deployment service

✓ Explanation: IAM Identity Center provides centralized single sign-on access to multiple AWS accounts and business applications, supporting SAML 2.0 and built-in identity store.
📖 IAM Identity Center →

Q17. What is a resource-based policy?

A A policy attached to an IAM user

B A policy attached directly to a resource (like an S3 bucket or SQS queue)

C A network ACL rule

D An EC2 security group

✓ Explanation: Resource-based policies are JSON policies attached directly to AWS resources (S3 buckets, SQS queues, Lambda functions) that specify who can access the resource and what actions they can perform.
📖 Identity vs Resource Policies →

Q18. What does the IAM policy element 'Effect' specify?

A The AWS region

B Whether the statement allows or denies access

C The resource ARN

D The IAM user name

✓ Explanation: The Effect element specifies whether the policy statement results in an Allow or Deny. Every policy statement must include an Effect element.
📖 Policy Element: Effect →

Q19. What is an inline policy vs. a managed policy?

A They work exactly the same way

B Inline policies are embedded in a single entity; managed policies are standalone and reusable

C Managed policies cannot be attached to roles

D Inline policies are always more powerful

✓ Explanation: Inline policies are embedded directly in a single user, group, or role. Managed policies are standalone objects that can be attached to multiple entities, making them reusable and easier to manage.
📖 Managed vs Inline Policies →

Q20. What is the purpose of the 'aws:SourceIp' condition key?

A To encrypt data

B To restrict access based on the requester's IP address

C To set the AWS region

D To choose the instance type

✓ Explanation: The aws:SourceIp condition key restricts access to AWS resources based on the IP address from which the API request originates, useful for office IP restrictions.
📖 Global Condition Keys →

Q21. What happens if there is no explicit allow or deny for a request in IAM?

A The request is allowed by default

B The request is denied by default (implicit deny)

C The request is queued for manual review

D An error is thrown

✓ Explanation: AWS follows a default-deny model. If no policy explicitly allows an action, the request is implicitly denied. You must explicitly grant permissions for any action.
📖 Policy Evaluation Logic →

Q22. What is an IAM group?

A A collection of AWS accounts

B A collection of IAM users to which you can attach policies

C A type of EC2 instance family

D A security group

✓ Explanation: An IAM group is a collection of IAM users. Policies attached to a group apply to all users in that group, simplifying permissions management.
📖 IAM User Groups →

Q23. What is the AWS policy evaluation logic order?

A Allow, then Deny

B Explicit Deny > Explicit Allow > Implicit Deny

C Implicit Deny > Explicit Allow > Explicit Deny

D All denies are ignored

✓ Explanation: AWS evaluates policies in this order: 1) Explicit Deny (always wins), 2) Explicit Allow, 3) Implicit Deny (default). SCPs and permission boundaries are also evaluated.
📖 Policy Evaluation Logic →

Q24. What is an IAM instance profile?

A A user's profile picture

B A container for an IAM role that can be attached to an EC2 instance

C A type of AMI

D A CloudWatch metric

✓ Explanation: An instance profile is a container for an IAM role. When you attach a role to an EC2 instance, you're actually attaching an instance profile that contains the role.
📖 Instance Profiles →

Q25. What is the purpose of the 'aws:MultiFactorAuthPresent' condition key?

A To check if encryption is enabled

B To verify that the request was authenticated using MFA

C To count the number of users

D To check VPC connectivity

✓ Explanation: The aws:MultiFactorAuthPresent condition key checks whether the API request was made using multi-factor authentication, allowing you to require MFA for sensitive actions.
📖 MFA Condition Key →

D5 Data Protection

0/25 ▼

Q1. What is AWS KMS (Key Management Service)?

A A physical key storage facility

B A managed service for creating and controlling encryption keys

C A database migration tool

D A code deployment service

✓ Explanation: AWS KMS is a managed service that makes it easy to create and manage cryptographic keys used to encrypt your data across AWS services and applications.
📖 AWS KMS Overview →

Q2. What is the difference between encryption at rest and encryption in transit?

A There is no difference

B At rest protects stored data; in transit protects data moving between systems

C In transit only applies to S3

D At rest only applies to EBS

✓ Explanation: Encryption at rest protects data stored on disk/storage. Encryption in transit (using TLS/SSL) protects data as it moves between systems, services, or users.
📖 AWS Data Encryption →

Q3. What is an S3 bucket policy?

A A backup schedule for S3

B A resource-based policy that controls access to an S3 bucket and its objects

C A lifecycle rule for object expiration

D A versioning configuration

✓ Explanation: An S3 bucket policy is a resource-based JSON policy attached to an S3 bucket that defines which principals can perform which actions on the bucket and its objects.
📖 S3 Bucket Policies →

Q4. What does AWS Secrets Manager do?

A Manages physical office secrets

B Stores, rotates, and retrieves database credentials and other secrets

C Encrypts EC2 instances

D Monitors VPC traffic

✓ Explanation: AWS Secrets Manager helps you store, manage, and automatically rotate credentials like database passwords, API keys, and other secrets securely.
📖 Secrets Manager User Guide →

Q5. What is AWS Certificate Manager (ACM)?

A A certification exam service

B A service for provisioning, managing, and deploying SSL/TLS certificates

C A storage service

D A database service

✓ Explanation: ACM lets you provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and connected resources, with automatic renewal.
📖 ACM User Guide →

Q6. What is Amazon Macie?

A A compute service

B A security service that uses ML to discover and protect sensitive data in S3

C A database query optimizer

D A VPN client

✓ Explanation: Amazon Macie uses machine learning and pattern matching to discover and protect sensitive data (like PII, financial data) stored in Amazon S3.
📖 Amazon Macie User Guide →

Q7. What is server-side encryption (SSE) in S3?

A Encryption performed by the client application

B Encryption performed by S3 when it writes objects to storage

C A type of load balancing

D A DNS feature

✓ Explanation: Server-side encryption means Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it when you access it.
📖 S3 Server-Side Encryption →

Q8. What are the three types of S3 server-side encryption?

A AES, RSA, and DES

B SSE-S3, SSE-KMS, and SSE-C

C Public, private, and hybrid

D Standard, Express, and Premium

✓ Explanation: SSE-S3 uses S3-managed keys, SSE-KMS uses AWS KMS-managed keys (with audit trail), and SSE-C lets you provide your own encryption keys.
📖 S3 Encryption Options →

Q9. What is a KMS key policy?

A A network routing policy

B A resource-based policy that controls access to a KMS key

C An S3 lifecycle policy

D A billing policy

✓ Explanation: A KMS key policy is a resource-based policy that determines who can use and manage a KMS key. Unlike most AWS resources, KMS keys REQUIRE a key policy.
📖 KMS Key Policies →

Q10. What is envelope encryption?

A Encrypting the physical envelope of a hard drive

B Encrypting data with a data key, then encrypting the data key with a master key

C Using two passwords for one account

D Encrypting data twice with the same key

✓ Explanation: Envelope encryption encrypts your data with a data encryption key (DEK), then encrypts the DEK with a KMS master key. This is how KMS handles large data encryption.
📖 Envelope Encryption →

Q11. What is S3 Block Public Access?

A A firewall for EC2

B Account and bucket-level settings that prevent public access to S3 resources

C A CDN feature

D A VPC setting

✓ Explanation: S3 Block Public Access provides settings at the account and bucket level to ensure S3 resources never become publicly accessible, overriding bucket policies and ACLs.
📖 S3 Block Public Access →

Q12. What does AWS CloudHSM provide?

A Cloud-based file storage

B Dedicated hardware security modules for cryptographic key management

C A monitoring dashboard

D A code repository

✓ Explanation: AWS CloudHSM provides dedicated FIPS 140-2 Level 3 validated hardware security modules in the cloud, giving you full control over your cryptographic keys.
📖 CloudHSM User Guide →

Q13. How does KMS key rotation work with AWS-managed keys?

A You must manually rotate keys every year

B AWS automatically rotates the key material every year

C Keys are never rotated

D Rotation happens every 30 days

✓ Explanation: For AWS-managed KMS keys, AWS automatically rotates the key material every year. For customer-managed keys, you can enable automatic annual rotation.
📖 KMS Key Rotation →

Q14. What is the purpose of S3 Object Lock?

A To prevent objects from being deleted or overwritten for a retention period

B To encrypt S3 objects

C To compress S3 objects

D To replicate S3 objects

✓ Explanation: S3 Object Lock uses a WORM (Write Once Read Many) model to prevent objects from being deleted or overwritten for a fixed retention period or indefinitely.
📖 S3 Object Lock →

Q15. What is client-side encryption?

A Encryption performed by AWS S3

B Encryption performed by the application before sending data to AWS

C A type of VPN encryption

D A load balancer feature

✓ Explanation: Client-side encryption means you encrypt data on the client side before uploading it to AWS. AWS never sees the unencrypted data or the encryption keys.
📖 S3 Client-Side Encryption →

Q16. What is the difference between KMS symmetric and asymmetric keys?

A There is no difference

B Symmetric uses one key for encrypt/decrypt; asymmetric uses a public/private key pair

C Asymmetric keys are always faster

D Symmetric keys can only encrypt, not decrypt

✓ Explanation: Symmetric KMS keys use a single 256-bit AES key for both encryption and decryption. Asymmetric keys use a mathematically related public/private key pair for different operations.
📖 Symmetric vs Asymmetric Keys →

Q17. How can you prevent accidental deletion of S3 objects?

A Disable all S3 access

B Enable S3 versioning and MFA Delete

C Use only IAM users

D Turn off CloudTrail

✓ Explanation: S3 versioning preserves all versions of objects (allowing recovery), and MFA Delete requires multi-factor authentication to permanently delete object versions.
📖 S3 Versioning →

Q18. What does AWS Secrets Manager automatic rotation do?

A Rotates EC2 instances

B Automatically changes the secret value (e.g., database password) on a schedule

C Deletes old secrets permanently

D Rotates KMS keys

✓ Explanation: Secrets Manager can automatically rotate secrets (like RDS database passwords) on a configurable schedule using a Lambda rotation function, ensuring credentials stay fresh.
📖 Secret Rotation →

Q19. What is the purpose of Amazon S3 default encryption?

A To speed up S3 uploads

B To automatically encrypt all new objects stored in the bucket

C To compress objects

D To version objects

✓ Explanation: S3 default encryption ensures that all new objects stored in a bucket are automatically encrypted using your chosen encryption method (SSE-S3, SSE-KMS, or DSSE-KMS).
📖 S3 Default Encryption →

Q20. What is a KMS grant?

A A financial grant from AWS

B A mechanism to delegate use of a KMS key to other AWS principals

C A type of S3 bucket policy

D An IAM user group

✓ Explanation: KMS grants allow you to programmatically delegate use of KMS keys to other AWS principals without modifying the key policy, commonly used by AWS services.
📖 KMS Grants →

Q21. What encryption does EBS use by default when encryption is enabled?

A RSA-2048

B AES-256

C DES-56

D Blowfish-128

✓ Explanation: When EBS encryption is enabled, it uses AES-256 encryption algorithm with keys managed by AWS KMS to encrypt data at rest on the volume.
📖 EBS Encryption →

Q22. How does ACM handle certificate renewal?

A You must manually renew every certificate

B ACM automatically renews managed certificates before they expire

C Certificates never expire

D You must contact AWS support

✓ Explanation: ACM automatically attempts to renew certificates it manages before they expire, ensuring continuous TLS/SSL protection without manual intervention.
📖 ACM Managed Renewal →

Q23. What is the difference between SSE-KMS and SSE-S3?

A They are identical

B SSE-KMS provides an audit trail and key management control; SSE-S3 is fully managed by S3

C SSE-S3 is more secure

D SSE-KMS does not support encryption

✓ Explanation: SSE-KMS uses KMS keys with CloudTrail audit logging of key usage and fine-grained access control. SSE-S3 uses Amazon-managed keys with no separate audit trail or key control.
📖 SSE-KMS vs SSE-S3 →

Q24. What is AWS Parameter Store in Systems Manager?

A An EC2 configuration tool

B A service for securely storing configuration data and secrets

C A network monitoring tool

D A billing service

✓ Explanation: Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets like database strings, passwords, and license codes.
📖 SSM Parameter Store →

Q25. What is the benefit of using VPC endpoints for KMS?

A Faster encryption speed

B KMS API calls stay within your VPC without traversing the internet

C Lower KMS key costs

D Automatic key rotation

✓ Explanation: A VPC endpoint for KMS ensures that API calls to KMS remain within your VPC and the AWS network, never traversing the public internet, enhancing security posture.
📖 KMS VPC Endpoint →

D6 Management & Security Governance

0/25 ▼

Q1. What is AWS Control Tower?

A A physical security tower

B A service that automates the setup and governance of a multi-account AWS environment

C A database management tool

D A code deployment pipeline

✓ Explanation: AWS Control Tower automates the setup of a well-architected multi-account environment based on best practices, with guardrails for ongoing governance.
📖 Control Tower User Guide →

Q2. What are AWS Control Tower guardrails?

A Physical barriers in data centers

B High-level rules that provide governance for your AWS environment

C A type of EC2 instance

D Network security groups

✓ Explanation: Guardrails are pre-configured governance rules for security, compliance, and operations. They come in two types: preventive (SCPs) and detective (Config rules).
📖 Control Tower Guardrails →

Q3. What is the purpose of AWS Organizations organizational units (OUs)?

A To organize physical servers

B To group accounts for applying policies and governance

C To create VPC subnets

D To manage DNS records

✓ Explanation: OUs let you group AWS accounts hierarchically, making it easier to apply policies (like SCPs) to groups of accounts based on function, environment, or compliance requirements.
📖 Managing OUs →

Q4. What is a tagging strategy in AWS?

A Labeling physical servers

B A consistent approach to assigning metadata tags to AWS resources for management

C A DNS routing method

D A type of encryption

✓ Explanation: A tagging strategy defines conventions for assigning key-value metadata tags to resources for cost allocation, access control, automation, and organizational purposes.
📖 AWS Tagging Best Practices →

Q5. What AWS service can enforce mandatory tags on resources?

A Amazon S3

B AWS Organizations tag policies

C Amazon CloudFront

D Amazon RDS

✓ Explanation: AWS Organizations tag policies let you define tagging rules and enforce standardized tags across your organization's resources for consistency.
📖 Tag Policies →

Q6. What is AWS Config used for in governance?

A Creating EC2 instances

B Evaluating resource configurations against compliance rules

C Managing DNS records

D Load balancing traffic

✓ Explanation: AWS Config evaluates your resource configurations against desired configurations defined as Config rules, helping maintain compliance and governance standards.
📖 Config Rule Evaluation →

Q7. What is the difference between preventive and detective guardrails?

A They are the same thing

B Preventive guardrails block non-compliant actions; detective guardrails detect non-compliance

C Detective guardrails are more expensive

D Preventive guardrails only work in us-east-1

✓ Explanation: Preventive guardrails (implemented as SCPs) prevent non-compliant actions from occurring. Detective guardrails (implemented as Config rules) detect and alert on non-compliance.
📖 Guardrail Types →

Q8. What is the AWS Well-Architected Framework's Security pillar focused on?

A Cost optimization

B Protecting information, systems, and assets through risk assessments and mitigation

C Performance efficiency only

D Operational excellence only

✓ Explanation: The Security pillar focuses on protecting information, systems, and assets through identity management, detection, infrastructure protection, data protection, and incident response.
📖 Security Pillar →

Q9. What is a consolidated billing benefit of AWS Organizations?

A Each account gets a separate bill

B Combined usage across accounts can qualify for volume pricing discounts

C Billing is eliminated entirely

D Only the root account is billed

✓ Explanation: Consolidated billing combines usage from all accounts in the organization, potentially qualifying for volume pricing discounts and simplifying cost management.
📖 Consolidated Billing →

Q10. What is the purpose of the AWS CloudFormation service?

A Monitoring network traffic

B Modeling and provisioning AWS resources using infrastructure as code

C Managing IAM users

D Storing encryption keys

✓ Explanation: AWS CloudFormation lets you model and provision AWS resources using templates (infrastructure as code), enabling consistent, repeatable deployments with version control.
📖 CloudFormation User Guide →

Q11. How can you prevent member accounts from leaving an AWS Organization?

A There is no way to prevent this

B Use a Service Control Policy to deny the LeaveOrganization action

C Disable IAM in member accounts

D Use security groups

✓ Explanation: An SCP can explicitly deny the organizations:LeaveOrganization action, preventing member accounts from removing themselves from the organization.
📖 SCP Examples →

Q12. What is AWS Audit Manager?

A A physical audit tool

B A service that continuously audits AWS usage to simplify compliance assessment

C A code review tool

D A networking tool

✓ Explanation: AWS Audit Manager continuously audits your AWS usage to simplify how you assess risk and compliance with regulations and industry standards like GDPR, HIPAA, and PCI DSS.
📖 Audit Manager User Guide →

Q13. What is the purpose of the AWS Trusted Advisor?

A To create IAM policies

B To provide real-time guidance on AWS best practices across multiple categories

C To deploy CloudFormation stacks

D To manage S3 buckets

✓ Explanation: Trusted Advisor inspects your AWS environment and provides recommendations on cost optimization, performance, security, fault tolerance, and service limits.
📖 AWS Trusted Advisor →

Q14. What is an AWS Config aggregator?

A A type of load balancer

B A resource that collects Config data from multiple accounts and regions

C A VPC component

D An IAM policy type

✓ Explanation: A Config aggregator collects AWS Config configuration and compliance data from multiple accounts and regions into a single account, providing an organization-wide compliance view.
📖 Config Aggregators →

Q15. What does the Security pillar's 'shared responsibility model' define?

A That AWS handles all security

B That security responsibilities are divided between AWS and the customer

C That customers handle all security

D That security is optional

✓ Explanation: The shared responsibility model defines that AWS is responsible for security OF the cloud (infrastructure), while customers are responsible for security IN the cloud (data, access, applications).
📖 Shared Responsibility Model →

Q16. What is the purpose of AWS Service Catalog?

A A marketplace for physical hardware

B Enables organizations to create and manage catalogs of approved IT services

C A monitoring dashboard

D A DNS management tool

✓ Explanation: AWS Service Catalog lets you create and manage catalogs of approved IT services (CloudFormation templates) that users can deploy, ensuring compliance and standardization.
📖 Service Catalog Admin Guide →

Q17. What is an AWS Config rule?

A A network ACL rule

B A desired configuration setting that AWS Config evaluates resources against

C A firewall rule

D A routing rule

✓ Explanation: A Config rule represents your desired configuration settings. AWS Config continuously evaluates your resources against these rules and flags non-compliant resources.
📖 AWS Config Rules →

Q18. How does AWS Control Tower Landing Zone work?

A It creates a physical landing zone

B It sets up a baseline multi-account environment with security and logging accounts

C It deploys EC2 instances

D It creates VPN connections

✓ Explanation: A Landing Zone is a well-architected, multi-account baseline that includes a security account for auditing and a log archive account for centralized logging.
📖 Landing Zone Overview →

Q19. What is the purpose of enabling AWS CloudTrail organization trail?

A To track physical access to data centers

B To log API activity across all accounts in the organization to a central location

C To create VPC subnets

D To manage IAM passwords

✓ Explanation: An organization trail logs API activity for all AWS accounts in the organization to a central S3 bucket, providing comprehensive visibility across your entire organization.
📖 Organization Trails →

Q20. What are AWS Config managed rules?

A Rules you must write from scratch

B Pre-built rules created and maintained by AWS for common compliance checks

C Physical security rules

D VPC routing rules

✓ Explanation: AWS Config managed rules are pre-built rules maintained by AWS that check for common compliance requirements like encrypted EBS volumes, S3 bucket logging, and MFA on root accounts.
📖 Config Managed Rules List →

Q21. What is the benefit of multi-account strategy in AWS?

A It increases costs significantly

B It provides isolation, reduces blast radius, and simplifies governance

C It makes management more complex with no benefits

D It is required by AWS

✓ Explanation: A multi-account strategy provides workload isolation, limits blast radius of incidents, enables fine-grained access control, and simplifies billing and compliance per account.
📖 Multi-Account Strategy →

Q22. What is AWS License Manager used for?

A Creating software licenses

B Managing and tracking software license usage across AWS and on-premises

C Managing AWS account licenses

D Creating SSL certificates

✓ Explanation: AWS License Manager helps you manage software licenses from vendors like Microsoft, SAP, and Oracle across AWS and on-premises environments, ensuring compliance.
📖 License Manager →

Q23. What does the AWS Config remediation feature do?

A Deletes non-compliant resources

B Automatically or manually corrects non-compliant resource configurations

C Sends billing alerts

D Creates new Config rules

✓ Explanation: Config remediation actions (manual or automatic) can correct non-compliant resources by executing SSM Automation documents to bring resources back into compliance.
📖 Config Remediation →

Q24. What is the purpose of AWS Security Hub standards?

A Physical security standards for data centers

B Pre-defined collections of security checks based on industry frameworks

C A type of EC2 instance standard

D Network bandwidth standards

✓ Explanation: Security Hub standards (like CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices) are pre-defined collections of automated security checks mapped to compliance frameworks.
📖 Security Hub Standards →

Q25. What is the recommended account structure in AWS Control Tower?

A One account for everything

B Management account, log archive account, and audit (security) account as a baseline

C Only production and development accounts

D One account per IAM user

✓ Explanation: Control Tower recommends a management account for organization management, a log archive account for centralized logging, and an audit account for security tooling as the baseline.
📖 Control Tower Account Structure →

AWS Security Fundamentals Quiz