Test yourself
AWS security engineering
Final exam · 60 questions · answers explained as you pick
IAM depth & escalation paths
12 questions
01When an SCP, a permission boundary, an identity policy, and a resource policy all apply, an action is allowed only if…
Incorrect — Allows are not "any one" — every ceiling must permit and no Deny may match.
Correct — Grants are additive but each ceiling is conjunctive; an explicit Deny always wins.
Incorrect — Recency plays no part in IAM evaluation.
Incorrect — A resource policy is one input, not an override of SCPs or boundaries.
02iam:PassRole is dangerous primarily because…
Correct — PassRole + RunInstances/CreateFunction is a classic privilege-escalation primitive.
Incorrect — PassRole has nothing to do with key rotation.
Incorrect — It does not affect logging.
Incorrect — Console login does not use PassRole.
03The correct way to constrain iam:PassRole is…
Incorrect — A wildcard PassRole lets a principal pass any role, including admin.
Correct — Limit which roles can be passed and to which service.
Incorrect — You always want it logged; the fix is scoping, not hiding.
Incorrect — The root user should never be used for routine actions.
04A permission boundary differs from an SCP in that it…
Incorrect — That is an SCP; boundaries cap an individual identity.
Incorrect — Neither boundaries nor SCPs grant — they only cap.
Correct — It lets you delegate role creation without allowing escalation past the ceiling.
Incorrect — It is an authorization ceiling, not encryption.
05iam:CreatePolicyVersion held by an identity is an escalation risk because…
Correct — Rewriting your own attached policy is self-escalation.
Incorrect — It edits policies, not logging.
Incorrect — Unrelated to KMS.
Incorrect — It is a well-known escalation path when scoped loosely.
06To find who can reach a resource or escalate, the AWS-native tool is…
Incorrect — That is a CDN, unrelated to access analysis.
Correct — They surface unintended access and reachable paths before an attacker walks them.
Incorrect — DNS, not access analysis.
Incorrect — Billing, not access.
07For human access at scale, the recommended pattern is…
Incorrect — IAM users sprawl and hold static keys.
Correct — People get short-lived, centrally-managed role sessions.
Incorrect — Shared logins destroy attribution.
Incorrect — A guaranteed leak.
08For CI/CD to get AWS credentials without stored keys, use…
Correct — Short-lived tokens scoped to the workload; nothing static to leak.
Incorrect — That is exactly the long-lived key you want to eliminate.
Incorrect — A shared node role gives every job the same broad access.
Incorrect — Root should never be used programmatically.
09An sts:AssumeRole trust policy controls…
Incorrect — That is the permission policy; the trust policy controls WHO may assume it.
Correct — Trust = principals + conditions; permissions are separate.
Incorrect — Not an encryption setting.
Incorrect — Unrelated to billing.
10A wildcard federation subject like "repo:acme/api:*" is risky because…
Correct — Pin the sub to specific refs/environments and assert the aud claim.
Incorrect — Performance is not the concern.
Incorrect — It does not disable anything — it over-trusts.
Incorrect — Federation is not region-limited.
11The AWS account root user should be…
Incorrect — Root has irrevocable power and should be dormant.
Correct — Root is the crown jewels; guard and monitor it.
Incorrect — Root access keys should not exist.
Incorrect — Sharing root destroys accountability.
12Standing admin access is riskier than just-in-time elevation because…
Correct — Elevate on demand rather than holding permanent privilege.
Incorrect — Speed is not the issue.
Incorrect — It can be logged; the problem is the standing exposure.
Incorrect — Standing access does not turn off MFA.
12 questions · explanations appear as you answer
Threat detection & findings
12 questions
01The two AWS services to enable everywhere as a baseline are…
Incorrect — Those are compute/storage, not the security baseline.
Correct — The trail records what happened; GuardDuty flags the suspicious.
Incorrect — Workloads, not detection.
Incorrect — Networking/CDN, not the baseline.
02GuardDuty primarily works by…
Correct — It is agentless log/behavior analysis, not inline blocking.
Incorrect — It detects and alerts; it does not sit inline.
Incorrect — Not an encryption service.
Incorrect — Unrelated to detection.
03Security Hub’s role relative to GuardDuty/Inspector/Config is to…
Incorrect — It aggregates, it does not replace the sources.
Correct — It is the single pane that dedupes and scores findings.
Incorrect — That is Inspector; Security Hub aggregates.
Incorrect — Not a DNS tool.
04Amazon Detective is used to…
Incorrect — It does not enforce.
Incorrect — That is S3 object-lock; Detective analyzes.
Correct — It accelerates root-cause during triage.
Incorrect — Unrelated.
05Delegating GuardDuty to a security account and auto-enabling all members prevents…
Correct — Coverage becomes an org property, not a checklist to forget.
Incorrect — You still need the trail feeding it.
Incorrect — Findings can still be encrypted.
Incorrect — IAM is unaffected.
06Routing findings to EventBridge → SOAR/Lambda instead of a console lets you…
Incorrect — You still log; you add automation.
Correct — Detection without response is theatre.
Incorrect — The opposite — you act on its output.
Incorrect — Findings stay internal.
07Alert quality matters because…
Correct — Tune, dedupe, and prioritize by severity and asset criticality.
Incorrect — Volume without signal degrades response.
Incorrect — They are signals, not crypto.
Incorrect — Not the primary reason.
08GuardDuty can extend coverage to which of these with dedicated protections?
Incorrect — It has multiple protection plans beyond EC2.
Correct — Enable the plans relevant to your workloads.
Incorrect — IAM anomaly is one signal, not the whole scope.
Incorrect — DNS is one input among several.
09Inspector in a modern AWS setup scans…
Incorrect — That is a narrow legacy view.
Incorrect — That is GuardDuty’s input, not Inspector.
Correct — It is continuous CVE scanning across those resource types.
Incorrect — That is Macie’s job.
10A metric/anomaly alert on mass GetObject or kms:DisableKey catches…
Correct — A permitted action at abnormal volume/pattern is the tell.
Incorrect — It covers control-plane behavior too.
Incorrect — Behavioral signals are high value.
Incorrect — Far broader than that.
11The value of enabling CloudTrail data events (S3/Lambda) is…
Incorrect — Data events cost extra and are off by default; scope them.
Correct — Management events alone miss the data-plane story.
Incorrect — They complement, not replace.
Incorrect — Logging is not encryption.
12Findings should feed a pipeline that…
Correct — A dashboard nobody watches is not a control.
Incorrect — That is pure noise.
Incorrect — You preserve logs, not delete them.
Incorrect — Never blind your own detection.
12 questions · explanations appear as you answer
Data protection & encryption
12 questions
01Envelope encryption with KMS means…
Incorrect — It is a two-tier hierarchy, not double-encryption.
Correct — Only KMS can unwrap the stored data key; bulk data never touches KMS.
Incorrect — The payload is what is protected.
Incorrect — Encoding is not encryption.
02A KMS key policy controls…
Correct — A bucket reader without key permission sees only ciphertext.
Incorrect — That is S3 Block Public Access.
Incorrect — Networking, not KMS.
Incorrect — Unrelated to KMS.
03Disabling a customer-managed KMS key gives you…
Incorrect — It does not speed anything up.
Correct — A capability a provider-owned key cannot offer.
Incorrect — Rotation, not disabling, adds a new version; disabling blocks decrypt.
Incorrect — The opposite of what happens.
04Rotating a KMS CMK does not require re-encrypting all data because…
Correct — Envelope encryption makes rotation cheap and non-disruptive.
Incorrect — It is encrypted — that is the point.
Incorrect — CMKs are never public.
Incorrect — Old data remains readable.
05A KMS grant is preferable to a broad key-policy statement when…
Incorrect — That is exactly what grants avoid.
Correct — Grants scope and can be retired without editing the key policy.
Incorrect — Grants do not disable keys.
Incorrect — Grants are about access, not rotation.
06Amazon Macie is used to…
Incorrect — That is Block Public Access.
Incorrect — That is GuardDuty.
Correct — It tells you where sensitive data actually lives.
Incorrect — That is Secrets Manager.
07The primary defense against accidental public S3 is…
Incorrect — Hope is not a control.
Correct — Account BPA overrides risky ACLs org-wide.
Incorrect — That increases exposure.
Incorrect — That removes visibility, not risk.
08SSE-KMS over SSE-S3 for a bucket gives you…
Correct — You gain governance SSE-S3’s provider key cannot offer.
Incorrect — Both encrypt; SSE-KMS adds control.
Incorrect — Throughput is not the differentiator.
Incorrect — Encryption mode does not change access.
09S3 Bucket Keys reduce…
Incorrect — They do not shrink objects.
Correct — A bucket-level key cuts the volume of GenerateDataKey/Decrypt calls.
Incorrect — Unrelated to policies.
Incorrect — Not a networking feature.
10Dual control (separate key admin from data admin) prevents…
Incorrect — Performance is not the point.
Correct — Two independent permissions are needed for plaintext.
Incorrect — It does not block rotation.
Incorrect — Both actions are still logged.
11For regulated data needing non-exportable, FIPS-validated keys, use…
Correct — Hardware-backed keys that never leave the module, with attestable custody.
Incorrect — That is about geography, not hardware custody.
Incorrect — Storage tiering, not key custody.
Incorrect — That signs URLs, not data-at-rest keys.
12Secrets Manager over a KMS-encrypted config file adds…
Incorrect — The manager adds lifecycle features a file lacks.
Correct — Secrets become a governed resource, not a copied file.
Incorrect — Not the value proposition.
Incorrect — The opposite — tighter control.
12 questions · explanations appear as you answer
Network security & segmentation
12 questions
01A security group is fundamentally…
Correct — Deny-by-default; you open only what is needed and replies flow back.
Incorrect — That describes a NACL, not a security group.
Incorrect — It filters traffic, not API permissions.
Incorrect — Not a resolver.
02A network ACL differs from a security group because it is…
Incorrect — That is a security group.
Correct — You must allow both directions explicitly.
Incorrect — Unrelated to IAM.
Incorrect — Unrelated to encryption.
03Referencing security groups by group ID instead of CIDR…
Correct — The DB SG allows the app SG — no IP list to maintain.
Incorrect — Performance is not the concern.
Incorrect — It works in private subnets.
Incorrect — Unrelated.
04Putting databases in private subnets means…
Correct — You remove the public attack surface on the data tier.
Incorrect — Backups work fine.
Incorrect — Auth is still required.
Incorrect — Encryption is a separate setting.
05VPC endpoints (Gateway/Interface / PrivateLink) let you…
Incorrect — The opposite — they keep traffic private.
Correct — The data plane stays on the AWS backbone.
Incorrect — Connectivity, not storage encryption.
Incorrect — Not an authorization control.
06Controlling egress (not just ingress) matters because…
Correct — A compromised workload with open egress phones home freely.
Incorrect — Performance is not the point.
Incorrect — Ingress is filtered too; egress is the neglected half.
Incorrect — Complementary, not a replacement.
07AWS Network Firewall adds capability that security groups/NACLs lack, namely…
Incorrect — It is a network control, not IAM.
Correct — It enables deep egress filtering and Suricata-style rules.
Incorrect — Not an encryption service.
Incorrect — Unrelated.
08VPC flow logs are valuable for…
Incorrect — They record; they do not enforce.
Correct — A key forensic and detection input.
Incorrect — They are logs, not crypto.
Incorrect — Unrelated to addressing.
09A WAF in front of an ALB/CloudFront primarily…
Incorrect — It complements it.
Correct — It is not a substitute for secure code.
Incorrect — It inspects HTTP.
Incorrect — Unrelated to identity.
10Route 53 Resolver DNS Firewall contributes by…
Correct — It cuts off C2/exfil domains and gives visibility.
Incorrect — Not an encryption tool.
Incorrect — That is DHCP/IPAM.
Incorrect — Not the purpose.
11The default VPC is a poor production starting point because…
Correct — Build VPCs deliberately with private subnets and scoped egress.
Incorrect — Security groups still apply.
Incorrect — Networking does not turn off IAM.
Incorrect — Cost is not the reason.
12Terminating TLS at the ALB and leaving the internal hop plaintext…
Correct — An internal network is not inherently trusted.
Incorrect — That assumption is a classic mistake.
Incorrect — Nothing encrypts a plaintext hop.
Incorrect — ACM does not require plaintext backends.
12 questions · explanations appear as you answer
Guardrails, IR & forensics
12 questions
01Service Control Policies apply to…
Incorrect — They act above individual users.
Correct — They cap the maximum available permissions for the account.
Incorrect — Bucket policies do that; SCPs are org-wide.
Incorrect — They target accounts/OUs, though can condition on region.
02A preventive guardrail (SCP) differs from a detective control because it…
Correct — The misconfig never happens instead of being reported.
Incorrect — That is a detective/alerting control.
Incorrect — It acts before the action.
Incorrect — It is a hard limit.
03Control Tower / Landing Zone Accelerator provides…
Incorrect — Unrelated to orchestration.
Correct — New accounts arrive secure-by-default, no checklist to forget.
Incorrect — Not a delivery network.
Incorrect — That is Secrets Manager.
04An organization CloudTrail delivered to a dedicated log-archive account…
Correct — Segregating logs protects evidence integrity.
Incorrect — Not a performance measure.
Incorrect — Logs should still be encrypted.
Incorrect — It strengthens it.
05Making the audit-log bucket immutable (Object Lock) defends against…
Incorrect — Immutability is about integrity, not speed.
Correct — Write-once retention preserves evidence.
Incorrect — It may raise cost, not lower it.
Incorrect — It protects logs, not IAM.
06Alerting on cloudtrail:StopLogging / DeleteTrail is high-value because…
Correct — “Someone touched logging” is a near-certain intrusion signal.
Incorrect — Not a cost measure.
Incorrect — Alerting is not encryption.
Incorrect — Unrelated.
07On a confirmed compromised access key, the first action is…
Incorrect — Destroying everything is not measured containment.
Correct — Contain first; the trail tells you the blast radius.
Incorrect — Too broad and slow for the immediate threat.
Incorrect — Active compromise is not backlog work.
08Isolating a compromised EC2 instance for forensics means…
Correct — Contain and capture evidence rather than destroying it.
Incorrect — Termination discards volatile memory and the disk.
Incorrect — A reboot can wipe volatile evidence.
Incorrect — That worsens exposure.
09After containment, hunting for persistence means looking for…
Incorrect — A competent attacker plants a second way in.
Correct — Persistence hides in the control plane; find it before restoring.
Incorrect — Metrics are not persistence indicators.
Incorrect — Cost anomalies are weak signals, not the hunt.
10Revoking active role sessions (not just the key) is done by…
Correct — Otherwise already-issued short-lived credentials stay valid until expiry.
Incorrect — Unrelated to sessions.
Incorrect — Does not revoke STS sessions.
Incorrect — A reboot does not invalidate STS tokens.
11AWS Config’s role in guardrails/IR is to…
Incorrect — That is an SCP; Config records and evaluates.
Correct — It answers “what did this resource look like when?”.
Incorrect — Not an encryption service.
Incorrect — Unrelated.
12A pre-written IR runbook matters because…
Correct — Speed and correctness come from practice, not invention mid-incident.
Incorrect — It uses the trail; it does not replace it.
Incorrect — Runbooks are procedures.
Incorrect — Not its purpose.
12 questions · explanations appear as you answer