Preguntas de práctica

Pregunta 1

A company operates 10 Amazon OpenSearch Service domains with Auto-Tune enabled across 2 AWS Regions and needs to visualize every Auto-Tune action (for example, memory or shard rebalancing adjustments) on an Amazon CloudWatch dashboard at 1-minute resolution for the last 24 hours; which solution will meet this requirement?

Pregunta 2

(Selecciona 2)

A logistics enterprise operates a multi-OU AWS Organizations setup across two AWS Regions with 68 member accounts and has acquired a fintech startup that uses 11 standalone AWS accounts with separate billing; the platform team must centralize administration under a single management account while retaining break-glass full administrative control across all imported accounts and must centrally aggregate and group security findings across the entire environment with new accounts automatically included as they are onboarded; which combination of actions should the platform team take to meet these requirements with minimal operational overhead? (Choose two.)

Análisis de la pregunta

Core Concept: This question tests AWS Organizations account onboarding and centralized security operations. Specifically: (1) how the management account retains emergency (break-glass) administrative access to member accounts, and (2) how to centrally aggregate and automatically include security findings across all accounts using an organization-integrated security service. Why the Answer is Correct: To centralize administration, the startup’s standalone accounts should be invited into the existing AWS Organization. For break-glass full administrative control, the management account needs a cross-account role in each member account that it can assume with AdministratorAccess. The canonical mechanism is the OrganizationAccountAccessRole (or an equivalent admin role) that trusts the management account; this is exactly what option B describes and is aligned with how Organizations enables centralized access after account creation/invitation. For centralized aggregation and grouping of security findings with automatic inclusion of newly onboarded accounts, AWS Security Hub is the correct service. When integrated with AWS Organizations, Security Hub supports delegated administrator, multi-account/multi-Region aggregation, and auto-enrollment of new organization accounts, minimizing ongoing operational overhead (option C). Key AWS Features: - AWS Organizations: account invitation and consolidated governance. - Cross-account IAM role (OrganizationAccountAccessRole): trusted by the management account; grants AdministratorAccess for emergency access. - AWS Security Hub + Organizations: delegated admin, organization-wide enablement, automatic account enrollment, and centralized findings aggregation across accounts/Regions. - Best practice: use delegated administrator for security tooling to avoid using the management account for day-to-day operations. Common Misconceptions: - SCPs do not “grant” permissions; they only set permission guardrails (maximum allowed). Therefore, an SCP cannot by itself create break-glass admin access for the management account. - Firewall Manager is for centralized firewall policy management (WAF, Shield Advanced, security groups, etc.), not a general security findings aggregator. - Amazon Inspector produces vulnerability findings, but it is not the broad, cross-service findings aggregation layer requested. Exam Tips: - Remember: IAM policies grant permissions; SCPs restrict them. - For org-wide security findings aggregation with auto-enrollment, think “Security Hub + Organizations + delegated admin.” - For centralized admin access into member accounts, look for “assume role into member accounts” patterns (OrganizationAccountAccessRole or equivalent).

Pregunta 3

A DevOps engineer is building a data-forwarding service where an AWS Lambda function reads batched records from an Amazon Kinesis Data Streams shard and forwards them to an internal ERP SOAP endpoint over a VPC. Roughly 12% of incoming records fail validation and must be handled manually; the Lambda event source mapping is configured with an Amazon SQS dead-letter queue (DLQ) as an on-failure destination, and the function uses batch processing with retries enabled. During load testing, the engineer observes that the DLQ contains many records that have no data issues and were already accepted by the ERP service, indicating that successful items from partially failing batches are being retried and eventually sent to the DLQ along with the failures. Which event source configuration change should the engineer implement to reduce the number of error-free records sent to the DLQ while preserving current throughput and retry behavior?

Pregunta 4

A global media company uses AWS Organizations with two OUs (root and analytics); the root OU has a single SCP that contains one Allow statement for all actions on all resources, while the analytics OU (which contains four accounts including the ext-ml account, ID 222222222222) has an SCP that allows only s3:* and glue:* and explicitly denies all other actions by using a Deny statement with NotAction [s3:, glue:] on all resources; in the ext-ml account, a DevOps engineer's IAM user has the AdministratorAccess policy attached, and when the engineer attempts in us-east-1 to create an Amazon RDS db.m6g.large instance via the console and AWS CLI (rds:CreateDBInstance), the request fails with AccessDeniedException indicating it was blocked by an organization service control policy. Which change will allow the engineer to successfully create the RDS instance in the ext-ml account?

Pregunta 5

(Selecciona 2)

A media streaming startup operates a multi-account environment in AWS Organizations with all features enabled. The operations (source) account uses AWS Backup in us-west-2 to protect 120 Amazon EBS volumes and encrypts recovery points with a customer managed KMS key (alias/ops-backup). To meet DR requirements, the company configured cross-account copy in the management account, created a backup vault named dr-vault and a customer managed KMS key (alias/dr-backup) in a newly created DR account, and then updated the backup plan in the operations account to copy all recovery points to the DR account's dr-vault. When a backup job runs in the operations account, recovery points are created successfully in the operations account, but no copies appear in the DR account's dr-vault. Which combination of steps will allow AWS Backup to copy recovery points to the DR account's vault? (Choose two.)

Análisis de la pregunta

Core Concept: This question tests AWS Backup cross-account copy prerequisites in an AWS Organizations environment, specifically the two authorization layers involved: (1) the destination backup vault access policy and (2) AWS KMS key policies for encrypting the copied recovery points. Even with Organizations “all features,” AWS Backup still requires explicit resource-based permissions on the destination vault and KMS permissions to use the destination CMK. Why the Answer is Correct: For cross-account copy, AWS Backup in the source account must be allowed to write into the destination vault in the DR account. That permission is granted by a resource-based policy on the destination backup vault (dr-vault). Without it, the copy operation is denied and no recovery points appear in the DR vault. Additionally, because the destination vault encrypts recovery points with a customer managed KMS key (alias/dr-backup), the AWS Backup service (acting on behalf of the source account) must be permitted by the destination CMK key policy to use the key for encryption operations (e.g., GenerateDataKey, Encrypt, Decrypt as required by the service). If the key policy does not allow this, AWS Backup cannot encrypt the copied recovery point in the DR account and the copy fails. Key AWS Features: - AWS Backup cross-account copy requires a destination vault access policy that allows the source account to perform copy/write actions. - AWS KMS CMKs are controlled primarily by key policies (not just IAM). Cross-account usage must be explicitly allowed in the key policy. - In multi-account DR designs, the destination account typically owns the vault and CMK; the source account is granted limited permissions to copy into that vault. Common Misconceptions: A frequent mistake is assuming that enabling AWS Organizations “all features” automatically authorizes cross-account backup copy. It does not; vault policies and KMS key policies still must be configured. Another misconception is thinking the source CMK must be shared with the DR account; for copy, AWS Backup re-encrypts using the destination CMK, so the critical permission is on the destination CMK. Exam Tips: When you see “cross-account copy” + “customer managed KMS key,” immediately check for two required permissions: destination vault policy (resource-based) and destination KMS key policy. If copies don’t appear, it’s almost always one (or both) of these missing permissions rather than the source vault policy.

¿Quieres practicar todas las preguntas en cualquier lugar?

Descarga Cloud Pass gratis — incluye exámenes de práctica, seguimiento de progreso y más.

Pregunta 6

A global logistics company ingests telemetry from 12,000 handheld scanners across 3 AWS Regions; each device type writes to a dedicated Amazon CloudWatch Logs log group per Region, totaling about 90 log groups. Over the past 14 days, CloudWatch Logs ingestion charges have increased by 68% with no planned changes. A DevOps engineer must quickly determine which device types or Regions are driving the spike in ingestion to prioritize remediation. Which solution is the MOST operationally efficient?

Pregunta 7

A DevOps engineer deploys an Auto Scaling group of 8 Amazon EC2 instances without public IPs across two private subnets (10.20.1.0/24 and 10.20.2.0/24) in us-east-2; due to a new FedRAMP High control, the VPC has no internet gateway or NAT gateway and all internet egress is prohibited, and the user data uses the AWS CLI to download artifacts from s3://company-artifacts-prod/builds/2.7.4/app.tar.gz at boot, yet while the instances report healthy status checks the application is not installed because the download fails. Which action will install the application while complying with the no-internet egress requirement?

Pregunta 8

A university consortium uses AWS Organizations across two Regions with four OUs and a delegated administrator account named platform-ops, and the research OU (58 AWS accounts) must ensure that, before any AWS CloudFormation stack create or update runs in us-east-1 or eu-west-1, every Amazon EBS volume and Amazon SQS queue defined in the stack has server-side encryption enabled with the KMS key alias alias/research-default and that this control is enforced consistently across all accounts in that OU—what solution will enforce this policy prior to CloudFormation stack operations in those accounts?

Pregunta 9

A telemedicine company's real-time consultation platform has grown from 8,000 daily active users to 60,000 across 7 countries, its microservices run on Amazon Elastic Kubernetes Service (Amazon EKS) that scales up to 2,500 nodes during 20-minute peak windows, and security reviews show sporadic unauthorized sign-in attempts and abrupt session drops, so the company requires platform-wide additional protections and a single summarized view across all AWS accounts that shows login attempts, API calls, and network traffic, permits network traffic analysis while minimizing raw log management overhead, and enables rapid investigation of potentially malicious activity involving the EKS workload—what solution best meets these requirements?

Análisis de la pregunta

Core concept: This question tests AWS threat detection and investigation across accounts for an EKS-based workload with minimal log-management overhead. The key services are Amazon GuardDuty (managed threat detection using CloudTrail, VPC Flow Logs, DNS logs, and EKS audit logs) and Amazon Detective (managed investigation that correlates signals into a unified view). Why the answer is correct: The company needs (1) platform-wide additional protections, (2) a single summarized view across all AWS accounts showing login attempts, API calls, and network traffic, (3) network traffic analysis while minimizing raw log management, and (4) rapid investigation of suspicious activity involving EKS. Enabling GuardDuty for EKS Audit Log Monitoring provides detections for suspicious Kubernetes control-plane activity (e.g., anomalous kubectl exec, suspicious API calls, privilege escalation patterns) in addition to its standard detections for IAM/console sign-in anomalies, API calls (via CloudTrail management events), and network threats (via VPC Flow Logs/DNS). Amazon Detective then provides the “single summarized view” and rapid investigation capability by automatically aggregating and correlating GuardDuty findings plus related activity (CloudTrail, VPC Flow Logs, and other context) across accounts using multi-account management (typically via AWS Organizations). This meets the requirement to minimize raw log management because you do not need to build and operate an S3/Athena/QuickSight pipeline just to investigate incidents. Key AWS features / best practices: - GuardDuty EKS Audit Log Monitoring: detects threats from Kubernetes audit events without you building custom analytics. - Detective: investigation graphs, entity timelines, and cross-account context to pivot from a GuardDuty finding to related API calls, IAM principals, and network connections. - Use delegated administrator in AWS Organizations for centralized enablement and visibility across accounts. Common misconceptions: Storing logs in S3 and querying with Athena/QuickSight can create dashboards, but it increases operational overhead and does not provide the same managed correlation/investigation workflow as Detective. CloudWatch Container Insights is for performance/operational telemetry, not security investigation. Exam tips: When requirements include “rapid investigation,” “summarized view,” and “minimize log management,” think GuardDuty (detect) + Detective (investigate). For EKS-specific suspicious activity, look for “GuardDuty for EKS Audit Logs.”

Pregunta 10

A healthcare company uses customer managed AWS KMS keys with automatic rotation disabled due to imported key material requirements and performs manual rotation, and the security team wants to receive an alert if any active key in us-east-1 or eu-west-1 has not been rotated within the last 120 days; which solution will accomplish this?

Análisis de la pregunta

Core Concept: This question is about building a custom compliance check for customer managed AWS KMS keys when automatic rotation cannot be used because the keys rely on imported key material. The requirement is to alert when any active key in us-east-1 or eu-west-1 has gone more than 120 days without manual rotation, which requires custom evaluation logic rather than a native KMS feature. Why the Answer is Correct: AWS Config is the best fit because it is designed for continuous compliance evaluation and supports custom rules backed by AWS Lambda. A custom rule can evaluate KMS keys in each required Region, determine whether a key is active, and compare the key’s last known manual rotation date against the 120-day threshold. Because KMS does not natively expose an age-based alert for manually rotated imported key material, the implementation must rely on metadata your organization records for each rotation event, such as a tag, a parameter, or another authoritative store updated during the rotation process. When a key is overdue, the rule can mark it NON_COMPLIANT and trigger an SNS notification directly or through an EventBridge rule on Config compliance changes. Key AWS Features: 1. AWS Config custom rules allow organization-specific compliance logic that is not available through managed rules. 2. Regional deployment supports checking KMS keys separately in us-east-1 and eu-west-1, with optional aggregation for centralized visibility. 3. Lambda-backed evaluation enables custom comparison logic against a 120-day threshold and active key state. 4. SNS and EventBridge can be used to notify the security team when a key becomes noncompliant. Common Misconceptions: A common mistake is assuming AWS KMS can directly notify when a key is older than a threshold or when manual rotation is overdue. Another misconception is that Trusted Advisor or Security Hub provides a built-in control for this exact imported-key-material manual-rotation requirement. In reality, this is a custom compliance use case that needs AWS Config plus supporting metadata about when manual rotation occurred. Exam Tips: When a question asks for continuous compliance monitoring with a custom threshold and alerting, AWS Config is usually the strongest answer. Be cautious with KMS manual rotation scenarios, because imported key material disables automatic rotation and KMS does not provide a native overdue-rotation alarm. On the exam, prefer AWS Config custom rules over general security dashboards when the requirement is precise, customizable, and compliance-oriented.

Practice Test #2

Respuestas y explicaciones verificadas por triple IA

Preguntas de práctica

Historias de éxito(6)

Otros exámenes de práctica

Practice Test #1

Comienza a practicar ahora