Cloud Practitioner · 30% of the exam

Security and Compliance: free practice questions

5 sample questions from our 75-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real AWS exam.

1. A security engineer wants to give an external auditing firm read-only access to specific AWS resources in the company's account. The auditors have their own AWS account. The company does not want to create long-term IAM credentials for the auditors. Which approach follows AWS best practices?

  • A. Create an IAM user for the auditing firm, attach a read-only policy, and share the access key
  • B. Create an IAM role with a read-only policy and a trust policy that allows the auditing firm's AWS account to assume it✓ Correct
  • C. Enable AWS Artifact and grant the auditing firm access to download compliance reports
  • D. Share the company's AWS Management Console login URL and a temporary IAM user password
Explanation

Using an IAM role with cross-account trust is the AWS-recommended pattern for granting external parties access. The auditors assume the role from their own account, receiving temporary STS credentials scoped to the read-only policy—no long-term credentials are needed. Creating an IAM user with an access key produces long-term credentials that must be managed and rotated, violating the requirement. AWS Artifact provides compliance documents, not live resource access. Sharing a console login URL and temporary password still involves long-term credentials and is not a scalable or secure practice for cross-account access.

2. A company is migrating a legacy application to AWS. The application requires TLS/SSL certificates for its public-facing domain. The team wants to provision and renew these certificates automatically without manual intervention. Which service should they use?

  • A. AWS KMS to generate and manage certificate keys
  • B. AWS Certificate Manager (ACM) to provision and auto-renew public SSL/TLS certificates✓ Correct
  • C. AWS Secrets Manager to store and rotate the certificate files
  • D. AWS CloudHSM to issue certificates using a dedicated hardware security module
Explanation

AWS Certificate Manager (ACM) provisions, manages, and automatically renews public SSL/TLS certificates for use with AWS services like ALB, CloudFront, and API Gateway at no additional cost. AWS KMS manages encryption keys for data at rest and does not issue or manage SSL/TLS certificates. AWS Secrets Manager stores and rotates secrets such as database passwords and API keys, but it does not provision or renew public TLS certificates. AWS CloudHSM provides a dedicated hardware security module for custom key management and can be used for private certificate authorities, but it requires significant manual operational overhead and is not the purpose-built solution for automatic public certificate management.

3. A company just created a new AWS account. The IT administrator wants to set up IAM following AWS security best practices from day one. Which TWO actions should the administrator take FIRST? (Select TWO)

  • A. Enable multi-factor authentication (MFA) on the root account user✓ Correct
  • B. Create programmatic access keys for the root account to use in automated scripts
  • C. Create an IAM user or role with administrative permissions for day-to-day management tasks instead of using the root account✓ Correct
  • D. Attach the AdministratorAccess policy to all IAM users by default so they can get started quickly
  • E. Share the root account password with all senior engineers so multiple people can manage the account
Explanation

The two highest-priority IAM best practices for a new account are: (1) enabling MFA on the root account to protect it from unauthorized access, and (2) creating a separate IAM administrative identity so the root account is not used for daily tasks. Option B is explicitly prohibited by AWS—root account access keys should never be created. Option D violates least privilege; not all users need administrative access. Option E violates individual accountability and is a severe security risk—root credentials must never be shared.

4. A company's web application is being targeted by a flood of HTTP requests from thousands of different IP addresses, making it impossible to block by IP alone. The requests are well-formed HTTP GET requests but are overwhelming the application servers. Which AWS service should the security team configure to mitigate this attack with rate-based rules?

  • A. AWS Shield Standard, which automatically absorbs volumetric DDoS attacks at no extra cost
  • B. Amazon GuardDuty, which detects the threat and automatically blocks offending IP addresses
  • C. AWS WAF with a rate-based rule that counts requests from a single IP over a five-minute window and blocks IPs exceeding the threshold✓ Correct
  • D. AWS Network Firewall deployed in the VPC to inspect and drop packets exceeding a defined rate
Explanation

AWS WAF rate-based rules are specifically designed for this scenario. They count requests from individual IP addresses over a configurable time window and automatically block IPs that exceed the threshold, mitigating HTTP flood attacks even when many source IPs are involved. Option A (AWS Shield Standard) provides automatic protection against common DDoS infrastructure attacks but does not offer customizable rate-based rules for HTTP-layer floods. Option B (GuardDuty) detects threats and generates findings but does not automatically block traffic—it is a detection service, not a mitigation tool. Option D (AWS Network Firewall) can perform packet filtering but is not the purpose-built tool for HTTP rate limiting at the application layer; WAF is more appropriate for this use case.

5. A company's IT administrator is setting up AWS IAM for a newly created AWS account. They want to follow AWS security best practices from the start. Which TWO actions should they take FIRST? (Select TWO)

  • A. Enable MFA on the AWS account root user✓ Correct
  • B. Create IAM access keys for the root user to use in the AWS CLI
  • C. Create individual IAM users for each person who needs AWS access✓ Correct
  • D. Share the root user credentials with the senior administrator for backup access
  • E. Attach the AdministratorAccess policy directly to every IAM user for convenience
Explanation

Correct: 'Enable MFA on the AWS account root user' — the root user has unrestricted access to all resources, so enabling MFA immediately is a critical first step to protect it. Correct: 'Create individual IAM users for each person who needs AWS access' — creating individual IAM users allows unique credentials, individual permissions, and auditability for each person. | Wrong: 'Create IAM access keys for the root user' — AWS explicitly recommends never creating root user access keys; use IAM users or roles for programmatic access. | Wrong: 'Share the root user credentials' — credentials should never be shared; this violates the principle of least privilege and makes auditing impossible. | Wrong: 'Attach AdministratorAccess to every user' — this violates least privilege; users should receive only the permissions they need to perform their job functions.

70 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free