Security & Compliance Flashcards

(52 cards)

1
Q

What is the AWS Shared Responsibility Model?

A) AWS: Security OF the Cloud (physical infrastructure, hardware, networking, hypervisor).
B) Security responsibilities are randomly assigned per service and documented in each service SLA.
C) The customer is responsible for all security including physical data centres and hardware.
D) AWS is responsible for all security including customer data, applications, and access management.

A

A) AWS: Security OF the Cloud (physical infrastructure, hardware, networking, hypervisor).

2
Q

What is AWS responsible for in the Shared Responsibility Model?

A) Security group rules, bucket policies, database user permissions, and network ACL rules.
B) Application code, OS configuration, firewall rules, and data backup strategies.
C) Physical data centre security, hardware and software infrastructure, networking, virtualisation, global…
D) Customer data encryption, IAM policies, OS patching on EC2, and application security.

A

C) Physical data centre security, hardware and software infrastructure, networking, virtualisation, global…

3
Q

What is the customer responsible for in the Shared Responsibility Model?

A) Customer data, platform/applications/IAM, OS/network/firewall configuration, client-side data encryption, server-side…
B) Physical hardware, hypervisor patches, data centre power and cooling, and network cables.
C) AWS global network infrastructure, Availability Zone design, and edge location management.
D) RDS engine patching, Lambda runtime updates, and S3 infrastructure durability.

A

A) Customer data, platform/applications/IAM, OS/network/firewall configuration, client-side data encryption, server-side…

4
Q

In the Shared Responsibility Model, who patches an EC2 OS?

A) The customer. EC2 is IaaS – AWS manages the physical host and hypervisor only.
B) It is shared equally — AWS patches the kernel; the customer patches user-space packages.
C) AWS — they manage all patching for EC2 as part of the managed compute service.
D) Neither — EC2 instances use immutable AMIs and are replaced rather than patched.

A

A) The customer. EC2 is IaaS – AWS manages the physical host and hypervisor only.

5
Q

In the Shared Responsibility Model, who patches an RDS DB engine?

A) It is shared — the customer patches minor versions; AWS patches major versions only.
B) AWS. RDS is a managed (PaaS) service – AWS handles OS and database engine patching.
C) Neither — RDS DB engines are containerised and automatically replaced rather than patched.
D) The customer — RDS only manages the hardware; DB engine patching is customer-owned.

A

B) AWS. RDS is a managed (PaaS) service – AWS handles OS and database engine patching.

6
Q

In the Shared Responsibility Model, who manages S3 bucket policies and encryption?

A) Neither — S3 is publicly accessible by default and does not support bucket policies.
B) AWS — S3 is a fully managed SaaS service and all policies are set by default.
C) It is shared — AWS manages encryption keys; customers manage bucket policy syntax.
D) The customer.

A

D) The customer.

7
Q

What is the key rule of the Shared Responsibility Model?

A) The higher the service tier (IaaS→SaaS), the more responsibility shifts to the customer.
B) AWS is always responsible for data security regardless of service type or configuration.
C) ‘If you put it there, you manage it.’ Managed services offload more responsibility to AWS; unmanaged services (like EC2)…
D) Security is always 100% the customer’s responsibility regardless of the service used.

A

C) ‘If you put it there, you manage it.’ Managed services offload more responsibility to AWS; unmanaged services (like EC2)…

8
Q

What is AWS Artifact?

A) A free self-service portal for downloading AWS compliance reports (SOC, PCI, ISO) and signing legal agreements like…
B) AWS Artifact is the managed container image registry for storing Docker images.
C) A CI/CD tool for packaging and deploying application artefacts to AWS services.
D) A service for storing and versioning application build outputs in S3-backed repositories.

A

A) A free self-service portal for downloading AWS compliance reports (SOC, PCI, ISO) and signing legal agreements like…

9
Q

What compliance frameworks does AWS support?

A) Only US-specific frameworks — HIPAA, FedRAMP, and SOX. EU compliance is customer-managed.
B) HIPAA (healthcare), PCI-DSS (payment cards), SOC 1/2/3, ISO 27001, FedRAMP (US government), GDPR (EU data protection).
C) ISO 27001 only — all other frameworks require customers to conduct their own audits.
D) PCI-DSS and HIPAA only — all other compliance certifications require third-party audits.

A

B) HIPAA (healthcare), PCI-DSS (payment cards), SOC 1/2/3, ISO 27001, FedRAMP (US government), GDPR (EU data protection).

10
Q

What is the AWS Compliance Center?

A) The dashboard inside AWS Config that shows real-time compliance rule evaluation results.
B) A central location to research cloud-related regulatory requirements, browse country-specific laws, discover how…
C) A tool inside IAM that scans your policies for compliance violations automatically.
D) A paid service where AWS consultants help you pass compliance audits for your workloads.

A

B) A central location to research cloud-related regulatory requirements, browse country-specific laws, discover how…

11
Q

What is AWS Audit Manager?

A) A cost management service that audits AWS spending against budget thresholds.
B) A log analysis tool that detects unusual API activity and flags potential audit risks.
C) Continuously collects data to prepare for audits and ensure compliance with regulatory standards.
D) A service that automatically patches and remediates non-compliant resources in real time.

A

C) Continuously collects data to prepare for audits and ensure compliance with regulatory standards.

12
Q

What are the key security concepts: encryption at rest, encryption in transit, MFA?

A) At rest: data encrypted when stored (S3, EBS, RDS). In transit: encrypted while moving (TLS/SSL). MFA: extra code required at login.
B) MFA is only available for root accounts. Encryption at rest is enabled by default on all services. In transit requires Direct Connect.
C) Encryption at rest: data encrypted during network transfer. In transit: data encrypted on disk. MFA: role-based access control.
D) Encryption at rest only applies to S3. In transit only applies to RDS. MFA is optional for all users.

A

A) At rest: data encrypted when stored (S3, EBS, RDS). In transit: encrypted while moving (TLS/SSL). MFA: extra code required at login.

13
Q

What is ‘Defence in depth’?

A) Offloading all security responsibilities to AWS by using only managed services.
B) Protecting only the perimeter network to prevent all external threats from entering.
C) Applying multiple layers of security controls so that if one layer fails, others still protect the system.
D) Using a single, highly robust security control instead of many weaker individual controls.

A

C) Applying multiple layers of security controls so that if one layer fails, others still protect the system.

14
Q

What is IAM and what does it cost?

A) Identity and Access Management – controls WHO can do WHAT in your AWS account. It is free to use.
B) IAM is AWS’s network firewall service for controlling traffic to EC2 instances.
C) IAM is the audit logging service that records all API calls in your account.
D) IAM is a paid security service billed per user, group, and policy created per month.

A

A) Identity and Access Management – controls WHO can do WHAT in your AWS account. It is free to use.

15
Q

What are the 4 core IAM components?

A) Accounts, Organisations, Access Keys, and MFA Devices.
B) Certificates, Keys, Tokens, and Passwords — the four credential types.
C) Users – individual accounts for people or applications.
D) Root, Admin, Power User, and Read-Only — the four default permission tiers.

A

C) Users – individual accounts for people or applications.

16
Q

What is an IAM User?

A) A temporary identity with auto-expiring credentials used for programmatic access only.
B) An individual AWS account for a person or application.
C) An IAM User is the same as an IAM Role — both provide temporary assumed credentials.
D) A pre-built AWS user with AdministratorAccess that manages your account by default.

A

B) An individual AWS account for a person or application.

17
Q

What is an IAM Group?

A) A group of AWS accounts managed under a single AWS Organisation for billing purposes.
B) A temporary role that multiple users can assume simultaneously for shared tasks.
C) A collection of IAM users. Attach policies to the group and all users in the group inherit those permissions.
D) A security boundary equivalent to a VPC that isolates users from each other.

A

C) A collection of IAM users. Attach policies to the group and all users in the group inherit those permissions.

18
Q

What is an IAM Role?

A) An IAM identity with specific permissions that can be assumed temporarily by trusted entities (EC2…
B) An IAM Role is the same as an IAM Policy — both define what actions are allowed.
C) A group of permissions that can only be used by IAM Users, not services.
D) A permanent credential set stored in IAM for machine-to-machine authentication.

A

A) An IAM identity with specific permissions that can be assumed temporarily by trusted entities (EC2…

19
Q

What is an IAM Policy?

A) A billing rule that restricts spending on specific AWS services.
B) A network firewall rule that controls traffic to IAM-protected resources.
C) A JSON document that defines Allow or Deny permissions for specific actions on specific AWS resources.
D) A CloudFormation template that provisions IAM users and groups automatically.

A

C) A JSON document that defines Allow or Deny permissions for specific actions on specific AWS resources.

20
Q

What is the structure of an IAM Policy JSON?

A) Version, Statement array containing: Effect (Allow/Deny), Action (e.g. s3:GetObject), Resource (e.g.
B) Allow/Deny, Username, Password, and AccessKey fields in a flat key-value structure.
C) Principal, Action, Resource, Condition — all four fields are required in every statement.
D) ServiceName, PermissionLevel (Read/Write/Admin), and ResourceARN only.

A

A) Version, Statement array containing: Effect (Allow/Deny), Action (e.g. s3:GetObject), Resource (e.g.

21
Q

What are the 3 types of IAM policies?

A) Global policies, Regional policies, and Resource-level policies.
B) Read policies, Write policies, and Admin policies — the three access level tiers.
C) 1. AWS Managed – pre-built by AWS (e.g. AdministratorAccess, ReadOnlyAccess) | …
D) Account policies, User policies, and Service policies.

A

C) 1. AWS Managed – pre-built by AWS (e.g. AdministratorAccess, ReadOnlyAccess) | …

22
Q

List the 8 IAM best practices.

A) 1. Use root for daily tasks 2. Create shared team users 3. Assign permissions per resource 4. Grant all permissions 5. Enable MFA only for root 6. Store credentials in code 7. Rotate annually 8. Use inline policies only
B) Lock down root + MFA, individual IAM users, use groups for permissions, least privilege, MFA for all privileged users, roles for services/apps, rotate credentials, use IAM Access Analyzer.
C) 1. Enable MFA only on production accounts 2. Use groups sparingly 3. Grant permissions one at a time 4. Store keys in environment variables 5. Rotate after breaches only 6. Use root for billing only 7. Share access keys via email 8. Review permissions annually
D) 1. Share root credentials with trusted admins 2. Use one IAM user per team 3. Assign permissions individually 4. Grant maximum access 5. Disable MFA for simplicity 6. Use access keys for all services 7. Never rotate credentials 8. Skip Access Analyzer

A

B) Lock down root + MFA, individual IAM users, use groups for permissions, least privilege, MFA for all privileged users, roles for services/apps, rotate credentials, use IAM Access Analyzer.

23
Q

What is the Principle of Least Privilege?

A) Grant all users administrator access by default and restrict only when abuse is detected.
B) Grant identities only the minimum permissions required to perform their job – nothing extra.
C) Each AWS account should have the least possible number of IAM users to reduce attack surface.
D) Only the root user should have access to billing; all other users get read-only by default.

A

B) Grant identities only the minimum permissions required to perform their job – nothing extra.

24
Q

What is AWS Organizations?

A) A paid premium service for enterprises to manage AWS service quotas across accounts.
B) A service for centrally managing multiple AWS accounts.
C) AWS Organizations is the same as AWS Control Tower — both manage multi-account setups.
D) A tool for organising AWS resources into logical groups within a single account.

A

B) A service for centrally managing multiple AWS accounts.

25
Q

What is an Organizational Unit (OU) in AWS Organizations?

A) A service quota group that limits the number of resources per AWS account.
B) An individual AWS account that has been designated as a billing payer account.
C) An OU is an IAM Group that spans multiple AWS accounts for federated access.
D) A logical grouping of AWS accounts within an Organisation (e.g. Dev, Prod, Finance OUs).

A

D) A logical grouping of AWS accounts within an Organisation (e.g. Dev, Prod, Finance OUs).

26
Q

What are Service Control Policies (SCPs)?

A) Policies that grant specific permissions to member accounts in an Organisation.
B) Permission guardrails applied at the root, OU, or account level in AWS Organizations.
C) Billing policies that set maximum spend limits on member accounts.
D) SCPs are IAM policies attached to the root user of the management account.

A

B) Permission guardrails applied at the root, OU, or account level in AWS Organizations.

27
Q

What are the benefits of AWS Organizations consolidated billing?

A) The management account pays upfront for all member accounts at a fixed annual rate.
B) Each account is billed independently but receives a 10% flat discount automatically.
C) Consolidated billing removes all data transfer charges between member accounts.
D) Single payment method for all accounts; volume discounts apply across the combined usage; Reserved Instances and...

A

D) Single payment method for all accounts; volume discounts apply across the combined usage; Reserved Instances and...

28
Q

What does Amazon GuardDuty do?

A) Intelligent threat detection using ML.
B) Blocks DDoS attacks in real time using machine learning and traffic analysis.
C) Discovers and classifies sensitive data stored in S3 buckets using ML.
D) Scans EC2 instances for software vulnerabilities and unpatched CVEs.

A

A) Intelligent threat detection using ML.

29
Q

What does Amazon Inspector do?

A) Detects threats by analysing CloudTrail logs and VPC Flow Logs with ML.
B) Aggregates security findings from GuardDuty, Config, and Macie into a central dashboard.
C) Monitors network traffic in VPCs for intrusion detection and prevention.
D) Automated security assessments of EC2 instances, container images in ECR, and Lambda functions for software...

A

D) Automated security assessments of EC2 instances, container images in ECR, and Lambda functions for software...

30
Q

What does AWS Macie do?

A) Macie monitors EC2 instances for malware and removes infected files automatically.
B) Uses ML to automatically discover, classify, and protect sensitive data (PII) stored in Amazon S3.
C) Macie is a DDoS protection service that filters malicious traffic at the network edge.
D) Macie aggregates compliance findings and generates audit-ready reports for regulators.

A

B) Uses ML to automatically discover, classify, and protect sensitive data (PII) stored in Amazon S3.

31
Q

What does AWS CloudTrail record?

A) All API calls in your AWS account – who did what, when, and from where.
B) EC2 instance performance metrics like CPU, memory, disk I/O, and network throughput.
C) Only security-related events such as failed login attempts and policy violations.
D) Network packet captures for all traffic entering and leaving your VPC.

A

A) All API calls in your AWS account – who did what, when, and from where.

32
Q

What are the 3 types of CloudTrail events?

A) Security Events, Compliance Events, and Billing Events.
B) Management Events: create/modify/delete operations on resources. | ...
C) Read Events, Write Events, and Admin Events.
D) Account Events, Service Events, and Resource Events.

A

B) Management Events: create/modify/delete operations on resources. | ...

33
Q

What does AWS Config do?

A) Config monitors network traffic and blocks requests that violate security policies.
B) Config is a log aggregation service that collects application logs from EC2 instances.
C) Assesses, audits, and evaluates the configuration of AWS resources over time. Configuration history tracks changes.
D) Config deploys infrastructure changes automatically when drift from a template is detected.

A

C) Assesses, audits, and evaluates the configuration of AWS resources over time. Configuration history tracks changes.

34
Q

What is AWS Security Hub?

A) Security Hub is the primary interface for managing IAM users and policies.
B) A central security findings aggregator and compliance dashboard.
C) Security Hub is a DDoS mitigation service that protects web applications.
D) Security Hub is a log storage service that archives CloudTrail events long-term.

A

B) A central security findings aggregator and compliance dashboard.

35
Q

What is Amazon Detective?

A) Analyses and investigates root causes of security findings. Ingests VPC Flow Logs, CloudTrail, and GuardDuty findings.
B) Detective is a penetration testing service that simulates attacks on your AWS workloads.
C) Detective automatically remediates security findings identified by GuardDuty.
D) Detective blocks suspicious IP addresses identified in VPC Flow Logs in real time.

A

A) Analyses and investigates root causes of security findings. Ingests VPC Flow Logs, CloudTrail, and GuardDuty findings.

36
Q

What is AWS Shield?

A) Shield is a vulnerability scanning service for EC2 instances and container images.
B) Shield is a secrets management service that rotates API keys and passwords.
C) Shield is a web application firewall that filters SQL injection and XSS attacks.
D) DDoS protection. Shield Standard is free for all customers.

A

D) DDoS protection. Shield Standard is free for all customers.

37
Q

What is AWS WAF (Web Application Firewall)?

A) WAF is an intrusion detection service that monitors OS-level activity on EC2 instances.
B) Monitors HTTP requests, blocking SQL injection and XSS.
C) WAF is a network firewall for VPCs that filters traffic between subnets.
D) WAF is a DDoS mitigation service that absorbs volumetric network attacks at Layer 3/4.

A

B) Monitors HTTP requests, blocking SQL injection and XSS.

38
Q

What is AWS Network Firewall?

A) Network Firewall is an instance-level firewall that replaces Security Groups.
B) Network Firewall is the same as a Network ACL — both are stateless subnet firewalls.
C) Network Firewall is a cloud-based antivirus service for EC2 workloads.
D) A stateful managed network firewall and intrusion detection/prevention service for VPCs.

A

D) A stateful managed network firewall and intrusion detection/prevention service for VPCs.

39
Q

What is the difference between a Security Group and a Network ACL (NACL)?

A) Security Groups are stateless; NACLs are stateful. Both operate at the subnet level.
B) NACLs operate at the instance level; Security Groups operate at the subnet level.
C) Security Groups support deny rules; NACLs support only allow rules.
D) Security Group: instance-level firewall, stateful (return traffic auto-allowed), allow rules only, all rules evaluated simultaneously.

A

D) Security Group: instance-level firewall, stateful (return traffic auto-allowed), allow rules only, all rules evaluated simultaneously.

40
Q

What are VPC Flow Logs?

A) Flow Logs are billing logs that record data transfer costs per network interface.
B) Capture information about IP traffic going to and from network interfaces in a VPC.
C) Flow Logs are real-time packet captures of all network traffic in a VPC.
D) Flow Logs automatically block traffic that violates Security Group rules.

A

B) Capture information about IP traffic going to and from network interfaces in a VPC.

41
Q

What is AWS KMS?

A) KMS is a certificate management service for provisioning SSL/TLS certificates.
B) KMS is a secrets storage service for database passwords and API keys.
C) Key Management Service – create and manage cryptographic keys used to encrypt/decrypt data.
D) KMS is an HSM service where all keys are stored on dedicated hardware modules.

A

C) Key Management Service – create and manage cryptographic keys used to encrypt/decrypt data.

42
Q

What is AWS Secrets Manager?

A) Secrets Manager is an IAM policy generator that creates least-privilege policies.
B) Secrets Manager is a key management service for creating encryption keys.
C) Stores, rotates, and retrieves secrets (passwords, API keys, DB credentials).
D) Secrets Manager is a certificate authority for issuing internal SSL certificates.

A

C) Stores, rotates, and retrieves secrets (passwords, API keys, DB credentials).

43
Q

What is AWS Certificate Manager (ACM)?

A) ACM is an identity provider that enables SAML and OIDC federation for AWS access.
B) Provisions, manages, and deploys public and private SSL/TLS certificates for AWS websites and applications.
C) ACM is a secrets storage service for API keys and database passwords.
D) ACM is a KMS-integrated service for creating and managing encryption keys.

A

B) Provisions, manages, and deploys public and private SSL/TLS certificates for AWS websites and applications.

44
Q

What is AWS IAM Identity Center (formerly SSO)?

A) IAM Identity Center is AWS's MFA management service for hardware token devices.
B) IAM Identity Center is a paid upgrade to IAM that enables role-based access control.
C) IAM Identity Center is a tool for creating and managing individual IAM users at scale.
D) Centrally manages single sign-on (SSO) access across multiple AWS accounts and applications.

A

D) Centrally manages single sign-on (SSO) access across multiple AWS accounts and applications.

45
Q

What is AWS CloudHSM?

A) CloudHSM is a managed secrets rotation service that automatically updates credentials.
B) CloudHSM is a VPN service that uses hardware-accelerated encryption for Direct Connect.
C) Provides a hardware security module (HSM) in the cloud.
D) CloudHSM is a DDoS protection service using dedicated hardware at the network edge.

A

C) Provides a hardware security module (HSM) in the cloud.

46
Q

What is AWS Firewall Manager?

A) Firewall Manager replaces Security Groups and NACLs with a unified policy engine.
B) Firewall Manager is a Network Firewall deployment tool for a single VPC.
C) Manages security services (WAF rules, security groups, network firewall) across multiple AWS accounts.
D) Firewall Manager is a WAF rule testing service that simulates web attacks.

A

C) Manages security services (WAF rules, security groups, network firewall) across multiple AWS accounts.

47
Q

What is AWS Resource Access Manager?

A) Resource Access Manager encrypts shared resources to ensure only authorised access.
B) Securely shares AWS resources across accounts, organisations, and OUs.
C) Resource Access Manager is a billing tool for chargeback across multiple accounts.
D) Resource Access Manager manages service quotas and limits across AWS accounts.

A

B) Securely shares AWS resources across accounts, organisations, and OUs.

48
Q

What is AWS Private Certificate Authority?

A) A managed private CA that issues certificates for authenticating internal users, computers, and applications.
B) Private CA issues public SSL certificates trusted by all internet browsers.
C) Private CA is the same as ACM — both provision and manage SSL/TLS certificates.
D) Private CA is a KMS feature that manages asymmetric key pairs for code signing.

A

A) A managed private CA that issues certificates for authenticating internal users, computers, and applications.

49
Q

What is the IAM root user?

A) The root user is automatically deleted after the first IAM user is created.
B) The root user has the same permissions as an IAM administrator and can be used safely.
C) Automatically created when a new AWS account is made, with full permissions to do anything.
D) The root user can be restricted by SCPs applied from a parent AWS Organization.

A

C) Automatically created when a new AWS account is made, with full permissions to do anything.

50
Q

What happens to a new IAM user's permissions by default?

A) New IAM users are implicitly denied ALL permissions by default – they cannot access any AWS service or...
B) New IAM users inherit the permissions of the group they are first added to.
C) New IAM users get read-only access to all AWS services by default for safety.
D) New IAM users automatically receive the permissions of the IAM user who created them.

A

A) New IAM users are implicitly denied ALL permissions by default – they cannot access any AWS service or...

51
Q

What is AWS Security Lake?

A) Collects security logs and events from multiple sources including on-premises environments, AWS services, and...
B) Security Lake is a SIEM service that automatically responds to and remediates threats.
C) Security Lake is an S3-backed log archive service that encrypts logs using KMS only.
D) Security Lake is a compliance dashboard that aggregates Config and GuardDuty findings.

A

A) Collects security logs and events from multiple sources including on-premises environments, AWS services, and...

52
Q

What WAF rule components do you define in a web ACL?

A) 1. The resource to monitor (e.g. CloudFront distribution, ALB, API Gateway). | ...
B) HTTP method, request path, and response code — the three WAF rule matching criteria.
C) IP address whitelist, rate limit, and geographic block — the three mandatory WAF settings.
D) Only an action (Allow or Block) — WAF automatically determines inspection criteria.

A

A) 1. The resource to monitor (e.g. CloudFront distribution, ALB, API Gateway). | ...