AWS Certified SysOps Administrator - Associate · Domain 4 · 16% of exam

Security and Compliance

Drill 20 practice questions focused entirely on Security and Compliance for the AWS SOA-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A SysOps administrator must enable HTTPS for a public-facing web application served by an Application Load Balancer (ALB). Security requires that the TLS certificate be automatically renewed to avoid expiration-related outages, and that no certificate private keys are ever stored on or accessible by the EC2 instances. Which approach meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 2 of 20

A SysOps administrator manages a public-facing website behind an Application Load Balancer using an ACM certificate that was issued with DNS validation. The certificate is approaching its expiration date, and CloudWatch shows the certificate is NOT being automatically renewed. The domain's DNS is hosted in Amazon Route 53 in the same account. What is the MOST likely cause of the failed automatic renewal?

Reviewed for accuracy · Report an issue
Question 3 of 20

A SysOps administrator must produce evidence for an upcoming compliance audit showing which S3 buckets, IAM roles, and KMS keys in the account can be accessed by principals outside the AWS Organization. The solution must continuously monitor for new external access and require minimal ongoing effort. What should the administrator do?

Reviewed for accuracy · Report an issue
Question 4 of 20

A SysOps administrator is conducting a quarterly access review for a large AWS account. Security policy requires identifying IAM roles that have permissions granted but have not been used within the last 90 days, so that unnecessary privileges can be removed to enforce least privilege. The administrator wants a managed, automated way to surface these findings without writing custom scripts to parse CloudTrail logs. Which approach should be used?

Reviewed for accuracy · Report an issue
Question 5 of 20

A SysOps administrator manages 40 IAM users who all require identical S3 and CloudWatch read permissions. The company frequently onboards and offboards staff, and the security team complains that permissions drift because policies are attached inconsistently to individual users. Which approach best ensures consistent, maintainable permission management?

Reviewed for accuracy · Report an issue
Question 6 of 20

A SysOps administrator must allow a team of application developers to create new IAM roles for their Lambda functions. Security policy requires that any role the developers create must never be able to grant permissions beyond a defined set of services (Lambda, DynamoDB, and CloudWatch Logs), even if the developer attaches broader policies. The developers should still be able to create and manage roles independently. What is the MOST effective way to enforce this constraint?

Reviewed for accuracy · Report an issue
Question 7 of 20

A SysOps administrator attaches an IAM policy to a group that explicitly allows all Amazon S3 actions on a company data bucket. A separate managed policy attached to one user in that group includes an explicit deny for s3:DeleteObject on the same bucket. When that user attempts to delete an object from the bucket, the action fails. What is the reason for this behavior?

Reviewed for accuracy · Report an issue
Question 8 of 20

A SysOps administrator is configuring an IAM role that a third-party SaaS monitoring vendor will assume to read CloudWatch metrics in the company's AWS account. The vendor manages a single AWS account that they use to access many of their customers' accounts. The security team is concerned that another of the vendor's customers could trick the vendor into accessing this company's account. Which configuration best mitigates this confused deputy risk?

Reviewed for accuracy · Report an issue
Question 9 of 20

A SysOps administrator must prove to auditors that a specific Lambda function is the only workload decrypting sensitive records with a customer managed KMS key, and that each decryption request can be tied to a particular tenant. The team currently uses a shared symmetric CMK. Which approach best meets these requirements with the least custom code?

Reviewed for accuracy · Report an issue
Question 10 of 20

A company uses a customer managed KMS key to encrypt sensitive data. A newly deployed Lambda function must temporarily be granted permission to decrypt objects with this key for a scheduled 6-hour batch job, after which the access should be automatically revoked without modifying the key policy or the function's IAM role. A SysOps administrator wants the least disruptive, auditable way to provide this scoped, revocable permission. Which approach BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A SysOps administrator accidentally scheduled deletion of a customer managed AWS KMS key that is still used to encrypt an active Amazon EBS volume and several S3 objects. The key was scheduled for deletion with the default waiting period. The administrator realizes the mistake two days later and needs to prevent data loss. What is the correct action?

Reviewed for accuracy · Report an issue
Question 12 of 20

A company stores sensitive reports in an S3 bucket encrypted with a customer managed AWS KMS key in Account A. An analytics team operating in Account B needs to read and decrypt these objects using their IAM role. The bucket policy has already been updated to grant Account B's role s3:GetObject access, but the analytics team still receives an AccessDenied error when downloading objects. What is the MOST likely cause and correct remediation?

Reviewed for accuracy · Report an issue
Question 13 of 20

A SysOps administrator manages an AWS KMS customer managed key that was created by importing external key material to satisfy a regulatory requirement for on-premises key generation. During a compliance review, the auditor asks the administrator to enable automatic annual key rotation on this key. The administrator opens the key in the KMS console but finds that the automatic rotation option cannot be enabled. What is the correct explanation and remediation?

Reviewed for accuracy · Report an issue
Question 14 of 20

A SysOps administrator manages an application that stores encrypted DynamoDB Global Table data in us-east-1 and eu-west-1. Client-side envelope encryption is used, and the same encrypted payloads must be decryptable in both Regions without making a cross-Region API call to a single KMS key. What is the MOST appropriate way to configure AWS KMS for this requirement?

Reviewed for accuracy · Report an issue
Question 15 of 20

A SysOps administrator discovers that several S3 buckets across an account have overly permissive bucket policies and ACLs that grant public read access to objects. The compliance team requires that no bucket in the account can be made public, regardless of individual bucket policies or ACLs that developers might apply in the future. What is the MOST effective way to enforce this requirement?

Reviewed for accuracy · Report an issue
Question 16 of 20

A company stores sensitive customer data in an Amazon S3 bucket. A compliance audit requires that all requests to the bucket must use encryption in transit, and any request made over an unencrypted connection must be denied. The SysOps administrator must enforce this at the bucket level without modifying application code. Which action meets this requirement?

Reviewed for accuracy · Report an issue
Question 17 of 20

A media company stores private video files in an S3 bucket that has Block Public Access enabled. A mobile application needs to allow authenticated end users to download a specific video file for a limited time (15 minutes) without granting them long-term AWS credentials or making the object public. What is the MOST appropriate way to provide this temporary access?

Reviewed for accuracy · Report an issue
Question 18 of 20

A SysOps administrator manages an S3 bucket that stores millions of small objects, all encrypted with server-side encryption using an AWS KMS customer managed key (SSE-KMS). After enabling encryption, the AWS bill shows a large increase in AWS KMS request charges because every object upload and download triggers a separate KMS API call. The administrator must reduce KMS costs while keeping the objects encrypted with the same KMS key. What is the MOST cost-effective action?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company uses AWS Organizations with all features enabled. The compliance team requires that member accounts in the 'Production' OU can only create and manage resources in the eu-west-1 and eu-central-1 Regions, regardless of any IAM permissions granted within those accounts. Global services such as IAM and CloudFront must remain functional. What is the MOST effective way to enforce this restriction?

Reviewed for accuracy · Report an issue
Question 20 of 20

A SysOps administrator manages a multi-account AWS Organization. The security team requires that developers in a member account can create IAM roles for their applications, but those created roles must never be able to modify billing, leave the organization, or access CloudTrail settings. Additionally, the developers themselves must never be able to grant more permissions than a defined maximum, even when creating new roles. Which combination of controls correctly enforces these requirements?

Reviewed for accuracy · Report an issue

More SOA-C02 practice

Keep going with the other AWS Certified SysOps Administrator - Associate domains, or take a full timed mock exam.

← Back to SOA-C02 overview