Question 151
Which AWS service allows secure storage and automatic rotation of database credentials and API keys?
A) AWS Secrets Manager
B) AWS KMS
C) AWS IAM
D) AWS Macie
Answer: A) AWS Secrets Manager
Explanation:
AWS Secrets Manager enables secure storage and automated rotation of sensitive credentials, including database passwords, API keys, and tokens. It integrates with AWS services such as RDS, Redshift, and third-party applications, allowing applications to retrieve secrets securely without hardcoding them in code. KMS manages encryption keys but does not rotate application credentials. IAM manages access policies but does not handle secret storage or rotation. Macie discovers sensitive data but does not manage credentials. Secrets Manager ensures encryption of secrets, scheduled rotation, audit logging, fine-grained access control, and integration with CloudWatch and Lambda for automated monitoring and remediation, making it the correct service for secret storage and automated rotation.
Question 152
Which AWS service continuously monitors accounts for suspicious activity using machine learning and threat intelligence?
A) AWS GuardDuty
B) AWS Macie
C) AWS WAF
D) AWS Shield
Answer: A) AWS GuardDuty
Explanation:
AWS GuardDuty continuously analyzes CloudTrail logs, VPC Flow Logs, and DNS queries to detect unusual API activity, compromised credentials, or reconnaissance activity using machine learning and threat intelligence. Macie identifies sensitive data but does not detect threats. WAF protects web applications from malicious requests but does not monitor account activity. Shield mitigates DDoS attacks but does not provide account threat detection. GuardDuty provides actionable alerts, integrates with Security Hub for centralized monitoring, and can trigger automated remediation workflows, making it the correct service for detecting suspicious AWS account activity.
Question 153
Which AWS service protects web applications against SQL injection and cross-site scripting attacks?
A) AWS WAF
B) AWS Shield
C) AWS GuardDuty
D) AWS Macie
Answer: A) AWS WAF
Explanation:
AWS WAF inspects HTTP/HTTPS requests and filters malicious traffic using web ACL rules to prevent SQL injection and cross-site scripting (XSS) attacks. Shield mitigates DDoS attacks but does not block malicious application requests. GuardDuty detects anomalies but cannot enforce web application security rules. Macie discovers sensitive data but does not protect web applications. WAF integrates with CloudFront, ALB, and API Gateway to enforce security rules across applications at scale, making it the correct service for protecting applications against SQL injection and XSS attacks.
Question 154
Which AWS service monitors AWS resources for compliance and triggers automated remediation?
A) AWS Config
B) AWS GuardDuty
C) AWS Macie
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config continuously evaluates AWS resources against compliance rules and triggers automated remediation for non-compliant resources using Lambda or Systems Manager Run Command. GuardDuty detects threats but does not remediate resource configurations. Macie discovers sensitive data but does not enforce compliance. Shield protects against DDoS attacks but does not manage resource compliance. Config provides continuous auditing, historical tracking, automated enforcement of policies, and integration with Security Hub, making it the correct service for monitoring and remediating non-compliant resources.
Question 155
Which AWS service aggregates security findings from multiple AWS accounts into a centralized view?
A) AWS Security Hub
B) AWS GuardDuty
C) AWS Macie
D) AWS WAF
Answer: A) AWS Security Hub
Explanation:
AWS Security Hub collects findings from GuardDuty, Inspector, Macie, and Config across multiple accounts and regions. GuardDuty detects threats but does not aggregate findings. Macie identifies sensitive data but does not provide centralized dashboards. WAF protects applications but does not consolidate findings. Security Hub provides visualization of security posture, compliance assessment, prioritization of alerts, and integration with automated remediation workflows, making it the correct service for centralized aggregation of security findings.
Question 156
Which AWS service detects unencrypted S3 buckets and triggers automated remediation?
A) AWS Config
B) AWS Macie
C) AWS KMS
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config monitors S3 bucket configurations and identifies buckets that do not comply with encryption policies. It can automatically remediate non-compliant buckets, such as applying default encryption using Lambda functions. Macie discovers sensitive data but does not enforce encryption. KMS manages keys but does not detect unencrypted buckets. Shield protects against DDoS attacks but does not manage compliance. Config’s continuous monitoring, automated remediation, and audit history make it the correct service for enforcing encryption compliance on S3 buckets.
Question 157
Which AWS service provides centralized and fine-grained access control for users, groups, and roles?
A) AWS IAM
B) AWS Security Hub
C) AWS Config
D) AWS Macie
Answer: A) AWS IAM
Explanation:
AWS IAM allows administrators to define granular policies for users, groups, and roles across AWS accounts. Security Hub aggregates findings but does not manage access. Config monitors compliance but does not enforce permissions. Macie identifies sensitive data but cannot control access. IAM supports multi-factor authentication, conditional policies, and cross-account roles, making it the correct service for implementing fine-grained access control and centralized permission management.
Question 158
Which AWS service manages encryption keys and supports automatic key rotation across AWS services?
A) AWS KMS
B) AWS CloudTrail
C) AWS Secrets Manager
D) AWS Macie
Answer: A) AWS KMS
Explanation:
AWS KMS enables the creation, management, and automatic rotation of encryption keys used across AWS services, including S3, EBS, and RDS. CloudTrail logs key usage but does not manage encryption keys. Secrets Manager rotates secrets but does not handle general encryption keys. Macie identifies sensitive data but does not encrypt it. KMS provides centralized key management, fine-grained access control, audit logging, and compliance support, making it the correct service for encryption key management and rotation.
Question 159
Which AWS service analyzes account activity using machine learning and threat intelligence to detect suspicious behavior?
A) AWS GuardDuty
B) AWS Macie
C) AWS WAF
D) AWS Shield
Answer: A) AWS GuardDuty
Explanation:
GuardDuty monitors AWS accounts by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds. Macie discovers sensitive data but does not detect threats. WAF protects applications but does not monitor account behavior. Shield mitigates DDoS attacks but does not detect anomalies. GuardDuty provides actionable alerts, integrates with Security Hub for centralized monitoring, and supports automated remediation workflows, making it the correct service for detecting suspicious activity in AWS accounts.
Question 160
Which AWS service protects web applications from SQL injection and XSS attacks?
A) AWS WAF
B) AWS Shield
C) AWS GuardDuty
D) AWS Macie
Answer: A) AWS WAF
Explanation:
AWS WAF inspects HTTP/HTTPS requests and filters malicious traffic using web ACL rules to block SQL injection and XSS attacks. Shield mitigates network-level DDoS attacks but does not block application-layer threats. GuardDuty detects anomalous behavior but cannot enforce web security rules. Macie identifies sensitive data but does not protect applications. WAF integrates with CloudFront, ALB, and API Gateway to enforce security rules across multiple applications, making it the correct service for protecting web applications.
Question 161
Which AWS service monitors resources and automatically remediates non-compliant configurations?
A) AWS Config
B) AWS GuardDuty
C) AWS Macie
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config is a fully managed service that provides continuous monitoring, assessment, and enforcement of AWS resource configurations, enabling organizations to maintain security, governance, and compliance in dynamic cloud environments. As organizations increasingly adopt AWS services across multiple accounts and regions, ensuring that resources remain compliant with organizational policies, industry standards, and regulatory requirements becomes complex. Manual auditing and remediation are time-consuming, prone to human error, and do not scale well. AWS Config addresses these challenges by offering continuous evaluation of resources, automated remediation, historical tracking, and integration with other AWS services for centralized visibility and enforcement.
A primary capability of Config is its ability to evaluate AWS resources against predefined compliance rules. Administrators can create managed or custom Config rules to enforce security and operational policies across services such as Amazon S3, Amazon EC2, Amazon RDS, AWS Lambda, and IAM. For example, Config can verify whether S3 buckets are encrypted, whether security groups restrict access to approved ports, or whether EC2 instances comply with required tagging standards. Once a resource is created or modified, Config continuously evaluates its configuration against the rules and marks it as compliant or non-compliant. This continuous evaluation ensures that deviations are detected in near real-time, reducing the risk of misconfigurations leading to security incidents or regulatory violations.
One of the key strengths of Config is its automated remediation capabilities, which are critical for maintaining compliance in large-scale environments. When a resource is found to be non-compliant, Config can trigger automated actions through AWS Lambda functions or Systems Manager Run Command. For example, if Config detects an unencrypted EBS volume, it can automatically encrypt the volume or create a snapshot for migration to an encrypted volume. Similarly, if a security group allows unrestricted SSH access, Config can invoke a Lambda function to modify the rule to restrict access to approved IP addresses. This automation reduces the operational overhead associated with manual remediation and ensures that policy enforcement is consistent and timely.
In contrast, other AWS services provide complementary functions but do not offer end-to-end compliance enforcement. Amazon GuardDuty is designed to detect threats such as anomalous API calls, malicious activity, or compromised credentials, but it does not remediate misconfigured resources. Amazon Macie identifies and classifies sensitive data in Amazon S3, highlighting potential exposure risks, yet it does not enforce encryption or other compliance policies. AWS Shield protects against volumetric and application-layer DDoS attacks but does not monitor or remediate resource configurations. AWS Config stands out because it combines monitoring, compliance evaluation, and automated remediation in a single service, enabling organizations to proactively enforce policies.
Config also provides historical tracking and auditing of resources. Each configuration change is recorded, allowing administrators to view a timeline of resource configurations and compliance status over time. This historical record is invaluable for regulatory compliance, internal audits, and forensic investigations. For instance, if an EC2 instance is found to have been launched without the required security group restrictions, Config provides a detailed record of when the instance was created, when it deviated from policy, and the actions taken to remediate it. This capability enhances accountability and transparency while simplifying audit reporting.
Scalability is another key advantage. AWS Config supports multi-account and multi-region aggregation, enabling security and compliance teams to monitor resources across all organizational units from a central account. By leveraging AWS Organizations integration, administrators can aggregate compliance findings into a central dashboard, providing a unified view of policy adherence across the enterprise. This centralized approach allows teams to quickly detect systemic issues, prioritize remediation efforts, and enforce consistent standards across all accounts and regions, even in large and complex AWS environments.
Config also integrates seamlessly with other AWS services to enhance compliance operations. Amazon CloudWatch can be used to generate alerts for non-compliant resources, while AWS Systems Manager can automate remediation workflows. AWS Security Hub can aggregate Config findings with other security insights, such as GuardDuty alerts or Macie discoveries, providing a holistic view of organizational security and compliance posture. This integration allows organizations to implement a closed-loop compliance and security framework, where detection, alerting, remediation, and reporting are automated and coordinated.
Another important capability of AWS Config is custom rule creation. Organizations can define rules in AWS Lambda to enforce specific business policies that are not covered by AWS-managed rules. For example, a company may require that all RDS instances enforce encryption at rest using customer-managed KMS keys or that specific tags be applied to all resources for cost allocation and governance. Custom rules allow organizations to tailor compliance policies to unique operational requirements, ensuring that Config remains flexible and adaptable to changing business and regulatory needs.
Automated remediation and continuous monitoring in Config help organizations reduce risk exposure. By ensuring that non-compliant resources are detected and corrected quickly, Config prevents misconfigurations from becoming security vulnerabilities. This proactive enforcement reduces the likelihood of data breaches, unauthorized access, and policy violations, while also supporting compliance with standards such as PCI DSS, HIPAA, ISO 27001, and SOC 2.
AWS Config is the correct service for monitoring and remediating non-compliant AWS resources. While GuardDuty detects threats, Macie discovers sensitive data, and Shield mitigates DDoS attacks, only Config provides continuous evaluation, automated remediation, historical tracking, multi-account aggregation, custom rules, and integration with other AWS security services. By leveraging Config, organizations can maintain a consistent security posture, enforce compliance policies efficiently, reduce operational overhead, and demonstrate accountability for their cloud resources. AWS Config provides a comprehensive, scalable, and automated solution for ensuring that AWS environments remain secure, compliant, and aligned with organizational policies, making it a cornerstone of enterprise cloud governance and security strategy.
Question 162
Which AWS service aggregates security findings from multiple accounts into a centralized view?
A) AWS Security Hub
B) AWS GuardDuty
C) AWS Macie
D) AWS WAF
Answer: A) AWS Security Hub
Explanation:
AWS Security Hub is a fully managed service that provides a centralized platform for aggregating, organizing, and visualizing security findings across multiple AWS accounts and regions, enabling organizations to maintain a comprehensive view of their security posture. In complex cloud environments, security data is often dispersed across various services and accounts, making it challenging for security teams to monitor risks, prioritize alerts, and respond effectively. Security Hub addresses this challenge by integrating findings from multiple AWS security services—such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Config—into a single, unified console, providing actionable insights and supporting automated workflows to remediate risks efficiently.
A core capability of Security Hub is its aggregation of findings. Security findings from GuardDuty, Inspector, Macie, and Config are automatically collected and normalized into a common format called the AWS Security Finding Format (ASFF). This standardization ensures consistency across different sources and allows security teams to analyze and prioritize findings without having to interpret disparate data structures. For example, GuardDuty generates findings related to anomalous API calls, suspicious network activity, or compromised credentials. Inspector identifies vulnerabilities and misconfigurations in EC2 instances or container images. Macie discovers sensitive data, such as personally identifiable information (PII), in S3 buckets. Config evaluates resource compliance against predefined rules, such as ensuring encryption of S3 buckets or enforcing restricted security group configurations. Security Hub consolidates all of these findings, providing a single pane of glass to view the organization’s overall security posture.
While other AWS services provide essential security functionality, they do not offer the same centralized aggregation capabilities. Amazon GuardDuty excels at detecting threats and anomalies within AWS accounts but does not consolidate findings across multiple accounts or integrate findings from other services. Amazon Macie identifies sensitive data in S3 but does not provide a centralized dashboard or prioritize findings across accounts. AWS WAF protects web applications from exploits but does not provide visibility into the organization’s broader security posture. Security Hub complements these services by consolidating their outputs, normalizing the findings, and allowing administrators to analyze, visualize, and act on security data in a coordinated manner.
Security Hub also provides compliance assessment capabilities, which allow organizations to evaluate their AWS environments against industry standards and best practices. It includes built-in compliance standards such as the CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices. Security Hub continuously monitors resources, compares configurations and activity against these standards, and generates findings for non-compliant resources. This integration reduces the effort required for internal audits and regulatory reporting, as teams can quickly identify gaps and track remediation progress over time.
Another important feature of Security Hub is prioritization of findings. Not all findings represent the same level of risk; some indicate critical vulnerabilities or potential compromises, while others are lower-priority configuration issues. Security Hub allows administrators to filter, categorize, and prioritize findings based on severity, resource type, account, or region. By focusing on the most critical security issues first, organizations can optimize response efforts, reduce risk exposure, and improve operational efficiency. Security Hub’s integration with Amazon CloudWatch and AWS Lambda enables automated response workflows, such as remediating non-compliant configurations, isolating compromised resources, or notifying security teams of high-severity threats.
Historical tracking and reporting are additional advantages of Security Hub. By maintaining a record of findings over time, Security Hub allows security teams to analyze trends, measure improvement, and demonstrate compliance. This longitudinal view is particularly valuable for organizations that must report to regulatory authorities or internal governance bodies. Security Hub findings can be exported to SIEM (Security Information and Event Management) systems or third-party tools for advanced analysis, correlation with other data sources, and integration into broader enterprise security operations.
Scalability is another critical feature. Security Hub supports multi-account and multi-region aggregation, making it suitable for large enterprises with complex AWS environments. Organizations can designate a master Security Hub account to aggregate findings from member accounts across different regions. This centralized model provides security teams with a unified view of security risks, enabling consistent policy enforcement, rapid detection of cross-account threats, and efficient remediation. Security Hub also supports custom insights and automated actions, allowing teams to define specific criteria for alerts and remediation workflows tailored to organizational requirements.
Security Hub enhances operational efficiency by providing a single pane of glass for monitoring, analyzing, and responding to security events. By consolidating disparate findings into one dashboard, organizations reduce alert fatigue, eliminate the need to manually correlate data across services, and gain actionable insights to proactively secure AWS workloads. For example, if Config identifies an unencrypted S3 bucket while Macie detects sensitive PII in the same bucket, Security Hub can correlate these findings and escalate them as a high-priority security event. This integrated approach improves situational awareness, speeds response times, and ensures that security teams focus on the most critical threats and compliance issues.
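The correlation described in the paragraph above (a Config non-compliance and a Macie sensitive-data finding on the same S3 bucket escalated together) can be sketched in a few lines of Python. This is an added example written for this page, not code from the exam material or from AWS. The findings are constructed in the shape of the ASFF fields the text names (ProductArn, Types, Severity, Resources); the account id, bucket names and generator ids are placeholders, and the Types strings use the public ASFF namespaces "Software and Configuration Checks" and "Sensitive Data Identifications".

```python
"""Correlating Security Hub findings by resource (added example).

Not code from the exam page or from AWS. The findings are constructed in the
shape of the ASFF fields the page names (ProductArn, Types, Severity,
Resources); account id, bucket names and generator ids are placeholders.
Escalation implements the page's scenario: an unencrypted-bucket compliance
finding and a sensitive-data finding on the same bucket are raised to CRITICAL.
"""
from collections import defaultdict

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
CONFIG_NS = "Software and Configuration Checks/"
SENSITIVE_NS = "Sensitive Data Identifications/"


def make_finding(product, finding_id, types, severity, resource_arn, title):
    """Minimal ASFF-shaped finding; ProductArn follows the aws/<product> pattern."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
        "GeneratorId": f"{product}-rule-placeholder",
        "AwsAccountId": "123456789012",  # placeholder account id
        "Types": types,
        "Severity": {"Label": severity},
        "Title": title,
        "Resources": [{"Type": "AwsS3Bucket", "Id": resource_arn}],
    }


EXPORTS = "arn:aws:s3:::example-customer-exports"
SITE = "arn:aws:s3:::example-static-site"
FINDINGS = [  # constructed sample findings
    make_finding("config", "cfg-001", [CONFIG_NS + "AWS Config Analysis"], "MEDIUM",
                 EXPORTS, "S3 bucket has no default encryption"),
    make_finding("macie", "macie-001", [SENSITIVE_NS + "PII"], "HIGH",
                 EXPORTS, "Personally identifiable information found in bucket"),
    make_finding("config", "cfg-002", [CONFIG_NS + "AWS Config Analysis"], "MEDIUM",
                 SITE, "S3 bucket has no default encryption"),
]


def group_by_resource(findings):
    """Index findings by the resource they refer to (one finding may name several)."""
    groups = defaultdict(list)
    for f in findings:
        for r in f["Resources"]:
            groups[r["Id"]].append(f)
    return groups


def highest_severity(findings):
    return max((f["Severity"]["Label"] for f in findings), key=SEVERITY_ORDER.index)


def correlate(findings):
    """Return {resource_id: {"severity": label, "finding_ids": [...], "escalated": bool}}.

    A resource that is both misconfigured (Config namespace) and holds sensitive data
    (Macie namespace) is escalated to CRITICAL regardless of the individual labels.
    """
    result = {}
    for rid, group in group_by_resource(findings).items():
        types = {t for f in group for t in f["Types"]}
        misconfigured = any(t.startswith(CONFIG_NS) for t in types)
        sensitive = any(t.startswith(SENSITIVE_NS) for t in types)
        severity = highest_severity(group)
        escalated = misconfigured and sensitive
        if escalated:
            severity = "CRITICAL"  # exposure of sensitive data, not just a configuration gap
        result[rid] = {"severity": severity,
                       "finding_ids": [f["Id"] for f in group],
                       "escalated": escalated}
    return result


if __name__ == "__main__":
    for rid, info in correlate(FINDINGS).items():
        print(rid, info)
```

The escalated label here is a local triage result; in a real pipeline the same decision would be written back to Security Hub (for example by updating the finding's severity and workflow status) so the console and downstream automations see it.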
AWS Security Hub is the correct service for centralized aggregation of security findings across multiple AWS accounts and regions. While GuardDuty detects threats, Inspector identifies vulnerabilities, Macie discovers sensitive data, and Config monitors resource compliance, only Security Hub consolidates all findings, normalizes them into a common format, prioritizes alerts, provides compliance assessment, supports automated remediation, and offers historical tracking and reporting. By using Security Hub, organizations can achieve a unified view of their security posture, enforce consistent security policies across accounts, automate responses to critical threats, and maintain regulatory compliance, making it a cornerstone of AWS security management. Security Hub enables proactive, scalable, and efficient security operations, ensuring that organizations maintain a strong security posture in dynamic cloud environments.
Question 163
Which AWS service detects unencrypted S3 buckets and triggers automatic remediation?
A) AWS Config
B) AWS Macie
C) AWS KMS
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config is a fully managed service designed to monitor, evaluate, and maintain compliance of AWS resource configurations, providing organizations with continuous visibility into their cloud environment. One of the most critical use cases for Config is enforcing encryption compliance for Amazon S3 buckets, ensuring that sensitive data is protected at rest in accordance with organizational policies and regulatory standards. In modern cloud environments, where resources are dynamically provisioned and modified, manual enforcement of encryption is both error-prone and inefficient. AWS Config addresses this challenge by offering continuous evaluation, automated remediation, historical tracking, and centralized management of compliance rules.
In addition to detection, Config provides automated remediation capabilities, which are critical for enforcing security policies consistently. When an S3 bucket is identified as non-compliant, Config can trigger AWS Lambda functions or Systems Manager Automation runbooks to automatically remediate the issue. For example, a Lambda function can enable default server-side encryption on the bucket using a specified KMS key, ensuring that all new objects are encrypted. This automation reduces the risk of human error, ensures policy adherence across dynamic environments, and accelerates the resolution of non-compliant configurations. Automated remediation is especially important in multi-account and multi-region environments, where manual intervention would be time-consuming and error-prone.
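The custom-rule evaluation and Lambda remediation described in Question 161 and in the paragraph above can be illustrated with one small Python module. This is an added example written for this page, not code from the exam material or from AWS. It follows the event shape AWS Config passes to a custom-rule Lambda (an invokingEvent JSON string carrying the configurationItem, plus ruleParameters); the configuration items are constructed, and the assumption that the default-encryption settings sit under supplementaryConfiguration["ServerSideEncryptionConfiguration"] should be checked against a real AWS::S3::Bucket item before deploying. A deployed handler would report with config.put_evaluations() and the remediation would call s3.put_bucket_encryption(); here both are returned as data so the logic runs offline.

```python
"""Hypothetical AWS Config custom rule plus remediation for S3 default encryption.

Added example, not code from the exam page or from AWS. Event shape follows what
Config passes to a custom-rule Lambda; the configuration items are constructed and
the supplementaryConfiguration key is an assumption to verify against a real item.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_bucket(item, params):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "Rule only evaluates S3 buckets"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return NOT_APPLICABLE, "Bucket was deleted"
    sse = (item.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration") or {}
    rules = sse.get("rules") or []
    if not rules:
        return NON_COMPLIANT, "No default server-side encryption configured"
    required_alg = params.get("requiredAlgorithm", "aws:kms")
    required_key = params.get("requiredKmsKeyArn")  # optional: pin to one customer-managed key
    for rule in rules:
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        if default.get("sseAlgorithm") != required_alg:
            return NON_COMPLIANT, f"Default encryption is {default.get('sseAlgorithm')!r}, policy requires {required_alg!r}"
        if required_key and default.get("kmsMasterKeyID") != required_key:
            return NON_COMPLIANT, "Default encryption does not use the approved KMS key"
    return COMPLIANT, "Default encryption meets policy"


def lambda_handler(event, context=None):
    """Entry point in the shape Config uses for custom rules; returns the evaluations."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_bucket(item, params)
    # One evaluation per resource, in the structure put_evaluations() accepts.
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],  # for S3 this is the bucket name
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def remediation_request(evaluation, kms_key_arn):
    """Arguments a remediation Lambda would pass to s3.put_bucket_encryption().

    Returned rather than executed so the example stays offline. Compliant and
    not-applicable resources are left untouched, so re-running is idempotent.
    """
    if evaluation["ComplianceType"] != NON_COMPLIANT:
        return None
    return {
        "Bucket": evaluation["ComplianceResourceId"],
        "ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True,
        }]},
    }


def constructed_event(bucket, sse_config):
    """Build a Config-style event around a constructed bucket configuration item."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": bucket,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": sse_config},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps({"requiredAlgorithm": "aws:kms"})}


KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER"  # placeholder key ARN

if __name__ == "__main__":
    samples = [
        ("example-unencrypted", {}),
        ("example-sse-s3", {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}),
        ("example-sse-kms", {"rules": [{"applyServerSideEncryptionByDefault":
                                         {"sseAlgorithm": "aws:kms", "kmsMasterKeyID": KMS_KEY_ARN}}]}),
    ]
    for name, sse in samples:
        ev = lambda_handler(constructed_event(name, sse))[0]
        print(name, ev["ComplianceType"], "remediate" if remediation_request(ev, KMS_KEY_ARN) else "no action")
```

Keeping the decision (evaluate_bucket) separate from the side effect (remediation_request) is what makes the rule testable and the remediation safe to re-run, which matters when Config re-evaluates the same bucket on every configuration change.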
While AWS Config provides robust monitoring and enforcement, other services offer complementary but distinct capabilities. Amazon Macie identifies sensitive data stored in S3 buckets, including personally identifiable information (PII) and financial records, but it does not enforce encryption or remediate non-compliant buckets. Macie’s strength lies in data discovery and classification, helping organizations understand where sensitive information resides and generate alerts for potential exposure, but compliance enforcement must be handled by Config or other management tools. AWS Key Management Service (KMS) manages encryption keys used by S3, EBS, and other AWS services, including key creation, rotation, and access policies, but KMS does not evaluate whether buckets are encrypted. KMS ensures that encryption is applied correctly if configured, but it cannot detect or enforce compliance independently. AWS Shield protects against distributed denial-of-service (DDoS) attacks but does not monitor resource configurations or enforce encryption. Unlike these services, Config combines monitoring, assessment, and enforcement in a single solution.
Another key capability of AWS Config is historical tracking and auditing of S3 bucket configurations. Config records snapshots of resource configurations and maintains a history of changes, creating an auditable timeline of how buckets and their encryption settings have evolved over time. This historical data is invaluable for regulatory compliance, internal audits, and forensic investigations. For instance, if an unencrypted S3 bucket is discovered during a PCI DSS audit, administrators can use Config’s historical records to determine when the bucket became non-compliant, who modified it, and whether remediation actions were applied. This visibility strengthens accountability, supports compliance reporting, and enables organizations to demonstrate adherence to policies and standards.
Config’s capabilities are also scalable and suitable for multi-account environments. By integrating with AWS Organizations, administrators can aggregate configuration and compliance data across multiple accounts and regions into a central account, providing a unified view of S3 bucket compliance. This centralized approach allows security teams to enforce consistent encryption policies across all accounts, monitor trends, and detect deviations in real-time, ensuring that sensitive data remains protected across the entire organization. Centralized monitoring simplifies governance, reduces operational overhead, and allows security teams to focus on high-priority issues.
Config further supports integration with alerting and workflow automation. Non-compliant findings can trigger notifications through Amazon SNS, enabling rapid response, or invoke additional automation workflows via Lambda or Systems Manager. These workflows can not only remediate non-compliant buckets but also document remediation actions, ensuring that changes are auditable. This closed-loop approach combines monitoring, automated remediation, and reporting, providing a comprehensive compliance management framework that minimizes risk and operational burden.
Additionally, AWS Config provides compliance insights through dashboards and reporting. Security and operations teams can use these dashboards to view compliance trends, track the number of non-compliant buckets over time, and prioritize remediation based on business-critical data. Config also integrates with AWS Security Hub, which allows organizations to consolidate compliance findings with security alerts from GuardDuty, Inspector, and Macie, providing a holistic view of the security and compliance posture of the AWS environment.
AWS Config is the correct service for enforcing S3 bucket encryption compliance. While Macie discovers sensitive data, KMS manages encryption keys, and Shield protects against DDoS attacks, only Config provides continuous monitoring, automated remediation, historical tracking, centralized compliance management, and multi-account aggregation. By continuously evaluating S3 buckets against encryption rules and automatically remediating non-compliant resources, Config ensures that sensitive data remains secure, reduces operational overhead, strengthens compliance, and enables organizations to maintain a consistent security posture across AWS accounts and regions. AWS Config is therefore an essential service for organizations seeking to enforce encryption compliance, maintain regulatory adherence, and protect critical data stored in S3.
Question 164
Which AWS service provides centralized management of IAM policies across accounts?
A) AWS IAM
B) AWS Security Hub
C) AWS Config
D) AWS Macie
Answer: A) AWS IAM
Explanation:
AWS Identity and Access Management (IAM) is a core AWS security service that enables organizations to manage access to AWS resources across accounts and regions in a centralized and secure manner. In modern cloud environments, organizations often operate multiple AWS accounts to isolate workloads, improve security, manage billing, and segment development, testing, and production environments. Managing access consistently across these accounts can become complex, especially as teams grow and resources multiply. IAM provides a robust framework for defining, enforcing, and auditing access policies, ensuring that users, groups, and roles have the right permissions while adhering to the principle of least privilege.
At its foundation, IAM allows administrators to create users, groups, and roles. Users represent individual identities that can interact with AWS resources, while groups are collections of users that share the same permissions, simplifying administration by grouping users with similar responsibilities. Roles are a powerful feature that enables secure delegation of access to resources without sharing long-term credentials. For example, a developer in one AWS account can assume a role in another account to access specific resources, such as an S3 bucket or an RDS database, without the need for permanent credentials. This capability is essential for cross-account access in enterprise environments, where multiple accounts are managed under a central organization.
Cross-account roles and integration with AWS Organizations are key features for managing IAM policies at scale. AWS Organizations allows administrators to create a hierarchical structure of accounts, apply policies centrally, and manage consolidated billing. IAM roles can be assigned across accounts, enabling users in one account to perform tasks in another without needing direct user creation or key sharing. For instance, a security team in a master account can create a read-only role in a production account, which developers in another account can assume temporarily to view logs or configuration details. This approach reduces operational complexity, improves security, and ensures that access can be centrally controlled and revoked as needed.
IAM also provides centralized policy management, which is crucial for maintaining consistent permissions across multiple accounts. Policies are written in JSON and define what actions are allowed or denied on specific AWS resources. Administrators can attach these policies to users, groups, or roles, enabling fine-grained control over who can access which resources. By combining IAM policies with AWS Organizations’ Service Control Policies (SCPs), organizations can enforce guardrails at the account level, ensuring that accounts cannot perform actions outside of defined boundaries, even if an IAM policy within the account would otherwise permit it. This layered approach supports strong security governance and compliance across the organization.
Another important capability of IAM is conditional access. Administrators can enforce conditions such as requiring Multi-Factor Authentication (MFA), restricting access by IP address, or limiting operations to specific time windows. For example, a policy could require MFA for any access to S3 buckets containing sensitive data or prevent API calls from untrusted networks. Conditional policies provide dynamic, context-aware access control, reducing the risk of unauthorized actions while enabling legitimate users to perform their work efficiently.
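The two preceding paragraphs describe how an SCP guardrail and an identity policy combine, and how a condition such as requiring MFA restricts access. The following Python module is an added example for this page, not code from the exam material or from AWS: it models only the part of IAM evaluation the text describes (the SCP must allow the action, the identity policy must allow it, and neither may explicitly deny it), leaving out resource policies, permission boundaries, session policies and NotAction/NotResource. The policies, the bucket name and the 203.0.113.0/24 "office" range are constructed sample values.

```python
"""Simplified evaluation of an IAM identity policy under an SCP guardrail.

Added example, not code from the exam page or from AWS. Models only the
SCP-plus-identity-policy case described on the page; resource policies,
permission boundaries, session policies and NotAction/NotResource are omitted.
Condition support: Bool on aws:MultiFactorAuthPresent, IpAddress/NotIpAddress
on aws:SourceIp. Policies and request contexts are constructed samples.
"""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcards are * and ?; fnmatch also treats [..] specially, which is not used here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                in_range = actual is not None and any(ipaddress.ip_address(actual) in n for n in nets)
                # A Not* operator is satisfied when the key is absent, matching IAM behaviour.
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def policy_decision(policy, action, resource, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(scp, identity_policy, action, resource, ctx):
    """Both documents must reach Allow; an explicit or implicit deny in either blocks the call."""
    return all(policy_decision(p, action, resource, ctx) == "Allow" for p in (scp, identity_policy))


# SCP guardrail: permit everything, but deny S3 calls that do not come from the office range.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}

# Identity policy: list the sensitive bucket; read objects only with MFA present.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sensitive-data"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::sensitive-data/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

OBJECT = "arn:aws:s3:::sensitive-data/report.csv"
OFFICE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
OFFICE_NO_MFA = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.10"}
REMOTE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.7"}

if __name__ == "__main__":
    print(is_allowed(SCP, IDENTITY_POLICY, "s3:GetObject", OBJECT, OFFICE_MFA))     # True
    print(is_allowed(SCP, IDENTITY_POLICY, "s3:GetObject", OBJECT, OFFICE_NO_MFA))  # False: MFA condition fails
    print(is_allowed(SCP, IDENTITY_POLICY, "s3:GetObject", OBJECT, REMOTE_MFA))     # False: SCP deny wins
    print(is_allowed(SCP, IDENTITY_POLICY, "s3:DeleteBucket", "arn:aws:s3:::sensitive-data", OFFICE_MFA))  # False: never granted
```

The third case is the guardrail the text describes: the identity policy would permit the read, but the SCP's deny for off-network S3 calls overrides it. The fourth case shows the other direction: the SCP allows everything, yet the identity policy grants no DeleteBucket permission, so the request is implicitly denied.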
IAM is also designed to provide auditing and accountability. Every IAM action—including policy creation, role assumption, and permission changes—is logged in AWS CloudTrail, providing a detailed history of who did what and when. These logs are critical for regulatory compliance, forensic investigations, and internal audits. Organizations can monitor changes to IAM policies, detect unauthorized attempts to modify permissions, and ensure that access aligns with corporate security standards. The combination of centralized policy management, logging, and conditional access creates a secure framework for managing permissions across large, multi-account AWS environments.
While other AWS services support aspects of security and compliance, they do not manage IAM policies. AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, and Config, providing a consolidated view of security risks, but it does not create or enforce access policies. AWS Config monitors resource configurations and evaluates compliance but cannot define permissions for users, groups, or roles. Amazon Macie discovers sensitive data in S3 but does not control access to resources or manage user permissions. In contrast, IAM is purpose-built for defining and enforcing access control across accounts, ensuring that users have appropriate permissions while supporting least-privilege principles.
IAM also supports temporary credentials and automated access workflows, which are particularly useful for DevOps pipelines and cross-account service interactions. Services like AWS Security Token Service (STS) allow users or applications to assume roles temporarily, obtaining short-lived credentials that reduce the risk of exposure. For example, an automated build process can assume a role in a production account to deploy applications or retrieve configuration data, without using permanent keys. This model enhances security while maintaining operational flexibility.
In large enterprises, IAM’s capabilities for policy inheritance and hierarchical management allow organizations to implement scalable access control models. By using a combination of organization-wide SCPs, account-level policies, and resource-specific IAM policies, administrators can enforce consistent access rules across all accounts and resources, while retaining the flexibility to adjust permissions for specific teams or projects. This ensures that access management remains consistent, auditable, and aligned with organizational security goals.
IAM also enables integration with MFA and advanced authentication methods. By requiring MFA for sensitive operations, administrators add a critical layer of security beyond username and password, mitigating the risk of credential compromise. MFA can be enforced selectively, such as for role assumption, deletion of critical resources, or access to highly sensitive data, providing granular control over who can perform high-risk actions.
AWS IAM is the correct service for managing IAM policies across multiple accounts. Unlike Security Hub, which aggregates findings; Config, which monitors compliance; or Macie, which identifies sensitive data, IAM provides centralized policy management, conditional access, MFA integration, cross-account roles, temporary credential management, and auditability. By leveraging IAM, organizations can enforce consistent access controls, maintain compliance, reduce operational overhead, and protect critical resources across multi-account and multi-region AWS environments. Centralized management of permissions through IAM ensures security, accountability, and operational efficiency, making it a cornerstone of AWS governance and security strategy.
Question 165
Which AWS service provides centralized key management, encryption, and automatic rotation across AWS services?
A) AWS KMS
B) AWS CloudTrail
C) AWS Secrets Manager
D) AWS Macie
Answer: A) AWS KMS
Explanation:
AWS Key Management Service (KMS) is a fully managed service that provides centralized creation, management, and enforcement of cryptographic keys across AWS resources, ensuring that sensitive data is protected at scale. In modern cloud environments, organizations rely on multiple services such as Amazon S3, Amazon EBS, Amazon RDS, and other AWS offerings to store and process critical information. Protecting this data requires robust encryption, centralized key governance, and the ability to automate key lifecycle management. AWS KMS fulfills these requirements by offering centralized key management, fine-grained access control, automatic rotation, auditing, and seamless integration with a wide range of AWS services.
At the core of KMS is centralized key management. Administrators can create cryptographic keys, define usage policies, and control access to these keys from a single location. Centralized management ensures that encryption policies are applied consistently across services and accounts, reducing the complexity of managing keys individually for each resource. By leveraging KMS, organizations can implement a unified encryption strategy across S3 buckets, EBS volumes, RDS databases, and other AWS services, simplifying compliance with internal policies and regulatory frameworks such as PCI DSS, HIPAA, SOC 2, and GDPR.
One of the key capabilities of KMS is automatic key rotation. Regular rotation of cryptographic keys is a security best practice because it reduces the risk of compromise and ensures that encryption remains robust over time. KMS allows administrators to configure automatic rotation for customer-managed keys (CMKs), typically on a yearly schedule. When rotation is enabled, KMS generates a new cryptographic key while maintaining the previous versions for decryption of existing data. This ensures backward compatibility, so existing encrypted data remains accessible, while newly encrypted data uses the updated key. Automatic rotation eliminates the operational overhead and human error associated with manual key rotation, enhancing security and compliance.
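The backward-compatibility property described above (new data uses the newest key material, old data still decrypts) comes from the ciphertext recording which version of the key produced it. The following added example models that mechanism in plain Python; it is not KMS code and not KMS's cipher. The stdlib HMAC-SHA256 keystream stands in for the real, authenticated AES-256-GCM that KMS uses, and the key id is a placeholder.

```python
"""Toy model of KMS-style automatic rotation: a key id keeps a list of backing key
versions, new ciphertext always uses the newest version, and each ciphertext records
the version used so older data still decrypts after rotation. Added example; the
stdlib HMAC-SHA256 keystream cipher is an unauthenticated stand-in for illustration
only (KMS uses AES-256-GCM) and must not be used to protect real data."""
import hashlib
import hmac
import secrets
import struct


class RotatingKey:
    """One logical key (like a KMS key id) backed by several versions of key material."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.versions = []          # index = version number, value = 32-byte backing key
        self.rotate()               # version 0 is created together with the key

    def rotate(self):
        """Add fresh key material; older versions are retained for decryption only."""
        self.versions.append(secrets.token_bytes(32))
        return self.current_version

    @property
    def current_version(self):
        return len(self.versions) - 1

    @staticmethod
    def _keystream(backing_key, nonce, length):
        """Counter-mode keystream from HMAC-SHA256(backing_key, nonce || counter)."""
        blocks = []
        for counter in range((length + 31) // 32):
            blocks.append(hmac.new(backing_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext):
        """Ciphertext layout: 4-byte version | 16-byte nonce | body."""
        version = self.current_version
        nonce = secrets.token_bytes(16)
        ks = self._keystream(self.versions[version], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        return struct.pack(">I", version) + nonce + body

    def decrypt(self, blob):
        """Select the backing key version recorded in the blob, whichever it is."""
        (version,) = struct.unpack(">I", blob[:4])
        if version > self.current_version:
            raise ValueError("unknown key version")
        nonce, body = blob[4:20], blob[20:]
        ks = self._keystream(self.versions[version], nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def version_of(blob):
    """Which key version produced this ciphertext (readable without the key)."""
    return struct.unpack(">I", blob[:4])[0]


def rotation_demo():
    """Encrypt, rotate, encrypt again; both records must still decrypt."""
    key = RotatingKey("constructed-key-id")   # constructed id, not a real KMS ARN
    before = key.encrypt(b"record written before rotation")
    key.rotate()
    after = key.encrypt(b"record written after rotation")
    return {
        "before_version": version_of(before),
        "after_version": version_of(after),
        "before_plain": key.decrypt(before),
        "after_plain": key.decrypt(after),
    }
```

The point the toy makes is that rotation does not re-encrypt existing data: the old material stays available for decryption, so the exposure window for a given version is bounded by how much data was written with it, not by how long the key id has existed.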
While other AWS services provide complementary functions, they do not manage general-purpose encryption keys. AWS CloudTrail logs key usage, including API calls to KMS, which supports auditing and compliance, but it does not create, manage, or rotate keys. AWS Secrets Manager automates the rotation of secrets such as database credentials, API keys, and passwords, but it is not a general-purpose key management service for encrypting resources like S3 or EBS. Amazon Macie discovers and classifies sensitive data stored in S3, providing visibility into data exposure risks, but it does not enforce encryption or manage cryptographic keys. In contrast, KMS provides a complete solution for key lifecycle management, access control, and encryption integration, making it essential for protecting sensitive AWS workloads.
KMS integrates seamlessly with a wide range of AWS services to provide transparent encryption management. For instance, when creating an S3 bucket, administrators can select a KMS key to encrypt objects at rest automatically. Similarly, EBS volumes can be encrypted during creation using a KMS key, ensuring that data stored on the volume is protected without requiring changes at the application or operating system level. RDS databases can also use KMS-managed keys to encrypt storage, snapshots, and automated backups. These integrations allow organizations to implement encryption consistently across all workloads, enhancing security while simplifying management.
Another important feature of KMS is fine-grained access control. KMS allows administrators to define key policies that specify who or what can perform encryption and decryption operations. These policies can be applied at a granular level, controlling access to individual keys or resources. Integration with IAM enables organizations to implement least-privilege principles, granting only the minimum required permissions to users, groups, or services. Conditional access policies can be enforced, such as requiring multi-factor authentication (MFA) for sensitive key operations, ensuring that only authorized entities can access cryptographic material.
KMS also supports audit logging and compliance monitoring. Every use of a key—whether it is encrypting, decrypting, or rotating—is logged in CloudTrail. These logs provide detailed metadata, including the identity of the caller, timestamp, source IP, and the operation performed. Audit trails are essential for demonstrating compliance during regulatory inspections and for investigating security incidents. Historical logs allow security teams to verify key usage, detect unauthorized access attempts, and maintain accountability across all cryptographic operations.
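As an added illustration of using those CloudTrail fields for detection (not code from the page or from AWS), the block below runs three rules over a constructed set of KMS records: denied key operations, key use from outside a trusted network, and high-impact key management calls. The field names follow the CloudTrail record format; the account id, ARNs, key ARN, IP addresses and the trusted range are placeholders.

```python
"""Detection pass over constructed CloudTrail records for KMS (not real logs):
flag denied key operations, key use from outside a trusted network, and
high-impact key management calls. Added example; the field names follow the
CloudTrail record format, the values and the trusted range are made up."""
import ipaddress
import json

# Constructed sample: three records as they would appear in a CloudTrail log
# file's "Records" array. Account id, ARNs, key ARN and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: kms:Decrypt",
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "10.0.1.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
                           "pendingWindowInDays": 7}},
]})

# Real KMS API names whose misuse is destructive or weakens the key's protection.
HIGH_IMPACT_CALLS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DisableKeyRotation"}


def find_kms_findings(log_text, trusted_cidrs):
    """Return a list of (reason, eventName, callerArn) tuples for every KMS record
    that matches a rule. One record can raise several findings."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        caller = rec.get("userIdentity", {}).get("arn", "<unknown>")
        name = rec.get("eventName")
        # Rule 1: the call was refused; repeated denials suggest probing or a
        # misconfigured principal and deserve a look either way.
        if "errorCode" in rec:
            findings.append(("denied", name, caller))
        # Rule 2: key material used from a network we do not expect.
        ip = rec.get("sourceIPAddress", "")
        try:
            outside = not any(ipaddress.ip_address(ip) in n for n in networks)
        except ValueError:   # sourceIPAddress can be a service DNS name rather than an IP
            outside = False
        if outside:
            findings.append(("untrusted-network", name, caller))
        # Rule 3: key management calls that should be rare and change-controlled.
        if name in HIGH_IMPACT_CALLS:
            findings.append(("high-impact-call", name, caller))
    return findings
```

In practice the same rules would run from a CloudWatch Logs subscription or an EventBridge rule on the CloudTrail event stream rather than over a file, but the record shape and the checks are the same.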
Scalability and enterprise readiness are additional strengths of KMS. Organizations with multiple AWS accounts can manage keys centrally, enforce policies consistently across accounts, and control access using cross-account permissions. KMS supports hierarchical key management, allowing organizations to create multiple keys for different business units, applications, or data sensitivity levels, while still maintaining centralized governance. This architecture simplifies key administration in large-scale environments and ensures that encryption practices are uniformly enforced across all accounts and regions.
KMS also enhances security and compliance posture by providing robust key lifecycle management, including key creation, enabling, disabling, deletion scheduling, and rotation. By integrating with other AWS security services such as CloudTrail, Config, Security Hub, and Macie, organizations can implement a comprehensive security strategy that combines encryption enforcement, configuration compliance, threat detection, and sensitive data monitoring. This integrated approach ensures that sensitive data is protected at all stages—at rest, in transit, and during processing—while maintaining compliance with regulatory standards.
AWS Key Management Service is the correct service for centralized encryption key management across AWS. Unlike CloudTrail, which only logs key usage; Secrets Manager, which rotates secrets; or Macie, which discovers sensitive data, KMS provides centralized key management, automatic rotation, fine-grained access control, audit logging, compliance support, and seamless integration with AWS services. By using KMS, organizations can enforce encryption policies consistently across S3, EBS, RDS, and other resources, reduce operational overhead, mitigate the risk of unauthorized access, and maintain a strong security and compliance posture across their AWS environment. Centralized management of encryption keys with KMS ensures that sensitive data remains protected, regulatory requirements are met, and security operations are streamlined, making it a cornerstone of AWS security strategy.