Question 76
Which AWS service provides automated rotation and secure storage of database credentials?
A) AWS Secrets Manager
B) AWS KMS
C) AWS IAM
D) AWS Macie
Answer: A) AWS Secrets Manager
Explanation:
AWS Secrets Manager securely stores sensitive information such as database credentials, API keys, and tokens. It allows automatic rotation of secrets based on defined schedules, ensuring that credentials are regularly updated without manual intervention. KMS manages encryption keys but does not rotate secrets. IAM manages access and permissions but does not store or rotate credentials. Macie discovers sensitive data but does not manage secrets. Secrets Manager integrates directly with AWS databases, Redshift, and third-party applications, ensuring credentials are encrypted, rotated automatically, and accessible only to authorized applications. This makes Secrets Manager the correct service for automated credential rotation and secure storage.
Question 77
Which service allows you to analyze CloudTrail, VPC Flow Logs, and DNS logs for security threats using machine learning?
A) AWS GuardDuty
B) AWS Macie
C) AWS WAF
D) AWS Shield
Answer: A) AWS GuardDuty
Explanation:
AWS GuardDuty continuously monitors AWS accounts by analyzing CloudTrail, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds. This enables the detection of unauthorized activity, compromised credentials, and reconnaissance behavior. Macie scans for sensitive data but does not analyze logs for threats. WAF protects web applications but cannot monitor API activity. Shield protects against DDoS attacks but does not detect anomalies in account activity. GuardDuty generates actionable alerts, integrates with Security Hub and CloudWatch, and can trigger automated remediation, making it the correct service for detecting security threats using log analysis.
Question 78
Which AWS service protects applications from SQL injection and cross-site scripting attacks?
A) AWS WAF
B) AWS Shield
C) AWS GuardDuty
D) AWS Macie
Answer: A) AWS WAF
Explanation:
AWS WAF allows administrators to create rules that filter HTTP/HTTPS requests to block attacks such as SQL injection and cross-site scripting (XSS). Shield mitigates DDoS attacks but does not protect against application-layer exploits. GuardDuty detects anomalies but does not filter web requests. Macie scans for sensitive data but does not provide application protection. WAF can be integrated with CloudFront, ALB, and API Gateway to enforce security rules consistently across multiple applications, making it the correct service to protect applications from SQL injection and XSS attacks.
Question 79
Which service provides continuous monitoring and automated remediation of non-compliant AWS resources?
A) AWS Config
B) AWS GuardDuty
C) AWS Macie
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config continuously monitors configurations of AWS resources and evaluates them against defined rules. When a resource is non-compliant, Config can trigger automated remediation using Lambda or Systems Manager Run Command. GuardDuty detects security threats but does not manage compliance. Macie discovers sensitive data but cannot remediate resources. Shield protects against DDoS attacks but does not enforce compliance policies. Config allows organizations to maintain continuous compliance, generate audit reports, and automatically correct deviations, making it the correct service for continuous monitoring and remediation of non-compliant resources.
Question 80
Which AWS service enables centralized aggregation of security findings from multiple accounts and services?
A) AWS Security Hub
B) AWS GuardDuty
C) AWS Macie
D) AWS WAF
Answer: A) AWS Security Hub
Explanation:
AWS Security Hub aggregates security findings from multiple AWS services, including GuardDuty, Inspector, Macie, and Config, across multiple accounts and regions. GuardDuty detects threats but does not consolidate findings. Macie scans data but does not provide centralized dashboards. WAF protects applications but does not aggregate security findings. Security Hub allows administrators to visualize security posture, prioritize findings, assess compliance against standards like CIS AWS Foundations, and integrate with automated remediation workflows, making it the correct service for centralized aggregation of security findings.
Question 81
Which AWS service can detect unencrypted EBS volumes and non-compliant security groups?
A) AWS Config
B) AWS GuardDuty
C) AWS KMS
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config continuously monitors resources such as EBS volumes and security groups for compliance with encryption rules and access policies. GuardDuty detects threats but does not monitor configurations. KMS encrypts data but does not evaluate compliance. Shield protects against DDoS attacks but does not monitor resource configurations. Config can trigger automated remediation to apply encryption or adjust security group rules, ensuring compliance with organizational policies. Its historical record-keeping also supports auditing, making it the correct service to detect unencrypted EBS volumes and non-compliant security groups.
Question 82
Which AWS service enables fine-grained access control for users, groups, and roles across AWS accounts?
A) AWS IAM
B) AWS Security Hub
C) AWS Config
D) AWS Macie
Answer: A) AWS IAM
Explanation:
AWS IAM allows administrators to define granular access policies for users, groups, and roles across multiple AWS accounts. Security Hub aggregates findings but does not manage permissions. Config monitors compliance but does not define access control. Macie discovers sensitive data but does not manage user access. IAM supports MFA, conditional policies, and cross-account roles, ensuring secure access control, centralized management, and adherence to security best practices, making it the correct service for fine-grained access control.
Question 83
Which AWS service provides managed encryption and key rotation for AWS services?
A) AWS KMS
B) AWS CloudTrail
C) AWS Secrets Manager
D) AWS Macie
Answer: A) AWS KMS
Explanation:
AWS KMS manages cryptographic keys used for encryption across AWS services. It allows automatic rotation of customer-managed keys, provides fine-grained access control, and integrates with services such as S3, EBS, and RDS. CloudTrail logs key usage but does not manage keys. Secrets Manager rotates secrets but does not manage general encryption keys. Macie discovers sensitive data but does not encrypt it. KMS ensures centralized encryption management, compliance support, and auditing capabilities, making it the correct service for managed encryption and key rotation.
Question 84
Which service detects threats and anomalies in AWS accounts using machine learning and threat intelligence?
A) AWS GuardDuty
B) AWS Macie
C) AWS WAF
D) AWS Shield
Answer: A) AWS GuardDuty
Explanation:
AWS GuardDuty continuously monitors AWS accounts by analyzing CloudTrail logs, VPC Flow Logs, and DNS data using machine learning and threat intelligence feeds. Macie identifies sensitive data but does not detect anomalies. WAF protects applications from web exploits but does not analyze account activity. Shield mitigates DDoS attacks but does not detect anomalies. GuardDuty provides actionable alerts, integrates with Security Hub, and supports automated response workflows, making it the correct service for detecting threats and anomalies in AWS accounts.
Question 85
Which AWS service allows automatic remediation of non-compliant S3 buckets, such as enabling encryption?
A) AWS Config
B) AWS Macie
C) AWS KMS
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config monitors S3 bucket configurations against compliance rules and can automatically remediate non-compliant buckets, such as enabling default encryption using Lambda functions. Macie detects sensitive data but does not enforce encryption. KMS manages encryption keys but does not monitor bucket compliance. Shield protects against DDoS but does not enforce resource compliance. Config ensures organizational policies are enforced automatically, provides historical audit data, and supports integration with Security Hub, making it the correct service for automatic remediation of S3 buckets.
Question 86
Which AWS service provides detailed logging of API calls for auditing and forensic analysis?
A) AWS CloudTrail
B) AWS GuardDuty
C) AWS KMS
D) AWS Macie
Answer: A) AWS CloudTrail
Explanation:
AWS CloudTrail is a fully managed service that provides comprehensive visibility into user and API activity across AWS accounts. It records all API calls made to AWS services, including details such as the identity of the caller, source IP address, request parameters, and timestamps. These records are crucial for auditing, security monitoring, compliance, and operational troubleshooting. By maintaining a detailed, immutable log of activities, CloudTrail allows organizations to understand who did what, when, and from where, providing a foundation for robust cloud governance and accountability.
One of the primary strengths of CloudTrail is its ability to log activity across all supported AWS services. This includes calls made through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. For example, if an administrator modifies an Amazon S3 bucket policy, starts or stops an EC2 instance, or updates an IAM role, CloudTrail captures the action in detail. The recorded information includes the AWS account and IAM identity that initiated the request, the source IP address, request parameters, and response elements. These logs are critical for tracing changes, investigating incidents, and verifying compliance with organizational policies or regulatory standards.
CloudTrail integrates closely with security-focused services, including Amazon GuardDuty. GuardDuty continuously analyzes CloudTrail logs, VPC Flow Logs, and DNS query data to detect suspicious activity, such as unusual API calls, compromised credentials, or reconnaissance attempts. However, GuardDuty itself does not retain logs permanently; it only analyzes incoming telemetry to generate security findings. CloudTrail provides the underlying persistent record that allows historical analysis, forensic investigation, and audit trails. Without CloudTrail, organizations would lack a permanent record of API activity, making it difficult to investigate incidents or demonstrate regulatory compliance.
AWS Key Management Service (KMS) is another critical security service, providing encryption key management for securing data at rest and in transit. While KMS logs key usage through CloudTrail, it does not itself log API activity for other AWS services or provide a centralized audit trail. KMS is focused on cryptographic operations, key lifecycle management, and access control, rather than comprehensive tracking of user actions or API calls across the AWS environment. CloudTrail complements KMS by recording all API calls, including key management operations, creating a full audit trail for cryptographic activities alongside other AWS resource activity.
Amazon Macie specializes in data security and privacy by automatically discovering, classifying, and monitoring sensitive data stored in Amazon S3. Macie helps organizations identify PII, financial data, and intellectual property, alerting them to potential privacy violations or exposure risks. However, Macie does not provide detailed logging of API calls, user actions, or configuration changes. Its alerts are limited to data privacy risks, and it does not offer the level of operational and forensic insight provided by CloudTrail. While Macie is complementary for identifying sensitive content, CloudTrail is essential for tracking all interactions with AWS resources.
CloudTrail logs can be stored in Amazon S3, enabling secure, durable, and cost-effective long-term storage. Organizations can apply lifecycle policies to archive or delete logs according to retention requirements. CloudTrail also supports integration with Amazon CloudWatch Logs, which allows near real-time monitoring of specific events and the generation of alerts. For example, CloudWatch can trigger notifications or automated responses when certain API calls occur, such as the creation of a new IAM user, changes to security group rules, or deletion of critical resources. These integrations provide operational awareness and enable automated incident response, enhancing overall security posture.
CloudTrail supports multi-region and multi-account logging. Organizations using AWS Organizations can configure centralized logging so that API activity across all member accounts is captured in a single S3 bucket. This centralization simplifies auditing, compliance reporting, and security monitoring, particularly for enterprises with complex, multi-account architectures. Security teams can analyze consolidated logs to identify trends, investigate cross-account activity, and enforce governance policies consistently across the organization.
CloudTrail also integrates with AWS Security Hub, which aggregates security findings from multiple services. By sending CloudTrail logs and related alerts to Security Hub, organizations gain centralized visibility into potential threats and misconfigurations. This enables correlation of findings from different sources, prioritization of critical risks, and automated remediation workflows. For example, if CloudTrail logs indicate an unauthorized API call, Security Hub can trigger an automated response to isolate the affected resource or revoke permissions, reducing the risk of data compromise or service disruption.
Audit and compliance are central to CloudTrail’s value proposition. Regulatory frameworks such as HIPAA, PCI DSS, ISO 27001, SOC 2, and GDPR require organizations to maintain detailed records of access and activity for sensitive systems and data. CloudTrail provides tamper-evident, timestamped logs that meet these requirements, supporting both internal governance and external audits. Security teams can demonstrate that all API activity is recorded, monitored, and reviewed, providing accountability and transparency into cloud operations.
Furthermore, CloudTrail enables forensic investigations and incident response. When a security incident occurs, such as a data breach, misconfiguration, or unauthorized access, CloudTrail logs provide a detailed record of events leading up to the incident. Analysts can reconstruct timelines, identify the root cause, assess impacted resources, and implement corrective measures. This capability reduces downtime, supports remediation efforts, and strengthens security posture.
AWS CloudTrail is the correct service for detailed logging of API calls across AWS accounts. It provides comprehensive, immutable records of user and service activity, including identity, source IP, parameters, and timestamps. While GuardDuty analyzes logs for threats, it does not retain them permanently; KMS manages encryption keys without logging all API activity; and Macie identifies sensitive data but does not provide audit trails. CloudTrail supports regulatory compliance, forensic analysis, and operational monitoring, integrates with S3, CloudWatch, and Security Hub, and enables automated alerting and response. Its centralized logging, historical tracking, and integration with security and monitoring services make it indispensable for auditing, governance, and maintaining a strong security posture in AWS environments.
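The explanation above lists the kinds of API calls a security team typically watches for in CloudTrail (creation of an IAM user, changes to security group rules, deletion of critical resources). The following is an added example, not code from the page or from AWS: it parses a CloudTrail log-file body in the same {"Records": [...]} JSON shape CloudTrail delivers to S3 and flags the watched events, escalating a security-group change that opens a port to the whole internet and still reporting an attempted DeleteTrail that was denied. The records, account id, ARNs and IP addresses are constructed sample values; the severity labels are this example's own choice, since CloudTrail records carry no severity.

```python
"""Added example (not from the original page or AWS): scan a CloudTrail
log-file body for high-risk API calls.  SAMPLE_LOG is a constructed sample
with made-up account id, ARNs and addresses; field names follow the
CloudTrail record format ({"Records": [...]})."""
import json
from typing import Dict, List

# Event names worth alerting on.  Severity labels are this example's own choice.
WATCHLIST: Dict[str, str] = {
    "CreateUser": "medium",
    "CreateAccessKey": "medium",
    "AuthorizeSecurityGroupIngress": "medium",
    "PutBucketPolicy": "medium",
    "DeleteTrail": "high",
    "StopLogging": "high",
}

# Constructed sample log: one benign read, then three watched events.
SAMPLE_LOG: str = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/session"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"},
     "requestParameters": {"name": "org-trail"},
     "errorCode": "AccessDenied"},
]})


def _principal(record: dict) -> str:
    """IAM users carry userName; assumed-role sessions only carry the session ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _world_open_ingress(params: dict) -> bool:
    """True when any range in an AuthorizeSecurityGroupIngress call is
    0.0.0.0/0 or ::/0.  CloudTrail nests these lists under an "items" key."""
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", {}).get("items", [])):
            return True
    return False


def analyze(log_body: str) -> List[dict]:
    """Return one alert dict per watched event, in log order."""
    alerts = []
    for rec in json.loads(log_body).get("Records", []):
        name = rec.get("eventName")
        if name not in WATCHLIST:
            continue
        severity, notes = WATCHLIST[name], []
        if name == "AuthorizeSecurityGroupIngress" and _world_open_ingress(rec.get("requestParameters")):
            severity = "high"
            notes.append("ingress open to the world")
        if rec.get("errorCode"):
            # A denied call is still an attempt worth reviewing.
            notes.append(f"call failed: {rec['errorCode']}")
        alerts.append({"time": rec.get("eventTime"), "event": name,
                       "principal": _principal(rec), "source_ip": rec.get("sourceIPAddress"),
                       "severity": severity, "note": "; ".join(notes)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['event']} by "
              f"{alert['principal']} from {alert['source_ip']} {alert['note']}")
```

In a deployment the same logic would run from a Lambda function triggered by the S3 object-created event for the trail's bucket (or from a CloudWatch Logs subscription when the trail is delivered to CloudWatch Logs), with the alerts forwarded to SNS or Security Hub; the parsing and the escalation rule are unchanged.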
Question 87
Which AWS service helps prevent accidental exposure of sensitive data in S3 by detecting publicly accessible buckets?
A) AWS Config
B) AWS Macie
C) AWS KMS
D) AWS Shield
Answer: A) AWS Config
Explanation:
AWS Config is a fully managed service that provides continuous monitoring, assessment, and auditing of AWS resource configurations, enabling organizations to maintain security, governance, and compliance across their cloud environments. One of its critical use cases is evaluating Amazon S3 bucket configurations to detect publicly accessible or non-compliant buckets. Misconfigured S3 buckets pose significant security risks, potentially exposing sensitive data to unauthorized access. AWS Config addresses this by assessing bucket policies, ACLs, and permissions against organizational rules or industry best practices. By continuously evaluating these configurations, Config helps prevent accidental data exposure while ensuring compliance with internal policies and regulatory requirements.
Config works by tracking configuration changes to AWS resources over time. For S3, it records details such as bucket policies, access control lists (ACLs), encryption status, logging settings, versioning, and other attributes. Config rules, which can be AWS managed or customer-defined, evaluate these resource configurations against desired states. Config evaluates these rules continuously, providing near real-time detection of non-compliance, ensuring that S3 buckets adhere to security and privacy policies at all times.
AWS Macie complements Config by providing data classification and discovery. Macie automatically scans S3 buckets to identify sensitive information such as personally identifiable information (PII), financial records, or intellectual property. While Macie is essential for understanding what sensitive data resides in S3 and highlighting potential data privacy risks, it does not enforce configuration compliance. Macie can generate alerts when sensitive data is detected in unencrypted or misconfigured buckets, but it does not automatically restrict access or remediate misconfigurations. Config fills this gap by enforcing policies and triggering remediation when buckets violate security rules, ensuring that sensitive data is protected from accidental exposure.
AWS Key Management Service (KMS) provides encryption for data at rest, including S3 objects. While encryption protects data confidentiality, it does not prevent unauthorized access if bucket policies or ACLs are overly permissive. For example, a publicly accessible bucket encrypted with a KMS key could still expose metadata or allow encrypted objects to be copied by unauthorized users. KMS focuses on key lifecycle management, access control to keys, and cryptographic operations but does not evaluate or enforce S3 bucket policies. Config complements KMS by ensuring that buckets adhere to access policies, restricting public access, and triggering alerts or remediation when misconfigurations are detected.
AWS Shield protects against Distributed Denial of Service (DDoS) attacks by monitoring network and application-layer traffic to mitigate volumetric and protocol attacks. While Shield enhances availability and resilience of applications, it does not monitor S3 bucket accessibility or enforce data security policies. Shield ensures that applications remain online during attacks but cannot prevent sensitive data exposure due to misconfigured bucket permissions. Config, on the other hand, focuses specifically on resource configurations and policy enforcement, making it the appropriate tool to prevent accidental exposure of S3 data.
A key feature of AWS Config is its ability to trigger automated remediation actions when rules are violated. Using AWS Systems Manager Automation or AWS Lambda, Config can automatically adjust bucket policies, remove public access, or notify administrators when non-compliance is detected. For example, if a rule identifies a publicly accessible bucket, Config can invoke a remediation workflow to remove the public read or write permissions automatically. This reduces the window of exposure, limits operational risk, and ensures that organizational security policies are enforced consistently across all accounts and regions. Automated remediation also helps organizations maintain compliance with regulatory frameworks such as GDPR, HIPAA, PCI DSS, and SOC 2 by ensuring that sensitive data is not inadvertently exposed.
Continuous monitoring is another strength of Config. Every configuration change is tracked and recorded in the Config history, providing a timeline of modifications for auditing and forensic analysis. This historical record allows security and compliance teams to understand the evolution of S3 bucket configurations, investigate incidents, and demonstrate adherence to organizational policies during audits. In addition to tracking S3 bucket policies, Config can monitor other related configurations such as encryption settings, logging, versioning, and replication, providing a holistic view of bucket security.
Config also integrates with AWS Security Hub, which aggregates security findings from multiple services, including Config, GuardDuty, and Macie. By sending non-compliance findings from Config to Security Hub, organizations gain centralized visibility and can correlate configuration issues with detected threats or sensitive data exposure. This unified view improves operational efficiency, enables prioritization of critical risks, and allows security teams to respond more effectively. For example, if a misconfigured bucket is also identified by Macie as containing PII, Security Hub can highlight the combined risk, prompting immediate remediation.
Organizations can leverage both managed and custom Config rules to enforce comprehensive S3 security policies. Managed rules cover common best practices such as preventing public access or enforcing encryption. Custom rules allow organizations to implement specific requirements, such as ensuring only designated IAM roles can access buckets containing financial data. These rules can be scoped to individual accounts, organizational units, or regions, providing flexibility for complex enterprise environments.
Alerts generated by Config can be delivered through Amazon SNS or EventBridge, enabling integration with incident management workflows or security information and event management (SIEM) systems. This ensures that stakeholders are notified promptly when buckets are misconfigured, facilitating rapid response. Additionally, combining Config’s continuous evaluation, automated remediation, and centralized logging supports regulatory compliance by demonstrating proactive enforcement of security policies and controls.
AWS Config is the correct service for preventing accidental exposure of S3 data. It continuously evaluates bucket policies, permissions, and related configurations against compliance rules, triggers automated remediation, and integrates with centralized monitoring tools like Security Hub. While Macie discovers sensitive data, KMS provides encryption, and Shield protects against DDoS attacks, none of these services enforce S3 bucket access policies or monitor public exposure continuously. Config’s ability to enforce access controls, provide historical tracking for auditing, trigger automated remediation workflows, and integrate with other AWS services ensures comprehensive protection against accidental data exposure, supporting both operational security and regulatory compliance. Its centralized evaluation, monitoring, and automation capabilities make it an essential service for maintaining secure and compliant S3 storage.
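The paragraphs above describe how a Config rule evaluates a bucket's policy, ACL and public access block settings and returns a compliance verdict. The following is an added example, not code from the page or from AWS: the evaluation core of a custom Config rule for public S3 access, plus a handler in the shape a Config-invoked Lambda function uses. The configuration items are constructed samples, and their supplementaryConfiguration layout is a simplified version of what Config records for AWS::S3::Bucket, so treat that layout as an assumption; a production rule would validate it and hand the returned evaluation to the Config PutEvaluations API rather than returning it. The AWS managed rule s3-bucket-public-read-prohibited covers the same ground without custom code.

```python
"""Added example (not from the original page or AWS): evaluation logic for a
custom Config rule that flags publicly reachable S3 buckets.  Configuration
item layout below is a simplified assumption modelled on Config's
AWS::S3::Bucket items; sample buckets are constructed data."""
import json
from typing import List, Optional, Tuple

# S3 predefined group URIs that make an ACL grant reachable by everyone
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (or "*" inside an AWS list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _policy_allows_everyone(policy_text: Optional[str]) -> bool:
    """Unconditioned Allow to everyone.  A Condition (e.g. aws:SourceVpce)
    scopes the grant, so such statements are not flagged here."""
    if not policy_text:
        return False
    stmts = json.loads(policy_text).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow" and not s.get("Condition")
               and _principal_is_everyone(s.get("Principal")) for s in stmts)


def _acl_grants_public(grants: List[dict]) -> bool:
    return any(g.get("grantee", {}).get("uri") in PUBLIC_GROUPS for g in grants)


def evaluate_bucket(ci: dict) -> Tuple[str, str]:
    """Return (ComplianceType, annotation) for one bucket configuration item."""
    supp = ci.get("supplementaryConfiguration", {})
    pab = supp.get("PublicAccessBlockConfiguration", {})
    # restrictPublicBuckets neutralises public policies and ignorePublicAcls
    # neutralises public ACL grants; with both set the bucket cannot be public.
    if pab.get("restrictPublicBuckets") and pab.get("ignorePublicAcls"):
        return "COMPLIANT", "public access block enforced"
    reasons = []
    if not pab.get("restrictPublicBuckets") and _policy_allows_everyone(
            supp.get("BucketPolicy", {}).get("policyText")):
        reasons.append("bucket policy allows Principal * without a Condition")
    if not pab.get("ignorePublicAcls") and _acl_grants_public(
            supp.get("AccessControlList", {}).get("grantList", [])):
        reasons.append("ACL grants a global group")
    if reasons:
        return "NON_COMPLIANT", "; ".join(reasons)
    return "COMPLIANT", "no public policy statement or ACL grant"


def lambda_handler(event: dict, context=None) -> dict:
    """Config passes the configuration item as a JSON string in invokingEvent;
    the returned dict uses the field names of a PutEvaluations entry."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    if ci.get("resourceType") != "AWS::S3::Bucket":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    else:
        compliance, note = evaluate_bucket(ci)
    return {"ComplianceResourceType": ci.get("resourceType"),
            "ComplianceResourceId": ci.get("resourceId"),
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": ci.get("configurationItemCaptureTime")}


def make_invoking_event(ci: dict) -> dict:
    """Wrap a configuration item the way Config's invocation event does."""
    return {"invokingEvent": json.dumps({"configurationItem": ci})}


def _bucket(name: str, pab: dict, policy: Optional[dict] = None, grants=None) -> dict:
    """Build a constructed configuration item (sample data, not from Config)."""
    supp = {"PublicAccessBlockConfiguration": pab,
            "AccessControlList": {"grantList": list(grants or [])}}
    if policy:
        supp["BucketPolicy"] = {"policyText": json.dumps(policy)}
    return {"resourceType": "AWS::S3::Bucket", "resourceId": name,
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "supplementaryConfiguration": supp}


ALL_BLOCKED = {"blockPublicAcls": True, "ignorePublicAcls": True,
               "blockPublicPolicy": True, "restrictPublicBuckets": True}
NONE_BLOCKED = {k: False for k in ALL_BLOCKED}
READ_ALL = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::PLACEHOLDER-BUCKET/*"}
SAMPLE_BUCKETS = {
    "locked-down": _bucket("locked-down", ALL_BLOCKED, {"Statement": [READ_ALL]}),
    "public-policy": _bucket("public-policy", NONE_BLOCKED, {"Statement": [READ_ALL]}),
    "vpce-only": _bucket("vpce-only", NONE_BLOCKED, {"Statement": [dict(
        READ_ALL, Condition={"StringEquals": {"aws:SourceVpce": "vpce-0example"}})]}),
    "public-acl": _bucket("public-acl", NONE_BLOCKED, grants=[{"permission": "READ",
        "grantee": {"type": "Group", "uri": "http://acs.amazonaws.com/groups/global/AllUsers"}}]),
}

if __name__ == "__main__":
    for ci in SAMPLE_BUCKETS.values():
        ev = lambda_handler(make_invoking_event(ci))
        print(f"{ev['ComplianceResourceId']:14} {ev['ComplianceType']:14} {ev['Annotation']}")
```

The order of checks matters: the public access block is consulted first because it overrides whatever the policy or ACL says, which is why the "locked-down" sample stays COMPLIANT despite carrying a world-readable policy statement, while the same statement on "public-policy" is NON_COMPLIANT. A NON_COMPLIANT evaluation is what a Config remediation action (for example an SSM Automation document that calls PutPublicAccessBlock) keys on.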
Question 88
Which AWS service aggregates security findings across multiple accounts and regions into a single view?
A) AWS Security Hub
B) AWS GuardDuty
C) AWS Macie
D) AWS WAF
Answer: A) AWS Security Hub
Explanation:
AWS Security Hub is a centralized security management and monitoring service that provides organizations with a unified view of security findings across multiple AWS accounts, regions, and integrated third-party security products. Its core purpose is to aggregate, normalize, and prioritize findings from various AWS security services, enabling security teams to assess organizational security posture, identify high-risk issues, and take action in a coordinated manner. Security Hub’s ability to consolidate disparate security findings into a single pane of glass is critical for organizations managing complex environments with multiple AWS accounts and services, where manual correlation of security alerts is inefficient, error-prone, and time-consuming.
Security Hub ingests findings from a variety of AWS services using the AWS Security Finding Format (ASFF), which standardizes the representation of security alerts. Key services that feed into Security Hub include Amazon GuardDuty, Amazon Inspector, AWS Config, and Amazon Macie. By aggregating findings from these services, Security Hub allows organizations to understand security risks holistically rather than in isolation. The platform provides dashboards that highlight critical and high-severity findings, enabling security teams to focus resources where they are most needed. Through this unified view, Security Hub facilitates prioritization of alerts based on severity, impacted resources, account ownership, or compliance implications, significantly improving operational efficiency.
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts, workloads, and network activity for signs of malicious or unauthorized behavior. It analyzes CloudTrail logs, VPC Flow Logs, and DNS query logs using machine learning, anomaly detection, and threat intelligence feeds to detect issues such as compromised credentials, suspicious API calls, and reconnaissance activity. While GuardDuty is highly effective at generating actionable findings for individual accounts, it does not provide centralized aggregation across multiple accounts or regions. Each account generates its own findings, making it challenging to maintain a holistic view of an organization’s security posture without a service like Security Hub.
Amazon Macie focuses on data security and privacy by automatically discovering, classifying, and monitoring sensitive data stored in Amazon S3. Macie identifies personally identifiable information (PII), financial data, and other confidential content, helping organizations manage privacy risks and comply with regulatory requirements. Although Macie generates alerts regarding sensitive data exposure or misconfiguration, it does not provide centralized aggregation of findings from multiple accounts or integrate with other security services for comprehensive analysis. Its scope is primarily data-focused, leaving broader threat and compliance visibility to other services.
AWS Config continuously monitors and evaluates AWS resource configurations against defined compliance rules and best practices. It identifies non-compliant resources, misconfigurations, or deviations from organizational policies and generates findings that can highlight potential security risks. Config’s insights are essential for maintaining governance and compliance, yet, like GuardDuty and Macie, it operates at the resource level without providing a centralized dashboard or cross-account aggregation. Organizations managing multiple accounts and regions require a consolidated platform to visualize these findings alongside threat and data security alerts, which is precisely what Security Hub provides.
AWS Web Application Firewall (WAF) protects web applications from common exploits, such as SQL injection, cross-site scripting (XSS), and HTTP flood attacks. WAF generates logs and metrics regarding web traffic patterns and rule enforcement but does not provide a centralized aggregation of security findings across AWS services. While it is critical for application-layer protection, WAF’s focus is limited to web traffic and does not encompass comprehensive organizational security visibility.
Security Hub consolidates findings from these diverse services, enabling organizations to view, filter, and analyze alerts in a unified interface. This centralized approach supports security monitoring at scale and provides situational awareness across accounts, regions, and AWS services. Security Hub dashboards present findings by severity, resource type, account, and region, allowing security teams to prioritize their response based on impact and risk. Additionally, Security Hub supports automated remediation workflows, which can trigger AWS Lambda functions or integrate with AWS Systems Manager, enabling rapid, consistent responses to security findings. For example, if a GuardDuty finding indicates a compromised IAM credential, an automated workflow can rotate the credentials, isolate the affected resource, and notify administrators simultaneously.
Another critical capability of Security Hub is compliance monitoring. Security Hub continuously evaluates resources against security standards such as the Center for Internet Security (CIS) AWS Foundations Benchmark, Payment Card Industry Data Security Standard (PCI DSS), and AWS best practices. Findings are normalized and scored, providing a clear, consolidated view of compliance posture. This facilitates audits, simplifies reporting, and ensures that regulatory requirements are consistently enforced across multiple accounts and regions. Security Hub also supports integration with third-party security products, SIEM platforms, and incident response tools, enabling organizations to extend its centralized aggregation capabilities into broader enterprise security operations.
Security Hub enhances operational efficiency by reducing alert fatigue. By correlating findings from multiple sources and presenting them in a unified format, the platform allows security teams to focus on high-priority threats rather than reviewing isolated alerts from individual services. Automated workflows further reduce the manual effort required for incident response, enabling security teams to remediate issues quickly, enforce organizational policies, and maintain a strong security posture without overwhelming operational resources.
AWS Security Hub is the correct service for aggregation and centralization of security findings. While GuardDuty detects threats, Macie identifies sensitive data, Config monitors compliance, and WAF protects applications, none of these services independently provide centralized dashboards, cross-account visibility, or automated remediation. Security Hub integrates findings from these services, normalizes them, provides visualization, enables prioritization, supports compliance assessment, and allows automated response actions. By providing a unified view of organizational security posture and streamlining operational processes, Security Hub ensures that organizations can manage threats, vulnerabilities, and compliance risks efficiently and proactively across multiple accounts and regions. Its ability to correlate findings, highlight high-priority risks, and automate responses makes it an indispensable tool for centralized security management and operational governance in AWS.
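The explanation above describes Security Hub normalising findings into the AWS Security Finding Format (ASFF) and correlating findings from different sources, for instance a bucket flagged by both Config and Macie. The following is an added example, not code from the page or from AWS: it builds the required ASFF fields for findings from three sources, applies Security Hub's documented mapping of the 0 to 100 normalized severity to the severity labels, and then groups findings per resource so that a resource flagged by several sources outranks a single finding of the same severity. The findings, account id and ARNs are constructed samples, and the scoring rule in correlate() is this example's own, not Security Hub's.

```python
"""Added example (not from the original page or AWS): build ASFF-shaped
findings and correlate them per resource.  Account id, ARNs and findings
are constructed samples; the per-resource scoring is this example's own rule."""
from collections import defaultdict
from typing import Dict, List

ASFF_SCHEMA = "2018-10-08"


def severity_label(normalized: int) -> str:
    """Map Severity.Normalized (0-100) to the ASFF Severity.Label bands."""
    if normalized <= 0:
        return "INFORMATIONAL"
    if normalized <= 39:
        return "LOW"
    if normalized <= 69:
        return "MEDIUM"
    if normalized <= 89:
        return "HIGH"
    return "CRITICAL"


def to_asff(source: str, finding_id: str, account: str, region: str,
            resource_type: str, resource_id: str, normalized: int, title: str) -> Dict:
    """Return the required ASFF fields for one finding.  The ProductArn shape
    is the one used for custom findings sent with BatchImportFindings."""
    return {
        "SchemaVersion": ASFF_SCHEMA,
        "Id": finding_id,
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": source,
        "AwsAccountId": account,
        "Title": title,
        "Severity": {"Normalized": normalized, "Label": severity_label(normalized)},
        "Resources": [{"Type": resource_type, "Id": resource_id, "Region": region}],
    }


ACCOUNT, REGION = "123456789012", "us-east-1"  # constructed sample values
SAMPLE_FINDINGS: List[Dict] = [
    to_asff("Config", "cfg-1", ACCOUNT, REGION, "AwsS3Bucket",
            "arn:aws:s3:::example-finance-data", 70, "S3 bucket allows public read"),
    to_asff("Macie", "macie-1", ACCOUNT, REGION, "AwsS3Bucket",
            "arn:aws:s3:::example-finance-data", 60, "PII detected in bucket"),
    to_asff("GuardDuty", "gd-1", ACCOUNT, REGION, "AwsEc2Instance",
            "arn:aws:ec2:us-east-1:123456789012:instance/i-0example", 85,
            "Instance communicating with a known malicious domain"),
    to_asff("Config", "cfg-2", ACCOUNT, REGION, "AwsS3Bucket",
            "arn:aws:s3:::example-logs", 40, "Bucket access logging disabled"),
]


def correlate(findings: List[Dict]) -> List[Dict]:
    """Group findings by resource Id.  Score = highest normalized severity in
    the group plus 10 per additional distinct source, capped at 100; the
    result is sorted highest score first."""
    by_resource: Dict[str, List[Dict]] = defaultdict(list)
    for f in findings:
        for r in f["Resources"]:
            by_resource[r["Id"]].append(f)
    ranked = []
    for resource_id, group in by_resource.items():
        sources = sorted({f["GeneratorId"] for f in group})
        top = max(f["Severity"]["Normalized"] for f in group)
        score = min(100, top + 10 * (len(sources) - 1))
        ranked.append({"resource": resource_id, "sources": sources, "score": score,
                       "label": severity_label(score), "titles": [f["Title"] for f in group]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in correlate(SAMPLE_FINDINGS):
        print(f"{row['score']:3} {row['label']:8} {row['resource']} <- {', '.join(row['sources'])}")
```

The combined Config and Macie findings on the finance bucket score 80 (HIGH), above the lone MEDIUM Config finding on the logging bucket and close behind the GuardDuty finding on the instance; that is the "combined risk" the explanation describes, expressed as a reproducible rule rather than a manual read of two dashboards.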
Question 89
Which AWS service encrypts EBS volumes using customer-managed keys and ensures centralized key management?
A) AWS KMS
B) AWS IAM
C) AWS CloudTrail
D) AWS Macie
Answer: A) AWS KMS
Explanation:
AWS Key Management Service (KMS) is a fully managed service that enables centralized creation, management, and control of cryptographic keys used to protect data across AWS services. One of its primary use cases is encrypting Amazon Elastic Block Store (EBS) volumes to ensure that data at rest remains secure from unauthorized access. KMS provides a scalable and secure approach to encryption, allowing organizations to manage keys centrally while integrating seamlessly with AWS services to enforce data protection policies. Its capabilities extend beyond simple encryption, encompassing key lifecycle management, access control, auditing, and compliance, which together provide a robust framework for securing sensitive information stored in EBS volumes.
KMS enables the creation of customer-managed keys, which give organizations control over the key policy, rotation schedule, and lifecycle of the keys that protect their data. A customer-managed key does not encrypt EBS volume data directly; EBS uses envelope encryption. When a volume is created with a customer-managed key, EBS requests a unique data key from KMS (a GenerateDataKeyWithoutPlaintext call), KMS returns that data key encrypted under the customer-managed key, and the encrypted data key is stored with the volume metadata. When the volume is attached, EBS asks KMS to decrypt the data key, and the plaintext data key is held only in memory on the host for as long as the volume is attached, so all data written to the volume is encrypted with it. Snapshots of the volume, and volumes created from those snapshots, inherit the encryption. The encryption is transparent to the operating system and applications using the storage, so developers and system administrators keep their normal workflows without sacrificing security. For symmetric keys with KMS-generated key material, automatic rotation can be enabled (yearly by default, with a customizable period). Rotation does not re-encrypt existing data: KMS keeps every previous version of the key material so that data keys wrapped under older material can still be unwrapped, and an existing EBS volume keeps the same data key it was created with. What rotation provides is a bound on how much ciphertext is protected under any single version of key material, plus satisfaction of compliance requirements that mandate periodic rotation. It is not a remedy for a compromised key: material that has been compromised still decrypts everything that was ever encrypted under it, so a suspected compromise calls for re-encrypting the data under a new key and revoking the principals involved, not merely rotating.
AWS Identity and Access Management (IAM) controls access to AWS resources, including KMS keys, but it is not the primary authority over a key. Every KMS key has a key policy, and an IAM identity policy can only grant access to a key if the key policy also allows it (typically through the statement that grants the account root principal kms:* permissions, which delegates authorization to IAM policies in that account). Together, key policies and IAM policies specify who can use the key for cryptographic operations, who can administer it, and under what conditions. For an EBS key, the usual hardening is to allow the cryptographic actions (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey, kms:CreateGrant) only when the call arrives through EC2 on the caller's behalf, using the condition key kms:ViaService with a value such as ec2.us-east-1.amazonaws.com, so that the same identity cannot use the key to decrypt arbitrary ciphertext outside EBS. While IAM enforces access control, it does not perform any encryption itself. The combination of KMS and IAM provides both technical enforcement of encryption and governance over who may invoke it.
AWS CloudTrail is a service that records API activity across AWS accounts, capturing detailed logs of actions taken by users, roles, or services. CloudTrail integrates with KMS to log key usage events, including encryption and decryption operations, administrative actions, and policy changes. This logging capability is critical for auditing and compliance, as it allows organizations to verify that encryption policies are being followed and identify any unauthorized attempts to access sensitive data. However, CloudTrail itself does not perform encryption; it serves as a monitoring and auditing tool. By combining CloudTrail with KMS, organizations gain visibility into both the enforcement and use of encryption, providing a full spectrum of operational security controls.
Amazon Macie focuses on data security and privacy by scanning Amazon S3 for sensitive content, such as personally identifiable information (PII), financial data, and intellectual property. While Macie helps organizations identify and classify sensitive data, it does not encrypt EBS volumes or manage cryptographic keys. Macie complements KMS by highlighting data that may require additional protection, but it cannot enforce encryption or manage key lifecycle. Therefore, for centralized EBS encryption, KMS is the appropriate solution, providing both the technical mechanism for encryption and the governance capabilities necessary to secure storage.
KMS integrates with many AWS services beyond EBS, including Amazon S3, Amazon RDS, Amazon Redshift, Amazon DynamoDB, and AWS Lambda, so the same key governance model can be standardized across services. Two scoping rules matter for EBS in particular. First, KMS keys are Regional: a volume must be encrypted with a key in its own Region, and copying a snapshot to another Region re-encrypts it under a key in the destination Region (multi-Region keys, which replicate the same key material into several Regions, are the option when ciphertext must remain portable). Second, a single customer-managed key can protect many volumes and can be shared with other accounts by granting those accounts in its key policy; the receiving account must then also allow the key in its own IAM policies. Centralized management lets organizations enforce security policies, monitor key usage, and automate compliance reporting, which is essential in regulated industries, but it also concentrates risk: one overly permissive key policy or one deleted key affects every volume that depends on that key.
Auditing and compliance are critical components of KMS functionality. Each key usage operation is recorded in CloudTrail, providing a tamper-evident log of who accessed the key, what operation was performed, and when it occurred. This level of auditing allows organizations to demonstrate adherence to regulatory frameworks such as HIPAA, PCI DSS, ISO 27001, and SOC 2. Security teams can review logs to identify anomalies, investigate incidents, and ensure that encryption policies are enforced consistently. Additionally, KMS supports key policies and grants that define fine-grained access controls, allowing administrators to enforce separation of duties, restrict key usage to specific resources, and minimize the risk of insider threats.
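The auditing described above is only useful if someone actually reads the key's CloudTrail events with a policy in mind. The following is an added example, not code from the page or from AWS: it reviews constructed CloudTrail-style records for a key that is supposed to be used only through EBS, flagging administrative changes (ScheduleKeyDeletion, DisableKey, PutKeyPolicy and similar), direct cryptographic use by a principal rather than by the EBS service, denied attempts, and use from an account outside the expected set. The key ARN, the trusted account, and the `invokedBy` value `ec2.amazonaws.com` used to recognise EBS-originated calls are assumptions for the example; check the field values in your own trail before relying on them.

```python
"""Review CloudTrail records for a KMS key that should only ever be used
through Amazon EBS.  Constructed sample events, not real CloudTrail output."""
from collections import Counter

KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")      # assumed key
TRUSTED_ACCOUNTS = {"111122223333"}                     # assumed owner account

# Successful calls that weaken or alter the key's posture.
ADMIN_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation",
                "PutKeyPolicy", "RevokeGrant"}
# Calls EBS makes on the key while creating, attaching or copying volumes.
CRYPTO_EVENTS = {"GenerateDataKeyWithoutPlaintext", "Decrypt", "ReEncrypt",
                 "CreateGrant", "Encrypt", "GenerateDataKey"}
EBS_SERVICE_PRINCIPAL = "ec2.amazonaws.com"   # assumed invokedBy value for EBS


def touches_key(record, key_arn):
    """True if the record's resources or request parameters name key_arn."""
    if any(r.get("ARN") == key_arn for r in record.get("resources", [])):
        return True
    return record.get("requestParameters", {}).get("keyId") == key_arn


def audit_kms_events(records, key_arn=KEY_ARN, trusted=TRUSTED_ACCOUNTS):
    """Return (severity, eventName, detail) findings for the given records."""
    findings = []
    for rec in records:
        if not touches_key(rec, key_arn):
            continue
        name = rec["eventName"]
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        if rec.get("errorCode"):
            # A denied call is a signal on its own: someone tried and failed.
            findings.append(("medium", name, f"denied for {who}: {rec['errorCode']}"))
            continue
        if name in ADMIN_EVENTS:
            findings.append(("high", name, f"administrative change by {who}"))
        if name in CRYPTO_EVENTS and ident.get("invokedBy") != EBS_SERVICE_PRINCIPAL:
            # Direct use by a principal means the key policy is wider than EBS-only.
            findings.append(("high", name, f"key used outside EBS by {who}"))
        if ident.get("accountId") and ident["accountId"] not in trusted:
            findings.append(("medium", name, f"cross-account use from {ident['accountId']}"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 2, 'medium': 2}."""
    return dict(Counter(sev for sev, _, _ in findings))


def _event(name, arn, account, invoked_by=None, error=None):
    """Build a minimal CloudTrail-shaped record for the constructed sample."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn, "accountId": account},
           "resources": [{"ARN": KEY_ARN}]}
    if invoked_by:
        rec["userIdentity"]["invokedBy"] = invoked_by
    if error:
        rec["errorCode"] = error
    return rec


def run_sample():
    """Constructed trail: one normal EBS call and four that deserve attention."""
    owner = "111122223333"
    records = [
        _event("GenerateDataKeyWithoutPlaintext",
               f"arn:aws:sts::{owner}:assumed-role/AppRole/i-0abc", owner,
               invoked_by=EBS_SERVICE_PRINCIPAL),                 # normal volume creation
        _event("Decrypt", f"arn:aws:iam::{owner}:user/alice", owner),  # direct key use
        _event("ScheduleKeyDeletion", f"arn:aws:iam::{owner}:user/admin", owner),
        _event("Decrypt", f"arn:aws:iam::{owner}:user/bob", owner,
               error="AccessDeniedException"),                     # denied attempt
        _event("Decrypt", "arn:aws:sts::444455556666:assumed-role/X/i-1", "444455556666",
               invoked_by=EBS_SERVICE_PRINCIPAL),                  # another account's EBS
    ]
    return audit_kms_events(records)


if __name__ == "__main__":
    for sev, name, detail in run_sample():
        print(f"{sev:6} {name:32} {detail}")
```

In practice the records come from a CloudTrail Lake query or from the trail's S3 objects filtered on `eventSource = kms.amazonaws.com`; the same checks translate directly into CloudWatch Logs metric filters or EventBridge rules if you want alerts rather than a batch report.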
KMS also supports key lifecycle management. Automatic rotation, where enabled, generates new key material on schedule while retaining the old versions, so encrypted EBS volumes continue to function without disruption and without any re-encryption; its value is bounding exposure per key version and meeting compliance mandates, not recovering from a compromise. KMS does not delete keys automatically. An administrator can disable a key (DisableKey), which immediately blocks new cryptographic operations and can be reversed, or schedule its deletion (ScheduleKeyDeletion) with a mandatory waiting period of 7 to 30 days during which the deletion can be cancelled. Deletion is irreversible, and every EBS volume and snapshot encrypted under a deleted key becomes permanently unrecoverable, because their data keys can no longer be unwrapped. The safe practice is to disable first, watch CloudTrail for Decrypt attempts against the disabled key over a full operating cycle, and only then schedule deletion. These capabilities give organizations strong cryptographic hygiene, provided the destructive operations are restricted to a small set of administrators and monitored.
In multi-account or multi-Region AWS environments, centralized key management is achieved through key policies rather than a dedicated AWS Organizations feature. A security or shared-services account can own the keys and grant cryptographic permissions to member accounts in the key policy, for example by listing their account principals or by using an aws:PrincipalOrgID condition so that only principals inside the organization can use the key; each member account then delegates those permissions to its own roles through IAM. Because keys are Regional, a multi-Region deployment needs either a key per Region or a multi-Region key with replicas. To make sure every volume is actually encrypted, enable EBS encryption by default in each Region and account (the EC2 EnableEbsEncryptionByDefault setting, with ModifyEbsDefaultKmsKeyId pointing at the customer-managed key) and use AWS Config rules or Security Hub controls to detect unencrypted volumes. Controlling encryption centrally standardizes practice, reduces misconfiguration, and ensures that all EBS volumes and other encrypted resources comply with organizational standards.
AWS KMS is the correct solution for centralized encryption of EBS volumes. It provides customer-managed keys for transparent, secure encryption, supports automated key rotation, enables detailed auditing through CloudTrail, and integrates with IAM to enforce granular access control. Unlike IAM, which governs access without encrypting data, CloudTrail, which only logs key usage, or Macie, which classifies data without providing encryption, KMS delivers both technical and operational control over encryption. Its broad integration with AWS services, centralized key management, and ability to enforce security policies across multiple accounts make it the definitive service for ensuring that EBS volumes are securely encrypted, operationally manageable, and compliant with regulatory requirements, providing organizations with confidence in the confidentiality and integrity of their stored data.
Question 90
Which service protects AWS applications against volumetric and application-layer DDoS attacks?
A) AWS Shield
B) AWS WAF
C) AWS GuardDuty
D) AWS Macie
Answer: A) AWS Shield
Explanation:
AWS Shield is a managed service designed to protect applications and workloads running on AWS from Distributed Denial of Service (DDoS) attacks. DDoS attacks are malicious attempts to overwhelm network resources or applications, causing service disruption or downtime. These attacks can range from high-volume volumetric attacks designed to saturate network bandwidth, to protocol-layer attacks that exploit weaknesses in networking protocols, to sophisticated application-layer attacks that target the logic and availability of web applications. Shield provides comprehensive protection across these layers, ensuring that AWS-hosted applications remain resilient and available even under attack.
AWS Shield comes in two tiers: Standard and Advanced. Shield Standard is automatically included at no additional cost for all AWS customers and protects against the most common network and transport layer attacks, including SYN floods, UDP reflection attacks, and other frequent volumetric attacks that aim to exhaust server or network capacity. Shield Standard operates within the AWS infrastructure itself, monitoring incoming traffic at the network edge and automatically applying mitigations to absorb or filter malicious packets. This automated protection keeps services such as Amazon CloudFront, Application Load Balancer (ALB), Elastic IP addresses, and Route 53-hosted applications available during attack events. By absorbing and filtering this traffic at the AWS network border rather than at the customer's resources, Shield Standard keeps load off backend capacity and minimizes the risk of service disruption.
AWS Shield Advanced is designed for customers who require enhanced protection and visibility. It offers protection against large-scale and complex DDoS attacks, including multi-vector attacks that combine volumetric, protocol, and application-layer methods, with near real-time attack detection, tailored mitigation, and detailed attack diagnostics. Customers with a Business or Enterprise Support plan also have access to the AWS Shield Response Team (SRT, formerly the DDoS Response Team), who provide expert guidance during attacks and help plan proactive mitigations. Advanced tier customers also benefit from DDoS cost protection, which provides service credits for usage spikes on protected resources (for example EC2 scaling, CloudFront data transfer, or Route 53 queries) caused by a DDoS attack. This financial safeguard is particularly valuable for organizations running high-traffic applications or critical workloads, where attack-induced scaling could otherwise result in significant unplanned costs.
AWS Shield integrates with other AWS services to provide layered, automated defenses. Shield Standard covers every AWS resource, and Shield Advanced protections can be attached to Amazon CloudFront distributions, Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic IP addresses, and Application and Network Load Balancers. With CloudFront and Route 53, traffic is inspected and mitigated at edge locations across the AWS global network, blocking malicious traffic at the perimeter while keeping latency low for legitimate users; Route 53 protection covers the DNS service itself against volumetric and protocol-level floods. An Application Load Balancer is a Regional resource spanning Availability Zones, so Shield Advanced mitigation for it happens at the Region's network border rather than at the edge. Application-layer (Layer 7) mitigation for an ALB or CloudFront distribution additionally requires an AWS WAF web ACL to be associated with the resource, because that is where Shield Advanced places its mitigating rules. These integrations provide comprehensive protection for both global and Regional applications with automatic mitigation and no manual intervention.
AWS Web Application Firewall (WAF) complements Shield by providing application-layer protections. WAF inspects HTTP and HTTPS requests and blocks threats such as SQL injection, cross-site scripting, and other web application exploits, and its rate-based rules cap the number of requests a single source may make within a window, which is the primary defence against HTTP request floods. WAF works only on Layer 7 of the OSI model: it never sees SYN floods or UDP reflection traffic, and it has no capacity to absorb the network saturation or protocol-level exploitation that Shield mitigates. The two are designed to be used together; Shield Advanced's automatic application layer DDoS mitigation in fact works by inserting rules into the WAF web ACL on the protected resource. For comprehensive security, WAF and Shield should be deployed as a layered defense.
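To make the Layer 7 side concrete, here is an added example (not AWS code and not from the original page) that models what a WAF rate-based rule does: it slides a window over constructed ALB-style access records, counts requests per source IP, and blocks requests from any source that exceeds the limit while the window is hot, optionally scoped down to one path prefix the way a WAF scope-down statement narrows a rule. The limit of 100 requests per 5 minutes, the sample IPs, and the paths are assumptions; AWS evaluates the real rule on its own cadence and aggregation settings, so treat this as the logic, not the exact behaviour.

```python
"""Simplified model of an AWS WAF rate-based rule evaluated over constructed
ALB-style access records.  Not AWS code; the real rule evaluates on its own
cadence and counts according to the rule's aggregation settings."""
from collections import defaultdict, deque

RATE_LIMIT = 100          # assumed rule limit: requests per source IP per window
WINDOW_SECONDS = 300      # the classic 5-minute evaluation window


def evaluate_rate_rule(requests, limit=RATE_LIMIT, window=WINDOW_SECONDS,
                       scope_down_prefix=None):
    """requests: iterable of (timestamp_seconds, client_ip, path).

    Returns (decisions, blocked_ips).  decisions[i] is 'ALLOW' or 'BLOCK' for
    the i-th request in time order.  With scope_down_prefix set, only paths
    under that prefix count toward (and are blocked by) the rule, mirroring
    a WAF scope-down statement."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    blocked_ips = set()
    decisions = []
    for ts, ip, path in sorted(requests):
        if scope_down_prefix and not path.startswith(scope_down_prefix):
            decisions.append("ALLOW")   # out of scope for this rule
            continue
        window_hits = recent[ip]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] >= window:
            window_hits.popleft()       # forget requests older than the window
        if len(window_hits) > limit:
            blocked_ips.add(ip)
            decisions.append("BLOCK")
        else:
            decisions.append("ALLOW")
    return decisions, blocked_ips


def sample_traffic():
    """Constructed: a normal client plus one IP hammering /login for 60 seconds."""
    legit = [(t * 6, "203.0.113.10", "/api/items" if t % 2 else "/login")
             for t in range(50)]                                    # 50 requests over 5 min
    flood = [(t * 0.15, "198.51.100.7", "/login") for t in range(400)]   # 400 in 60 s
    return legit + flood


def run_sample():
    """Apply the rule scoped to /login; the normal client stays under the limit."""
    return evaluate_rate_rule(sample_traffic(), scope_down_prefix="/login")


if __name__ == "__main__":
    decisions, blocked = run_sample()
    print(f"blocked {decisions.count('BLOCK')} of {len(decisions)} requests; "
          f"offending sources: {sorted(blocked)}")
```

The thing to notice is what the model cannot do: it only ever sees complete HTTP requests that reached the load balancer, so a SYN flood or a UDP amplification attack produces no entries here at all. That traffic is absorbed upstream by Shield, which is why the two services are layered rather than interchangeable.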
Amazon GuardDuty focuses on threat detection within AWS accounts by analyzing CloudTrail logs, VPC Flow Logs, and DNS query data. GuardDuty can identify suspicious activity such as compromised credentials, unusual API calls, or reconnaissance attempts. Although GuardDuty provides actionable alerts and integrates with Security Hub for centralized monitoring, it does not block or mitigate DDoS attacks. Its role is detection and alerting rather than traffic protection. Consequently, GuardDuty cannot replace Shield for ensuring the availability and continuity of applications under attack.
Amazon Macie is designed for data security and privacy compliance. It automatically discovers, classifies, and monitors sensitive information stored in Amazon S3. While Macie helps organizations identify potential exposure of personally identifiable information (PII), financial records, or confidential data, it does not provide protection against attacks, network-level threats, or service disruption. Macie is complementary to Shield and WAF in the broader security strategy but does not contribute to DDoS mitigation.
Shield Advanced provides additional operational and analytical benefits. During an attack, customers receive detailed diagnostics in the Shield console and the global threat dashboard, including attack vectors, duration, magnitude, and affected resources, which lets security teams analyze attack patterns and refine mitigations. Shield Advanced also publishes CloudWatch metrics per protected resource (DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond), so alarms and EventBridge rules can drive automated runbooks. Its automatic application layer DDoS mitigation, enabled per protected CloudFront distribution or ALB, inserts rate-based and custom rules into the associated WAF web ACL when an application-layer flood is detected and removes them when it subsides. AWS Firewall Manager can roll out Shield Advanced protection and WAF policies across all accounts in an organization, so new resources are protected as they appear. These capabilities make DDoS protection proactive and adaptive, reducing the risk of prolonged service disruption.
Another advantage of Shield Advanced is access to the Shield Response Team (SRT, formerly the DDoS Response Team). The SRT provides guidance on incident response planning, custom mitigations during an attack, and post-attack analysis. With proactive engagement enabled, which requires Route 53 health checks on the protected resources and registered emergency contacts, the SRT reaches out when the health checks show the application degrading during a detected event, instead of waiting for a support case. The SRT changes mitigations on a customer's resources only with authorization, which the customer grants through a dedicated service role. This expert support is invaluable for mission-critical or publicly exposed workloads, and, combined with automated monitoring and protection, it reduces the risk of extended outages during large or sophisticated attacks.
AWS Shield provides comprehensive protection against volumetric, protocol, and application-layer DDoS attacks, ensuring that AWS applications remain available and resilient under adverse conditions. Shield Standard protects against common network attacks automatically, while Shield Advanced offers enhanced detection, mitigation, cost protection, expert guidance, and detailed analytics. Although WAF protects web applications from exploits and rate-limits request floods, it cannot absorb high-volume network traffic. GuardDuty detects suspicious behavior but does not prevent attacks, and Macie secures sensitive data without mitigating service disruptions. Shield's integration with CloudFront, ALB, and Route 53 provides automated, near real-time mitigation at the network and transport layers and, together with an associated WAF web ACL, at the application layer, making it the correct service for DDoS protection. Its combination of automated defenses, expert support, detailed reporting, and cost protection gives organizations confidence that their applications can withstand complex attacks while maintaining performance, availability, and operational continuity.