AWS Solutions Architect (SAA-C03)

Design secure architectures

51 free practice questions with explanations

PassNova has 51 free AWS Solutions Architect (SAA-C03) practice questions on Design secure architectures, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Design secure architectures: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 51 for free in the browser.

  1. An application running on EC2 must access an S3 bucket securely without storing long-term credentials on the instance. What is the recommended approach?

    • A Embed an IAM user's access keys in the application code
    • B Store credentials in a config file on the instance
    • C Attach an IAM role to the EC2 instance
    • D Use the root account credentials

    Answer: Attaching an IAM role to the EC2 instance provides temporary, automatically rotated credentials via the instance metadata service, avoiding the risk of hard-coded long-term keys.

  2. A company needs to grant a third-party AWS account temporary access to specific resources without sharing long-term credentials. What is the BEST approach?

    • A Create an IAM user and share its access keys
    • B Create a cross-account IAM role that the third party can assume
    • C Make the S3 bucket public
    • D Share the root account password

    Answer: A cross-account IAM role allows the external account to assume the role and obtain temporary credentials, following least-privilege without sharing long-term keys.

  3. A company must encrypt data at rest in an S3 bucket and retain full control over the encryption keys, including rotation, using a managed key service. Which option meets this?

    • A SSE-S3 with Amazon-managed keys
    • B SSE-KMS with a customer managed key
    • C Client-side encryption with no key management
    • D No encryption, rely on bucket policies

    Answer: SSE-KMS with a customer managed key lets the company control key policies, rotation, and auditing through AWS KMS while AWS handles the encryption operation server-side.

  4. A company wants to centrally manage and enforce security policies across many AWS accounts. Which service should they use?

    • A AWS IAM
    • B AWS Organizations with Service Control Policies
    • C Amazon Cognito
    • D AWS Config alone

    Answer: AWS Organizations with Service Control Policies allows centralized governance, letting administrators set guardrails that restrict what actions accounts can perform.

  5. An application stores sensitive data and must log all API calls made to AWS services for auditing. Which service captures this activity?

    • A Amazon CloudWatch Logs
    • B AWS CloudTrail
    • C AWS Config
    • D Amazon Inspector

    Answer: AWS CloudTrail records API calls and account activity across AWS services, providing an audit trail for governance, compliance, and operational and security analysis.

  6. A company wants the simplest way to control inbound and outbound traffic at the instance level for its EC2 instances. Which feature should be used?

    • A Network ACLs
    • B Security groups
    • C Route tables
    • D IAM policies

    Answer: Security groups act as stateful virtual firewalls at the instance level, controlling inbound and outbound traffic. Network ACLs operate at the subnet level and are stateless.
