Design Secure Architectures Questions
Practice questions for the Design Secure Architectures topic in AWS Certified Solutions Architect - Associate. 60 questions covering this domain.
A platform team wants developers to create IAM roles for applications but prevent those roles from ever receiving permissions outside an approved maxi...
EC2 instances must access an S3 bucket securely without hardcoding credentials into application code. What is the best approach?
A Lambda function needs to read from DynamoDB and write to S3. What is the correct way to grant these permissions?
Which AWS service stores database credentials and API keys securely and can rotate them automatically?
A developer accidentally committed AWS access keys to a public source code repository. What should be done first?
A financial institution requires that S3 objects cannot be deleted or overwritten for 10 years by any user, including administrators. Which feature en...
A company must ensure calls from EC2 instances to supported AWS service APIs stay on the AWS network and that those API calls are logged. Which combin...
On-premises Active Directory users need to sign in to the AWS Management Console using their existing credentials. What should the architect configure...
What is AWS Key Management Service (AWS KMS) primarily used for?
IAM Access Analyzer reports that an S3 bucket is publicly accessible. The bucket contains approved public website assets that are intended to remain p...
Which service records AWS API calls for governance, compliance, and auditing?
An IAM policy grants s3:* on all resources, but an AWS Organizations service control policy allows only s3:GetObject. What S3 permissions does the use...
Which AWS service helps protect a web application from common exploits such as SQL injection and cross-site scripting?
A company needs to grant a third-party auditor read-only access to its AWS account. Which approach follows security best practices?
What is the simplest way to ensure all objects uploaded to an S3 bucket are encrypted at rest?
An IAM user has an identity policy allowing kms:Decrypt on a specific CMK, but Decrypt calls return AccessDenied. The CMK key policy does not referenc...
An organization with many VPCs needs centralized stateful packet inspection and intrusion prevention for outbound internet traffic routed through Tran...
Which AWS service continuously analyzes CloudTrail, VPC Flow Logs, and Route 53 DNS logs to detect malicious activity?
A mobile app needs user sign-up, sign-in, MFA, and JWT issuance for end users. Which Cognito feature should be used?
An ALB terminates TLS and forwards to EC2 targets. Compliance requires encryption end-to-end to the EC2 instances. What should the architect configure...