A company is managing multiple AWS accounts in AWS Organizations. The company is reviewing internal security of its AWS environment. The company's security administrator has their own AWS account and wants to review the VPC configuration of developer AWS accounts.
Which solution will meet these requirements in the MOST secure manner?
Answer : D
The most secure solution is to use cross-account IAM roles with least-privilege read-only permissions. The security administrator should not receive shared IAM user credentials from the developer accounts. Credential sharing is poor security practice and creates accountability and rotation problems. Administrator access is also excessive because the requirement is only to review VPC configuration, not modify resources. A cross-account role lets the security administrator authenticate in their own AWS account and assume a role in each developer account for temporary, auditable access. The role should allow only the required read-only EC2 and VPC actions, such as describing VPCs, subnets, route tables, network ACLs, security groups, and flow logs. This approach follows AWS least-privilege and temporary-credential best practices.
A company hosts an FTP server on EC2 instances. AWS Security Hub sends findings to Amazon EventBridge when the FTP port becomes publicly exposed in attached security groups.
A CloudOps engineer needs an automated, event-driven remediation solution to remove public access from security groups.
Which solution will meet these requirements?
Answer : D
Per the AWS Cloud Operations and Security Automation documentation, Security Hub integrates with Amazon EventBridge to publish findings in real time. These events can trigger automated responses using AWS Lambda functions or AWS Systems Manager Automation runbooks.
In this scenario, the correct CloudOps approach is to configure the existing EventBridge rule to invoke a Lambda function that inspects the event payload, identifies the affected security group, and removes the offending inbound rule (e.g., port 21 open to 0.0.0.0/0).
This event-driven remediation provides continuous compliance and eliminates manual intervention. Cron jobs (Options B and C) contradict event-driven design and add operational overhead. Stopping instances (Option A) doesn't address the root cause --- the insecure security group.
Thus, Option D aligns with AWS best practices for automated security remediation through EventBridge and Lambda.
An ecommerce company uses Amazon ElastiCache (Redis OSS) for caching product queries. The CloudOps engineer observes a large number of cache evictions in Amazon CloudWatch metrics and needs to reduce evictions while retaining popular data in cache.
Which solution meets these requirements with the least operational overhead?
Answer : D
According to the AWS Cloud Operations and ElastiCache documentation, cache evictions occur when the cache runs out of memory and must remove items to make space for new data.
To reduce evictions and retain frequently accessed items, AWS recommends increasing the total available memory --- either by scaling up to larger node types or scaling out by adding shards/nodes. Migrating to a cluster with larger nodes is the simplest and most efficient solution because it immediately expands capacity without architectural changes.
Adjusting TTL (Options B and C) controls expiration timing, not memory allocation. Adding a single node (Option A) may help, but redistributing data requires resharding, introducing more complexity.
Thus, Option D provides the lowest operational overhead and ensures high cache hit rates by increasing total cache memory.
A CloudOps engineer must ensure that all of a company's current and future Amazon S3 buckets have logging enabled. If an S3 bucket does not have logging enabled, an automated process must enable logging for the S3 bucket.
Which solution will meet these requirements?
Answer : D
AWS Config is designed to continuously evaluate AWS resource configurations and detect noncompliance. The s3-bucket-logging-enabled managed rule specifically checks whether server access logging is enabled on S3 buckets. This directly meets the detection requirement for both current and future buckets.
To satisfy the remediation requirement, AWS Config supports automatic remediation actions. Using the AWS-provided AWS-ConfigureS3BucketLogging Systems Manager Automation runbook enables logging without custom code. This reduces operational overhead, avoids Lambda function maintenance, and aligns with AWS best practices.
Option A is incorrect because Trusted Advisor does not support automatic remediation. Option B cannot enforce logging at creation time through bucket policies alone. Option C works but introduces unnecessary Lambda maintenance compared to using an AWS-managed automation runbook.
Thus, combining AWS Config managed rules with Systems Manager Automation provides continuous compliance with minimal operational effort.
A company runs an application on Amazon EC2 instances behind an Elastic Load Balancer (ELB) in an Auto Scaling group. The application performs well except during a 2-hour period of daily peak traffic, when performance slows.
A CloudOps engineer must resolve this issue with minimal operational effort.
What should the engineer do?
Answer : C
According to the AWS Cloud Operations and Compute documentation, when workloads exhibit predictable traffic patterns, the best practice is to use scheduled scaling for Amazon EC2 Auto Scaling groups.
With scheduled scaling, administrators can predefine the desired capacity of an Auto Scaling group to increase before anticipated demand (in this case, before the 2-hour peak) and scale back down afterward. This ensures that sufficient compute capacity is provisioned proactively, avoiding performance degradation while maintaining cost efficiency.
AWS notes: ''Scheduled actions enable scaling your Auto Scaling group at predictable times, allowing you to pre-warm instances before demand spikes.''
Manual scaling (Option D) adds operational overhead. Adjusting launch templates (Option B) doesn't affect scaling behavior, and permanently increasing minimum capacity (Option A) wastes resources outside of peak hours.
Thus, Option C provides an automated, cost-effective, and operationally efficient CloudOps solution.
A CloudOps engineer must manage the security of an AWS account. Recently, an IAM user's access key was mistakenly uploaded to a public code repository. The engineer must identify everything that was changed using this compromised key.
How should the CloudOps engineer meet these requirements?
Answer : C
According to the AWS Cloud Operations and Security documentation, AWS CloudTrail is the authoritative service for recording API activity across all AWS services within an account.
When an access key is compromised, CloudTrail logs all API requests made using that key, including details such as:
The user identity (access key ID) that made the request,
The service, operation, resource, and timestamp affected, and
The source IP address and region of the request.
By searching the CloudTrail event history for the specific access key ID, the CloudOps engineer can identify every action performed by that key during the suspected breach window.
Other options are incorrect:
EventBridge (A) is event-driven, not historical.
CloudWatch Logs (B) monitors system logs, not AWS API activity.
VPC Flow Logs (D) track network-level traffic, not API calls.
Therefore, the correct solution is Option C --- using AWS CloudTrail event history to audit and trace all actions executed via the compromised access key.
A company has attached the following policy to an IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-1"
}
}
},
{
"Effect": "Deny",
"NotAction": [
"ec2:*",
"s3:GetObject"
],
"Resource": "*"
}
]
}
Which of the following actions are allowed for the IAM user?
Answer : C
The explicit Deny statement uses NotAction, which means it denies all actions except ec2:* and s3:GetObject. Explicit deny overrides any allow. Therefore, even though rds:Describe* is allowed in the first statement, it is denied by the Deny statement because RDS actions are not excluded from the deny. s3:PutObject is also denied because only s3:GetObject is excluded. EC2 actions are excluded from the deny, but they still need an applicable Allow. The second statement allows ec2:* only when the EC2 Region condition equals us-east-1. Therefore, ec2:DescribeInstances in us-east-1 is allowed, while ec2:AttachNetworkInterface in eu-west-1 is not allowed. Option C is the only permitted action.