SCS-C03 Cheat Sheet
Detection
Monitoring & Alerting
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Sort detection services by job, because no two share one
GuardDuty detects threats from activity, Macie discovers sensitive data in S3, Security Hub aggregates findings and grades posture, Security Lake centralizes raw logs, Detective investigates a finding, and Config tracks resource compliance. Each does exactly one job, so a question stem that describes a job points to one service. Match the symptom in the stem to the job rather than recalling marketing names, and the lookalike answers fall away.
Trap Picking Security Hub when the stem asks to detect a brand-new threat from network or DNS activity; Security Hub only ingests findings others created, it never analyzes that telemetry itself.
- GuardDuty is the detector; Security Hub is the aggregator
GuardDuty analyzes telemetry and produces findings, while Security Hub consumes findings from GuardDuty, Macie, Inspector, and partners into one normalized list and adds control-based posture scores. The exam confuses them because both surface findings, but only GuardDuty creates them from raw activity. Reach for Security Hub when the requirement is a single prioritized view across many accounts plus compliance grading, and GuardDuty when the requirement is finding the threat in the first place.
- GuardDuty's three foundational sources are always on and free
GuardDuty's foundational data sources are AWS CloudTrail management events, VPC Flow Logs, and Route 53 Resolver DNS query logs; they need no agents, no setup, and carry no extra ingestion cost. CloudTrail S3 data events are not foundational, they are covered only by the optional S3 Protection plan, and other optional plans add EKS Runtime Monitoring, RDS login activity, Lambda network activity, and Malware Protection. Knowing which sources are built in tells you what GuardDuty catches before you enable anything else.
Trap Listing 'CloudTrail management and data events' as foundational; S3 data-event monitoring requires turning on the S3 Protection plan.
3 questions test this
- An organization's Amazon GuardDuty has generated a Stealth:IAMUser/CloudTrailLoggingDisabled finding. The security team needs to understand…
- A security operations team is investigating a high-severity Amazon GuardDuty finding with the type CryptoCurrency:EC2/BitcoinTool.B!DNS for…
- A company is enabling Amazon GuardDuty across all AWS accounts in their organization. The security architect wants to understand which data…
- GuardDuty severity runs 1.0 to 10.0 across four bands
Each GuardDuty finding gets a severity value on a 1.0 to 10.0 scale, bucketed as Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0. That number is the field your EventBridge alerting filters on, for example paging only on findings of 7.0 and above. Critical means an attack sequence may be in progress, so it is the band you wire to immediate response rather than a daily digest.
- Macie classifies sensitive data in Amazon S3 only
Macie scans Amazon S3 objects and raises sensitive-data findings when it matches managed or custom data identifiers for PII, credentials, and financial data, plus policy findings when a bucket's settings weaken. It does not scan databases, EBS volumes, or network traffic, and it does not detect threats. When a scenario is 'where is our regulated data sitting,' that is Macie; when it is 'is someone attacking us,' that is GuardDuty.
Trap Choosing Macie to scan an RDS database or EBS volume for sensitive data; Macie's discovery is scoped to S3 objects.
- Macie publishes to Security Hub directly, not via EventBridge
Macie sends findings to Security Hub through a native integration and, separately, to EventBridge as its own destination; the Security Hub delivery does not route through EventBridge. By default only new and updated policy findings are published to Security Hub, while sensitive-data findings must be opted in through the publication settings. So if sensitive-data findings are missing from Security Hub, the fix is the publication setting, not an EventBridge rule.
Trap Assuming sensitive-data findings reach Security Hub automatically; only policy findings do by default, sensitive-data findings need opt-in.
- Security Hub grades accounts with controls grouped into standards
Security Hub runs security controls grouped into standards such as the AWS Foundational Security Best Practices (FSBP) and CIS, producing a posture score per account on top of the findings it aggregates. The recommended configuration enables FSBP and all of its controls, including new ones as they ship. When a question wants continuous benchmarking of accounts against a best-practice standard, that scoring is Security Hub's job, distinct from GuardDuty's threat findings.
- Detective investigates a finding with a behavior graph
Detective is the investigation layer, not a detector: it pulls CloudTrail, VPC Flow Logs, and GuardDuty findings into a behavior graph using machine learning and graph analysis so an analyst can trace root cause and blast radius across up to about a year of history. You open it after a finding fires to answer 'what else did this principal touch.' It does not create findings and it is not a place to run ad-hoc SQL over raw logs.
Trap Treating Detective as a detector that raises its own findings; it visualizes and correlates existing telemetry, it does not generate findings.
4 questions test this
- A security team is establishing a threat detection and investigation workflow. They want to ensure security analysts can quickly pivot from…
- A company has enabled Amazon Detective to investigate security events across 50 AWS accounts in their organization. The security team…
- A security analyst receives an alert about a potential credential compromise affecting multiple AWS accounts. Amazon GuardDuty has…
- A company's security operations center (SOC) receives an alert about a potential security incident involving an Amazon EC2 instance. The…
- Findings become alerts through an EventBridge rule, not the service
Detection services do not notify anyone on their own; a finding is published to the default EventBridge bus, an EventBridge rule matches it by source and a field like severity, and targets such as SNS, Lambda, or Step Functions carry out notification or automated response. Build the alerting once at the EventBridge layer and every detector inherits it. A rule filtering severity at 7.0 and above, for instance, pages on-call only for High and Critical GuardDuty findings.
Trap Wiring each detection service to its own SNS topic separately; the reusable pattern centralizes matching in one EventBridge rule that all detectors feed.
4 questions test this
- A security engineer needs to configure automated alerts for Amazon GuardDuty findings that require immediate attention. The company's…
- A company uses Amazon GuardDuty with a delegated administrator account to monitor security across 200 member accounts. The security team…
- A company wants to implement automated remediation for Security Hub findings. The security team needs to automatically invoke AWS Lambda…
- A security architect is configuring Amazon GuardDuty for an AWS Organizations environment with a delegated administrator account. The…
- EventBridge archive defaults to indefinite retention
An EventBridge archive captures matching events for later replay, and its retention is configurable in days but defaults to indefinite, not 24 hours. Use it when you need to retain or re-drive detection events rather than just page on them live. The replay lets you reprocess past findings through a new rule or target without the original events being gone.
- Aggregate org-wide through a delegated administrator account
GuardDuty, Macie, Security Hub, Detective, and Config each let the Organizations management account designate one member as the delegated administrator, which then enables, configures, and views findings for every member across Regions from one place. AWS guidance, and the exam answer, is to put that role in a dedicated security or audit account, not the management account, keeping detection authority separate from billing and account creation. This is how you avoid logging into hundreds of accounts to see findings.
Trap Making the Organizations management account the delegated administrator for detection; best practice delegates to a separate security account.
- Security Hub central configuration pushes policies from a home Region
After integrating Security Hub with AWS Organizations, the delegated admin uses central configuration to write configuration policies from one home Region that declare whether Security Hub is on and which standards and controls run, taking effect in the home Region and all linked Regions. Targets (an account, OU, or root) are centrally managed, so only the delegated admin can change them, which blocks configuration drift, or self-managed, so the account configures itself per Region. An applied policy always wins over an inherited one.
Trap Expecting a centrally managed account to change its own standards locally; central configuration removes that, only the delegated admin can, which is the point.
- The home Region doubles as the Security Hub aggregation Region
In Security Hub central configuration the home Region is both where the delegated admin authors configuration policies and the aggregation Region that receives findings, insights, and data from all linked Regions. Pick it deliberately, because an opt-in Region (any introduced on or after March 20, 2019) cannot be the home Region, though it can be a linked Region. Cross-Region aggregation is what gives you a single multi-Region view of posture.
5 questions test this
- A multinational company operates AWS workloads across 15 AWS Regions and wants to centralize all security findings from Amazon GuardDuty,…
- A company has deployed AWS Security Hub across multiple AWS Regions including us-east-1, us-west-2, eu-west-1, and ap-southeast-1. The…
- A company uses AWS Security Hub as a delegated administrator in a multi-account AWS Organizations environment. The security team wants to…
- A security operations team uses Security Hub with cross-region aggregation enabled. They have created a custom insight in the home region…
- A company operates workloads across multiple AWS Regions and uses AWS Security Hub in each Region. The security team needs to establish a…
- Config conformance packs deploy rules as one org-wide unit
A conformance pack is a collection of AWS Config rules and remediation actions packaged as a single YAML template, optionally stored as a Systems Manager document, and deployed in one account-and-Region or across the whole organization from the delegated admin. It is how you assess compliance against a baseline like PCI or operational best practices in one deployable entity instead of wiring rules one at a time. Config tracks resource configuration over time; the pack turns that into a graded compliance result.
- Use State Manager to enforce configuration, not just flag it
AWS Config and conformance packs detect and report noncompliant resource configuration, but they do not by themselves keep a setting in place. AWS Systems Manager State Manager enforces a desired configuration on a schedule, reapplying it when something drifts. Reach for State Manager when the requirement is automatic correction of drift rather than a finding that a human or separate remediation must act on.
Trap Expecting an AWS Config rule on its own to fix a drifted setting; a rule evaluates compliance, enforcement comes from a remediation action or State Manager.
- Inspector findings flow into Security Hub, it is the scanner not the hub
Amazon Inspector continuously scans EC2 instances, container images in ECR, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure, then publishes its findings into Security Hub alongside GuardDuty and Macie. Inspector is the vulnerability detector; Security Hub is where its findings are aggregated and prioritized. When a stem asks which service finds unpatched CVEs on workloads, that is Inspector, with Security Hub as the place you review them.
- GuardDuty re-sends repeat findings every 6 hours by default; only the admin can shorten it
GuardDuty pushes a brand-new finding (unique finding ID) to EventBridge in near real time, but it aggregates subsequent occurrences of the same finding type into a single event on a notification frequency that defaults to 6 hours (configurable to 15 minutes or 1 hour). Only the administrator account can change this frequency for subsequent occurrences; a member account cannot, and the administrator's setting applies to all member accounts.
Trap Reading EventBridge firing only on a finding's first occurrence as a broken event pattern; it is the default 6-hour aggregation cadence for repeats.
3 questions test this
- A security architect is configuring Amazon GuardDuty for an AWS Organizations environment with a delegated administrator account. The…
- A company configured an Amazon EventBridge rule to trigger an AWS Lambda function whenever Amazon GuardDuty generates a new finding. After…
- A company is using Amazon GuardDuty with delegated administrator accounts across an AWS Organization. The security team notices that…
- Detective finding groups correlate GuardDuty findings into a MITRE ATT&CK attack chain
Amazon Detective finding groups examine multiple related GuardDuty findings and the entities involved (such as IPs, users, and resources) that are likely part of the same event, and map the group's tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework. A finding group offers a generative-AI natural-language summary of the attack narrative (powered by models on Amazon Bedrock) plus a graph-based visualization showing how the entities connect the findings.
Trap Reaching for a behavior-graph entity profile to see the cross-finding attack chain; the correlated, TTP-mapped view is the finding group, not an individual entity profile.
4 questions test this
- A security analyst is using Amazon Detective to investigate a complex security incident. The analyst finds that Detective has correlated 15…
- A security analyst receives multiple Amazon GuardDuty findings across different AWS accounts in an organization over a 48-hour period. The…
- A security analyst at a multinational company receives multiple Amazon GuardDuty findings indicating credential compromise across several…
- A security analyst receives an alert about a potential credential compromise affecting multiple AWS accounts. Amazon GuardDuty has…
- Security Hub custom actions are how an analyst manually pushes selected findings to EventBridge
Security Hub auto-streams every new finding and finding update to EventBridge for automated rules, but to act on only specific findings on demand you create a custom action; when an analyst selects findings (or insight results) and chooses it, Security Hub emits an event carrying the custom action ARN that an EventBridge rule matches to invoke a Lambda or ticketing integration. This is the supported pattern for combining automatic remediation with manual, on-demand routing.
Trap Building a separate console button or polling job for manual routing; the on-demand path is a Security Hub custom action matched by its ARN in an EventBridge rule.
4 questions test this
- A company wants to implement automated remediation for Security Hub findings. The security team needs to automatically invoke AWS Lambda…
- A company uses AWS Security Hub with cross-Region aggregation enabled in their delegated administrator account. The security team wants to…
- A security architect is troubleshooting an EventBridge rule that should send Security Hub findings to an Amazon SNS topic for notification.…
- A security team uses AWS Security Hub to aggregate findings across an AWS Organization. When an analyst identifies a finding in the…
- Security Hub insight filters are AND across attributes, OR within one attribute
A Security Hub custom insight combines filters on different attributes with AND and filters on the same attribute with OR, so 'Product name is GuardDuty' plus 'Product name is Amazon Inspector' plus 'Resource type is AwsS3Bucket' means (GuardDuty OR Inspector) AND S3. A grouping attribute (such as AwsAccountId or ResourceId) defines the insight result, and the insight spans the home Region and all linked Regions unless you add a Region filter.
Trap Expecting two values of the same attribute to AND together; same-attribute filters OR, so listing two product names widens rather than narrows the insight.
6 questions test this
- A security engineer needs to create a custom insight in AWS Security Hub to track critical severity findings generated by either Amazon…
- A multinational company has enabled AWS Security Hub cross-Region aggregation with us-east-1 as the home Region. The security team creates…
- A company uses AWS Security Hub with cross-Region aggregation enabled and has configured US East (N. Virginia) as the home Region with…
- A financial services company uses AWS Security Hub to aggregate findings across multiple accounts and Regions. The compliance team requires…
- A security operations team uses Security Hub with cross-region aggregation enabled. They have created a custom insight in the home region…
- A company uses AWS Security Hub with cross-Region aggregation enabled. The security team notices that a specific AWS account is generating…
- Security Hub ALL_REGIONS linking mode auto-includes future Regions in aggregation
Security Hub cross-Region aggregation is off until you explicitly enable it from the aggregation (home) Region. Setting RegionLinkingMode to ALL_REGIONS aggregates findings from every Region where Security Hub is enabled and automatically aggregates findings from new Regions as Security Hub supports them and you opt into them, which is what satisfies a requirement to include future Regions without reconfiguration.
Trap Listing specific linked Regions (SPECIFIED_REGIONS) when the requirement is to auto-include future ones; only ALL_REGIONS (or ALL_REGIONS_EXCEPT_SPECIFIED) adds new Regions automatically.
5 questions test this
- A company has deployed AWS Security Hub across multiple AWS Regions including us-east-1, us-west-2, eu-west-1, and ap-southeast-1. The…
- A company operates across multiple AWS Regions with a delegated administrator account configured in AWS Organizations. The security team…
- A company has enabled AWS Security Hub across 50 AWS accounts in their organization spanning four AWS Regions. The security team wants to…
- A security team at a multinational company uses AWS Security Hub as the delegated administrator account in us-east-1 and needs to…
- A company operates workloads across multiple AWS Regions and uses AWS Security Hub in each Region. The security team needs to establish a…
Logging Solutions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Troubleshooting Detection
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Incident Response
Incident Response Planning
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Cloud IR follows the four-phase NIST 800-61 lifecycle
AWS structures incident response on the NIST SP 800-61 lifecycle: preparation, then detection and analysis, then containment, eradication, and recovery, then post-incident activity. Preparation is where you stage access, runbooks, tooling, and rehearsals so response is a procedure, not an improvisation. The phases loop, so post-incident lessons feed straight back into preparation.
- Pre-provision responder access as a break-glass role, never standing admin
Incident response needs broader permissions than daily work, so pre-create a dedicated IR IAM role that responders assume only during a declared incident, gated by MFA, a tight trust policy, and full CloudTrail logging. This gives auditable, time-boxed elevation without leaving powerful permissions lying around, and beats writing an emergency policy live under pressure.
Trap Granting responders standing administrator permissions so they are 'ready'; that is permanent excess privilege an attacker can ride, the opposite of least privilege.
- Keep response and forensics in a separate account
Pre-stage a dedicated security or forensic account that is isolated from the workload accounts, and share evidence such as disk snapshots and memory captures into it. An attacker who controls a workload account then cannot reach the responders' tooling or tamper with collected evidence, which also preserves chain of custody because the evidence sits where the suspect identity has no access.
Trap Storing snapshots and analysis tools in the same compromised account; the attacker who owns that account can delete or alter the evidence.
- Shrink the blast radius before the incident, not during it
Containment is easier when the architecture already limits how far an incident can spread, so preparation includes multi-account segmentation, scoped IAM, and network isolation boundaries. Consistent resource tagging is part of this because an isolation runbook can then target exactly the tagged in-scope resources instead of guessing.
- Codify remediation as Systems Manager Automation runbooks
Turn repeatable response steps such as snapshot a volume, swap an instance's security group, or disable an access key into a Systems Manager Automation runbook (an Automation-type document) that runs identically every time. A runbook can be invoked manually, on a schedule, or by an event, replacing a wiki page a stressed responder would otherwise transcribe by hand.
- OpsCenter centralizes findings as OpsItems with runbooks attached
Systems Manager OpsCenter aggregates and deduplicates operational issues as OpsItems in one console and attaches the relevant Automation runbooks so a responder runs remediation from the item. It is wired to detection: a CloudWatch alarm entering ALARM, or an EventBridge event such as a Security Hub finding, can create an OpsItem automatically, pre-building the path from a finding to a one-click runbook.
Trap Treating OpsCenter as a detector; it organizes and remediates issues that other services detect, it does not generate the findings itself.
- Use Step Functions to orchestrate branchy or approval-gated response
When response is more than a linear list, for example branch on whether the instance is production, capture memory only if flagged, or wait for human approval before terminating, orchestrate it as a Step Functions state machine rather than one Lambda. Standard workflows give exactly-once execution and run up to a year, and every state transition is recorded, giving a built-in audit timeline of what the automation did. Reach for a single SSM runbook instead when the flow is short and linear.
Trap Cramming a branching, approval-gated response into one large Lambda function; you lose the auditable per-step timeline and the long-running, exactly-once execution Standard workflows provide.
- EventBridge is the glue from finding to automated response
A finding from GuardDuty or Security Hub publishes to EventBridge, and an EventBridge rule then invokes the response: an SSM Automation runbook for the simple linear case or a Step Functions state machine for the complex one. Pre-building this rule means the response triggers automatically instead of waiting for a human to notice and start it.
3 questions test this
- A company wants to integrate AWS Security Hub with Systems Manager Automation to automatically remediate findings. When Security Hub…
- A company has implemented an automated incident response workflow for their Amazon ECS environment. Amazon GuardDuty is enabled with…
- A company uses AWS Security Hub to aggregate findings from multiple security services including Amazon GuardDuty, Amazon Inspector, and…
- Validate the plan with game days using AWS Fault Injection Service
A plan you have never executed is only a hypothesis, so rehearse it with a game day: a scheduled, controlled exercise that injects a realistic fault and confirms detection fires, automation runs, and responders follow the runbook. AWS Fault Injection Service (FIS) is the managed way to run these, built on chaos-engineering principles. The distractors here are services that check state rather than test response: Config evaluates configuration, Inspector scans for vulnerabilities, Trusted Advisor checks best practices.
Trap Choosing AWS Config, Inspector, or Trusted Advisor to 'test the incident response plan'; those assess configuration or vulnerabilities, none of them injects a fault to exercise the response.
- A FIS experiment template is actions, targets, and stop conditions
An AWS FIS experiment template has three parts: actions (the disruption to inject), targets (the resources, selected by tag or state), and stop conditions (CloudWatch alarms that automatically halt and roll back the experiment if it crosses a threshold). The stop condition is the safety guardrail that keeps a controlled experiment from becoming a real outage.
Trap Running a FIS experiment with no stop condition; without the CloudWatch-alarm guardrail there is nothing to auto-halt and roll back the injected fault before it causes a real outage.
- FIS acts on real resources, so run new experiments in pre-production first
FIS performs real actions on real AWS resources, not a simulation, so AWS recommends running a new experiment in a pre-production environment before targeting production. This is why blast-radius controls and stop conditions matter even during a planned test.
Trap Assuming FIS only simulates faults; it injects genuine disruptions on live resources, so an untested experiment aimed straight at production can cause an actual incident.
- Resilience Hub assesses resilience; FIS injects the fault
AWS Resilience Hub evaluates an application against defined resiliency targets (RTO/RPO) and recommends where it is weak and what to test, but it does not itself inject faults. FIS is the service that actually runs the disruptive experiment, so the two pair up: Resilience Hub points at the gap, FIS exercises it.
Trap Picking Resilience Hub as the tool that 'tests by injecting faults'; it assesses and recommends, while FIS is the service that performs the fault injection.
- Pre-stage Shield Advanced and the SRT before a DDoS event
Shield Advanced is a preparation decision for DDoS: it unlocks the AWS Shield Response Team (SRT) and, with proactive engagement enabled, lets the SRT contact your emergency contacts during an attack instead of waiting for you to open a case. Reaching the SRT also requires a Business or Enterprise Support plan, so that support tier is part of the pre-staging. Shield Standard is free and automatic but includes no response team, so the SRT is the differentiator when the question wants expert help available during the event.
Trap Answering Shield Standard or WAF rate-based rules when the stem asks for expert assistance during a DDoS; neither includes the Shield Response Team, which requires Shield Advanced.
- Pre-deploy the Automated Forensics Orchestrator so capture is one trigger away
Preparation can include deploying the Automated Forensics Orchestrator for Amazon EC2, an AWS solution built on Step Functions that automates isolation, plus memory and disk acquisition into a dedicated forensic account, ready to be triggered by a GuardDuty or Security Hub finding. Standing it up in advance means evidence capture follows a tested, repeatable workflow instead of manual snapshotting during the incident.
- Post-incident review feeds the next preparation cycle
The post-incident phase exists to improve future response: a permission you lacked mid-incident becomes a new pre-staged role, and a slow manual step becomes an Automation runbook. Treating the lifecycle as a loop is what turns one painful incident into a stronger plan, rather than repeating the same gaps.
- Build the plan and runbooks per scenario, not one generic document
AWS Well-Architected (SEC10) frames the deliverable as an incident response plan plus a runbook for each recognizable scenario, such as an exposed credential or an instance beaconing to a known-bad IP. Scenario-specific runbooks are fast to execute because each one already knows its exact steps, where a single generic document forces decisions during the incident.
- Add an EventBridge target retry policy plus an SQS dead-letter queue so no security event is lost
Transient failures such as API throttling or downstream network errors can drop automated remediation. Configure the EventBridge rule target with a retry policy (MaximumRetryAttempts / maximum event age) to retry transient failures, and attach an SQS dead-letter queue to capture events that exhaust all retries. DLQ messages carry ERROR_CODE / ERROR_MESSAGE metadata, and a separate consumer can reprocess them — so persistent failures are preserved for investigation rather than lost.
Trap Relying on Lambda's own retries alone: they do not capture events EventBridge could not deliver to the target, which is exactly what the rule-level DLQ preserves.
3 questions test this
- A company is implementing an automated security response using EventBridge and Lambda to block malicious IP addresses detected by…
- A security engineer is building an automated response system using Amazon EventBridge and AWS Lambda for security incident remediation. The…
- A company has deployed an automated security remediation solution using EventBridge rules that trigger Lambda functions when Security Hub…
- An EventBridge rule built by CloudFormation/CLI needs a resource-based policy on its Lambda target
The console auto-adds the permission, but when you create an EventBridge rule with a Lambda target via CloudFormation, the CLI, or an SDK you must explicitly add a resource-based policy (lambda:AddPermission) on the function allowing the events.amazonaws.com service principal — ideally scoped to the rule ARN as SourceArn. Without it the rule looks correctly configured yet the function is never invoked; CloudWatch FailedInvocations / a DLQ confirm the missed deliveries.
Trap Assuming the Lambda execution role is the problem: the execution role governs what the function can do, while the missing resource-based policy is what blocks EventBridge from invoking it at all.
- Filter GuardDuty findings on the numeric severity (>= 7 for high/critical), not a 'HIGH' string label
GuardDuty publishes findings to EventBridge with source 'aws.guardduty' and detail-type 'GuardDuty Finding', and severity is a number from 1.0-10.0 across four tiers: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9. To alert on the top of the range, match detail.severity at or above 7 (which spans High and Critical) — a numeric matcher such as detail.severity {'numeric':['>=',7]} is valid, though AWS examples typically enumerate the values (e.g. [7, 7.0, ... 10.0]). Combine it with a prefix matcher on detail.type (such as 'CryptoCurrency:EC2' or 'UnauthorizedAccess:IAMUser') to target a finding family.
Trap Matching detail.severity against the string 'HIGH': GuardDuty severities are numeric, so a string filter matches nothing and the rule never fires.
3 questions test this
- A security analyst needs to create an EventBridge rule that triggers a Lambda function only when Amazon GuardDuty detects high-severity…
- A security architect is configuring an Amazon EventBridge rule to trigger automated remediation for high-severity Amazon GuardDuty findings…
- A security engineer has configured an Amazon EventBridge rule to invoke an AWS Lambda function when Amazon GuardDuty generates…
- A GuardDuty delegated administrator aggregates member findings onto its own default event bus
Designate a delegated administrator account for GuardDuty in AWS Organizations and findings from every current and future member account are automatically aggregated there and published to the administrator account's default EventBridge event bus. A single EventBridge rule in that account therefore captures organization-wide findings (the accountId field identifies the source) — no per-account event-bus forwarding is needed.
Trap Building per-member-account EventBridge cross-account forwarding rules: the delegated-admin aggregation already centralizes the finding events for you.
4 questions test this
- A company uses AWS Organizations with multiple member accounts. The security team wants to implement a centralized automated response to…
- A company has a delegated administrator account for Amazon GuardDuty in AWS Organizations. The security team wants to create automated…
- A company uses AWS Organizations with multiple member accounts. The security team wants to centralize incident response automation in a…
- A multinational company uses AWS Organizations with GuardDuty enabled in a delegated administrator account. The security team wants to…
- Use the aws:branch action to take different remediation paths by finding severity
Conditional logic in a Systems Manager Automation runbook is implemented with the aws:branch action: it evaluates Choices (commonly StringEquals on a severity input variable) and routes execution to a NextStep, so HIGH findings can disable keys or isolate a resource while MEDIUM/LOW only notify or log. Set isEnd: true on the terminal step of each branch.
Trap Reaching for separate Step Functions states for simple in-runbook branching: aws:branch keeps the conditional severity routing inside one Automation document.
3 questions test this
- A security team is building an Automation runbook to respond to GuardDuty findings for unauthorized API calls from an IAM user. The runbook…
- A security team is designing an incident response runbook that must perform different remediation actions based on the severity of Amazon…
- A security operations team is designing an incident response runbook using AWS Systems Manager Automation to remediate compromised EC2…
- aws:approve pauses a runbook for human sign-off; MaxConcurrency/MaxErrors govern multi-account rollout
Add the aws:approve action to pause an Automation execution until designated IAM principals approve — the way to gate a production remediation (often combined with aws:branch on an environment tag so non-prod runs straight through). For organization-wide runs, multi-account/multi-Region execution (TargetLocations, aws:executeAutomation) uses MaxConcurrency to limit parallel targets and MaxErrors (a count or percentage) to stop the automation once failures exceed the threshold.
Trap Hard-coding a wait or a Lambda poll for approval: aws:approve is the built-in Automation action that suspends the run for named approvers.
4 questions test this
- A security operations team manages incident response across 50 AWS accounts organized in AWS Organizations. They need to deploy a security…
- A company uses AWS Config to monitor security group configurations across their organization. When a security group is found to be…
- A security engineer needs to design an Automation runbook that remediates Amazon Inspector vulnerability findings by patching EC2 instances…
- A security operations team is designing an incident response runbook using AWS Systems Manager Automation to remediate compromised EC2…
Responding to Security Events
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Infrastructure Security
Edge Security
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Layer the edge: CloudFront for delivery, WAF for L7, Shield for DDoS
An internet-facing app gets layered protection where each control works at a different OSI layer: CloudFront terminates TLS and caches, AWS WAF inspects HTTP/HTTPS requests for application-layer attacks, and AWS Shield absorbs L3/L4 DDoS floods. They stack on the same edge resource rather than compete, so one CloudFront distribution can carry both a WAF web ACL and Shield at once. Match the control to the layer the attack targets: a volumetric flood is absorption (Shield), a crafted request is inspection (WAF).
Trap Reaching for a security group or NACL to stop an OWASP-style web attack; those filter at L3/L4 inside the VPC and never inspect HTTP request content the way a WAF web ACL does.
- WAF is the OWASP Top 10 control, delivered through managed rule groups
AWS WAF defends against the OWASP Top 10 web risks (injection, broken access control, and the rest) through AWS Managed Rules, pre-built rule groups you enable instead of hand-writing signatures. The baseline Core rule set (CRS,
AWSManagedRulesCommonRuleSet) covers the broad common attacks, while Known bad inputs and the SQL database group target specific classes. Managed groups are maintained by AWS and updated as new threats emerge, so they are the first reach for generic web protection.Trap Writing custom string/regex rules to reproduce SQL-injection or XSS protection AWS already ships; the AWS managed Core rule set and SQL database group cover the OWASP classes and stay maintained for you.
- Web ACL rules evaluate in priority order; first terminating match wins
A web ACL runs its rules from lowest to highest priority number and stops at the first rule whose action terminates evaluation. Each rule action is Allow, Block, Count, or Captcha/Challenge: Allow and Block are terminating, Count only tallies and lets evaluation continue (the safe tuning mode), and Challenge issues a token-backed test. If no rule matches, the web ACL's default action (Allow or Block) decides.
Trap Assuming Count blocks traffic; Count is observe-only, used to test a rule's match volume before switching it to Block, so a rule left on Count stops nothing.
- Rate-based rules throttle per key over a 60/120/300/600s window
A WAF rate-based rule counts requests per aggregation key over a trailing evaluation window of 60, 120, 300, or 600 seconds, defaulting to 300 (5 minutes), and acts on a key once it exceeds the limit. The lowest rate limit you can set is 10 requests, and WAF looks back over the window continuously rather than resetting on a fixed schedule. This is the standard defense against HTTP floods and brute-force bursts when no signature matches.
Trap Treating the evaluation window as a fixed bucket that resets every N seconds; WAF re-estimates the rate frequently over a rolling look-back, so a client cannot dodge it by timing requests to a window boundary.
- Choose the rate-based aggregation key, including custom client fingerprinting
A rate-based rule aggregates by source IP by default, but you can aggregate by an IP pulled from a forwarded header such as
X-Forwarded-For(use this when CloudFront or a proxy fronts the app so the real client IP survives), or by custom keys built from headers, cookies, or query strings. Custom-key aggregation is the "client fingerprinting" the blueprint names: it lets you rate-limit per session token or per API key rather than per IP.Trap Aggregating on source IP alone behind CloudFront, which collapses many clients onto the CDN's edge IPs; use IP-in-header (X-Forwarded-For) so the rate limit tracks the true viewer.
- Geo-match and IP sets filter by country and address range at the edge
A geo-match statement blocks or allows requests by country code (
CountryCodes), and an IP set is a reusable list of CIDR ranges a rule references to allow trusted sources or block known-bad ones. Both run in the same web ACL as your managed and rate-based rules, so you enforce geography and IP allow/deny lists at the edge before traffic reaches the origin. Geo-match reads the request's resolved country, not a self-declared header.Trap Believing geo-match guarantees a user's location; it maps the connecting IP to a country, so a VPN or proxy in another country defeats it, making geo-blocking a coarse control rather than strong access enforcement.
- WAF labels let one rule's match drive a later rule
A matching WAF rule can attach a label to the request instead of terminating, and a downstream rule can match that label to make a combined decision. This builds staged logic, for example letting the Bot Control group label a request as a verified or known bot, then a later rule decides whether that bot category is permitted. Labels turn a flat rule list into composable detection without duplicating match conditions.
- Bot Control, ATP, and ACFP are paid intelligent-threat rule groups
Most AWS managed rule groups are free with WAF, but the intelligent threat mitigation tier carries additional fees because it fingerprints and challenges clients rather than matching signatures: Bot Control (automated traffic), account takeover prevention (ATP, credential-stuffing on login), and account creation fraud prevention (ACFP, fake-signup abuse). Reach for these when the threat is automation or credential abuse, not a payload pattern, and budget for the extra cost.
Trap Assuming every AWS managed rule group is free; Bot Control, ATP, and ACFP add per-request fees on top of base WAF charges, so enabling them blindly can surprise the bill.
- Captcha and Challenge actions verify clients with tokens
Beyond Allow/Block/Count, WAF offers Captcha and Challenge actions that interrupt a suspicious request and require the client to prove it is a real browser. Captcha shows a puzzle to a human; Challenge runs a silent background check (a token-backed JavaScript challenge) with no user interaction. Both issue a token the client presents on later requests, which is why they pair with Bot Control to slow automated clients without blocking legitimate users outright.
- Shield Standard is free and automatic on CloudFront, Route 53, Global Accelerator
AWS Shield Standard protects every customer at no cost and with no configuration, defending against the common, most frequent network and transport-layer (L3/L4) DDoS attacks. It applies automatically to CloudFront, Amazon Route 53, and AWS Global Accelerator, so an app fronted by CloudFront already has baseline DDoS coverage. Standard does not include the Shield Response Team, attack diagnostics, or cost protection.
- Shield Advanced is $3,000/mo per payer account with a 1-year commitment
Shield Advanced is a paid subscription priced at $3,000 per month per payer account in an AWS Organization, with a 1-year commitment, plus data-transfer-out fees for protected resources. Because the fee is per payer (the management/consolidated-billing account), you subscribe once and it is not multiplied across every member account under that payer. The cost is the same whether you protect one resource or many.
Trap Reading the price as $3,000 per organization or per protected resource; it is $3,000 per month per payer account, so consolidating accounts under one payer is what keeps the fee from multiplying.
- Shield Advanced buys SRT, cost protection, and automatic L7 mitigation
Shield Advanced adds four things Standard lacks: 24/7 access to the Shield Response Team (SRT) for help during an active attack, near-real-time attack diagnostics and metrics, automatic application-layer DDoS mitigation where Shield deploys WAF rules on your behalf, and DDoS cost protection that refunds the scaling charges (extra data transfer, ALB capacity, EC2 scale-out) caused by a covered attack. It also extends coverage to Elastic IPs, ALB, CLB, and Route 53 hosted zones.
Trap Picking Shield Standard when the scenario needs human support during an attack or a refund for attack-driven scaling bills; only Advanced includes the SRT and DDoS cost protection.
4 questions test this
- A company experienced a large DDoS attack targeting their AWS Global Accelerator accelerator, which caused increased data transfer costs.…
- A gaming company uses AWS Global Accelerator to route UDP traffic to Amazon EC2 instances for their real-time multiplayer game. During a…
- A company uses AWS Organizations with multiple accounts and wants to deploy AWS Shield Advanced protection consistently across all Amazon…
- A company protects its public-facing workloads with AWS Shield Advanced. The architecture includes an Amazon CloudFront distribution, an…
- Use the name Shield Response Team (SRT), not DDoS Response Team
AWS renamed the DDoS Response Team to the Shield Response Team (SRT), the experts a Shield Advanced subscriber can engage 24/7 during a DDoS event. Use SRT in current content; the old DRT name is retired and a distractor that says DRT is using stale terminology.
- Origin access control (OAC) makes the S3 origin reachable only via CloudFront
OAC signs each request CloudFront sends to an S3 origin with SigV4, and the bucket policy then permits only that distribution and denies direct access, so an attacker cannot bypass WAF by hitting the bucket URL. OAC is the current mechanism and supersedes the legacy origin access identity (OAI); unlike OAI it supports SSE-KMS encrypted objects and all Regions. Without it, a public bucket lets traffic skip the entire edge stack.
Trap Using the legacy origin access identity (OAI) for a new distribution serving SSE-KMS objects; OAI does not support KMS-encrypted origins, so OAC is the correct current choice.
- Set security response headers with a CloudFront response headers policy
A CloudFront response headers policy attaches security headers to every response without changing the origin: HSTS to force HTTPS,
X-Content-Type-Options: nosniffto stop MIME sniffing,X-Frame-Optionsto block clickjacking, and a Content-Security-Policy. Centralizing them at the distribution means one policy hardens the browser side across all origins behind it, rather than re-implementing headers on each backend.- S3 CORS is a browser read-permission list, not an authorization control
Cross-origin resource sharing (CORS) on an S3 bucket tells the browser which other origins may read responses via JavaScript, configured through
AllowedOrigins,AllowedMethods, andAllowedHeaders. It only relaxes the browser's same-origin policy for the origins you list and grants no AWS-level access, so it never replaces IAM or a bucket policy. A wildcard*origin is a misconfiguration finding, not a convenience.Trap Treating CORS as an access-control or authorization mechanism; it is a browser-side read-permission hint, so loosening it to
*exposes responses to any site's scripts without changing who can authenticate to the bucket.- Security Lake normalizes WAF and other logs to OCSF in Parquet
Amazon Security Lake centralizes security data, including AWS WAF logs, into a data lake in your own S3 and converts it to the Open Cybersecurity Schema Framework (OCSF) stored as Apache Parquet. OCSF is a vendor-neutral schema, so a third-party SIEM queries one normalized format and correlates a WAF block with a VPC Flow Log or CloudTrail event by shared field names. Subscribers read the data through Athena, Redshift, or Lake Formation rather than parsing each source's native log shape.
Trap Building a custom ETL pipeline to merge findings from many AWS and third-party tools into one schema; Security Lake already normalizes to OCSF in Parquet, which is the intended answer for unified, queryable security data.
- Subscribe to third-party WAF rule groups from the AWS Marketplace
You do not have to author every WAF rule: the AWS Marketplace offers managed rule groups from third-party vendors (such as F5, Fortinet, Imperva) that you subscribe to and reference in a web ACL exactly like an AWS managed group. They evaluate in priority order alongside AWS groups and your custom rules, so you can combine a vendor's specialized signatures with the AWS Core rule set in one policy.
Trap Re-implementing a commercial vendor's WAF signatures as custom AWS rules; subscribing to that vendor's Marketplace managed rule group is the supported path and keeps the signatures vendor-maintained.
- WAF inspects only HTTP/HTTPS, so non-web protocols need other controls
AWS WAF is a web application firewall: it only inspects layer-7 HTTP and HTTPS requests on the resources a web ACL attaches to (CloudFront, ALB, API Gateway, AppSync). Raw TCP/UDP services, or attacks below L7, fall outside WAF entirely and rely on Shield for DDoS plus VPC controls like security groups and Network Firewall. Knowing this boundary keeps you from proposing a web ACL for a non-HTTP workload.
Trap Proposing a WAF web ACL to protect a non-HTTP service (such as a custom TCP listener on an NLB); WAF inspects only HTTP/HTTPS, so that traffic needs Shield and VPC-layer controls instead.
- Attach a single web ACL to CloudFront, ALB, API Gateway, or AppSync
A WAF web ACL associates with CloudFront distributions (global scope), or with regional resources: an Application Load Balancer, an Amazon API Gateway stage, an AWS AppSync GraphQL API, a Cognito user pool, or an App Runner service. CloudFront web ACLs use the CLOUDFRONT scope in us-east-1; regional web ACLs are created in the resource's own Region. Front the app at the outermost internet-facing resource so WAF sees traffic before it fans in.
3 questions test this
- A company is deploying a global web application using Amazon CloudFront. The security team needs to protect the distribution from SQL…
- A security engineer is deploying an AWS WAF web ACL to protect an Amazon CloudFront distribution serving a global e-commerce application.…
- A retail company uses an Application Load Balancer (ALB) for its e-commerce site. The security team wants to add a third-party managed rule…
- Security Lake custom sources must be OCSF Parquet partitioned by region/accountId/eventDay
A Security Lake custom source must deliver OCSF-conformant Apache Parquet objects written under its assigned prefix with the partition layout region=/accountId=/eventDay=/ (eventDay has no separators). This partitioning is what lets the source's Glue crawler register partitions for Athena pruning. Deliver each distinct OCSF event class as its own custom source, and run the source's Glue crawler when the schema gains fields.
Trap Pushing raw JSON or a single mixed-class feed — each OCSF event class needs its own custom source in Parquet with the region/accountId/eventDay partitions.
6 questions test this
- A security engineer is configuring a third-party intrusion prevention system (IPS) as a custom source in Amazon Security Lake. The vendor's…
- A company has enabled Amazon Security Lake in its delegated administrator account and ingests AWS native sources. The security team plans…
- A security operations team has deployed a third-party extended detection and response (XDR) platform that emits multiple types of…
- A company operates a third-party DNS firewall in a colocation facility. The security team will forward query logs to Amazon Security Lake…
- A security engineer is building an AWS Glue ETL job that converts third-party intrusion detection alerts into Open Cybersecurity Schema…
- A company collects logs from a third-party network appliance and wants to register them as a custom source in Amazon Security Lake so that…
- A Security Lake data-access subscriber reads OCSF objects from S3 via an SQS/HTTPS notification and external ID
A data-access subscriber reads OCSF Parquet objects directly from the Security Lake S3 bucket: Security Lake provisions a subscriber IAM role and an SQS queue (or HTTPS endpoint) so the consumer is notified of new objects and assumes the role to read them. You supply the partner account ID and a unique external ID, which Security Lake enforces as an sts:ExternalId condition on every AssumeRole.
Trap Choosing query (Lake Formation/Athena) access when the consumer must read raw S3 objects without Athena — that requires data access, not query access.
3 questions test this
- A security platform team in account A operates Amazon Security Lake as the delegated administrator for the organization. A partner SOC team…
- A delegated administrator for Amazon Security Lake created a subscriber with data access for a partner AWS account. Engineers in the…
- A company registered a third-party endpoint detection product as an Amazon Security Lake custom source that writes OCSF Parquet objects. A…
- Cross-account Security Lake readers need kms:Decrypt in the data-lake key policy
When the Security Lake bucket is encrypted with a customer-managed KMS key in the delegated-administrator account, any cross-account principal that reads or writes objects (a subscriber role on GetObject, a Glue crawler, or a collector on PutObject) must be granted kms:Decrypt and kms:GenerateDataKey in that key's policy, not just in its identity policy. ListBucket can succeed while GetObject fails with a KMS AccessDenied when this is missing; the key must be single-Region.
Trap Granting KMS actions only in the reader's identity policy — a cross-account customer-managed key also needs them in the key policy in the source account.
- Shield Advanced proactive engagement requires Route 53 health checks on protected resources
Shield Advanced proactive engagement (and faster health-based detection) requires Amazon Route 53 health checks associated with each protected resource so the Shield Response Team can correlate a detected event with real application impact, plus configured emergency contacts and Business or Enterprise Support. Without the health checks the SRT will not reach out even when proactive engagement is enabled.
Trap Enabling proactive engagement and adding emergency contacts but skipping the Route 53 health-check association the SRT depends on.
7 questions test this
- A company has deployed AWS Shield Advanced to protect their Amazon CloudFront distributions and Application Load Balancers. The security…
- A global media company uses AWS Global Accelerator standard accelerators to route traffic to Application Load Balancers (ALBs) across…
- A security architect is designing a DDoS-resilient architecture for a company's global web application using Amazon CloudFront and AWS…
- A media streaming company is deploying AWS Shield Advanced to protect its Amazon CloudFront distributions against application layer DDoS…
- A financial services company has subscribed to AWS Shield Advanced to protect its Amazon CloudFront distributions and Application Load…
- A security engineer is configuring AWS Shield Advanced for a company's global web application that uses Amazon CloudFront distributions.…
- A company has subscribed to AWS Shield Advanced and wants the Shield Response Team (SRT) to proactively contact them during detected DDoS…
- CloudFront geo restriction blocks at the edge before WAF; per-path geo rules need WAF
CloudFront's built-in geographic restriction (allowlist/blocklist) is the most efficient way to block whole countries because it rejects requests at the edge before they reach AWS WAF, so blocked requests never appear in WAF logs or counts. When you need geo decisions combined with conditions (e.g. restrict only /trading to the US), use a WAF web ACL that ANDs a geo-match statement with a URI-path match instead.
Trap Expecting requests blocked by CloudFront geo restriction to still be logged or counted by WAF — they are dropped before WAF runs.
5 questions test this
- A company has enabled both CloudFront geographic restrictions to blocklist a specific country and an AWS WAF web ACL associated with the…
- A global media company uses Amazon CloudFront to deliver streaming content. They need to implement a solution that allows users from…
- A financial services company uses Amazon CloudFront to deliver a web application with different content paths: /public for marketing…
- A financial services company hosts a web application behind Amazon CloudFront and needs to block access from specific countries due to…
- A media streaming company distributes video content through Amazon CloudFront and must restrict access to users in specific countries due…
- AWS Marketplace WAF rule groups are per-account and billed until removed from every web ACL
An AWS Marketplace managed WAF rule-group subscription is scoped to the single account that subscribed, so each account (e.g. production vs sandbox) must subscribe separately before the rule group is selectable. To stop the charges you must remove the rule group from every web ACL and Firewall Manager policy that references it in addition to unsubscribing; pin a managed rule group to a static version so vendor updates require review before taking effect.
Trap Assuming an org-wide or another account's Marketplace subscription carries over, or that unsubscribing alone stops billing while a web ACL still references it.
3 questions test this
- A security engineer is adding an AWS Marketplace managed rule group to an AWS WAF web ACL. The vendor publishes new versions of the rule…
- A developer in a sandbox AWS account successfully subscribed to and added a third-party AWS Marketplace managed rule group to an AWS WAF…
- A security engineer subscribed to a third-party AWS Marketplace managed rule group and added it to a production AWS WAF web ACL. After…
- Firewall Manager centrally deploys WAF, Shield Advanced, and DNS Firewall policies across the org
AWS Firewall Manager is the least-overhead way to enforce a single security policy across all accounts and new resources in an AWS Organization: it can push WAF web ACLs (including AWS and Marketplace managed rule groups), Shield Advanced protections with automatic application-layer mitigation, and Route 53 Resolver DNS Firewall rule groups, auto-remediating onto in-scope and newly created resources.
Trap Scripting per-account web ACLs or rule-group associations for org-wide coverage when a Firewall Manager policy applies and auto-remediates everywhere.
4 questions test this
- A multinational enterprise uses AWS Organizations with accounts in multiple AWS Regions. The security team wants to deploy consistent Route…
- A company uses AWS Organizations with multiple AWS accounts that host public-facing Application Load Balancers and Amazon CloudFront…
- A company uses AWS Organizations with multiple accounts and wants to deploy AWS Shield Advanced protection consistently across all Amazon…
- A security engineer subscribed to a third-party AWS Marketplace managed rule group and added it to a production AWS WAF web ACL. After…
Compute Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Security Controls
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Identity and Access Management
Authentication
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Authentication proves identity; authorization decides what it can do
Authentication establishes who a caller is and hands back a credential; authorization is the separate step that evaluates policies against that identity. Keep them apart when reading a stem: a failed sign-in, a federation trust, an MFA prompt, or a credential lifetime is an authentication problem, even if the wrong answers talk about permissions. The fix that issues or validates a credential is the authentication answer.
- The identity type usually picks the AWS authentication service
AWS gives each caller a canonical front door: human workforce uses IAM Identity Center, application and customer end users use Amazon Cognito, and machines or AWS services assume an IAM role and get credentials from STS. Naming the actor in the question normally names the service before any other detail matters, so read for who is signing in first.
- Use IAM Identity Center for workforce, not per-employee IAM users
IAM Identity Center (the service formerly named AWS SSO) federates your corporate IdP over SAML 2.0 or SCIM and grants access through permission sets, which it materializes as short-lived IAM roles in each account. That replaces creating a long-lived IAM user per employee, the legacy anti-pattern, and gives one sign-on across the whole organization.
Trap Provisioning an IAM user for each employee when the requirement is workforce SSO across many accounts; that is exactly what Identity Center and permission sets exist to avoid.
- The Identity Center instance must live in the management account
An organization-wide IAM Identity Center instance always resides in the AWS Organizations management account. You can assign a delegated administrator in a member account for day-to-day work, but that delegated admin cannot modify permission sets provisioned into the management account; only an Identity Center administrator working from the management account can change those.
Trap Assuming a delegated administrator can edit a permission set used for access to the management account; that change is reserved to an Identity Center admin in the management account.
- Re-provision a permission set after you edit it
A permission set is a template Identity Center deploys as an IAM role into each assigned account. After you change the permission set, you must re-provision it to those accounts or members keep assuming the stale role. A wave of access errors right after a permission-set edit is a provisioning gap, not a policy bug.
Trap Rewriting the underlying IAM policy to chase access errors that actually came from a permission set that was edited but never re-provisioned.
- SAML federation uses AssumeRoleWithSAML; OIDC uses AssumeRoleWithWebIdentity
When you federate straight to IAM, a SAML 2.0 IdP drives
sts:AssumeRoleWithSAMLwith a signed SAML assertion, while an OIDC provider (Google, GitHub Actions, any OIDC-compliant IdP) drivessts:AssumeRoleWithWebIdentitywith a JWT. Match the protocol in the stem to the call: assertion means SAML, token means web identity.- AssumeRoleWithSAML and AssumeRoleWithWebIdentity need no AWS credentials
Both federation calls are unsigned: the caller presents the SAML assertion or OIDC JWT as the proof of identity, so no pre-existing AWS access key is required to make the request. Plain
sts:AssumeRole, by contrast, must be called with active AWS credentials.Trap Requiring an IAM access key before a web-identity or SAML federation call; the assertion or token itself is the credential, so those calls are unsigned.
- Cognito user pool authenticates; identity pool brokers AWS credentials
A Cognito user pool is a directory and OIDC provider that signs users in and issues JWT tokens. A Cognito identity pool takes a trusted token and exchanges it through STS for temporary AWS credentials so the client calls AWS services directly. Tokens-only is a user pool; needs-AWS-credentials adds an identity pool.
Trap Reaching for an identity pool just to authenticate app users and issue tokens; that is the user pool's job, and the identity pool only enters when the client must call AWS APIs itself.
- A user pool issues two verifiable JWTs plus an opaque refresh token
On sign-in a Cognito user pool returns an ID token and an access token, both JWTs you verify against the pool's public JWKS, plus a refresh token. The refresh token is encrypted and opaque, readable only by the user pool and used only to mint new ID and access tokens, so it is not a JWKS-verifiable JWT.
Trap Treating all three Cognito tokens as JWTs you can verify against the JWKS; the refresh token is opaque and cannot be validated that way.
- Cognito ID token authenticates the user; the access token authorizes API calls
The ID token carries identity and profile claims and proves who the user is, while the access token carries OAuth scopes and authorizes calls to your API. Send the access token to authorize an API request; use the ID token when you need the user's attributes.
- Identity pools pick the IAM role by RBAC or ABAC
A Cognito identity pool chooses the IAM role two ways: role-based access control (a default authenticated role, a rules-based choice from claims, or a role from user-pool group membership) and attribute-based access control, where it maps claims to STS principal tags so IAM policies filter on
aws:PrincipalTag. It can also issue limited credentials to unauthenticated guest identities when enabled.8 questions test this
- A company is building a web application that allows unauthenticated users to browse public content and authenticated users to access…
- A company operates a multi-tenant SaaS application where users from different organizations authenticate through their own SAML identity…
- A company is building a mobile application that requires users to access Amazon S3 and Amazon DynamoDB after authenticating through an…
- A company's mobile application authenticates users through an Amazon Cognito user pool and needs to provide access to Amazon S3 and Amazon…
- A security engineer is configuring Amazon Cognito for a multi-tenant SaaS application. The application uses a single Amazon Cognito user…
- A company has a mobile application that authenticates users through an Amazon Cognito user pool. The application requires users to access…
- A company uses Amazon Cognito identity pools to provide AWS credentials to mobile application users. Users authenticate through an Amazon…
- A security architect is designing a solution where users from an external OIDC identity provider need temporary AWS credentials to access…
- Prefer temporary, auto-expiring credentials over long-lived access keys
Long-lived IAM user access keys leak easily and are hard to rotate, so the modern pattern replaces them with credentials that expire on their own: IAM roles plus STS for workloads, federation for workforce, and IAM Roles Anywhere for on-premises servers. The exam consistently rewards the option that removes a static key in favor of an STS-issued session.
Trap Embedding an IAM user access key on an EC2 instance or app server when an attached IAM role would supply auto-rotating temporary credentials with no stored secret.
- AssumeRole sessions default to 1 hour, max 12 by MaxSessionDuration
An
sts:AssumeRolesession lasts one hour by default; the maximum is set by the role'sMaxSessionDuration, which can be raised up to 12 hours. STS always returns an access key, a secret key, and a session token that must accompany every request made with the credentials.- Role chaining caps the second session at 1 hour
When you use one role's temporary credentials to assume a second role (role chaining), the second session is limited to a maximum of 1 hour, regardless of that role's
MaxSessionDuration. If a question needs a longer session, it cannot come from a chained assume-role.Trap Expecting a chained AssumeRole session to honor a 12-hour MaxSessionDuration; chaining hard-caps the result at 1 hour.
3 questions test this
- A DevOps engineer needs to configure cross-account access for an application running on Amazon EC2 instances in Account A to access…
- A developer is using role chaining to access resources in a production AWS account. The developer first assumes RoleA using their IAM user…
- A security engineer is troubleshooting an automated workflow that performs cross-account remediation actions. The workflow runs in Account…
- GetSessionToken issues MFA-backed credentials to an IAM user
sts:GetSessionTokenlets an IAM user trade long-term keys for temporary credentials, optionally carrying MFA state when you passSerialNumberandTokenCode, which is the standard way to require MFA before MFA-protected CLI or API calls. It defaults to 12 hours and ranges from 15 minutes to 36 hours for an IAM user.Trap Using AssumeRole to satisfy an MFA-before-CLI requirement for an IAM user; GetSessionToken with SerialNumber and TokenCode is the operation that returns MFA-stamped credentials.
- Root-user temporary credentials are capped at 1 hour
A token issued to the AWS account root user through GetSessionToken or GetFederationToken is restricted to a one-hour duration, even though an IAM user can request up to 36 hours. This is one more reason to avoid using the root user for routine work.
- STS is a global service exempt from Region-deny SCPs
AWS STS is global, like IAM and CloudFront, so a Region-restriction SCP that denies on
aws:RequestedRegionmust exempt it or it would break authentication everywhere. You should still activate Regional STS endpoints for latency and resilience, but STS calls are not blocked by a data-residency Region deny.- IAM Roles Anywhere gives on-premises servers temporary role credentials
IAM Roles Anywhere lets servers and containers outside AWS obtain temporary STS credentials by presenting an X.509 client certificate issued by a certificate authority you register as a trust anchor. It removes the last common reason to create a long-lived IAM user for an on-premises host.
Trap Creating a long-lived IAM user with static keys for each on-premises server when IAM Roles Anywhere can hand those hosts temporary role credentials from an X.509 trust anchor.
- An S3 presigned URL carries the signer's permissions, not the user's
A presigned URL delegates one S3 operation to someone with no AWS account, and it acts with the permissions of the IAM principal who signed it, so it can never grant more access than the signer already has. Anyone holding the URL can use it until it expires, which is why it is treated as a bearer token.
Trap Assuming a presigned URL grants the recipient's own permissions or can exceed the signer's; it inherits exactly the signer's access and nothing more.
- A presigned URL dies with its signing credential, shortest clock wins
Signed with an IAM user's long-term key via the CLI or SDK, a presigned URL can last up to 7 days (the console allows 1 minute to 12 hours). Signed with temporary credentials, it expires when those credentials do, even if you asked for longer, so a URL signed by a default 1-hour role session lasts at most that hour and one from an EC2 instance profile at most its roughly 6-hour rotation.
Trap Setting a 7-day expiry on a presigned URL signed from an assumed role or instance profile and expecting it to last; the temporary credential expires first and the URL dies with it.
- CloudTrail is the first stop for failed sign-ins and assume-role denials
CloudTrail records console
ConsoleLoginevents and STS API calls with theuserIdentityelement and error fields, so it tells you who failed to authenticate and why, including root-user logins, MFA usage, and source IP. For organization-wide visibility, query an organization trail or CloudTrail Lake across every account.Trap Reaching for VPC Flow Logs or GuardDuty to find who failed a console login or AssumeRole; the authoritative record of the sign-in event and its error is in CloudTrail.
- AWS MFA spans virtual TOTP, FIDO2 passkeys, and hardware tokens
AWS supports virtual TOTP authenticator apps, FIDO2 security keys and passkeys, and hardware TOTP tokens as MFA factors, and IAM Identity Center and Cognito user pools can require MFA at sign-in. FIDO2 keys and passkeys are the phishing-resistant choice because the credential is bound to the origin and cannot be replayed.
- Protect the root user with strong MFA and then lock it away
The root user cannot be deleted or scoped down by IAM policy, so the baseline control is to enable a strong MFA device on it, remove any root access keys, and reserve it for the few tasks that require it. Centralized root access for member accounts lets an organization manage member root credentials without each account holding its own.
Trap Trying to restrict the root user with an IAM policy or permission boundary; root is not constrained that way, so MFA plus locking the credentials away is the actual control.
- Use AWS Directory Service when workloads need real Active Directory
AWS Managed Microsoft AD provides domain join, Kerberos, LDAP, and group policy, and you can establish a forest trust to on-premises AD so users sign in with existing domain credentials; Identity Center can use it as an identity source. Directory authentication failures usually trace to the trust relationship, DNS resolution between directories, or blocked AD ports.
Trap Blaming an IAM policy when domain users cannot authenticate through AWS Managed Microsoft AD; the cause is normally a broken forest trust, DNS, or a security-group rule blocking AD ports.
4 questions test this
- A security engineer is troubleshooting a forest trust relationship between AWS Managed Microsoft AD and an on-premises Active Directory.…
- A company is establishing a forest trust between its AWS Managed Microsoft AD directory and an on-premises Active Directory domain. The…
- A company is migrating its on-premises applications to AWS and needs to integrate AWS Managed Microsoft AD with its existing on-premises…
- A company is migrating to AWS and needs to allow users from their on-premises Active Directory forest (corp.example.local) to access AWS…
- Single-user rotation has a brief outage; alternating-users keeps one credential always valid
Secrets Manager single-user rotation changes one database user's password, so there is a short window where the old password is dead before the secret updates — the app must retry (exponential backoff) or stay stale. The alternating-users strategy keeps two users and rotates whichever is idle, so a valid credential is always available for high availability, but it clones a second user and needs a separate superuser secret with privileges to create/clone users.
Trap Reaching for alternating-users behind RDS Proxy, which only supports single-user rotation because the proxy never learns about the cloned user.
7 questions test this
- A development team manages an application that connects to an Amazon RDS for PostgreSQL database using credentials stored in AWS Secrets…
- A company is implementing AWS Secrets Manager rotation for an Amazon RDS PostgreSQL database that serves a mission-critical application…
- A security architect is designing a credential rotation solution for an Amazon RDS Aurora MySQL cluster that serves a high-availability…
- A financial services company uses Amazon RDS for PostgreSQL with AWS Secrets Manager to store database credentials. The security team…
- A financial services company uses Amazon RDS for PostgreSQL with AWS Secrets Manager for credential management. The application requires…
- A company runs a critical financial application on Amazon EC2 instances in private subnets that connects to an Amazon RDS for MySQL…
- A company is deploying a new application that connects to an Amazon Aurora MySQL database. The security team must implement automatic…
- Rotation runs createSecret/setSecret/testSecret/finishSecret and swaps the AWSCURRENT label onto AWSPENDING
The rotation Lambda runs four steps — createSecret, setSecret, testSecret, finishSecret — staging the new value under the AWSPENDING label and moving AWSCURRENT to it only after a successful test. A successful rotation but a still-broken app usually means the app cached the old credentials; an orphaned AWSPENDING label left on a version other than AWSCURRENT makes Secrets Manager think a rotation is still running. For alternating-users, the superuser secret's ARN must be stored inside the rotating secret's JSON so the function can find it.
Trap Assuming a successful rotation with the new password under AWSCURRENT proves the app will reconnect, when the app is caching the old credentials and never refreshed.
3 questions test this
- A company uses AWS Secrets Manager to store credentials for an Amazon RDS for MySQL database. A developer reports that after enabling…
- A DevOps engineer is configuring automatic rotation for an Amazon RDS Oracle database credential stored in AWS Secrets Manager. The…
- A security engineer is troubleshooting a failed AWS Secrets Manager rotation for an Amazon RDS database credential. When attempting to…
- A VPC-bound rotation Lambda needs a Secrets Manager VPC endpoint (and an RDS API endpoint for alternating-users)
When the rotation Lambda runs inside a private VPC with no internet path, it cannot reach the public Secrets Manager endpoint and times out (often at createSecret). Create an interface VPC endpoint for Secrets Manager so it can call the service privately. Alternating-users rotation against an RDS-managed superuser secret also needs an RDS API VPC endpoint, because the function calls the RDS API to fetch connection details.
Trap Blaming security groups or database connectivity for the timeout when the function actually cannot reach the Secrets Manager service endpoint at all.
7 questions test this
- A company has an Amazon RDS MySQL database deployed in private subnets within a VPC. A security engineer configured AWS Secrets Manager to…
- A company operates an Amazon RDS for MySQL database in a private subnet. The security team has configured AWS Secrets Manager to store…
- A company runs a critical financial application on Amazon EC2 instances in private subnets that connects to an Amazon RDS for MySQL…
- A company has enabled AWS Secrets Manager automatic rotation for their Amazon RDS MySQL database credentials using the alternating users…
- A security engineer is troubleshooting a failed AWS Secrets Manager rotation for an Amazon RDS PostgreSQL database. The Lambda rotation…
- A company has an Amazon RDS MySQL database running in a private subnet with no internet access. The security team configured AWS Secrets…
- A company uses AWS Secrets Manager to store credentials for an Amazon RDS for MySQL database running in a private subnet without internet…
- aws:MultiFactorAuthPresent requires MFA at the AssumeRole call, not just MFA enabled on the account
A trust policy condition on aws:MultiFactorAuthPresent is satisfied only when the caller supplies a fresh MFA serial number and token code in the AssumeRole call; merely having MFA registered on the IAM user is not enough. Temporary credentials minted by a service such as Lambda can never carry an MFA context, so a Lambda execution role can never assume a role whose trust policy requires MFA to be present.
Trap Assuming MFA registered on the IAM user satisfies the condition, when the --serial-number and --token-code must be passed on the AssumeRole request itself.
3 questions test this
- A security engineer is troubleshooting an AssumeRole failure for a cross-account access pattern. An IAM user in Account A (111122223333) is…
- A company has a multi-account AWS environment. Account A (Production) contains an IAM role named CrossAccountAuditRole with the following…
- A security engineer is troubleshooting why an AWS Lambda function in Account A (111122223333) cannot assume a cross-account role named…
- Most Cognito SAML sign-in failures come from a stale metadata import or a mismatched ACS URL
An 'Invalid SAML response' or 'Invalid Destination' error usually means the IdP's updated metadata was never re-imported into the Cognito user pool, or the Assertion Consumer Service (ACS) URL on the IdP no longer matches the pool's https://.auth..amazoncognito.com/saml2/idpresponse endpoint. The first diagnostic step is to capture the SAML response in the browser, URL- and base64-decode it, and confirm the destination and mapped attributes.
Trap Mapping the SAML NameID to a mutable attribute like email, which spawns a brand-new profile whenever the user's email changes instead of recognizing the returning user.
3 questions test this
- A company's web application uses Amazon Cognito user pools for authentication and integrates with a corporate SAML 2.0 identity provider…
- A security team is implementing enterprise SSO for a web application using Amazon Cognito user pools with a corporate SAML 2.0 identity…
- A company is implementing federated authentication with Amazon Cognito user pools and integrating with their corporate SAML 2.0 identity…
- Session Manager S3 logging needs s3:GetEncryptionConfiguration (and PutObjectAcl for cross-account)
For Session Manager to write logs to S3 the instance profile needs s3:PutObject, plus s3:GetEncryptionConfiguration whenever 'Enforce S3 log encryption' is on, and s3:PutObjectAcl when the bucket lives in a different account; private-subnet instances also need a network path to S3. Logs never appear for port-forwarding or SSH sessions because that traffic is tunneled and Session Manager cannot capture it.
Trap Expecting logs from an SSH-over-Session-Manager or port-forwarding session, which are tunneled and intentionally not logged.
4 questions test this
- A company requires all Session Manager sessions to be logged to Amazon S3 with server-side encryption. The security team configured the S3…
- A company requires all Session Manager sessions to be logged to an Amazon S3 bucket with server-side encryption. EC2 instances in private…
- A company uses AWS Systems Manager Session Manager for administrative access to EC2 instances. The security policy requires that session…
- A company wants to use AWS Systems Manager Session Manager to eliminate the need for SSH keys and bastion hosts. The security team requires…
- Session Manager KMS encryption splits permissions: the user needs kms:GenerateDataKey, the instance needs kms:Decrypt
When Session Manager is set to encrypt session data with a customer managed key, the IAM principal starting the session must hold kms:GenerateDataKey on that key to create the data key, and the instance profile must hold kms:Decrypt to read the stream. AmazonSSMManagedInstanceCore grants neither KMS permission, so both must be added explicitly.
Trap Granting kms:Decrypt to the user instead of kms:GenerateDataKey, leaving the session unable to encrypt even though the instance can decrypt.
4 questions test this
- A company wants to enable Session Manager for EC2 instances while ensuring that all session data is encrypted using a customer managed KMS…
- A company is implementing AWS Systems Manager Session Manager with KMS encryption for session data. The security team configured a customer…
- A company has enabled AWS KMS encryption for AWS Systems Manager Session Manager sessions. Users report that they can start sessions from…
- A security architect is implementing AWS Systems Manager Session Manager with KMS encryption for session data. The company's security…
- Session Manager needs an SSM instance profile plus ssm, ssmmessages, and ec2messages reachability
A managed node needs an instance profile carrying AmazonSSMManagedInstanceCore for the SSM Agent to register; without it the instance is unmanaged. In a private subnet with no internet, sessions fail with TargetNotConnected unless interface VPC endpoints for ssm, ssmmessages, and ec2messages exist, because ssmmessages carries the Session Manager data channel.
Trap Adding only the ssm endpoint and omitting ssmmessages, which carries the actual session channel that Session Manager opens to the node.
3 questions test this
- A security engineer is troubleshooting an issue where users with the correct IAM permissions cannot start Session Manager sessions to EC2…
- A security engineer needs to configure Session Manager to allow administrators to connect to Amazon EC2 instances in private subnets…
- A company uses AWS Systems Manager Session Manager to provide shell access to EC2 instances in private subnets without public IP addresses.…
- Pick the AD trust by use case: forest for transitive forest-wide auth, external for Linux WorkSpaces
A two-way trust is required for AWS Enterprise Apps (WorkSpaces, IAM Identity Center, FSx) because AWS Managed Microsoft AD must query users and groups in the other directory. A forest trust is transitive, so a single trust to the on-premises forest root authenticates users in every child domain with the least effort. Linux WorkSpaces (Amazon Linux, RHEL, Rocky, Ubuntu) use SSSD, which does not support forest trusts, so they require an external trust instead.
Trap Configuring a forest trust for Linux WorkSpaces, whose SSSD integration only works over an external trust.
8 questions test this
- A company is integrating their on-premises Active Directory with AWS services including Amazon WorkSpaces and AWS IAM Identity Center. The…
- A company is planning to deploy Ubuntu Linux WorkSpaces for its development team using AWS Managed Microsoft AD. The company has an…
- A company is deploying Amazon Linux 2 WorkSpaces for developers who need to authenticate using accounts from the company's on-premises…
- A company is migrating its on-premises applications to AWS and needs to integrate AWS Managed Microsoft AD with its existing on-premises…
- A company operates a hybrid environment with AWS Managed Microsoft AD and an on-premises Active Directory forest. The on-premises forest…
- A company is migrating to AWS and needs to allow users from their on-premises Active Directory forest (corp.example.local) to access AWS…
- A company has an on-premises Active Directory domain and is deploying AWS Managed Microsoft AD in the cloud. The company plans to use…
- A company has deployed AWS Managed Microsoft AD to provide authentication for Amazon WorkSpaces. The company also has an on-premises Active…
- Client-side LDAPS encrypts AWS-to-on-prem LDAP; server-side LDAPS needs an enterprise CA on the AWS domain controllers
Client-side LDAPS encrypts traffic from AWS Managed Microsoft AD acting as an LDAP client to self-managed on-premises domain controllers; you register the CA certificate that chains to the on-prem server certificates, and a chain mismatch is the usual cause of failures. Server-side LDAPS (for apps querying the AWS directory) requires certificates issued by a Microsoft Enterprise CA joined to the AWS Managed Microsoft AD domain — third-party CA certificates installed directly on the controllers are rejected.
Trap Trying to install a third-party CA's certificate straight onto the AWS Managed Microsoft AD domain controllers for server-side LDAPS, which only accepts a joined enterprise CA.
3 questions test this
- A company has established a trust relationship between their AWS Managed Microsoft AD directory and their on-premises Active Directory.…
- A company has enabled client-side LDAPS for their AWS Managed Microsoft AD directory to encrypt communications between Amazon WorkSpaces…
- A security team needs to enable server-side LDAPS for their AWS Managed Microsoft AD directory to encrypt LDAP communications from their…
- Selective authentication on a trust limits which users can authenticate via 'Allowed to Authenticate'
Enabling selective authentication on a two-way trust restricts cross-trust access to only the principals explicitly granted the 'Allowed to Authenticate' permission on the relevant computer objects in the trusting directory. If selective authentication is enabled on the on-premises side, AWS application service accounts (for WorkSpaces, FSx, and similar) must be granted that permission or provisioning fails.
Trap Leaving the AWS application service account without 'Allowed to Authenticate' after selective authentication is enabled, which silently blocks WorkSpaces provisioning.
4 questions test this
- A company is integrating their on-premises Active Directory with AWS services including Amazon WorkSpaces and AWS IAM Identity Center. The…
- A company has configured AWS Managed Microsoft AD with a two-way forest trust to their on-premises Active Directory. The security team…
- A company has deployed AWS Managed Microsoft AD and established a two-way forest trust with its on-premises Active Directory. Users are…
- A company has an on-premises Active Directory domain and is deploying AWS Managed Microsoft AD in the cloud. The company plans to use…
Authorization
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Protection
Data in Transit
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data at Rest
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- SSE-S3 is the default encryption on every new bucket since January 2023
Server-side encryption with S3-managed keys (SSE-S3) applies AES-256 automatically to all new buckets created on or after January 5, 2023, with no per-bucket action required. An exam answer claiming objects are unencrypted by default, or that you must turn encryption on, is outdated. SSE-S3 gives no per-use CloudTrail audit and no key-policy access control, which is why you upgrade to SSE-KMS when those are required.
- Use SSE-KMS when you need per-use audit and key-policy access control
SSE-KMS encrypts S3 objects with a KMS key, so every encrypt and decrypt is recorded in CloudTrail and gated by the key policy, giving auditability and fine-grained access control that SSE-S3 cannot. The cost is a KMS request per object operation unless you enable an S3 Bucket Key. Reach for SSE-KMS when a requirement names auditable key usage, key rotation control, or restricting decryption to specific principals.
- DSSE-KMS is two AES-256 layers, only one of which is KMS-backed
Dual-layer server-side encryption (DSSE-KMS) applies two independent AES-256 layers to an object: the first uses a KMS data key, the second uses a separate S3-managed key, so it is not two KMS layers. Use it only when a requirement explicitly names dual-layer at-rest encryption, such as certain government mandates; ordinary key-managed encryption is fully served by SSE-KMS.
Trap Reading DSSE-KMS as applying two KMS keys; only the first layer is KMS-backed, the second uses an independent S3-managed key.
- SSE-C keeps the key out of AWS by making you send it on every request
With server-side encryption using customer-provided keys (SSE-C), you pass the encryption key in each PUT and GET; S3 encrypts or decrypts and then discards the key, so AWS never stores it. The vendor term is customer-provided keys, not customer-supplied. Choose SSE-C when the key must stay outside AWS-managed storage but you still want S3 to do the encryption work; choose client-side encryption when even the ciphertext-to-plaintext step must happen before data reaches AWS.
Trap Calling SSE-C 'customer-supplied keys'; the AWS term is customer-provided keys, and a wrong-name distractor relies on that slip.
- Only client-side encryption keeps plaintext from ever reaching AWS
Client-side encryption encrypts data inside your application before upload, so AWS only ever handles ciphertext and cannot read the plaintext even in memory. All four server-side modes, including SSE-C, let S3 see plaintext momentarily during the operation. When a requirement says AWS must never be able to access the data in clear, the answer is client-side encryption, with you owning all key management.
Trap Assuming SSE-C hides plaintext from AWS; with SSE-C, S3 still decrypts server-side, so plaintext exists on the service momentarily.
- Enable an S3 Bucket Key to cut SSE-KMS request cost up to 99 percent
Without a Bucket Key, S3 calls KMS once per object operation, so large SSE-KMS buckets rack up per-request KMS charges. An S3 Bucket Key is a short-lived bucket-level key S3 derives from your KMS key and reuses to wrap many objects, cutting KMS request traffic by up to 99 percent. It changes only cost and the CloudTrail encryption context, not which key protects your data, and the savings grow with object count and shared requesters.
- S3 Bucket Keys do not work with DSSE-KMS and only apply to new objects
Two limits define when a Bucket Key helps: it is not supported for DSSE-KMS at all, and enabling it affects only objects written afterward, so existing objects must be re-copied (CopyObject) to adopt it. Enabling a Bucket Key also switches the KMS encryption context from the object ARN to the bucket ARN, so any key policy that scoped access by object-ARN encryption context must be rewritten to the bucket ARN or access breaks.
Trap Expecting a newly-enabled Bucket Key to cover objects already in the bucket; it applies only to new writes until you re-copy the old ones.
4 questions test this
- A company stores millions of objects in Amazon S3 buckets that are encrypted using server-side encryption with AWS KMS keys (SSE-KMS). The…
- A company has millions of existing objects in an Amazon S3 bucket that were encrypted using SSE-KMS without S3 Bucket Keys. The security…
- A company has enabled S3 Bucket Keys for an S3 bucket that uses SSE-KMS with a customer managed key. The company's IAM policies use the…
- A company has configured an Amazon S3 bucket with default encryption using SSE-KMS with a customer managed key. The security team wants to…
- S3 Object Lock requires versioning and enforces write-once-read-many
S3 Object Lock makes object versions immutable for a retention period or under a legal hold, and it works only on a bucket with S3 Versioning enabled because the lock attaches to a specific version. It protects against accidental or malicious deletion and overwrite, which encryption alone does not. Object Lock can also serve as a fixed-period retention solution where records must persist for a legal duration.
Trap Assuming you can enable Object Lock on a non-versioned bucket; versioning is a prerequisite because the lock binds to an object version.
- Object Lock compliance mode is immutable even to the account root user
In compliance mode, no principal can overwrite, delete, or shorten the retention of a protected object version, including the AWS account root user; the only way to remove the object before its retain-until date is to close the AWS account. Governance mode, by contrast, lets a caller with s3:BypassGovernanceRetention and the bypass header override the lock. Choose compliance mode when a regulator demands true immutability with no escape hatch.
Trap Believing the root user can delete a compliance-mode object early; root cannot, which is exactly the property regulators rely on.
3 questions test this
- An organization is implementing a data retention strategy for sensitive documents stored in Amazon S3. The security policy requires that…
- A healthcare organization must store patient records in Amazon S3 for exactly 7 years to meet HIPAA compliance requirements. The records…
- A healthcare organization must store patient records in Amazon S3 for regulatory compliance. The records must be immutable and cannot be…
- Governance mode allows a permissioned override via s3:BypassGovernanceRetention
Governance mode protects objects from deletion by most users but lets an operator holding s3:BypassGovernanceRetention delete or shorten the lock when they also send x-amz-bypass-governance-retention:true. Use it when trusted admins must be able to correct mistakes, or to test retention settings before committing to compliance mode. The escape hatch is the whole difference from compliance mode.
- A legal hold protects an object version indefinitely until explicitly removed
A legal hold places WORM protection on an object version with no expiry, independent of any retention period, and is set or cleared with s3:PutObjectLegalHold. Even after a retention period expires, an active legal hold keeps the version immutable until someone removes the hold. Use it when you cannot predict how long the data must stay frozen, such as during litigation or an audit.
- S3 Glacier Vault Lock locks an archive policy immutably after a 24-hour test window
S3 Glacier Vault Lock enforces a vault-level policy such as 'deny deletes for five years' through a two-step process: you initiate the lock, then have 24 hours to validate it before completing the lock, after which the policy becomes immutable. It is a distinct feature from S3 Object Lock (object versions) and AWS Backup Vault Lock (recovery points), a separation the exam tests directly.
Trap Confusing S3 Glacier Vault Lock with S3 Object Lock or AWS Backup Vault Lock; they immutably protect different resources and are configured separately.
- Use AWS Signer code signing to reject tampered code artifacts
Integrity for executable artifacts comes from digital signatures, not WORM storage: AWS Signer produces a signature over a code package, and consumers like Lambda code signing verify it and refuse to deploy a package whose signature does not match. This protects the supply chain so an altered artifact is rejected at deploy time rather than running silently.
- S3 Lifecycle cannot move objects to Standard-IA or One Zone-IA before 30 days
A lifecycle rule cannot transition objects to S3 Standard-IA or One Zone-IA until they are at least 30 days old, and the same 30-day floor applies to noncurrent versions. Transitions straight to Glacier classes can fire from day 0, though each Glacier class still bills its own minimum duration in full: 90 days for Glacier Instant and Flexible Retrieval, 180 days for Deep Archive. A claim of 'IA transition after 0 days' is wrong.
Trap Configuring a 0-day transition to Standard-IA; the IA classes require a 30-day minimum, unlike the Glacier classes which allow day-0 transitions.
- EFS and FSx have their own lifecycle and retention policies
Amazon EFS lifecycle management moves files to Infrequent Access or Archive storage classes after a configured idle period to cut cost on cold data, and FSx file systems carry their own backup-retention policies. These are the file-system analogs of S3 Lifecycle; the design pattern of tiering cold data to cheaper storage applies across object and file storage, not just S3.
- AWS Backup Vault Lock compliance mode becomes immutable after a grace time of at least 3 days
AWS Backup Vault Lock enforces WORM on recovery points. In compliance mode you set a cooling-off grace time of at least 3 days (72 hours); during grace time you can still remove or change the lock, but once it expires neither the root user nor AWS can delete recovery points or the vault until their lifecycle completes. Governance mode, by contrast, can be removed any time by a principal with sufficient IAM permissions.
Trap Assuming a freshly-created compliance lock is immediately immutable; it stays changeable during the >= 3-day grace time before locking in.
4 questions test this
- A multinational company is implementing AWS Backup with cross-region copies from us-east-1 to eu-west-1 for disaster recovery. Their…
- A healthcare organization must ensure that backup data cannot be deleted by any user, including administrators and the root user, to meet…
- A security architect needs to configure AWS Backup for a multi-account AWS Organizations environment to meet compliance requirements. The…
- A financial services company must implement a backup strategy for Amazon EFS file systems that meets WORM (Write-Once-Read-Many) compliance…
- Build ransomware-resilient backups with a locked vault plus cross-account copies
Encryption does nothing against an admin who deletes backups, so resilience comes from immutability plus isolation. Combine an AWS Backup compliance-mode locked vault with cross-account copies into a separate, locked-down account to create a logically air-gapped backup that a single compromised account cannot erase, and add cross-Region copies for regional failure. The locked vault stops deletion; the separate account stops a credential-holder from reaching it.
- DataSync moves data; AWS Backup creates retained, immutable recovery points
AWS DataSync is a transfer service for migrating or replicating large datasets between on-premises, other clouds, and AWS storage, with in-transit encryption and integrity checks. AWS Backup is for scheduled, point-in-time backups with retention and Vault Lock immutability. If a stem says 'migrate or replicate file data,' choose DataSync; if it says 'scheduled, retained, immutable recovery points,' choose AWS Backup.
Trap Reaching for DataSync to satisfy a backup-retention or immutability requirement; DataSync transfers data and does not manage retained recovery points.
- Use Amazon Data Lifecycle Manager to automate EBS snapshot and AMI policies
Amazon Data Lifecycle Manager (DLM) automates the creation, retention, and cross-account or cross-Region copy of EBS snapshots and EBS-backed AMIs on a schedule. It is the EBS-specific automation layer; for cross-service centralized backups with Vault Lock you use AWS Backup instead. Reach for DLM when the requirement is specifically scheduled EBS snapshot or AMI lifecycle management.
3 questions test this
- A security engineer needs to ensure that an isolated disaster recovery AWS account receives encrypted EBS snapshots from the production…
- A company stores sensitive financial data on Amazon EBS volumes attached to Amazon EC2 instances. The security team requires that all EBS…
- A security engineer needs to implement an automated EBS snapshot retention strategy for a production environment. The requirements include…
- Retain N newest noncurrent versions with NoncurrentVersionExpiration + NewerNoncurrentVersions
On a versioned bucket, the NoncurrentVersionExpiration lifecycle action deletes noncurrent versions after NoncurrentDays, and adding NewerNoncurrentVersions keeps that many of the most recent noncurrent versions before expiration applies. A Filter element is required when NewerNoncurrentVersions is set. Pair it with AbortIncompleteMultipartUpload to clean up stalled uploads.
Trap Using only NoncurrentDays (or current-version Expiration) when the requirement is to keep the N newest noncurrent versions regardless of age.
3 questions test this
- A company uses Amazon S3 with versioning enabled to store application data. The bucket contains millions of noncurrent object versions that…
- A healthcare organization has an S3 bucket with versioning enabled that stores medical records requiring a 7-year retention period for…
- A company has an S3 bucket with versioning enabled that contains frequently updated log files. The security team wants to reduce storage…
- EBS encryption by default is a per-Region setting that can pin a customer managed key
Enabling EBS encryption by default makes every new EBS volume in that Region encrypted even when no encryption parameters are supplied, and you can set a specific customer managed key as the default encryption key instead of aws/ebs. The setting is Region-scoped, so it must be enabled separately in each Region; volumes in Regions where it is not enabled stay unencrypted.
Trap Assuming enabling encryption-by-default in one Region applies account-wide across all Regions.
3 questions test this
- A security engineer must ensure that all new Amazon EBS volumes in an AWS Region are automatically encrypted without requiring developers…
- A security engineer needs to ensure that all new Amazon EBS volumes in an AWS account are automatically encrypted across all AWS Regions.…
- A company enables Amazon EBS encryption by default in the us-west-2 Region with a customer managed KMS key specified as the default…
- A cross-Region encrypted RDS/Aurora read replica needs a KMS key in the destination Region
KMS keys are Regional and cannot be used outside their Region, so creating an encrypted cross-Region read replica requires you to specify a customer managed key that exists in the destination Region (via --kms-key-id). The replica is then encrypted with that destination-Region key; you can enable automatic rotation on it independently.
Trap Trying to reuse the source Region's KMS key for the replica instead of creating and specifying a key in the destination Region.
3 questions test this
- A company operates an Amazon Aurora MySQL cluster with encryption at rest enabled using a customer managed KMS key. The security team needs…
- A company has an encrypted Amazon RDS for MySQL database instance in us-east-1 that uses a customer managed AWS KMS key. The security team…
- A company operates an Amazon RDS for MySQL database in the us-east-1 Region. The database is encrypted using a customer managed AWS KMS key…
- Encrypt an existing unencrypted RDS/Aurora DB by copying a snapshot with a KMS key
You cannot turn on encryption in place for an existing unencrypted RDS or Aurora instance, nor change the KMS key of an already-encrypted one. Snapshot the database, copy the snapshot specifying the customer managed key (which encrypts the copy), and restore a new encrypted instance/cluster; once encrypted, its storage, automated backups, read replicas, and snapshots are all encrypted. Logical replication minimizes cutover downtime.
Trap Looking for a 'modify instance to enable encryption' option instead of the snapshot-copy-with-key-then-restore path.
3 questions test this
- A company operates an Amazon Aurora PostgreSQL cluster with three read replicas in the same AWS Region. The cluster is encrypted using the…
- A financial services company has an unencrypted Amazon Aurora PostgreSQL cluster containing sensitive customer data. Compliance…
- A company has an unencrypted Amazon RDS for PostgreSQL database that contains sensitive customer data. A new security policy requires that…
- DynamoDB CMK encryption: audit/rotation/disable-to-revoke, and Global Tables need v2019
Encrypting a DynamoDB table with a customer managed key gives CloudTrail audit of key use, automatic rotation, and immediate revocation by disabling the key. Customer managed keys require Global Table Version 2019 (not 2017), and each replica uses a CMK in its own Region. If a replica's CMK becomes inaccessible (disabled or pending deletion), DynamoDB removes that replica from the replication group about 20 hours later without deleting the replica table.
Trap Expecting CMK encryption on a Global Table Version 2017, or assuming an existing on-demand backup re-encrypts when you rotate to a new key (it stays on the key used at backup time).
4 questions test this
- A company has DynamoDB global tables deployed across three AWS Regions for disaster recovery. Each regional table uses a different customer…
- A security engineer is designing an encryption strategy for a DynamoDB table that will store sensitive financial data. The organization…
- A healthcare organization is migrating their patient records system to Amazon DynamoDB and must comply with HIPAA regulations. The…
- A multinational corporation is deploying a DynamoDB Global Table across three AWS Regions using customer managed KMS keys for encryption.…
- A disabled or pending-deletion CMK locks out encrypted EFS and RDS
Encrypted EFS needs the CMK enabled with kms:Decrypt and kms:GenerateDataKeyWithoutPlaintext (plus kms:CreateGrant for the caller creating the file system, often scoped with kms:ViaService). If the key is disabled or scheduled for deletion, EFS mounts fail and an encrypted RDS instance enters an inaccessible state; re-enable the key (or cancel deletion) and, for RDS, restart the instance to recover.
Trap Scheduling a CMK for deletion or removing its EFS/RDS permissions while data encrypted under it is still in use, which silently locks out the storage.
4 questions test this
- A company has created an encrypted Amazon EFS file system using a customer managed KMS key. After several months, the security team notices…
- A company is configuring an Amazon EFS file system with encryption at rest using a customer managed KMS key. The security architect needs…
- A security architect needs to troubleshoot an issue where Amazon EC2 instances can no longer access an encrypted Amazon EFS file system.…
- A security engineer discovers that an Amazon RDS for PostgreSQL database encrypted with a customer managed KMS key has entered the…
Secrets & Key Material
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Foundations and Governance
Multi-Account Governance
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- An SCP caps what identities can do, it never grants access
A service control policy sets the maximum permissions for IAM users and roles in member accounts, so a principal can only do something an SCP allows AND an IAM policy grants. Because it is a ceiling and not a grant, attaching an SCP that allows an action does nothing on its own; you still need an identity-based or resource-based policy to actually permit it. Attach SCPs at the org root or an OU and inheritance covers every current and future account below.
Trap Treating an Allow in an SCP as if it granted the permission; the identity still has no access until an IAM policy grants it.
- SCPs never restrict the management account or its root user
Service control policies apply to every principal in member accounts, including each member account's root user, but they have no effect on the management account or its root. This is why the management account is kept empty of workloads: anything running there sits above your own guardrails. The fix for a management-account risk is to move the workload into a member account, not to write a tighter SCP.
Trap Writing an SCP to restrict the management account; SCPs exempt it entirely, so the policy has no effect there.
- Use an RCP to guard resources, the resource-side complement to SCPs
A resource control policy caps the maximum permissions on resources in member accounts, closing a gap SCPs cannot: an over-permissive S3 bucket or KMS key policy could grant access to a principal outside your organization that no SCP governs. The canonical RCP requires that access to your S3, STS, KMS, SQS, or Secrets Manager resources come from a principal in your own org via an aws:PrincipalOrgID condition, or that connections use TLS. Like SCPs, RCPs only set a ceiling and need all features enabled in Organizations.
Trap Reaching for an SCP to stop a cross-account principal from reading your bucket; an SCP only governs your own identities, so it never sees the external principal, an RCP does.
- RCPs cover only a subset of services and skip the management account
Resource control policies apply to a defined list of services such as S3, STS, KMS, SQS, Secrets Manager, DynamoDB, and CloudWatch Logs, not every AWS service, so confirm the service is in scope before relying on one. Like SCPs, RCPs do not affect resources in the management account and do not restrict service-linked roles. An RCP on a member account that is a delegated administrator still applies to that account's resources.
- Effective permission is the intersection of guardrails and grants
Whether a request succeeds is the logical intersection of what the SCPs allow, what the RCPs allow, and what the identity-based and resource-based policies grant. Any explicit deny at any layer wins, and a missing grant means denied even when every guardrail allows. Guardrails set the outer boundary; IAM still has to open the door inside it.
- Declarative policies pin a durable configuration, not an API allow/deny
Where SCPs and RCPs decide whether an API call is authorized, a declarative policy enforces a desired account-level setting in the service's control plane and keeps it there even when the service ships a new API that could change it. You declare intent once, such as EBS encryption-by-default on or VPC block-public-access on, and Organizations maintains it for current and future accounts. Detaching the policy rolls the attribute back to its previous state.
Trap Using an SCP to keep EBS encryption-by-default on; an SCP can only deny specific API calls, so it cannot guarantee the setting survives a new service feature the way a declarative policy does.
- Declarative policies are the only org policy that governs service-linked roles
SCPs and RCPs do not restrict service-linked roles, but declarative policies do, because they enforce configuration at the service level rather than at API authorization. So when a requirement must hold even against service-managed behavior, a declarative policy is the right org-policy tool. This is also why declarative policies, unlike SCPs and RCPs, affect the management account where attached.
Trap Assuming an SCP can constrain a service-linked role; SCPs exempt SLRs, so only a declarative policy reaches them.
- Organizations also carries backup, tag, and AI opt-out policies
Beyond the authorization policies, the same Organizations machinery distributes backup policies, tag policies, and AI services opt-out policies inherited down the OU tree. The AI services opt-out policy stops AWS AI services such as Amazon Bedrock and Amazon Rekognition from storing or using your content to improve those services, applied org-wide instead of per account. Tag policies standardize tag keys and values; backup policies centrally enforce AWS Backup plans.
- Deny non-approved Regions with an aws:RequestedRegion SCP
The standard way to confine an organization to approved Regions is an SCP that denies actions when aws:RequestedRegion is not an approved value, attached at the root or OU so future accounts inherit it. You must exempt global services such as IAM, STS, CloudFront, Route 53, and Organizations because they have no Regional endpoint, and you cannot deny access to your home Region. Control Tower's built-in Region deny control implements exactly this pattern.
Trap Applying the Region-deny SCP without exempting global services like IAM and STS; those calls have no Region and would be blocked, breaking the account.
3 questions test this
- A security architect is configuring AWS Control Tower for an organization that operates only in the eu-west-1 and eu-central-1 Regions for…
- A healthcare company is implementing AWS Organizations with three OUs: Workloads, Sandbox, and Security. The company must ensure that…
- A multinational financial services company is deploying a multi-account strategy using AWS Organizations. The security team must ensure…
- Control Tower is the opinionated landing zone on top of Organizations
Control Tower automates a multi-account landing zone: it provisions the shared accounts (management, log archive, audit), applies a baseline of controls, and vends new governed accounts through Account Factory. Reach for Control Tower when you want a governed baseline out of the box; use raw Organizations when you need fully custom control with no opinionated structure. Account Factory for Terraform (AFT) wraps Account Factory in a Terraform pipeline for infrastructure-as-code account vending.
- Control Tower controls come in preventive, detective, and proactive behaviors
A preventive control stops a non-compliant action before it happens and is implemented as an SCP or RCP; a detective control reports drift after the fact and is implemented as an AWS Config rule; a proactive control checks resources against policy before they are provisioned and is implemented as a CloudFormation hook. Matching the behavior to the requirement is the testable point: stop it (preventive), find it later (detective), or block it at deploy time (proactive).
Trap Picking a detective control to stop a non-compliant action; a Config rule only reports drift after the fact, you need a preventive SCP/RCP to actually block it.
- Control Tower controls have mandatory, strongly recommended, and elective levels
By guidance level, mandatory controls are always on and cannot be disabled, strongly recommended controls follow AWS best practice, and elective controls let you opt into stricter behavior. This guidance level is independent of the preventive/detective/proactive behavior axis, so a control is described by both, for example a strongly recommended detective control.
- Run security services from a delegated administrator, not the management account
AWS recommends keeping the management account free of workloads, so day-to-day operation of GuardDuty, Security Hub, AWS Config, IAM Access Analyzer, and Detective is delegated to a dedicated security or audit account. That delegated administrator configures the service, auto-enrolls members, and views findings org-wide, while the management account only enables trusted access. This shrinks the blast radius of the most powerful account.
Trap Operating GuardDuty or Security Hub from the management account; AWS guidance is to delegate it to a security account so the management account stays workload-free.
6 questions test this
- A multinational company operates workloads across 15 AWS accounts in an AWS Organization spanning four AWS Regions. The security team needs…
- A security engineer needs to configure IAM Access Analyzer to identify Amazon S3 buckets and AWS KMS keys that are accessible by principals…
- A multinational company is implementing IAM Access Analyzer across their AWS Organizations environment. The security team wants to…
- A company has implemented AWS Organizations with 50 member accounts across multiple AWS Regions. The security team must identify all…
- A security engineer at a company with 50 AWS accounts in AWS Organizations discovers that several Amazon S3 buckets have been…
- A security team at a multinational company needs to evaluate compliance posture across 50 AWS accounts spanning five AWS Regions. They want…
- IAM Identity Center's instance must stay in the management account
IAM Identity Center supports a delegated administrator member account, but the Identity Center instance itself must always reside in the management account. The delegated administrator can manage most things but cannot alter permission sets used for access to the management account; only an Identity Center administrator in the management account can change those.
Trap Assuming a delegated administrator can move the IAM Identity Center instance out of the management account; the instance must remain there even with delegation.
- Centralized root access removes standing root credentials from member accounts
Central management of root credentials lets the management account or a delegated administrator delete a member account's root password, access keys, signing certificates, and MFA device, so no long-term root credential exists to be stolen or misused. You enable it with the EnableOrganizationsRootCredentialsManagement action. The management account's own root user is governed separately and is not removed this way.
- Recover a locked-out resource with a short task-scoped root session
After removing standing root credentials, genuine root-only tasks run through a central root session: a short-lived, task-scoped session of at most 15 minutes authorized to perform only that one action, enabled with EnableOrganizationsRootSessions. The canonical uses are recovery: deleting a misconfigured S3 bucket policy that denies all principals, and deleting an SQS queue resource-based policy that denies all principals. This replaces logging in as the member account root with a permanent credential.
Trap Recovering a deny-all bucket policy by logging in as the member account root; centralized root access removes that standing credential, so the recovery path is a 15-minute task-scoped root session from the central account.
- Map the exam stem's goal to the right policy type
When the goal is to limit what identities in member accounts may do, the answer is an SCP; when it is to protect resources from over-broad or cross-org access, the answer is an RCP with aws:PrincipalOrgID; when it is to keep a service setting true over time, the answer is a declarative policy. Reading the verb in the stem (limit identities, protect resources, pin a setting, recover root) is the fastest discriminator on this subtopic.
Trap Choosing an SCP for a resource-protection goal because both are deny policies; an SCP cannot see an external principal accessing your resource, so the resource case needs an RCP.
- An organization needs all features enabled for guardrail policies
SCPs, RCPs, and declarative policies require an organization with all features enabled, not the consolidated-billing-only mode. Consolidated billing alone gives you combined invoicing and volume discounts but none of the authorization or configuration guardrails. Switching to all features is a one-way move that member accounts must approve.
- An external-access analyzer is Regional, so create one per Region
IAM Access Analyzer external-access analysis only evaluates resource policies in the Region where the analyzer is enabled, so multi-Region coverage requires an analyzer in each Region with resources. Set the organization as the zone of trust to flag only access from outside the org, and run it from a delegated administrator to view findings org-wide without the management account.
Trap Assuming a single analyzer covers every Region: an analyzer in us-east-1 never produces findings for resources in another Region.
4 questions test this
- A security engineer needs to configure IAM Access Analyzer to identify Amazon S3 buckets and AWS KMS keys that are accessible by principals…
- A company has implemented AWS Organizations with 50 member accounts across multiple AWS Regions. The security team must identify all…
- A security engineer at a company with 50 AWS accounts in AWS Organizations discovers that several Amazon S3 buckets have been…
- A company is implementing IAM Access Analyzer across its AWS Organizations environment. The company has accounts in multiple AWS Regions…
- Archive rules auto-mark expected Access Analyzer findings as intended
An archive rule with criteria such as a trusted account ID or resource type automatically marks matching external-access findings as intended, and choosing 'create and archive active findings' applies it to existing findings too. Access Analyzer suggests the default criterion 'Public access is false' so a rule never silently archives findings for genuinely public resources.
- Unused-access analyzers can exclude accounts and tagged identities
An IAM Access Analyzer unused-access analyzer supports two exclusion lists: specific AWS account IDs to skip entirely, and tag key-value pairs that exempt matching IAM users and roles (for example break-glass roles tagged Purpose=Emergency-Access) from generating unused-access findings.
- Access Analyzer policy validation flags iam:PassRole with a wildcard resource as a security warning
Policy validation sorts findings into errors, security warnings, general warnings, and suggestions. iam:PassRole on Resource "*" is a security warning because passing any role enables privilege escalation; security warnings call out overly permissive statements rather than syntax problems.
- CfCT applies CloudFormation customizations on Control Tower lifecycle events
Customizations for AWS Control Tower (CfCT) is the AWS-published solution that uses a CloudFormation manifest, StackSets, and SCPs to configure accounts, triggered by Control Tower lifecycle events such as CreateManagedAccount. It is the low-overhead choice for automating post-Account-Factory setup without Terraform.
Trap Reaching for Account Factory for Terraform (AFT) when no Terraform is wanted: AFT is the Terraform/GitOps path, while CfCT is the CloudFormation-native one.
- AFT provisions and customizes Control Tower accounts through a Terraform GitOps pipeline
Account Factory for Terraform (AFT) runs from a dedicated AFT management account and provisions Control Tower accounts from account-request Terraform files in a repo (GitOps). After provisioning it applies aft-global-customizations to every account and aft-account-customizations to accounts whose request names a matching customization; failures surface on the aft-failure-notifications SNS topic.
3 questions test this
- A large enterprise is standardizing on AWS Control Tower to manage their multi-account environment. The infrastructure team uses Terraform…
- A company is deploying AWS Control Tower Account Factory for Terraform (AFT) and needs to understand the repository structure for…
- A multinational corporation is implementing AWS Control Tower with Account Factory to establish governance across their organization. The…
- Enroll existing accounts into Control Tower with the Enroll account action
Pre-existing accounts join Control Tower governance through the Enroll account action in Account Factory, which deploys the baseline (Config, CloudTrail, Identity Center access, SCPs) into a registered OU. Each account must already have the AWSControlTowerExecution role trusting the management account, and any existing Config recorder and delivery channel must be removed first because Control Tower creates its own.
- Fix Control Tower drift by moving the account back and running Reset
Control Tower reports drift when its managed resources change outside Control Tower, such as an account moved between OUs through Organizations or a Control-Tower SCP edited by hand. The remediation is to move the account back to its registered OU through Control Tower and run the Reset action to re-apply the baseline and SCPs.
Trap Editing the drifted SCP or OU directly in Organizations to undo it: changes made outside Control Tower keep the landing zone in drift instead of clearing it.
- SAML authenticates users but SCIM is what provisions them into Identity Center
With an external IdP, SAML 2.0 only handles sign-in; new users and groups appear in IAM Identity Center only when SCIM v2.0 automatic provisioning is configured. Identity Center rejects multivalue attributes over SCIM, so each attribute such as email or phone must map to a single value or the sync fails.
Trap Assuming working SAML federation also creates accounts: without SCIM, newly added IdP users never provision and cannot access AWS.
3 questions test this
- A company is migrating from a legacy identity management solution to AWS IAM Identity Center with Okta as an external identity provider.…
- A multinational company uses AWS Organizations to manage over 200 AWS accounts. The company has Okta as its corporate identity provider and…
- A company has configured AWS IAM Identity Center with Microsoft Entra ID (Azure AD) as the external identity provider using SAML 2.0…
- The Identity Center SCIM access token lasts one year with rotation reminders
A SCIM access token generated in IAM Identity Center is valid for one year. When it is within 90 days of expiry, AWS posts reminders in the Identity Center console and the AWS Health Dashboard so you can rotate it; if it expires, provisioning synchronization stops.
- Identity Center has two separate session durations: portal and permission set
The AWS access portal session duration (set in Identity Center settings, up to 90 days) controls how long a user stays signed in to the portal, while each permission set's session duration (1 to 12 hours) caps a console/role session inside an account. Set them independently to allow a long portal sign-in but short account sessions.
- Pin accounts in the org by denying LeaveOrganization at the Root
A guardrail that keeps member accounts from detaching or disabling service integration is an SCP that denies organizations:LeaveOrganization (and organizations:DisableAWSServiceAccess) attached to the Root, where it inherits to all current and future accounts. Because a deny in SCPs is inherited by everything beneath the attach point, attaching it one OU too high blocks sibling OUs you meant to leave alone.
Trap Attaching a targeted deny to a parent OU instead of the intended child OU: the deny flows down to every child OU and account, not just the one you wanted to restrict.
- Exempt one role from an SCP deny with an ArnNotLike PrincipalArn condition
To let a specific role (for example a SecurityAuditRole) keep performing actions an SCP otherwise denies org-wide, add a condition to the Deny statement using ArnNotLike on aws:PrincipalArn for that role's ARN, so the deny applies to everyone except the excluded principal.
Secure Deployment
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Compliance Evaluation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.