Security, Compliance, and Monitoring | AWS Certified Solutions Architect – Associate MCQs
AWS provides comprehensive security, compliance, and monitoring solutions to ensure your cloud infrastructure is both secure and compliant. Tools like AWS CloudTrail, Amazon CloudWatch, and AWS KMS are integral to monitoring and securing your architecture. This quiz tests your knowledge of AWS security tools, threat detection, and resource compliance.
Chapter 7: Security, Compliance, and Monitoring | AWS Certified Solutions Architect – Associate
Topic 1: AWS CloudTrail – Logging and Auditing API Calls
- Your organization needs to track and audit API calls made to AWS services for security and compliance purposes. Which AWS service should you enable?
- A. AWS Config
- B. AWS CloudTrail
- C. Amazon CloudWatch
- D. AWS Shield
- E. AWS Identity and Access Management (IAM)
- A security team needs to review the details of API requests made by a user in a specific region. What feature in AWS CloudTrail should be used to filter the logs?
- A. CloudTrail Insights
- B. Event history with region filter
- C. CloudTrail Trails
- D. IAM Access Analyzer
- E. Resource Access Manager
- Which of the following are true about AWS CloudTrail logs?
- A. CloudTrail logs are stored indefinitely unless manually deleted
- B. CloudTrail tracks only read-only API calls
- C. CloudTrail logs API activity from AWS Management Console, CLI, and SDKs
- D. CloudTrail is enabled by default for all AWS services
- E. CloudTrail logs can be encrypted using AWS KMS
- You want to store CloudTrail logs in an S3 bucket for long-term retention. Which AWS service allows you to automate log management for compliance and auditing?
- A. AWS Lambda
- B. AWS Config
- C. AWS CloudTrail Insights
- D. S3 Lifecycle policies
- E. Amazon Macie
- Your organization requires that CloudTrail logs be monitored for unauthorized API activity. Which feature of AWS CloudTrail allows you to get real-time notifications?
- A. CloudTrail Insights
- B. CloudWatch Logs Integration
- C. CloudTrail Event History
- D. Amazon GuardDuty
- E. AWS Config Rules
Topic 2: Amazon CloudWatch – Metrics, Logs, Alarms, and Dashboards
- You want to automatically receive notifications when an EC2 instance’s CPU utilization exceeds a specified threshold. Which AWS service should you use?
- A. AWS CloudTrail
- B. Amazon CloudWatch Alarms
- C. AWS Systems Manager
- D. Amazon S3
- E. AWS Config
- Which CloudWatch feature allows you to create custom visualizations for monitoring the performance of your AWS resources?
- A. CloudWatch Logs
- B. CloudWatch Alarms
- C. CloudWatch Dashboards
- D. CloudWatch Insights
- E. CloudWatch Events
- Which of the following is true when using Amazon CloudWatch Logs to monitor your application?
- A. CloudWatch Logs store logs indefinitely without cost
- B. You can trigger CloudWatch alarms based on log data patterns
- C. CloudWatch Logs require manual intervention for log retention
- D. CloudWatch Logs only support logs from AWS services
- E. Logs cannot be shared with other AWS accounts
- You want to monitor the health of a large number of EC2 instances running in different regions. Which CloudWatch feature should you use to automate this process?
- A. CloudWatch Dashboards
- B. CloudWatch Alarms
- C. CloudWatch Logs
- D. CloudWatch Events
- E. CloudWatch Metrics
- Which metric type can Amazon CloudWatch track for your AWS resources?
- A. EC2 instance status checks
- B. Number of active users on an EC2 instance
- C. Application-level request count
- D. Instance-level network traffic
- E. Service-specific application logs
Topic 3: AWS Config – Compliance and Resource Monitoring
- You need to ensure that all EC2 instances in your AWS account are tagged according to company policy. Which AWS service can help you with compliance tracking for this requirement?
- A. AWS Config
- B. AWS CloudTrail
- C. AWS Shield
- D. AWS Lambda
- E. Amazon GuardDuty
- Which of the following can AWS Config be used to monitor?
- A. Resource compliance with corporate governance
- B. Unauthorized changes to IAM policies
- C. Changes in security groups and VPC configurations
- D. Real-time API requests to services
- E. Billing and cost allocation tags
- How can you use AWS Config to enforce a desired configuration of your AWS resources?
- A. By using AWS Config rules
- B. By monitoring CloudTrail logs
- C. By creating CloudWatch Alarms
- D. By deploying AWS Lambda functions
- E. By using AWS Systems Manager
- Which of the following best describes AWS Config’s role in compliance auditing?
- A. It tracks API activity for all AWS resources
- B. It ensures resource configurations meet compliance standards
- C. It monitors AWS CloudTrail logs for unauthorized API access
- D. It helps detect security threats in real-time
- E. It helps set up WAF rules
- Which of the following are possible AWS Config actions based on compliance violations?
- A. Automatically remediating non-compliant resources
- B. Sending notifications to stakeholders
- C. Running Lambda functions to correct configurations
- D. Creating CloudWatch Alarms for real-time monitoring
- E. Reverting resources to a previous configuration
Topic 4: AWS KMS – Encryption and Key Management
- You need to store sensitive customer data in Amazon S3 and ensure it is encrypted at rest. Which AWS service can you use for managing the encryption keys?
- A. Amazon S3 Encryption
- B. AWS KMS
- C. AWS IAM
- D. AWS Lambda
- E. Amazon CloudWatch
- You want to manage the lifecycle of encryption keys and enforce strict key rotation policies. Which service is best suited for this?
- A. Amazon S3
- B. AWS Key Management Service (KMS)
- C. AWS Secrets Manager
- D. AWS Config
- E. Amazon CloudTrail
- Which AWS KMS feature ensures that a key is rotated automatically?
- A. Automatic Key Rotation
- B. Key Alias Management
- C. Multi-Region Key Management
- D. Key Policy Enforcement
- E. IAM Key Access Management
- You are planning to use KMS for encrypting data across multiple AWS regions. Which KMS feature enables you to use the same encryption key across regions?
- A. Cross-Region Replication
- B. Multi-Region Keys
- C. Key Policy
- D. CloudHSM Integration
- E. Key Rotation
- You need to create a customer-managed KMS key to encrypt sensitive data. Which of the following should you configure for access control?
- A. KMS Key Policies
- B. IAM Policies
- C. CloudWatch Logs integration
- D. VPC Security Groups
- E. CloudTrail Permissions
Answer Key
| Qno | Answer |
|---|---|
| 1 | B. AWS CloudTrail |
| 2 | B. Event history with region filter |
| 3 | C. CloudTrail tracks activity, E. CloudTrail logs can be encrypted |
| 4 | D. S3 Lifecycle policies |
| 5 | B. CloudWatch Logs Integration |
| 6 | B. Amazon CloudWatch Alarms |
| 7 | C. CloudWatch Dashboards |
| 8 | B. Trigger CloudWatch alarms, D. CloudWatch Logs only support AWS service logs |
| 9 | A. CloudWatch Dashboards |
| 10 | A. EC2 instance status checks, D. Instance-level network traffic |
| 11 | A. AWS Config |
| 12 | A. Resource compliance, C. Changes in security groups and VPC configurations |
| 13 | A. By using AWS Config rules |
| 14 | B. Ensures resource configurations meet compliance standards |
| 15 | A. Automatically remediating, B. Sending notifications, C. Running Lambda functions |
| 16 | B. AWS KMS |
| 17 | B. AWS Key Management Service (KMS) |
| 18 | A. Automatic Key Rotation |
| 19 | B. Multi-Region Keys |
| 20 | A. KMS Key Policies, B. IAM Policies |