AWS SAA Mock Exam 4 - Security & Compliance

📝 Exam Information

  • Focus Areas: Security, Identity & Access Management, Compliance
  • Duration: 130 minutes
  • Questions: 65 questions
  • Difficulty: Advanced

Question 1

A healthcare organization needs to store patient records in AWS while complying with HIPAA. The solution must ensure data encryption at rest and in transit and must audit all access. Which combination meets these requirements?

A) S3 with SSE-S3 + CloudTrail + VPC endpoints
B) S3 with SSE-KMS + CloudTrail + S3 Access Logging + VPC endpoints
C) EFS with encryption + CloudWatch Logs + IAM policies
D) RDS with encryption + CloudTrail + VPC + Security Groups

Answer: B
Explanation: SSE-KMS gives you customer-managed keys with their own key policies and a KMS usage trail; CloudTrail records the S3 API calls (enable S3 data events to capture object-level GetObject and PutObject); S3 server access logging provides a second, request-level record of object access; VPC endpoints keep traffic to S3 on the AWS network instead of the public internet. Encryption in transit still comes from TLS, so enforce it with a bucket policy that denies requests where aws:SecureTransport is false.


Question 2

A financial application requires that database administrators cannot view encrypted customer data in production. Which solution prevents privileged user access to sensitive data?

A) Use IAM policies to deny access to encrypted data
B) Implement database-level encryption with application-managed keys
C) Use AWS KMS with separate key policies for admins and applications
D) Enable CloudHSM with client-side encryption before storing data

Answer: D
Explanation: Server-side encryption (RDS storage encryption, KMS-backed SSE) is transparent to anyone who can log in to the database, so it does not hide data from a DBA. Only encrypting the sensitive columns in the application before they reach the database, with keys held in CloudHSM that the DBA cannot use, keeps privileged database users from reading the plaintext. The trade-off is that the database can no longer query, index or validate those columns.


Question 3

A company needs to share S3 objects with external partners for limited time periods. Partners should not have AWS accounts. Which solution provides secure, time-limited access?

A) Create IAM users for each partner with temporary passwords
B) Use S3 pre-signed URLs with expiration times
C) Share S3 bucket policies with partner IP addresses
D) Use Cognito Identity Pools for temporary credentials

Answer: B
Explanation: A pre-signed URL is signed with the credentials of the principal that creates it and grants that principal's access to one object until the X-Amz-Expires window (at most seven days with IAM user credentials, and never beyond the lifetime of temporary credentials) has elapsed. The partner needs no AWS account or credentials. Anyone holding the URL can use it until it expires, so treat the URL itself as a bearer secret and keep the signer's permissions minimal.
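To show what "signed" and "time-limited" actually mean here, the following added example (not code from the original page) implements SigV4 query-string signing for a GET, then replays the checks S3 performs when the URL is presented. The access key, secret, bucket, object key and clock values are constructed; nothing is sent to AWS, because SigV4 is only HMAC-SHA256 over a canonical description of the request. The practical point it demonstrates: X-Amz-Expires is covered by the signature, so a partner cannot stretch the window by editing the URL, and once the window passes the same signature is rejected.

```python
"""S3 pre-signed URL (SigV4 query-string authentication): sign on the owner's
side, then replay the checks S3 performs on the service side.

Added example, not code from the original page. The access key, secret,
bucket, object key and clock values are constructed; nothing is sent to AWS.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

ALGO = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                      # constructed
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"      # constructed


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """AWS4 key schedule: the long-term secret never signs a request directly."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _encode_qs(params: dict) -> str:
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _string_to_sign(host: str, key: str, params: dict, amz_date: str, scope: str) -> str:
    # Canonical request: method, URI, sorted query, headers, signed headers, payload hash.
    # Pre-signed URLs sign only the Host header and declare the body UNSIGNED-PAYLOAD.
    canonical = "\n".join(["GET", "/" + quote(key, safe="/-_.~"), _encode_qs(params),
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    return "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])


def presign_get(bucket: str, key: str, access_key: str, secret: str,
                region: str, expires_in: int, now: datetime) -> str:
    """Build a GET URL for one object that stops working after expires_in seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),   # signed, so it cannot be edited later
        "X-Amz-SignedHeaders": "host",
    }
    sts = _string_to_sign(host, key, params, amz_date, scope)
    params["X-Amz-Signature"] = hmac.new(signing_key(secret, amz_date[:8], region),
                                         sts.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/-_.~')}?{_encode_qs(params)}"


def verify_presigned(url: str, secret: str, now: datetime) -> str:
    """Service-side view: recompute the signature from the URL as presented,
    then check the expiry window. Returns 'ok', 'bad-signature' or 'expired'."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    presented = q.pop("X-Amz-Signature", "")
    amz_date = q["X-Amz-Date"]
    scope = q["X-Amz-Credential"].split("/", 1)[1]
    region = scope.split("/")[1]
    sts = _string_to_sign(u.hostname, unquote(u.path).lstrip("/"), q, amz_date, scope)
    expected = hmac.new(signing_key(secret, amz_date[:8], region),
                        sts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return "bad-signature"
    issued = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > issued + timedelta(seconds=int(q["X-Amz-Expires"])):
        return "expired"
    return "ok"


def demo() -> dict:
    """Four outcomes a partner link can have; the clock is simulated."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    url = presign_get("patient-exports", "partner-a/report.csv", ACCESS_KEY, SECRET,
                      "us-east-1", 3600, t0)
    stretched = url.replace("X-Amz-Expires=3600", "X-Amz-Expires=604800")
    return {
        "fresh": verify_presigned(url, SECRET, t0 + timedelta(minutes=30)),
        "after_expiry": verify_presigned(url, SECRET, t0 + timedelta(hours=2)),
        "expiry_tampered": verify_presigned(stretched, SECRET, t0 + timedelta(hours=2)),
        "wrong_key": verify_presigned(url, "not-the-real-secret", t0),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

In production you would call boto3's generate_presigned_url rather than hand-rolling this, but the verification half is the part worth keeping in mind: the service recomputes the signature from the URL it receives, so every query parameter, including the expiry, is tamper-evident.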


Question 4

An organization implements a multi-account strategy with AWS Organizations. They need to prevent any account from disabling CloudTrail logging. Which approach ensures this requirement?

A) Create IAM policies in each account denying CloudTrail modifications
B) Use Service Control Policies (SCPs) to deny CloudTrail disable actions
C) Configure CloudTrail with MFA delete protection
D) Set up CloudWatch alarms for CloudTrail modifications

Answer: B
Explanation: An IAM policy in a member account can be edited by an administrator of that account, but an SCP attached from the management account sets a boundary that no principal in the member account, including its root user, can override. An SCP that denies cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail on the organization trail enforces the requirement centrally. Two caveats: SCPs do not apply to the management account itself, and MFA delete is an S3 versioning feature, not a CloudTrail one.


Question 5

A web application stores session data in DynamoDB. Sessions contain PII that must be encrypted. The application needs to search sessions by user attributes. Which solution maintains security while enabling search functionality?

A) Use DynamoDB encryption at rest with KMS keys
B) Implement client-side encryption with searchable encryption schemes
C) Use DynamoDB with field-level encryption + GSI on non-encrypted attributes
D) Store encrypted data in DynamoDB + metadata in a separate encrypted table

Answer: C
Explanation: Encrypting the PII attributes client-side (for example with the AWS Database Encryption SDK for DynamoDB) keeps them opaque to anyone with table access, while the attributes that must be queried stay in plaintext and can be projected into a GSI. DynamoDB cannot index an attribute it only sees as ciphertext, so decide up front which attributes are searchable and keep PII out of them. Encryption at rest alone (A) protects the storage media, not the data from a principal with read permission on the table.


Question 6

A company requires all EC2 instances to use approved AMIs and to automatically remediate non-compliant instances. Which solution provides automated compliance enforcement?

A) AWS Config Rules + Lambda functions for remediation
B) Systems Manager Compliance + CloudWatch Events
C) Inspector + CloudFormation drift detection
D) GuardDuty + Security Hub automatic responses

Answer: A
Explanation: AWS Config evaluates each EC2 instance against the rule (the managed rules approved-amis-by-id and approved-amis-by-tag, or a custom Lambda-backed rule) and marks it NON_COMPLIANT. A remediation action, either a Config remediation action backed by an SSM Automation document or a Lambda function invoked from the compliance-change event, can then stop or terminate the instance and let Auto Scaling or a launch template launch a replacement from an approved AMI.
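The event contract between Config and a custom rule is the part candidates rarely see, so here is an added example (not the page's code, and not required in practice because the managed rules approved-amis-by-id and approved-amis-by-tag exist) with both halves of answer A: the Lambda-backed rule that evaluates an instance's imageId against an approved list, and the decision logic of a remediation Lambda fed by the resulting "Config Rules Compliance Change" EventBridge event. The two sample events, the AMI and instance IDs, and the rule name approved-ami-check are constructed; boto3 is imported only inside the handlers so the decision functions run without AWS access.

```python
"""Custom AWS Config rule for approved AMIs plus remediation decision logic.

Added example, not the page's code. Sample events are constructed; the AMI
and instance IDs are placeholders; boto3 is imported inside the handlers.
"""
import json

INSTANCE = "AWS::EC2::Instance"


def parse_approved_amis(rule_parameters):
    """ruleParameters arrives as a JSON string; this rule takes a comma-separated list."""
    params = json.loads(rule_parameters or "{}")
    return {a.strip() for a in params.get("approvedAmis", "").split(",") if a.strip()}


def evaluate_item(item, approved):
    """Build the Evaluation record Config expects for one configuration item."""
    deleted = item.get("configurationItemStatus", "").startswith("ResourceDeleted")
    if item["resourceType"] != INSTANCE or deleted:
        compliance = "NOT_APPLICABLE"
    else:
        ami = item.get("configuration", {}).get("imageId")
        compliance = "COMPLIANT" if ami in approved else "NON_COMPLIANT"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def evaluate_event(event):
    """invokingEvent is itself a JSON string wrapping the configuration item."""
    invoking = json.loads(event["invokingEvent"])
    return evaluate_item(invoking["configurationItem"],
                         parse_approved_amis(event.get("ruleParameters")))


def rule_handler(event, context):
    """Entry point for the Config rule Lambda: evaluate, then report back."""
    evaluation = evaluate_event(event)
    import boto3  # deferred: only the deployed Lambda needs it
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


def remediation_target(event, rule_name="approved-ami-check"):
    """From a 'Config Rules Compliance Change' EventBridge event, return the
    instance ID to terminate, or None. Only NON_COMPLIANT transitions for this
    rule and resource type are acted on, so a misrouted event does nothing."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.config" or detail.get("configRuleName") != rule_name:
        return None
    if detail.get("resourceType") != INSTANCE:
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")


def remediation_handler(event, context):
    """Entry point for the remediation Lambda."""
    instance_id = remediation_target(event)
    if instance_id is None:
        return {"action": "none"}
    import boto3
    boto3.client("ec2").terminate_instances(InstanceIds=[instance_id])
    return {"action": "terminated", "instanceId": instance_id}


# Constructed sample: what Config sends the rule when an instance changes.
SAMPLE_RULE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": INSTANCE,
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T12:00:00.000Z",
            "configuration": {"imageId": "ami-00000000000000bad"},
        },
    }),
    "ruleParameters": json.dumps({"approvedAmis": "ami-0123456789abcdef0, ami-0fedcba9876543210"}),
    "resultToken": "constructed-result-token",
}

# Constructed sample: the EventBridge event emitted after that evaluation.
SAMPLE_COMPLIANCE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "approved-ami-check",
        "resourceType": INSTANCE,
        "resourceId": "i-0123456789abcdef0",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}
```

The remediation function deliberately checks source, rule name, resource type and the new compliance state before returning a target: a remediation Lambda that terminates whatever resourceId it is handed is itself an outage waiting for a mis-configured EventBridge rule.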


Question 7

An application uses API Gateway with a Lambda backend. Security requires that API calls are authenticated, authorized, and logged for audit purposes. Which solution provides comprehensive security?

A) API Gateway with API keys + CloudWatch Logs
B) Cognito User Pools + Lambda authorizer + CloudTrail + WAF
C) IAM roles + VPC endpoints + CloudWatch Logs
D) Custom authentication + Application Load Balancer + S3 logging

Answer: B
Explanation: Cognito User Pools authenticate callers and issue JWTs, a Lambda authorizer makes the per-request authorization decision (a Cognito authorizer can also validate the JWT directly), and WAF filters malicious requests in front of the API. API keys (A) identify a client for throttling and usage plans; they are not an authentication mechanism. One logging detail to keep straight: CloudTrail records control-plane calls to API Gateway (who changed a stage or an authorizer), not individual client requests. For a per-request audit trail enable API Gateway access logging to CloudWatch Logs alongside CloudTrail.


Question 8

A containerized application in ECS requires secrets management. Container tasks need database passwords and API keys without hardcoding credentials. Which solution provides secure secrets management?

A) Store secrets in environment variables with base64 encoding
B) Use AWS Secrets Manager with IAM task roles
C) Mount an EFS volume with encrypted credential files
D) Use Parameter Store with SecureString parameters + IAM task roles

Answer: D
Explanation: Both B and D inject credentials at task start through the secrets field of the ECS container definition, which references a Secrets Manager secret or an SSM SecureString parameter by ARN; the task execution role needs permission to read it (and kms:Decrypt on the key), and the plaintext never appears in the task definition. Parameter Store SecureString is the lower-cost choice when built-in rotation is not required; automatic rotation is a Secrets Manager feature, not a Parameter Store one. Base64 (A) is encoding, not encryption, and offers no protection.


Question 9

A multi-tenant SaaS application stores customer data in separate S3 prefixes. Each customer should only access their own data. Which solution ensures tenant isolation?

A) Use separate S3 buckets for each customer
B) Implement S3 bucket policies with dynamic prefix conditions
C) Use IAM roles with condition keys for S3 prefix access
D) Create separate AWS accounts for each customer

Answer: C
Explanation: One IAM role whose policy derives the permitted prefix from the caller's identity scales to any number of tenants: with session tags the resource becomes arn:aws:s3:::bucket/${aws:PrincipalTag/TenantID}/* and an s3:prefix condition limits ListBucket the same way, while s3:ExistingObjectTag/TenantID can gate access to objects tagged per tenant. Separate buckets or accounts per tenant (A, D) isolate well but run into service quotas and operational overhead as the tenant count grows.
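Questions 4 and 9 both come down to IAM policy evaluation order, which the exam expects you to know (explicit deny first, then the SCP boundary, then an identity-policy allow, otherwise implicit deny). The following added example (not the page's code, and not AWS's evaluation engine, which also handles resource policies, permission boundaries, NotAction and many more condition operators) implements just enough of that logic to run the SCP from Question 4 and the tenant-scoped role policy from Question 9 against sample requests. The policies, ARNs, trail name org-trail, bucket saas-data and tag values are constructed.

```python
"""Minimal IAM policy evaluator covering Question 4 (SCP protecting CloudTrail)
and Question 9 (tenant-scoped S3 role with ${aws:PrincipalTag/TenantID}).

Added example; not AWS's engine. Supports Allow/Deny, wildcard Action and
Resource, policy-variable substitution and StringEquals/StringLike conditions.
All policies, ARNs and tag values are constructed.
"""
import fnmatch
import re

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ADMINISTRATOR_ACCESS = FULL_AWS_ACCESS

# Question 4: attached to every OU. Member-account admins cannot work around it.
SCP_PROTECT_CLOUDTRAIL = {"Statement": [{
    "Sid": "DenyCloudTrailTampering",
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
    "Resource": "arn:aws:cloudtrail:*:*:trail/org-trail",
}]}

# Question 9: one role for all tenants; the prefix comes from a session tag.
TENANT_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::saas-data/${aws:PrincipalTag/TenantID}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::saas-data",
     "Condition": {"StringLike": {"s3:prefix": "${aws:PrincipalTag/TenantID}/*"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, ctx):
    # Unresolved variables stay literal, so an untagged session matches nothing.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            pats = [_substitute(p, ctx) for p in _as_list(patterns)]
            if operator == "StringEquals":
                if actual not in pats:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in pats):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _effects(policy, action, resource, ctx):
    """Effects of every statement in `policy` that matches the request."""
    found = set()
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        resources = [_substitute(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        found.add(stmt["Effect"])
    return found


def evaluate(action, resource, ctx, scps, identity_policies):
    """Return 'Allow', 'Deny (explicit)', 'Deny (SCP)' or 'Deny (implicit)'.
    An empty scps list models an account outside any organization."""
    scp = set().union(*(_effects(p, action, resource, ctx) for p in scps))
    ident = set().union(*(_effects(p, action, resource, ctx) for p in identity_policies))
    if "Deny" in scp or "Deny" in ident:
        return "Deny (explicit)"
    if scps and "Allow" not in scp:
        return "Deny (SCP)"   # SCPs never grant; they only bound what policies may grant
    if "Allow" not in ident:
        return "Deny (implicit)"
    return "Allow"


def demo():
    trail = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
    member_scps = [FULL_AWS_ACCESS, SCP_PROTECT_CLOUDTRAIL]
    acme = {"aws:PrincipalTag/TenantID": "acme"}
    obj = "arn:aws:s3:::saas-data/%s/invoice.pdf"
    bucket = "arn:aws:s3:::saas-data"
    tenant = ([FULL_AWS_ACCESS], [TENANT_ROLE_POLICY])
    return {
        "admin_stop_logging": evaluate("cloudtrail:StopLogging", trail, {}, member_scps, [ADMINISTRATOR_ACCESS]),
        "admin_describe_trails": evaluate("cloudtrail:DescribeTrails", trail, {}, member_scps, [ADMINISTRATOR_ACCESS]),
        "acme_own_object": evaluate("s3:GetObject", obj % "acme", acme, *tenant),
        "acme_other_tenant": evaluate("s3:GetObject", obj % "globex", acme, *tenant),
        "acme_list_own_prefix": evaluate("s3:ListBucket", bucket, {**acme, "s3:prefix": "acme/"}, *tenant),
        "acme_list_other_prefix": evaluate("s3:ListBucket", bucket, {**acme, "s3:prefix": "globex/"}, *tenant),
        "untagged_session": evaluate("s3:GetObject", obj % "acme", {}, *tenant),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

Two results are worth dwelling on: the member-account administrator keeps every other CloudTrail permission and is still refused StopLogging, because an explicit SCP deny is evaluated before the identity policy's Allow; and a session with no TenantID tag gets an implicit deny rather than access to every tenant, because an unresolved policy variable never matches.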


Question 10

A company needs to detect and respond to potential data exfiltration attempts from EC2 instances. The solution should monitor network traffic and automatically block suspicious activities. Which combination provides this capability?

A) VPC Flow Logs + CloudWatch Alarms + Security Groups
B) GuardDuty + EventBridge + Lambda + NACLs
C) WAF + Shield + CloudFront + API Gateway
D) Config + Systems Manager + Inspector + CloudTrail

Answer: B
Explanation: GuardDuty analyzes VPC Flow Logs, DNS logs and CloudTrail for signs of compromise such as DNS data exfiltration or connections to known command-and-control hosts; an EventBridge rule matches the finding and invokes a Lambda function that blocks the remote address with a network ACL deny entry or moves the instance into an isolation security group. Security groups (A) cannot express a deny rule, which is why NACLs are the blocking tool here. NACLs are stateless, evaluated in ascending rule-number order, and limited to 20 entries per direction by default, so a NACL block is a short-term containment step, not a long-term deny list.
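The Lambda in answer B is where the caveats above become code, so the following added example (not from the page) takes a constructed GuardDuty finding in the shape GuardDuty publishes to EventBridge, extracts the remote address and the instance's subnet, and plans deny entries for both NACL directions. It stands down when the severity is too low, when the finding has no network connection (DNS-based findings), when the address is in a range it must never block (RFC 1918, loopback, link-local including the instance metadata service), when the NACL is full, or when no rule number is left ahead of the first allow entry, which is the mistake that makes a deny entry silently ineffective. The severity threshold, the never-block list and the 20-entry quota are this responder's own assumptions; the NACL record, finding type and IDs are constructed.

```python
"""GuardDuty finding -> EventBridge -> Lambda -> network ACL deny entries.

Added example, not the page's code. SAMPLE_FINDING_EVENT and SAMPLE_ACL are
constructed; boto3 is used only in lambda_handler so plan_block runs offline.
"""
import ipaddress

SEVERITY_FLOOR = 7.0            # assumption: act on High (7.0-8.9) findings only
RULE_BASE = 1                   # lowest numbers win; deny must sort before any allow
MAX_RULES_PER_DIRECTION = 20    # default NACL quota, excluding the 32767 catch-all
DEFAULT_DENY = 32767
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # VPC / on-prem ranges
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local (IMDS)


def rule_table(acl):
    """Per direction, {rule number: action} from a describe_network_acls NetworkAcl record."""
    table = {"ingress": {}, "egress": {}}
    for entry in acl.get("Entries", []):
        table["egress" if entry["Egress"] else "ingress"][entry["RuleNumber"]] = entry["RuleAction"]
    return table


def plan_block(event, existing_rules):
    """Return (plan, reason). plan is None when the responder should stand down."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.guardduty":
        return None, "not a GuardDuty event"
    if float(detail.get("severity", 0)) < SEVERITY_FLOOR:
        return None, "severity below threshold"
    conn = detail.get("service", {}).get("action", {}).get("networkConnectionAction")
    if not conn or "ipAddressV4" not in conn.get("remoteIpDetails", {}):
        return None, "finding carries no IPv4 network connection"
    remote = ipaddress.ip_address(conn["remoteIpDetails"]["ipAddressV4"])
    if any(remote in net for net in NEVER_BLOCK):
        return None, "refusing to block a private or reserved address"
    instance = detail["resource"]["instanceDetails"]
    rules = []
    for direction, egress in (("ingress", False), ("egress", True)):
        table = existing_rules.get(direction, {})
        if len([n for n in table if n != DEFAULT_DENY]) >= MAX_RULES_PER_DIRECTION:
            return None, f"{direction} NACL is full"
        first_allow = min((n for n, a in table.items() if a == "allow"), default=DEFAULT_DENY)
        number = RULE_BASE
        while number in table:
            number += 1
        if number >= first_allow:
            return None, f"no {direction} rule number left ahead of allow rule {first_allow}"
        rules.append({"RuleNumber": number, "Egress": egress, "Protocol": "-1",
                      "RuleAction": "deny", "CidrBlock": f"{remote}/32"})
    return {"subnet_id": instance["networkInterfaces"][0]["subnetId"],
            "instance_id": instance["instanceId"],
            "finding_type": detail["type"], "rules": rules}, "block planned"


def lambda_handler(event, context):
    """Entry point. The EventBridge rule pattern already filters on source and
    detail-type, so the subnet lookup below assumes a GuardDuty EC2 finding."""
    import boto3
    ec2 = boto3.client("ec2")
    subnet_id = event["detail"]["resource"]["instanceDetails"]["networkInterfaces"][0]["subnetId"]
    acl = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])["NetworkAcls"][0]
    plan, reason = plan_block(event, rule_table(acl))
    if plan is None:
        return {"action": "none", "reason": reason}
    for rule in plan["rules"]:
        ec2.create_network_acl_entry(NetworkAclId=acl["NetworkAclId"], **rule)
    return {"action": "blocked", "networkAclId": acl["NetworkAclId"], "rules": plan["rules"]}


# Constructed sample finding as delivered by EventBridge.
SAMPLE_FINDING_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B",
        "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0123456789abcdef0",
            "networkInterfaces": [{"subnetId": "subnet-0abc0abc0abc0abc0",
                                   "vpcId": "vpc-0abc0abc0abc0abc0",
                                   "privateIpAddress": "10.0.1.25"}]}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
            "connectionDirection": "OUTBOUND", "protocol": "TCP",
            "remotePortDetails": {"port": 443},
            "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}}},
    },
}

# Constructed sample: a default-style NACL (allow-all at 100, catch-all deny at 32767).
SAMPLE_ACL = {"NetworkAclId": "acl-0abc0abc0abc0abc0", "Entries": [
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": DEFAULT_DENY, "Egress": False, "RuleAction": "deny", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": DEFAULT_DENY, "Egress": True, "RuleAction": "deny", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
]}
```

Both directions are blocked because a NACL is stateless: denying only egress to the address would still let an inbound connection from it reach the instance, and vice versa. Pair this with a ticket or Security Hub note so the entries are reviewed and removed; at 20 entries per direction the NACL fills after a handful of incidents.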


Question 11

A legacy application cannot be modified to use IAM roles but needs to access S3. The application runs on EC2 instances and requires rotating access keys for security. Which solution provides automated key rotation?

A) Use instance profiles with automatic credential rotation
B) Implement a Lambda function to rotate IAM user access keys
C) Use Secrets Manager with IAM user credentials + automatic rotation
D) Configure Systems Manager to update application config files

Answer: C
Explanation: Secrets Manager holds the IAM user's access key pair and a rotation Lambda rotates it: it creates a second key for the user (IAM allows two active keys per user), stages it as AWSPENDING, tests it, promotes it to AWSCURRENT and then deactivates and deletes the old key. Secrets Manager ships rotation templates for database credentials; IAM access keys need a custom rotation function. The application fetches the current key from Secrets Manager at startup or on a schedule instead of keeping a static copy in a config file. Where the application can consume an instance profile at all, A is the better long-term fix, since instance-profile credentials are temporary, rotate automatically and are never stored.


Question 12

A financial services company must ensure all data in transit between services is encrypted. The architecture includes an ALB, EC2 instances, RDS, and ElastiCache. Which combination ensures end-to-end encryption?

A) HTTPS on ALB + HTTP to EC2 + SSL to RDS + TLS to ElastiCache
B) HTTPS throughout + SSL/TLS for all database connections + Redis AUTH
C) Certificate Manager certificates + VPC endpoints + encryption at rest
D) Network Load Balancer + TLS passthrough + encrypted EBS volumes

Answer: B
Explanation: TLS has to be present on every hop: HTTPS from clients to the ALB, HTTPS from the ALB to the EC2 targets (the ALB re-encrypts to the target group rather than falling back to plain HTTP as in A), TLS to RDS enforced with the engine's parameter (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL), and in-transit encryption on the ElastiCache Redis cluster, which is also a prerequisite for Redis AUTH so that clients authenticate as well as encrypt. Options C and D mix at-rest controls into an in-transit question.


Questions 13-35

Additional security questions covering:

  • Network security (VPC, Security Groups, NACLs)
  • Identity federation and SSO
  • Compliance frameworks (SOC, PCI DSS, GDPR)
  • Incident response and forensics
  • Data protection and privacy


Security Domain Breakdown

Identity & Access Management (25%)

  • IAM best practices
  • Cross-account access
  • Federation scenarios
  • Service-linked roles

Data Protection (25%)

  • Encryption strategies
  • Key management
  • Data classification
  • Privacy controls

Infrastructure Security (20%)

  • Network security
  • Compute security
  • Perimeter defense
  • Monitoring & logging

Incident Response (15%)

  • Detection mechanisms
  • Automated remediation
  • Forensics capabilities
  • Recovery procedures

Compliance (15%)

  • Regulatory requirements
  • Audit preparation
  • Documentation
  • Evidence collection

Key Security Principles

  1. Defense in depth
  2. Least privilege access
  3. Fail securely
  4. Security by design
  5. Automate security

Compliance Frameworks Covered

  • HIPAA - Healthcare data protection
  • PCI DSS - Payment card security
  • SOX - Financial reporting controls
  • GDPR - Data privacy regulation
  • SOC 2 - Security controls audit

Study Focus Areas

  1. IAM policy evaluation logic
  2. Encryption implementation patterns
  3. Network security controls
  4. Logging and monitoring strategy
  5. Automated security responses
  6. Compliance requirement mapping