Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.6. Sample Questions - Domain 6: Security & Compliance

Question 1:

A company is implementing a multi-account AWS strategy and needs to enforce a security policy that prevents any IAM user or role in member accounts from creating S3 buckets that are publicly accessible. This policy must apply to all existing and future accounts within their AWS Organization. Which AWS service should be used to centrally enforce this preventive control?

A) IAM Roles
B) IAM Policies
C) Service Control Policies (SCPs)
D) AWS Config Rules

Correct Answer: C
Explanation:
  • C) Service Control Policies (SCPs): SCPs are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. They can be used to restrict access to certain services or actions for all users and roles in affected accounts, including the root user. This directly addresses the need for central, preventive enforcement across multiple accounts, aligning with the First Principle of Centralized Governance and Preventive Security Controls.
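The SCP below is an added example written for this page, not MindMesh Academy's or AWS's own policy. It takes the usual route to "no public buckets": S3 Block Public Access is already on for new buckets and can be turned on at the account level, so the SCP simply forbids anyone in a member account, the root user included, from switching that guard off. The exempt role ARN and the 12-digit account IDs are placeholders, and the small evaluator is a deliberately simplified model of SCP semantics (an SCP only ever denies, a matching Deny wins, and the management account is never subject to SCPs); it supports only the one condition operator this policy uses.

```python
"""Added example: an SCP that keeps S3 Block Public Access switched on.

Illustrative code, not the page's or AWS's own. Assumes S3 Block Public
Access is already enabled (the default for new buckets), so preventing
public buckets reduces to denying the calls that would disable it.
"""
import fnmatch
import json

# Policy document as attached to the organization root with
#   aws organizations create-policy --type SERVICE_CONTROL_POLICY ...
# The role ARN in the Condition is a placeholder for a break-glass role.
DENY_DISABLING_S3_BLOCK_PUBLIC_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingS3BlockPublicAccess",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPublicAccessBlock",
                "s3:DeletePublicAccessBlock",
                "s3:PutAccountPublicAccessBlock",
                "s3:DeleteAccountPublicAccessBlock",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
                }
            },
        }
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) against one or more patterns."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition, context):
    """Simplified: only StringNotLike is modelled, which is all this SCP uses."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringNotLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            if _matches(patterns, context.get(key, "")):
                return False  # principal is in the exempt set, Deny does not apply
    return True


def scp_allows(scp, action, principal_arn, is_management_account=False):
    """Return False when an explicit Deny in the SCP matches the call.

    True only means the SCP does not block it; the principal still needs an
    IAM allow to actually perform the action (SCPs never grant anything).
    """
    if is_management_account:  # SCPs do not apply to the management account
        return True
    ctx = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _matches(stmt["Action"], action) and _condition_holds(stmt.get("Condition"), ctx):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(DENY_DISABLING_S3_BLOCK_PUBLIC_ACCESS, indent=2))
    for arn, act in [
        ("arn:aws:iam::111122223333:root", "s3:DeletePublicAccessBlock"),
        ("arn:aws:iam::111122223333:user/dev", "s3:GetObject"),
        ("arn:aws:iam::111122223333:role/OrgSecurityAdmin", "s3:PutAccountPublicAccessBlock"),
    ]:
        print(f"{act:36} {arn:48} allowed={scp_allows(DENY_DISABLING_S3_BLOCK_PUBLIC_ACCESS, act, arn)}")
```

Because the policy lives at the organization root, every account created later inherits it automatically, which is what distinguishes it from an IAM policy that would have to be copied into each account; AWS Config would only report a violation after the fact.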


Question 2:

A DevOps team needs to ensure that all data stored in Amazon S3 buckets is encrypted at rest. They want to enforce this encryption by default for all new objects uploaded to specific buckets without requiring application-level changes. Which S3 encryption option should they configure on the buckets?

A) Client-Side Encryption
B) Server-Side Encryption with S3-Managed Keys (SSE-S3)
C) Server-Side Encryption with Customer-Provided Keys (SSE-C)
D) Server-Side Encryption with KMS-Managed Keys (SSE-KMS)

Correct Answer: B
Explanation:
  • B) Server-Side Encryption with S3-Managed Keys (SSE-S3): SSE-S3 uses Amazon S3-managed encryption keys to encrypt your data at rest. When you enable default encryption with SSE-S3 on a bucket, all new objects uploaded to that bucket are automatically encrypted using AES-256, without requiring any changes to the application code. This is the simplest way to enforce encryption at rest by default, aligning with the First Principle of Data Protection by Default and Operational Simplicity.
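The following is an added example, not code from MindMesh Academy or AWS. It builds the exact `ServerSideEncryptionConfiguration` document that `aws s3api put-bucket-encryption` accepts for SSE-S3, and pairs it with a small audit helper that reads a bucket's configuration back (the shape `get-bucket-encryption` returns) and reports which default algorithm, if any, applies to new objects. The two "other" configurations and the bucket name are constructed for the demonstration; the KMS key alias is a placeholder. Since AWS began applying SSE-S3 to new objects by default in early 2023, the audit mostly confirms that nobody has changed a bucket's default to something else.

```python
"""Added example: S3 bucket default encryption with SSE-S3 (AES-256).

Illustrative code, not the page's or AWS's own. Runs offline; the CLI
command is returned as a string rather than executed.
"""
import json

# The configuration document for answer B: every new object gets SSE-S3.
SSE_S3_DEFAULT = {
    "Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    ]
}

# Constructed comparison cases: no default rule at all, and SSE-KMS
# (still encrypted at rest, but not the option the question asks for).
NO_DEFAULT = {"Rules": []}
KMS_DEFAULT = {
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "alias/placeholder-key",  # placeholder
            }
        }
    ]
}


def default_encryption_algorithm(config):
    """Return the SSEAlgorithm applied to new objects, or None if unset.

    Accepts either the bare Rules document or the wrapped form that
    `aws s3api get-bucket-encryption` returns.
    """
    config = config.get("ServerSideEncryptionConfiguration", config)
    for rule in config.get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if sse.get("SSEAlgorithm"):
            return sse["SSEAlgorithm"]
    return None


def uses_sse_s3_by_default(config):
    """True only when new objects are encrypted with S3-managed keys."""
    return default_encryption_algorithm(config) == "AES256"


def put_bucket_encryption_command(bucket):
    """The CLI call that applies SSE_S3_DEFAULT to a bucket."""
    return (
        "aws s3api put-bucket-encryption --bucket %s "
        "--server-side-encryption-configuration '%s'"
        % (bucket, json.dumps(SSE_S3_DEFAULT))
    )


if __name__ == "__main__":
    print(put_bucket_encryption_command("example-bucket"))  # constructed name
    for name, cfg in [("sse-s3", SSE_S3_DEFAULT), ("none", NO_DEFAULT), ("kms", KMS_DEFAULT)]:
        print(f"{name:7} default={default_encryption_algorithm(cfg)} "
              f"sse_s3={uses_sse_s3_by_default(cfg)}")
```

No application change is involved: the bucket applies the rule to any PUT that does not already carry an `x-amz-server-side-encryption` header, which is why default encryption is the operationally simplest way to meet the requirement.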

Written by Alvin Varughese, Founder, 15 professional certifications