Security, Identity & Compliance Services

By Pritesh Yadav

AWS has a crowded shelf of security services, and the CLF-C02 exam loves to test whether you can tell the look-alikes apart. The trick is to learn each service by the one job it does: who manages the keys, what gets detected versus assessed versus discovered, and which tool records actions versus records configuration. This set drills the exact pairs candidates mix up under time pressure.

Most confused here: KMS (AWS-managed shared keys) vs CloudHSM (single-tenant dedicated hardware); GuardDuty (threat detection) vs Inspector (vulnerability assessment) vs Macie (sensitive-data discovery) vs Detective (investigation); Shield vs WAF vs Firewall Manager; CloudTrail (who did what) vs Config (what changed); Secrets Manager (auto-rotating secrets) vs Parameter Store; Artifact (compliance reports) vs Audit Manager.

Q1 A company must keep full, exclusive control of its encryption key hardware to meet a strict regulatory rule that no other customer may ever share the underlying device. Which AWS service fits this requirement?

  A. AWS Key Management Service (KMS)
  B. AWS CloudHSM
  C. AWS Secrets Manager
  D. AWS Certificate Manager (ACM)
Answer: B
Why B is correct: CloudHSM gives you a single-tenant, dedicated hardware security module (a physical device for storing keys) that no other AWS customer shares. You get exclusive control, which is exactly what "no shared device" regulations demand.
Why the other options are wrong:
  • A — KMS is multi-tenant; the underlying hardware is managed and shared across customers, so it cannot meet a "device used by no one else" rule.
  • C — Secrets Manager stores and rotates secrets like passwords; it is not key-storage hardware.
  • D — ACM provisions and manages TLS/SSL certificates, not encryption key hardware.
Common trap: Both KMS and CloudHSM manage keys, so candidates pick KMS by habit. The deciding word is "dedicated/single-tenant hardware," which only CloudHSM provides.

Q2 A security team wants automatic, continuous monitoring that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to flag unusual activity such as crypto-mining or communication with a known malicious IP. Which service is purpose-built for this?

  A. Amazon Inspector
  B. Amazon Macie
  C. Amazon GuardDuty
  D. AWS Config
Answer: C
Why C is correct: GuardDuty is the intelligent threat-detection service. It continuously reads CloudTrail, VPC Flow Logs, and DNS logs to spot suspicious behavior like crypto-mining or contact with malicious IPs, without you installing anything.
Why the other options are wrong:
  • A — Inspector scans EC2 instances, containers, and Lambda for software vulnerabilities and exposure; it does not monitor live logs for threats.
  • B — Macie discovers and protects sensitive data (like personal info) in S3; it is not a log-based threat detector.
  • D — Config tracks resource configuration changes and compliance, not active threats.
Common trap: "Continuous monitoring" tempts people toward Config or Inspector. GuardDuty is the one tied to threat detection from logs.

Q3 An auditor asks, "Which specific IAM user deleted this S3 bucket, from what IP, and at what time?" Which AWS service answers this question?

  A. AWS CloudTrail
  B. AWS Config
  C. Amazon CloudWatch
  D. AWS Trusted Advisor
Answer: A
Why A is correct: CloudTrail records API activity — the "who did what, when, and from where." A bucket deletion is an API call, so CloudTrail logs the identity, time, and source IP of the actor.
Why the other options are wrong:
  • B — Config records the configuration state and history of resources (what a resource looked like over time), not which user performed the action.
  • C — CloudWatch collects performance metrics and logs for monitoring health, not a record of who made API calls.
  • D — Trusted Advisor gives best-practice recommendations on cost, security, and performance; it is not an action log.
Common trap: Config and CloudTrail are the classic mix-up. Remember: CloudTrail = who did what (actions/identity); Config = what changed (resource state).

Q4 A team stores a database password in AWS and wants it to be automatically rotated on a schedule with built-in integration to RDS, so no human ever has to manually update it. Which service is designed for this?

  A. Systems Manager Parameter Store (standard parameters)
  B. AWS Key Management Service (KMS)
  C. AWS Certificate Manager (ACM)
  D. AWS Secrets Manager
Answer: D
Why D is correct: Secrets Manager is built specifically to store secrets and automatically rotate them on a schedule, with native integration for databases like RDS. Automatic rotation is its signature feature.
Why the other options are wrong:
  • A — Parameter Store can hold configuration values and SecureString secrets, but it does not provide built-in automatic rotation the way Secrets Manager does.
  • B — KMS manages encryption keys; it does not store or rotate application passwords.
  • C — ACM handles TLS certificates, not database passwords.
Common trap: Parameter Store also stores secrets (and is cheaper), so people pick it. The keyword "automatic rotation" points specifically to Secrets Manager.

Q5 A startup needs to download AWS's SOC 2 and ISO 27001 compliance reports to hand to its own auditors. Which AWS service provides these on-demand reports at no cost?

  A. AWS Audit Manager
  B. AWS Security Hub
  C. AWS Artifact
  D. AWS Config
Answer: C
Why C is correct: AWS Artifact is the self-service portal where you download AWS's own compliance documents — SOC reports, ISO certifications, PCI attestations — to share with auditors. It is free.
Why the other options are wrong:
  • A — Audit Manager helps you continuously collect evidence about your own environment to prepare for an audit; it does not hand you AWS's pre-made compliance certificates.
  • B — Security Hub aggregates security findings across services; it is not a document repository.
  • D — Config tracks resource configuration, not AWS compliance reports.
Common trap: Artifact vs Audit Manager. Artifact = download AWS's existing reports; Audit Manager = continuously gather evidence from your account for an audit.

Q6 An application is being hit by a large layer-7 attack with malicious HTTP requests containing SQL injection patterns. The team wants to filter requests by rules such as blocking specific patterns and IP ranges before they reach the app. Which service does this?

  A. AWS WAF
  B. AWS Shield Standard
  C. Amazon GuardDuty
  D. AWS Firewall Manager
Answer: A
Why A is correct: AWS WAF (Web Application Firewall) inspects incoming HTTP/HTTPS requests and lets you write rules to block things like SQL injection, cross-site scripting, and bad IP ranges. Filtering web requests by content is exactly its job.
Why the other options are wrong:
  • B — Shield Standard protects against network/transport-layer DDoS attacks, not application-layer content filtering by rules.
  • C — GuardDuty detects threats from logs; it does not block web requests inline.
  • D — Firewall Manager centrally manages WAF/Shield rules across many accounts; it is a management layer, not the request filter itself.
Common trap: Shield and WAF both "protect web apps," but Shield = DDoS; WAF = rule-based filtering of malicious requests (SQLi/XSS).

Q7 A company stores millions of files in Amazon S3 and wants to automatically discover and alert on objects that contain personally identifiable information (PII) such as credit card or passport numbers. Which service is built for this?

  A. Amazon GuardDuty
  B. Amazon Macie
  C. Amazon Inspector
  D. AWS Secrets Manager
Answer: B
Why B is correct: Macie uses machine learning to scan S3 buckets and identify sensitive data like PII, financial data, and credentials, then reports where it lives. Sensitive-data discovery in S3 is precisely Macie's role.
Why the other options are wrong:
  • A — GuardDuty detects malicious activity from logs; it does not classify the content of stored files.
  • C — Inspector finds software vulnerabilities on compute resources, not sensitive data in storage.
  • D — Secrets Manager stores and rotates secrets you give it; it does not scan S3 for hidden PII.
Common trap: Macie is the only one of the four detection/discovery services tied to data classification in S3. If the question mentions PII or S3 content, it is Macie.

Q8 A team wants a single dashboard that aggregates and prioritizes security findings from GuardDuty, Inspector, and Macie, and checks them against standards like CIS benchmarks. Which service provides this central view?

  A. Amazon Detective
  B. AWS Config
  C. AWS Security Hub
  D. AWS Trusted Advisor
Answer: C
Why C is correct: Security Hub is the central place that collects findings from GuardDuty, Inspector, Macie, and others into one prioritized dashboard, and runs automated checks against security standards like CIS. It is the "single pane of glass" for security posture.
Why the other options are wrong:
  • A — Detective helps you deep-dive and investigate the root cause of a specific finding, not aggregate everything into a posture dashboard.
  • B — Config tracks configuration compliance, not aggregated security findings from detection services.
  • D — Trusted Advisor gives general best-practice checks, not a unified security-findings hub.
Common trap: Security Hub (aggregate & prioritize many findings) vs Detective (investigate one finding deeply). "Single dashboard aggregating findings" = Security Hub.

Q9 After GuardDuty raises an alert, an analyst needs to visualize related events over time and dig into the root cause of the suspicious behavior across linked resources. Which service is purpose-built to help investigate?

  A. Amazon Detective
  B. AWS Security Hub
  C. Amazon Inspector
  D. AWS CloudTrail
Answer: A
Why A is correct: Detective automatically builds linked data and visualizations so you can investigate and find the root cause of a security finding. It is the "now that we have an alert, let's investigate" service.
Why the other options are wrong:
  • B — Security Hub aggregates and prioritizes findings but does not provide the deep investigation graphs Detective offers.
  • C — Inspector assesses vulnerabilities; it is unrelated to investigating an active finding.
  • D — CloudTrail provides raw API logs, but it does not auto-correlate and visualize an investigation the way Detective does.
Common trap: Security Hub and Detective both sit "after" detection. Hub = collect & prioritize; Detective = investigate root cause.

Q10 A company runs hundreds of EC2 instances and wants automatic, ongoing scanning for known software vulnerabilities (CVEs) and unintended network exposure. Which service should they enable?

  A. Amazon Macie
  B. AWS Shield Advanced
  C. AWS WAF
  D. Amazon Inspector
Answer: D
Why D is correct: Inspector continuously scans EC2 instances, container images, and Lambda functions for known software vulnerabilities (CVEs) and unintended network reachability. Vulnerability assessment is its defining purpose.
Why the other options are wrong:
  • A — Macie discovers sensitive data in S3, not software vulnerabilities on compute.
  • B — Shield Advanced provides enhanced DDoS protection, not vulnerability scanning.
  • C — WAF filters malicious web requests; it does not scan instances for CVEs.
Common trap: GuardDuty vs Inspector. GuardDuty detects active threats from logs; Inspector assesses weaknesses (CVEs/exposure) before they are exploited.

Q11 Every AWS account automatically receives protection against common network and transport-layer DDoS attacks at no extra cost. What is this baseline protection called?

  A. AWS Shield Standard
  B. AWS Shield Advanced
  C. AWS WAF
  D. AWS Firewall Manager
Answer: A
Why A is correct: Shield Standard is automatically and freely included for all AWS customers, defending against the most common layer 3/4 DDoS attacks. No setup or extra payment is needed.
Why the other options are wrong:
  • B — Shield Advanced is a paid subscription adding deeper DDoS protection, cost protection, and DDoS response support; it is not the free default.
  • C — WAF filters web requests by rules and is billed separately; it is not automatic DDoS protection.
  • D — Firewall Manager centrally manages security rules across accounts; it is not the baseline DDoS layer.
Common trap: Candidates assume DDoS protection costs extra. Standard is free and automatic; only Advanced is paid.

Q12 A large organization with dozens of AWS accounts under AWS Organizations wants to centrally configure and enforce WAF rules and Shield protections across all of them from one place. Which service does this?

  A. AWS WAF
  B. AWS Firewall Manager
  C. AWS Security Hub
  D. AWS Config
Answer: B
Why B is correct: Firewall Manager sits on top of AWS Organizations and lets you centrally create and enforce WAF rules, Shield Advanced protections, and security groups across many accounts at once. Central, multi-account enforcement is its whole reason to exist.
Why the other options are wrong:
  • A — WAF defines and applies rules, but you would configure it per resource/account; it lacks the centralized cross-account enforcement layer.
  • C — Security Hub aggregates findings; it does not push firewall rules to accounts.
  • D — Config tracks configuration compliance, not central firewall-rule deployment.
Common trap: WAF vs Firewall Manager. WAF is the rule engine; Firewall Manager is the multi-account manager that deploys those rules everywhere.

Q13 A developer needs a free, auto-renewing public TLS/SSL certificate to enable HTTPS on an Application Load Balancer and CloudFront distribution. Which service provides this?

  A. AWS Key Management Service (KMS)
  B. AWS Secrets Manager
  C. AWS Certificate Manager (ACM)
  D. AWS CloudHSM
Answer: C
Why C is correct: ACM provisions, manages, and automatically renews public TLS/SSL certificates at no cost when used with integrated services like ELB and CloudFront. It is the service for enabling HTTPS (encryption in transit).
Why the other options are wrong:
  • A — KMS manages encryption keys for data at rest, not TLS certificates.
  • B — Secrets Manager stores and rotates secrets like passwords, not certificates for HTTPS.
  • D — CloudHSM provides dedicated key-storage hardware; it is not a certificate provider.
Common trap: KMS and ACM both relate to encryption, so candidates blur them. ACM = certificates for encryption in transit (HTTPS); KMS = keys for encryption at rest.

Q14 A mobile and web app needs user sign-up, sign-in, and the ability to let users log in with Google or Facebook (social identity providers). Which AWS service handles this customer identity management?

  A. AWS IAM
  B. AWS IAM Identity Center
  C. AWS Directory Service
  D. Amazon Cognito
Answer: D
Why D is correct: Cognito provides sign-up, sign-in, and access control for your application's end users (customers), including federation with social and enterprise identity providers. It is built for app/customer identity, not internal AWS access.
Why the other options are wrong:
  • A — IAM controls access for AWS resources and AWS principals (users/roles inside your account), not millions of application end users.
  • B — IAM Identity Center manages workforce single sign-on to AWS accounts and business apps, not customer-facing app logins.
  • C — Directory Service provides managed Microsoft Active Directory; it is not a customer app sign-in service.
Common trap: IAM vs Cognito. IAM = your team/resources inside AWS; Cognito = your customers logging into your app.

Q15 A compliance officer needs to confirm that all S3 buckets in an account have encryption enabled and to see a timeline of any bucket whose setting changed. Which service tracks resource configuration and compliance over time?

  A. AWS CloudTrail
  B. AWS Config
  C. Amazon GuardDuty
  D. AWS Trusted Advisor
Answer: B
Why B is correct: Config continuously records the configuration of resources, evaluates them against rules (like "encryption must be enabled"), and keeps a configuration history timeline. Checking ongoing compliance of resource settings is exactly what Config does.
Why the other options are wrong:
  • A — CloudTrail logs who made API calls, but does not evaluate whether a resource's configuration is compliant over time.
  • C — GuardDuty detects threats from logs, not configuration compliance.
  • D — Trusted Advisor offers point-in-time best-practice checks, not a per-resource configuration history and rule timeline.
Common trap: CloudTrail vs Config again. "Is this resource configured correctly / what changed in its settings" = Config; "who performed the action" = CloudTrail.

Q16 A company wants AWS to manage encryption keys for it but still needs control over key policies, rotation, and the ability to disable a key, using a multi-tenant managed service that is cheaper and simpler than dedicated hardware. Which service fits best?

  A. AWS CloudHSM
  B. AWS Certificate Manager (ACM)
  C. AWS Secrets Manager
  D. AWS Key Management Service (KMS)
Answer: D
Why D is correct: KMS is the managed, multi-tenant key service where AWS handles the heavy lifting while you still control key policies, enable/disable, and rotation. It is simpler and lower-cost than running dedicated HSM hardware.
Why the other options are wrong:
  • A — CloudHSM is single-tenant dedicated hardware — more control but more cost and management; the scenario explicitly prefers the simpler managed option.
  • B — ACM manages certificates, not general-purpose encryption keys.
  • C — Secrets Manager stores secrets, not encryption keys you manage policies for.
Common trap: The "control over keys" wording makes people jump to CloudHSM. KMS still gives policy/rotation control; CloudHSM is only when you need exclusive, single-tenant hardware.

Q17 A team enables HTTPS so data moving between the user's browser and the web server cannot be read if intercepted on the network. This is an example of protecting data in which state?

  A. Encryption at rest
  B. Encryption in transit
  C. Tokenization at rest
  D. Key escrow
Answer: B
Why B is correct: Encryption in transit protects data while it moves across a network, which is exactly what HTTPS/TLS does between a browser and a server. The data is being transmitted, so it is "in transit."
Why the other options are wrong:
  • A — Encryption at rest protects stored data (on disk, in S3, in a database), not data moving over the wire.
  • C — Tokenization replaces sensitive values with tokens and is not what HTTPS provides for moving data.
  • D — Key escrow is about storing keys with a third party; it is unrelated to the state of the data.
Common trap: In transit = moving (TLS/HTTPS); at rest = stored (KMS-encrypted S3/EBS). HTTPS is always the in-transit example.

Q18 An enterprise must produce continuous evidence that its own AWS environment meets a framework like PCI DSS, automatically collecting and organizing that evidence for its internal and external auditors. Which service is designed for this?

  A. AWS Artifact
  B. AWS Security Hub
  C. AWS Trusted Advisor
  D. AWS Audit Manager
Answer: D
Why D is correct: Audit Manager continuously collects evidence from your own AWS usage and maps it to frameworks like PCI DSS, automating audit preparation. It is about proving your environment's compliance, not downloading AWS's certificates.
Why the other options are wrong:
  • A — Artifact provides AWS's own pre-made compliance reports for download; it does not gather evidence about your specific environment.
  • B — Security Hub aggregates security findings; it is not an evidence-collection-for-audit tool.
  • C — Trusted Advisor gives best-practice recommendations, not audit evidence mapped to frameworks.
Common trap: Artifact vs Audit Manager. "Collect evidence about my account for an audit" = Audit Manager; "download AWS's existing compliance reports" = Artifact.

Q19 A media company that frequently faces large, sophisticated DDoS attacks wants enhanced protection, near-real-time attack visibility, cost protection against scaling charges during an attack, and access to the AWS DDoS Response Team. Which option provides all of this?

  A. AWS Shield Standard
  B. AWS WAF
  C. AWS Shield Advanced
  D. Amazon GuardDuty
Answer: C
Why C is correct: Shield Advanced is the paid tier that adds enhanced DDoS mitigation, detailed attack diagnostics, cost protection (credits for scaling caused by an attack), and access to the AWS Shield Response Team (SRT). All those premium features point to Advanced.
Why the other options are wrong:
  • A — Shield Standard is free and automatic but lacks cost protection, the response team, and advanced visibility.
  • B — WAF filters web requests by rules; it is not a DDoS mitigation tier with a response team.
  • D — GuardDuty detects threats from logs; it does not mitigate DDoS or offer cost protection.
Common trap: The phrases "DDoS Response Team" and "cost protection" are unique to Shield Advanced. If they appear, the answer is Advanced, not Standard or WAF.

Q20 A developer simply needs to store a non-secret configuration value (like an environment name "production") and occasionally a secure string, at the lowest cost, without needing automatic rotation. Which service best fits?

  A. AWS Secrets Manager
  B. Systems Manager Parameter Store
  C. AWS CloudHSM
  D. AWS Key Management Service (KMS)
Answer: B
Why B is correct: Parameter Store (part of AWS Systems Manager) is ideal for storing configuration data and simple secure strings, and its standard parameters are free. When automatic rotation is not required and cost matters, it is the right pick.
Why the other options are wrong:
  • A — Secrets Manager carries a per-secret cost and is overkill when you do not need automatic rotation.
  • C — CloudHSM is dedicated key hardware, far beyond storing a config string.
  • D — KMS manages encryption keys; it is not a config/secret value store.
Common trap: The flip side of the rotation question. No rotation + low cost + config values = Parameter Store; automatic rotation = Secrets Manager.

Q21 A security lead summarizes the team's tools: one service finds threats from account logs, another scans instances for vulnerabilities, and a third finds sensitive data in S3. Which set correctly maps to GuardDuty, Inspector, and Macie in that order?

  A. Threat detection from logs, vulnerability scanning, sensitive-data discovery
  B. Vulnerability scanning, threat detection from logs, sensitive-data discovery
  C. Sensitive-data discovery, vulnerability scanning, threat detection from logs
  D. Threat detection from logs, sensitive-data discovery, vulnerability scanning
Answer: A
Why A is correct: GuardDuty = threat detection from logs (CloudTrail/VPC/DNS); Inspector = vulnerability scanning of compute; Macie = sensitive-data discovery in S3. The first option lists them in exactly that order.
Why the other options are wrong:
  • B — It swaps GuardDuty and Inspector, wrongly making GuardDuty a vulnerability scanner.
  • C — It reverses the order entirely, mislabeling GuardDuty as data discovery.
  • D — It swaps Inspector and Macie, wrongly tying Inspector to S3 data.
Common trap: These three blur together. Memory hook: GuardDuty = guard against threats (logs), Inspector = inspect machines (vulnerabilities), Macie = "data" detective for S3 PII.

Q22 An organization wants to encrypt data stored at rest in Amazon S3 and Amazon EBS using managed keys, while keeping the option to audit every time a key is used. Which service provides the encryption keys for this data-at-rest scenario?

  A. AWS Certificate Manager (ACM)
  B. Amazon Cognito
  C. AWS Secrets Manager
  D. AWS Key Management Service (KMS)
Answer: D
Why D is correct: KMS creates and manages the encryption keys used to encrypt data at rest in services like S3 and EBS, and it integrates with CloudTrail so every key use can be audited. Data-at-rest key management is KMS's core job.
Why the other options are wrong:
  • A — ACM manages TLS certificates for encryption in transit, not keys for stored data.
  • B — Cognito handles application user identity, not data encryption keys.
  • C — Secrets Manager stores and rotates secrets like passwords, not the encryption keys for S3/EBS at rest.
Common trap: Pairing the wrong encryption service with the data state. At rest (S3/EBS storage) = KMS keys; in transit (HTTPS) = ACM certificates.
