Back to the course
Test yourself

AWS security for DevOps engineers

Final exam · 12 questions · answers explained as you pick
IAM & federation
6 questions
01A permissions boundary sets…
Incorrect — That is Budgets, not IAM.
Correct — Policies grant; the boundary caps — delegation without escalation.
Incorrect — That is a role/session setting, not a boundary.
Incorrect — MFA is enforced by conditions, not boundaries.
02When an explicit Deny and an Allow both match a request, AWS…
Correct — Evaluation is deny-by-default with explicit Deny overriding any Allow.
Incorrect — Breadth does not beat an explicit Deny.
Incorrect — Recency is not part of evaluation.
Incorrect — There is no partial merge; Deny wins.
03Attaching policies to groups/roles instead of individual users…
Incorrect — Evaluation cost is the same.
Correct — You manage a few roles, not hundreds of user policies.
Incorrect — Unrelated to MFA.
Incorrect — Boundaries still cap delegated permissions.
04OIDC federation from CI replaces…
Incorrect — It uses a role — it assumes one via the token.
Correct — Short-lived tokens scoped to repo and branch; nothing to leak.
Incorrect — It is for workloads, not human MFA.
Incorrect — Logging is unrelated to how CI authenticates.
05The big win of OIDC over stored access keys is…
Correct — You can also scope trust to a specific repo/branch.
Incorrect — The point is there is no key to copy.
Incorrect — It is built on IAM roles and trust policies.
Incorrect — CloudTrail still records the AssumeRole.
06Scoping a CI role’s trust policy to a specific repo and branch prevents…
Incorrect — Performance is not the concern.
Correct — The token’s subject claim must match your conditions.
Incorrect — It does not affect logging.
Incorrect — You still use a role, just tightly trusted.
6 questions · explanations appear as you answer
Guardrails, detection & IR
6 questions
01Service Control Policies apply to…
Incorrect — They act above individual users.
Correct — Even the account root cannot cross an SCP deny.
Incorrect — Bucket policies do that; SCPs are org-wide.
Incorrect — They target accounts/OUs, though can condition on region.
02An SCP that denies an action means an account admin…
Correct — SCPs cap the maximum available permissions for the account.
Incorrect — No IAM policy can grant past an SCP deny.
Incorrect — MFA does not bypass an SCP.
Incorrect — Region-switching does not evade the guardrail.
03The two AWS services to turn on everywhere as a baseline are…
Incorrect — Those are workloads, not the detection baseline.
Correct — The trail records what happened; GuardDuty flags the suspicious.
Incorrect — Not security-baseline services.
Incorrect — Networking/CDN, not the security baseline.
04CloudTrail’s role during an incident is to…
Correct — The trail is how you reconstruct the blast radius.
Incorrect — It records; it does not enforce.
Incorrect — That is your runbook’s action, not CloudTrail.
Incorrect — Unrelated to logging.
05The primary defense against public-S3 mistakes is…
Incorrect — Hope is not a control.
Correct — BPA overrides risky ACLs org-wide.
Incorrect — That increases exposure.
Incorrect — That removes visibility, not risk.
06On confirmed access-key compromise, the first action is…
Incorrect — Destroying everything is not containment.
Correct — Contain first; the trail tells you what the key touched.
Incorrect — Broad and slow; deal with the exposed key first.
Incorrect — Active compromise is not a backlog item.
6 questions · explanations appear as you answer