- (Topic 1)
A company's information security manager is supervising a move to AWS and wants to ensure that AWS best practices are followed. The manager has concerns about the potential misuse of AWS account root user credentials.
Which of the following is an AWS best practice for using the AWS account root user credentials?

1. A. Allow only the manager to use the account root user credentials for normal activities.
2. B. Use the account root user credentials only for Amazon EC2 instances from the AWS Free Tier.
3. C. Use the account root user credentials only when they alone must be used to perform a requiredfunction.
4. D. Use the account root user credentials only for the creation of private VPC subnets.

Correct Answer: C
The AWS best practice for using the AWS account root user credentials is to use them only when they alone must be used to perform a required function. The AWS account root user credentials have full access to all the resources in the account, and therefore pose a security risk if compromised or misused. You should create individual IAM users with the minimum necessary permissions for everyday tasks, and use AWS Organizations to manage multiple accounts. You should also enable multi-factor authentication (MFA) and rotate the password for the root user regularly. Some of the functions that require the root user credentials are changing the account name, closing the account, changing the support plan, and restoring an IAM user’s access.

- (Topic 1)
Which AWS service or tool provides users with the ability to monitor AWS service quotas?

1. A. AWS CloudTrail
2. B. AWS Cost and Usage Reports
3. C. AWS Trusted Advisor
4. D. AWS Budgets

Correct Answer: C
The correct answer is C because AWS Trusted Advisor is an AWS service or tool that provides users with the ability to monitor AWS service quotas. AWS Trusted Advisor is an online tool that provides users with real-time guidance to help them provision their resources following AWS best practices. One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default limit. The other options are incorrect because they are not AWS services or tools that provide users with the ability to monitor AWS service quotas. AWS CloudTrail is a service that enables users to track user activity and API usage across their AWS account. AWS Cost and Usage Reports is a tool that enables users to access comprehensive information about their AWS costs and usage. AWS Budgets is a tool that enables users to plan their service usage, costs, and reservations. Reference: [AWS Trusted Advisor FAQs]

- (Topic 1)
A company needs to identify the last time that a specific user accessed the AWS Management Console.
Which AWS service will provide this information?

1. A. Amazon Cognito
2. B. AWS CloudTrail
3. C. Amazon Inspector
4. D. Amazon GuardDuty

Correct Answer: B
AWS CloudTrail is the service that will provide the information about the last time that a specific user accessed the AWS Management Console. AWS CloudTrail is a service that records the API calls and events made by or on behalf of your AWS account. You can use AWS CloudTrail to view, search, and download the history of AWS console sign-in events, which include the user name, date, time, source IP address, and other details of the sign-in activity. Amazon Cognito, Amazon Inspector, and Amazon GuardDuty are not services that will provide this information. Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. Amazon Inspector is a service that assesses the security and compliance of your applications running on AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious or unauthorized activity.

- (Topic 3)
A company wants to use guidelines from the AWS Well-Architected Framework to limit human error and facilitate consistent responses to events.
Which of the following is a Well-Architected design principle that will meet these requirements?

1. A. Use AWS CodeDeploy.
2. B. Perform operations as code.
3. C. Migrate workloads to a Dedicated Host.
4. D. Use AWS Compute Optimizer.

Correct Answer: B
This is a design principle of the operational excellence pillar of the AWS Well-Architected Framework. Performing operations as code means using scripts, templates, or automation tools to perform routine tasks, such as provisioning, configuration, deployment, and monitoring. This reduces human error, increases consistency, and enables faster recovery from failures. You can learn more about the operational excellence pillar from this whitepaper or this digital course.

- (Topic 3)
Which AWS service or feature can the company use to limit the access to AWS services for member accounts?

1. A. AWS Identity and Access Management (IAM)
2. B. Service control policies (SCPs)
3. C. Organizational units (OUs)
4. D. Access control lists (ACLs)

Correct Answer: B
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines2. SCPs are available only in an organization that has all features enabled2.