AWS Security, IAM & Monitoring MCQs (51–100) with Explanations

Security and monitoring are the backbone of any cloud environment, and AWS provides powerful tools such as IAM, KMS, CloudTrail, and CloudWatch to ensure safety, compliance, and visibility.

This set of 50 MCQs (Questions 51–100) focuses on AWS Security, Identity & Access Management (IAM), and Monitoring Services. Each question comes with detailed explanations so learners can strengthen both their exam preparation and practical understanding of cloud security.

Whether you are preparing for the AWS Certified Security – Specialty exam or a Solutions Architect Associate/Professional, these questions are designed to provide clarity on identity policies, encryption methods, logging, and best monitoring practices.

By the end of this batch, you will gain strong knowledge of IAM roles, multi-factor authentication, KMS encryption, CloudWatch metrics, and CloudTrail auditing. Let’s get started with questions 51–100 and boost your AWS security expertise!

🔹 Batch 2: AWS Security, IAM & Monitoring MCQs

Q51. Which AWS service is primarily used to manage user access and permissions?

  • A) AWS Organizations
  • B) AWS Shield
  • C) IAM
  • D) KMS
    Answer: C) IAM
    Explanation: IAM (Identity and Access Management) allows administrators to securely control access to AWS resources by managing users, groups, and roles.

Q52. What is the recommended way to grant temporary access to AWS resources?

  • A) Assign IAM roles
  • B) Share root credentials
  • C) Use access keys in plain text
  • D) Enable unrestricted policies
    Answer: A) Assign IAM roles
    Explanation: IAM roles provide temporary security credentials without exposing long-term access keys, making them best practice for secure access.

Q53. Which service provides centralized logging of all API calls made within AWS?

  • A) CloudWatch Logs
  • B) CloudTrail
  • C) Config
  • D) Inspector
    Answer: B) CloudTrail
    Explanation: AWS CloudTrail records all API activity, including user actions, services used, and resource changes, ensuring full auditability.

Q54. In IAM, what is the default access level for new users?

  • A) Administrator access
  • B) Read-only access
  • C) No permissions
  • D) Full access to EC2 and S3
    Answer: C) No permissions
    Explanation: By default, new IAM users have no permissions until explicitly granted through policies.

Q55. Which AWS service enables encryption of data at rest using customer-managed keys?

  • A) CloudHSM
  • B) IAM
  • C) KMS
  • D) Cognito
    Answer: C) KMS
    Explanation: AWS Key Management Service (KMS) manages cryptographic keys for encrypting and decrypting data across AWS services.

Q56. Which monitoring tool is used for setting alarms based on metrics like CPU usage or latency?

  • A) CloudTrail
  • B) CloudWatch
  • C) GuardDuty
  • D) Inspector
    Answer: B) CloudWatch
    Explanation: Amazon CloudWatch monitors AWS resources and applications, providing metrics, logs, and alarms for performance and health tracking.

Q57. Which feature should you enable for protecting IAM accounts with an additional security layer?

  • A) Multi-factor Authentication (MFA)
  • B) Access keys
  • C) Public policies
  • D) VPC Peering
    Answer: A) Multi-factor Authentication (MFA)
    Explanation: MFA requires a second factor (like OTP or hardware token) to log in, significantly improving account security.

Q58. What is AWS GuardDuty primarily used for?

  • A) Penetration testing
  • B) Threat detection and continuous monitoring
  • C) Key encryption
  • D) Access management
    Answer: B) Threat detection and continuous monitoring
    Explanation: GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and anomalies in AWS accounts.

Q59. Which AWS service is used for compliance auditing and configuration tracking?

  • A) CloudWatch
  • B) Config
  • C) Trusted Advisor
  • D) CloudFormation
    Answer: B) Config
    Explanation: AWS Config provides detailed visibility into configuration changes and compliance status of AWS resources.

Q60. What does AWS Security Hub provide?

  • A) A dashboard for centralized security and compliance findings
  • B) Real-time monitoring of EC2 instances
  • C) Management of IAM roles
  • D) Encryption of S3 buckets
    Answer: A) A dashboard for centralized security and compliance findings
    Explanation: AWS Security Hub aggregates security findings from multiple services (GuardDuty, Inspector, Macie, etc.) into one view for easier management.

Q61. Which AWS service can help you detect unusual login activity or compromised credentials?

  • A) GuardDuty
  • B) Inspector
  • C) CloudWatch
  • D) Macie
    Answer: A) GuardDuty
    Explanation: GuardDuty detects unusual activities like unauthorized logins or API calls using machine learning and threat intelligence.

Q62. What is the main difference between IAM roles and IAM users?

  • A) Users are temporary, roles are permanent
  • B) Users are permanent identities, roles provide temporary credentials
  • C) Roles manage billing, users manage resources
  • D) There is no difference
    Answer: B) Users are permanent identities, roles provide temporary credentials
    Explanation: IAM users have long-term credentials, while IAM roles are used to delegate temporary access.

Q63. Which AWS service automatically rotates encryption keys for you?

  • A) IAM
  • B) KMS
  • C) Secrets Manager
  • D) CloudTrail
    Answer: B) KMS
    Explanation: AWS KMS can automatically rotate cryptographic keys to enhance data security.

Q64. To enforce least privilege in IAM policies, which approach should be followed?

  • A) Grant full admin rights
  • B) Start with broad permissions and narrow later
  • C) Grant only required permissions for specific tasks
  • D) Use inline policies only
    Answer: C) Grant only required permissions for specific tasks
    Explanation: The principle of least privilege ensures users have only the access necessary for their job.

Q65. Which service provides insights into S3 bucket data for sensitive information like PII?

  • A) Security Hub
  • B) Macie
  • C) Inspector
  • D) GuardDuty
    Answer: B) Macie
    Explanation: Amazon Macie uses machine learning to discover, classify, and protect sensitive data in S3.

Q66. What is the default maximum number of IAM users per AWS account?

  • A) 500
  • B) 1,000
  • C) 5,000
  • D) Unlimited
    Answer: B) 1,000
    Explanation: By default, AWS allows 1,000 IAM users per account, but this limit can be increased upon request.

Q67. Which AWS service enables centralized management of multiple AWS accounts?

  • A) IAM
  • B) Organizations
  • C) Security Hub
  • D) GuardDuty
    Answer: B) Organizations
    Explanation: AWS Organizations helps consolidate and manage multiple accounts with centralized governance and policies.

Q68. Which log type in CloudWatch captures custom application logs?

  • A) Metrics Logs
  • B) Event Logs
  • C) Log Streams
  • D) Resource Logs
    Answer: C) Log Streams
    Explanation: CloudWatch Log Streams capture application/system logs, grouped into log groups for monitoring.

Q69. Which AWS service is recommended for securely storing and rotating database credentials?

  • A) KMS
  • B) Secrets Manager
  • C) Parameter Store
  • D) Inspector
    Answer: B) Secrets Manager
    Explanation: AWS Secrets Manager securely stores, rotates, and retrieves secrets like DB credentials and API keys.

Q70. CloudTrail logs can be delivered to which of the following storage services for long-term retention?

  • A) DynamoDB
  • B) S3
  • C) RDS
  • D) EBS
    Answer: B) S3
    Explanation: CloudTrail logs are typically stored in S3 buckets for secure, durable, and long-term retention.

Q71. Which AWS service provides anomaly detection for metrics like CPU or network usage?

  • A) GuardDuty
  • B) CloudWatch Anomaly Detection
  • C) Inspector
  • D) Security Hub
    Answer: B) CloudWatch Anomaly Detection
    Explanation: This feature of CloudWatch uses machine learning to detect anomalies in metric patterns.

Q72. Which of the following is a best practice for managing root user access?

  • A) Use root for all daily tasks
  • B) Share root credentials securely
  • C) Enable MFA and avoid daily use
  • D) Store root credentials in code
    Answer: C) Enable MFA and avoid daily use
    Explanation: Root credentials should be locked down with MFA and used only for critical tasks.

Q73. Which IAM feature allows applying policies across multiple AWS accounts?

  • A) IAM groups
  • B) IAM inline policies
  • C) Service control policies (SCPs)
  • D) Resource-based policies
    Answer: C) Service control policies (SCPs)
    Explanation: SCPs in AWS Organizations set permission boundaries across accounts.

Q74. Which AWS service is most suitable for monitoring billing and usage anomalies?

  • A) GuardDuty
  • B) CloudWatch
  • C) Cost Explorer with Budgets
  • D) Inspector
    Answer: C) Cost Explorer with Budgets
    Explanation: AWS Budgets and Cost Explorer help detect unusual billing patterns and control costs.

Q75. Which AWS service provides automated compliance checks with industry standards like PCI DSS?

  • A) GuardDuty
  • B) Config
  • C) Security Hub
  • D) Inspector
    Answer: C) Security Hub
    Explanation: AWS Security Hub checks compliance against frameworks like PCI DSS, CIS, and ISO.

Q76. Which IAM feature ensures that policies are attached directly to resources rather than users?

  • A) Inline policies
  • B) Resource-based policies
  • C) Group policies
  • D) SCPs
    Answer: B) Resource-based policies
    Explanation: Resource-based policies are attached directly to AWS resources (e.g., S3 buckets).

Q77. What is the difference between AWS Shield Standard and AWS Shield Advanced?

  • A) Standard protects against basic DDoS, Advanced offers enhanced DDoS protection and 24/7 support
  • B) Both provide the same protection
  • C) Advanced only protects EC2
  • D) Standard requires extra cost, Advanced is free
    Answer: A) Standard protects against basic DDoS, Advanced offers enhanced DDoS protection and 24/7 support
    Explanation: Shield Advanced provides advanced DDoS protection with SLAs, whereas Shield Standard is free and basic.

Q78. Which service integrates with CloudTrail to detect unauthorized API activity?

  • A) GuardDuty
  • B) Inspector
  • C) Security Hub
  • D) CloudWatch Logs
    Answer: A) GuardDuty
    Explanation: GuardDuty analyzes CloudTrail logs for suspicious API calls.

Q79. Which IAM policy type defines what an AWS principal can do with a resource?

  • A) Identity-based policy
  • B) Resource-based policy
  • C) Service control policy
  • D) Both A and B
    Answer: D) Both A and B
    Explanation: IAM uses identity-based (users/roles) and resource-based (e.g., S3 bucket) policies to control permissions.

Q80. Which AWS monitoring service is specifically designed to detect resource misconfigurations?

  • A) Config
  • B) CloudTrail
  • C) GuardDuty
  • D) Inspector
    Answer: A) Config
    Explanation: AWS Config monitors configuration changes and alerts for non-compliance with rules.

Q81. Which service allows centralized logging from multiple AWS accounts?

  • A) CloudTrail Lake
  • B) CloudWatch Logs
  • C) AWS Organizations
  • D) GuardDuty
    Answer: A) CloudTrail Lake
    Explanation: CloudTrail Lake lets you aggregate and query logs across multiple AWS accounts.

Q82. Which AWS service uses “Findings” as a way to notify security issues?

  • A) CloudWatch
  • B) Inspector
  • C) Security Hub
  • D) Both B and C
    Answer: D) Both B and C
    Explanation: Both AWS Inspector and Security Hub generate findings to alert about security risks.

Q83. What’s the maximum number of IAM groups a user can belong to?

  • A) 5
  • B) 10
  • C) 20
  • D) Unlimited
    Answer: C) 20
    Explanation: A single IAM user can belong to a maximum of 20 groups.

Q84. Which service should you enable to track all API calls made in your AWS account?

  • A) CloudWatch
  • B) GuardDuty
  • C) CloudTrail
  • D) Security Hub
    Answer: C) CloudTrail
    Explanation: CloudTrail records all AWS API calls for governance, compliance, and auditing.

Q85. Which AWS service encrypts data at rest automatically without requiring user configuration?

  • A) S3 (default encryption enabled)
  • B) RDS
  • C) EBS
  • D) All of the above
    Answer: D) All of the above
    Explanation: AWS provides default encryption at rest for many services like S3, RDS, and EBS.

Q86. To securely share temporary access to AWS resources, which method should be used?

  • A) IAM groups
  • B) IAM roles + STS
  • C) Inline policies
  • D) SCPs
    Answer: B) IAM roles + STS
    Explanation: AWS STS (Security Token Service) provides temporary credentials via IAM roles.

Q87. What is the retention period for CloudTrail event history by default?

  • A) 7 days
  • B) 30 days
  • C) 90 days
  • D) 365 days
    Answer: C) 90 days
    Explanation: CloudTrail keeps API activity logs for 90 days by default.

Q88. Which IAM feature helps prevent accidental resource deletion?

  • A) IAM policy boundaries
  • B) AWS Config rules
  • C) Service control policies
  • D) Resource-based conditions (e.g., "Deny": "Delete*")
    Answer: D) Resource-based conditions (e.g., "Deny": "Delete*")
    Explanation: Conditions in IAM/resource policies can explicitly block delete actions to prevent accidents.

Q89. Which service integrates with GuardDuty to automate remediation of findings?

  • A) AWS Lambda
  • B) CloudWatch Alarms
  • C) AWS Config
  • D) Inspector
    Answer: A) AWS Lambda
    Explanation: GuardDuty findings can trigger Lambda functions to automatically remediate security threats.

Q90. Which AWS service lets you manage encryption keys across multiple AWS services?

  • A) KMS
  • B) Secrets Manager
  • C) IAM
  • D) Security Hub
    Answer: A) KMS
    Explanation: AWS KMS integrates with many services to manage encryption keys securely.

Q91. Which AWS feature allows granular control over VPC traffic at the subnet level?

  • A) NACLs (Network ACLs)
  • B) Security Groups
  • C) Route Tables
  • D) Shield
    Answer: A) NACLs (Network ACLs)
    Explanation: NACLs control inbound and outbound traffic at the subnet level.

Q92. Which AWS service uses agent-based scanning for vulnerabilities in EC2?

  • A) GuardDuty
  • B) Inspector
  • C) Security Hub
  • D) Shield
    Answer: B) Inspector
    Explanation: AWS Inspector installs an agent on EC2 to detect vulnerabilities and deviations.

Q93. Which AWS service consolidates findings from GuardDuty, Inspector, and Macie?

  • A) Security Hub
  • B) CloudTrail
  • C) Config
  • D) Lambda
    Answer: A) Security Hub
    Explanation: Security Hub acts as a central place for security findings across AWS services.

Q94. Which IAM feature lets you restrict access based on IP addresses?

  • A) Group Policies
  • B) Policy conditions
  • C) Service control policies
  • D) Inline policies
    Answer: B) Policy conditions
    Explanation: You can use conditions like "aws:SourceIp" in IAM policies to restrict access by IP.

Q95. Which AWS feature allows encryption keys to never leave AWS hardware modules?

  • A) CloudHSM
  • B) KMS
  • C) Secrets Manager
  • D) Shield Advanced
    Answer: A) CloudHSM
    Explanation: AWS CloudHSM provides FIPS 140-2 Level 3 compliant hardware security modules for key storage.

Q96. Which service should you use to create alarms on specific metrics?

  • A) GuardDuty
  • B) CloudWatch Alarms
  • C) Config Rules
  • D) Security Hub
    Answer: B) CloudWatch Alarms
    Explanation: CloudWatch Alarms let you monitor metrics and trigger actions like notifications or scaling.

Q97. Which AWS service encrypts data in-transit between AWS and users?

  • A) TLS/SSL certificates via ACM
  • B) IAM policies
  • C) GuardDuty
  • D) CloudWatch
    Answer: A) TLS/SSL certificates via ACM
    Explanation: AWS ACM provides and manages SSL/TLS certificates for encrypted communication.

Q98. Which AWS service is useful for enforcing multi-account logging compliance?

  • A) CloudTrail Organization Trails
  • B) GuardDuty
  • C) Config Rules
  • D) Security Hub
    Answer: A) CloudTrail Organization Trails
    Explanation: An organization trail in CloudTrail enforces logging across all AWS accounts in the organization from one central place.

Q99. Which IAM feature is best to enforce time-limited access to resources?

  • A) Inline policies
  • B) Temporary security credentials (STS)
  • C) SCPs
  • D) MFA only
    Answer: B) Temporary security credentials (STS)
    Explanation: STS provides time-limited access with temporary security tokens.

Q100. Which AWS monitoring service helps visualize metrics in dashboards?

  • A) CloudTrail
  • B) CloudWatch
  • C) Inspector
  • D) GuardDuty
    Answer: B) CloudWatch
    Explanation: CloudWatch provides dashboards for visualizing application and infrastructure metrics.

AWS certifications are among the highest-paying IT credentials worldwide 🌍. Security and monitoring are tested heavily in all AWS exams, making this section vital for success.

Keep practicing daily, and you’ll be fully prepared to ace your AWS Security Specialty or Associate exams. 🚀
