Backup of AWS MCQs 100 Module3 4

The document contains multiple-choice questions focused on AWS Cloud Foundations, covering topics such as global infrastructure and cloud security. It includes questions on AWS Regions, Availability Zones, IAM policies, and various AWS services. An answer key is provided at the end for reference.

Uploaded by

dgmdanielmarais

AWS Cloud Foundations — Multiple Choice Questions (100)

Modules: 3 (Global Infrastructure) & 4 (Cloud Security)

Instructions: For each question choose the single best answer (A, B, C, or D). An answer key is provided at the end of the document.

1. What is an AWS Region?

A. A physical data center building

B. A geographic area containing multiple Availability Zones

C. A single server hosting EC2 instances

D. The global network backbone

2. What is an Availability Zone (AZ)?

A. A single rack in a data center

B. A logical grouping of Regions

C. One or more discrete data centers with redundant power and networking within a Region

D. An edge cache location

3. Which AWS service provides information about API activity and account activity for auditing?

A. Amazon CloudWatch

B. AWS Config

C. AWS CloudTrail

D. AWS Shield

4. What does the AWS Shared Responsibility Model state that AWS is responsible for?

A. Security in the cloud (customer data and applications)

B. Security of the cloud (hardware, software, networking, facilities)

C. Customer identity and access management

D. Encrypting customer data client-side

5. Under the Shared Responsibility Model, customers are responsible for which of the following?

A. Physical security of AWS data centers

B. Patch management of managed services' underlying host OS

C. Configuration of security groups and IAM policies

D. Cooling and power for AWS servers

6. What is an Edge Location used for in AWS?

A. Hosting primary EC2 instances

B. Caching content closer to users via Amazon CloudFront

C. Storing long-term backups

D. Running full databases

7. Which service provides server-side key management and encryption in AWS?

A. AWS IAM

B. AWS KMS (Key Management Service)

C. AWS Shield

D. AWS WAF

8. In IAM, what is a 'role'?

A. A permanent user account

B. A set of permissions that can be assumed by entities (users, services, EC2 instances)

C. The AWS account root user

D. A physical security badge

9. Which statement about IAM policies is true?

A. An explicit Deny overrides an Allow

B. Allows and Denies are ignored if attached to a role

C. Policies are only applied to AWS managed services

D. Policies cannot be written in JSON

10. What does MFA (Multi-Factor Authentication) add to an AWS account?

A. A secondary password stored in S3

B. An extra authentication factor beyond username and password

C. Automatic role assignment

D. Region-level access control

11. Which service helps you maintain and assess compliance of AWS resource configurations over time?

A. AWS Config

B. AWS IAM

C. Amazon GuardDuty

D. AWS Shield

12. What is the purpose of Amazon Route 53?

A. Distributed database service

B. DNS service and domain registration

C. Content delivery network

D. Virtual private networking

13. Which AWS service provides DDoS protection at the network and transport layers?

A. AWS WAF

B. AWS Shield

C. AWS Config

D. CloudFront

14. What is the primary purpose of AWS CloudFront?

A. Virtual server hosting

B. Content delivery network (CDN) to reduce latency

C. Identity management

D. Key management

15. Which feature allows you to isolate network-level traffic within a VPC?

A. IAM roles

B. Security groups and Network ACLs

C. CloudTrail logs

D. Route 53 policies

16. Which service lets you centrally manage multiple AWS accounts and apply policies across them?

A. AWS Organizations

B. AWS Control Tower only

C. AWS IAM

D. Amazon Cognito

17. What is the 'root' user in an AWS account?

A. A service role

B. The initial identity with full access to the account

C. A limited permission IAM user

D. A read-only administrator

18. Which of the following best describes why the choice of AWS Region is important?

A. It only affects cost

B. It affects latency, data residency, and compliance

C. It does not affect availability

D. Regions are identical and interchangeable in all cases

19. What does Amazon GuardDuty provide?

A. Managed encryption keys

B. Threat detection and continuous security monitoring

C. DNS resolution

D. Automated backups

20. Which component stores detailed API call history for your AWS account?

A. CloudWatch Metrics

B. CloudTrail

C. AWS Config

D. AWS Inspector

21. What is an AWS Availability Zone composed of?

A. A single compute cluster

B. Multiple independent data centers

C. A single rack of servers

D. A single region

22. Which service is used to create and manage encryption keys in AWS?

A. AWS KMS

B. AWS Shield

C. AWS WAF

D. AWS Trusted Advisor

23. Which is true about AWS Edge Locations vs Regions?

A. Edge Locations host full services like EC2 and RDS

B. Regions are for compute and storage; Edge Locations are for caching/CDN

C. Edge Locations are larger than Regions

D. They are the same concept

24. What is AWS Artifact used for?

A. Key storage

B. Accessing AWS compliance reports and agreements

C. Log storage

D. WAF management

25. Which AWS service helps protect web applications from common web exploits?

A. AWS Shield Standard

B. AWS WAF (Web Application Firewall)

C. AWS Config

D. AWS KMS

26. Which of these is a characteristic of AWS data centers?

A. Publicly accessible server racks

B. Highly secure facilities with strict access controls

C. Owned by customers

D. Located only in the US

27. How do Security Groups differ from Network ACLs (NACLs)?

A. Security Groups are stateless; NACLs are stateful

B. Security Groups act at the instance level and are stateful; NACLs act at the subnet level and are stateless

C. They are identical in function

D. NACLs are applied to instances, Security Groups to subnets

28. What is AWS Organizations' SCP (Service Control Policy) used for?

A. Encrypting data

B. Restricting what services or actions accounts in an organization can use

C. IAM user password policy

D. Managing CloudFront distributions

29. What is the primary benefit of Regions with multiple Availability Zones?

A. Lower cost

B. Higher availability and fault tolerance

C. Reduced security

D. Single point of failure

30. Which service stores immutable, time-ordered configuration changes for auditing?

A. AWS Config

B. CloudTrail

C. S3

D. AWS Backup

31. Which of the following is a best practice for protecting the AWS root account?

A. Use the root account for daily tasks

B. Enable MFA, create individual IAM users, and store root credentials securely

C. Share root credentials with team members

D. Use root account for automated scripts

32. What does AWS KMS integrate with to provide encryption for services?

A. Only EC2

B. Many AWS services (S3, EBS, RDS, etc.) to provide envelope encryption

C. Only S3

D. It doesn't integrate with AWS services

33. When creating IAM policies, which language is used to write them?

A. XML

B. YAML only

C. JSON

D. Plain text key-value pairs

34. Which AWS service can help detect misconfigured or non-compliant resources?

A. AWS Config

B. Route 53

C. CloudFront

D. SNS

35. What is Amazon S3 primarily used for?

A. Object storage for files and backups

B. Managed SQL database

C. CDN caching

D. Serverless compute

36. What is the function of AWS IAM policies attached to users or roles?

A. Define network routes

B. Specify permissions to allow or deny actions on AWS resources

C. Manage DNS

D. Analyze logs

37. Which tool provides recommendations for cost optimization, performance, and security in AWS?

A. AWS Trusted Advisor

B. AWS Shield

C. AWS WAF

D. AWS Config

38. What is an IAM group used for?

A. To group AWS Regions

B. To simplify management by grouping IAM users and applying policies

C. To host Lambda functions

D. To encrypt data

39. Which security service monitors network and account activity for threats and unusual API calls?

A. Amazon GuardDuty

B. AWS WAF

C. Route 53

D. AWS Config

40. What is the purpose of AWS CloudTrail Insights?

A. Provide cost forecasts

B. Automatically detect unusual API activity and anomalies

C. Manage encryption keys

D. Host websites

41. Which of the following is NOT true about Regions and Availability Zones?

A. AZs in a Region are connected with low-latency links

B. Regions are isolated from each other for fault tolerance

C. All Regions have the exact same services and features at the same time

D. Choosing a Region affects latency and data residency

42. Which AWS service provides centralized logging and metric collection for monitoring?

A. AWS CloudWatch

B. AWS WAF

C. AWS Shield

D. AWS KMS

43. What is the IAM 'least privilege' principle?

A. Granting all permissions to simplify access

B. Granting only the permissions necessary to perform a task

C. Never using IAM

D. Using root credentials for all tasks

44. Which AWS service helps you manage SSL/TLS certificates for use with AWS services?

A. AWS Certificate Manager (ACM)

B. AWS KMS

C. AWS WAF

D. AWS Config

45. Which service provides a virtual network isolated from other networks in the AWS Cloud?

A. Amazon VPC

B. IAM

C. S3

D. CloudFront

46. What is a VPC subnet?

A. A single IP address

B. A range of IP addresses in a VPC in a specific AZ

C. A global network across regions

D. An Edge Location

47. Which AWS service is primarily used for centralized identity management for employees with single sign-on?

A. AWS IAM only

B. AWS Single Sign-On (AWS SSO) / IAM Identity Center

C. Amazon Cognito

D. Route 53

48. What does an explicit Deny in an IAM policy do?

A. Overrides any Allow and prevents the action

B. Is ignored when other policies Allow

C. Grants temporary access

D. Only applies to root user

49. Which AWS service can enforce resource-level rules and guardrails across an Organization?

A. AWS Config Rules and AWS Organizations (SCPs)

B. CloudFront

C. S3 lifecycle policies

D. IAM groups only

50. Which statement about AWS data durability is true for S3 Standard?

A. S3 Standard provides 99% durability

B. S3 Standard is designed for 99.999999999% (11 9's) of durability over a given year

C. S3 Standard guarantees infinite durability

D. S3 Standard has no durability guarantees

51. What is the purpose of Amazon Inspector?

A. DDoS protection

B. Automated security assessment to help improve security and compliance

C. Manage IAM users

D. Handle DNS routing

52. Which AWS service allows you to rotate, manage, and control access to secrets (like database credentials)?

A. AWS Secrets Manager

B. AWS KMS only

C. AWS Config

D. Amazon S3

53. What type of encryption is typically used for data 'in transit'?

A. Disk-level encryption only

B. TLS/SSL

C. KMS key encryption only

D. S3 bucket policy

54. What is the primary use of Security Groups in EC2?

A. Encrypt EBS volumes

B. Act as a virtual firewall controlling inbound and outbound traffic for instances

C. Manage IAM policies

D. Host databases

55. Which AWS service would you use to centrally view and analyze logs across multiple accounts?

A. AWS CloudTrail only

B. Amazon Athena

C. Centralized CloudWatch Logs and AWS Logs Insights (optionally via Organizations)

D. S3 static hosting

56. In the context of AWS, what is 'defense in depth'?

A. Rely on a single security control

B. Multiple layers of security controls at different levels (network, identity, application, data)

C. Using only perimeter firewalls

D. Avoiding IAM

57. Which of the following prevents accidental public access to S3 buckets at the account level?

A. S3 Block Public Access settings

B. CloudFront

C. AWS Shield

D. IAM roles

58. What is the main benefit of using IAM roles with EC2 instances?

A. You must store long-term credentials on the instance

B. Provide temporary credentials for applications running on instances without storing long-term keys

C. Increase instance CPU

D. Make instances public

59. Which AWS service provides managed, scalable DNS routing with health checks and routing policies?

A. Amazon Route 53

B. AWS WAF

C. AWS Shield

D. AWS Config

60. What is Cross-Region Replication (CRR) for S3 used for?

A. Replicate objects across buckets in different AWS Regions for redundancy and compliance

B. Cache objects at the edge

C. Replicate EC2 instances across AZs

D. Automatic IAM role replication

61. Which service provides a managed Web Application Firewall to protect against common attacks like SQL injection?

A. AWS WAF

B. AWS Shield

C. AWS Config

D. CloudTrail

62. What is the effect of enabling AWS CloudTrail for your account?

A. It provides DNS resolution

B. It records account activity and API calls for auditing and analysis

C. It encrypts S3 buckets automatically

D. It disables IAM users

63. Which AWS service provides automatic key rotation and centralized key policies?

A. AWS KMS

B. AWS Config

C. CloudWatch

D. S3

64. Which of these is a characteristic of an IAM user?

A. Temporary credentials that automatically expire

B. An identity for a person or service that can have credentials and permissions

C. An encryption key

D. A VPC component

65. What does 'least-privilege' access help prevent?

A. Increased costs

B. Unnecessary access and reduced blast radius when credentials are compromised

C. Faster performance

D. Region outages

66. Which mechanism can be used to provide temporary credentials to mobile or web applications?

A. AWS STS (Security Token Service) and Cognito

B. Root credentials

C. Static IAM user keys

D. Route 53

67. Which AWS service provides a global network of Points of Presence used by CloudFront?

A. Edge Locations

B. Regions

C. Availability Zones

D. VPC

68. Which of the following is true about CloudTrail log file integrity validation?

A. It prevents logs from being written

B. It helps detect whether CloudTrail log files have been altered after delivery

C. It encrypts the logs with KMS

D. It deletes logs after 7 days

69. Which AWS construct helps you enforce encryption at rest for EBS volumes?

A. EBS encryption using KMS-managed keys

B. Security Groups

C. Route 53

D. CloudFront

70. What is AWS Shield Advanced used for?

A. Basic account monitoring

B. Enhanced DDoS protection with cost protection and response team access

C. Managing IAM policies

D. Certificate management

71. Which AWS service can detect configuration drift and evaluate compliance against rules?

A. AWS Config

B. CloudWatch Events only

C. CloudFormation only

D. AWS Shield

72. Which AWS tool helps you analyze and visualize CloudTrail logs or S3 logs using SQL-style queries?

A. Amazon Athena

B. AWS KMS

C. Route 53

D. CloudFront

73. Which of the following ensures that a backup stored in S3 is not altered?

A. S3 versioning with Object Lock (WORM)

B. Disabling ACLs

C. Route 53 settings

D. IAM group policy

74. Which service would you use to centrally manage security findings across AWS accounts?

A. AWS Security Hub

B. AWS WAF

C. Route 53

D. AWS Config

75. Which of the following is a best practice for IAM access keys?

A. Embed them in code and check into repositories

B. Rotate them regularly and avoid long-term keys; use roles where possible

C. Share with team via email

D. Never rotate keys

76. What is the typical use case for AWS Organizations' Service Control Policies (SCPs)?

A. Encrypting data

B. Applying account-level guardrails to restrict allowed actions across member accounts

C. Managing IAM user passwords

D. Hosting databases

77. Which of the following AWS services is primarily for identity federation and external identity providers?

A. Amazon Cognito and AWS IAM Identity Center (SSO)

B. Route 53

C. CloudFront

D. S3

78. What does VPC peering allow?

A. Direct network connectivity between two VPCs using private IPs

B. Public internet access between VPCs

C. Replication of S3 buckets across VPCs

D. Automatic IAM role sharing

79. Which of the following is an example of a resource-based policy?

A. An IAM user policy

B. An S3 bucket policy that grants access to another AWS account

C. A group policy

D. A local OS policy

80. Which feature helps you detect suspicious activity in DNS queries using Route 53 Resolver?

A. Route 53 Resolver DNS Firewall

B. CloudFront

C. IAM roles

D. AWS WAF

81. What best describes AWS Edge Locations' role in reducing latency?

A. They are used for compute-heavy tasks

B. They cache and serve content closer to end users

C. They replicate IAM users

D. They store KMS keys

82. Which type of CloudTrail delivers events for management operations such as CreateUser?

A. Data events only

B. Management events

C. Billing events only

D. Network events

83. Which service can help you automatically remediate non-compliant resources identified by AWS Config Rules?

A. AWS Systems Manager Automation or AWS Config Remediation

B. Route 53

C. CloudFront

D. IAM groups

84. Which AWS service helps protect web applications from bots and automated attacks?

A. AWS WAF with AWS Shield and additional bot control

B. IAM roles

C. CloudTrail

D. S3

85. Which of the following is FALSE about IAM roles for cross-account access?

A. Roles can be assumed by principals in other AWS accounts

B. Cross-account roles require trust policies

C. Roles automatically grant full admin access to other accounts without restrictions

D. Roles can have permissions policies limiting allowed actions

86. What is AWS Config's relationship to CloudTrail?

A. They are the same service

B. CloudTrail records API calls; AWS Config records resource configuration changes; both are complementary

C. AWS Config only stores logs for CloudTrail

D. CloudTrail manages encryption for Config

87. Which of the following is a networking best practice to increase fault tolerance across AZs?

A. Deploy resources across multiple Availability Zones

B. Use only one AZ to simplify management

C. Use only edge locations

D. Avoid using Load Balancers

88. Which of the following helps manage permissions at scale for many AWS accounts and workloads?

A. IAM users in each account only

B. AWS Organizations, IAM Identity Center, and SCPs

C. Local OS users

D. Route 53 policies

89. What is an AWS Region?

A. A physical data center building

B. A geographic area containing multiple Availability Zones

C. A single server hosting EC2 instances

D. The global network backbone

90. What is an Availability Zone (AZ)? (from the modules)

A. A single rack in a data center

B. A logical grouping of Regions

C. One or more discrete data centers with redundant power and networking within a Region

D. An edge cache location

91. Which AWS service provides information about API activity and account activity for auditing? (choose the best answer)

A. Amazon CloudWatch

B. AWS Config

C. AWS CloudTrail

D. AWS Shield

92. In AWS, what does the AWS Shared Responsibility Model state that AWS is responsible for?

A. Security in the cloud (customer data and applications)

B. Security of the cloud (hardware, software, networking, facilities)

C. Customer identity and access management

D. Encrypting customer data client-side

93. Under the Shared Responsibility Model, customers are responsible for which of the following?

A. Physical security of AWS data centers

B. Patch management of managed services' underlying host OS

C. Configuration of security groups and IAM policies

D. Cooling and power for AWS servers

94. What is an Edge Location used for in AWS?

A. Hosting primary EC2 instances

B. Caching content closer to users via Amazon CloudFront

C. Storing long-term backups

D. Running full databases

95. Which service provides server-side key management and encryption in AWS? (from the modules)

A. AWS IAM

B. AWS KMS (Key Management Service)

C. AWS Shield

D. AWS WAF

96. In IAM, what is a 'role'? (choose the best answer)

A. A permanent user account

B. A set of permissions that can be assumed by entities (users, services, EC2 instances)

C. The AWS account root user

D. A physical security badge

97. In AWS, which statement about IAM policies is true?

A. An explicit Deny overrides an Allow

B. Allows and Denies are ignored if attached to a role

C. Policies are only applied to AWS managed services

D. Policies cannot be written in JSON

98. What does MFA (Multi-Factor Authentication) add to an AWS account?

A. A secondary password stored in S3

B. An extra authentication factor beyond username and password

C. Automatic role assignment

D. Region-level access control

99. Which service helps you maintain and assess compliance of AWS resource configurations over time?

A. AWS Config

B. AWS IAM

C. Amazon GuardDuty

D. AWS Shield

100. What is the purpose of Amazon Route 53? (from the modules)

A. Distributed database service

B. DNS service and domain registration

C. Content delivery network

D. Virtual private networking


Answer Key — AWS MCQs (100 Questions)

1. B

2. C

3. C

4. B

5. C

6. B

7. B

8. B

9. A

10. B

11. A

12. B

13. B

14. B

15. B

16. A

17. B

18. B

19. B

20. B

21. B

22. A

23. B

24. B

25. B

26. B

27. B

28. B

29. B

30. A

31. B

32. B

33. C

34. A

35. A

36. B

37. A

38. B

39. A

40. B

41. C

42. A

43. B

44. A

45. A

46. B

47. B

48. A

49. A

50. B

51. B

52. A

53. B

54. B

55. C

56. B

57. A

58. B

59. A

60. A

61. A

62. B

63. A

64. B

65. B

66. A

67. A

68. B

69. A

70. B

71. A

72. A

73. A

74. A

75. B

76. B

77. A

78. A

79. B

80. A

81. B

82. B

83. A

84. A

85. C

86. B

87. A

88. B

89. B

90. C

91. C

92. B

93. C

94. B

95. B

96. B

97. A

98. B

99. A

100. B
