Security Engineering on AWS Certification Cheat Sheet 2026

The 30 highest-yield Security Engineering on AWS Certification facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

  1. Which AWS feature should you enable on an Amazon ECR repository to prevent mutable image tags from being overwritten, reducing supply chain attack risk? ECR image tag immutability
  2. Which AWS service can be used to create golden AMIs with security baselines pre-baked, and automatically test and distribute them across regions? EC2 Image Builder
  3. In an Amazon EKS cluster, which Kubernetes object defines network-level rules that restrict traffic between pods to only permitted sources and destinations? Kubernetes NetworkPolicy
  4. An engineer notices GuardDuty finding type 'UnauthorizedAccess:IAMUser/TorIPCaller'. What does this indicate? An IAM user's credentials were used from a Tor network exit node
  5. What common challenge do professionals face when applying System Administration & Configuration principles? Balancing theoretical best practices with practical constraints and real-world conditions
  6. What is the recommended approach to staying current in Access Control & Identity Management? Regular professional development, industry publications, and peer collaboration
  7. What should be the first action when a new regulation is enacted that affects your practice? Review the regulation, assess its impact, and develop an implementation plan
  8. Which approach to compliance is considered most effective? A proactive approach that integrates compliance into daily operations
  9. Which best describes the scope of Vulnerability Assessment & Penetration Testing in professional practice? A comprehensive area covering both theoretical foundations and practical applications
  10. When GuardDuty is enabled in an AWS Organization, which account should be designated as the GuardDuty administrator? A dedicated security account delegated as the GuardDuty administrator
  11. A company wants to automatically remediate non-compliant AWS Config rules. Which approach should they use? Use AWS Config remediation actions backed by AWS Systems Manager Automation documents
  12. What does enabling 'CloudTrail Insights' provide that standard CloudTrail does not? Automatic detection of unusual API call rates or error rates that deviate from baseline
  13. What common challenge do professionals face when applying Cryptography & Data Protection principles? Balancing theoretical best practices with practical constraints and real-world conditions
  14. What common challenge do professionals face when applying Application Security & Development principles? Balancing theoretical best practices with practical constraints and real-world conditions
  15. What distinguishes inherent risk from residual risk? Inherent risk exists before controls; residual risk remains after controls are applied
  16. Which best describes the scope of Application Security & Development in professional practice? A comprehensive area covering both theoretical foundations and practical applications
  17. What common challenge do professionals face when applying Access Control & Identity Management principles? Balancing theoretical best practices with practical constraints and real-world conditions
  18. What is the recommended approach to staying current in Database Management & Security? Regular professional development, industry publications, and peer collaboration
  19. Which AWS service can analyze VPC Flow Logs, DNS logs, and CloudTrail logs to investigate the root cause and full scope of a security incident? Amazon Detective
  20. How often should compliance procedures be reviewed and updated? Regularly, and whenever regulations change or new risks are identified
  21. Which best describes the scope of Cloud Computing & Virtualization in professional practice? A comprehensive area covering both theoretical foundations and practical applications
  22. What is the recommended approach to staying current in Threat Detection & Incident Response? Regular professional development, industry publications, and peer collaboration
  23. What is the most important competency assessed in Application Security & Development for professionals in this field? Applied knowledge and practical problem-solving ability
  24. When configuring an Amazon ECS task definition, which setting prevents a container from running as the Linux root user inside the container? Setting 'user' to a non-root UID or enabling 'privileged: false'
  25. What is the most important competency assessed in Threat Detection & Incident Response for professionals in this field? Applied knowledge and practical problem-solving ability
  26. When configuring a Lambda function's execution role following the principle of least privilege, what is the recommended approach? Create a unique IAM role per function with only the permissions that function requires
  27. What does a VPN provide in terms of network security? Encrypted communication tunnels over public networks
  28. Which best describes the scope of Cryptography & Data Protection in professional practice? A comprehensive area covering both theoretical foundations and practical applications
  29. Which CloudTrail feature allows you to validate that log files have not been tampered with after delivery? Log file validation using digest files
  30. What is the most important competency assessed in Cryptography & Data Protection for professionals in this field? Applied knowledge and practical problem-solving ability