SCS-C03 Sample Questions Answers

AWS Systems Manager Session Manager providessecure, auditable, and portless accessto EC2 instances. According to the AWS Certified Security – Specialty Study Guide, Session Manager allows administrators to connect to instanceswithout opening inbound SSH or RDP ports, fully satisfying strict compliance requirements.

Session Manager integrates directly withAWS IAM Identity Center, ensuring that all access is authenticated and authorized using centralized identity management. Additionally, Session Manager automatically records session activity and can send logs to Amazon CloudWatch Logs or Amazon S3, providing a complete audit trail of all commands executed during a session.

Option A (EC2 serial console) does not provide comprehensive auditing and is intended for recovery scenarios. Option B requires inbound network access and security group rules, violating the “no exposed management ports” requirement. Option D explicitly opens ports, which directly violates compliance constraints.

AWS documentation clearly identifiesSystems Manager Session Manager as the recommended solution for secure, auditable, and identity-integrated instance accessin regulated environments.

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Session Manager Documentation

AWS IAM Identity Center Best Practices

CloudWatch Logs Insights is a managed, on-demand query capability designed to search and analyze log data stored in CloudWatch Logs without moving the data elsewhere. AWS Certified Security – Specialty documentation highlights Logs Insights as the lowest-effort method for rapid investigations, because it supports filtering, parsing, aggregation, and time-range queries directly over existing log groups. In this scenario, the logs already exist in CloudWatch Logs with sufficient retention. The engineer can write a query that filters for the suspicious IP address, counts occurrences over the last 7 days, and extracts requested URLs using parsing functions. This satisfies both requirements (count and URLs) immediately, without building pipelines or exporting data. Option B adds operational overhead by provisioning and maintaining OpenSearch ingestion and indexing. Options A and D require exporting data and additional services that are not necessary for a one-week forensic query. Therefore, Logs Insights is the most efficient and cost-effective approach.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Insights Querying and Investigation Workflows

Amazon Cognito is a fully managed identity service that providesuser authentication, authorization, and user managementfor web and mobile applications. According to AWS Certified Security – Specialty documentation, Cognito user pools are specifically designed to offload authentication responsibilities from applications while maintaining strong security controls.

By federating authentication with third-party identity providers (such as social IdPs), Cognito eliminates the need for the company to manage user passwords directly. This dramatically reduces password reset requests and customer service overhead, while also improving security throughindustry-standard authentication mechanisms, including MFA and token-based access.

Option A is insecure and incorrect because IAM access keys are not intended for end users. Option B simply relocates password storage and does not reduce operational burden. Option D uses API keys, which are not designed for user authentication and provide no identity verification.

AWS guidance clearly states thatAmazon Cognito is the recommended service for scalable, secure user authentication, especially when reducing password management complexity is a requirement.

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito User Pools Documentation

AWS IAM Security Best Practices

Amazon S3 Object Lock in compliance mode provides write-once-read-many (WORM) protection, which prevents objects from being modified or deleted for a specified retention period. According to the AWS Certified Security – Specialty Study Guide, compliance mode enforces immutability even for the root user and cannot be overridden.

Enabling S3 Object Lock requires S3 bucket versioning and ensures that once an object is written, it cannot be changed or removed until the retention period expires. This is the strongest protection against data modification and is commonly used for regulatory and legal retention requirements.

Option A can be bypassed by administrators. Option D only protects against deletions, not overwrites. Option C changes encryption but does not prevent modification.

AWS documentation explicitly identifies S3 Object Lock in compliance mode as the correct solution for immutable data storage.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Object Lock

Amazon S3 Data Protection and Compliance

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

Network ACLs arestateless, so you must allow both the outbound request and the inboundreturn traffic. For outbound TLS to an internet service on TCP443, you need an outbound allow rule permitting destination port 443. The return traffic from the internet service will come back to the instance’sephemeral port(typically in the range 1024–65535) on the inbound path. Therefore, you must allow inbound TCP traffic on the ephemeral port range to support established outbound connections.

At the same time, the requirement is todeny inbound MySQL (TCP 3306). Because NACLs process rules in order (lowest rule number first), placing an explicit deny for port 3306 as a low-numbered inbound rule ensures that traffic destined for MySQL is blocked even if there are broader allow rules later.

Option B does exactly this: it denies inbound TCP 3306 first, then allows inbound ephemeral ports for return traffic, and allows outbound TCP 443. Option A/D incorrectly allow inbound 443 (not needed for outbound-only TLS) and fail to explicitly allow ephemeral return traffic correctly. Option C allows ephemeral inbound first, and then denies 3306 later; while 3306 is not in the ephemeral range, B is the clean, canonical ordering and matches the intended stateless-return-traffic pattern most directly.

In AWS IAM Identity Center (formerly AWS Single Sign-On), users and groups do not automatically gain access to all accounts in an AWS Organization simply because the accounts exist. Access is explicitly granted by assigning aprincipal(user or group) to a specific AWS account along with apermission set. Permission sets define the IAM policies that are provisioned into the target account as IAM roles.

In this scenario, employees in theCloudActive Directory group can access nearly all AWS accounts, which confirms that AD Connector synchronization is functioning correctly, eliminating option B. The fact that Account A exists but is inaccessible strongly indicates that the required account assignment is missing. Without explicitly assigning the Cloud group to Account A with a valid permission set, IAM Identity Center will not provision the necessary IAM role, and users will not see or access the account in the AWS access portal.

Option A is incorrect because accounts do not need to be placed in an OU to be accessible through IAM Identity Center. Option D is incorrect because IAM permissions boundaries do not control access to entire accounts and are not applied at the account level to block IAM Identity Center access.

AWS Security Specialty documentation emphasizes thataccount assignments are mandatoryfor IAM Identity Center access, making option C the correct answer.

To restrict activity to a single Region in an OU using an SCP, the standard pattern is an explicitDenyfor requests madeoutsidethe allowed Region, while carving out exceptions forglobal servicesthat do not use aws:RequestedRegion in the same way (or that must remain usable regardless of Region). This is done withEffect: Deny, aConditionusing StringNotEquals on aws:RequestedRegion for the allowed Region (here, eu-west-1), andNotActionlisting the global services that should remain available.

This works because SCPs act asguardrails: an explicit Deny in an SCP overrides IAM Allow in member accounts, ensuring the restriction applies consistently to all existing and future accounts placed in the OU. The StringNotEquals condition ensures the deny triggers for any Region other than eu-west-1. The NotAction exception list ensures that the specified global services are not blocked by this deny statement.

Option A is wrong because StringEquals would deny actionsineu-west-1 rather than outside it. Options B and D useAllowstatements, which do not enforce “only this Region” safely in SCPs unless combined with a comprehensive deny strategy; they would not reliably restrict all other services/regions. Therefore, option C is the correct SCP structure.

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls

Amazon OpenSearch Service is designed for near real-time log ingestion, indexing, and search across large volumes of data. According to the AWS Certified Security – Specialty Study Guide, OpenSearch supports advanced log analytics use cases and integrates with OpenSearch Security Analytics, which provides prebuilt and custom detection rules.

Security Analytics can continuously evaluate incoming logs from multiple AWS services and generate alerts when detection rules are matched. These alerts can be forwarded to Amazon SNS with minimal configuration. OpenSearch also provides powerful search and query capabilities through APIs and dashboards.

Option C supports detection but lacks advanced correlation and scalable search capabilities. Option B is not a log analytics service. Option D is a visualization service and does not support real-time detection.

AWS guidance recommends OpenSearch Service for centralized, near real-time log analysis and alerting.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon OpenSearch Service Security Analytics

AWS Logging and Monitoring Architecture

Amazon S3 Lifecycle configuration rules are the native, automated mechanism for managing object retention and deletion. According to AWS Certified Security – Specialty documentation, lifecycle rules can be configured to expire objects based on the number of days since object creation. Once the expiration time is reached, Amazon S3 permanently deletes the objects without manual intervention.

This solution directly enforces a maximum retention period of 72 hours and ensures compliance regardless of whether the vendor downloads the data or not. Lifecycle rules are evaluated continuously by Amazon S3 and do not require scripts, cron jobs, or additional services, making them the most operationally efficient and cost-effective solution.

S3 Versioning controls versions but does not enforce object deletion timelines. S3 Intelligent-Tiering optimizes storage cost but does not delete objects. Presigned URLs only control access duration and do not remove objects from storage.

AWS explicitly recommends lifecycle policies for automated data retention enforcement.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

To ensure traffic from a VPC to AWS KMS stays on the AWS network and does not use public endpoints, you should use aninterface VPC endpoint (AWS PrivateLink) for KMS. Creating aVPC endpoint for KMS with private DNS enabled(Option C) causes standard KMS DNS names (for example, kms. < region > .amazonaws.com) to resolve to theprivateendpoint IPs inside the VPC, routing requests over the AWS private network rather than through the internet. This is the core networking control that satisfies “no public service endpoints.”

To enforce that only calls that come through the intended VPC endpoint can use the key, add an authorization guardrail in theKMS key policyusing the aws:sourceVpce condition (Option A). This ensures that even if a principal has credentials, KMS will deny usage unless the request is made via the specified VPC endpoint, preventing accidental or malicious use over public paths.

Option B is neither necessary nor sufficient: removing an internet gateway does not prevent all public endpoint use (NAT, other egress paths, or other VPCs could still be involved) and can break workloads. Option D is unrelated to runtime KMS API traffic. Option E is weaker because SourceIp checks can be bypassed via other AWS network paths and does not guarantee PrivateLink usage the way sourceVpce does.

The database islatency-sensitive, so the connectivity option should minimize jitter and provide more consistent performance than traversing the public internet.AWS Direct Connectprovides a dedicated network connection from the on-premises environment into AWS, typically delivering more stable throughput and lower/consistent latency characteristics compared with internet-based paths. However, Direct Connect by itself does not automatically provideIPsec encryption.

To satisfy the explicit requirement that traffic must haveIPsec encryption, the common AWS pattern is to run anAWS Site-to-Site VPN(IPsec tunnels) in conjunction with Direct Connect. This can be done as “VPN over Direct Connect” to encrypt the traffic while still taking advantage of Direct Connect’s private, predictable connectivity. This combination meets both requirements: improved latency characteristics (Direct Connect) and IPsec encryption (Site-to-Site VPN).

The other options do not fit. VPN CloudHub (Option C) is for connecting multiple remote sites together via AWS as a hub-and-spoke, not a primary low-latency private link. VPC peering (Option D) is only for VPC-to-VPC connectivity and does not connect to on-premises. NAT gateway (Option E) is for outbound internet/NAT translation and does not provide private encrypted connectivity to on-premises.

AWS Systems Manager Run Command enables secure, remote execution of commands on EC2 instances without requiring network access or inbound ports. According to the AWS Certified Security – Specialty Study Guide, Run Command is a recommended mechanism for incident response actions such as installing forensic tools, collecting evidence, or applying quarantine controls.

By granting the SSM Agent permission to execute a predefined Run Command document, the security engineer can immediately run the quarantine script across affected instances. This approach supports automation, scalability, and auditability, all of which are critical during security incidents.

Options A, B, and C do not directly enforce quarantine or execute response actions. Tracking versions and storing scripts alone do not trigger incident response.

AWS documentation highlights Systems Manager Run Command as a core capability for automated containment and investigation.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Run Command

AWS Incident Response Automation

AWS Audit Manager is specifically designed to help organizations continuously audit their AWS usage against compliance frameworks and generate audit-ready reports. According to AWS Certified Security – Specialty documentation, Audit Manager includes AWS managed frameworks for compliance standards, including PCI DSS v4.0.

Audit Manager automatically collects evidence from AWS services such as API Gateway, Lambda, RDS, CloudTrail, and Config, and maps the evidence directly to PCI DSS controls. Importantly, Audit Manager allows compliance teams to upload and attach manual evidence, which is a key requirement in this scenario.

Option C provides visibility into control status but does not support adding manual evidence. Option B evaluates configuration compliance but does not generate formal compliance reports. Option A requires extensive manual effort and is not aligned with PCI reporting workflows.

AWS documentation positions Audit Manager as the authoritative service for compliance reporting and audit evidence management.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Audit Manager PCI DSS Framework

AWS Compliance Reporting Best Practices

AWS Organizations tag policies are designed to standardize and govern tag keys and allowed values across accounts. AWS Certified Security – Specialty documentation describes tag policies as a governance mechanism that helps enforce consistent tagging by specifying required tag keys and permitted values. To ensure every resource has the CostCenter tag at creation time, an SCP can deny create actions when aws:RequestTag/CostCenter is missing (null). This prevents resources from being created without the required tag. Tag policies then define the three approved values and can be configured to enforce or report noncompliance depending on supported services, ensuring that tag values remain within the allowed set and preventing drift to unapproved values. Compared with custom Lambda-based enforcement, this approach minimizes operational overhead and keeps enforcement within AWS native governance services. Option A partially addresses allowed values at request time but does not address ongoing governance as cleanly across many services. Option B is not preventive because Lambda runs after events and cannot reliably block all creations. Option D still relies on custom logic and is not as operationally efficient as tag policies plus SCP guardrails.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Tag Policies

AWS Organizations SCP Condition Keys for Tag Enforcement

AWS Health providesreal-time visibility into events that affect AWS accounts, including abuse notifications such asAWS_ABUSE_DOS_REPORT. According to the AWS Certified Security – Specialty Study Guide, AWS Health events are natively integrated withAmazon EventBridge, enabling automated, near-real-time responses without polling or custom code.

By creating an EventBridge rule that listens for AWS Health events related to abuse reports and configuring the rule to publish messages to an SNS topic, the security engineer ensures immediate notification to the security team whenever AWS issues a DoS-related abuse report for the account.

Option A and C rely on periodic polling using Lambda functions, which introduces latency and operational complexity. Option D is incorrect because CloudTrail does not log AWS abuse notifications.

AWS documentation explicitly identifiesAWS Health + EventBridge + SNSas the recommended architecture for near-real-time operational and security alerts originating from AWS.

AWS Certified Security – Specialty Official Study Guide

AWS Health User Guide

Amazon EventBridge Documentation

AWS Incident Response Best Practices

AWS CloudHSM is aVPC-scopedservice: the HSMs (and the CloudHSM cluster) live inside a VPC in the central account, and clients connect over the network to perform cryptographic operations. When another account needs to use a centrally managed CloudHSM cluster, the right approach is toshare the CloudHSM clusterwith that account and allow network connectivity from the consuming account’s clients. AWS provides cross-account resource sharing throughAWS Resource Access Manager (AWS RAM)for supported resources, including CloudHSM clusters. Sharing thecluster/HSM identifieris what grants the consuming account visibility/ability to create client configurations against that shared cluster.

After sharing, the consuming account’s EC2 instances (CloudHSM clients) still must be able to reach the HSM ENIs over the network, so the CloudHSM security group in the central account must allow inbound connections from the client sources (typically by security group referencing via VPC connectivity, or by allowing the relevant IP range/ports as appropriate).

Option A is incorrect because sharing asubnet IDdoes not share the CloudHSM resource itself. Options B and C misuse IAM/STS: CloudHSM cryptographic operations are not granted via assuming an IAM role into the central account; access is based oncluster sharing + network connectivity + CloudHSM user authenticationat the HSM level.

AWS WAF allows security engineers to createstring match rule statementsthat inspect specific parts of web requests, including HTTP headers such as theUser-Agentheader. According to the AWS Certified Security – Specialty Study Guide and AWS WAF documentation, string match rules are ideal for blocking requests that contain known malicious identifiers, such as a distinctive user agent associated with a specific bot or IoT device brand.

In this scenario, the attack originates from a specific IoT device brand that uses aunique user agent. A string match rule that inspects the User-Agent header can precisely block malicious requests while allowing legitimate customer traffic to continue uninterrupted. This approach provides targeted mitigation for both current and future attacks originating from the same device signature.

Option A is incorrect because IP addresses cannot be derived from user agent strings, and IoT botnets frequently rotate IP addresses, making IP-based blocking ineffective. Option B is incorrect because geographic blocking is overly broad and risks blocking legitimate customers in the same regions as the attacking devices. Option C is incorrect because rate-based rules limit request volume per IP address and do not specifically identify malicious device signatures; legitimate high-traffic users could be unintentionally blocked.

AWS documentation emphasizes thatheader inspection with string match conditionsis a best practice for mitigating attacks that use identifiable request characteristics such as custom user agents, especially in DDoS and bot mitigation scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rule Statements

AWS DDoS Resiliency Best Practices

AWS Well-Architected Framework – Security Pillar

A rate-based rule in AWS WAF is designed to quickly mitigate spikes and potential layer 7 floods bytracking request rates per originating IPand temporarily blocking (or counting/challenging, depending on configuration) IPs that exceed a defined threshold within a 5-minute rolling window. In this scenario, the malicious traffic is distributed acrosshundreds of IPsin two countries, and the application still needs to remain available globally for legitimate users. A rate-based rule provides fast, targeted throttling that reduces abusive request patterns without permanently blocking entire geographies. This aligns with “quickly limit” while minimizing collateral impact.

Blocking both countries with a geo match rule (Option B) would likely block legitimate users located in those countries, which violates the requirement. Security groups (Options C and D) cannot natively enforcegeographicfiltering, and they are not well suited for large, rapidly changing sets of public source IPs at the application layer. Additionally, WAF operates at layer 7 with richer matching (rate limiting, URI/header patterns, bot controls), which is the appropriate control point when the ALB already has a web ACL associated. Therefore, implementing an AWS WAFrate-basedrule is the most effective and least disruptive immediate mitigation.

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance,CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send acustom origin header(such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured toforward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommendscustom origin headersas the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

The most secure and AWS-recommended pattern for cross-account access is to create anIAM role in the target account (production)and allow trusted principals from the source account (developer) toassume the roleby using AWS STS. This avoids long-term credentials in the production account, supports short-lived session credentials, and enables strong controls such as MFA requirements, session duration limits, and precise least-privilege permissions attached to the role. It also centralizes ownership of production permissions in the production account, which is important for separation of duties and governance.

Option A is insecure because it requires password sharing and uses a long-lived IAM user credential, which is against AWS best practices. Option C is also poor because it relies on a long-lived IAM user in the production account and encourages credential sharing/duplication. Option B places the role in the developer account; while you can attach permissions there, access to production resources is governed by the production account. The standard approach is a production-account role with a trust policy that names the developer account principals (or a role) as allowed to assume it. Therefore, Option D is the most secure solution.

GuardDuty’s DNS-related detections depend on GuardDuty being able to observeDNS query behaviorthrough AWS-provided DNS resolution paths in the VPC. If a VPC is configured to use acustom DNS resolvervia DHCP options (for example, an OpenDNS resolver) instead of the AmazonProvidedDNS resolver, DNS queries may bypass the visibility path GuardDuty relies on for DNS analysis and pattern detection. In that case, the test traffic (queries to example.com) might not be evaluated by GuardDuty’s DNS finding logic, so no DNS finding is generated—and therefore nothing is forwarded into Security Hub.

Option A is incorrect because VPC flow logs are not a prerequisite for GuardDuty to produce DNS findings; GuardDuty uses native telemetry sources and does not require customer-managed flow logs to be enabled. Option D is irrelevant because the company operates in a single Region, and cross-Region aggregation would not be required for the delegated administrator to see findings from the same Region. Option C is less likely given the setup explicitly states GuardDuty and Security Hub are automatically enabled across accounts; also, even if enabled, the specific lack of a DNS finding points to DNS visibility/configuration rather than a downstream integration toggle.

The requirement includesremediating existing noncompliant bucketsand also handlingfuture noncompliant bucketsacross multiple accounts and Regions. Anorganization-wide AWS Config aggregatorprovides centralized visibility into compliance status across all member accounts/Regions. To remediate, AWS Config can trigger automation (commonly via EventBridge/SNS) that invokes anAWS Lambda function(or SSM Automation) to take corrective action—such as enabling default encryption, blocking public access, or applying required bucket policies—whenever a bucket is evaluated as noncompliant. This addresses both existing findings (by running remediation on current noncompliant resources) and new ones (by automatically reacting when new buckets appear or configurations drift).

Options C and D are insufficient because they scope only to “accounts and Regions the company currently uses,” which fails the multi-Region/multi-account organization requirement and would miss future expansion. Option B helps prevent creation of new noncompliant resources but does not remediate existing buckets, which is explicitly required. Therefore, the combination of an org-wide aggregator plus automated remediation on Config noncompliance is the best fit.

AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Roles

To addresssoftware vulnerabilities, you need both (1) a vulnerability assessment capability and (2) a consistent patching mechanism.Amazon Inspectorcontinuously scans EC2 instances for known software vulnerabilities and exposures (CVEs), package-level issues, and security misconfigurations relevant to the supported scan types. It provides prioritized findings and helps the security team understand which instances are exposed and why.

To mitigate those vulnerabilities,AWS Systems Manager Patch Managerprovides automated, policy-driven patching for fleets of EC2 instances. Patch Manager can schedule patch windows, control reboots, enforce baselines, and report compliance, allowing the company to remediate issues at scale with controlled operational impact.

Option B focuses on firewall/AV tooling, which can be helpful, but it is not a complete vulnerability detection-and-patching solution and is heavier to manage across large fleets. Option C is centered on log anomaly detection, not vulnerability management. Option D mixes GuardDuty Malware Protection (malware detection) with patching; GuardDuty is not a vulnerability scanner and does not replace Inspector for CVE detection. Therefore, Inspector + Patch Manager is the correct combined solution to detect and mitigate software vulnerabilities.

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

Amazon S3 Lifecycle rules provide anative, fully managed mechanismto automatically transition or delete objects based on their age. According to the AWS Certified Security – Specialty Official Study Guide, S3 Lifecycle policies are therecommended and most secure methodfor enforcing data retention requirements because they operate automatically, consistently, and without custom code.

By configuring a lifecycle rule to delete objects after 45 days, the company ensures that sensitive datasets are retained long enough to support the 30-day model training process while remaining compliant with the data retention policy. Lifecycle rules are enforced by Amazon S3 itself and apply uniformly to all objects in the bucket or to objects that match specific prefixes or tags.

Option B and Option C introduce unnecessary operational complexity and risk by relying on custom Lambda code and scheduling. These approaches are more error-prone, harder to audit, and less reliable than a built-in S3 capability. Option D is incorrect because S3 Intelligent-Tiering manages storage cost optimization and does not delete data.

AWS documentation explicitly states thatS3 Lifecycle rules are the standard control for enforcing retention and deletion policies, particularly for sensitive data stored at scale.

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Configuration Documentation

AWS Data Protection Best Practices

AWS WAF rate-based rules are designed to help protect applications and resources fromtraffic floods and application-layer DDoS attacksby tracking the number of requests from individual source IP addresses over a rolling time window. According to the AWS Certified Security – Specialty Official Study Guide and AWS WAF documentation, rate-based rules can be configured with different actions, includingCount,Block, andAllow.

When a security engineer is determining an appropriate rate limit that will not block legitimate traffic, AWS best practices recommend initially configuring the rate-based rule with theCountaction. The Count action allows AWS WAF tomonitor and log requests that exceed the specified rate threshold without actively blocking them. This provides visibility into traffic patterns and enables the security engineer to analyze how the rule would behave in production.

By using the Count action, the security engineer can safely evaluate whether legitimate users would be affected by the chosen rate limit. Once the engineer is confident that the threshold accurately distinguishes between normal traffic and malicious behavior, the action can later be changed to Block.

Option B is incorrect because immediately blocking traffic without validation risks denying service to legitimate users. Option C is invalid because AWS WAF does not have a Monitor action. Option D is incorrect because the Allow action does not enforce rate limiting.

AWS documentation explicitly recommendsstarting rate-based rules in Count modeto fine-tune thresholds before enforcing blocks, especially for DDoS protection scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices

Amazon S3 pre-signed URLs grant temporary access based on the permissions of the principal that generates them. AWS Certified Security – Specialty documentation explains that fine-grained authorization can be enforced by combining pre-signed URLs with IAM policy conditions.

By tagging each invoice object with a client identifier and adding a condition to the EC2 instance role policy using s3:ResourceTag/ClientId, the role can generate pre-signed URLs only for objects associated with a specific client. This ensures that each client can access only their own invoices, even though the URLs are temporary and unauthenticated.

Option A over-permissions clients. Option C is unnecessary because instance profiles already use temporary credentials. Option D violates AWS best practices by using long-term credentials.

AWS recommends resource tagging with IAM policy conditions for scalable, secure access control.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Pre-Signed URLs

IAM Policy Conditions and Resource Tags

Amazon GuardDuty provides managed threat detection and supports EKS protection features that analyze Kubernetes audit logs to detect suspicious activity, including unauthorized or unauthenticated access attempts. AWS Certified Security – Specialty documentation recommends GuardDuty for low-overhead detection because it is fully managed and does not require deploying agents or modifying application code. EKS Audit Log Monitoring is designed to consume and analyze relevant control plane audit events to identify anomalous or unauthorized actions against the cluster. Compared to third-party add-ons, GuardDuty reduces operational burden and remains fully within AWS managed services. Security Hub aggregates findings from services like GuardDuty but does not itself perform the detection. CloudWatch Container Insights focuses on performance and operational metrics, not authentication security detections. Therefore, enabling GuardDuty with EKS Audit Log Monitoring provides the required detection with the least operational effort and without requiring additional configuration to the existing EKS workload beyond enabling the feature.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty EKS Protection and Audit Log Monitoring

AWS Threat Detection Best Practices for Kubernetes on AWS

The findingInstanceCredentialExfiltrationindicates that credentials available to the EC2 instance (from the instance profile / IMDS) were likely stolen and then used from an unusual location. The fastest way todeny the malicious actor immediatelyis to invalidate the stolen, currently usable credentials. Because these aretemporary credentialsissued to the instance profile role, the correct first containment action is torevoke active sessionsfor that role so the stolen session credentials stop working. This directly blocks continued API use while you continue investigation and remediation.

Changing security groups (Option A) affects inbound network access to the website but does not stop an attacker from using stolen API credentials against AWS APIs. Installing agents and running assessments (Options B and C) are investigative steps that take time and do not immediately cut off the attacker’s current access. After revoking sessions, best practice incident response typically continues with additional containment and eradication steps such as rotating credentials, reviewing CloudTrail for actions taken, checking for persistence (new IAM users/keys, modified policies), patching the instance, and restricting IMDS (for example, enforcing IMDSv2) to reduce risk of further credential theft.

To performcustom validation at sign-upand explicitlyaccept or denyregistrations, Amazon Cognito providesLambda triggers. APre sign-up triggerruns synchronously during the sign-up flow (including the Hosted UI) and can implement custom checks (for example, IP reputation checks, email/domain validation, velocity checks, allow/deny lists, or geo checks using an external service). Based on the trigger logic, the function can allow the sign-up to proceed or reject it, meeting the “custom validation” and “accept/deny” requirement directly.

Because the observed fraud largely originatesoutside France, adding a front-door geographic control reduces unwanted traffic before it reaches Cognito.AWS WAFsupportsGeo matchconditions in a web ACL to allow/deny requests by country, which is a common mitigation for region-scoped applications. Associating a WAF web ACL to protect the Hosted UI endpoint helps block sign-up requests from non-French locations early, reducing fraud attempts and load.

The other options do not meet the requirement: Cognito user pools do not provide a native “geographic restriction setting” for sign-up (D), app client ID validation does not stop fraudulent sign-ups (C), and using a social IdP does not provide custom accept/deny validation for all sign-ups (E).

AWS WAF supportsWAF loggingas a dedicated feature that can deliver logs to destinations such as Amazon S3 (commonly via Kinesis Data Firehose). These logs contain rich request details (rule matches, action taken, headers, URI, source IP, etc.) that are essential for determining whether traffic spikes are due to application-layer attacks. For analysis with low operational overhead, storing logs inS3and querying them withAmazon Athenais a standard pattern. Usingpartition projectionfurther reduces administrative work by avoiding manual partition management and enabling efficient queries over time-based prefixes.

Options A and D incorrectly route WAF logs through CloudTrail; WAF request logs are not delivered “to a CloudTrail trail.” CloudTrail records AWS API activity, not per-request WAF inspection logs. Option B describes querying S3 data directly with OpenSearch using “partition projection,” which is an Athena/Glue concept; OpenSearch is typically used by ingesting data into an index (often via Firehose), not by directly querying S3 objects as a table in that manner.

Therefore, enabling WAF logs to S3 and analyzing them with Athena using partition projection is the correct solution.

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

Amazon Detective is a purpose-built AWS service designed toanalyze, investigate, and visualize security datato help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security – Specialty Official Study Guide, Amazon Detective directly integrates withAmazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to automatically create behavior graphs and timelines.

When GuardDuty generates findings related to anomalous activity, Amazon Detective enables security engineers to pivot directly to an investigation focused on a specific IAM role, user, or resource. Detective automatically correlates historical activity, identifies deviations from baseline behavior, and highlightsindicators of compromise, such as unusual API calls, credential misuse, or suspicious network activity.

AWS Audit Manager (Option B) is designed for compliance and audit evidence collection, not threat investigation. Amazon Inspector (Options C and D) is focused on vulnerability scanning of compute resources and does not analyze IAM behavior or GuardDuty findings.

AWS documentation explicitly states thatAmazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

AWS WAF provides managed and custom rules that can immediately mitigate common web exploits such as SQL injection without modifying application code. According to AWS Certified Security – Specialty documentation, placing AWS WAF in front of an Application Load Balancer is a recommended rapid-response control for legacy applications with known vulnerabilities.

Creating an ALB in front of the existing EC2 instances allows seamless traffic migration. AWS WAF SQL injection rules can be deployed and tested without downtime. Updating Route 53 to point to the ALB preserves normal operations. Restricting EC2 security groups afterward prevents bypassing the WAF.

Option B introduces CloudFront changes and single-origin testing, increasing complexity. Option C cannot be completed within 24 hours and risks downtime. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Web ACL Architecture

AWS Application Load Balancer Security

To enforce encryption in transit for Amazon S3, AWS best practice is to require HTTPS (TLS) by using a bucket policy condition that denies any request where aws:SecureTransport is false. The requirement includes both existing buckets and future buckets, so the control must continuously evaluate configuration drift and automatically remediate. AWS Config is the service intended for continuous configuration compliance monitoring across resources, and AWS Config managed rules provide standardized checks with low operational overhead. The s3-bucket-ssl-requests-only managed rule evaluates whether S3 buckets enforce SSL-only requests, aligning directly with enforcing encryption in transit. Setting the trigger type to Hybrid ensures evaluation both on configuration changes and periodically. Automatic remediation with an AWS Systems Manager Automation runbook allows the organization to apply or correct the bucket policy consistently at scale without manual work. This approach also supports governance by maintaining a measurable compliance status while actively fixing noncompliance. Option A is not the best fit because a “proactive” custom policy rule does not by itself remediate existing buckets and “block resource creation” is not how AWS Config enforces controls. Option C is incorrect because Amazon Inspector is a vulnerability management service and does not govern S3 bucket transport policies. Option D is inefficient and indirect because CloudTrail data events are not a compliance engine and would require custom processing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for S3 Compliance

Amazon S3 Security Best Practices for SSL-only Access

The fastest, least-effort way to mitigate SQL injection at the edge—without modifying legacy application code—is to place the application behind a component that supportsAWS WAFand applymanaged SQL injection protections. AnApplication Load Balancerintegrates directly with AWS WAF, allowing the security engineer to deploy a web ACL (including AWS Managed Rules for SQL injection and custom patterns based on the provided samples) and immediately start blocking malicious payloads before they reach the EC2 instances and the database.

Option A also preserves normal operations during rollout: you can create the ALB, register the existing EC2 instances as targets, validate health checks and traffic behavior, apply WAF protections, and then shift Route 53 weighted records to the ALB with minimal downtime. Finally, tightening the EC2 security groups to prevent direct internet access ensures all inbound web traffic is forced through the ALB + WAF inspection point, reducing exposure quickly.

Option B is risky because it uses only one EC2 origin (reducing availability) and adds CloudFront origin configuration complexity under a 24-hour deadline. Option C requires code changes on unsupported software and is unlikely to be safely delivered in time. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances, and changing DB-port exposure doesn’t address SQL injection on the web layer.

VPC Flow Logs require an IAM role that CloudWatch Logs can use to publish flow log records. AWS documentation and AWS Certified Security – Specialty materials explain that the VPC Flow Logs service must be able to assume the IAM role through its trust policy. The trust relationship must include the service principal vpc-flow-logs.amazonaws.com. If the trust policy does not allow this principal to assume the role, flow logs cannot be delivered and no records will appear in the CloudWatch Logs log group even when traffic exists. logs:GetLogEvents is not required for delivery; it is used for reading logs. The security engineer’s ability to assume the role is not relevant because the service, not the engineer, assumes it. Tagging permissions are not required for basic log delivery. Therefore, the most likely cause is an incorrect trust policy that prevents the VPC Flow Logs service principal from assuming the role.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Flow Logs IAM Role Requirements

IAM Trust Policies for AWS Services

AWS WAF supports logging of detailed HTTP request information, including source IP addresses, request URIs, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation,Amazon S3 combined with Amazon Athenais the recommended and most cost-effective solution for ad hoc and forensic analysis of AWS WAF logs.

By configuring AWS WAF to deliver logs to Amazon S3 and usingAthena with partition projection, the security engineer can efficiently query large volumes of log data without maintaining partitions manually. This enables rapid identification of application-layer attacks such as SQL injection, cross-site scripting, and bot activity.

Options A and D are incorrect because AWS WAF logs are not delivered to CloudTrail. Option B is invalid because OpenSearch cannot directly query data stored in S3 without ingestion or additional tooling.

AWS documentation highlightsS3 + Athenaas a best practice for scalable, serverless analysis of AWS WAF logs.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena Best Practices

When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record theCloudFront edge location IP addressesas the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security – Specialty Study Guide and the AWS WAF and CloudFront integration documentation.

To preserve the original client IP address, CloudFront automatically adds theX-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.

Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs. Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF. Option D is unnecessary and unsupported as a requirement because CloudFront already provides the required information through standard headers.

AWS documentation consistently states thatX-Forwarded-Foris the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Logging

Amazon CloudFront Developer Guide – Request Headers

To achieve true separation of duties, the company needs a design whereS3 access alone is not sufficientto read plaintext data.SSE-KMS with a customer managed KMS keyprovides that separation because successful object reads require both: (1) S3 permissions to read the object and (2) permission to use the KMS key to decrypt it. This enables the operations team to manage bucket and object permissions while the security team independently controls key usage through theKMS key policy(and grants). If either team misconfigures only their part, the data is still protected: an overly permissive bucket policy won’t expose plaintext unless KMS decrypt is also allowed; similarly, KMS permissions alone are not sufficient without S3 read access.

Option B also adds a bucket policy requirement enforcingSSE-KMSso objects are consistently protected with the customer managed key. SSE-S3 options (A and C) do not provide the same separation because S3 manages the keys and decryption is not independently controlled by a separate team via KMS policies. Option D is invalid because SSE-C uses customer-provided keys that are supplied with each request and are not stored/managed in KMS as described. Therefore, SSE-KMS with customer managed keys plus restrictive key policy is the correct solution.

AWS Firewall Manager applies and enforces AWS WAF protections based on thepolicy scopeyou define. In this scenario, the policy is explicitly scoped toonlythose resources that have the tag keyWAF-protectedwith a value oftrue. If the API Gateway REST API does not have that exact tag (correct key, correct value, correct spelling/case), Firewall Manager will treat the resource asout of scope. Out-of-scope resources are not evaluated for compliance and are not remediated, so the expected automatic association of the web ACL will never occur.

This is the most common reason for “nothing happens” when Firewall Manager is configured with tag-based scoping: the resource is missing the tag, the value is different (for example “True” vs “true”), or the tag was applied to a different resource than the one Firewall Manager evaluates.

Option A is incorrect because AWS WAF web ACLscanprotect API Gateway REST APIs (regional). Option C is not a blocker because a web ACL can generally be associated with multiple resources (within the supported scope). Option D is irrelevant to preventing association here; CloudFront uses a global scope and does not inherently block regional associations.

AWS Config is a fully managed service that providescontinuous monitoring and evaluation of AWS resource configurationsagainst desired configuration baselines. According to the AWS Certified Security – Specialty Official Study Guide, AWS Config is the primary service used totrack configuration changes, evaluate compliance in near real time, and display compliance statesfor individual AWS resources.

AWS Config providesmanaged rulesthat directly map to the listed Aurora MySQL security requirements, including encryption at rest, public accessibility, deletion protection, and log exports to CloudWatch Logs. These managed rules continuously evaluate resources and mark them as compliant or noncompliant whenever a configuration change occurs.

The AWS Config dashboard enables security engineers to viewper-resource and per-rule compliance states at any point in time, satisfying the requirement to display compliance status for each part of the policy.

AWS Audit Manager (Option A) is designed for audit evidence collection and reporting, not continuous monitoring. AWS Security Hub (Option C) aggregates findings from other services but relies on AWS Config for configuration compliance data. Option D introduces unnecessary custom logic and does not provide a native compliance dashboard.

AWS documentation explicitly identifiesAWS Config as the authoritative service for continuous compliance monitoring and visibility.

AWS Certified Security – Specialty Official Study Guide

AWS Config Developer Guide

Amazon Aurora Security Best Practices

AWS Well-Architected Framework – Security Pillar

Option C best meets the requirements because Amazon GuardDuty provides Kubernetes-focused threat detection for Amazon EKS by analyzingEKS control plane audit logs(EKS Protection) and combining that signal withruntime telemetryfrom the worker nodes (Runtime Monitoring). EKS audit logs capture Kubernetes API activity and authorization decisions, allowing GuardDuty to detect suspicious cluster actions such as unusual API calls, unexpected access patterns, or indicators of compromise within the cluster. Runtime Monitoring extends coverage tooperating system/process activity, network connections, and file activityon the nodes, which directly aligns with the need to monitor OS, networking, and file events in addition to audit logs.

For notifications, GuardDuty generatesfindingsthat can be delivered throughAmazon EventBridgerules. EventBridge can route relevant GuardDuty findings to anAmazon SNS topic, and SNS can sendemail alertsto the security team by subscribing the team’s mailing list to the topic. This approach is fully managed, near real time, and avoids building custom log-parsing pipelines while still providing actionable alerts based on GuardDuty’s curated EKS threat detections.

Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.

AWS WAF cannot be directly associated with Cognito user pools.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Threat Protection

EventBridge natively consumes CloudTrail management events and provides near-real-time notifications.

Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is therecommended service for centralized log aggregation and near-real-time analysisof application and system logs.

By configuring all EC2 instances to send logs to asingle CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.

CloudWatch Logs Insights provides apowerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.

Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3. Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups. Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.

AWS documentation explicitly states thatCloudWatch Logs combined with CloudWatch Logs Insightsis the most efficient and secure approach for centralized log analysis in EC2-based architectures.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Documentation

CloudWatch Logs Insights Query Guide

AmazonMacieis the AWS service purpose-built todiscover and classify sensitive data in S3(PII, financial data, credentials, etc.) and produce findings that can be aggregated centrally. In a multi-account organization, the recommended centralized model is to designate adelegated administrator accountfor Macie so the security team can manage discovery across member accounts from one place.

To make the findings visible from a single location and integrate them with broader security visibility,AWS Security Hubprovides centralized aggregation of security findings across accounts and services. By also configuring the security account as thedelegated administrator for Security Hub, the company can aggregate findings across the organization. Macie integrates with Security Hub so that sensitive data discovery findings flow into Security Hub’s centralized view, giving the security team a single console and API surface to build an “inventory” of sensitive data locations and severity.

Inspector (options B and C) is focused on vulnerability management (EC2, ECR, and related scanning use cases), not sensitive data classification in S3. Trusted Advisor is not the primary destination for sensitive data discovery findings at organizational scale. Therefore, Macie + Security Hub with delegated administration in the security account is the correct solution.