SCS-C03 AWS Certified Security – Specialty Questions and Answers

Amazon Inspector provides native CI/CD integration capabilities that allow security checks to occur before container images are pushed to Amazon ECR. According to AWS Certified Security – Specialty documentation, Inspector does not block image pushes automatically. Instead, prevention must occur inside the CI/CD pipeline itself.

By generating a Software Bill of Materials (SBOM) using the Amazon Inspector SBOM generator and submitting it to Inspector for scanning, the pipeline can detect critical vulnerabilities before the image is uploaded. If vulnerabilities exceed policy thresholds, the pipeline fails, preventing deployment.

Post-push scanning solutions only detect vulnerabilities after exposure. Event-driven blocking does not prevent the initial risk.

AWS best practices require “shift-left” security controls to prevent vulnerable artifacts from entering production.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector CI/CD Integration

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance,CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send acustom origin header(such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured toforward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommendscustom origin headersas the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security – Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.

Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

Network Load Balancers operate at Layer 4 and are optimized for extreme performance, ultra-low latency, and handling sudden traffic spikes. According to AWS Certified Security – Specialty documentation, using a TCP listener on an NLB allows TLS traffic to pass through directly to backend containers without termination, preserving true end-to-end encryption.

This approach eliminates the overhead of decrypting and re-encrypting traffic at the load balancer, reducing latency and maximizing throughput. NLBs scale automatically to handle volatile traffic patterns and millions of requests per second.

Application Load Balancers operate at Layer 7 and introduce additional latency due to TLS termination and HTTP processing. Route 53 multivalue routing does not provide load balancing at the transport layer and does not ensure encryption handling.

AWS recommends NLB TCP pass-through for high-performance, end-to-end encrypted container workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Elastic Load Balancing Architecture

Network Load Balancer Performance Characteristics

Amazon CloudFront includes a built-in geo restriction feature that allows content to be allowed or denied based on the viewer’s country. According to AWS Certified Security – Specialty documentation, CloudFront geo restriction is the most cost-effective method for country-based blocking because it does not require AWS WAF or additional rule processing.

AWS WAF geo match rules incur additional cost and are more appropriate when advanced inspection or layered security controls are required. IP-based blocking is impractical due to frequent IP changes. Geolocation headers do not enforce access control.

CloudFront geo restriction is evaluated at the edge and efficiently blocks disallowed countries with minimal latency and cost.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Geo Restriction

AWS Edge Security Best Practices

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

AWS Secrets Manageris the AWS service designed to store secrets securely and to supportautomatic rotationon a schedule—commonly used for Amazon RDS credentials. Storing credentials in Secrets Manager removes them from source code, enables fine-grained access control, and supports auditability of secret retrieval through CloudTrail. Rotation can be configured to periodically change the database password and update the stored secret automatically, minimizing operational overhead compared to manual rotation processes.

To ensure the credentials are accessibleonly to the application, the correct ECS pattern is to useIAM roles for tasks. A task role can be scoped to allow only secretsmanager:GetSecretValue (and related actions if needed) for the specific secret ARN. Only tasks running with that role can retrieve the secret at runtime, which prevents broad access. This also helps reduce the risk of database administrators sharing plaintext credentials, because the recommended operational model is that humans should not need direct access; the application retrieves the secret programmatically, and access can be limited to break-glass workflows if required.

Systems Manager Parameter Store can store encrypted parameters, but Secrets Manager provides stronger native secret lifecycle features (notably rotation) for databases. Inline policies (Option B) are not necessary; managed or attached policies on the task role achieve the same goal with cleaner administration.

GuardDuty supports “Trusted IP lists” to suppress findings that would otherwise be generated for activity originating from known safe IP addresses (for example, corporate NAT egress IPs, security scanners, or monitoring systems). To use a trusted IP list, you create aplain textfile that contains the IP addresses (typically one per line or in supported list form) and store it inAmazon S3. You then configure GuardDuty to reference that S3 object as a trusted IP list. GuardDuty periodically retrieves the file from S3 and uses it to adjust finding generation accordingly.

That maps directly to Option A (create a plaintext file) and Option D (upload to S3 and create a trusted IP list in GuardDuty pointing to the file).

Options B and E are incorrect because GuardDuty trusted IP lists are not configured by pasting JSON into the console; they are sourced from an S3-hosted text list. Option C is not supported because GuardDuty does not accept direct file uploads into the service as the configuration source; S3 is the expected integration point for IP lists and threat intel lists.

Amazon OpenSearch Service is designed for near real-time log ingestion, indexing, and search across large volumes of data. According to the AWS Certified Security – Specialty Study Guide, OpenSearch supports advanced log analytics use cases and integrates with OpenSearch Security Analytics, which provides prebuilt and custom detection rules.

Security Analytics can continuously evaluate incoming logs from multiple AWS services and generate alerts when detection rules are matched. These alerts can be forwarded to Amazon SNS with minimal configuration. OpenSearch also provides powerful search and query capabilities through APIs and dashboards.

Option C supports detection but lacks advanced correlation and scalable search capabilities. Option B is not a log analytics service. Option D is a visualization service and does not support real-time detection.

AWS guidance recommends OpenSearch Service for centralized, near real-time log analysis and alerting.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon OpenSearch Service Security Analytics

AWS Logging and Monitoring Architecture

AWS incident response best practices emphasizerapid containment with minimal blast radius. According to the AWS Certified Security – Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue running is the preferred initial response.

By using Amazon EventBridge to detect GuardDuty findings related to anomalous traffic and invoking a Lambda function, the security engineer can automatically remove the affected EC2 instance from the Auto Scaling group and attach arestricted security group. This immediately isolates the instance while allowing Auto Scaling to launch a replacement instance, ensuring application availability.

Option A is invalid because EC2 instance profiles do not use long-term access keys. Option C affects the entire subnet and could disrupt unrelated workloads. Option D provides notification only and does not meet the requirement for automated response.

AWS documentation explicitly recommendsinstance-level isolation using security groupsas a best practice for initial incident containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

AWS Incident Response Best Practices

Amazon CloudWatch Logs is designed to collect, store, and analyze log data from ephemeral compute resources such as EC2 instances in Auto Scaling groups. According to the AWS Certified Security – Specialty Study Guide, using the CloudWatch agent to stream logs off instances ensures log durability even when instances are terminated during scale-in events.

CloudWatch Logs Insights provides a fully managed, serverless query engine that enables ad hoc querying, filtering, and aggregation of log data without requiring additional infrastructure. This directly satisfies the requirement to query logs for application sessions and user troubleshooting.

Option A introduces operational risk because logs could be lost between cron executions. Option B requires additional services and data pipelines, increasing cost and complexity. Option E adds storage cost and management overhead and is not necessary for log analytics.

AWS best practices recommend CloudWatch Logs and Logs Insights as the most cost-effective and scalable solution for centralized log retention and analysis in Auto Scaling environments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs and Logs Insights

AWS Logging Best Practices

When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record theCloudFront edge location IP addressesas the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security – Specialty Study Guide and the AWS WAF and CloudFront integration documentation.

To preserve the original client IP address, CloudFront automatically adds theX-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.

Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs. Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF. Option D is unnecessary and unsupported as a requirement because CloudFront already provides the required information through standard headers.

AWS documentation consistently states thatX-Forwarded-Foris the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Logging

Amazon CloudFront Developer Guide – Request Headers

Amazon GuardDuty Exfiltration:S3/AnomalousBehavior findings indicate that S3 data access patterns are consistent with data exfiltration. In this scenario, the attacker is usingtemporary credentials obtained from an EC2 instance profile, which are issued by AWS Security Token Service (STS).

According to AWS Certified Security – Specialty documentation, thefastest and most targeted remediationis to revoke the temporary session credentials associated with the compromised instance profile. This can be accomplished by removing or modifying the IAM role permissions, detaching the instance profile, or stopping the instance, which immediately invalidates the temporary credentials and prevents further S3 access.

Option B may limit outbound traffic but does not invalidate already issued credentials. Option C is a detection and classification service and does not prevent active exfiltration. Option D would block all access to the bucket, including legitimate access, and is considered overly disruptive for incident containment.

AWS incident response best practices emphasizecredential revocation as the first containment stepwhen compromise of temporary credentials is confirmed.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – S3 Protection

AWS STS and IAM Role Security Documentation

AWS Incident Response Best Practices

AWS CloudTrail provides a record of all API calls made in an AWS account, including calls initiated by AWS CloudFormation. According to the AWS Certified Security – Specialty Study Guide, CloudTrail is the primary source for troubleshooting authorization failures because it records denied actions and the policy type that caused the denial, including service control policies.

Reviewing CloudTrail logs allows a security engineer to identify which specific API calls failed during the CloudFormation deployment and whether the denial was caused by an SCP, an IAM policy, or a permission boundary. This evidence-based approach is the recommended first step before making any configuration changes.

Option B is unsafe and violates governance best practices by removing SCPs in production. Option C may be necessary later, but it does not identify whether SCPs are the root cause. Option D introduces unnecessary risk and bypasses the purpose of differentiated controls across OUs.

AWS documentation emphasizes observing and validating before modifying security controls, making CloudTrail log analysis the correct initial troubleshooting step.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Service Control Policies

AWS CloudTrail Authorization Failure Analysis

Amazon Detective is a purpose-built AWS service designed toanalyze, investigate, and visualize security datato help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security – Specialty Official Study Guide, Amazon Detective directly integrates withAmazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to automatically create behavior graphs and timelines.

When GuardDuty generates findings related to anomalous activity, Amazon Detective enables security engineers to pivot directly to an investigation focused on a specific IAM role, user, or resource. Detective automatically correlates historical activity, identifies deviations from baseline behavior, and highlightsindicators of compromise, such as unusual API calls, credential misuse, or suspicious network activity.

AWS Audit Manager (Option B) is designed for compliance and audit evidence collection, not threat investigation. Amazon Inspector (Options C and D) is focused on vulnerability scanning of compute resources and does not analyze IAM behavior or GuardDuty findings.

AWS documentation explicitly states thatAmazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

Option D is the correct solution because it provides fully automated, real-time detection and mitigation of application-layer (Layer 7) DDoS attacks with no manual intervention. AWS Shield Advanced includes automatic application layer DDoS mitigation when it is enabled for supported resources such as Amazon CloudFront distributions. This feature continuously monitors traffic patterns and, when an attack is detected, automatically deploys AWS WAF rules to mitigate malicious requests.

Adding a rate-based rule to the AWS WAF web ACL further strengthens protection by automatically blocking IP addresses that exceed a defined request threshold, which is a common characteristic of Layer 7 DDoS attacks. This combination aligns directly with AWS best practices for protecting web applications against volumetric and application-layer threats.

Option A only provides alerting and visibility but does not ensure automated mitigation. Option B includes proactive engagement with the AWS DDoS Response Team, which is valuable for complex or large-scale attacks but still involves human interaction and therefore does not meet the “no manual effort” requirement. Option C introduces unnecessary complexity and is not recommended for protecting CloudFront-based applications against Layer 7 DDoS attacks.

AWS Security Specialty documentation explicitly recommends AWS Shield Advanced with automatic application layer DDoS mitigation and AWS WAF rate-based rules for fully automated, real-time protection of public web applications.

AWS Systems Manager Session Manager provides secure, auditable shell access to EC2 instances without opening inbound ports. According to AWS Certified Security – Specialty guidance, Session Manager records all session activity to CloudWatch Logs or Amazon S3 and integrates with IAM Identity Center for centralized authentication.

This solution meets all requirements: no exposed ports, full audit logging, and identity-based access control. EC2 Instance Connect and serial console access do not integrate with Identity Center and may expose management paths.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Session Manager

AWS IAM Identity Center Integration

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls

The database islatency-sensitive, so the connectivity option should minimize jitter and provide more consistent performance than traversing the public internet.AWS Direct Connectprovides a dedicated network connection from the on-premises environment into AWS, typically delivering more stable throughput and lower/consistent latency characteristics compared with internet-based paths. However, Direct Connect by itself does not automatically provideIPsec encryption.

To satisfy the explicit requirement that traffic must haveIPsec encryption, the common AWS pattern is to run anAWS Site-to-Site VPN(IPsec tunnels) in conjunction with Direct Connect. This can be done as “VPN over Direct Connect” to encrypt the traffic while still taking advantage of Direct Connect’s private, predictable connectivity. This combination meets both requirements: improved latency characteristics (Direct Connect) and IPsec encryption (Site-to-Site VPN).

The other options do not fit. VPN CloudHub (Option C) is for connecting multiple remote sites together via AWS as a hub-and-spoke, not a primary low-latency private link. VPC peering (Option D) is only for VPC-to-VPC connectivity and does not connect to on-premises. NAT gateway (Option E) is for outbound internet/NAT translation and does not provide private encrypted connectivity to on-premises.

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

In IAM Identity Center, a permission set that includes acustomer managed policydoes not “carry” that policy into each target account automatically unless the policy exists there. When you attach a customer managed policy by name to a permission set, IAM Identity Center expects that policy to be present in each account where the permission set is provisioned. If the policy is missing in any account (common when assigning across multiple accounts), provisioning/assignment can fail because Identity Center cannot attach a non-existent policy to the role it creates in that account.

The correct fix is tocreate the customer managed policy in every target account, ensuring it has thesame nameand the intended permissions in each account. Once the policy exists consistently across accounts, IAM Identity Center can successfully provision the permission set in each account and complete the user assignment.

Options B and D are workarounds that increase complexity and do not address the underlying requirement to use the customer managed policy across accounts. Option C is not the issue here; policy “conflicts” typically do not prevent provisioning—missing referenced customer managed policies do. Therefore, ensuring the customer managed policy exists in each assigned account resolves the failure with the intended multi-account design.

Amazon SQS is an AWS-managed service and does not operate within customer VPCs. Therefore, security groups and network ACLs cannot be used to control access to SQS, making options A and B invalid. According to AWS Certified Security – Specialty documentation, the recommended approach to securely access AWS services from within a VPC is throughinterface VPC endpoints (AWS PrivateLink).

By creatinginterface VPC endpoints for Amazon SQS, the company ensures that traffic to SQS stays within the AWS network and does not traverse the public internet. Adding anSQS resource policywith the aws:SourceVpce condition restricts access so that only requests originating from the specified VPC endpoint are allowed. Additionally, using the aws:PrincipalOrgId condition ensures that only principals belonging to the same AWS Organization can access the queue.

Option D introduces an external tool, increasing cost and compliance complexity, which directly violates the requirement to minimize investment outside AWS.

AWS documentation clearly identifiesVPC endpoints combined with IAM condition keysas a best practice for securing service access in multi-account environments.

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security Best Practices

AWS Organizations Documentation

AWS PrivateLink User Guide

AWS incident response best practices emphasizecontainment with minimal blast radiuswhile preserving business continuity. According to the AWS Certified Security – Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue operating is the recommended initial response.

By creating an Amazon EventBridge rule that reacts to GuardDuty anomalous traffic findings and invokes an AWS Lambda function, the security engineer can automaticallyremove the affected EC2 instance from the Auto Scaling groupand attach arestricted security group. This immediately stops malicious activity while allowing Auto Scaling to replace the instance and keep the application available.

Option A is inappropriate because EC2 instance profiles do not use long-term access keys. Option C applies subnet-wide changes that could disrupt unrelated workloads. Option D provides notification only and does not meet the automated response requirement.

AWS documentation explicitly identifiesinstance isolation via security groupsas a preferred containment technique that preserves application availability and forensic integrity.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

AWS Incident Response Best Practices

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security – Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock

AWS Config is a fully managed service that providescontinuous monitoring and evaluation of AWS resource configurationsagainst desired configuration baselines. According to the AWS Certified Security – Specialty Official Study Guide, AWS Config is the primary service used totrack configuration changes, evaluate compliance in near real time, and display compliance statesfor individual AWS resources.

AWS Config providesmanaged rulesthat directly map to the listed Aurora MySQL security requirements, including encryption at rest, public accessibility, deletion protection, and log exports to CloudWatch Logs. These managed rules continuously evaluate resources and mark them as compliant or noncompliant whenever a configuration change occurs.

The AWS Config dashboard enables security engineers to viewper-resource and per-rule compliance states at any point in time, satisfying the requirement to display compliance status for each part of the policy.

AWS Audit Manager (Option A) is designed for audit evidence collection and reporting, not continuous monitoring. AWS Security Hub (Option C) aggregates findings from other services but relies on AWS Config for configuration compliance data. Option D introduces unnecessary custom logic and does not provide a native compliance dashboard.

AWS documentation explicitly identifiesAWS Config as the authoritative service for continuous compliance monitoring and visibility.

AWS Certified Security – Specialty Official Study Guide

AWS Config Developer Guide

Amazon Aurora Security Best Practices

AWS Well-Architected Framework – Security Pillar

Network ACLs arestateless, so you must allow both the outbound request and the inboundreturn traffic. For outbound TLS to an internet service on TCP443, you need an outbound allow rule permitting destination port 443. The return traffic from the internet service will come back to the instance’sephemeral port(typically in the range 1024–65535) on the inbound path. Therefore, you must allow inbound TCP traffic on the ephemeral port range to support established outbound connections.

At the same time, the requirement is todeny inbound MySQL (TCP 3306). Because NACLs process rules in order (lowest rule number first), placing an explicit deny for port 3306 as a low-numbered inbound rule ensures that traffic destined for MySQL is blocked even if there are broader allow rules later.

Option B does exactly this: it denies inbound TCP 3306 first, then allows inbound ephemeral ports for return traffic, and allows outbound TCP 443. Option A/D incorrectly allow inbound 443 (not needed for outbound-only TLS) and fail to explicitly allow ephemeral return traffic correctly. Option C allows ephemeral inbound first, and then denies 3306 later; while 3306 is not in the ephemeral range, B is the clean, canonical ordering and matches the intended stateless-return-traffic pattern most directly.

AWS Systems Manager Session Manager providessecure, auditable, and portless accessto EC2 instances. According to the AWS Certified Security – Specialty Study Guide, Session Manager allows administrators to connect to instanceswithout opening inbound SSH or RDP ports, fully satisfying strict compliance requirements.

Session Manager integrates directly withAWS IAM Identity Center, ensuring that all access is authenticated and authorized using centralized identity management. Additionally, Session Manager automatically records session activity and can send logs to Amazon CloudWatch Logs or Amazon S3, providing a complete audit trail of all commands executed during a session.

Option A (EC2 serial console) does not provide comprehensive auditing and is intended for recovery scenarios. Option B requires inbound network access and security group rules, violating the “no exposed management ports” requirement. Option D explicitly opens ports, which directly violates compliance constraints.

AWS documentation clearly identifiesSystems Manager Session Manager as the recommended solution for secure, auditable, and identity-integrated instance accessin regulated environments.

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Session Manager Documentation

AWS IAM Identity Center Best Practices

AWS Systems Manager Session Manager requires secure outbound HTTPS connectivity from the EC2 instance to Systems Manager endpoints. In a VPC without internet access, AWS Certified Security – Specialty documentation recommends using interface VPC endpoints to enable private connectivity without exposing the instance to the internet.

Creating a VPC interface endpoint for Systems Manager allows the SSM Agent to communicate securely with the Systems Manager service. The endpoint must have an attached security group that allows inbound traffic on port 443 from the VPC CIDR range. Additionally, the EC2 instance security group must allow outbound HTTPS traffic on port 443 so the agent can initiate connections.

Option C is incorrect because creating or associating key pairs enables SSH access, which can alter forensic evidence and violates forensic best practices. Option B is unnecessary because Session Manager does not require inbound rules on the EC2 instance. Option F is invalid because EC2 does not use interface endpoints for management connectivity.

This combination ensures secure, private access for forensic investigation while preserving evidence integrity and adhering to AWS incident response best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Session Manager Architecture

AWS Incident Response and Forensics Best Practices

The correct Config rule for finding buckets that are not usingSSE-KMS by defaultiss3-default-encryption-kms. It evaluates the bucket’s default encryption settings and flags buckets that do not have KMS default encryption enabled. The s3-bucket-ssl-requests-only rule focuses on enforcing HTTPS-only requests and does not validate encryption-at-rest settings, so it cannot satisfy the “identify not encrypted with KMS” requirement.

For preventing uploads of objects that are not encrypted with KMS, an organization-wide control is needed. AnSCPcan restrict s3:PutObject so that uploads succeed only when the request specifiesSSE-KMS(and optionally a specific KMS key). This provides broad, low-touch enforcement across many accounts and buckets. While bucket policies can also enforce SSE-KMS, managing and verifying hundreds of bucket policies is more operationally heavy than a centrally managed SCP guardrail.

Option B enforcesSSE-S3, which does not meet the requirement forKMSencryption. Option D uses the wrong Config rule and relies on an “allow-only” pattern rather than explicit deny logic, making it an unreliable fit for the stated goal. Therefore, A is the best answer.

Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is therecommended service for centralized log aggregation and near-real-time analysisof application and system logs.

By configuring all EC2 instances to send logs to asingle CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.

CloudWatch Logs Insights provides apowerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.

Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3. Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups. Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.

AWS documentation explicitly states thatCloudWatch Logs combined with CloudWatch Logs Insightsis the most efficient and secure approach for centralized log analysis in EC2-based architectures.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Documentation

CloudWatch Logs Insights Query Guide

AWS CloudFormation supports dynamic references to AWS Secrets Manager, which allow sensitive values to be retrieved securely at stack runtime. According to AWS Certified Security – Specialty guidance, dynamic references prevent secrets from being stored in plaintext in templates, stack metadata, or logs.

Using dynamic references ensures that secrets remain encrypted at rest and are accessed only when required. CloudFormation does not support SecureString parameters for Secrets Manager references, and encrypting templates does not prevent exposure during execution.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Dynamic References

AWS Secrets Manager Best Practices

The most secure and AWS-recommended pattern for cross-account access is to create anIAM role in the target account (production)and allow trusted principals from the source account (developer) toassume the roleby using AWS STS. This avoids long-term credentials in the production account, supports short-lived session credentials, and enables strong controls such as MFA requirements, session duration limits, and precise least-privilege permissions attached to the role. It also centralizes ownership of production permissions in the production account, which is important for separation of duties and governance.

Option A is insecure because it requires password sharing and uses a long-lived IAM user credential, which is against AWS best practices. Option C is also poor because it relies on a long-lived IAM user in the production account and encourages credential sharing/duplication. Option B places the role in the developer account; while you can attach permissions there, access to production resources is governed by the production account. The standard approach is a production-account role with a trust policy that names the developer account principals (or a role) as allowed to assume it. Therefore, Option D is the most secure solution.

AWS Config is the AWS service designed to continuously evaluate resource configurations against defined rules. According to the AWS Certified Security – Specialty Study Guide, AWS Config managed rules exist specifically to check database encryption, public accessibility, deletion protection, and log exports for Amazon RDS and Aurora.

AWS Config provides a real-time compliance timeline and displays the compliance state of each resource against each rule at any point in time. This granular visibility is required to assess ongoing compliance with security policies.

Audit Manager generates reports but does not provide continuous compliance monitoring. Security Hub aggregates findings but does not track configuration drift. EventBridge and Lambda introduce unnecessary complexity.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for RDS

AWS Continuous Compliance Monitoring

Amazon Macie’sautomated sensitive data discoveryis designed for exactly this: at scale, Macie continuously evaluates andsamplesobjects across S3 buckets to identify where sensitive data (PII, financial data, credentials, etc.) is likely present. This gives the security engineer a low-touch way toidentify which buckets contain sensitive datawithout having to orchestrate per-bucket scanning workflows. Once Macie flags buckets with sensitive data findings, the engineer can then prioritize and runadditional, more targeted scanning(for example, deeper classification jobs on those specific buckets) rather than scanning everything exhaustively all the time.

The other options increase operational burden significantly. CRR to another Region (A) doubles storage/transfer complexity and is not needed for discovery. An event-driven Lambda scan per object (B) is expensive and complex at high object volumes and is not how Macie classification is intended to be orchestrated. Aggregating results into DynamoDB (D) adds an extra system to maintain when Macie already provides centralized findings, dashboards, and integrations.

Therefore, enabling Macie automated discovery and then performing deeper scans only on buckets where Macie detects sensitive data provides the least administrative overhead.

AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Roles

The threat is client ID manipulation to break authorization boundaries. The strongest control is tobind the MQTT client identity to the authenticated device identity(the Thing) rather than trusting arbitrary client IDs provided by the client. Using theThing name as the client ID(Option A) removes ambiguity and makes the identifier predictable and tied to a registered identity.

On the authorization side, AWS IoT Core policies can use policy variables. Allowing iot:Connect only when the resource matches client/${iot:Connection.Thing.ThingName} (Option E) ensures the connection is permittedonlyif the client ID exactly equals the authenticated Thing name from the TLS certificate/Thing principal context. This prevents attackers from injecting special characters or choosing a different client ID to escalate access, because the policy evaluation ties the allowed client resource to the Thing identity, not the attacker-controlled string.

Option D is weaker because it effectively allows whatever client ID is presented (it matches the same value the client supplies), so it does not prevent crafted client IDs from being used. Option C is unrelated to the described MQTT connect authorization (and references an action not aligned with the scenario). Option B is an application-side check and can be bypassed by a malicious client; enforcement must be at AWS IoT Core policy level.

AWS Elastic Disaster Recovery (AWS DRS)is purpose-built for continuously replicatingphysical and virtual serversinto AWS with low RTO/RPO. It uses lightweight replication agents to stream block-level changes to a low-coststaging areain AWS, which helps optimize storage costs (only the staging resources run continuously) and reduces bandwidth usage through efficient replication mechanisms. In a disaster or test, AWS DRS can automatically launch recovery instances in AWS based on a defined blueprint (instance types, networking, security groups), enabling rapid failover workflows that commonly meetsub-hour RTOobjectives.

Option A is not the intended service model: AWS Backup protects AWS-native resources and does not “directly replicate” arbitrary on-prem servers as a continuous replication DR system. Option B (Storage Gateway Volume Gateway) can support backups of certain storage use cases via snapshots, but it is not a general continuous replication solution for diverse physical/virtual servers and may not meet the RTO requirement as directly as AWS DRS. Option D (Direct Connect + custom automation) can help with connectivity, but it does not provide continuous server replication by itself and would require significant custom engineering and ongoing operational effort.

Therefore, enabling AWS Elastic Disaster Recovery and configuring replication agents is the best automated, cost-optimized solution.

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

AWS incident response best practices emphasize rapid containment to prevent further data exposure. According to the AWS Certified Security – Specialty Study Guide, the fastest and least disruptive containment method for compromised compute resources is to immediately revoke credentials and permissions rather than modifying data or infrastructure.

Revoking the IAM role’s active sessions prevents the EC2 instance from continuing to access AWS services. Updating the S3 bucket policy to explicitly deny access to the IAM role ensures immediate enforcement, even if temporary credentials remain cached. Removing the IAM role from the instance profile further prevents new credentials from being issued.

Option A and D involve large-scale data movement or re-encryption, which is time-consuming and operationally expensive. Option B relies on network-level controls that do not prevent access through private AWS endpoints.

AWS guidance explicitly recommends credential revocation and policy-based denial as the fastest containment step during active incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

AWS IAM Role Session Management

Option A satisfies all requirements with the most direct, purpose-built AWS logging workflow. By using the CloudWatch Agent (or fluent-bit / unified logging configuration) on each EC2 instance—regardless of whether it is On-Demand or Spot—the application logs can be centralized into asingle Amazon CloudWatch Logs log group. Centralization ensures the logs remain available even as Spot Instances are interrupted and replaced. Access control is handled withIAM policies(and optionally resource policies/KMS encryption) so that only a specific set of users can read/query the log group.

For analysis,CloudWatch Logs Insightsprovides an interactive query language that is SQL-like and commonly treated as “SQL queries” for troubleshooting. It enables fast filtering, aggregation, and pattern detection across large log volumes without building a separate data lake pipeline. This supports event-pattern analysis and root cause investigation directly from the centralized log group.

Option B is incorrect because Logs Insights queries CloudWatch Logs data, not arbitrary log files sitting in S3. Option C is inefficient (many log groups) and Athena cannot directly query CloudWatch log groups as a native data source. Option D is incorrect because Amazon Detective is for security investigations across supported data sources and is not the primary service for ad-hoc SQL-style querying of application logs.

WithSSE-KMS, authorization is a two-part check: the caller must have S3 permissions to read the objectandthe caller must be allowed to use the KMS key for decryption. Even if an IAM policy grants kms:Decrypt, the request will still fail if theKMS key policydoes not allow the principal (or does not allow the account to delegate use of the key). KMS key policies are authoritative: they can prevent key usage even when IAM policies appear to allow it.

A common misconfiguration is editing the key policy and removing the statement that grants the AWS account (or key administrators) the ability to manage and delegate permissions for the key—often described as removing “Enable IAM user permissions” or otherwise blocking the account from using IAM policies to authorize key usage. In that case, the IAM user’s kms:Decrypt permission in IAM is not sufficient because the key policy no longer permits it, resulting in Access Denied when S3 attempts to call KMS on the user’s behalf during GetObject.

Option A is not required for decrypting data (DescribeKey is useful for discovery but not necessary for GetObject). Option B would not inherently cause access denied if permissions align. Option C is incorrect because same-account S3 access can be granted purely via IAM without a bucket policy. Therefore, the key policy change is a valid reason.

AWS WAF allows security engineers to createstring match rule statementsthat inspect specific parts of web requests, including HTTP headers such as theUser-Agentheader. According to the AWS Certified Security – Specialty Study Guide and AWS WAF documentation, string match rules are ideal for blocking requests that contain known malicious identifiers, such as a distinctive user agent associated with a specific bot or IoT device brand.

In this scenario, the attack originates from a specific IoT device brand that uses aunique user agent. A string match rule that inspects the User-Agent header can precisely block malicious requests while allowing legitimate customer traffic to continue uninterrupted. This approach provides targeted mitigation for both current and future attacks originating from the same device signature.

Option A is incorrect because IP addresses cannot be derived from user agent strings, and IoT botnets frequently rotate IP addresses, making IP-based blocking ineffective. Option B is incorrect because geographic blocking is overly broad and risks blocking legitimate customers in the same regions as the attacking devices. Option C is incorrect because rate-based rules limit request volume per IP address and do not specifically identify malicious device signatures; legitimate high-traffic users could be unintentionally blocked.

AWS documentation emphasizes thatheader inspection with string match conditionsis a best practice for mitigating attacks that use identifiable request characteristics such as custom user agents, especially in DDoS and bot mitigation scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rule Statements

AWS DDoS Resiliency Best Practices

AWS Well-Architected Framework – Security Pillar

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security – Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.

Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles were used during suspicious activity.

Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.

AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Detective Investigation Capabilities

AWS Threat Detection and Analysis

AWS abuse notifications are delivered as AWS Health events. According to the AWS Certified Security – Specialty Study Guide, Amazon EventBridge integrates natively with AWS Health and can be used to detect specific event types such as AWS_ABUSE_DOS_REPORT in near real time.

By creating an EventBridge rule that filters for the abuse report event type and publishes directly to Amazon SNS, the solution remains fully managed, low latency, and cost effective.

Polling APIs introduces delay and complexity. CloudTrail does not log abuse notifications. EventBridge with AWS Health is the recommended mechanism for reacting to AWS service events.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Health and EventBridge Integration

AWS Abuse Notification Handling

For encrypted RDS snapshots that must be shared across accounts and still bedecryptablein the target accounts, you should use acustomer managed KMS keyand explicitly grant cross-account use of that key. AWS-managed default keys (Option A/C) generally cannot be shared for cross-account decryption in the same flexible way as customer managed keys, and you cannot “copy” an AWS-managed key to another account. Likewise, you cannot “import” an existing KMS key into another account via Lambda as described in Option B; KMS keys are account-scoped resources and are not copied between accounts like that.

With acustomer managed key (CMK), the key policy (and/or grants) can allow principals in the DR accounts to use the key for the required cryptographic operations (for example, kms:Decrypt, kms:CreateGrant, and relevant describe permissions). Then, when the snapshot is shared and copied/used in the destination account during a DR event, the destination account can decrypt it because it has been granted permission to use the same CMK. This approach is the standard AWS pattern for cross-account encrypted snapshot sharing and meets both encryption and recoverability requirements with strong governance and auditability through CloudTrail.

AWS KMS key grants are specifically designed to provide temporary, granular permissions to use customer managed keys without modifying key policies. According to the AWS Certified Security – Specialty Study Guide, grants are the preferred mechanism for delegating key usage permissions to AWS principals for short-term or programmatic access scenarios. Grants allow permissions such as Encrypt, Decrypt, or GenerateDataKey and can be created and revoked dynamically.

Using a key grant avoids the operational risk and overhead of editing key policies, which are long-term control mechanisms and should remain stable. AWS documentation emphasizes that frequent key policy changes increase the risk of misconfiguration and accidental privilege escalation. Grants can be revoked immediately when access is no longer required, ensuring strong adherence to the principle of least privilege.

Options A and D violate AWS security best practices because AWS KMS does not allow direct export of key material unless the key was explicitly created as an importable key, and exporting key material increases exposure risk. Option B requires manual policy changes and rollback, which introduces operational overhead and audit complexity.

AWS recommends key grants as the most efficient and secure way to provide temporary access to KMS keys for applications.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policies and Grants Documentation

AWS KMS Best Practices

AWS WAF supports logging of detailed HTTP request information, including source IP addresses, request URIs, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation,Amazon S3 combined with Amazon Athenais the recommended and most cost-effective solution for ad hoc and forensic analysis of AWS WAF logs.

By configuring AWS WAF to deliver logs to Amazon S3 and usingAthena with partition projection, the security engineer can efficiently query large volumes of log data without maintaining partitions manually. This enables rapid identification of application-layer attacks such as SQL injection, cross-site scripting, and bot activity.

Options A and D are incorrect because AWS WAF logs are not delivered to CloudTrail. Option B is invalid because OpenSearch cannot directly query data stored in S3 without ingestion or additional tooling.

AWS documentation highlightsS3 + Athenaas a best practice for scalable, serverless analysis of AWS WAF logs.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena Best Practices

A rate-based rule in AWS WAF is designed to quickly mitigate spikes and potential layer 7 floods bytracking request rates per originating IPand temporarily blocking (or counting/challenging, depending on configuration) IPs that exceed a defined threshold within a 5-minute rolling window. In this scenario, the malicious traffic is distributed acrosshundreds of IPsin two countries, and the application still needs to remain available globally for legitimate users. A rate-based rule provides fast, targeted throttling that reduces abusive request patterns without permanently blocking entire geographies. This aligns with “quickly limit” while minimizing collateral impact.

Blocking both countries with a geo match rule (Option B) would likely block legitimate users located in those countries, which violates the requirement. Security groups (Options C and D) cannot natively enforcegeographicfiltering, and they are not well suited for large, rapidly changing sets of public source IPs at the application layer. Additionally, WAF operates at layer 7 with richer matching (rate limiting, URI/header patterns, bot controls), which is the appropriate control point when the ALB already has a web ACL associated. Therefore, implementing an AWS WAFrate-basedrule is the most effective and least disruptive immediate mitigation.

The requirement is to havekey material generated and used inside a custom key store backed by an AWS CloudHSM cluster. This is exactly whatAWS KMS Custom Key Storesprovide: KMS manages the keys and policies, but the cryptographic operations for those KMS keys occur in the associatedCloudHSMcluster, keeping the key material within HSM boundaries. For applications that needlocal-use data keys(both symmetric data keys and asymmetric data key pairs), KMS supports generating data keys and data key pairs that applications can use for envelope encryption and local cryptographic operations, while the master key protections remain within KMS (and within CloudHSM when using a custom key store).

For auditing, AWS best practice isAWS CloudTrail, which records KMS API calls (such as CreateKey, GenerateDataKey, GenerateDataKeyPair, Encrypt/Decrypt, etc.) and provides an immutable event history for compliance and investigation. Athena can query logs, but it is not the primary audit record source; GuardDuty is for threat detection, not authoritative key-usage auditing. Therefore, the correct combination isKMS with a CloudHSM-backed custom key storeplusCloudTrailfor auditability.