SCS-C03 Sample Questions Answers

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security – Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls

When AWS IAM Identity Center is used to manage user access across an AWS Organization, Identity Center is the authoritative control plane for enabling and disabling user access. According to the AWS Certified Security – Specialty Official Study Guide, disabling a user in IAM Identity Center immediately prevents that user from accessing any AWS account or role that is assigned through permission sets, satisfying the requirement to stop access organization-wide.

Disabling an IAM user in a single account or removing attached policies (Options A and B) does not prevent access through IAM Identity Center–managed roles in other accounts. Option C is incomplete because removing permission sets does not immediately disable authentication and still requires querying logs from an unsupported source.

For investigation and evidence collection, AWS CloudTrail organizational event data stores provide centralized, queryable access to all management and data events across all accounts in the organization. CloudTrail Lake enables security engineers to run SQL-based queries directly against event data without exporting logs to other services. This allows rapid collection of all actions that the compromised user performed during the last 7 days.

AWS documentation explicitly identifies the combination of IAM Identity Center for access revocation and CloudTrail Lake for organization-wide investigation as a best practice for identity-related incident response.

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Documentation

AWS CloudTrail Lake User Guide

AWS Incident Response Best Practices

When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record the CloudFront edge location IP addresses as the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security – Specialty Study Guide and the AWS WAF and CloudFront integration documentation.

To preserve the original client IP address, CloudFront automatically adds the X-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.

Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs. Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF. Option D is unnecessary and unsupported as a requirement because CloudFront already provides the required information through standard headers.

AWS documentation consistently states that X-Forwarded-For is the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Logging

Amazon CloudFront Developer Guide – Request Headers

VPC Flow Logs require an IAM role that CloudWatch Logs can use to publish flow log records. AWS documentation and AWS Certified Security – Specialty materials explain that the VPC Flow Logs service must be able to assume the IAM role through its trust policy. The trust relationship must include the service principal vpc-flow-logs.amazonaws.com. If the trust policy does not allow this principal to assume the role, flow logs cannot be delivered and no records will appear in the CloudWatch Logs log group even when traffic exists. logs:GetLogEvents is not required for delivery; it is used for reading logs. The security engineer’s ability to assume the role is not relevant because the service, not the engineer, assumes it. Tagging permissions are not required for basic log delivery. Therefore, the most likely cause is an incorrect trust policy that prevents the VPC Flow Logs service principal from assuming the role.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Flow Logs IAM Role Requirements

IAM Trust Policies for AWS Services

Amazon GuardDuty provides fully managed threat detection across accounts when configured with delegated administration. EKS and RDS protections enable workload-aware detection with minimal setup.

Other solutions require custom pipelines and higher operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Multi-Account Architecture

Amazon S3 Block Public Access configured at the AWS account level is the recommended and most effective approach to protect data stored in Amazon S3 while minimizing operational overhead. AWS Security Specialty documentation explains that S3 Block Public Access provides centralized, preventative controls designed to block public access to S3 buckets and objects regardless of individual bucket policies or object-level ACL configurations. When enabled at the account level, these controls automatically apply to all existing and newly created buckets, significantly reducing the risk of accidental exposure caused by misconfigured permissions.

The AWS Certified Security – Specialty Study Guide emphasizes that public access misconfiguration is a leading cause of data leaks in cloud environments. Account-level S3 Block Public Access acts as a guardrail by overriding any attempt to grant public permissions through bucket policies or ACLs. This eliminates the need to manage security settings on a per-bucket or per-object basis, thereby reducing administrative complexity and human error.

Configuring Block Public Access at the object level, as in option B, requires continuous monitoring and manual configuration, which increases operational overhead. Disabling ACLs alone, as described in option C, does not fully prevent public access because bucket policies can still allow public permissions. Using AWS PrivateLink, as in option D, controls network access but does not protect against public exposure through misconfigured S3 policies.

AWS security best practices explicitly recommend enabling S3 Block Public Access at the account level as the primary mechanism for preventing unintended public data exposure with minimal management effort.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Security Best Practices Documentation

Amazon S3 Block Public Access Overview

AWS Well-Architected Framework – Security Pillar

Step 1: Obtain the SAML metadata from IAM Identity Center.

Step 2: Obtain the SAML metadata from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center.

When integrating AWS IAM Identity Center (formerly AWS SSO) with an external identity provider (IdP) using SAML 2.0, AWS requires a specific sequence of steps to establish trust and federation correctly.

Step 1: Obtain the SAML metadata from IAM Identity Center

IAM Identity Center acts as the service provider (SP) in the SAML trust. The external IdP must trust IAM Identity Center, so the IdP needs IAM Identity Center’s SAML metadata first. This metadata contains critical information such as the SP entity ID, ACS (Assertion Consumer Service) URL, and signing certificate. Without this metadata, the external IdP cannot be configured to send assertions to AWS.

Step 2: Obtain the SAML metadata from the external IdP

After the external IdP is configured to trust IAM Identity Center, the IdP generates its own SAML metadata. This metadata includes the IdP entity ID, SSO endpoint, and signing certificate. IAM Identity Center requires this information to validate authentication assertions coming from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center

Once both metadata files are available, the security engineer configures the external IdP as the identity source in IAM Identity Center. At this stage, IAM Identity Center imports the IdP metadata and establishes the SAML trust relationship. After this configuration, users authenticated by the external IdP can be federated into AWS accounts and applications via IAM Identity Center.

Why the other options are incorrect:

Creating an IAM role with an IdP API endpoint is used for IAM federation, not IAM Identity Center.

Automatic provisioning (SCIM) is optional and is configured after SAML federation is established.

Automatic provisioning must be enabled on both sides, but it is not required to complete the core IdP integration.

This sequence follows AWS best practices for SAML-based federation with IAM Identity Center.

AWS incident response best practices emphasize immediate containment, preservation of evidence, and safe forensic investigation. According to the AWS Certified Security – Specialty Study Guide, when an EC2 instance is suspected of compromise, security teams should avoid logging in to the instance or installing additional tools, as these actions can alter evidence and increase risk.

Terminating the compromised instance after ensuring that its Amazon EBS volumes are preserved prevents further malicious activity immediately. By setting the EBS volumes to not delete on termination, all disk data is retained for forensic analysis. Launching a new, clean EC2 instance in a different subnet or Availability Zone with preinstalled diagnostic tools allows investigators to safely attach and analyze the compromised volumes without executing potentially malicious code.

Option A introduces significant risk by logging in to the compromised instance and modifying security controls during active compromise. Option B delays containment and allows continued outbound traffic during investigation steps. Option D is invalid because AWS WAF cannot be attached directly to Amazon EC2 instances and does not control outbound traffic.

AWS documentation strongly recommends isolating or terminating compromised resources and performing offline analysis using detached storage volumes. This approach ensures immediate mitigation, preserves forensic integrity, and aligns with AWS incident response frameworks.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon EC2 and EBS Forensics Guidance

AWS Well-Architected Framework – Security Pillar

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security – Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP’s SAML assertions.

By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication timing issues.

AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center SAML Federation

AWS Identity Federation Best Practices

AWS IAM Identity Center delegated administration requires foundational configuration to be completed in the organization’s management account before delegation. According to the AWS Certified Security – Specialty documentation, IAM Identity Center must be enabled with a directory in the management account before any delegation can occur.

Permission sets must be created in the management account because they define the permissions that will later be delegated to member accounts. Additionally, user assignments must initially exist in the management account to establish baseline access control before delegation is configured.

Option A is too generic and not a required prerequisite step. Option C is unrelated to Identity Center delegation. Option E is incorrect because IAM Identity Center uses identities from its directory or external IdPs, not IAM users.

AWS guidance clearly outlines directory creation, permission set definition, and initial user assignments as mandatory preparatory steps for delegated administration.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Delegated Administration

AWS Organizations and Identity Center Integration

Requirements and Correct Selections

Automatically collect evidence from AWS CloudTrail, AWS Config, and AWS Security Hub for an assessment report.

Correct Answer:

AWS Audit Manager controls

Why:

AWS Audit Manager is specifically designed to automatically collect, map, and organize evidence from AWS services such as CloudTrail, AWS Config, and AWS Security Hub. Audit Manager controls are used within audit frameworks to continuously gather evidence and generate assessment reports for compliance audits.

Determine which IAM principals within the AWS account have access to a specified resource.

Correct Answer:

AWS Identity and Access Management Access Analyzer internal access analyzers

Why:

IAM Access Analyzer internal access analyzers are used to identify which IAM users, roles, or services within an account or organization have access to a specific resource. This is a core access visibility and audit requirement for IAM reviews.

Download AWS security and compliance documents on demand.

Correct Answer:

AWS Artifact reports

Why:

AWS Artifact provides on-demand access to AWS security, compliance, and audit reports, including SOC reports, ISO certifications, and compliance attestations. This service is explicitly intended for audit preparation and regulatory documentation.

Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security – Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.

Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is the recommended service for centralized log aggregation and near-real-time analysis of application and system logs.

By configuring all EC2 instances to send logs to a single CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.

CloudWatch Logs Insights provides a powerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.

Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3. Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups. Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.

AWS documentation explicitly states that CloudWatch Logs combined with CloudWatch Logs Insights is the most efficient and secure approach for centralized log analysis in EC2-based architectures.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Documentation

CloudWatch Logs Insights Query Guide

EventBridge natively consumes CloudTrail management events and provides near-real-time notifications.

Amazon GuardDuty findings provide high-level detection of suspicious activity but are not designed for deep investigation on their own. The AWS Certified Security – Specialty documentation explains that Amazon Detective is purpose-built to support rapid investigations by automatically collecting, correlating, and visualizing data from GuardDuty, AWS CloudTrail, and VPC Flow Logs. Detective enables security engineers to analyze API calls, user behavior, and resource interactions in context without making any changes to the environment.

Using read-only credentials ensures that the investigation does not impact the production application. Amazon Detective allows investigators to pivot directly from a GuardDuty finding into a detailed activity graph, showing which IAM user made anomalous calls, what resources were accessed, and how behavior deviated from the baseline. This significantly accelerates incident investigation.

Options A and C involve applying DenyAll policies, which are containment actions and could affect application availability. Option D requires manual analysis and setup and is slower than using Amazon Detective, which is designed for immediate investigative workflows.

AWS incident response guidance recommends using Detective for rapid, non-intrusive analysis after GuardDuty findings.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty and Amazon Detective Integration

AWS Incident Response Investigation Best Practices

Amazon Cognito is a fully managed identity service that provides user authentication, authorization, and user management for web and mobile applications. According to AWS Certified Security – Specialty documentation, Cognito user pools are specifically designed to offload authentication responsibilities from applications while maintaining strong security controls.

By federating authentication with third-party identity providers (such as social IdPs), Cognito eliminates the need for the company to manage user passwords directly. This dramatically reduces password reset requests and customer service overhead, while also improving security through industry-standard authentication mechanisms, including MFA and token-based access.

Option A is insecure and incorrect because IAM access keys are not intended for end users. Option B simply relocates password storage and does not reduce operational burden. Option D uses API keys, which are not designed for user authentication and provide no identity verification.

AWS guidance clearly states that Amazon Cognito is the recommended service for scalable, secure user authentication, especially when reducing password management complexity is a requirement.

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito User Pools Documentation

AWS IAM Security Best Practices

AWS CloudFormation supports the use of a service role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security – Specialty Study Guide, using a service role is the most secure and consistent way to ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation—not individual users—assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifies CloudFormation service roles combined with iam:PassRole as best practice for secure, consistent infrastructure deployments.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

AWS Systems Manager Run Command enables security engineers to remotely and securely execute scripts on EC2 instances without requiring SSH or inbound network access. According to AWS Certified Security – Specialty incident response guidance, Run Command is a foundational tool for instance quarantine and forensic preparation.

By configuring IAM permissions that allow the SSM Agent to execute a predefined Run Command document, the security engineer can rapidly deploy forensic tools, disable services, or modify system configurations across affected EC2 instances during an incident. This approach aligns with AWS best practices for containment and evidence preservation, while maintaining auditability through Systems Manager logs.

Option A only provides visibility, not quarantine capability. Option B restricts access but does not allow forensic tooling. Option C enables access to the script but does not execute it.

AWS documentation emphasizes that Systems Manager Run Command is the recommended mechanism for incident response automation and quarantine actions on EC2 instances.

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Run Command Documentation

AWS Incident Response Best Practices

Amazon S3 Lifecycle rules provide a native, fully managed mechanism to automatically transition or delete objects based on their age. According to the AWS Certified Security – Specialty Official Study Guide, S3 Lifecycle policies are the recommended and most secure method for enforcing data retention requirements because they operate automatically, consistently, and without custom code.

By configuring a lifecycle rule to delete objects after 45 days, the company ensures that sensitive datasets are retained long enough to support the 30-day model training process while remaining compliant with the data retention policy. Lifecycle rules are enforced by Amazon S3 itself and apply uniformly to all objects in the bucket or to objects that match specific prefixes or tags.

Option B and Option C introduce unnecessary operational complexity and risk by relying on custom Lambda code and scheduling. These approaches are more error-prone, harder to audit, and less reliable than a built-in S3 capability. Option D is incorrect because S3 Intelligent-Tiering manages storage cost optimization and does not delete data.

AWS documentation explicitly states that S3 Lifecycle rules are the standard control for enforcing retention and deletion policies, particularly for sensitive data stored at scale.

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Configuration Documentation

AWS Data Protection Best Practices

AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Roles

Amazon S3 gateway endpoints support endpoint policies that can restrict which S3 resources are accessible through the endpoint. According to AWS Certified Security – Specialty documentation, endpoint policies are evaluated in addition to IAM policies and are ideal for enforcing data exfiltration controls without breaking legitimate workloads.

By updating the S3 gateway endpoint policy to require both aws:ResourceOrgId and aws:PrincipalOrgId to match the company’s AWS Organization, the security engineer ensures that EC2 instances can access only S3 buckets that belong to the organization. This immediately blocks exfiltration to external S3 buckets while allowing legitimate internal data access to continue uninterrupted.

Option B is insufficient because IAM policies alone cannot prevent access when the endpoint allows it. Option C would break all S3 access and stop the processing job. Option D applies too broadly and can impact unrelated services across the account.

AWS documentation highlights S3 VPC endpoint policies with organization condition keys as a best practice for preventing S3 data exfiltration in private VPC environments.

AWS Certified Security – Specialty Official Study Guide

Amazon S3 VPC Endpoint Policy Documentation

AWS Organizations Condition Keys Documentation

AWS Config provides managed rules that continuously evaluate resource configurations against compliance requirements. The AWS Certified Security – Specialty documentation highlights AWS Config managed rules as the preferred mechanism for enforcing configuration compliance at scale. The managed rule for encrypted RDS storage automatically detects DB instances and clusters that are created without encryption enabled.

By configuring automatic remediation, AWS Config can immediately invoke corrective actions without manual intervention. Integrating remediation with an Amazon SNS topic enables automated email notifications, while an AWS Lambda function can terminate the noncompliant resource. This creates a fully automated detect-alert-remediate workflow.

Option B requires manual remediation, which increases operational effort and delays enforcement. Options C and D rely on Amazon EventBridge, which evaluates events rather than configuration state and does not provide continuous compliance monitoring. AWS Config is explicitly designed for configuration compliance and governance use cases.

This solution aligns with AWS governance best practices by combining continuous monitoring, automated remediation, and centralized alerting with minimal operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules

AWS Config Automatic Remediation

Amazon Macie is the AWS service designed specifically to discover, classify, and inventory sensitive data stored in Amazon S3. According to the AWS Certified Security – Specialty Study Guide, Macie can be enabled organization-wide using AWS Organizations, with a delegated administrator account that centrally manages findings across all member accounts.

By designating the security account as the delegated administrator for both Amazon Macie and AWS Security Hub, the company can centralize sensitive data findings in a single location. Macie automatically scans S3 buckets for sensitive data such as personally identifiable information (PII) and publishes findings to Security Hub for centralized visibility and reporting.

Option B and C are incorrect because Amazon Inspector does not scan S3 objects for sensitive data. Option D is invalid because AWS Trusted Advisor does not ingest Macie sensitive data findings.

AWS best practices recommend Amazon Macie with delegated administration and Security Hub integration for centralized sensitive data inventory across multi-account environments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Macie Sensitive Data Discovery

AWS Organizations Delegated Administrator Model

AWS Security Hub Integration Overview

The Amazon CloudWatch agent requires explicit IAM permissions to create log groups, create log streams, and put log events into Amazon CloudWatch Logs. According to the AWS Certified Security – Specialty Study Guide, the most common cause of CloudWatch agent log delivery failures is missing or insufficient IAM permissions on the EC2 instance role.

The CloudWatchAgentServerPolicy AWS managed policy provides the required permissions, including logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Attaching this policy to the EC2 instance role enables the CloudWatch agent to successfully deliver custom application logs without requiring changes to the application or logging configuration.

Options A, B, and C are incorrect because CloudTrail, Amazon S3, and Amazon Inspector are not designed to ingest custom application logs from EC2 instances in this manner. AWS documentation clearly states that IAM permissions must be granted to the EC2 role for CloudWatch Logs ingestion.

This approach aligns with AWS best practices for least privilege while ensuring reliable detection and monitoring capabilities.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Agent Configuration

AWS IAM Best Practices for Monitoring

EC2 Instance Connect endpoints provide secure, private connectivity to EC2 instances without requiring public IP addresses, inbound internet access, or VPN connectivity. According to AWS Certified Security – Specialty documentation, Instance Connect endpoints are designed specifically for incident response and secure administrative access scenarios.

By deploying an EC2 Instance Connect endpoint in the VPC, the security team can block all external network access while still maintaining controlled access to EC2 instances through the AWS Management Console. The endpoint uses AWS-managed infrastructure and private connectivity, and access is authorized using IAM policies and instance profiles.

Options A and B rely on direct EC2 Instance Connect installation and network paths that may still depend on external access. Option C is incorrect because tunneling is not required when using the console-based Instance Connect endpoint.

This solution enables forensic access during incidents without reopening external network paths, aligning with AWS incident response best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

EC2 Instance Connect Endpoint Architecture

AWS Incident Response Best Practices

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

AWS Organizations and CloudFormation StackSets provide an organizational deployment mechanism for consistent infrastructure across accounts. AWS Certified Security – Specialty guidance emphasizes minimizing use of the management account and using delegated administrator capabilities where available for centralized governance while reducing blast radius. By configuring a delegated administrator account for AWS CloudFormation, the company can create and manage StackSets without performing day-to-day deployment operations from the management account. Targeting the organization root ensures the StackSet deploys to all existing accounts. Enabling automatic deployment ensures that any future accounts that join the organization (or move into targeted OUs, depending on configuration) automatically receive the monitoring service without manual intervention. This directly meets the requirement to deploy to all existing and future accounts with minimal effort. Option A requires ongoing manual updates when accounts are added, increasing operational overhead. Options C and D rely on Systems Manager Automation, which can work but introduces additional operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared to StackSets with auto-deployment. StackSets also provide consistent change control, drift detection, and centralized update mechanisms, which align with governance expectations for compliance tooling.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Delegated Administration

AWS CloudFormation StackSets for Multi-Account Governance

AWS IAM supports identity federation by allowing external identity providers that use OpenID Connect (OIDC) to authenticate and assume IAM roles. According to the AWS Certified Security – Specialty documentation, IAM OIDC identity providers are the recommended approach for enabling third-party systems, such as external CI/CD pipelines or Git-based repositories, to securely obtain temporary AWS credentials without using long-term access keys.

By creating an OIDC identity provider in IAM and configuring the IAM role trust policy to trust the external IdP, the company enables secure, token-based authentication. The trust policy can include conditions that restrict which repositories, branches, or workflows are allowed to assume the role, enforcing least privilege. AWS Security Specialty guidance emphasizes that this method eliminates static credentials and relies on short-lived tokens issued by the OIDC provider.

Option B is incorrect because IAM Roles Anywhere is designed for workloads running outside AWS that use X.509 certificates, not OIDC. Option C is intended for workforce identity federation, not machine-to-machine authentication. Option D is invalid because AWS RAM does not provide identity federation or authentication capabilities.

This solution aligns with AWS best practices for secure, scalable, and low-overhead authentication for external workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM OIDC Identity Providers

AWS IAM Role Trust Policies

AWS WAF allows security engineers to create string match rule statements that inspect specific parts of web requests, including HTTP headers such as the User-Agent header. According to the AWS Certified Security – Specialty Study Guide and AWS WAF documentation, string match rules are ideal for blocking requests that contain known malicious identifiers, such as a distinctive user agent associated with a specific bot or IoT device brand.

In this scenario, the attack originates from a specific IoT device brand that uses a unique user agent. A string match rule that inspects the User-Agent header can precisely block malicious requests while allowing legitimate customer traffic to continue uninterrupted. This approach provides targeted mitigation for both current and future attacks originating from the same device signature.

Option A is incorrect because IP addresses cannot be derived from user agent strings, and IoT botnets frequently rotate IP addresses, making IP-based blocking ineffective. Option B is incorrect because geographic blocking is overly broad and risks blocking legitimate customers in the same regions as the attacking devices. Option C is incorrect because rate-based rules limit request volume per IP address and do not specifically identify malicious device signatures; legitimate high-traffic users could be unintentionally blocked.

AWS documentation emphasizes that header inspection with string match conditions is a best practice for mitigating attacks that use identifiable request characteristics such as custom user agents, especially in DDoS and bot mitigation scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rule Statements

AWS DDoS Resiliency Best Practices

AWS Well-Architected Framework – Security Pillar

Service control policies (SCPs) define the maximum available permissions for accounts and are evaluated as guardrails. AWS Certified Security – Specialty documentation states SCPs are typically used to apply organization-wide restrictions, and exceptions are commonly handled by using conditions (for example, excluding specific accounts) or by structuring OUs differently. Because all accounts are in the same OU and the company must continue blocking external sharing for everyone except one account, modifying the existing SCP to exclude the marketing account is the most direct solution. An SCP attached at the root affects all accounts unless conditions narrow its scope. Adding a condition that excludes the marketing account allows that account to retain the ability to share resources externally while the SCP continues to block sharing for other accounts. Option A is not feasible because account-level SCPs cannot override a deny applied by a parent SCP; explicit denies always win. Option C misunderstands SCP behavior because SCPs do not grant permissions; they only limit. Option D is an IAM control that cannot override an organization-level deny. Therefore, the only secure, scalable option is to modify the existing SCP with an exception condition for the marketing account.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Evaluation Logic

SCP Deny Precedence and Exception Patterns

SSE-S3 uses AWS-managed keys and does not provide customer control. AWS Certified Security – Specialty documentation states that SSE-KMS with customer managed keys allows full control, auditing, and key rotation. The security engineer must first create a customer managed KMS key, then update the bucket to use SSE-KMS. Existing objects must be re-encrypted to ensure compliance.

SSE-C requires the application to manage keys, increasing complexity and risk. AWS managed keys do not meet the requirement for customer-controlled encryption.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Encryption Options

AWS KMS Customer Managed Keys

AWS WAF rate-based rules are designed to help protect applications and resources from traffic floods and application-layer DDoS attacks by tracking the number of requests from individual source IP addresses over a rolling time window. According to the AWS Certified Security – Specialty Official Study Guide and AWS WAF documentation, rate-based rules can be configured with different actions, including Count, Block, and Allow.

When a security engineer is determining an appropriate rate limit that will not block legitimate traffic, AWS best practices recommend initially configuring the rate-based rule with the Count action. The Count action allows AWS WAF to monitor and log requests that exceed the specified rate threshold without actively blocking them. This provides visibility into traffic patterns and enables the security engineer to analyze how the rule would behave in production.

By using the Count action, the security engineer can safely evaluate whether legitimate users would be affected by the chosen rate limit. Once the engineer is confident that the threshold accurately distinguishes between normal traffic and malicious behavior, the action can later be changed to Block.

Option B is incorrect because immediately blocking traffic without validation risks denying service to legitimate users. Option C is invalid because AWS WAF does not have a Monitor action. Option D is incorrect because the Allow action does not enforce rate limiting.

AWS documentation explicitly recommends starting rate-based rules in Count mode to fine-tune thresholds before enforcing blocks, especially for DDoS protection scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices