Amazon Web Services SCS-C03 AWS Certified Security – Specialty Exam Practice Test

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security – Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP’s SAML assertions.

By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication timing issues.

AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center SAML Federation

AWS Identity Federation Best Practices

Amazon EC2 security groups are stateful, meaning that once a connection is established, return traffic is automatically allowed, even if the inbound rule that originally permitted the connection is later removed. According to the AWS Certified Security – Specialty Official Study Guide and Amazon EC2 security documentation, existing connections are not terminated when security group rules change. This explains why the SSH session remains active even after the security group rules were modified, while new traffic such as ICMP ping is blocked.

To immediately and fully isolate an EC2 instance during an incident response scenario, AWS recommends using stateless network controls. Amazon VPC network ACLs (NACLs) are stateless, which means that every packet is evaluated against the ACL rules regardless of whether the traffic is part of an existing connection. When a deny rule is added, all traffic is immediately blocked, including active sessions.

By creating a network ACL and associating it with the subnet that contains the target instance, and by adding explicit deny rules with the lowest rule numbers for both inbound and outbound traffic, the security engineer ensures that all network communication to and from the instance is immediately interrupted. This approach satisfies the requirement to isolate the instance while preserving its runtime state and memory for forensic analysis.

Other options fail to meet the requirement because security group modifications do not terminate existing sessions, Systems Manager does not enforce network isolation, and host-level firewall changes require instance-level access and do not provide immediate, network-enforced isolation.

AWS Certified Security – Specialty Official Study Guide

Amazon EC2 Security Groups Documentation

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

EC2 Instance Connect endpoints provide secure, private connectivity to EC2 instances without requiring public IP addresses, inbound internet access, or VPN connectivity. According to AWS Certified Security – Specialty documentation, Instance Connect endpoints are designed specifically for incident response and secure administrative access scenarios.

By deploying an EC2 Instance Connect endpoint in the VPC, the security team can block all external network access while still maintaining controlled access to EC2 instances through the AWS Management Console. The endpoint uses AWS-managed infrastructure and private connectivity, and access is authorized using IAM policies and instance profiles.

Options A and B rely on direct EC2 Instance Connect installation and network paths that may still depend on external access. Option C is incorrect because tunneling is not required when using the console-based Instance Connect endpoint.

This solution enables forensic access during incidents without reopening external network paths, aligning with AWS incident response best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

EC2 Instance Connect Endpoint Architecture

AWS Incident Response Best Practices

AWS Systems Manager Run Command enables security engineers to remotely and securely execute scripts on EC2 instances without requiring SSH or inbound network access. According to AWS Certified Security – Specialty incident response guidance, Run Command is a foundational tool for instance quarantine and forensic preparation.

By configuring IAM permissions that allow the SSM Agent to execute a predefined Run Command document, the security engineer can rapidly deploy forensic tools, disable services, or modify system configurations across affected EC2 instances during an incident. This approach aligns with AWS best practices for containment and evidence preservation, while maintaining auditability through Systems Manager logs.

Option A only provides visibility, not quarantine capability. Option B restricts access but does not allow forensic tooling. Option C enables access to the script but does not execute it.

AWS documentation emphasizes that Systems Manager Run Command is the recommended mechanism for incident response automation and quarantine actions on EC2 instances.

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Run Command Documentation

AWS Incident Response Best Practices

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security – Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near–real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near–real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

AWS IAM Identity Center delegated administration requires foundational configuration to be completed in the organization’s management account before delegation. According to the AWS Certified Security – Specialty documentation, IAM Identity Center must be enabled with a directory in the management account before any delegation can occur.

Permission sets must be created in the management account because they define the permissions that will later be delegated to member accounts. Additionally, user assignments must initially exist in the management account to establish baseline access control before delegation is configured.

Option A is too generic and not a required prerequisite step. Option C is unrelated to Identity Center delegation. Option E is incorrect because IAM Identity Center uses identities from its directory or external IdPs, not IAM users.

AWS guidance clearly outlines directory creation, permission set definition, and initial user assignments as mandatory preparatory steps for delegated administration.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Delegated Administration

AWS Organizations and Identity Center Integration

AWS WAF supports logging of detailed HTTP request information, including source IP addresses, request URIs, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, Amazon S3 combined with Amazon Athena is the recommended and most cost-effective solution for ad hoc and forensic analysis of AWS WAF logs.

By configuring AWS WAF to deliver logs to Amazon S3 and using Athena with partition projection, the security engineer can efficiently query large volumes of log data without maintaining partitions manually. This enables rapid identification of application-layer attacks such as SQL injection, cross-site scripting, and bot activity.

Options A and D are incorrect because AWS WAF logs are not delivered to CloudTrail. Option B is invalid because OpenSearch cannot directly query data stored in S3 without ingestion or additional tooling.

AWS documentation highlights S3 + Athena as a best practice for scalable, serverless analysis of AWS WAF logs.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena Best Practices

Amazon S3 Lifecycle rules provide a native, fully managed mechanism to automatically transition or delete objects based on their age. According to the AWS Certified Security – Specialty Official Study Guide, S3 Lifecycle policies are the recommended and most secure method for enforcing data retention requirements because they operate automatically, consistently, and without custom code.

By configuring a lifecycle rule to delete objects after 45 days, the company ensures that sensitive datasets are retained long enough to support the 30-day model training process while remaining compliant with the data retention policy. Lifecycle rules are enforced by Amazon S3 itself and apply uniformly to all objects in the bucket or to objects that match specific prefixes or tags.

Option B and Option C introduce unnecessary operational complexity and risk by relying on custom Lambda code and scheduling. These approaches are more error-prone, harder to audit, and less reliable than a built-in S3 capability. Option D is incorrect because S3 Intelligent-Tiering manages storage cost optimization and does not delete data.

AWS documentation explicitly states that S3 Lifecycle rules are the standard control for enforcing retention and deletion policies, particularly for sensitive data stored at scale.

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Configuration Documentation

AWS Data Protection Best Practices

SSE-S3 uses AWS-managed keys and does not provide customer control. AWS Certified Security – Specialty documentation states that SSE-KMS with customer managed keys allows full control, auditing, and key rotation. The security engineer must first create a customer managed KMS key, then update the bucket to use SSE-KMS. Existing objects must be re-encrypted to ensure compliance.

SSE-C requires the application to manage keys, increasing complexity and risk. AWS managed keys do not meet the requirement for customer-controlled encryption.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Encryption Options

AWS KMS Customer Managed Keys

AWS Organizations tag policies are designed to standardize and govern tag keys and allowed values across accounts. AWS Certified Security – Specialty documentation describes tag policies as a governance mechanism that helps enforce consistent tagging by specifying required tag keys and permitted values. To ensure every resource has the CostCenter tag at creation time, an SCP can deny create actions when aws:RequestTag/CostCenter is missing (null). This prevents resources from being created without the required tag. Tag policies then define the three approved values and can be configured to enforce or report noncompliance depending on supported services, ensuring that tag values remain within the allowed set and preventing drift to unapproved values. Compared with custom Lambda-based enforcement, this approach minimizes operational overhead and keeps enforcement within AWS native governance services. Option A partially addresses allowed values at request time but does not address ongoing governance as cleanly across many services. Option B is not preventive because Lambda runs after events and cannot reliably block all creations. Option D still relies on custom logic and is not as operationally efficient as tag policies plus SCP guardrails.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Tag Policies

AWS Organizations SCP Condition Keys for Tag Enforcement

Amazon CloudFront includes a built-in geo restriction feature that allows content to be allowed or denied based on the viewer’s country. According to AWS Certified Security – Specialty documentation, CloudFront geo restriction is the most cost-effective method for country-based blocking because it does not require AWS WAF or additional rule processing.

AWS WAF geo match rules incur additional cost and are more appropriate when advanced inspection or layered security controls are required. IP-based blocking is impractical due to frequent IP changes. Geolocation headers do not enforce access control.

CloudFront geo restriction is evaluated at the edge and efficiently blocks disallowed countries with minimal latency and cost.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Geo Restriction

AWS Edge Security Best Practices

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security – Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.

Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles were used during suspicious activity.

Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.

AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Detective Investigation Capabilities

AWS Threat Detection and Analysis

AWS Organizations service control policies (SCPs) are designed to enforce preventive guardrails across accounts without requiring application-level changes. According to the AWS Certified Security – Specialty documentation, SCPs can restrict specific API actions or require certain condition keys to enforce security standards centrally. AWS Lambda function URLs support two authentication modes: AWS_IAM and NONE. When the authentication type is set to NONE, the function URL becomes publicly accessible, which introduces a significant security risk in production environments.

By using an SCP that explicitly denies the lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions when the lambda:FunctionUrlAuthType condition key equals NONE, the organization ensures that unauthenticated function URLs cannot be created or modified in production accounts. This enforcement occurs at the AWS Organizations level and applies automatically to all accounts within the specified organizational units (OUs). Developers are not required to change their workflows or add additional controls, satisfying the requirement of no additional developer effort.

Option A relates to browser-based access controls and does not provide authentication or authorization enforcement. Option B is not valid because AWS WAF cannot be attached directly to AWS Lambda function URLs. Option C is incorrect because SCPs do not grant permissions; they only limit permissions. AWS documentation clearly states that SCPs define maximum available permissions and are evaluated before IAM policies.

This approach aligns with AWS best practices for centralized governance, least privilege, and preventive security controls.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Service Control Policies Documentation

AWS Lambda Security and Function URL Authentication Overview

Network ACLs are stateless and are evaluated in order based on rule number, with lower rule numbers taking precedence. According to AWS Certified Security – Specialty incident response guidance, network ACLs can be used to immediately block traffic at the subnet level without restarting instances or modifying their runtime state.

By adding a deny rule with a lower priority number (10) that explicitly denies TCP traffic on port 22 from the offending IP address (10.0.1.5), the unauthorized SSH session is immediately interrupted. This approach satisfies the requirement to keep the instance running and to preserve memory for forensic analysis.

Option A violates the requirement because restarting the instance clears memory. Option C would disrupt all legitimate SSH access, not just the unauthorized session. Option D would block all internet access and could cause widespread service disruption.

AWS documentation emphasizes using network ACL deny rules for rapid, targeted containment when immediate interruption is required without altering instance state.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is the recommended service for centralized log aggregation and near-real-time analysis of application and system logs.

By configuring all EC2 instances to send logs to a single CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.

CloudWatch Logs Insights provides a powerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.

Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3. Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups. Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.

AWS documentation explicitly states that CloudWatch Logs combined with CloudWatch Logs Insights is the most efficient and secure approach for centralized log analysis in EC2-based architectures.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Documentation

CloudWatch Logs Insights Query Guide

Amazon S3 gateway endpoints support endpoint policies that can restrict which S3 resources are accessible through the endpoint. According to AWS Certified Security – Specialty documentation, endpoint policies are evaluated in addition to IAM policies and are ideal for enforcing data exfiltration controls without breaking legitimate workloads.

By updating the S3 gateway endpoint policy to require both aws:ResourceOrgId and aws:PrincipalOrgId to match the company’s AWS Organization, the security engineer ensures that EC2 instances can access only S3 buckets that belong to the organization. This immediately blocks exfiltration to external S3 buckets while allowing legitimate internal data access to continue uninterrupted.

Option B is insufficient because IAM policies alone cannot prevent access when the endpoint allows it. Option C would break all S3 access and stop the processing job. Option D applies too broadly and can impact unrelated services across the account.

AWS documentation highlights S3 VPC endpoint policies with organization condition keys as a best practice for preventing S3 data exfiltration in private VPC environments.

AWS Certified Security – Specialty Official Study Guide

Amazon S3 VPC Endpoint Policy Documentation

AWS Organizations Condition Keys Documentation

AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Roles

AWS Audit Manager is specifically designed to help organizations continuously audit their AWS usage against compliance frameworks and generate audit-ready reports. According to AWS Certified Security – Specialty documentation, Audit Manager includes AWS managed frameworks for compliance standards, including PCI DSS v4.0.

Audit Manager automatically collects evidence from AWS services such as API Gateway, Lambda, RDS, CloudTrail, and Config, and maps the evidence directly to PCI DSS controls. Importantly, Audit Manager allows compliance teams to upload and attach manual evidence, which is a key requirement in this scenario.

Option C provides visibility into control status but does not support adding manual evidence. Option B evaluates configuration compliance but does not generate formal compliance reports. Option A requires extensive manual effort and is not aligned with PCI reporting workflows.

AWS documentation positions Audit Manager as the authoritative service for compliance reporting and audit evidence management.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Audit Manager PCI DSS Framework

AWS Compliance Reporting Best Practices

AWS Organizations and CloudFormation StackSets provide an organizational deployment mechanism for consistent infrastructure across accounts. AWS Certified Security – Specialty guidance emphasizes minimizing use of the management account and using delegated administrator capabilities where available for centralized governance while reducing blast radius. By configuring a delegated administrator account for AWS CloudFormation, the company can create and manage StackSets without performing day-to-day deployment operations from the management account. Targeting the organization root ensures the StackSet deploys to all existing accounts. Enabling automatic deployment ensures that any future accounts that join the organization (or move into targeted OUs, depending on configuration) automatically receive the monitoring service without manual intervention. This directly meets the requirement to deploy to all existing and future accounts with minimal effort. Option A requires ongoing manual updates when accounts are added, increasing operational overhead. Options C and D rely on Systems Manager Automation, which can work but introduces additional operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared to StackSets with auto-deployment. StackSets also provide consistent change control, drift detection, and centralized update mechanisms, which align with governance expectations for compliance tooling.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Delegated Administration

AWS CloudFormation StackSets for Multi-Account Governance

Amazon S3 pre-signed URLs grant temporary access based on the permissions of the principal that generates them. AWS Certified Security – Specialty documentation explains that fine-grained authorization can be enforced by combining pre-signed URLs with IAM policy conditions.

By tagging each invoice object with a client identifier and adding a condition to the EC2 instance role policy using s3:ResourceTag/ClientId, the role can generate pre-signed URLs only for objects associated with a specific client. This ensures that each client can access only their own invoices, even though the URLs are temporary and unauthenticated.

Option A over-permissions clients. Option C is unnecessary because instance profiles already use temporary credentials. Option D violates AWS best practices by using long-term credentials.

AWS recommends resource tagging with IAM policy conditions for scalable, secure access control.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Pre-Signed URLs

IAM Policy Conditions and Resource Tags

AWS Service Catalog is designed to allow organizations to create and manage approved sets of CloudFormation templates, known as products, and make them available to specific accounts or organizational units (OUs). According to the AWS Certified Security – Specialty Study Guide, Service Catalog is the preferred governance mechanism for enforcing standardized infrastructure deployments while maintaining strong access controls.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved CloudFormation template. This guarantees that third-party developers can deploy infrastructure only in accordance with the company’s predefined deployment plan, without modifying or directly accessing the template itself.

Option B and D use CloudFormation modules, which are intended for reusable resource definitions but do not provide the same level of deployment governance, access control, and lifecycle management as Service Catalog. Option C introduces unnecessary cross-account IAM roles, increasing the attack surface and operational complexity, which violates the “most secure” requirement.

AWS documentation explicitly states that Service Catalog is the recommended service for distributing standardized CloudFormation templates across AWS Organizations, while controlling who can deploy them and where.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS Well-Architected Framework – Security Pillar

AWS CloudTrail organization trails are specifically designed to provide centralized, organization-wide logging with minimal operational effort. According to the AWS Certified Security – Specialty Official Study Guide, an organization trail records all management events for all member accounts and delivers them to a single Amazon S3 bucket.

To ensure that logs cannot be altered or deleted, Amazon S3 Object Lock in compliance mode must be used. Compliance mode enforces write-once-read-many (WORM) protection, meaning no user, including the root user, can delete or modify objects before the retention period expires. This directly satisfies the requirement that no changes or deletions are allowed for 2 years.

The S3 bucket must reside in the dedicated security account to provide isolation and strong security boundaries. Granting write permissions to the organization’s management account (Option A) aligns with AWS best practices, because the management account owns and manages the organization trail and centrally delivers logs on behalf of all member accounts.

Option B increases attack surface by allowing all member accounts to write directly. Option C does not meet immutability requirements because lifecycle policies do not prevent deletion. Option E introduces unnecessary services and operational complexity.

AWS documentation explicitly identifies the combination of CloudTrail organization trails + S3 Object Lock (compliance mode) as the recommended, lowest-overhead solution for long-term, immutable audit log retention.

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Organization Trail Documentation

Amazon S3 Object Lock Documentation

AWS Well-Architected Framework – Security Pillar

Amazon Macie is the AWS service designed specifically to discover, classify, and report sensitive data stored in Amazon S3. According to the AWS Certified Security – Specialty Study Guide, Macie uses machine learning and managed data identifiers to automatically detect sensitive data types such as PII and financial information.

Macie integrates natively with Amazon EventBridge, allowing findings to be routed to other services such as Amazon SNS with minimal configuration. Creating an EventBridge rule to forward Macie findings to an existing SNS topic satisfies the notification requirement without custom code.

Option A is invalid because AWS Config does not inspect object contents. Option B requires custom development and ongoing maintenance. Option D is incorrect because Amazon GuardDuty focuses on threat detection, not sensitive data discovery.

AWS documentation emphasizes Macie as the lowest-effort and most accurate solution for sensitive data identification in S3.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Macie Sensitive Data Discovery

Amazon EventBridge Integration with Security Services

AWS Secrets Manager is a regional service that is accessed through private AWS endpoints. In a VPC without internet access, AWS recommends using AWS PrivateLink through interface VPC endpoints to enable secure, private connectivity to supported AWS services. According to AWS Certified Security – Specialty documentation, interface VPC endpoints allow resources within a VPC to communicate with AWS services without traversing the public internet, NAT devices, or internet gateways.

An interface VPC endpoint for Secrets Manager creates elastic network interfaces (ENIs) within the VPC subnets and assigns private IP addresses that route traffic directly to the Secrets Manager service. Because the VPC has private DNS enabled, the standard Secrets Manager DNS hostname resolves to the private IP addresses of the interface endpoint, allowing the Lambda rotation function to communicate securely and transparently.

Option A introduces unnecessary complexity and expands the attack surface by allowing outbound internet access. Option B is incorrect because gateway VPC endpoints are supported only for Amazon S3 and Amazon DynamoDB. Option D violates the security requirement by exposing the VPC to the internet.

AWS security best practices explicitly recommend interface VPC endpoints as the most secure connectivity method for private VPC workloads accessing AWS managed services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Secrets Manager Security Architecture

AWS PrivateLink and Interface VPC Endpoints Documentation

AWS incident response best practices emphasize rapid containment, credential revocation, and threat detection to minimize the blast radius of a compromise. According to the AWS Certified Security – Specialty Official Study Guide, when unauthorized resources such as an Amazon S3 bucket hosting malware are discovered, immediate action must be taken to stop further misuse of the account and to prevent recurrence.

Rotating or deleting all AWS access keys (Option D) is a critical containment step. If an IAM user has been compromised, any long-term credentials associated with that user must be revoked immediately to prevent continued unauthorized access. AWS guidance explicitly lists access key rotation or deletion as a first-response action for suspected credential compromise.

Deleting unrecognized or unauthorized resources (Option F) directly removes the malicious infrastructure that is being abused. In this case, deleting the unauthorized S3 bucket immediately stops malware distribution and reduces reputational and compliance impact.

Turning on Amazon GuardDuty (Option B) enables continuous threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty can identify additional malicious activity, compromised credentials, or persistence mechanisms that the attacker may have established. AWS documentation recommends enabling GuardDuty during or immediately after an incident to detect ongoing or future threats.

Option A does not reduce the impact of the current compromise. Option C is overly disruptive and not recommended; credential rotation should be targeted. Option E is unnecessary because there is no indication that EBS-backed compute resources are involved.

AWS incident response guidance clearly prioritizes credential revocation, malicious resource removal, and threat detection to minimize consequences.

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty User Guide

AWS IAM Security Best Practices

Step 1: Obtain the SAML metadata from IAM Identity Center.

Step 2: Obtain the SAML metadata from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center.

When integrating AWS IAM Identity Center (formerly AWS SSO) with an external identity provider (IdP) using SAML 2.0, AWS requires a specific sequence of steps to establish trust and federation correctly.

Step 1: Obtain the SAML metadata from IAM Identity Center

IAM Identity Center acts as the service provider (SP) in the SAML trust. The external IdP must trust IAM Identity Center, so the IdP needs IAM Identity Center’s SAML metadata first. This metadata contains critical information such as the SP entity ID, ACS (Assertion Consumer Service) URL, and signing certificate. Without this metadata, the external IdP cannot be configured to send assertions to AWS.

Step 2: Obtain the SAML metadata from the external IdP

After the external IdP is configured to trust IAM Identity Center, the IdP generates its own SAML metadata. This metadata includes the IdP entity ID, SSO endpoint, and signing certificate. IAM Identity Center requires this information to validate authentication assertions coming from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center

Once both metadata files are available, the security engineer configures the external IdP as the identity source in IAM Identity Center. At this stage, IAM Identity Center imports the IdP metadata and establishes the SAML trust relationship. After this configuration, users authenticated by the external IdP can be federated into AWS accounts and applications via IAM Identity Center.

Why the other options are incorrect:

Creating an IAM role with an IdP API endpoint is used for IAM federation, not IAM Identity Center.

Automatic provisioning (SCIM) is optional and is configured after SAML federation is established.

Automatic provisioning must be enabled on both sides, but it is not required to complete the core IdP integration.

This sequence follows AWS best practices for SAML-based federation with IAM Identity Center.

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance, CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send a custom origin header (such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured to forward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommends custom origin headers as the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security – Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.

If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.

Other options reference incorrect principals or irrelevant permissions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Prerequisites

AWS WAF logs contain detailed request-level information, including source IP addresses, requested URIs, and rule matches. According to AWS Certified Security – Specialty guidance, enabling AWS WAF logging provides the most reliable and tamper-resistant method to investigate web-based attacks, especially when instance-level logs are unavailable.

By streaming WAF logs through Amazon Kinesis Data Firehose to Amazon S3, the company ensures durable, centralized log storage that is independent of EC2 lifecycle events. Amazon Athena can then query the logs efficiently to identify repeated requests to the new-user-creation.php endpoint and extract attacker IP addresses.

VPC Flow Logs do not capture HTTP-level details. ALB access logs alone may not capture blocked requests. WAF logs provide the best forensic visibility for future detection.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging and Monitoring

Amazon Athena Log Analysis

Amazon SQS is an AWS-managed service and does not operate within customer VPCs. Therefore, security groups and network ACLs cannot be used to control access to SQS, making options A and B invalid. According to AWS Certified Security – Specialty documentation, the recommended approach to securely access AWS services from within a VPC is through interface VPC endpoints (AWS PrivateLink).

By creating interface VPC endpoints for Amazon SQS, the company ensures that traffic to SQS stays within the AWS network and does not traverse the public internet. Adding an SQS resource policy with the aws:SourceVpce condition restricts access so that only requests originating from the specified VPC endpoint are allowed. Additionally, using the aws:PrincipalOrgId condition ensures that only principals belonging to the same AWS Organization can access the queue.

Option D introduces an external tool, increasing cost and compliance complexity, which directly violates the requirement to minimize investment outside AWS.

AWS documentation clearly identifies VPC endpoints combined with IAM condition keys as a best practice for securing service access in multi-account environments.

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security Best Practices

AWS Organizations Documentation

AWS PrivateLink User Guide

The correct solution is option D because it effectively prevents direct access to the internet-facing ALB while allowing legitimate traffic that originates from Amazon CloudFront. By configuring CloudFront to include a custom HTTP header (such as X-Shared-Secret) in all origin requests, and then configuring ALB listener rules to only forward requests that contain the expected header value, the ALB will reject any requests that bypass CloudFront.

This approach is a documented AWS best practice when CloudFront is placed in front of an ALB and AWS WAF is associated with the CloudFront distribution. AWS WAF only evaluates traffic that flows through CloudFront; therefore, preventing direct access to the ALB is critical to ensure that all requests are inspected by the web ACL.

Option A is invalid because CloudFront does not support AWS PrivateLink endpoints as origins. Option B is incorrect because CloudFront cannot use an internal ALB as an origin; CloudFront requires a publicly reachable origin. Option C is not recommended because CloudFront IP ranges change frequently, making IP-based allow lists operationally complex and error-prone, and AWS does not provide a supported CloudFront prefix list for ALB listener rules.

AWS Security Specialty guidance explicitly recommends using custom origin headers to restrict ALB access to CloudFront-only traffic, making option D the correct and secure solution.

AWS KMS access control is primarily enforced through key policies (and optionally grants), and AWS recommends using key policy condition keys to restrict how keys can be used. The kms:ViaService condition key is specifically designed to restrict KMS API usage to requests that come through a particular AWS service endpoint in a specific Region. This is the most robust way to ensure a key can be used only via AWS Lambda (for example, lambda..amazonaws.com) and not via Amazon EC2 (ec2..amazonaws.com), even if IAM permissions exist elsewhere. By writing a key policy that uses the Lambda execution role as the principal and conditions on kms:ViaService, the company can tightly bind key usage to Lambda-originated cryptographic operations while preventing use through EC2 service paths. Option A is weaker because EC2 is not the only way an IAM principal might use KMS, and relying on attaching explicit deny policies broadly is harder to manage and can miss principals. Option C is incorrect because aws:AuthorizedService is not the typical mechanism for KMS service restriction, and SourceIp is unreliable for service-to-service calls. Option D is not ideal because SCPs do not provide fine-grained service-path restrictions for KMS usage and cannot “allow” beyond IAM; key policy controls still apply.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policies and Condition Keys

AWS KMS Best Practices for Service-Scoped Key Usage

AWS incident response best practices emphasize rapid containment to prevent further data exposure. According to the AWS Certified Security – Specialty Study Guide, the fastest and least disruptive containment method for compromised compute resources is to immediately revoke credentials and permissions rather than modifying data or infrastructure.

Revoking the IAM role’s active sessions prevents the EC2 instance from continuing to access AWS services. Updating the S3 bucket policy to explicitly deny access to the IAM role ensures immediate enforcement, even if temporary credentials remain cached. Removing the IAM role from the instance profile further prevents new credentials from being issued.

Option A and D involve large-scale data movement or re-encryption, which is time-consuming and operationally expensive. Option B relies on network-level controls that do not prevent access through private AWS endpoints.

AWS guidance explicitly recommends credential revocation and policy-based denial as the fastest containment step during active incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

AWS IAM Role Session Management

Amazon Inspector provides native Lambda code vulnerability scanning. GuardDuty focuses on runtime threats, not static code analysis.

AWS incident response best practices emphasize containment with minimal blast radius while preserving business continuity. According to the AWS Certified Security – Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue operating is the recommended initial response.

By creating an Amazon EventBridge rule that reacts to GuardDuty anomalous traffic findings and invokes an AWS Lambda function, the security engineer can automatically remove the affected EC2 instance from the Auto Scaling group and attach a restricted security group. This immediately stops malicious activity while allowing Auto Scaling to replace the instance and keep the application available.

Option A is inappropriate because EC2 instance profiles do not use long-term access keys. Option C applies subnet-wide changes that could disrupt unrelated workloads. Option D provides notification only and does not meet the automated response requirement.

AWS documentation explicitly identifies instance isolation via security groups as a preferred containment technique that preserves application availability and forensic integrity.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

AWS Incident Response Best Practices