SCS-C03 AWS Certified Security – Specialty Questions and Answers

AWS KMS keys are strictly regional resources. According to AWS Certified Security – Specialty documentation, a KMS key created in one Region cannot be used to encrypt or decrypt data in another Region. This includes encrypted RDS and Aurora snapshots.

When copying an encrypted snapshot to a different Region, the destination Region must have its own KMS key. AWS automatically re-encrypts the snapshot using the specified KMS key in the destination Region during the copy operation.

Options C and D are invalid because IAM policies cannot extend a KMS key’s scope across Regions. Option A is incorrect because Secrets Manager does not store or manage KMS keys themselves.

AWS best practices require creating a new customer managed key in the target Region and using it during the snapshot copy process.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Key Limitations

Amazon RDS Encrypted Snapshot Copy

AWS CloudTrail organization trails are specifically designed to provide centralized, organization-wide logging with minimal operational effort. According to the AWS Certified Security – Specialty Official Study Guide, an organization trail records all management events for all member accounts and delivers them to a single Amazon S3 bucket.

To ensure that logs cannot be altered or deleted, Amazon S3 Object Lock in compliance mode must be used. Compliance mode enforces write-once-read-many (WORM) protection, meaning no user, including the root user, can delete or modify objects before the retention period expires. This directly satisfies the requirement that no changes or deletions are allowed for 2 years.

The S3 bucket must reside in the dedicated security account to provide isolation and strong security boundaries. Granting write permissions to the organization’s management account (Option A) aligns with AWS best practices, because the management account owns and manages the organization trail and centrally delivers logs on behalf of all member accounts.

Option B increases attack surface by allowing all member accounts to write directly. Option C does not meet immutability requirements because lifecycle policies do not prevent deletion. Option E introduces unnecessary services and operational complexity.

AWS documentation explicitly identifies the combination of CloudTrail organization trails + S3 Object Lock (compliance mode) as the recommended, lowest-overhead solution for long-term, immutable audit log retention.

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Organization Trail Documentation

Amazon S3 Object Lock Documentation

AWS Well-Architected Framework – Security Pillar

AWS incident response guidance emphasizes immediate containment, credential invalidation, and removal of malicious resources. According to the AWS Certified Security – Specialty documentation, compromised credentials must be rotated or deleted immediately to prevent further unauthorized actions. Rotating or deleting access keys directly mitigates ongoing abuse.

Deleting unrecognized or unauthorized resources, such as the malicious S3 bucket, removes the active threat and limits further damage. Enabling Amazon GuardDuty provides continuous monitoring and helps identify additional compromised resources or malicious behavior that may not yet be visible.

Changing passwords for all IAM users is disruptive and unnecessary if compromise scope is limited. Encrypting CloudTrail logs does not reduce active impact. Taking EBS snapshots is primarily for forensic investigation, not immediate consequence minimization.

AWS best practices recommend GuardDuty activation, credential rotation, and removal of malicious resources as first-response actions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty Threat Detection

Amazon GuardDuty provides managed threat detection and supports EKS protection features that analyze Kubernetes audit logs to detect suspicious activity, including unauthorized or unauthenticated access attempts. AWS Certified Security – Specialty documentation recommends GuardDuty for low-overhead detection because it is fully managed and does not require deploying agents or modifying application code. EKS Audit Log Monitoring is designed to consume and analyze relevant control plane audit events to identify anomalous or unauthorized actions against the cluster. Compared to third-party add-ons, GuardDuty reduces operational burden and remains fully within AWS managed services. Security Hub aggregates findings from services like GuardDuty but does not itself perform the detection. CloudWatch Container Insights focuses on performance and operational metrics, not authentication security detections. Therefore, enabling GuardDuty with EKS Audit Log Monitoring provides the required detection with the least operational effort and without requiring additional configuration to the existing EKS workload beyond enabling the feature.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty EKS Protection and Audit Log Monitoring

AWS Threat Detection Best Practices for Kubernetes on AWS

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls

EC2 Instance Connect endpoints provide secure, private connectivity to EC2 instances without requiring public IP addresses, inbound internet access, or VPN connectivity. According to AWS Certified Security – Specialty documentation, Instance Connect endpoints are designed specifically for incident response and secure administrative access scenarios.

By deploying an EC2 Instance Connect endpoint in the VPC, the security team can block all external network access while still maintaining controlled access to EC2 instances through the AWS Management Console. The endpoint uses AWS-managed infrastructure and private connectivity, and access is authorized using IAM policies and instance profiles.

Options A and B rely on direct EC2 Instance Connect installation and network paths that may still depend on external access. Option C is incorrect because tunneling is not required when using the console-based Instance Connect endpoint.

This solution enables forensic access during incidents without reopening external network paths, aligning with AWS incident response best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

EC2 Instance Connect Endpoint Architecture

AWS Incident Response Best Practices

AWS KMS key grants are specifically designed to provide temporary, granular permissions to use customer managed keys without modifying key policies. According to the AWS Certified Security – Specialty Study Guide, grants are the preferred mechanism for delegating key usage permissions to AWS principals for short-term or programmatic access scenarios. Grants allow permissions such as Encrypt, Decrypt, or GenerateDataKey and can be created and revoked dynamically.

Using a key grant avoids the operational risk and overhead of editing key policies, which are long-term control mechanisms and should remain stable. AWS documentation emphasizes that frequent key policy changes increase the risk of misconfiguration and accidental privilege escalation. Grants can be revoked immediately when access is no longer required, ensuring strong adherence to the principle of least privilege.

Options A and D violate AWS security best practices because AWS KMS does not allow direct export of key material unless the key was explicitly created as an importable key, and exporting key material increases exposure risk. Option B requires manual policy changes and rollback, which introduces operational overhead and audit complexity.

AWS recommends key grants as the most efficient and secure way to provide temporary access to KMS keys for applications.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policies and Grants Documentation

AWS KMS Best Practices

Amazon Macie is the AWS service designed specifically to discover, classify, and inventory sensitive data stored in Amazon S3. According to the AWS Certified Security – Specialty Study Guide, Macie can be enabled organization-wide using AWS Organizations, with a delegated administrator account that centrally manages findings across all member accounts.

By designating the security account as the delegated administrator for both Amazon Macie and AWS Security Hub, the company can centralize sensitive data findings in a single location. Macie automatically scans S3 buckets for sensitive data such as personally identifiable information (PII) and publishes findings to Security Hub for centralized visibility and reporting.

Option B and C are incorrect because Amazon Inspector does not scan S3 objects for sensitive data. Option D is invalid because AWS Trusted Advisor does not ingest Macie sensitive data findings.

AWS best practices recommend Amazon Macie with delegated administration and Security Hub integration for centralized sensitive data inventory across multi-account environments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Macie Sensitive Data Discovery

AWS Organizations Delegated Administrator Model

AWS Security Hub Integration Overview

AWS Service Catalog is designed to allow organizations to create and manage approved sets of CloudFormation templates, known as products, and make them available to specific accounts or organizational units (OUs). According to the AWS Certified Security – Specialty Study Guide, Service Catalog is the preferred governance mechanism for enforcing standardized infrastructure deployments while maintaining strong access controls.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved CloudFormation template. This guarantees that third-party developers can deploy infrastructure only in accordance with the company’s predefined deployment plan, without modifying or directly accessing the template itself.

Option B and D use CloudFormation modules, which are intended for reusable resource definitions but do not provide the same level of deployment governance, access control, and lifecycle management as Service Catalog. Option C introduces unnecessary cross-account IAM roles, increasing the attack surface and operational complexity, which violates the “most secure” requirement.

AWS documentation explicitly states that Service Catalog is the recommended service for distributing standardized CloudFormation templates across AWS Organizations, while controlling who can deploy them and where.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS Well-Architected Framework – Security Pillar

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

Amazon CloudFront includes a native geo restriction (geoblocking) capability that allows content owners to control access to their distributions based on the geographic location of the viewer. The viewer’s country is determined using the IP address from which the request originates. According to the AWS Certified Security – Specialty Official Study Guide and the Amazon CloudFront Developer Guide, geo restriction is specifically designed for scenarios where organizations must comply with regional regulations, licensing requirements, or data sovereignty policies.

From a cost perspective, CloudFront geo restriction is the most cost-effective solution because it is configured directly within the CloudFront distribution and does not require AWS WAF. AWS WAF introduces additional costs for web ACLs, rules, and request processing, which is unnecessary when the requirement is limited strictly to blocking or allowing access based on country.

Option A is incorrect because maintaining IP ranges for entire countries is operationally complex, error-prone, and not scalable. Country-level IP ranges frequently change, making this approach unsuitable and inefficient. Option B, although technically valid, is not the most cost-effective choice because AWS WAF geo match rules incur additional charges and are intended for advanced Layer 7 security controls such as application-layer attacks. Option D is incorrect because geolocation headers provided by CloudFront are informational only and cannot independently enforce access control decisions.

AWS documentation explicitly recommends CloudFront geo restriction when the sole requirement is country-based access control, reserving AWS WAF for advanced security inspection and threat mitigation use cases.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Developer Guide – Geo Restriction

AWS Well-Architected Framework – Security Pillar

AWS Security Best Practices Documentation

AWS incident response best practices emphasize rapid containment, credential revocation, and threat detection to minimize the blast radius of a compromise. According to the AWS Certified Security – Specialty Official Study Guide, when unauthorized resources such as an Amazon S3 bucket hosting malware are discovered, immediate action must be taken to stop further misuse of the account and to prevent recurrence.

Rotating or deleting all AWS access keys (Option D) is a critical containment step. If an IAM user has been compromised, any long-term credentials associated with that user must be revoked immediately to prevent continued unauthorized access. AWS guidance explicitly lists access key rotation or deletion as a first-response action for suspected credential compromise.

Deleting unrecognized or unauthorized resources (Option F) directly removes the malicious infrastructure that is being abused. In this case, deleting the unauthorized S3 bucket immediately stops malware distribution and reduces reputational and compliance impact.

Turning on Amazon GuardDuty (Option B) enables continuous threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty can identify additional malicious activity, compromised credentials, or persistence mechanisms that the attacker may have established. AWS documentation recommends enabling GuardDuty during or immediately after an incident to detect ongoing or future threats.

Option A does not reduce the impact of the current compromise. Option C is overly disruptive and not recommended; credential rotation should be targeted. Option E is unnecessary because there is no indication that EBS-backed compute resources are involved.

AWS incident response guidance clearly prioritizes credential revocation, malicious resource removal, and threat detection to minimize consequences.

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty User Guide

AWS IAM Security Best Practices

Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security – Specialty documentation, GuardDuty findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events).

Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.

Option A is incorrect because GuardDuty does not directly invoke Lambda functions. Option B and Option D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. Cryptocurrency findings are security detections, not configuration changes.

AWS documentation explicitly describes this pattern—GuardDuty → EventBridge → Lambda → remediation action—as a best practice for automated threat response and containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – Findings

Amazon EventBridge User Guide

AWS Incident Response Best Practices

AWS Organizations and CloudFormation StackSets provide an organizational deployment mechanism for consistent infrastructure across accounts. AWS Certified Security – Specialty guidance emphasizes minimizing use of the management account and using delegated administrator capabilities where available for centralized governance while reducing blast radius. By configuring a delegated administrator account for AWS CloudFormation, the company can create and manage StackSets without performing day-to-day deployment operations from the management account. Targeting the organization root ensures the StackSet deploys to all existing accounts. Enabling automatic deployment ensures that any future accounts that join the organization (or move into targeted OUs, depending on configuration) automatically receive the monitoring service without manual intervention. This directly meets the requirement to deploy to all existing and future accounts with minimal effort. Option A requires ongoing manual updates when accounts are added, increasing operational overhead. Options C and D rely on Systems Manager Automation, which can work but introduces additional operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared to StackSets with auto-deployment. StackSets also provide consistent change control, drift detection, and centralized update mechanisms, which align with governance expectations for compliance tooling.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Delegated Administration

AWS CloudFormation StackSets for Multi-Account Governance

AWS KMS keys are regional resources and cannot be used across Regions. According to AWS Certified Security – Specialty documentation, applications that are deployed in multiple Regions should use region-specific customer managed keys while referencing keys by alias instead of key ID.

By creating a new customer managed key in eu-north-1 and assigning it the same alias as the key in eu-west-1, the application code can continue to reference the alias without modification. Each Region resolves the alias to the correct local key, ensuring encryption continues to function correctly.

Option A is invalid because KMS keys are regional. Option B requires application changes. Option D introduces unsupported alias patterns.

AWS best practices recommend alias-based key references for multi-Region deployments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Keys and Aliases

AWS KMS Best Practices

Amazon Detective is a managed service designed specifically to investigate and analyze security findings by automatically correlating data from Amazon GuardDuty, AWS CloudTrail, and VPC Flow Logs. According to the AWS Certified Security – Specialty Official Study Guide, Detective enables security teams to identify root causes, anomalous behavior, and indicators of compromise through interactive visualizations.

Amazon Detective allows investigators to pivot directly to IAM roles, users, and resources that are involved in GuardDuty findings. Detective builds behavior graphs and timelines that show API activity, network traffic, and historical context, making it easier to understand how and why a security incident occurred.

Amazon Inspector (Option B) focuses on vulnerability scanning of compute resources and does not investigate IAM behavior. Option C requires manual analysis and lacks native visualization. AWS Security Hub (Option D) aggregates findings but does not perform root-cause investigation or behavioral analysis.

AWS documentation explicitly states that Amazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, especially when IAM roles are involved.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

AWS Config is the AWS service designed to continuously evaluate resource configurations against defined rules. According to the AWS Certified Security – Specialty Study Guide, AWS Config managed rules exist specifically to check database encryption, public accessibility, deletion protection, and log exports for Amazon RDS and Aurora.

AWS Config provides a real-time compliance timeline and displays the compliance state of each resource against each rule at any point in time. This granular visibility is required to assess ongoing compliance with security policies.

Audit Manager generates reports but does not provide continuous compliance monitoring. Security Hub aggregates findings but does not track configuration drift. EventBridge and Lambda introduce unnecessary complexity.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for RDS

AWS Continuous Compliance Monitoring

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance, CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send a custom origin header (such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured to forward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommends custom origin headers as the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

AWS WAF allows security engineers to create string match rule statements that inspect specific parts of web requests, including HTTP headers such as the User-Agent header. According to the AWS Certified Security – Specialty Study Guide and AWS WAF documentation, string match rules are ideal for blocking requests that contain known malicious identifiers, such as a distinctive user agent associated with a specific bot or IoT device brand.

In this scenario, the attack originates from a specific IoT device brand that uses a unique user agent. A string match rule that inspects the User-Agent header can precisely block malicious requests while allowing legitimate customer traffic to continue uninterrupted. This approach provides targeted mitigation for both current and future attacks originating from the same device signature.

Option A is incorrect because IP addresses cannot be derived from user agent strings, and IoT botnets frequently rotate IP addresses, making IP-based blocking ineffective. Option B is incorrect because geographic blocking is overly broad and risks blocking legitimate customers in the same regions as the attacking devices. Option C is incorrect because rate-based rules limit request volume per IP address and do not specifically identify malicious device signatures; legitimate high-traffic users could be unintentionally blocked.

AWS documentation emphasizes that header inspection with string match conditions is a best practice for mitigating attacks that use identifiable request characteristics such as custom user agents, especially in DDoS and bot mitigation scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rule Statements

AWS DDoS Resiliency Best Practices

AWS Well-Architected Framework – Security Pillar

Service control policies (SCPs) define the maximum available permissions for accounts and are evaluated as guardrails. AWS Certified Security – Specialty documentation states SCPs are typically used to apply organization-wide restrictions, and exceptions are commonly handled by using conditions (for example, excluding specific accounts) or by structuring OUs differently. Because all accounts are in the same OU and the company must continue blocking external sharing for everyone except one account, modifying the existing SCP to exclude the marketing account is the most direct solution. An SCP attached at the root affects all accounts unless conditions narrow its scope. Adding a condition that excludes the marketing account allows that account to retain the ability to share resources externally while the SCP continues to block sharing for other accounts. Option A is not feasible because account-level SCPs cannot override a deny applied by a parent SCP; explicit denies always win. Option C misunderstands SCP behavior because SCPs do not grant permissions; they only limit. Option D is an IAM control that cannot override an organization-level deny. Therefore, the only secure, scalable option is to modify the existing SCP with an exception condition for the marketing account.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Evaluation Logic

SCP Deny Precedence and Exception Patterns

AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security – Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.

If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.

Other options reference incorrect principals or irrelevant permissions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Prerequisites

Amazon S3 Lifecycle configuration rules are the native, automated mechanism for managing object retention and deletion. According to AWS Certified Security – Specialty documentation, lifecycle rules can be configured to expire objects based on the number of days since object creation. Once the expiration time is reached, Amazon S3 permanently deletes the objects without manual intervention.

This solution directly enforces a maximum retention period of 72 hours and ensures compliance regardless of whether the vendor downloads the data or not. Lifecycle rules are evaluated continuously by Amazon S3 and do not require scripts, cron jobs, or additional services, making them the most operationally efficient and cost-effective solution.

S3 Versioning controls versions but does not enforce object deletion timelines. S3 Intelligent-Tiering optimizes storage cost but does not delete objects. Presigned URLs only control access duration and do not remove objects from storage.

AWS explicitly recommends lifecycle policies for automated data retention enforcement.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

AWS Shield Advanced is the AWS-native managed service specifically designed to provide detection, mitigation, and visibility for Distributed Denial of Service (DDoS) attacks at both the network and application layers. Shield Advanced integrates directly with Amazon CloudWatch by publishing DDoS-related metrics such as DDoSDetected, AttackVolume, and AttackVector, which can be monitored using CloudWatch alarms to trigger alerts in near real time. This makes option D the correct and fully supported solution.

Amazon Macie focuses on discovering and protecting sensitive data (such as PII) in Amazon S3 using machine learning and does not provide DDoS detection capabilities, making option A incorrect. Amazon Inspector is a vulnerability management service that assesses EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure; it does not detect live DDoS attacks, so option B is incorrect. AWS Firewall Manager is a centralized management service for configuring AWS WAF, Shield Advanced, and security groups across accounts, but it does not emit native DDoS detection metrics for alerting, which eliminates option C.

According to AWS Security Specialty documentation, the recommended best practice for DDoS detection and alerting is to enable AWS Shield Advanced and configure Amazon CloudWatch alarms on Shield metrics, optionally integrating with Amazon SNS for notifications and AWS Incident Manager for response automation.

AWS incident response best practices emphasize isolating compromised resources rather than immediately terminating them. According to AWS Certified Security – Specialty documentation, removing an instance from an Auto Scaling group prevents replacement loops, while applying a restrictive security group isolates the instance for forensic analysis.

Using Amazon EventBridge to trigger an AWS Lambda function enables automated, consistent responses to GuardDuty findings. This approach minimizes disruption to the application because healthy instances continue serving traffic while the affected instance is isolated.

Disabling credentials or modifying network ACLs can have broader impact on unrelated workloads. SNS notifications alone do not provide response automation.

AWS recommends isolate-and-investigate patterns for EC2 incident response.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Automated Responses

AWS Incident Response Playbooks

AWS CloudFormation supports the use of a service role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security – Specialty Study Guide, using a service role is the most secure and consistent way to ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation—not individual users—assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifies CloudFormation service roles combined with iam:PassRole as best practice for secure, consistent infrastructure deployments.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

AWS IAM Identity Center is the recommended service for centrally managing workforce access across multiple AWS accounts within an organization. According to AWS Certified Security – Specialty documentation, Amazon Q Developer integrates natively with IAM Identity Center as an AWS managed application.

By enabling IAM Identity Center and assigning Amazon Q Developer to users or groups, the company can centrally control access using permission sets and organizational boundaries. This approach provides centralized authentication, authorization, and auditing with minimal overhead.

Amazon Cognito is intended for customer and application user authentication, not workforce access to AWS services. Identity pools are not applicable to IAM Identity Center integrations.

AWS best practices clearly recommend IAM Identity Center for workforce access to AWS-managed applications.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Integrations

Amazon Q Developer Access Management

Amazon EC2 security groups are stateful, meaning that once a connection is established, return traffic is automatically allowed, even if the inbound rule that originally permitted the connection is later removed. According to the AWS Certified Security – Specialty Official Study Guide and Amazon EC2 security documentation, existing connections are not terminated when security group rules change. This explains why the SSH session remains active even after the security group rules were modified, while new traffic such as ICMP ping is blocked.

To immediately and fully isolate an EC2 instance during an incident response scenario, AWS recommends using stateless network controls. Amazon VPC network ACLs (NACLs) are stateless, which means that every packet is evaluated against the ACL rules regardless of whether the traffic is part of an existing connection. When a deny rule is added, all traffic is immediately blocked, including active sessions.

By creating a network ACL and associating it with the subnet that contains the target instance, and by adding explicit deny rules with the lowest rule numbers for both inbound and outbound traffic, the security engineer ensures that all network communication to and from the instance is immediately interrupted. This approach satisfies the requirement to isolate the instance while preserving its runtime state and memory for forensic analysis.

Other options fail to meet the requirement because security group modifications do not terminate existing sessions, Systems Manager does not enforce network isolation, and host-level firewall changes require instance-level access and do not provide immediate, network-enforced isolation.

AWS Certified Security – Specialty Official Study Guide

Amazon EC2 Security Groups Documentation

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

AWS Config is a fully managed service that provides continuous monitoring and evaluation of AWS resource configurations against desired configuration baselines. According to the AWS Certified Security – Specialty Official Study Guide, AWS Config is the primary service used to track configuration changes, evaluate compliance in near real time, and display compliance states for individual AWS resources.

AWS Config provides managed rules that directly map to the listed Aurora MySQL security requirements, including encryption at rest, public accessibility, deletion protection, and log exports to CloudWatch Logs. These managed rules continuously evaluate resources and mark them as compliant or noncompliant whenever a configuration change occurs.

The AWS Config dashboard enables security engineers to view per-resource and per-rule compliance states at any point in time, satisfying the requirement to display compliance status for each part of the policy.

AWS Audit Manager (Option A) is designed for audit evidence collection and reporting, not continuous monitoring. AWS Security Hub (Option C) aggregates findings from other services but relies on AWS Config for configuration compliance data. Option D introduces unnecessary custom logic and does not provide a native compliance dashboard.

AWS documentation explicitly identifies AWS Config as the authoritative service for continuous compliance monitoring and visibility.

AWS Certified Security – Specialty Official Study Guide

AWS Config Developer Guide

Amazon Aurora Security Best Practices

AWS Well-Architected Framework – Security Pillar

AWS IAM Identity Center centrally manages user access across an AWS Organization. Disabling the user in Identity Center immediately revokes access to all AWS accounts. According to AWS Certified Security – Specialty documentation, organizational CloudTrail event data stores provide centralized, queryable access to all events across accounts.

Using CloudTrail Lake enables direct querying of activity without exporting logs. Disabling the user at the Identity Center level ensures full containment.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Incident Response

AWS CloudTrail Lake

AWS WAF logs capture detailed request-level information, including source IP address, request URI, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, AWS WAF logging is a critical detection control when application-level attacks are suspected, especially when host-based logs are unreliable or can be erased by attackers.

By configuring the AWS WAF web ACL to send logs to Amazon Data Firehose, the company ensures that all future requests are centrally captured and delivered to a durable storage service such as Amazon S3. Using Amazon Athena, the security team can query these logs to identify requests targeting specific application paths such as new-user-creation.php and extract the originating client IP addresses.

Option A is incorrect because VPC Flow Logs operate at the network layer and do not capture HTTP request paths. Option B is invalid because ALBs do not support CloudWatch agents. Option C is viable but introduces additional operational complexity and cost, making it less appropriate than the native WAF logging solution.

AWS documentation highlights AWS WAF logging combined with Athena as a best practice for forensic analysis and attacker identification.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena User Guide

AWS Detection and Monitoring Best Practices

AWS Organizations tag policies are designed to standardize and govern tag keys and allowed values across accounts. AWS Certified Security – Specialty documentation describes tag policies as a governance mechanism that helps enforce consistent tagging by specifying required tag keys and permitted values. To ensure every resource has the CostCenter tag at creation time, an SCP can deny create actions when aws:RequestTag/CostCenter is missing (null). This prevents resources from being created without the required tag. Tag policies then define the three approved values and can be configured to enforce or report noncompliance depending on supported services, ensuring that tag values remain within the allowed set and preventing drift to unapproved values. Compared with custom Lambda-based enforcement, this approach minimizes operational overhead and keeps enforcement within AWS native governance services. Option A partially addresses allowed values at request time but does not address ongoing governance as cleanly across many services. Option B is not preventive because Lambda runs after events and cannot reliably block all creations. Option D still relies on custom logic and is not as operationally efficient as tag policies plus SCP guardrails.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Tag Policies

AWS Organizations SCP Condition Keys for Tag Enforcement

Amazon Detective is a purpose-built AWS service designed to analyze, investigate, and visualize security data to help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security – Specialty Official Study Guide, Amazon Detective directly integrates with Amazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to automatically create behavior graphs and timelines.

When GuardDuty generates findings related to anomalous activity, Amazon Detective enables security engineers to pivot directly to an investigation focused on a specific IAM role, user, or resource. Detective automatically correlates historical activity, identifies deviations from baseline behavior, and highlights indicators of compromise, such as unusual API calls, credential misuse, or suspicious network activity.

AWS Audit Manager (Option B) is designed for compliance and audit evidence collection, not threat investigation. Amazon Inspector (Options C and D) is focused on vulnerability scanning of compute resources and does not analyze IAM behavior or GuardDuty findings.

AWS documentation explicitly states that Amazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

AWS KMS supports additional authenticated data (AAD) through the use of encryption context. According to the AWS Certified Security – Specialty documentation, encryption context is a set of key-value pairs that is cryptographically bound to the ciphertext. Any attempt to decrypt the data must include the same encryption context, or decryption will fail. This mechanism protects against ciphertext tampering and unauthorized reuse.

The kms:EncryptionContext condition key allows security engineers to enforce the use of specific encryption context values in IAM or key policies. By defining conditions that require particular encryption context attributes, access to encrypted data can be tightly controlled and bound to specific applications, environments, or workflows.

Option A does not provide integrity protection. Option B controls access but does not enforce the use of AAD. Option D restricts administrative access but does not address encryption context enforcement.

AWS documentation explicitly states that encryption context combined with policy conditions is the recommended method to implement authenticated encryption and fine-grained access control with KMS.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Encryption Context

AWS KMS Policy Condition Keys

AWS best practices strongly discourage the use of long-term credentials and recommend cross-account IAM roles with temporary credentials for third-party access. According to the AWS Certified Security – Specialty Study Guide, creating an IAM role in the resource-owning account and allowing a trusted external AWS account to assume that role is the recommended pattern for external access.

By creating the IAM role in the company’s production account and specifying the consultant agency’s AWS account as the trusted principal, the company retains full control over permissions. The trust policy can enforce MFA by using the aws:MultiFactorAuthPresent condition key, ensuring that all access requires MFA. Access is granted through AWS Security Token Service (STS), which issues short-lived credentials.

Option A violates the requirement to avoid long-term credentials. Option B is designed for application user authentication, not AWS account access. Option C incorrectly places the role in the consultant’s account, reducing the company’s control over access.

This solution satisfies MFA enforcement, eliminates long-term credentials, and aligns with AWS third-party access best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Cross-Account Access

AWS STS and MFA Enforcement