SCS-C03 AWS Certified Security – Specialty Questions and Answers

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

Option D is the correct solution because it provides fully automated, real-time detection and mitigation of application-layer (Layer 7) DDoS attacks with no manual intervention. AWS Shield Advanced includes automatic application layer DDoS mitigation when it is enabled for supported resources such as Amazon CloudFront distributions. This feature continuously monitors traffic patterns and, when an attack is detected, automatically deploys AWS WAF rules to mitigate malicious requests.

Adding a rate-based rule to the AWS WAF web ACL further strengthens protection by automatically blocking IP addresses that exceed a defined request threshold, which is a common characteristic of Layer 7 DDoS attacks. This combination aligns directly with AWS best practices for protecting web applications against volumetric and application-layer threats.

Option A only provides alerting and visibility but does not ensure automated mitigation. Option B includes proactive engagement with the AWS DDoS Response Team, which is valuable for complex or large-scale attacks but still involves human interaction and therefore does not meet the “no manual effort” requirement. Option C introduces unnecessary complexity and is not recommended for protecting CloudFront-based applications against Layer 7 DDoS attacks.

AWS Security Specialty documentation explicitly recommends AWS Shield Advanced with automatic application layer DDoS mitigation and AWS WAF rate-based rules for fully automated, real-time protection of public web applications.

Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, includingCryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security – Specialty documentation, GuardDuty findings are published as events toAmazon EventBridge(formerly Amazon CloudWatch Events).

Amazon EventBridge is the recommended service for buildingautomated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.

Option A is incorrect because GuardDuty does not directly invoke Lambda functions. Option B and Option D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. Cryptocurrency findings are security detections, not configuration changes.

AWS documentation explicitly describes this pattern—GuardDuty → EventBridge → Lambda → remediation action—as a best practice for automated threat response and containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – Findings

Amazon EventBridge User Guide

AWS Incident Response Best Practices

For encrypted RDS snapshots that must be shared across accounts and still bedecryptablein the target accounts, you should use acustomer managed KMS keyand explicitly grant cross-account use of that key. AWS-managed default keys (Option A/C) generally cannot be shared for cross-account decryption in the same flexible way as customer managed keys, and you cannot “copy” an AWS-managed key to another account. Likewise, you cannot “import” an existing KMS key into another account via Lambda as described in Option B; KMS keys are account-scoped resources and are not copied between accounts like that.

With acustomer managed key (CMK), the key policy (and/or grants) can allow principals in the DR accounts to use the key for the required cryptographic operations (for example, kms:Decrypt, kms:CreateGrant, and relevant describe permissions). Then, when the snapshot is shared and copied/used in the destination account during a DR event, the destination account can decrypt it because it has been granted permission to use the same CMK. This approach is the standard AWS pattern for cross-account encrypted snapshot sharing and meets both encryption and recoverability requirements with strong governance and auditability through CloudTrail.

The correct Config rule for finding buckets that are not usingSSE-KMS by defaultiss3-default-encryption-kms. It evaluates the bucket’s default encryption settings and flags buckets that do not have KMS default encryption enabled. The s3-bucket-ssl-requests-only rule focuses on enforcing HTTPS-only requests and does not validate encryption-at-rest settings, so it cannot satisfy the “identify not encrypted with KMS” requirement.

For preventing uploads of objects that are not encrypted with KMS, an organization-wide control is needed. AnSCPcan restrict s3:PutObject so that uploads succeed only when the request specifiesSSE-KMS(and optionally a specific KMS key). This provides broad, low-touch enforcement across many accounts and buckets. While bucket policies can also enforce SSE-KMS, managing and verifying hundreds of bucket policies is more operationally heavy than a centrally managed SCP guardrail.

Option B enforcesSSE-S3, which does not meet the requirement forKMSencryption. Option D uses the wrong Config rule and relies on an “allow-only” pattern rather than explicit deny logic, making it an unreliable fit for the stated goal. Therefore, A is the best answer.

Amazon Cognito is a fully managed identity service that providesuser authentication, authorization, and user managementfor web and mobile applications. According to AWS Certified Security – Specialty documentation, Cognito user pools are specifically designed to offload authentication responsibilities from applications while maintaining strong security controls.

By federating authentication with third-party identity providers (such as social IdPs), Cognito eliminates the need for the company to manage user passwords directly. This dramatically reduces password reset requests and customer service overhead, while also improving security throughindustry-standard authentication mechanisms, including MFA and token-based access.

Option A is insecure and incorrect because IAM access keys are not intended for end users. Option B simply relocates password storage and does not reduce operational burden. Option D uses API keys, which are not designed for user authentication and provide no identity verification.

AWS guidance clearly states thatAmazon Cognito is the recommended service for scalable, secure user authentication, especially when reducing password management complexity is a requirement.

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito User Pools Documentation

AWS IAM Security Best Practices

Option C is the best fit because Amazon GuardDuty provides managed threat detection forEKSby analyzingEKS control plane audit logs(EKS Protection) and correlating those signals withruntime telemetry(Runtime Monitoring) that includesprocess/OS activity, network connections, and file activityon the worker nodes. This directly matches the requirement to monitor EKS audit logsin addition tooperating system, networking, and file events to detect Kubernetes security risks.

GuardDuty produces securityfindingsfor suspicious Kubernetes behavior and runtime indicators (for example, unexpected API calls, anomalous container activity, or known malicious behaviors). To notify the security team, anAmazon EventBridgerule can match GuardDuty findings and forward them to anSNS topic. SNS supportsemail subscriptions, so the team’s mailing list can receive near-real-time alerts without building a custom log parsing pipeline.

Option A (Security Hub) aggregates findings and maps to controls/standards but does not itself provide the combined audit-log + runtime event detection described. Option B combines unrelated services and still requires custom processing. Option D only alarms on “new audit logs generated,” which does not detect “security risks” and does not include OS/network/file threat detections.

Amazon EC2 security groups arestateful, meaning that once a connection is established, return traffic is automatically allowed, even if the inbound rule that originally permitted the connection is later removed. According to the AWS Certified Security – Specialty Official Study Guide and Amazon EC2 security documentation,existing connections are not terminated when security group rules change. This explains why the SSH session remains active even after the security group rules were modified, while new traffic such as ICMP ping is blocked.

To immediately and fully isolate an EC2 instance during an incident response scenario, AWS recommends usingstateless network controls. Amazon VPC network ACLs (NACLs) arestateless, which means that every packet is evaluated against the ACL rules regardless of whether the traffic is part of an existing connection. When a deny rule is added,all traffic is immediately blocked, including active sessions.

By creating a network ACL and associating it with the subnet that contains the target instance, and by adding explicit deny rules with the lowest rule numbers for both inbound and outbound traffic, the security engineer ensures thatall network communication to and from the instance is immediately interrupted. This approach satisfies the requirement to isolate the instance while preserving its runtime state and memory for forensic analysis.

Other options fail to meet the requirement because security group modifications do not terminate existing sessions, Systems Manager does not enforce network isolation, and host-level firewall changes require instance-level access and do not provide immediate, network-enforced isolation.

AWS Certified Security – Specialty Official Study Guide

Amazon EC2 Security Groups Documentation

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

The requirement includesremediating existing noncompliant bucketsand also handlingfuture noncompliant bucketsacross multiple accounts and Regions. Anorganization-wide AWS Config aggregatorprovides centralized visibility into compliance status across all member accounts/Regions. To remediate, AWS Config can trigger automation (commonly via EventBridge/SNS) that invokes anAWS Lambda function(or SSM Automation) to take corrective action—such as enabling default encryption, blocking public access, or applying required bucket policies—whenever a bucket is evaluated as noncompliant. This addresses both existing findings (by running remediation on current noncompliant resources) and new ones (by automatically reacting when new buckets appear or configurations drift).

Options C and D are insufficient because they scope only to “accounts and Regions the company currently uses,” which fails the multi-Region/multi-account organization requirement and would miss future expansion. Option B helps prevent creation of new noncompliant resources but does not remediate existing buckets, which is explicitly required. Therefore, the combination of an org-wide aggregator plus automated remediation on Config noncompliance is the best fit.

AWS CloudFormationdynamic referencesprovide a secure mechanism for retrieving sensitive values from AWS Secrets Manager at stack creation or update time. According to the AWS Certified Security – Specialty documentation, dynamic references ensure that sensitive data such as database credentials arenever stored in plaintextin CloudFormation templates, parameters, stack metadata, or logs.

When a dynamic reference to Secrets Manager is used, CloudFormation retrieves the secret value at runtime and passes it securely to the resource that requires it. The secret value is not exposed to users who view the template, stack, or change sets.

Option B is insecure because parameters can be exposed through the CloudFormation console and APIs. Option C is incorrect because SecureString parameters are a feature of AWS Systems Manager Parameter Store, not Secrets Manager. Option D is invalid because KMS encrypts data but does not store secrets or manage secret rotation.

AWS best practices clearly state thatCloudFormation dynamic references to Secrets Managerare the recommended solution for securely handling sensitive configuration values.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Security Best Practices

AWS Secrets Manager Documentation

In AWS IAM Identity Center (formerly AWS Single Sign-On), users and groups do not automatically gain access to all accounts in an AWS Organization simply because the accounts exist. Access is explicitly granted by assigning aprincipal(user or group) to a specific AWS account along with apermission set. Permission sets define the IAM policies that are provisioned into the target account as IAM roles.

In this scenario, employees in theCloudActive Directory group can access nearly all AWS accounts, which confirms that AD Connector synchronization is functioning correctly, eliminating option B. The fact that Account A exists but is inaccessible strongly indicates that the required account assignment is missing. Without explicitly assigning the Cloud group to Account A with a valid permission set, IAM Identity Center will not provision the necessary IAM role, and users will not see or access the account in the AWS access portal.

Option A is incorrect because accounts do not need to be placed in an OU to be accessible through IAM Identity Center. Option D is incorrect because IAM permissions boundaries do not control access to entire accounts and are not applied at the account level to block IAM Identity Center access.

AWS Security Specialty documentation emphasizes thataccount assignments are mandatoryfor IAM Identity Center access, making option C the correct answer.

AWS CloudTrail is theauthoritative source for identity-related activityacross an AWS Organization. According to the AWS Certified Security – Specialty Official Study Guide, CloudTrail recordsall AWS API calls and authentication events, including federated sign-ins that occur through AWS IAM Identity Center with an external SAML identity provider.

When IAM Identity Center is used,successful federated login events are logged in CloudTrailas ConsoleLogin and AssumeRoleWithSAML events. These events are recorded in theorganization’s management accountwhen CloudTrail is configured as an organization trail. This allows security teams to centrally search and correlate authentication activity across all member accounts.

Option A is incorrect because CloudWatch Logs do not natively aggregate authentication events across an organization unless custom pipelines are built. Option B is not scalable and does not provide historical, organization-wide visibility. Option C is invalid because AWS does not ingest external IdP logs into EventBridge automatically, and IdP logs do not reflect AWS-side role assumptions.

AWS documentation explicitly states thatCloudTrail organization trails provide centralized visibility into user authentication and access activity across all accounts, making this the fastest and most reliable way to identify when a user logged in during a specific time window.

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail User Guide

AWS IAM Identity Center Documentation

AWS Organizations Best Practices

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

Amazon CloudFront includes a built-in geo restriction feature that allows content to be allowed or denied based on the viewer’s country. According to AWS Certified Security – Specialty documentation, CloudFront geo restriction is the most cost-effective method for country-based blocking because it does not require AWS WAF or additional rule processing.

AWS WAF geo match rules incur additional cost and are more appropriate when advanced inspection or layered security controls are required. IP-based blocking is impractical due to frequent IP changes. Geolocation headers do not enforce access control.

CloudFront geo restriction is evaluated at the edge and efficiently blocks disallowed countries with minimal latency and cost.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Geo Restriction

AWS Edge Security Best Practices

To enforce encryption in transit to Aurora, you must require clients to useTLS/SSLwhen connecting to the database. Aurora (depending on engine flavor) supports a parameter that enforces secure transport by rejecting non-TLS connections. Setting the DB (cluster/instance) parameter such asrequire_secure_transporttoONforces clients to negotiate SSL/TLS; otherwise the server refuses the connection, ensuring all data in transit is encrypted. This directly enforces the compliance requirement at the database endpoint itself, independent of client behavior.

Kerberos authentication (Option B) provides centralized authentication and can be useful for IAM/AD integration, but it does not by itself guarantee that the network session is encrypted. Option C is incorrect because Aurora/RDS usesRDS-provided certificatesfor TLS; you don’t attach ACM certificates to Aurora the way you would for ALB/CloudFront. Option D is not the right enforcement mechanism: RDS Proxy can help with connection pooling and IAM auth patterns, but it does not inherently force all client-to-proxy or proxy-to-db connections to be encrypted in the way a DB parameter enforcement does (and you’d still need to ensure clients use TLS). Therefore, enabling the parameter that requires secure transport is the correct solution.

AWS Organizations tag policies are designed to standardize and govern tag keys and allowed values across accounts. AWS Certified Security – Specialty documentation describes tag policies as a governance mechanism that helps enforce consistent tagging by specifying required tag keys and permitted values. To ensure every resource has the CostCenter tag at creation time, an SCP can deny create actions when aws:RequestTag/CostCenter is missing (null). This prevents resources from being created without the required tag. Tag policies then define the three approved values and can be configured to enforce or report noncompliance depending on supported services, ensuring that tag values remain within the allowed set and preventing drift to unapproved values. Compared with custom Lambda-based enforcement, this approach minimizes operational overhead and keeps enforcement within AWS native governance services. Option A partially addresses allowed values at request time but does not address ongoing governance as cleanly across many services. Option B is not preventive because Lambda runs after events and cannot reliably block all creations. Option D still relies on custom logic and is not as operationally efficient as tag policies plus SCP guardrails.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Tag Policies

AWS Organizations SCP Condition Keys for Tag Enforcement

To restrict activity to a single Region in an OU using an SCP, the standard pattern is an explicitDenyfor requests madeoutsidethe allowed Region, while carving out exceptions forglobal servicesthat do not use aws:RequestedRegion in the same way (or that must remain usable regardless of Region). This is done withEffect: Deny, aConditionusing StringNotEquals on aws:RequestedRegion for the allowed Region (here, eu-west-1), andNotActionlisting the global services that should remain available.

This works because SCPs act asguardrails: an explicit Deny in an SCP overrides IAM Allow in member accounts, ensuring the restriction applies consistently to all existing and future accounts placed in the OU. The StringNotEquals condition ensures the deny triggers for any Region other than eu-west-1. The NotAction exception list ensures that the specified global services are not blocked by this deny statement.

Option A is wrong because StringEquals would deny actionsineu-west-1 rather than outside it. Options B and D useAllowstatements, which do not enforce “only this Region” safely in SCPs unless combined with a comprehensive deny strategy; they would not reliably restrict all other services/regions. Therefore, option C is the correct SCP structure.

An RPO of1 hourmeans the company must be able to restore data with at most60 minutes of loss. Option A directly meets this by usingAWS Backupto takehourly backupsof both the compute layer (EC2) and the data layer (S3). AWS Backup provides centralized policy-based scheduling, retention, and (when configured) immutable protections such as Backup Vault Lock to help defend backups from tampering—important in ransomware recovery scenarios. Backing up the S3 buckets hourly also addresses recovery of critical objects such as images and music that users rely on.

In addition, recovery to “normal operations” is not only about data restoration; it also requires rapidly re-creating infrastructure reliably. UsingAWS CloudFormation templatesstored in aversion-controlled Git repositorysupports consistent, repeatable rebuilds of the ALB, EC2 fleet configuration, IAM roles, security groups, and related components. This infrastructure-as-code approach reduces human error under incident pressure and accelerates disaster recovery execution.

Option B fails the RPO because daily backups can lose up to 24 hours of data. Option C focuses on logging/governance rather than backups and does not establish a 1-hour recovery point. Option D also fails the RPO (4-hour snapshots) and is reactive to a specific finding type rather than a comprehensive DR plan for EC2 and S3.

Amazon Macie’sautomated sensitive data discoveryis designed for exactly this: at scale, Macie continuously evaluates andsamplesobjects across S3 buckets to identify where sensitive data (PII, financial data, credentials, etc.) is likely present. This gives the security engineer a low-touch way toidentify which buckets contain sensitive datawithout having to orchestrate per-bucket scanning workflows. Once Macie flags buckets with sensitive data findings, the engineer can then prioritize and runadditional, more targeted scanning(for example, deeper classification jobs on those specific buckets) rather than scanning everything exhaustively all the time.

The other options increase operational burden significantly. CRR to another Region (A) doubles storage/transfer complexity and is not needed for discovery. An event-driven Lambda scan per object (B) is expensive and complex at high object volumes and is not how Macie classification is intended to be orchestrated. Aggregating results into DynamoDB (D) adds an extra system to maintain when Macie already provides centralized findings, dashboards, and integrations.

Therefore, enabling Macie automated discovery and then performing deeper scans only on buckets where Macie detects sensitive data provides the least administrative overhead.

When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record theCloudFront edge location IP addressesas the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security – Specialty Study Guide and the AWS WAF and CloudFront integration documentation.

To preserve the original client IP address, CloudFront automatically adds theX-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.

Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs. Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF. Option D is unnecessary and unsupported as a requirement because CloudFront already provides the required information through standard headers.

AWS documentation consistently states thatX-Forwarded-Foris the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Logging

Amazon CloudFront Developer Guide – Request Headers

AWS WAF provides managed and custom rules that can immediately mitigate common web exploits such as SQL injection without modifying application code. According to AWS Certified Security – Specialty documentation, placing AWS WAF in front of an Application Load Balancer is a recommended rapid-response control for legacy applications with known vulnerabilities.

Creating an ALB in front of the existing EC2 instances allows seamless traffic migration. AWS WAF SQL injection rules can be deployed and tested without downtime. Updating Route 53 to point to the ALB preserves normal operations. Restricting EC2 security groups afterward prevents bypassing the WAF.

Option B introduces CloudFront changes and single-origin testing, increasing complexity. Option C cannot be completed within 24 hours and risks downtime. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Web ACL Architecture

AWS Application Load Balancer Security

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near–real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near–real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

AWS Service Catalog is designed to allow organizations to create and manageapproved sets of CloudFormation templates, known as products, and make them available to specific accounts or organizational units (OUs). According to the AWS Certified Security – Specialty Study Guide, Service Catalog is thepreferred governance mechanismfor enforcing standardized infrastructure deployments while maintaining strong access controls.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved CloudFormation template. This guarantees that third-party developers can deploy infrastructureonly in accordance with the company’s predefined deployment plan, without modifying or directly accessing the template itself.

Option B and D use CloudFormation modules, which are intended for reusable resource definitions but do not provide the same level ofdeployment governance, access control, and lifecycle managementas Service Catalog. Option C introduces unnecessary cross-account IAM roles, increasing the attack surface and operational complexity, which violates the “most secure” requirement.

AWS documentation explicitly states thatService Catalog is the recommended service for distributing standardized CloudFormation templates across AWS Organizations, while controlling who can deploy them and where.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS Well-Architected Framework – Security Pillar

AWS incident response best practices emphasize rapid containment to prevent further data exposure. According to the AWS Certified Security – Specialty Study Guide, the fastest and least disruptive containment method for compromised compute resources is to immediately revoke credentials and permissions rather than modifying data or infrastructure.

Revoking the IAM role’s active sessions prevents the EC2 instance from continuing to access AWS services. Updating the S3 bucket policy to explicitly deny access to the IAM role ensures immediate enforcement, even if temporary credentials remain cached. Removing the IAM role from the instance profile further prevents new credentials from being issued.

Option A and D involve large-scale data movement or re-encryption, which is time-consuming and operationally expensive. Option B relies on network-level controls that do not prevent access through private AWS endpoints.

AWS guidance explicitly recommends credential revocation and policy-based denial as the fastest containment step during active incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

AWS IAM Role Session Management

AWS Health providesreal-time visibility into events that affect AWS accounts, including abuse notifications such asAWS_ABUSE_DOS_REPORT. According to the AWS Certified Security – Specialty Study Guide, AWS Health events are natively integrated withAmazon EventBridge, enabling automated, near-real-time responses without polling or custom code.

By creating an EventBridge rule that listens for AWS Health events related to abuse reports and configuring the rule to publish messages to an SNS topic, the security engineer ensures immediate notification to the security team whenever AWS issues a DoS-related abuse report for the account.

Option A and C rely on periodic polling using Lambda functions, which introduces latency and operational complexity. Option D is incorrect because CloudTrail does not log AWS abuse notifications.

AWS documentation explicitly identifiesAWS Health + EventBridge + SNSas the recommended architecture for near-real-time operational and security alerts originating from AWS.

AWS Certified Security – Specialty Official Study Guide

AWS Health User Guide

Amazon EventBridge Documentation

AWS Incident Response Best Practices

To minimize downtime during future DDoS events, the company should use services that provideactive DDoS protection and rapid mitigationat scale.AWS Shield Advanced(Option B) is designed for enhanced DDoS protection for internet-facing applications. It provides expanded detection and mitigation capabilities, cost protection in certain cases, and—critically—access to theAWS DDoS Response Team (DRT)through AWS Support so the company can engage experts during an attack to reduce impact and restore availability faster.

In addition,AWS WAF(Option E) helps mitigateapplication-layer (Layer 7)attacks that often accompany DDoS events (such as HTTP floods, bot-driven abuse, and known exploit patterns). WAF can block or challenge suspicious requests, apply rate-based controls, and use managed rule groups to reduce malicious traffic before it reaches the origin, improving resilience and availability.

Option A is incorrect because GuardDuty is a detection service; it does not automatically block traffic. Option C (Flow Logs + Lambda + SG blocks) is slow and brittle for DDoS because attackers are often distributed across many IPs and can change rapidly; security group updates are not an effective DDoS mitigation strategy. Option D is more about configuration governance and remediation, not real-time DDoS traffic mitigation.

The most secure and AWS-recommended pattern for cross-account access is to create anIAM role in the target account (production)and allow trusted principals from the source account (developer) toassume the roleby using AWS STS. This avoids long-term credentials in the production account, supports short-lived session credentials, and enables strong controls such as MFA requirements, session duration limits, and precise least-privilege permissions attached to the role. It also centralizes ownership of production permissions in the production account, which is important for separation of duties and governance.

Option A is insecure because it requires password sharing and uses a long-lived IAM user credential, which is against AWS best practices. Option C is also poor because it relies on a long-lived IAM user in the production account and encourages credential sharing/duplication. Option B places the role in the developer account; while you can attach permissions there, access to production resources is governed by the production account. The standard approach is a production-account role with a trust policy that names the developer account principals (or a role) as allowed to assume it. Therefore, Option D is the most secure solution.

To achieve true separation of duties, the company needs a design whereS3 access alone is not sufficientto read plaintext data.SSE-KMS with a customer managed KMS keyprovides that separation because successful object reads require both: (1) S3 permissions to read the object and (2) permission to use the KMS key to decrypt it. This enables the operations team to manage bucket and object permissions while the security team independently controls key usage through theKMS key policy(and grants). If either team misconfigures only their part, the data is still protected: an overly permissive bucket policy won’t expose plaintext unless KMS decrypt is also allowed; similarly, KMS permissions alone are not sufficient without S3 read access.

Option B also adds a bucket policy requirement enforcingSSE-KMSso objects are consistently protected with the customer managed key. SSE-S3 options (A and C) do not provide the same separation because S3 manages the keys and decryption is not independently controlled by a separate team via KMS policies. Option D is invalid because SSE-C uses customer-provided keys that are supplied with each request and are not stored/managed in KMS as described. Therefore, SSE-KMS with customer managed keys plus restrictive key policy is the correct solution.

In a properly segmented VPC architecture,public subnets route internet-bound traffic to an internet gateway, whileprivate subnets route outbound internet traffic through a NAT gatewaythat resides in a public subnet. According to the AWS Certified Security – Specialty Official Study Guide and Amazon VPC documentation, private subnets must never have a direct route to an internet gateway.

The issue described indicates that private subnets are incorrectly routing traffic directly to the internet gateway. To remediate this, aNAT gateway must be provisioned in each public subnetto ensure high availability across Availability Zones. This satisfies the requirement that private resources can initiate outbound connections without being directly reachable from the internet.

Next, the route tables associated with theprivate subnets must be updatedso that the default route (0.0.0.0/0) points to the NAT gateway in the same Availability Zone. This ensures proper traffic flow and prevents cross-AZ dependencies.

Option B is incorrect because NAT gateways must reside in public subnets. Option C is unnecessary because local routes to the VPC CIDR range are automatically created. Option E is explicitly insecure, as it would reintroduce direct internet gateway access from private subnets.

AWS documentation consistently identifiesNAT gateways plus correct private subnet routingas the standard design for secure VPC segmentation.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Route Table Documentation

AWS Well-Architected Framework – Security Pillar

AWS Config provides managed rules that continuously evaluate resource configurations against compliance requirements. The AWS Certified Security – Specialty documentation highlights AWS Config managed rules as the preferred mechanism for enforcing configuration compliance at scale. The managed rule for encrypted RDS storage automatically detects DB instances and clusters that are created without encryption enabled.

By configuring automatic remediation, AWS Config can immediately invoke corrective actions without manual intervention. Integrating remediation with an Amazon SNS topic enables automated email notifications, while an AWS Lambda function can terminate the noncompliant resource. This creates a fully automated detect-alert-remediate workflow.

Option B requires manual remediation, which increases operational effort and delays enforcement. Options C and D rely on Amazon EventBridge, which evaluates events rather than configuration state and does not provide continuous compliance monitoring. AWS Config is explicitly designed for configuration compliance and governance use cases.

This solution aligns with AWS governance best practices by combining continuous monitoring, automated remediation, and centralized alerting with minimal operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules

AWS Config Automatic Remediation

In an Auto Scaling group, instances are ephemeral—local disks and instance-level log files can disappear during scale-in or replacement. The most durable, operationally simple pattern is tostream logs off-host continuouslyto a managed log service. Installing and configuring theCloudWatch agent(or unified agent) to ship application logs toAmazon CloudWatch Logsensures logs are centralized and remain available regardless of instance lifecycle events. This directly solves the “logs lost after scale-in” problem and provides high availability for audit and investigation.

CloudWatch Logs also supports retention controls. The security engineer can set the log group retention toat least 1 year(or longer), meeting the audit requirement without building custom storage workflows. Access can be controlled with IAM to restrict who can view or export logs, and CloudWatch logs can be further integrated with Athena/OpenSearch/SIEM tools if needed.

Option A adds complexity and still ties durability to managing volumes across instance churn, with operational risk and scaling challenges. Option B requires daily copy jobs and can still lose logs between copy intervals; it also adds shared filesystem management overhead. Option D is manual and does not ensure durability, and it introduces operational friction during scale-in. Therefore, centralized log shipping to CloudWatch Logs is the best recommendation.

AWS WAF rate-based rules are designed specifically to track the number of requests from a single IP address over a configurable time window. According to AWS Certified Security – Specialty guidance, rate-based rules integrate natively with CloudFront and emit CloudWatch metrics that can trigger alarms.

CloudFront logs and VPC Flow Logs are not real-time detection tools. ASN match rules do not count request rates.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Rate-Based Rules

CloudFront and AWS WAF Integration

AWS WAF logs capturedetailed request-level information, including source IP address, request URI, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, AWS WAF logging is acritical detection controlwhen application-level attacks are suspected, especially when host-based logs are unreliable or can be erased by attackers.

By configuring the AWS WAF web ACL to send logs toAmazon Data Firehose, the company ensures that all future requests are centrally captured and delivered to a durable storage service such as Amazon S3. UsingAmazon Athena, the security team can query these logs to identify requests targeting specific application paths such as new-user-creation.php and extract the originating client IP addresses.

Option A is incorrect because VPC Flow Logs operate at the network layer and do not capture HTTP request paths. Option B is invalid because ALBs do not support CloudWatch agents. Option C is viable but introduces additional operational complexity and cost, making it less appropriate than the native WAF logging solution.

AWS documentation highlightsAWS WAF logging combined with Athenaas a best practice for forensic analysis and attacker identification.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena User Guide

AWS Detection and Monitoring Best Practices

To performcustom validation at sign-upand explicitlyaccept or denyregistrations, Amazon Cognito providesLambda triggers. APre sign-up triggerruns synchronously during the sign-up flow (including the Hosted UI) and can implement custom checks (for example, IP reputation checks, email/domain validation, velocity checks, allow/deny lists, or geo checks using an external service). Based on the trigger logic, the function can allow the sign-up to proceed or reject it, meeting the “custom validation” and “accept/deny” requirement directly.

Because the observed fraud largely originatesoutside France, adding a front-door geographic control reduces unwanted traffic before it reaches Cognito.AWS WAFsupportsGeo matchconditions in a web ACL to allow/deny requests by country, which is a common mitigation for region-scoped applications. Associating a WAF web ACL to protect the Hosted UI endpoint helps block sign-up requests from non-French locations early, reducing fraud attempts and load.

The other options do not meet the requirement: Cognito user pools do not provide a native “geographic restriction setting” for sign-up (D), app client ID validation does not stop fraudulent sign-ups (C), and using a social IdP does not provide custom accept/deny validation for all sign-ups (E).

AWS Lambda automatically sends function execution logs to Amazon CloudWatch Logs when logging is enabled in the function code. However, this logging capability depends on the Lambda execution role having the appropriate permissions. According to the AWS Certified Security – Specialty Study Guide, the execution role must include permissions such as logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.

If these permissions are missing, Lambda cannot create log groups or streams, and no execution logs will appear in CloudWatch Logs—even though the function was successfully invoked. This is the most common reason Lambda logs are unavailable during forensic investigations.

Option B is incorrect because Lambda logs are stored in CloudWatch Logs regardless of whether the invocation source is API Gateway, EventBridge, or another AWS service. Option C is incorrect because CloudWatch Logs does not require direct S3 permissions from the Lambda execution role. Option D is irrelevant because Lambda versions do not affect logging behavior.

AWS documentation emphasizes verifying execution role permissions as a first step when Lambda logs are missing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Lambda Execution Roles

Amazon CloudWatch Logs Integration with Lambda

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

AmazonMacieis the AWS service purpose-built todiscover and classify sensitive data in S3(PII, financial data, credentials, etc.) and produce findings that can be aggregated centrally. In a multi-account organization, the recommended centralized model is to designate adelegated administrator accountfor Macie so the security team can manage discovery across member accounts from one place.

To make the findings visible from a single location and integrate them with broader security visibility,AWS Security Hubprovides centralized aggregation of security findings across accounts and services. By also configuring the security account as thedelegated administrator for Security Hub, the company can aggregate findings across the organization. Macie integrates with Security Hub so that sensitive data discovery findings flow into Security Hub’s centralized view, giving the security team a single console and API surface to build an “inventory” of sensitive data locations and severity.

Inspector (options B and C) is focused on vulnerability management (EC2, ECR, and related scanning use cases), not sensitive data classification in S3. Trusted Advisor is not the primary destination for sensitive data discovery findings at organizational scale. Therefore, Macie + Security Hub with delegated administration in the security account is the correct solution.

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security – Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP’s SAML assertions.

By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication timing issues.

AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center SAML Federation

AWS Identity Federation Best Practices

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

Amazon Inspector is the AWS service designed specifically for vulnerability management across compute workloads, including Amazon ECR container images and AWS Lambda functions. According to the AWS Certified Security – Specialty documentation, Amazon Inspector provides automated vulnerability assessments for container images stored in ECR by performing enhanced image scanning that identifies common vulnerabilities and exposures (CVEs) in operating systems and application dependencies.

Inspector also supports Lambda code scanning to analyze function packages and container-based Lambda images for known software vulnerabilities. Findings include severity ratings and remediation guidance, allowing security teams to identify and prioritize risks efficiently.

Amazon GuardDuty focuses on threat detection using behavioral analysis and does not perform static vulnerability scanning of container images or Lambda code. AWS Security Hub aggregates findings from other services but does not perform scanning itself.

AWS best practices recommend Amazon Inspector for vulnerability detection in container images and serverless workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector for ECR and Lambda

AWS Vulnerability Management Best Practices

Amazon CloudFront includes a native geo restriction (geoblocking) capability that allows content owners to control access to their distributions based on the geographic location of the viewer. The viewer’s country is determined using the IP address from which the request originates. According to the AWS Certified Security – Specialty Official Study Guide and the Amazon CloudFront Developer Guide, geo restriction is specifically designed for scenarios where organizations must comply with regional regulations, licensing requirements, or data sovereignty policies.

From a cost perspective, CloudFront geo restriction is the most cost-effective solution because it is configured directly within the CloudFront distribution and does not require AWS WAF. AWS WAF introduces additional costs for web ACLs, rules, and request processing, which is unnecessary when the requirement is limited strictly to blocking or allowing access based on country.

Option A is incorrect because maintaining IP ranges for entire countries is operationally complex, error-prone, and not scalable. Country-level IP ranges frequently change, making this approach unsuitable and inefficient. Option B, although technically valid, is not the most cost-effective choice because AWS WAF geo match rules incur additional charges and are intended for advanced Layer 7 security controls such as application-layer attacks. Option D is incorrect because geolocation headers provided by CloudFront are informational only and cannot independently enforce access control decisions.

AWS documentation explicitly recommends CloudFront geo restriction when the sole requirement is country-based access control, reserving AWS WAF for advanced security inspection and threat mitigation use cases.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Developer Guide – Geo Restriction

AWS Well-Architected Framework – Security Pillar

AWS Security Best Practices Documentation

AWS Organizations and CloudFormation StackSets provide an organizational deployment mechanism for consistent infrastructure across accounts. AWS Certified Security – Specialty guidance emphasizes minimizing use of the management account and using delegated administrator capabilities where available for centralized governance while reducing blast radius. By configuring a delegated administrator account for AWS CloudFormation, the company can create and manage StackSets without performing day-to-day deployment operations from the management account. Targeting the organization root ensures the StackSet deploys to all existing accounts. Enabling automatic deployment ensures that any future accounts that join the organization (or move into targeted OUs, depending on configuration) automatically receive the monitoring service without manual intervention. This directly meets the requirement to deploy to all existing and future accounts with minimal effort. Option A requires ongoing manual updates when accounts are added, increasing operational overhead. Options C and D rely on Systems Manager Automation, which can work but introduces additional operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared to StackSets with auto-deployment. StackSets also provide consistent change control, drift detection, and centralized update mechanisms, which align with governance expectations for compliance tooling.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Delegated Administration

AWS CloudFormation StackSets for Multi-Account Governance

The requirement is twofold:cross-Region replicationfor disaster recovery andimmutabilityso that even administrators cannot permanently delete data in the secondary Region. The S3-native feature designed to prevent deletion (including version deletion) for a defined retention period isS3 Object Lock. When Object Lock is configured incompliance mode,no user, including the root user and administrators, can remove Object Lock protections or permanently delete protected object versions before retention expires. This meets the “admins cannot permanently delete” requirement far better than policy-based controls.

To replicate the data for DR, the company can configureS3 replicationfrom the primary Region bucket to a bucket in the secondary Region. With Object Lock in place (and the destination bucket appropriately configured to support Object Lock and versioning), replicated objects can be retained immutably, providing a strongly protected copy for recovery.

Option D (versioning alone) prevents accidental overwrites but does not stop an admin from deleting all versions. Option C only blocks replication deletes; it does not prevent an admin from deleting objects directly in the secondary bucket. Option A uses AWS Backup vault lock ingovernancemode, which still allows privileged users with special permissions to override retention; it also creates backups rather than true object-level replication. Therefore, Object Lock in compliance mode combined with replication is the best match.

Network ACLs arestatelessand are evaluated in order based on rule number, with lower rule numbers taking precedence. According to AWS Certified Security – Specialty incident response guidance, network ACLs can be used toimmediately block traffic at the subnet levelwithout restarting instances or modifying their runtime state.

By adding a deny rule with alower priority number (10)that explicitly denies TCP traffic on port 22 from the offending IP address (10.0.1.5), the unauthorized SSH session is immediately interrupted. This approach satisfies the requirement to keep the instance running and to preserve memory for forensic analysis.

Option A violates the requirement because restarting the instance clears memory. Option C would disrupt all legitimate SSH access, not just the unauthorized session. Option D would block all internet access and could cause widespread service disruption.

AWS documentation emphasizes usingnetwork ACL deny rules for rapid, targeted containmentwhen immediate interruption is required without altering instance state.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

AWS IAM Identity Center delegated administration requires foundational configuration to be completed in the organization’s management account before delegation. According to the AWS Certified Security – Specialty documentation, IAM Identity Center must be enabled with a directory in the management account before any delegation can occur.

Permission sets must be created in the management account because they define the permissions that will later be delegated to member accounts. Additionally, user assignments must initially exist in the management account to establish baseline access control before delegation is configured.

Option A is too generic and not a required prerequisite step. Option C is unrelated to Identity Center delegation. Option E is incorrect because IAM Identity Center uses identities from its directory or external IdPs, not IAM users.

AWS guidance clearly outlines directory creation, permission set definition, and initial user assignments as mandatory preparatory steps for delegated administration.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Delegated Administration

AWS Organizations and Identity Center Integration

The most efficient approach is to useAWS Configbecause Config is designed for continuous compliance evaluation and can automatically triggermanaged remediationwhen a resource drifts from the desired state. A managed Config rule that detects when CloudTrail is not logging, combined with theAWS-EnableCloudTrailremediation action, provides an automated way to re-enable CloudTrail without building and maintaining custom event processing code. This is especially valuable in multi-Region environments because Config can evaluate configurations across Regions and enforce the intended posture consistently.

Option B is illogical: triggering on StartLogging does not help when CloudTrail is turned off. Option C is not as operationally efficient because CloudWatch alarms are not the standard mechanism for reacting to CloudTrail API events; EventBridge is the proper event bus for API call events, but you would still be writing and maintaining Lambda logic and multi-Region plumbing. Option D is manual and delayed, not automated remediation.

Therefore, AWS Config with a managed rule and the AWS-provided remediation to enable CloudTrail is the most maintainable and efficient solution.

AWS WAF rate-based rules are designed to help protect applications and resources fromtraffic floods and application-layer DDoS attacksby tracking the number of requests from individual source IP addresses over a rolling time window. According to the AWS Certified Security – Specialty Official Study Guide and AWS WAF documentation, rate-based rules can be configured with different actions, includingCount,Block, andAllow.

When a security engineer is determining an appropriate rate limit that will not block legitimate traffic, AWS best practices recommend initially configuring the rate-based rule with theCountaction. The Count action allows AWS WAF tomonitor and log requests that exceed the specified rate threshold without actively blocking them. This provides visibility into traffic patterns and enables the security engineer to analyze how the rule would behave in production.

By using the Count action, the security engineer can safely evaluate whether legitimate users would be affected by the chosen rate limit. Once the engineer is confident that the threshold accurately distinguishes between normal traffic and malicious behavior, the action can later be changed to Block.

Option B is incorrect because immediately blocking traffic without validation risks denying service to legitimate users. Option C is invalid because AWS WAF does not have a Monitor action. Option D is incorrect because the Allow action does not enforce rate limiting.

AWS documentation explicitly recommendsstarting rate-based rules in Count modeto fine-tune thresholds before enforcing blocks, especially for DDoS protection scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices

AWS Firewall Manager applies and enforces AWS WAF protections based on thepolicy scopeyou define. In this scenario, the policy is explicitly scoped toonlythose resources that have the tag keyWAF-protectedwith a value oftrue. If the API Gateway REST API does not have that exact tag (correct key, correct value, correct spelling/case), Firewall Manager will treat the resource asout of scope. Out-of-scope resources are not evaluated for compliance and are not remediated, so the expected automatic association of the web ACL will never occur.

This is the most common reason for “nothing happens” when Firewall Manager is configured with tag-based scoping: the resource is missing the tag, the value is different (for example “True” vs “true”), or the tag was applied to a different resource than the one Firewall Manager evaluates.

Option A is incorrect because AWS WAF web ACLscanprotect API Gateway REST APIs (regional). Option C is not a blocker because a web ACL can generally be associated with multiple resources (within the supported scope). Option D is irrelevant to preventing association here; CloudFront uses a global scope and does not inherently block regional associations.

AWS incident response best practices emphasize isolating compromised resources rather than immediately terminating them. According to AWS Certified Security – Specialty documentation, removing an instance from an Auto Scaling group prevents replacement loops, while applying a restrictive security group isolates the instance for forensic analysis.

Using Amazon EventBridge to trigger an AWS Lambda function enables automated, consistent responses to GuardDuty findings. This approach minimizes disruption to the application because healthy instances continue serving traffic while the affected instance is isolated.

Disabling credentials or modifying network ACLs can have broader impact on unrelated workloads. SNS notifications alone do not provide response automation.

AWS recommends isolate-and-investigate patterns for EC2 incident response.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Automated Responses

AWS Incident Response Playbooks

Toenforcerequired tagging and approved values at scale, the strongest guardrail is anSCPbecause SCPs can prevent API calls across accounts/OUs before resources are created or tags are changed. By using the aws:RequestTag/CostCenter condition key and checking that the value is one of the approved values, an SCP candeny Create (and TagResource/UntagResource where supported)* when the request attempts to set a non-approved value. This prevents “bad” CostCenter values from being introduced.

AWS Config (including custom policy rules with CloudFormation Guard) is excellent fordetectingnoncompliance and reporting, but on its own it is not a hard preventative control. Pairing Config rule evaluation with an SCP guardrail gives both visibility and prevention. Option A is the only option that explicitly combines an enforceable preventive control (SCP deny based on aws:RequestTag/CostCenter) with compliance evaluation logic.

Option B cannot “block creation” reliably because EventBridge/Lambda isafter-the-fact; by the time the function runs, the resource is already created. Option C relies on tag policies enforcement semantics; tag policies primarilystandardize and reporttag usage, and the provided SCP in C only checks for null/missing values, not for non-approved values or for preventing later changes. Option D is also reactive and not a guaranteed preventative control.