Amazon Web Services SCS-C03 Dumps

In a properly segmented VPC architecture,public subnets route internet-bound traffic to an internet gateway, whileprivate subnets route outbound internet traffic through a NAT gatewaythat resides in a public subnet. According to the AWS Certified Security – Specialty Official Study Guide and Amazon VPC documentation, private subnets must never have a direct route to an internet gateway.

The issue described indicates that private subnets are incorrectly routing traffic directly to the internet gateway. To remediate this, aNAT gateway must be provisioned in each public subnetto ensure high availability across Availability Zones. This satisfies the requirement that private resources can initiate outbound connections without being directly reachable from the internet.

Next, the route tables associated with theprivate subnets must be updatedso that the default route (0.0.0.0/0) points to the NAT gateway in the same Availability Zone. This ensures proper traffic flow and prevents cross-AZ dependencies.

Option B is incorrect because NAT gateways must reside in public subnets. Option C is unnecessary because local routes to the VPC CIDR range are automatically created. Option E is explicitly insecure, as it would reintroduce direct internet gateway access from private subnets.

AWS documentation consistently identifiesNAT gateways plus correct private subnet routingas the standard design for secure VPC segmentation.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Route Table Documentation

AWS Well-Architected Framework – Security Pillar

AWS KMS keys are strictly regional resources. According to AWS Certified Security – Specialty documentation, a KMS key created in one Region cannot be used to encrypt or decrypt data in another Region. This includes encrypted RDS and Aurora snapshots.

When copying an encrypted snapshot to a different Region, the destination Region must have its own KMS key. AWS automatically re-encrypts the snapshot using the specified KMS key in the destination Region during the copy operation.

Options C and D are invalid because IAM policies cannot extend a KMS key’s scope across Regions. Option A is incorrect because Secrets Manager does not store or manage KMS keys themselves.

AWS best practices require creating a new customer managed key in the target Region and using it during the snapshot copy process.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Key Limitations

Amazon RDS Encrypted Snapshot Copy

To enforce encryption in transit to Aurora, you must require clients to useTLS/SSLwhen connecting to the database. Aurora (depending on engine flavor) supports a parameter that enforces secure transport by rejecting non-TLS connections. Setting the DB (cluster/instance) parameter such asrequire_secure_transporttoONforces clients to negotiate SSL/TLS; otherwise the server refuses the connection, ensuring all data in transit is encrypted. This directly enforces the compliance requirement at the database endpoint itself, independent of client behavior.

Kerberos authentication (Option B) provides centralized authentication and can be useful for IAM/AD integration, but it does not by itself guarantee that the network session is encrypted. Option C is incorrect because Aurora/RDS usesRDS-provided certificatesfor TLS; you don’t attach ACM certificates to Aurora the way you would for ALB/CloudFront. Option D is not the right enforcement mechanism: RDS Proxy can help with connection pooling and IAM auth patterns, but it does not inherently force all client-to-proxy or proxy-to-db connections to be encrypted in the way a DB parameter enforcement does (and you’d still need to ensure clients use TLS). Therefore, enabling the parameter that requires secure transport is the correct solution.

In an Auto Scaling group, instances are ephemeral—local disks and instance-level log files can disappear during scale-in or replacement. The most durable, operationally simple pattern is tostream logs off-host continuouslyto a managed log service. Installing and configuring theCloudWatch agent(or unified agent) to ship application logs toAmazon CloudWatch Logsensures logs are centralized and remain available regardless of instance lifecycle events. This directly solves the “logs lost after scale-in” problem and provides high availability for audit and investigation.

CloudWatch Logs also supports retention controls. The security engineer can set the log group retention toat least 1 year(or longer), meeting the audit requirement without building custom storage workflows. Access can be controlled with IAM to restrict who can view or export logs, and CloudWatch logs can be further integrated with Athena/OpenSearch/SIEM tools if needed.

Option A adds complexity and still ties durability to managing volumes across instance churn, with operational risk and scaling challenges. Option B requires daily copy jobs and can still lose logs between copy intervals; it also adds shared filesystem management overhead. Option D is manual and does not ensure durability, and it introduces operational friction during scale-in. Therefore, centralized log shipping to CloudWatch Logs is the best recommendation.

When AWS IAM Identity Center is used to manage user access across an AWS Organization, Identity Center is the authoritative control plane for enabling and disabling user access. According to the AWS Certified Security – Specialty Official Study Guide, disabling a user in IAM Identity Center immediately prevents that user from accessing any AWS account or role that is assigned through permission sets, satisfying the requirement to stop access organization-wide.

Disabling an IAM user in a single account or removing attached policies (Options A and B) does not prevent access through IAM Identity Center–managed roles in other accounts. Option C is incomplete because removing permission sets does not immediately disable authentication and still requires querying logs from an unsupported source.

For investigation and evidence collection, AWS CloudTrail organizational event data stores provide centralized, queryable access to all management and data events across all accounts in the organization. CloudTrail Lake enables security engineers to run SQL-based queries directly against event data without exporting logs to other services. This allows rapid collection of all actions that the compromised user performed during the last 7 days.

AWS documentation explicitly identifies the combination of IAM Identity Center for access revocation and CloudTrail Lake for organization-wide investigation as a best practice for identity-related incident response.

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Documentation

AWS CloudTrail Lake User Guide

AWS Incident Response Best Practices

To enforce encryption in transit for Amazon S3, AWS best practice is to require HTTPS (TLS) by using a bucket policy condition that denies any request where aws:SecureTransport is false. The requirement includes both existing buckets and future buckets, so the control must continuously evaluate configuration drift and automatically remediate. AWS Config is the service intended for continuous configuration compliance monitoring across resources, and AWS Config managed rules provide standardized checks with low operational overhead. The s3-bucket-ssl-requests-only managed rule evaluates whether S3 buckets enforce SSL-only requests, aligning directly with enforcing encryption in transit. Setting the trigger type to Hybrid ensures evaluation both on configuration changes and periodically. Automatic remediation with an AWS Systems Manager Automation runbook allows the organization to apply or correct the bucket policy consistently at scale without manual work. This approach also supports governance by maintaining a measurable compliance status while actively fixing noncompliance. Option A is not the best fit because a “proactive” custom policy rule does not by itself remediate existing buckets and “block resource creation” is not how AWS Config enforces controls. Option C is incorrect because Amazon Inspector is a vulnerability management service and does not govern S3 bucket transport policies. Option D is inefficient and indirect because CloudTrail data events are not a compliance engine and would require custom processing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for S3 Compliance

Amazon S3 Security Best Practices for SSL-only Access

Amazon S3 Block Public Access configured at the AWS account level is the recommended and most effective approach to protect data stored in Amazon S3 while minimizing operational overhead. AWS Security Specialty documentation explains that S3 Block Public Access provides centralized, preventative controls designed to block public access to S3 buckets and objects regardless of individual bucket policies or object-level ACL configurations. When enabled at the account level, these controls automatically apply to all existing and newly created buckets, significantly reducing the risk of accidental exposure caused by misconfigured permissions.

The AWS Certified Security – Specialty Study Guide emphasizes that public access misconfiguration is a leading cause of data leaks in cloud environments. Account-level S3 Block Public Access acts as a guardrail by overriding any attempt to grant public permissions through bucket policies or ACLs. This eliminates the need to manage security settings on a per-bucket or per-object basis, thereby reducing administrative complexity and human error.

Configuring Block Public Access at the object level, as in option B, requires continuous monitoring and manual configuration, which increases operational overhead. Disabling ACLs alone, as described in option C, does not fully prevent public access because bucket policies can still allow public permissions. Using AWS PrivateLink, as in option D, controls network access but does not protect against public exposure through misconfigured S3 policies.

AWS security best practices explicitly recommend enabling S3 Block Public Access at the account level as the primary mechanism for preventing unintended public data exposure with minimal management effort.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Security Best Practices Documentation

Amazon S3 Block Public Access Overview

AWS Well-Architected Framework – Security Pillar

When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record theCloudFront edge location IP addressesas the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security – Specialty Study Guide and the AWS WAF and CloudFront integration documentation.

To preserve the original client IP address, CloudFront automatically adds theX-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.

Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs. Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF. Option D is unnecessary and unsupported as a requirement because CloudFront already provides the required information through standard headers.

AWS documentation consistently states thatX-Forwarded-Foris the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Logging

Amazon CloudFront Developer Guide – Request Headers

AWS KMS keys are regional resources and cannot be used across Regions. According to AWS Certified Security – Specialty documentation, applications that are deployed in multiple Regions should use region-specific customer managed keys while referencing keys by alias instead of key ID.

By creating a new customer managed key in eu-north-1 and assigning it the same alias as the key in eu-west-1, the application code can continue to reference the alias without modification. Each Region resolves the alias to the correct local key, ensuring encryption continues to function correctly.

Option A is invalid because KMS keys are regional. Option B requires application changes. Option D introduces unsupported alias patterns.

AWS best practices recommend alias-based key references for multi-Region deployments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Keys and Aliases

AWS KMS Best Practices

AWS Systems ManagerSession Managerprovides interactive shell access to managed instanceswithout inbound SSH,without bastion hosts, andwithout managing SSH keys. Access is controlled through IAM policies, and every session can be logged to CloudWatch Logs/S3 for auditability. This directly satisfies the “no SSH keys” requirement and reduces the network exposure surface because you can keep port 22 closed and still obtain shell access when needed.

To meet the isolation requirement, the instances can be placed in private subnets with no inbound access, and you can use Systems Manager connectivity (via SSM endpoints/agents) for administrative sessions only when required. On-premises servers can also be managed by Systems Manager by registering them as managed instances (hybrid activations), allowing the same no-SSH-key operational model across EC2 and on-prem environments.

Options A and D still require network paths and do not eliminate key management; a bastion host is additional infrastructure that must be secured and maintained. CloudShell (Option C) is an AWS-managed shell environment but does not provide a direct, managed, keyless session channel into arbitrary EC2/on-prem hosts by itself. Therefore, Session Manager is the best solution.

A credential stuffing attack at the ALB is aLayer 7problem and is best mitigated withAWS WAF. The attacker is distributed across many IPs, so blocking by IP in a security group (Option B) is ineffective and operationally heavy. A CloudWatch alarm (Option A) only alerts; it does not block or mitigate requests.

Because the malicious traffic uses a distinctive, knownUser-Agentstring associated with a mobile device emulator, AWS WAF can quickly reduce the attack by inspecting the User-Agent header and blocking matching requests. This approach is targeted: it blocks the identified automated attack pattern while allowing legitimate users who do not present that emulator User-Agent to continue logging in. The WAF rule can be deployed immediately on the existing ALB-associated web ACL and can be further refined (for example, applied only to /login paths, combined with rate-based rules, or integrated with Bot Control) to minimize false positives.

Option D is risky because “allow only legitimate user agents” is brittle: user agents are diverse and change frequently, and a strict allow-list can accidentally block real users. Therefore, a WAF custom block rule for the known malicious User-Agent string is the correct solution.

Amazon Cognito is a fully managed identity service that providesuser authentication, authorization, and user managementfor web and mobile applications. According to AWS Certified Security – Specialty documentation, Cognito user pools are specifically designed to offload authentication responsibilities from applications while maintaining strong security controls.

By federating authentication with third-party identity providers (such as social IdPs), Cognito eliminates the need for the company to manage user passwords directly. This dramatically reduces password reset requests and customer service overhead, while also improving security throughindustry-standard authentication mechanisms, including MFA and token-based access.

Option A is insecure and incorrect because IAM access keys are not intended for end users. Option B simply relocates password storage and does not reduce operational burden. Option D uses API keys, which are not designed for user authentication and provide no identity verification.

AWS guidance clearly states thatAmazon Cognito is the recommended service for scalable, secure user authentication, especially when reducing password management complexity is a requirement.

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito User Pools Documentation

AWS IAM Security Best Practices

The findingInstanceCredentialExfiltrationindicates that credentials available to the EC2 instance (from the instance profile / IMDS) were likely stolen and then used from an unusual location. The fastest way todeny the malicious actor immediatelyis to invalidate the stolen, currently usable credentials. Because these aretemporary credentialsissued to the instance profile role, the correct first containment action is torevoke active sessionsfor that role so the stolen session credentials stop working. This directly blocks continued API use while you continue investigation and remediation.

Changing security groups (Option A) affects inbound network access to the website but does not stop an attacker from using stolen API credentials against AWS APIs. Installing agents and running assessments (Options B and C) are investigative steps that take time and do not immediately cut off the attacker’s current access. After revoking sessions, best practice incident response typically continues with additional containment and eradication steps such as rotating credentials, reviewing CloudTrail for actions taken, checking for persistence (new IAM users/keys, modified policies), patching the instance, and restricting IMDS (for example, enforcing IMDSv2) to reduce risk of further credential theft.

Amazon S3 Lifecycle configuration rules are the native, automated mechanism for managing object retention and deletion. According to AWS Certified Security – Specialty documentation, lifecycle rules can be configured to expire objects based on the number of days since object creation. Once the expiration time is reached, Amazon S3 permanently deletes the objects without manual intervention.

This solution directly enforces a maximum retention period of 72 hours and ensures compliance regardless of whether the vendor downloads the data or not. Lifecycle rules are evaluated continuously by Amazon S3 and do not require scripts, cron jobs, or additional services, making them the most operationally efficient and cost-effective solution.

S3 Versioning controls versions but does not enforce object deletion timelines. S3 Intelligent-Tiering optimizes storage cost but does not delete objects. Presigned URLs only control access duration and do not remove objects from storage.

AWS explicitly recommends lifecycle policies for automated data retention enforcement.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

AWS WAF rate-based rules are designed specifically to track the number of requests from a single IP address over a configurable time window. According to AWS Certified Security – Specialty guidance, rate-based rules integrate natively with CloudFront and emit CloudWatch metrics that can trigger alarms.

CloudFront logs and VPC Flow Logs are not real-time detection tools. ASN match rules do not count request rates.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Rate-Based Rules

CloudFront and AWS WAF Integration

AWS CloudFormation supports the use of aservice role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security – Specialty Study Guide, using a service role is themost secure and consistent wayto ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation—not individual users—assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifiesCloudFormation service roles combined with iam:PassRoleas best practice for secure, consistent infrastructure deployments.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

AWS incident response best practices emphasizecontainment with minimal blast radiuswhile preserving business continuity. According to the AWS Certified Security – Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue operating is the recommended initial response.

By creating an Amazon EventBridge rule that reacts to GuardDuty anomalous traffic findings and invokes an AWS Lambda function, the security engineer can automaticallyremove the affected EC2 instance from the Auto Scaling groupand attach arestricted security group. This immediately stops malicious activity while allowing Auto Scaling to replace the instance and keep the application available.

Option A is inappropriate because EC2 instance profiles do not use long-term access keys. Option C applies subnet-wide changes that could disrupt unrelated workloads. Option D provides notification only and does not meet the automated response requirement.

AWS documentation explicitly identifiesinstance isolation via security groupsas a preferred containment technique that preserves application availability and forensic integrity.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

AWS Incident Response Best Practices

To keep S3 accessoff the public internet, the standard AWS approach is to use anAmazon S3 gateway VPC endpoint(AWS PrivateLink for S3 is not used; S3 uses gateway endpoints). A gateway endpoint adds routes in the VPC route tables so traffic destined for S3 stays on the AWS backbone network rather than traversing an internet gateway, NAT gateway, or public IP paths. This satisfies the “cannot send traffic over the public internet” requirement while allowing the application in Account A to reach S3 in the same Region.

Cross-account bucket access is controlled byIAM and the S3 bucket policy, not by networking between the two accounts’ VPCs. The bucket resides in S3 (a regional service), not inside Account B’s VPC, so connecting VPC-to-VPC (peering, transit gateway, VPN) does not inherently provide private access to S3. Those options would add complexity and still typically require internet/NAT unless S3 endpoints are used.

With the gateway endpoint in Account A, the application can privately reach S3, and because permissions are already granted to write to the bucket in Account B, the write operations will succeed without public internet routing.

Amazon GuardDuty provides continuous monitoring for anomalous and malicious network activity by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. Enabling GuardDuty across accounts requires minimal configuration and immediately satisfies the requirement to monitor endpoints for anomalous network traffic, as described in the AWS Certified Security – Specialty Study Guide.

Encrypting data in transit for applications behind Elastic Load Balancing is most efficiently achieved by using AWS Certificate Manager (ACM). ACM provisions and manages TLS certificates automatically, and integrating ACM with ELB enables encrypted communication without manual certificate management.

For encryption at rest in Amazon S3, AWS best practices recommend enforcing server-side encryption using AWS KMS. An S3 bucket policy that denies PutObject requests unless the x-amz-server-side-encryption condition is present ensures that all uploaded objects are encrypted at rest using KMS-managed keys. This provides strong encryption guarantees with minimal operational effort.

Option A is unnecessary because Amazon Inspector focuses on vulnerability assessment, not encryption or network anomaly detection. Option C adds network complexity and is not required to meet the stated requirements. Option E is incorrect because x-amz-meta-side-encryption is not a valid enforcement mechanism.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Threat Detection

AWS Certificate Manager and ELB Integration

Amazon S3 Encryption Best Practices

The policy currently grants s3:GetObject but targets thebucket ARN(arn:aws:s3:::DOC-EXAMPLE-BUCKET). For Amazon S3, object-level actions such asGetObjectmust referenceobject ARNs, not the bucket ARN. The correct resource pattern is the bucket ARNwith /*appended (for example, arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) so the permission applies to objects within the bucket. Without this, S3 evaluates the request against a resource that does not match the requested object, resulting in an access denial even though the action appears correct.

The other options do not address the root cause. Expanding actions (Option B) is unnecessary and overly permissive, and it still would not fix the incorrect resource ARN for object reads. Changing principals or removing conditions (Option A) is not required just to allow reads—Lambda typically accesses S3 using the function’sexecution role, and bucket policies are commonly used for cross-account or service-based access control, but the immediate failure here is the mismatch between s3:GetObject and the bucket-only resource. Option D is invalid because it inverts principal/service usage and sets an incorrect resource type for S3 authorization.

GuardDuty supports “Trusted IP lists” to suppress findings that would otherwise be generated for activity originating from known safe IP addresses (for example, corporate NAT egress IPs, security scanners, or monitoring systems). To use a trusted IP list, you create aplain textfile that contains the IP addresses (typically one per line or in supported list form) and store it inAmazon S3. You then configure GuardDuty to reference that S3 object as a trusted IP list. GuardDuty periodically retrieves the file from S3 and uses it to adjust finding generation accordingly.

That maps directly to Option A (create a plaintext file) and Option D (upload to S3 and create a trusted IP list in GuardDuty pointing to the file).

Options B and E are incorrect because GuardDuty trusted IP lists are not configured by pasting JSON into the console; they are sourced from an S3-hosted text list. Option C is not supported because GuardDuty does not accept direct file uploads into the service as the configuration source; S3 is the expected integration point for IP lists and threat intel lists.

AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security – Specialty Official Study Guide,the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is by using AWS Organizations service control policies (SCPs).

SCPs define themaximum available permissionsfor all accounts in an organization or organizational unit. By creating an SCP with an explicitDenyfor the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions and attaching it to theroot OU, the security engineer ensures thatno principal in any member account—including administrators—can stop or delete CloudTrail trails. Explicit denies in SCPs cannot be overridden by IAM permissions.

Option A is incorrect because log file integrity validation only detects tampering after logs are delivered and does not prevent CloudTrail from being disabled. Option B protects log data at rest but does not prevent trail deletion or logging suspension. Option D removes read-only permissions and does not affect the ability to stop or delete CloudTrail.

AWS documentation explicitly states thatSCPs are the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Documentation

AWS CloudTrail Security Best Practices

Option A satisfies all requirements with the most direct, purpose-built AWS logging workflow. By using the CloudWatch Agent (or fluent-bit / unified logging configuration) on each EC2 instance—regardless of whether it is On-Demand or Spot—the application logs can be centralized into asingle Amazon CloudWatch Logs log group. Centralization ensures the logs remain available even as Spot Instances are interrupted and replaced. Access control is handled withIAM policies(and optionally resource policies/KMS encryption) so that only a specific set of users can read/query the log group.

For analysis,CloudWatch Logs Insightsprovides an interactive query language that is SQL-like and commonly treated as “SQL queries” for troubleshooting. It enables fast filtering, aggregation, and pattern detection across large log volumes without building a separate data lake pipeline. This supports event-pattern analysis and root cause investigation directly from the centralized log group.

Option B is incorrect because Logs Insights queries CloudWatch Logs data, not arbitrary log files sitting in S3. Option C is inefficient (many log groups) and Athena cannot directly query CloudWatch log groups as a native data source. Option D is incorrect because Amazon Detective is for security investigations across supported data sources and is not the primary service for ad-hoc SQL-style querying of application logs.

AWS best practices recommend using a shared secret header between CloudFront and ALB origins to prevent direct access. CloudFront injects a custom header, and the ALB listener rules validate its presence.

IP-based controls are brittle due to CloudFront IP changes. PrivateLink and internal ALBs are not supported as CloudFront origins. Header validation is the most reliable and widely recommended pattern.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

CloudFront Origin Protection

AWS WAF and ALB Integration

The immediate containment step for exposed access keys is todisable (deactivate) the compromised IAM access key(Option B). This prevents any further use of the leaked credentials, which is essential once secrets are publicly exposed. Creating a new key (Option D) may be part of recovery later, but it does not stop abuse of the already exposed key unless the exposed key is first deactivated.

To determine whether the credentials were used, you need evidence of access activity. Among the provided options, the best fit is generating and reviewing theIAM credential report(Option E). The report includes metadata such as access key status and “last used” style details that help triage whether the user’s credentials have been exercised recently. While deeper investigation would typically rely on CloudTrail “AccessKeyId” searches, the credential report is a quick AWS-native step aligned to the answer choices.

Option A is not correct: IAM Access Analyzer helps identify external access paths to resources and validate policies; it does not provide a definitive history of what a specific access key did. Option C is not a GuardDuty capability—GuardDuty generates findings; it does not “block” a specific access key. Therefore, deactivating the key and using credential reporting to assess recent usage best matches the requirements.

AWS incident response best practices emphasizerapid containment, credential revocation, and threat detectionto minimize the blast radius of a compromise. According to the AWS Certified Security – Specialty Official Study Guide, when unauthorized resources such as an Amazon S3 bucket hosting malware are discovered, immediate action must be taken to stop further misuse of the account and to prevent recurrence.

Rotating or deleting all AWS access keys (Option D)is a critical containment step. If an IAM user has been compromised, any long-term credentials associated with that user must be revoked immediately to prevent continued unauthorized access. AWS guidance explicitly lists access key rotation or deletion as a first-response action for suspected credential compromise.

Deleting unrecognized or unauthorized resources (Option F)directly removes the malicious infrastructure that is being abused. In this case, deleting the unauthorized S3 bucket immediately stops malware distribution and reduces reputational and compliance impact.

Turning on Amazon GuardDuty (Option B)enables continuous threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty can identify additional malicious activity, compromised credentials, or persistence mechanisms that the attacker may have established. AWS documentation recommends enabling GuardDuty during or immediately after an incident to detect ongoing or future threats.

Option A does not reduce the impact of the current compromise. Option C is overly disruptive and not recommended; credential rotation should be targeted. Option E is unnecessary because there is no indication that EBS-backed compute resources are involved.

AWS incident response guidance clearly prioritizescredential revocation, malicious resource removal, and threat detectionto minimize consequences.

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty User Guide

AWS IAM Security Best Practices

Amazon OpenSearch Service is designed for near real-time log ingestion, indexing, and search across large volumes of data. According to the AWS Certified Security – Specialty Study Guide, OpenSearch supports advanced log analytics use cases and integrates with OpenSearch Security Analytics, which provides prebuilt and custom detection rules.

Security Analytics can continuously evaluate incoming logs from multiple AWS services and generate alerts when detection rules are matched. These alerts can be forwarded to Amazon SNS with minimal configuration. OpenSearch also provides powerful search and query capabilities through APIs and dashboards.

Option C supports detection but lacks advanced correlation and scalable search capabilities. Option B is not a log analytics service. Option D is a visualization service and does not support real-time detection.

AWS guidance recommends OpenSearch Service for centralized, near real-time log analysis and alerting.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon OpenSearch Service Security Analytics

AWS Logging and Monitoring Architecture

Amazon CloudWatch Logs is designed to collect, store, and analyze log data from ephemeral compute resources such as EC2 instances in Auto Scaling groups. According to the AWS Certified Security – Specialty Study Guide, using the CloudWatch agent to stream logs off instances ensures log durability even when instances are terminated during scale-in events.

CloudWatch Logs Insights provides a fully managed, serverless query engine that enables ad hoc querying, filtering, and aggregation of log data without requiring additional infrastructure. This directly satisfies the requirement to query logs for application sessions and user troubleshooting.

Option A introduces operational risk because logs could be lost between cron executions. Option B requires additional services and data pipelines, increasing cost and complexity. Option E adds storage cost and management overhead and is not necessary for log analytics.

AWS best practices recommend CloudWatch Logs and Logs Insights as the most cost-effective and scalable solution for centralized log retention and analysis in Auto Scaling environments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs and Logs Insights

AWS Logging Best Practices

Amazon GuardDuty provides managed threat detection and supports EKS protection features that analyze Kubernetes audit logs to detect suspicious activity, including unauthorized or unauthenticated access attempts. AWS Certified Security – Specialty documentation recommends GuardDuty for low-overhead detection because it is fully managed and does not require deploying agents or modifying application code. EKS Audit Log Monitoring is designed to consume and analyze relevant control plane audit events to identify anomalous or unauthorized actions against the cluster. Compared to third-party add-ons, GuardDuty reduces operational burden and remains fully within AWS managed services. Security Hub aggregates findings from services like GuardDuty but does not itself perform the detection. CloudWatch Container Insights focuses on performance and operational metrics, not authentication security detections. Therefore, enabling GuardDuty with EKS Audit Log Monitoring provides the required detection with the least operational effort and without requiring additional configuration to the existing EKS workload beyond enabling the feature.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty EKS Protection and Audit Log Monitoring

AWS Threat Detection Best Practices for Kubernetes on AWS

AWS Systems Manager Run Command enables secure, remote execution of commands on EC2 instances without requiring network access or inbound ports. According to the AWS Certified Security – Specialty Study Guide, Run Command is a recommended mechanism for incident response actions such as installing forensic tools, collecting evidence, or applying quarantine controls.

By granting the SSM Agent permission to execute a predefined Run Command document, the security engineer can immediately run the quarantine script across affected instances. This approach supports automation, scalability, and auditability, all of which are critical during security incidents.

Options A, B, and C do not directly enforce quarantine or execute response actions. Tracking versions and storing scripts alone do not trigger incident response.

AWS documentation highlights Systems Manager Run Command as a core capability for automated containment and investigation.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Run Command

AWS Incident Response Automation

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

Network ACLs arestatelessand are evaluated in order based on rule number, with lower rule numbers taking precedence. According to AWS Certified Security – Specialty incident response guidance, network ACLs can be used toimmediately block traffic at the subnet levelwithout restarting instances or modifying their runtime state.

By adding a deny rule with alower priority number (10)that explicitly denies TCP traffic on port 22 from the offending IP address (10.0.1.5), the unauthorized SSH session is immediately interrupted. This approach satisfies the requirement to keep the instance running and to preserve memory for forensic analysis.

Option A violates the requirement because restarting the instance clears memory. Option C would disrupt all legitimate SSH access, not just the unauthorized session. Option D would block all internet access and could cause widespread service disruption.

AWS documentation emphasizes usingnetwork ACL deny rules for rapid, targeted containmentwhen immediate interruption is required without altering instance state.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

Amazon Inspector provides native CI/CD integration capabilities that allow security checks to occur before container images are pushed to Amazon ECR. According to AWS Certified Security – Specialty documentation, Inspector does not block image pushes automatically. Instead, prevention must occur inside the CI/CD pipeline itself.

By generating a Software Bill of Materials (SBOM) using the Amazon Inspector SBOM generator and submitting it to Inspector for scanning, the pipeline can detect critical vulnerabilities before the image is uploaded. If vulnerabilities exceed policy thresholds, the pipeline fails, preventing deployment.

Post-push scanning solutions only detect vulnerabilities after exposure. Event-driven blocking does not prevent the initial risk.

AWS best practices require “shift-left” security controls to prevent vulnerable artifacts from entering production.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector CI/CD Integration

AWS KMS key policies can restrict how and when a key is used by applyingconditions such as kms:ViaService, which limits usage to requests that originate from a specific AWS service. According to the AWS Certified Security – Specialty Official Study Guide and AWS KMS documentation, the kms:ViaService condition is evaluated against the service that calls KMS on behalf of the principal.

Using StringEquals with kms:ViaService restricts usage toexactly one service endpoint. However, AWS services can invoke KMS throughservice variants, internal endpoints, or additional service integrations. When StringEquals is used, these variations can unintentionally bypass the condition, allowing the key to be used by other services through different internal service paths.

Changing the condition operator from StringEquals to StringLike ensures thatonly EC2-related service callsthat match the intended service pattern are allowed, while still preventing use by unrelated AWS services. This aligns with AWS guidance to use StringLike when service invocation patterns may vary.

Option B is incorrect because the root principal statement is required to retain administrative control over the key. Option C is invalid because changing Regions does not address unauthorized service usage. Option D does not restrict key usage and does not mitigate the issue.

AWS documentation explicitly recommendstightening condition operatorsin KMS key policies to prevent unintended service access while maintaining required functionality.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

AWS KMS Key Policy Best Practices

To achieve true separation of duties, the company needs a design whereS3 access alone is not sufficientto read plaintext data.SSE-KMS with a customer managed KMS keyprovides that separation because successful object reads require both: (1) S3 permissions to read the object and (2) permission to use the KMS key to decrypt it. This enables the operations team to manage bucket and object permissions while the security team independently controls key usage through theKMS key policy(and grants). If either team misconfigures only their part, the data is still protected: an overly permissive bucket policy won’t expose plaintext unless KMS decrypt is also allowed; similarly, KMS permissions alone are not sufficient without S3 read access.

Option B also adds a bucket policy requirement enforcingSSE-KMSso objects are consistently protected with the customer managed key. SSE-S3 options (A and C) do not provide the same separation because S3 manages the keys and decryption is not independently controlled by a separate team via KMS policies. Option D is invalid because SSE-C uses customer-provided keys that are supplied with each request and are not stored/managed in KMS as described. Therefore, SSE-KMS with customer managed keys plus restrictive key policy is the correct solution.

Before beginning an investigation, incident response best practice is topreserve evidence,prevent accidental loss of the asset, andclearly mark and control the potentially affected resource. Enablingtermination protection(Option B) helps ensure the instance is not accidentally terminated during triage, which would destroy volatile evidence and complicate forensics and recovery.

TakingEBS snapshotsof all attached data volumes (Option C) preserves a point-in-time copy of disk evidence for later forensic analysis, malware scanning, or offline investigation. Snapshots allow responders to create forensic volumes or AMIs in an isolated environment without repeatedly touching the potentially compromised instance.

Capturinginstance metadataand tagging the instance asunder quarantine(Option E) supports both investigation and operational control. Metadata capture (instance ID, IAM role, network interfaces, security groups, user-data, tags, recent changes) provides context for responders. Quarantine tagging enables automated workflows (for example, incident runbooks that isolate the instance, restrict IAM, or move it to a quarantine security group) and signals to other teams/tools that the instance is under investigation.

Option A is the opposite of what you want. Option D destroys evidence. Option F is not an appropriate “before investigation” step; altering metadata risks losing evidence and is not the primary containment approach.

AWS IAM Access Analyzer policy generation is specifically designed to help security engineers generate least-privilege IAM policies based on actual usage recorded in AWS CloudTrail. According to the AWS Certified Security – Specialty documentation, policy generation analyzes historical CloudTrail data to identify the exact API actions and resources that a role has accessed over a specified time period.

Because the role has been actively used for three months, there is sufficient CloudTrail data for IAM Access Analyzer to generate a refined customer managed policy automatically. This significantly reduces manual effort and eliminates the need to analyze logs or infer permissions. The generated policy can be reviewed and attached directly to the role, ensuring least privilege access with minimal engineering effort.

Option B only validates existing policies for security warnings and does not reduce permissions. Option C requires manual analysis of CloudWatch logs, which is time-consuming and error-prone. Option D does not analyze real usage and cannot generate role-specific least privilege policies.

AWS documentation explicitly recommends IAM Access Analyzer policy generation as the fastest and most accurate method to refine IAM permissions based on observed behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Access Analyzer Policy Generation

AWS IAM Least Privilege Best Practices

WithSSE-KMS, authorization is a two-part check: the caller must have S3 permissions to read the objectandthe caller must be allowed to use the KMS key for decryption. Even if an IAM policy grants kms:Decrypt, the request will still fail if theKMS key policydoes not allow the principal (or does not allow the account to delegate use of the key). KMS key policies are authoritative: they can prevent key usage even when IAM policies appear to allow it.

A common misconfiguration is editing the key policy and removing the statement that grants the AWS account (or key administrators) the ability to manage and delegate permissions for the key—often described as removing “Enable IAM user permissions” or otherwise blocking the account from using IAM policies to authorize key usage. In that case, the IAM user’s kms:Decrypt permission in IAM is not sufficient because the key policy no longer permits it, resulting in Access Denied when S3 attempts to call KMS on the user’s behalf during GetObject.

Option A is not required for decrypting data (DescribeKey is useful for discovery but not necessary for GetObject). Option B would not inherently cause access denied if permissions align. Option C is incorrect because same-account S3 access can be granted purely via IAM without a bucket policy. Therefore, the key policy change is a valid reason.

AWS CloudFormationdynamic referencesprovide a secure mechanism for retrieving sensitive values from AWS Secrets Manager at stack creation or update time. According to the AWS Certified Security – Specialty documentation, dynamic references ensure that sensitive data such as database credentials arenever stored in plaintextin CloudFormation templates, parameters, stack metadata, or logs.

When a dynamic reference to Secrets Manager is used, CloudFormation retrieves the secret value at runtime and passes it securely to the resource that requires it. The secret value is not exposed to users who view the template, stack, or change sets.

Option B is insecure because parameters can be exposed through the CloudFormation console and APIs. Option C is incorrect because SecureString parameters are a feature of AWS Systems Manager Parameter Store, not Secrets Manager. Option D is invalid because KMS encrypts data but does not store secrets or manage secret rotation.

AWS best practices clearly state thatCloudFormation dynamic references to Secrets Managerare the recommended solution for securely handling sensitive configuration values.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Security Best Practices

AWS Secrets Manager Documentation

AWS incident response best practices emphasize isolating compromised resources rather than immediately terminating them. According to AWS Certified Security – Specialty documentation, removing an instance from an Auto Scaling group prevents replacement loops, while applying a restrictive security group isolates the instance for forensic analysis.

Using Amazon EventBridge to trigger an AWS Lambda function enables automated, consistent responses to GuardDuty findings. This approach minimizes disruption to the application because healthy instances continue serving traffic while the affected instance is isolated.

Disabling credentials or modifying network ACLs can have broader impact on unrelated workloads. SNS notifications alone do not provide response automation.

AWS recommends isolate-and-investigate patterns for EC2 incident response.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Automated Responses

AWS Incident Response Playbooks

Amazon Macie is the AWS service designed specifically to discover, classify, and report sensitive data stored in Amazon S3. According to the AWS Certified Security – Specialty Study Guide, Macie uses machine learning and managed data identifiers to automatically detect sensitive data types such as PII and financial information.

Macie integrates natively with Amazon EventBridge, allowing findings to be routed to other services such as Amazon SNS with minimal configuration. Creating an EventBridge rule to forward Macie findings to an existing SNS topic satisfies the notification requirement without custom code.

Option A is invalid because AWS Config does not inspect object contents. Option B requires custom development and ongoing maintenance. Option D is incorrect because Amazon GuardDuty focuses on threat detection, not sensitive data discovery.

AWS documentation emphasizes Macie as the lowest-effort and most accurate solution for sensitive data identification in S3.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Macie Sensitive Data Discovery

Amazon EventBridge Integration with Security Services

CloudTrail trails can be configured as eithersingle-Regionormulti-Region. A single-Region trail delivers events only for the Region in which it is created; when the company begins using additional Regions, those events will not be logged to the existing S3 destination unless the trail is updated. The least operational overhead is tomodify the existing trailand enablemulti-Regionlogging (that is, configure the trail to “apply to all Regions”). This preserves the current S3 bucket destination, encryption settings, log file validation configuration, IAM roles, and any integrations that already depend on the existing trail name and S3 prefix structure.

Creating a new trail (Options A or C) increases overhead because the engineer would need to manage multiple trails or migrate downstream processes (alerting, Athena tables, SIEM ingestion, retention policies, and lifecycle rules). Option B is not how CloudTrail works—S3 notifications do not cause CloudTrail to collect events from other Regions; CloudTrail must be configured to generate and deliver those logs. Therefore, updating the existing trail to be multi-Region is the simplest and most maintainable fix.

Amazon Detective is a purpose-built AWS service designed toanalyze, investigate, and visualize security datato help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security – Specialty Official Study Guide, Amazon Detective directly integrates withAmazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to automatically create behavior graphs and timelines.

When GuardDuty generates findings related to anomalous activity, Amazon Detective enables security engineers to pivot directly to an investigation focused on a specific IAM role, user, or resource. Detective automatically correlates historical activity, identifies deviations from baseline behavior, and highlightsindicators of compromise, such as unusual API calls, credential misuse, or suspicious network activity.

AWS Audit Manager (Option B) is designed for compliance and audit evidence collection, not threat investigation. Amazon Inspector (Options C and D) is focused on vulnerability scanning of compute resources and does not analyze IAM behavior or GuardDuty findings.

AWS documentation explicitly states thatAmazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

AWS Firewall Manager applies and enforces AWS WAF protections based on thepolicy scopeyou define. In this scenario, the policy is explicitly scoped toonlythose resources that have the tag keyWAF-protectedwith a value oftrue. If the API Gateway REST API does not have that exact tag (correct key, correct value, correct spelling/case), Firewall Manager will treat the resource asout of scope. Out-of-scope resources are not evaluated for compliance and are not remediated, so the expected automatic association of the web ACL will never occur.

This is the most common reason for “nothing happens” when Firewall Manager is configured with tag-based scoping: the resource is missing the tag, the value is different (for example “True” vs “true”), or the tag was applied to a different resource than the one Firewall Manager evaluates.

Option A is incorrect because AWS WAF web ACLscanprotect API Gateway REST APIs (regional). Option C is not a blocker because a web ACL can generally be associated with multiple resources (within the supported scope). Option D is irrelevant to preventing association here; CloudFront uses a global scope and does not inherently block regional associations.

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

The requirement includesremediating existing noncompliant bucketsand also handlingfuture noncompliant bucketsacross multiple accounts and Regions. Anorganization-wide AWS Config aggregatorprovides centralized visibility into compliance status across all member accounts/Regions. To remediate, AWS Config can trigger automation (commonly via EventBridge/SNS) that invokes anAWS Lambda function(or SSM Automation) to take corrective action—such as enabling default encryption, blocking public access, or applying required bucket policies—whenever a bucket is evaluated as noncompliant. This addresses both existing findings (by running remediation on current noncompliant resources) and new ones (by automatically reacting when new buckets appear or configurations drift).

Options C and D are insufficient because they scope only to “accounts and Regions the company currently uses,” which fails the multi-Region/multi-account organization requirement and would miss future expansion. Option B helps prevent creation of new noncompliant resources but does not remediate existing buckets, which is explicitly required. Therefore, the combination of an org-wide aggregator plus automated remediation on Config noncompliance is the best fit.

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

Amazon Detective is a managed service designed specifically toinvestigate and analyze security findingsby automatically correlating data from Amazon GuardDuty, AWS CloudTrail, and VPC Flow Logs. According to the AWS Certified Security – Specialty Official Study Guide, Detective enables security teams to identifyroot causes, anomalous behavior, and indicators of compromisethrough interactive visualizations.

Amazon Detective allows investigators to pivot directly toIAM roles, users, and resources that are involved in GuardDuty findings. Detective builds behavior graphs and timelines that show API activity, network traffic, and historical context, making it easier to understand how and why a security incident occurred.

Amazon Inspector (Option B) focuses on vulnerability scanning of compute resources and does not investigate IAM behavior. Option C requires manual analysis and lacks native visualization. AWS Security Hub (Option D) aggregates findings but does not perform root-cause investigation or behavioral analysis.

AWS documentation explicitly states thatAmazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, especially when IAM roles are involved.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

In IAM Identity Center, a permission set that includes acustomer managed policydoes not “carry” that policy into each target account automatically unless the policy exists there. When you attach a customer managed policy by name to a permission set, IAM Identity Center expects that policy to be present in each account where the permission set is provisioned. If the policy is missing in any account (common when assigning across multiple accounts), provisioning/assignment can fail because Identity Center cannot attach a non-existent policy to the role it creates in that account.

The correct fix is tocreate the customer managed policy in every target account, ensuring it has thesame nameand the intended permissions in each account. Once the policy exists consistently across accounts, IAM Identity Center can successfully provision the permission set in each account and complete the user assignment.

Options B and D are workarounds that increase complexity and do not address the underlying requirement to use the customer managed policy across accounts. Option C is not the issue here; policy “conflicts” typically do not prevent provisioning—missing referenced customer managed policies do. Therefore, ensuring the customer managed policy exists in each assigned account resolves the failure with the intended multi-account design.

AWS IAM Identity Center delegated administration requires foundational configuration to be completed in the organization’s management account before delegation. According to the AWS Certified Security – Specialty documentation, IAM Identity Center must be enabled with a directory in the management account before any delegation can occur.

Permission sets must be created in the management account because they define the permissions that will later be delegated to member accounts. Additionally, user assignments must initially exist in the management account to establish baseline access control before delegation is configured.

Option A is too generic and not a required prerequisite step. Option C is unrelated to Identity Center delegation. Option E is incorrect because IAM Identity Center uses identities from its directory or external IdPs, not IAM users.

AWS guidance clearly outlines directory creation, permission set definition, and initial user assignments as mandatory preparatory steps for delegated administration.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Delegated Administration

AWS Organizations and Identity Center Integration

AWS abuse notifications are delivered as AWS Health events. According to the AWS Certified Security – Specialty Study Guide, Amazon EventBridge integrates natively with AWS Health and can be used to detect specific event types such as AWS_ABUSE_DOS_REPORT in near real time.

By creating an EventBridge rule that filters for the abuse report event type and publishes directly to Amazon SNS, the solution remains fully managed, low latency, and cost effective.

Polling APIs introduces delay and complexity. CloudTrail does not log abuse notifications. EventBridge with AWS Health is the recommended mechanism for reacting to AWS service events.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Health and EventBridge Integration

AWS Abuse Notification Handling

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near–real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near–real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

A rate-based rule in AWS WAF is designed to quickly mitigate spikes and potential layer 7 floods bytracking request rates per originating IPand temporarily blocking (or counting/challenging, depending on configuration) IPs that exceed a defined threshold within a 5-minute rolling window. In this scenario, the malicious traffic is distributed acrosshundreds of IPsin two countries, and the application still needs to remain available globally for legitimate users. A rate-based rule provides fast, targeted throttling that reduces abusive request patterns without permanently blocking entire geographies. This aligns with “quickly limit” while minimizing collateral impact.

Blocking both countries with a geo match rule (Option B) would likely block legitimate users located in those countries, which violates the requirement. Security groups (Options C and D) cannot natively enforcegeographicfiltering, and they are not well suited for large, rapidly changing sets of public source IPs at the application layer. Additionally, WAF operates at layer 7 with richer matching (rate limiting, URI/header patterns, bot controls), which is the appropriate control point when the ALB already has a web ACL associated. Therefore, implementing an AWS WAFrate-basedrule is the most effective and least disruptive immediate mitigation.