SCS-C03 AWS Certified Security – Specialty Questions and Answers

Amazon WorkSpaces is a fully managed desktop-as-a-service solution designed to minimize infrastructure and operational overhead. According to AWS Certified Security – Specialty documentation, WorkSpaces supports device trust by using client certificates to restrict access to approved devices.

By deploying client certificates only to company-managed devices and enforcing restricted access at the directory level, the organization ensures that only trusted endpoints can authenticate. This approach avoids the cost and complexity of building and maintaining a custom VDI or managing individual EC2 instances.

Option A and B significantly increase management overhead. Option C is incorrect because IAM does not manage WorkSpaces authentication gateway policies or device trust.

AWS best practices highlight Amazon WorkSpaces with certificate-based device trust as the most efficient solution for secure, managed desktops.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon WorkSpaces Security Controls

Amazon WorkSpaces Device Trust

Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security – Specialty documentation, GuardDuty findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events).

Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.

Option A is incorrect because GuardDuty does not directly invoke Lambda functions. Option B and Option D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. Cryptocurrency findings are security detections, not configuration changes.

AWS documentation explicitly describes this pattern—GuardDuty → EventBridge → Lambda → remediation action—as a best practice for automated threat response and containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – Findings

Amazon EventBridge User Guide

AWS Incident Response Best Practices

AWS Audit Manager is specifically designed to help organizations continuously audit their AWS usage against compliance frameworks and generate audit-ready reports. According to AWS Certified Security – Specialty documentation, Audit Manager includes AWS managed frameworks for compliance standards, including PCI DSS v4.0.

Audit Manager automatically collects evidence from AWS services such as API Gateway, Lambda, RDS, CloudTrail, and Config, and maps the evidence directly to PCI DSS controls. Importantly, Audit Manager allows compliance teams to upload and attach manual evidence, which is a key requirement in this scenario.

Option C provides visibility into control status but does not support adding manual evidence. Option B evaluates configuration compliance but does not generate formal compliance reports. Option A requires extensive manual effort and is not aligned with PCI reporting workflows.

AWS documentation positions Audit Manager as the authoritative service for compliance reporting and audit evidence management.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Audit Manager PCI DSS Framework

AWS Compliance Reporting Best Practices

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance, CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send a custom origin header (such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured to forward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommends custom origin headers as the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

AWS IAM Identity Center centrally manages user access across an AWS Organization. Disabling the user in Identity Center immediately revokes access to all AWS accounts. According to AWS Certified Security – Specialty documentation, organizational CloudTrail event data stores provide centralized, queryable access to all events across accounts.

Using CloudTrail Lake enables direct querying of activity without exporting logs. Disabling the user at the Identity Center level ensures full containment.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Incident Response

AWS CloudTrail Lake

AWS CloudFormation supports the use of a service role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security – Specialty Study Guide, using a service role is the most secure and consistent way to ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation—not individual users—assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifies CloudFormation service roles combined with iam:PassRole as best practice for secure, consistent infrastructure deployments.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

AWS KMS access control is primarily enforced through key policies (and optionally grants), and AWS recommends using key policy condition keys to restrict how keys can be used. The kms:ViaService condition key is specifically designed to restrict KMS API usage to requests that come through a particular AWS service endpoint in a specific Region. This is the most robust way to ensure a key can be used only via AWS Lambda (for example, lambda..amazonaws.com) and not via Amazon EC2 (ec2..amazonaws.com), even if IAM permissions exist elsewhere. By writing a key policy that uses the Lambda execution role as the principal and conditions on kms:ViaService, the company can tightly bind key usage to Lambda-originated cryptographic operations while preventing use through EC2 service paths. Option A is weaker because EC2 is not the only way an IAM principal might use KMS, and relying on attaching explicit deny policies broadly is harder to manage and can miss principals. Option C is incorrect because aws:AuthorizedService is not the typical mechanism for KMS service restriction, and SourceIp is unreliable for service-to-service calls. Option D is not ideal because SCPs do not provide fine-grained service-path restrictions for KMS usage and cannot “allow” beyond IAM; key policy controls still apply.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policies and Condition Keys

AWS KMS Best Practices for Service-Scoped Key Usage

Network Load Balancers operate at Layer 4 and are optimized for extreme performance, ultra-low latency, and handling sudden traffic spikes. According to AWS Certified Security – Specialty documentation, using a TCP listener on an NLB allows TLS traffic to pass through directly to backend containers without termination, preserving true end-to-end encryption.

This approach eliminates the overhead of decrypting and re-encrypting traffic at the load balancer, reducing latency and maximizing throughput. NLBs scale automatically to handle volatile traffic patterns and millions of requests per second.

Application Load Balancers operate at Layer 7 and introduce additional latency due to TLS termination and HTTP processing. Route 53 multivalue routing does not provide load balancing at the transport layer and does not ensure encryption handling.

AWS recommends NLB TCP pass-through for high-performance, end-to-end encrypted container workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Elastic Load Balancing Architecture

Network Load Balancer Performance Characteristics

Amazon GuardDuty is a fully managed, organization-aware threat detection service that continuously analyzes AWS logs such as CloudTrail events, VPC Flow Logs, DNS logs, EKS audit logs, and RDS activity. According to the AWS Certified Security – Specialty Official Study Guide, GuardDuty is designed to operate at scale across AWS Organizations with minimal operational overhead.

By designating a GuardDuty administrator account in the organization’s management account and enabling GuardDuty organization-wide, the company can automatically enable threat detection across hundreds of AWS accounts. Enabling EKS Protection allows GuardDuty to analyze Kubernetes audit logs for suspicious activity, while RDS Protection provides anomaly detection for Amazon Aurora databases.

Options B, C, and D require custom log aggregation, processing, and analytics pipelines, which significantly increase operational effort and maintenance complexity. Amazon Inspector does not analyze logs, Athena-based analysis is manual, and Kinesis plus Lambda requires custom detection logic.

AWS documentation explicitly identifies GuardDuty with AWS Organizations integration as the recommended solution for centralized, automated threat detection across multi-account environments with minimal operational effort.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

GuardDuty Organization Administration Documentation

Amazon Detective is a purpose-built AWS service designed to analyze, investigate, and visualize security data to help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security – Specialty Official Study Guide, Amazon Detective directly integrates with Amazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to automatically create behavior graphs and timelines.

When GuardDuty generates findings related to anomalous activity, Amazon Detective enables security engineers to pivot directly to an investigation focused on a specific IAM role, user, or resource. Detective automatically correlates historical activity, identifies deviations from baseline behavior, and highlights indicators of compromise, such as unusual API calls, credential misuse, or suspicious network activity.

AWS Audit Manager (Option B) is designed for compliance and audit evidence collection, not threat investigation. Amazon Inspector (Options C and D) is focused on vulnerability scanning of compute resources and does not analyze IAM behavior or GuardDuty findings.

AWS documentation explicitly states that Amazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security – Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.

Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

AWS Lambda automatically sends function execution logs to Amazon CloudWatch Logs when logging is enabled in the function code. However, this logging capability depends on the Lambda execution role having the appropriate permissions. According to the AWS Certified Security – Specialty Study Guide, the execution role must include permissions such as logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.

If these permissions are missing, Lambda cannot create log groups or streams, and no execution logs will appear in CloudWatch Logs—even though the function was successfully invoked. This is the most common reason Lambda logs are unavailable during forensic investigations.

Option B is incorrect because Lambda logs are stored in CloudWatch Logs regardless of whether the invocation source is API Gateway, EventBridge, or another AWS service. Option C is incorrect because CloudWatch Logs does not require direct S3 permissions from the Lambda execution role. Option D is irrelevant because Lambda versions do not affect logging behavior.

AWS documentation emphasizes verifying execution role permissions as a first step when Lambda logs are missing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Lambda Execution Roles

Amazon CloudWatch Logs Integration with Lambda

Amazon EC2 security groups are stateful, meaning that once a connection is established, return traffic is automatically allowed, even if the inbound rule that originally permitted the connection is later removed. According to the AWS Certified Security – Specialty Official Study Guide and Amazon EC2 security documentation, existing connections are not terminated when security group rules change. This explains why the SSH session remains active even after the security group rules were modified, while new traffic such as ICMP ping is blocked.

To immediately and fully isolate an EC2 instance during an incident response scenario, AWS recommends using stateless network controls. Amazon VPC network ACLs (NACLs) are stateless, which means that every packet is evaluated against the ACL rules regardless of whether the traffic is part of an existing connection. When a deny rule is added, all traffic is immediately blocked, including active sessions.

By creating a network ACL and associating it with the subnet that contains the target instance, and by adding explicit deny rules with the lowest rule numbers for both inbound and outbound traffic, the security engineer ensures that all network communication to and from the instance is immediately interrupted. This approach satisfies the requirement to isolate the instance while preserving its runtime state and memory for forensic analysis.

Other options fail to meet the requirement because security group modifications do not terminate existing sessions, Systems Manager does not enforce network isolation, and host-level firewall changes require instance-level access and do not provide immediate, network-enforced isolation.

AWS Certified Security – Specialty Official Study Guide

Amazon EC2 Security Groups Documentation

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.

AWS WAF cannot be directly associated with Cognito user pools.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Threat Protection

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security – Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP’s SAML assertions.

By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication timing issues.

AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center SAML Federation

AWS Identity Federation Best Practices

AWS Service Catalog is designed to allow organizations to create and manage approved sets of CloudFormation templates, known as products, and make them available to specific accounts or organizational units (OUs). According to the AWS Certified Security – Specialty Study Guide, Service Catalog is the preferred governance mechanism for enforcing standardized infrastructure deployments while maintaining strong access controls.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved CloudFormation template. This guarantees that third-party developers can deploy infrastructure only in accordance with the company’s predefined deployment plan, without modifying or directly accessing the template itself.

Option B and D use CloudFormation modules, which are intended for reusable resource definitions but do not provide the same level of deployment governance, access control, and lifecycle management as Service Catalog. Option C introduces unnecessary cross-account IAM roles, increasing the attack surface and operational complexity, which violates the “most secure” requirement.

AWS documentation explicitly states that Service Catalog is the recommended service for distributing standardized CloudFormation templates across AWS Organizations, while controlling who can deploy them and where.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS Well-Architected Framework – Security Pillar

Amazon GuardDuty Exfiltration:S3/AnomalousBehavior findings indicate that S3 data access patterns are consistent with data exfiltration. In this scenario, the attacker is using temporary credentials obtained from an EC2 instance profile, which are issued by AWS Security Token Service (STS).

According to AWS Certified Security – Specialty documentation, the fastest and most targeted remediation is to revoke the temporary session credentials associated with the compromised instance profile. This can be accomplished by removing or modifying the IAM role permissions, detaching the instance profile, or stopping the instance, which immediately invalidates the temporary credentials and prevents further S3 access.

Option B may limit outbound traffic but does not invalidate already issued credentials. Option C is a detection and classification service and does not prevent active exfiltration. Option D would block all access to the bucket, including legitimate access, and is considered overly disruptive for incident containment.

AWS incident response best practices emphasize credential revocation as the first containment step when compromise of temporary credentials is confirmed.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – S3 Protection

AWS STS and IAM Role Security Documentation

AWS Incident Response Best Practices

AWS KMS keys are strictly regional resources. According to AWS Certified Security – Specialty documentation, a KMS key created in one Region cannot be used to encrypt or decrypt data in another Region. This includes encrypted RDS and Aurora snapshots.

When copying an encrypted snapshot to a different Region, the destination Region must have its own KMS key. AWS automatically re-encrypts the snapshot using the specified KMS key in the destination Region during the copy operation.

Options C and D are invalid because IAM policies cannot extend a KMS key’s scope across Regions. Option A is incorrect because Secrets Manager does not store or manage KMS keys themselves.

AWS best practices require creating a new customer managed key in the target Region and using it during the snapshot copy process.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Key Limitations

Amazon RDS Encrypted Snapshot Copy

Amazon GuardDuty provides managed threat detection and supports EKS protection features that analyze Kubernetes audit logs to detect suspicious activity, including unauthorized or unauthenticated access attempts. AWS Certified Security – Specialty documentation recommends GuardDuty for low-overhead detection because it is fully managed and does not require deploying agents or modifying application code. EKS Audit Log Monitoring is designed to consume and analyze relevant control plane audit events to identify anomalous or unauthorized actions against the cluster. Compared to third-party add-ons, GuardDuty reduces operational burden and remains fully within AWS managed services. Security Hub aggregates findings from services like GuardDuty but does not itself perform the detection. CloudWatch Container Insights focuses on performance and operational metrics, not authentication security detections. Therefore, enabling GuardDuty with EKS Audit Log Monitoring provides the required detection with the least operational effort and without requiring additional configuration to the existing EKS workload beyond enabling the feature.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty EKS Protection and Audit Log Monitoring

AWS Threat Detection Best Practices for Kubernetes on AWS

Amazon Cognito is a fully managed identity service that provides user authentication, authorization, and user management for web and mobile applications. According to AWS Certified Security – Specialty documentation, Cognito user pools are specifically designed to offload authentication responsibilities from applications while maintaining strong security controls.

By federating authentication with third-party identity providers (such as social IdPs), Cognito eliminates the need for the company to manage user passwords directly. This dramatically reduces password reset requests and customer service overhead, while also improving security through industry-standard authentication mechanisms, including MFA and token-based access.

Option A is insecure and incorrect because IAM access keys are not intended for end users. Option B simply relocates password storage and does not reduce operational burden. Option D uses API keys, which are not designed for user authentication and provide no identity verification.

AWS guidance clearly states that Amazon Cognito is the recommended service for scalable, secure user authentication, especially when reducing password management complexity is a requirement.

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito User Pools Documentation

AWS IAM Security Best Practices

Step 1: Obtain the SAML metadata from IAM Identity Center.

Step 2: Obtain the SAML metadata from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center.

When integrating AWS IAM Identity Center (formerly AWS SSO) with an external identity provider (IdP) using SAML 2.0, AWS requires a specific sequence of steps to establish trust and federation correctly.

Step 1: Obtain the SAML metadata from IAM Identity Center

IAM Identity Center acts as the service provider (SP) in the SAML trust. The external IdP must trust IAM Identity Center, so the IdP needs IAM Identity Center’s SAML metadata first. This metadata contains critical information such as the SP entity ID, ACS (Assertion Consumer Service) URL, and signing certificate. Without this metadata, the external IdP cannot be configured to send assertions to AWS.

Step 2: Obtain the SAML metadata from the external IdP

After the external IdP is configured to trust IAM Identity Center, the IdP generates its own SAML metadata. This metadata includes the IdP entity ID, SSO endpoint, and signing certificate. IAM Identity Center requires this information to validate authentication assertions coming from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center

Once both metadata files are available, the security engineer configures the external IdP as the identity source in IAM Identity Center. At this stage, IAM Identity Center imports the IdP metadata and establishes the SAML trust relationship. After this configuration, users authenticated by the external IdP can be federated into AWS accounts and applications via IAM Identity Center.

Why the other options are incorrect:

Creating an IAM role with an IdP API endpoint is used for IAM federation, not IAM Identity Center.

Automatic provisioning (SCIM) is optional and is configured after SAML federation is established.

Automatic provisioning must be enabled on both sides, but it is not required to complete the core IdP integration.

This sequence follows AWS best practices for SAML-based federation with IAM Identity Center.

The Amazon CloudWatch agent requires explicit IAM permissions to create log groups, create log streams, and put log events into Amazon CloudWatch Logs. According to the AWS Certified Security – Specialty Study Guide, the most common cause of CloudWatch agent log delivery failures is missing or insufficient IAM permissions on the EC2 instance role.

The CloudWatchAgentServerPolicy AWS managed policy provides the required permissions, including logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. Attaching this policy to the EC2 instance role enables the CloudWatch agent to successfully deliver custom application logs without requiring changes to the application or logging configuration.

Options A, B, and C are incorrect because CloudTrail, Amazon S3, and Amazon Inspector are not designed to ingest custom application logs from EC2 instances in this manner. AWS documentation clearly states that IAM permissions must be granted to the EC2 role for CloudWatch Logs ingestion.

This approach aligns with AWS best practices for least privilege while ensuring reliable detection and monitoring capabilities.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Agent Configuration

AWS IAM Best Practices for Monitoring

AWS CloudTrail Lake is purpose-built to store, query, and analyze CloudTrail events, including data events, without requiring additional infrastructure. The AWS Certified Security – Specialty documentation explains that CloudTrail Lake provides immutable event storage with configurable retention periods, including multi-year retention, which satisfies long-term compliance requirements such as 7-year retention. Events are stored in an append-only, immutable format managed by AWS, reducing operational complexity.

CloudTrail Lake supports SQL-based queries for complex analysis directly against the event data, eliminating the need to export logs to other services for querying. Additionally, CloudTrail Lake includes built-in dashboards and integrations that enable visualization of event trends and patterns without standing up separate analytics or visualization platforms.

Option B is invalid because CloudTrail Event History only retains events for up to 90 days and does not support long-term retention or advanced querying. Option C introduces high operational overhead and cost by requiring persistent Amazon EMR clusters and additional services. Option D incurs ongoing ingestion, indexing, and storage costs for OpenSearch Service over a 7-year period, making it less cost-effective than CloudTrail Lake.

AWS documentation positions CloudTrail Lake as the most cost-effective and operationally efficient solution for long-term, queryable CloudTrail event storage and visualization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Lake Architecture and Retention

AWS CloudTrail Data Events Overview

CloudWatch Logs Insights is a managed, on-demand query capability designed to search and analyze log data stored in CloudWatch Logs without moving the data elsewhere. AWS Certified Security – Specialty documentation highlights Logs Insights as the lowest-effort method for rapid investigations, because it supports filtering, parsing, aggregation, and time-range queries directly over existing log groups. In this scenario, the logs already exist in CloudWatch Logs with sufficient retention. The engineer can write a query that filters for the suspicious IP address, counts occurrences over the last 7 days, and extracts requested URLs using parsing functions. This satisfies both requirements (count and URLs) immediately, without building pipelines or exporting data. Option B adds operational overhead by provisioning and maintaining OpenSearch ingestion and indexing. Options A and D require exporting data and additional services that are not necessary for a one-week forensic query. Therefore, Logs Insights is the most efficient and cost-effective approach.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Insights Querying and Investigation Workflows

Amazon CloudFront includes a built-in geo restriction feature that allows content to be allowed or denied based on the viewer’s country. According to AWS Certified Security – Specialty documentation, CloudFront geo restriction is the most cost-effective method for country-based blocking because it does not require AWS WAF or additional rule processing.

AWS WAF geo match rules incur additional cost and are more appropriate when advanced inspection or layered security controls are required. IP-based blocking is impractical due to frequent IP changes. Geolocation headers do not enforce access control.

CloudFront geo restriction is evaluated at the edge and efficiently blocks disallowed countries with minimal latency and cost.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Geo Restriction

AWS Edge Security Best Practices

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

AWS WAF supports logging of detailed HTTP request information, including source IP addresses, request URIs, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, Amazon S3 combined with Amazon Athena is the recommended and most cost-effective solution for ad hoc and forensic analysis of AWS WAF logs.

By configuring AWS WAF to deliver logs to Amazon S3 and using Athena with partition projection, the security engineer can efficiently query large volumes of log data without maintaining partitions manually. This enables rapid identification of application-layer attacks such as SQL injection, cross-site scripting, and bot activity.

Options A and D are incorrect because AWS WAF logs are not delivered to CloudTrail. Option B is invalid because OpenSearch cannot directly query data stored in S3 without ingestion or additional tooling.

AWS documentation highlights S3 + Athena as a best practice for scalable, serverless analysis of AWS WAF logs.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena Best Practices

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

AWS IAM Identity Center permission sets that include customer managed policies require those policies to exist in each target account. According to the AWS Certified Security – Specialty Study Guide, customer managed policies are account-scoped and are not automatically propagated across accounts by Identity Center.

When assigning a permission set across multiple accounts, Identity Center attempts to attach the referenced customer managed policy in each account. If the policy does not exist, the assignment fails. Creating the same customer managed policy with identical name and permissions in every target account resolves the issue.

Option B increases complexity. Option C does not address the root cause. Option D violates Identity Center management best practices.

AWS documentation clearly states that customer managed policies must be present in all accounts where permission sets are applied.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Permission Sets

AWS Organizations and Identity Center Policy Management

Amazon RDS supports point-in-time recovery (PITR) using automated backups within the configured retention window. According to the AWS Certified Security – Specialty Study Guide, PITR allows recovery to any second within the retention period, making it the most precise recovery method following a security incident.

By restoring the database cluster to a point just before the attack occurred, such as 3:14 PM, the security engineer ensures that the restored database reflects the last known good state without including malicious changes. This method is more accurate than restoring from snapshots, which are created at fixed intervals and may not align with the exact recovery time.

Options B and C rely on snapshot timing and may reintroduce compromised data. Option D restores to an arbitrary time and does not meet the requirement to recover to the last known good version.

AWS documentation explicitly recommends point-in-time recovery for incident response scenarios that require precise restoration.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon RDS Automated Backups and PITR

AWS Incident Response and Recovery Guidance

Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is the recommended service for centralized log aggregation and near-real-time analysis of application and system logs.

By configuring all EC2 instances to send logs to a single CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.

CloudWatch Logs Insights provides a powerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.

Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3. Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups. Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.

AWS documentation explicitly states that CloudWatch Logs combined with CloudWatch Logs Insights is the most efficient and secure approach for centralized log analysis in EC2-based architectures.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Documentation

CloudWatch Logs Insights Query Guide

AWS WAF rate-based rules are designed to help protect applications and resources from traffic floods and application-layer DDoS attacks by tracking the number of requests from individual source IP addresses over a rolling time window. According to the AWS Certified Security – Specialty Official Study Guide and AWS WAF documentation, rate-based rules can be configured with different actions, including Count, Block, and Allow.

When a security engineer is determining an appropriate rate limit that will not block legitimate traffic, AWS best practices recommend initially configuring the rate-based rule with the Count action. The Count action allows AWS WAF to monitor and log requests that exceed the specified rate threshold without actively blocking them. This provides visibility into traffic patterns and enables the security engineer to analyze how the rule would behave in production.

By using the Count action, the security engineer can safely evaluate whether legitimate users would be affected by the chosen rate limit. Once the engineer is confident that the threshold accurately distinguishes between normal traffic and malicious behavior, the action can later be changed to Block.

Option B is incorrect because immediately blocking traffic without validation risks denying service to legitimate users. Option C is invalid because AWS WAF does not have a Monitor action. Option D is incorrect because the Allow action does not enforce rate limiting.

AWS documentation explicitly recommends starting rate-based rules in Count mode to fine-tune thresholds before enforcing blocks, especially for DDoS protection scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices

AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security – Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.

If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.

Other options reference incorrect principals or irrelevant permissions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Prerequisites

AWS Key Management Service (KMS) customer managed keys are regional resources. According to the AWS Certified Security – Specialty Official Study Guide and KMS documentation, a KMS key created in one AWS Region cannot be used directly in another Region. When copying an encrypted Amazon Aurora DB snapshot across Regions, the destination Region must have access to a KMS key that exists in that Region.

Because the original KMS key resides in us-east-1, it cannot be accessed or referenced in us-west-1. The correct and supported approach is to create a new customer managed KMS key in us-west-1 and specify that key when performing the cross-Region snapshot copy. Amazon RDS automatically decrypts the snapshot using the source Region key and re-encrypts it using the destination Region key during the copy process.

Option A is invalid because KMS keys cannot be stored or transferred through AWS Secrets Manager. Options C and D are incorrect because IAM policies cannot grant cross-Region usage of a KMS key; KMS enforces strict regional boundaries regardless of IAM permissions.

AWS documentation clearly states that cross-Region encrypted snapshot copies require a KMS key in the destination Region, making this approach mandatory for compliance and encryption continuity.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

Amazon Aurora Security Documentation