Try 65 free AWS SCS-C03 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
This free full-length AWS SCS-C03 practice exam includes 65 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
Need concept review first? Read the AWS SCS-C03 Cheat Sheet for compact concept review before returning to timed practice.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Domain | Weight |
|---|---|
| Detection | 16% |
| Incident Response | 14% |
| Infrastructure Security | 18% |
| Identity and Access Management | 20% |
| Data Protection | 18% |
| Security Foundations and Governance | 14% |
Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and full practice.
Topic: Infrastructure Security
A security team reviews VPC Flow Logs for a production application. An Amazon RDS for PostgreSQL security group allows inbound TCP 5432 from the entire VPC CIDR. The logs show that only EC2 instances in the application tier must connect to the database. The application tier uses an Auto Scaling group, and downtime is unacceptable. Which change is the BEST security decision?
Options:
A. Allow TCP 5432 from the application subnet CIDR only
B. Allow TCP 5432 from current application instance IPs only
C. Allow TCP 5432 from the application security group only
D. Add an AWS Network Firewall allow rule and keep the current rule
Best answer: C
Explanation: Security groups are the right control for least-privilege instance-to-database access in this scenario. Because the application tier uses Auto Scaling, rules based on current instance IP addresses are fragile. A security group rule that uses the application tier security group as the source allows only resources associated with that group to connect to the RDS database on PostgreSQL TCP 5432. This preserves required communication when instances are replaced and removes unnecessary access from the rest of the VPC CIDR. The key is to narrow the source to the application identity at the network layer, not merely to a subnet or an additional inspection layer.
Topic: Incident Response
A Security Hub custom action receives this event during an incident drill:
Source finding: GuardDuty
Finding type: Backdoor:EC2/C&CActivity.B
Resource: i-0abc123example
Account: 111122223333
Requirement: capture EC2 forensic artifacts within minutes using the same approved process for every case
Current evidence: no other affected resources identified
Which next action is best supported by the evidence and requirement?
Options:
A. Terminate the instance immediately to stop possible command-and-control traffic
B. Disable all IAM users in the account until scope is confirmed
C. Invoke the Automated Forensics Orchestrator for Amazon EC2 workflow for the instance
D. Create a manual EBS snapshot and wait for analyst approval
Best answer: C
Explanation: Automated Forensics Orchestrator for Amazon EC2 is appropriate when an incident process must collect EC2 forensic evidence quickly and consistently. The evidence points to one EC2 instance and does not establish broader account compromise. Starting the orchestrated workflow preserves a repeatable process for collecting relevant artifacts before destructive remediation or broad containment actions. Termination or sweeping IAM changes would overreact to the visible scope and could destroy evidence or disrupt unaffected workloads.
The key distinction is that this is a supported next action for timely evidence capture, not a final conclusion about compromise scope.
Topic: Detection
A company uses one shared SNS topic for all monitoring notifications. The security team reports alert fatigue.
Evidence summary for the last 24 hours:
| Source | Volume | Notes |
|---|---|---|
| CloudWatch alarms | 1,800 | ECS CPU and latency alarms |
| AWS Config | 900 | Expected NOT_APPLICABLE in test accounts |
| GuardDuty | 6 | High-severity findings in production |
| Security Hub | 4 | Critical controls failed in production |
Which monitoring design change best separates noisy operational events from actionable security events?
Options:
A. Send all findings to Security Hub and page on every imported finding
B. Route events by source, severity, account, and tags using EventBridge rules
C. Treat all Config NOT_APPLICABLE evaluations as security incidents
D. Disable CloudWatch alarms that generated the highest event volume
Best answer: B
Explanation: The evidence shows mixed operational telemetry and security findings flowing through the same notification path. A better monitoring design should classify and route events before notification. CloudWatch performance alarms can go to operations channels, while GuardDuty and Security Hub findings can be routed to security responders based on source, severity, production account, resource tags, or other context. EventBridge is commonly used to apply these routing rules and send events to the right targets, such as SNS topics, ticketing systems, or automation workflows. The key is not to suppress all noisy sources blindly, but to separate event classes and prioritize actionable security signals.
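To make the routing idea concrete, here is an added Python model (not IT Mastery's or AWS's code) of a small EventBridge-style rule set evaluated against constructed events from the four sources in the table. The matcher implements only the subset of EventBridge pattern syntax these rules need (value lists, nested keys, numeric filters, list-valued fields); the account IDs and target names are assumptions.

```python
import operator

# Assumed account IDs: 1111... is treated as production, 3333... as a test account.
PROD_ACCOUNTS = ["111122223333"]

# Routing rules: (name, EventBridge-style pattern, notification target).
# EventBridge evaluates every rule, so one event can reach several targets.
RULES = [
    ("ops-cloudwatch-alarms",
     {"source": ["aws.cloudwatch"],
      "detail-type": ["CloudWatch Alarm State Change"]},
     "sns:ops-alerts"),
    ("security-guardduty-high-prod",
     {"source": ["aws.guardduty"], "account": PROD_ACCOUNTS,
      "detail": {"severity": [{"numeric": [">=", 7]}]}},
     "sns:security-pager"),
    ("security-hub-critical-prod",
     {"source": ["aws.securityhub"], "account": PROD_ACCOUNTS,
      "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]}}}},
     "sns:security-pager"),
    ("config-noncompliant-prod",
     {"source": ["aws.config"], "account": PROD_ACCOUNTS,
      "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}},
     "ticketing:compliance-queue"),
]

# Constructed sample events mirroring the four sources in the evidence table.
CLOUDWATCH_ALARM = {"source": "aws.cloudwatch", "detail-type": "CloudWatch Alarm State Change",
                    "account": "111122223333",
                    "detail": {"alarmName": "ecs-cpu-high", "state": {"value": "ALARM"}}}
CONFIG_NOT_APPLICABLE = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                         "account": "333333333333",
                         "detail": {"newEvaluationResult": {"complianceType": "NOT_APPLICABLE"}}}
GUARDDUTY_HIGH = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                  "account": "111122223333",
                  "detail": {"severity": 8.0, "type": "Backdoor:EC2/C&CActivity.B"}}
SECURITY_HUB_CRITICAL = {"source": "aws.securityhub",
                         "detail-type": "Security Hub Findings - Imported",
                         "account": "111122223333",
                         "detail": {"findings": [{"Severity": {"Label": "CRITICAL"},
                                                  "Compliance": {"Status": "FAILED"}}]}}

_CMP = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}

def _numeric_matches(spec, value):
    """spec looks like [">=", 7] or [">", 0, "<=", 5]; every pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_CMP[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))

def _value_matches(rule_values, event_value):
    """Leaf match: the event value must equal one allowed value or satisfy a filter."""
    if isinstance(event_value, list):          # list field matches if any element does
        return any(_value_matches(rule_values, v) for v in event_value)
    for rv in rule_values:
        if isinstance(rv, dict):
            if "numeric" in rv and _numeric_matches(rv["numeric"], event_value):
                return True
            if "prefix" in rv and isinstance(event_value, str) \
                    and event_value.startswith(rv["prefix"]):
                return True
        elif rv == event_value:
            return True
    return False

def pattern_matches(pattern, event):
    """Every key in the pattern must exist in the event and match (AND across keys)."""
    if isinstance(event, list):
        return any(pattern_matches(pattern, e) for e in event)
    if not isinstance(event, dict):
        return False
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not pattern_matches(rule, event[key]):
                return False
        elif not _value_matches(rule, event[key]):
            return False
    return True

def route(event, rules=RULES):
    """Targets of all rules whose pattern matches; an empty list means 'not actionable'."""
    return [target for _name, pattern, target in rules if pattern_matches(pattern, event)]

if __name__ == "__main__":
    for name, evt in [("cloudwatch", CLOUDWATCH_ALARM), ("config", CONFIG_NOT_APPLICABLE),
                      ("guardduty", GUARDDUTY_HIGH), ("securityhub", SECURITY_HUB_CRITICAL)]:
        print(f"{name:12s} -> {route(evt)}")
```

The 1,800 CloudWatch alarms and 900 Config NOT_APPLICABLE events never reach the security pager; only the production GuardDuty and Security Hub findings do.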
NOT_APPLICABLE results in test accounts are not confirmed incidents.
Topic: Identity and Access Management
A security team is reviewing failed deployment attempts from an external CI system. The CI job presents an OIDC token and must deploy to one AWS account without storing AWS access keys.
Evidence:
CloudTrail event: AssumeRoleWithWebIdentity
Issuer: https://token.actions.example.com
Audience: sts.amazonaws.com
Subject: repo:example/app:ref:refs/heads/main
Result: AccessDenied
Note: No matching trusted OIDC provider or role trust condition
Which next action best supports the required access pattern?
Options:
A. Configure IAM Identity Center permission sets for the CI job
B. Use a presigned URL for the deployment role
C. Create an IAM user and require the job to call GetSessionToken
D. Create an OIDC provider and role trust for AssumeRoleWithWebIdentity
Best answer: D
Explanation: The access pattern is workload federation from an external OIDC issuer to AWS without long-lived access keys. For this pattern, configure an IAM OIDC identity provider for the issuer and an IAM role trust policy that allows sts:AssumeRoleWithWebIdentity with conditions that match the token audience and subject. STS then exchanges the valid web identity token for temporary role credentials scoped by the role permissions. The CloudTrail evidence does not indicate that the deployment permissions are wrong yet; it shows the trust path for issuing credentials is not established.
GetSessionToken can issue temporary credentials.
Topic: Security Foundations and Governance
A company is moving 80 workloads into AWS accounts managed by AWS Organizations. Security needs resource-level ABAC for deployment roles, finance needs monthly cost allocation by product and cost center, and compliance needs reports that identify regulated-data resources. Tags must be created consistently through IaC pipelines and must not expose sensitive values. Which tagging strategy is the BEST security decision?
Options:
A. Allow each workload team to define its own tags and map them manually during audits.
B. Standardize non-sensitive tags, enforce them in IaC and tag policies, activate cost allocation tags, and use them for ABAC and reporting.
C. Rely on account names and AWS-generated cost tags instead of resource tags.
D. Store customer identifiers in tags so compliance reports can directly identify regulated records.
Best answer: B
Explanation: A strong AWS tagging strategy uses a controlled taxonomy with required, non-sensitive keys such as Application, Environment, Owner, CostCenter, and DataClassification. IaC pipelines should apply tags consistently, while AWS Organizations tag policies and pipeline checks help standardize allowed keys and values. Activated cost allocation tags support finance reporting, and IAM ABAC can compare principal tags to resource tags for least-privilege access. Compliance teams can then query tags with services such as AWS Config or reporting tools to identify regulated-data resources. Tags should not contain secrets, personal data, or customer-specific sensitive values because tags can appear in billing, logs, APIs, and reports.
Topic: Infrastructure Security
A retail application uses CloudFront in front of an ALB. The team’s threat model has shifted from volumetric DDoS to credential stuffing against /login. Current edge controls are AWS Shield Advanced, AWS WAF managed IP reputation rules, and a geo block.
Evidence from the last 30 minutes:
| Signal | Observation |
|---|---|
| AWS WAF samples | 1.8 million POST /login requests |
| Source pattern | 220,000 client IPs, mostly residential ASNs |
| Per-IP rate | Usually below the existing rate limit |
| CloudFront | Large 401 spike; origin CPU normal |
| Shield Advanced | No L3/L4 DDoS event detected |
| WAF managed rules | No SQLi or XSS matches |
Which next action is best supported by the evidence?
Options:
A. Increase Shield Advanced protection for the ALB.
B. Add AWS WAF bot and account takeover controls at CloudFront.
C. Treat the SQLi managed rule as misconfigured.
D. Block all residential ASN traffic globally.
Best answer: B
Explanation: The evidence supports an application-layer credential stuffing pattern, not a volumetric network DDoS or injection attack. The traffic is concentrated on /login, produces many 401 responses, comes from a very large number of IPs, and stays below the current per-IP rate limit. That pattern can evade simple IP reputation lists, geo blocks, and basic rate limits. The better edge strategy is to apply AWS WAF controls at CloudFront that evaluate bot behavior and login abuse, such as bot mitigation, account takeover protections, challenges, CAPTCHA, and rate rules using more appropriate aggregation keys. Shield Advanced remains useful for DDoS visibility and response, but the finding does not show an L3/L4 event.
Topic: Security Foundations and Governance
A security team must detect S3 buckets with public access and EBS volumes without encryption across 80 AWS accounts. The solution must cover all governed Regions, include newly created accounts with minimal manual work, and provide centralized compliance evidence. What is the best security decision?
Options:
A. Create local AWS Config rules manually in each account
B. Deploy AWS Config organization rules from a delegated administrator
C. Create SCPs that deny public buckets and unencrypted volumes
D. Enable Security Hub standards only in the audit account
Best answer: B
Explanation: AWS Config organization rules are the best fit for centralized compliance detection across an AWS Organizations environment. A delegated administrator can manage the rules centrally, while AWS Config configuration recorders must be enabled in each target account and governed Region so resource configuration changes are evaluated. Deploying the rules in each governed Region provides regional coverage, and organization-level deployment reduces manual work as accounts are added. The resulting compliance evaluations can be aggregated for audit evidence.
Preventive controls such as SCPs can reduce future risk, but they do not replace detection and compliance evidence for existing resources.
Topic: Incident Response
A security team receives a GuardDuty finding that an IAM role made unusual s3:GetObject calls against a sensitive S3 bucket. The organization trail currently records CloudTrail management events only. The team needs evidence to validate whether objects were read, identify the principal/session, and correlate the activity to the source IP during future investigations. Which log source should the team enable and query?
Options:
A. VPC Flow Logs for the application subnets
B. S3 Storage Lens activity metrics
C. AWS Config resource history for the bucket
D. CloudTrail S3 data events for the bucket
Best answer: D
Explanation: CloudTrail management events show control-plane actions, such as role changes or bucket policy updates, but they do not record object-level S3 reads. To validate suspected data access, the team needs CloudTrail data events for the affected bucket. These events capture calls such as GetObject, PutObject, and DeleteObject, along with the calling principal, session context, event time, source IP address, and request details. That evidence supports incident scoping and correlation with the GuardDuty finding. Network or configuration logs can provide context, but they cannot prove which S3 object API action occurred under which IAM identity.
Topic: Security Foundations and Governance
A company is preparing for a SOC 2 audit. The security team must continuously collect, organize, and map evidence from AWS accounts to the audit control framework. The team also wants to avoid confusing this requirement with a workload design review. Which AWS service best satisfies the audit evidence requirement?
Options:
A. AWS Well-Architected Tool
B. AWS Audit Manager
C. AWS Trusted Advisor
D. AWS Security Hub
Best answer: B
Explanation: AWS Audit Manager is the governance service designed to collect, organize, and assess evidence for audits against control frameworks such as SOC 2. It helps map AWS resource configurations and activity to controls so teams can prepare audit-ready evidence. This differs from an architectural best-practice assessment: the AWS Well-Architected Tool evaluates workload design against best-practice pillars, but it is not an audit evidence collection system. The key distinction is evidence management for compliance versus design review for architecture improvement.
Topic: Detection
A company runs applications in multiple AWS accounts. Application logs and several service logs already write to Amazon CloudWatch Logs in each workload account. The security operations team must run centralized CloudWatch Logs Insights queries across selected log groups without duplicating all log data into a separate account. Which architecture best satisfies this requirement?
Options:
A. Create an organization trail in AWS CloudTrail Lake
B. Replicate each log group to S3 with subscription filters
C. Use CloudWatch cross-account observability with a monitoring account
D. Share CloudWatch dashboards from each workload account
Best answer: C
Explanation: CloudWatch cross-account observability is designed for centralized monitoring and analysis across AWS accounts. Workload accounts remain the source accounts that own the CloudWatch Logs data, while the security account becomes the monitoring account that can run CloudWatch Logs Insights queries across linked log groups. This meets the requirement to centralize analysis without building a log-copying pipeline or moving every application log into a separate storage account.
A log lake or S3 export pattern can be useful for long-term retention or broad analytics, but it adds ingestion and storage architecture that the stem does not require. The key takeaway is to centralize the query plane when CloudWatch Logs already contains the needed logs.
Topic: Identity and Access Management
A security audit reviews workforce access for an AWS Organizations environment with 90 member accounts.
Evidence:
- IAM credential reports show named IAM users in 57 accounts.
- CloudTrail shows console logins as IAMUser principals.
- Policies vary by account and are not mapped to job functions.
- The company already uses a corporate SAML identity provider.
Which authentication strategy best addresses the audit finding?
Options:
A. Create matching IAM users in every account with standardized policies
B. Federate the IdP to IAM Identity Center with group-based permission sets
C. Use Amazon Cognito user pools for employee console access
D. Issue IAM Roles Anywhere certificates to all employees
Best answer: B
Explanation: The evidence points to a workforce authentication and authorization scaling problem: human users are authenticating as local IAM users across many accounts, and permissions are inconsistent. IAM Identity Center is designed for centralized workforce access across AWS Organizations accounts. By federating the corporate SAML identity provider to IAM Identity Center, security teams can assign group-based permission sets to accounts, improve auditability, and reduce long-lived IAM user credentials. Permission sets also support job-function-based least privilege instead of account-by-account manual policy drift.
Directly standardizing IAM users would preserve the main risk: duplicated human identities and long-lived credentials in many accounts.
Topic: Incident Response
A security team receives medium-severity findings from GuardDuty and AWS Config across several accounts. The team does not need to declare a major incident or page responders, but it must assign investigation tasks, link related AWS resources, record actions taken, and run approved Systems Manager Automation documents during remediation. Which control best satisfies these requirements?
Options:
A. Use AWS Systems Manager Incident Manager response plans
B. Use Amazon EventBridge rules to invoke Lambda functions
C. Use AWS Security Hub to archive the findings
D. Use AWS Systems Manager OpsCenter to manage OpsItems
Best answer: D
Explanation: AWS Systems Manager OpsCenter is the right fit when the team needs an operational work record rather than a full incident declaration. OpsCenter uses OpsItems to centralize issue context, affected resources, related findings, status, severity, ownership, and remediation history. It also integrates with Systems Manager Automation so responders can run approved runbooks from the same operational record. This supports coordinated response tasks and auditable operational tracking for lower- or medium-severity events. Incident Manager is better when the requirement includes incident declaration, escalation, responder engagement, and on-call coordination.
Topic: Infrastructure Security
A financial services company must connect an on-premises data center to multiple AWS VPCs for regulated transaction processing. Requirements are: avoid public internet transport, provide predictable high throughput, encrypt traffic on the private circuit at Layer 2, and centralize routing to limit blast radius between VPCs. Which design is the BEST security decision?
Options:
A. Use AWS Site-to-Site VPN tunnels over the public internet
B. Use dedicated Direct Connect connections with MACsec and a transit virtual interface
C. Use Direct Connect private virtual interfaces without MACsec
D. Use VPC peering from each VPC to a VPN attachment
Best answer: B
Explanation: For sensitive hybrid connectivity that must avoid public internet transport and provide predictable throughput, AWS Direct Connect is the appropriate base connectivity option. When the requirement specifically calls for Layer 2 encryption on the private circuit, MACsec on supported dedicated Direct Connect connections addresses that control. A transit virtual interface to a Direct Connect gateway associated with AWS Transit Gateway can centralize routing to multiple VPCs and apply segmentation controls, reducing the blast radius compared with many independent connections. Site-to-Site VPN provides IPsec encryption but commonly uses internet transport unless combined with other private connectivity, so it misses the stated private-circuit requirement. Direct Connect alone provides private connectivity but not the requested link-layer encryption.
Topic: Detection
A company uses AWS Organizations with 80 accounts. Security analysts must investigate API activity across all accounts for up to 7 years, run ad hoc SQL queries during incidents, and minimize custom log-ingestion pipelines. Existing account trails deliver CloudTrail logs to separate S3 buckets, which has slowed investigations. Which is the best security decision?
Options:
A. Create an organization CloudTrail Lake event data store
B. Query each S3 trail bucket with Athena
C. Subscribe each trail to CloudWatch Logs
D. Create separate account-level CloudTrail Lake stores
Best answer: A
Explanation: CloudTrail Lake is designed for retaining, querying, and analyzing CloudTrail events at scale. For an AWS Organizations environment, an organization event data store can collect API activity across member accounts and retain events for the configured period. Analysts can run SQL queries directly in CloudTrail Lake, which fits incident investigation needs without building and maintaining custom normalization or partitioning pipelines. Existing S3 trails are still useful for archival delivery, but separate buckets and manual Athena setup add operational friction when analysts need fast cross-account answers. The key fit is centralized, queryable CloudTrail event history for organization-wide security analysis.
Topic: Identity and Access Management
A company uses IAM Identity Center with an external SAML 2.0 identity provider (IdP). A user reports that sign-in to the AWS access portal fails after redirecting to the corporate IdP, before the browser returns to AWS. Other users with the same permission set can sign in. Which evidence source should the security team use first to explain the authentication failure?
Options:
A. Corporate IdP sign-in and MFA audit logs
B. IAM Access Analyzer external access findings
C. IAM Policy Simulator results for the permission set
D. CloudTrail AssumeRole events in the target account
Best answer: A
Explanation: Authentication is failing before the user returns from the external SAML IdP to IAM Identity Center, so the most relevant evidence is the IdP’s sign-in audit trail. Those logs can show whether the user failed password verification, MFA, conditional access, account status, or another IdP-side authentication control. IAM Identity Center and AWS account logs become more useful after AWS receives a valid assertion and begins issuing or using AWS sessions. Because other users with the same permission set can sign in, the permission set is unlikely to explain this user-specific authentication failure. The key is to investigate the layer that actually performed authentication.
Topic: Detection
A security team is investigating possible misuse of a federated administrator role. Evidence so far:
GuardDuty: suspicious API calls in account 111122223333
Scope question: Did the same SAML principal assume admin roles in any AWS Organizations account during the last 18 months?
Need: query API activity across all member accounts and retain results for future investigations
Current state: CloudTrail trails write to S3, but no shared Athena schema or centralized query workflow exists
Which next action is best supported by the evidence?
Options:
A. Search only the GuardDuty finding details
B. Create an organization CloudTrail Lake event data store
C. Use CloudTrail Event history in each account
D. Create CloudWatch metric filters for new API calls
Best answer: B
Explanation: CloudTrail Lake is the best fit when security analysts need centralized retention and ad hoc querying of CloudTrail API activity across an AWS Organizations environment. An organization event data store can collect events from member accounts and supports SQL queries without building and maintaining separate Athena tables or custom log pipelines. For this scenario, the evidence shows an organization-wide scope question, a long lookback period, and a need to investigate API activity, not just alert on future events.
CloudTrail Lake can also import existing CloudTrail logs from S3 when historical analysis is needed. The key takeaway is to use CloudTrail Lake when the requirement is retained, queryable, organization-wide CloudTrail event analysis.
Topic: Incident Response
A GuardDuty finding indicates that an Amazon EC2 instance in an Auto Scaling group is communicating with a known command-and-control domain. The instance processes regulated data, its EBS volume must be preserved for forensics, and the application must remain available. The instance profile can read from one sensitive Amazon S3 bucket. Which runbook sequence is the BEST security decision?
Options:
A. Add a WAF block rule for the domain and leave the instance running.
B. Validate signals, snapshot evidence, isolate the instance, deny S3 access, and recover with a clean replacement.
C. Terminate the instance immediately and let Auto Scaling launch a replacement.
D. Rotate the S3 bucket KMS key, then investigate the instance later.
Best answer: B
Explanation: A strong incident runbook uses a disciplined sequence: validate the detection, preserve evidence, contain the affected resource, eradicate the root cause, and recover safely. In this scenario, responders should confirm the GuardDuty signal with available logs or investigation tools, capture evidence such as EBS snapshots and relevant logs, then isolate the EC2 instance from production traffic and outbound access. Because the instance profile can read sensitive S3 data, containment should also restrict that access. Availability is maintained by replacing the instance from a clean, approved AMI rather than reusing the suspected host. The key balance is preserving evidence while rapidly reducing blast radius.
Topic: Data Protection
A company stores CloudTrail logs and application audit logs in a central S3 bucket. Audit evidence must be retained for 7 years, security analysts routinely query the most recent 180 days, older logs are rarely accessed, and application account administrators must not be able to delete logs or shorten retention. Which lifecycle and retention plan is the BEST security decision?
Options:
A. Use S3 Object Lock compliance mode for 7 years and transition older logs
B. Expire all log objects after 365 days with an S3 lifecycle rule
C. Keep all logs in S3 Standard for 7 years without Object Lock
D. Retain 180 days in CloudWatch Logs and export older logs on demand
Best answer: A
Explanation: The key issue is retaining immutable evidence long enough for audit and investigation needs while managing storage cost. S3 Object Lock in compliance mode prevents protected object versions from being overwritten or deleted, and the retention period cannot be shortened during the lock. A lifecycle rule can still transition locked objects to a lower-cost storage class after the 180-day active investigation period, but it cannot expire them before the retention date. This satisfies the 7-year audit requirement, supports recent investigations, and reduces the cost of older evidence.
Topic: Incident Response
A company receives high-severity GuardDuty findings for possible command-and-control traffic from an EC2 instance that processes regulated data. The incident response plan must identify responders, preserve forensic evidence before host changes, route notifications to security and legal contacts, and automate containment only after approval. Which approach best satisfies these requirements?
Options:
A. Use Systems Manager Incident Manager with an approval-gated Automation runbook
B. Use AWS Config to mark the instance noncompliant
C. Use an SCP to deny all EC2 actions in the account
D. Use EventBridge to immediately terminate the instance
Best answer: A
Explanation: For this incident type, the response plan needs both coordination and controlled AWS service actions. AWS Systems Manager Incident Manager is designed for response plans: it can define engagement contacts, escalation paths, chat channels, and runbooks. The runbook can invoke AWS Systems Manager Automation steps to snapshot EBS volumes, collect instance metadata, tag evidence, and then isolate the instance by changing security group membership or network controls after human approval. This preserves evidence quality while reducing blast radius. Immediate destructive remediation is risky because it can erase volatile evidence and bypass required communication paths.
Topic: Data Protection
A financial services company is storing customer tax documents in Amazon S3 and related metadata in Amazon RDS. Compliance requires encryption at rest, customer control over key policies, auditable key use, annual key rotation, and the ability to quickly suspend access to protected data without deleting the data. The security team does not want to manage HSM infrastructure. Which approach best meets these requirements?
Options:
A. Use AWS KMS customer managed keys for S3 and RDS encryption
B. Use SSE-S3 for S3 and default RDS encryption
C. Use AWS managed KMS keys for each AWS service
D. Use AWS CloudHSM with application-managed encryption
Best answer: A
Explanation: AWS KMS customer managed keys are the best fit when sensitive data needs AWS-native encryption at rest plus customer-controlled authorization and auditability. S3 and RDS integrate directly with KMS, so the company can use envelope encryption without building custom cryptography. Customer managed keys support key policies, IAM authorization, grants, CloudTrail logging of KMS API use, rotation configuration, and disabling a key to suspend decryption access while leaving encrypted data intact. This meets the compliance and operational requirements without managing HSM clusters. CloudHSM can provide dedicated HSM control, but it shifts more cryptographic and operational responsibility to the customer and is not the simplest native control for these services.
Topic: Security Foundations and Governance
A company already uses AWS Organizations with separate production and development OUs. Accounts were created manually, and security baselines such as centralized logging and mandatory controls are inconsistent. The company needs governed account setup for future accounts and wants to bring existing accounts under the same governance model. Which approach best satisfies these requirements?
Options:
A. Create organization-wide SCPs and continue creating accounts manually.
B. Use AWS Config conformance packs in each account without changing account provisioning.
C. Deploy AWS Control Tower, register the OUs, enroll existing accounts, and use Account Factory for new accounts.
D. Assign IAM Identity Center permission sets to administrators in each account.
Best answer: C
Explanation: AWS Control Tower is the AWS-managed landing zone service for governed multi-account setup. In an existing AWS Organizations environment, you can set up or extend a Control Tower landing zone, register OUs so controls apply consistently, enroll eligible existing accounts, and use Account Factory to provision future accounts with standardized baselines. This addresses both governance drift in existing accounts and repeatable account vending for new workloads. SCPs, Config rules, and IAM Identity Center can be part of governance, but they do not by themselves provide the full Control Tower account lifecycle and landing zone governance model.
Topic: Identity and Access Management
A payments application runs as an Amazon ECS task in Account A. It must read settlement files from one S3 prefix in Account B and decrypt those objects with one customer managed KMS key. Requirements: no long-lived credentials, blast radius limited to this service, and cross-account access must be reviewable. Which authorization control is the BEST security decision?
Options:
A. Store an IAM user’s access keys in AWS Secrets Manager.
B. Use a dedicated cross-account role trusted only by the ECS task role.
C. Use an SCP to allow only S3 and KMS actions in Account A.
D. Add a bucket policy that allows all principals in Account A.
Best answer: B
Explanation: For a workload identity, the least-privilege pattern is to use temporary credentials through an IAM role. In this scenario, Account B should have a dedicated role whose trust policy allows only the ECS task role from Account A to assume it. The role permissions should allow only the required s3:GetObject access to the specific prefix and the required kms:Decrypt access to the specific KMS key. This limits blast radius to one application path and leaves a clear cross-account trust relationship for review. Broad resource policies or account-wide guardrails do not provide the same precise workload authorization boundary.
Topic: Data Protection
An application on EC2 instances in private subnets writes regulated objects to an S3 bucket. A review finds that S3 traffic currently leaves through a NAT gateway to public S3 endpoints. The requirement is to keep this traffic off public internet paths and ensure the bucket rejects plaintext requests. Which control best addresses the data-in-transit risk?
Options:
A. Place CloudFront with an ACM certificate in front of the bucket
B. Require SSE-KMS on the bucket and rotate the KMS key
C. Route S3 traffic through a NAT gateway and allow only TCP 443
D. Create an S3 gateway VPC endpoint and enforce aws:SourceVpce and aws:SecureTransport
Best answer: D
Explanation: For private subnet workloads accessing S3, an S3 VPC endpoint is the right network-layer control to avoid routing object traffic through a NAT gateway to public S3 endpoints. A bucket policy can then enforce both the expected endpoint path with aws:SourceVpce and encrypted transport with aws:SecureTransport. This combines private access with TLS enforcement at the resource boundary, so requests that bypass the endpoint or attempt HTTP are denied. Encryption at rest or an edge TLS certificate does not solve the specific in-transit path risk for EC2-to-S3 traffic.
Topic: Identity and Access Management
An AWS Organizations management account attaches an RCP to a production OU to prevent S3 data access by principals outside the organization. The RCP explicitly denies s3:GetObject when aws:PrincipalOrgID is not the organization ID. A bucket policy and the vendor role’s identity policy both allow s3:GetObject on a specific prefix, but the vendor receives AccessDenied. The company must keep the external-principal data perimeter intact. Which approach best satisfies the requirement?
Options:
A. Add the vendor role again to the bucket policy
B. Replace the RCP with an SCP on the bucket account
C. Attach broader S3 permissions to the vendor role
D. Have the vendor assume a role in a member account
Best answer: D
Explanation: Resource control policies define the maximum permissions available to resources in the affected AWS Organizations scope. They do not grant access, and an explicit deny in an RCP overrides otherwise valid identity-based and resource-based allows. In this scenario, direct access by the external vendor principal fails because the RCP denies s3:GetObject unless the principal belongs to the organization. To preserve the perimeter, the vendor should use a controlled trust path, such as assuming a least-privilege role in a member account that is then allowed by the bucket policy. Changing only IAM or the bucket policy cannot override the RCP deny.
Topic: Infrastructure Security
A company runs a public web application behind Amazon CloudFront. Recent AWS WAF sampled requests from a test distribution and application logs show SQL injection strings and reflected XSS probes against login and search endpoints. The application handles customer PII, must reduce origin exposure quickly, and the security team wants centralized edge logging for tuning. Which is the BEST security decision?
Options:
A. Deploy Route 53 Resolver DNS Firewall to block injection attempts
B. Enable AWS Shield Advanced on CloudFront and rely on DDoS protections
C. Use security groups to block suspicious HTTP payloads at the origin
D. Attach an AWS WAF web ACL to CloudFront with managed OWASP-aligned rule groups and logging
Best answer: D
Explanation: OWASP Top 10 risks should influence edge design when the threat is web application abuse, such as injection and cross-site scripting, especially for internet-facing applications that process sensitive data. In this scenario, the evidence points to HTTP-layer attack patterns, and the requirement is to reduce origin exposure quickly while retaining logs for tuning. AWS WAF associated with CloudFront is the appropriate edge control because it can inspect web requests, use AWS Managed Rules that address common OWASP-style vulnerabilities, add custom rules if needed, and send logs for analysis. Shield Advanced, security groups, and DNS Firewall can be useful controls, but they do not inspect and filter HTTP request content for SQL injection or XSS at the edge.
Topic: Security Foundations and Governance
A security team reviews the following IaC validation evidence for a CloudFormation template in a CI/CD pipeline before deployment.
Stage: pre-deploy template validation
cfn-lint: PASS
cfn-guard: FAIL
Rule set: org-s3-baseline.guard
Failed rules:
- S3 buckets must enable BlockPublicAccess
- S3 buckets must use SSE-KMS with an approved CMK alias
Affected logical ID: ReportsBucket
No stack update has run.
Which next action is best supported by this evidence?
Options:
A. Allow deployment because cfn-lint passed
B. Run GuardDuty to confirm S3 data exfiltration
C. Declare an active incident for a public unencrypted S3 bucket
D. Block deployment until the template is fixed or excepted
Best answer: D
Explanation: CloudFormation Guard evaluates templates against organization-defined policy-as-code rules, such as required S3 public access blocking or approved KMS encryption. In this evidence, cfn-lint passed, which means the template did not fail linting checks such as syntax, schema, or supported resource properties. However, the cfn-guard result failed specific security baseline rules before any stack update occurred. The supported action is to prevent the template from being deployed until the CloudFormation resource definition is corrected or an approved exception is recorded. The evidence does not prove that a live S3 bucket is exposed, because the stack update has not run.
cfn-lint and CloudFormation Guard serve different validation purposes.
Topic: Detection
A company is investigating suspected credential stuffing against a multi-account web application and possible DNS-based exfiltration from a compromised ECS task. Traffic path: CloudFront with AWS WAF in a shared edge account → public ALBs in application accounts → ECS tasks in private subnets. ECS tasks use NAT gateways and Route 53 Resolver for outbound access. Which logging approach best supports the investigation in a central security account?
Options:
A. Ingest CloudTrail management events and Security Hub findings from all involved accounts
B. Enable NAT gateway metrics and GuardDuty findings only in the central security account
C. Enable ALB access logs and ECS application logs only in the application accounts
D. Ingest CloudFront, AWS WAF, ALB, VPC Flow Logs, and Resolver query logs from all involved accounts
Best answer: D
Explanation: Security investigations should collect logs at each layer where the threat can be observed. In this design, credential stuffing evidence starts at the edge, so CloudFront and AWS WAF logs help identify client patterns, request attributes, and blocked or allowed decisions. ALB access logs connect edge traffic to origin requests. For suspected exfiltration from private ECS tasks, VPC Flow Logs show network connections and Route 53 Resolver query logs show domain lookups. Because the workload spans a shared edge account and application accounts, these sources must be centralized from all involved accounts, not collected only from one account or one service. Findings and metrics can speed triage, but they do not replace the underlying logs needed to validate scope and impact.
Topic: Data Protection
A security engineer is reviewing an audit finding for a payment workload that uses AWS KMS keys for Amazon S3 and Amazon RDS encryption.
Audit finding: Nonconforming
Requirement: Cryptographic key material must remain in an HSM operated by the company outside AWS.
Requirement: The company must be able to immediately prevent AWS from using the key material.
Current state: AWS KMS customer managed keys use AWS-generated key material.
What is the best next action supported by this finding?
Options:
A. Create an AWS KMS external key store backed by the company key manager
B. Enable automatic rotation on the existing KMS keys
C. Replicate the KMS keys as multi-Region keys
D. Import company-generated key material into the existing KMS keys
Best answer: A
Explanation: The finding is about key custody, not just key origin or rotation. AWS KMS external key stores are designed for cases where ordinary AWS-generated KMS key material cannot satisfy custody requirements. With an external key store, KMS keys in AWS reference key material held by an external key manager through an external key store proxy. This allows AWS services to continue using KMS-integrated encryption while the organization keeps the key material outside AWS and can deny AWS access by controlling the external key manager or proxy. The tradeoff is operational: availability, latency, and failure of the external key manager can directly affect cryptographic operations. Imported key material gives customer-originated key material, but it still brings that material into AWS KMS rather than keeping it solely outside AWS.
Topic: Data Protection
A security engineer reviews certificate-related audit evidence for an application migration.
Audit note:
Endpoint: https://api.example.com
Current certificate: ACM public certificate
Client trust requirement: public browsers and mobile apps
Endpoint: https://orders.service.internal
Current certificate request: ACM public certificate failed validation
Client trust requirement: only corporate workloads should trust it
Which interpretation and next action are best supported by this evidence?
Options:
A. Treat the failed public certificate validation as evidence of compromise.
B. Use ACM public certificates for both endpoints.
C. Replace the public endpoint certificate with an AWS Private CA certificate.
D. Use ACM public for api.example.com and AWS Private CA with ACM private certificates for the internal endpoint.
Best answer: D
Explanation: ACM public certificates are intended for publicly trusted DNS names, such as internet-facing HTTPS endpoints used by browsers and mobile clients. Internal-only names and private trust requirements should use private certificates issued from AWS Private Certificate Authority, often managed through ACM for supported integrated services. The failed ACM public certificate validation does not prove an incident; it indicates that the internal endpoint does not fit the public certificate trust and validation model. The key distinction is whether clients must trust a public CA hierarchy or a private CA hierarchy controlled by the organization.
Topic: Security Foundations and Governance
A security team needs to prevent noncompliant AWS CloudFormation templates from reaching deployment. The CI pipeline must fail before a change set is created if a template defines public S3 access or omits required encryption settings. Which approach best satisfies this requirement?
Options:
A. Enable AWS Config managed rules after stack creation
B. Use IAM Access Analyzer on the deployment role
C. Review Security Hub findings after the stack deploys
D. Run CloudFormation Guard with custom security rules in CI
Best answer: D
Explanation: CloudFormation Guard is the right control when an organization needs to validate infrastructure templates against security requirements before deployment. It lets teams express required properties, such as S3 public access blocks or encryption settings, as policy-as-code rules and fail the CI build if a template violates those rules. cfn-lint is also useful in pipelines, but it focuses primarily on template validity, resource specifications, and best-practice checks; custom governance rules are the stronger fit for this requirement. Post-deployment detective controls can still help, but they do not prevent the noncompliant stack from being created.
Topic: Incident Response
A security team receives an alert that payroll.csv was downloaded from an S3 bucket by a role used by EC2 workloads. During incident response, the team must preserve and query evidence that links the role session, exact S3 object, network path from the VPC, and timestamp of the download. Which approach best satisfies this requirement?
Options:
A. Compare S3 Storage Lens with NAT Gateway metrics
B. Review GuardDuty finding details as the complete evidence record
C. Use IAM credential reports and S3 Inventory reports
D. Correlate CloudTrail S3 data events with VPC Flow Logs
Best answer: D
Explanation: Evidence correlation should combine object-level API evidence with network telemetry. For S3 object access, CloudTrail data events show who made the request, which bucket and object were accessed, the API action, and the event time. VPC Flow Logs add network context such as source addresses, network interfaces, and traffic timing that can validate the path from the workload VPC. Querying both sources together, such as through a centralized log lake or Security Lake workflow, provides the strongest link across identity, resource, network path, and timestamp. Derived findings and aggregate metrics can support triage, but they are not the complete evidentiary chain.
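The correlation described above, as an added example that is not code from the page: a constructed CloudTrail GetObject event for payroll.csv is joined to constructed VPC Flow Log lines by source address, destination port and capture window. Every account, role, ENI and address value is a placeholder.

```python
"""Correlate a CloudTrail S3 data event with VPC Flow Log records.

Added example, not code from the page. Every account, role, ENI, address and
bucket value below is a constructed placeholder.
"""
from datetime import datetime, timezone

# Constructed CloudTrail data event for the payroll.csv download.
CLOUDTRAIL_EVENTS = [{
    "eventTime": "2024-05-01T10:15:22Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "sourceIPAddress": "10.0.1.25",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/AppWorkloadRole/i-0abc123",
    },
    "requestParameters": {"bucketName": "hr-reports-example", "key": "payroll.csv"},
}]

# Constructed VPC Flow Log records in the default v2 format. Only the first
# line is the S3 connection: same source address, TCP 443, and a capture
# window that overlaps the event time. 203.0.113.10 stands in for an S3 IP.
FLOW_LOG_LINES = """\
2 111122223333 eni-0aa11bb22cc33dd44 10.0.1.25 203.0.113.10 51234 443 6 120 184320 1714558520 1714558540 ACCEPT OK
2 111122223333 eni-0aa11bb22cc33dd44 10.0.1.25 10.0.2.40 51235 5432 6 10 1200 1714558521 1714558530 ACCEPT OK
2 111122223333 eni-0ff99ee88dd77cc66 10.0.1.80 203.0.113.10 49000 443 6 15 2200 1714550000 1714550010 ACCEPT OK
"""

FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]


def parse_flow_logs(text):
    """Parse default-format flow log lines; numeric fields become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FLOW_FIELDS, line.split()))
        for k in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def event_epoch(event_time):
    """CloudTrail eventTime (ISO 8601, UTC) to Unix seconds."""
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def correlate(events, flow_records, bucket, key, window=60):
    """Link GetObject events for bucket/key to flow records from the same
    source address to TCP 443 whose capture window (+/- window seconds)
    contains the API event time. Flow records are aggregated, so the match
    is by window, not by exact second. Returns one evidence row per match."""
    evidence = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if (ev.get("eventName") != "GetObject" or params.get("bucketName") != bucket
                or params.get("key") != key):
            continue
        t = event_epoch(ev["eventTime"])
        for rec in flow_records:
            if rec["srcaddr"] != ev["sourceIPAddress"] or rec["dstport"] != 443:
                continue
            if rec["start"] - window <= t <= rec["end"] + window:
                evidence.append({
                    "role_session": ev["userIdentity"]["arn"],
                    "object": f"s3://{bucket}/{key}",
                    "event_time": ev["eventTime"],
                    "eni": rec["interface_id"],
                    "src": f"{rec['srcaddr']}:{rec['srcport']}",
                    "dst": f"{rec['dstaddr']}:{rec['dstport']}",
                    "bytes": rec["bytes"],
                })
    return evidence


if __name__ == "__main__":
    rows = correlate(CLOUDTRAIL_EVENTS, parse_flow_logs(FLOW_LOG_LINES),
                     "hr-reports-example", "payroll.csv")
    for row in rows:
        print(row)
```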
Topic: Data Protection
A security engineer reviews the following ransomware-readiness audit note for a production AWS account.
Workload: Amazon EC2 instances with EBS volumes
Current protection: Amazon Data Lifecycle Manager creates daily EBS snapshots
Snapshot location: same production account and Region
Retention: 30 days
Finding: production administrators can delete the DLM policy and snapshots
Requirement: retain recoverable backups for 30 days even if the production account is compromised
What is the best next action supported by this evidence?
Options:
A. Create AWS Backup copies in a locked vault in a separate account
B. Increase the Data Lifecycle Manager retention period to 90 days
C. Use DataSync to copy the volumes to an S3 bucket
D. Enable EBS encryption with a customer managed KMS key
Best answer: A
Explanation: The evidence shows that the current DLM snapshots are in the same account and can be deleted by compromised production administrators. For ransomware-resistant backup design, place backup recovery points outside the compromised administrative boundary and make them resistant to deletion for the required retention period. AWS Backup can copy supported recovery points to a backup vault in a separate account, and AWS Backup Vault Lock can enforce retention controls. DLM is useful for EBS snapshot lifecycle automation, but by itself it does not address the same-account compromise risk shown in the audit note.
The key takeaway is to separate backup control from production control, then enforce retention on the backup vault.
Topic: Security Foundations and Governance
A security architecture review produced this audit note:
Accounts: 42, created by separate teams
OU/account standard: none
Security Hub: enabled in 19 accounts; standards vary
AWS Config: no organization aggregator
GuardDuty: findings sent to 6 different email lists
Audit request: prove all new accounts get baseline controls
Which governance improvement is best supported by this evidence?
Options:
A. Move all workloads into one shared production account.
B. Create an SCP that blocks creation of new IAM users.
C. Establish an AWS Organizations landing zone with AWS Control Tower.
D. Enable Security Hub only for regulated workload accounts.
Best answer: C
Explanation: The evidence shows a governance problem across account strategy, baseline deployment, compliance evidence, and security operations. A landing zone based on AWS Organizations and AWS Control Tower provides an OU-based account structure, standardized account provisioning, preventive and detective controls, and integration points for delegated security service administration. This supports consistent onboarding of new accounts and centralized visibility for services such as Security Hub, GuardDuty, and AWS Config. The audit note does not show a single misconfiguration; it shows that controls are inconsistent because the organization lacks a governed account foundation.
A narrow service change or a single SCP would not address account vending, evidence aggregation, and operational routing together.
Topic: Detection
A security engineer is investigating a GuardDuty finding that an EC2 instance profile in Account A may have accessed sensitive S3 objects in Account B after resolving a suspicious domain. The organization has 40 accounts, and the security account already ingests CloudTrail management and data events, VPC Flow Logs, and Route 53 Resolver query logs into Amazon Security Lake. The team must validate scope across accounts, identify the network path, and preserve centralized evidence. Which action is the BEST security decision?
Options:
A. Query Security Lake OCSF tables from the security account
B. Assume administrator roles in each account and download logs locally
C. Enable VPC Traffic Mirroring on the suspected instance
D. Use CloudTrail Lake to query only S3 data events
Best answer: A
Explanation: The investigation requires correlating identity activity, S3 object access, DNS lookups, and network flow records across multiple accounts. Because those sources are already centralized in Amazon Security Lake, the best decision is to query the normalized OCSF data from the security account, using the GuardDuty finding time window, account IDs, role session details, source IPs, ENIs, and destination information as pivots. This supports scope validation and network-path reconstruction while preserving centralized evidence and avoiding broad access into workload accounts. CloudTrail-only analysis can help identify API calls, but it will not show the full DNS and network path needed by the stem.
Topic: Data Protection
A company stores regulated documents in an Amazon S3 bucket. Internal applications, partner SDKs, and presigned URLs access the bucket directly. Compliance requires rejecting any client request that does not use TLS, regardless of the caller identity or access method. Which control best satisfies this requirement?
Options:
A. Enable SSE-KMS as the default bucket encryption setting.
B. Require Signature Version 4 for all S3 requests.
C. Add an S3 bucket policy denying requests when aws:SecureTransport is false.
D. Attach an ACM public certificate to the S3 bucket endpoint.
Best answer: C
Explanation: For Amazon S3, the resource-policy condition key aws:SecureTransport is the right control for requiring encrypted client connections. An explicit deny in the bucket policy for s3:* when aws:SecureTransport is false blocks plaintext HTTP requests before other allows can grant access. This applies across caller identities and access patterns because the enforcement is on the bucket resource, not only on one application path. Presigned URLs are also subject to the bucket policy evaluation when the request is made. The key distinction is data in transit versus data at rest: TLS enforcement must be handled at the request layer, not by an encryption-at-rest setting.
Topic: Security Foundations and Governance
A company deploys production stacks from CloudFormation templates through a CI/CD pipeline. The pipeline currently deploys automatically after a pull request is merged. Auditors found that templates can introduce public S3 buckets or security groups open to 0.0.0.0/0 without a security review. The company needs automated pre-deployment enforcement and an approval record for exceptions. Which approach best satisfies this requirement?
Options:
A. Enable AWS Config managed rules to evaluate stacks after deployment.
B. Run cfn-lint and deploy templates that pass syntax validation.
C. Use AWS Organizations tag policies to require security tags.
D. Add a required CloudFormation Guard policy gate and exception approval before production.
Best answer: D
Explanation: The missing control is a pre-deployment policy validation and review gate in the IaC workflow. CloudFormation Guard can evaluate templates against security rules before the pipeline deploys them, such as denying public S3 bucket settings or overly permissive security group ingress. Making that check a required pipeline stage enforces the rule at the correct layer: before resources are created. A manual approval or exception workflow before production provides the review evidence auditors need when a deployment intentionally deviates from policy. Post-deployment detection can still be useful, but it does not prevent noncompliant infrastructure from being created.
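An added example (not the page's or cfn-guard's code) serving the cfn-guard evidence question earlier on this page and the two pipeline-gate questions: the two org-s3-baseline rules re-implemented as plain Python checks over a constructed template, with the exception record the gate requires. cfn-guard uses its own rule language; intrinsic functions such as Ref are not resolved here and fail closed.

```python
"""Pre-deployment policy gate for a CloudFormation template.

Added example, not the page's or cfn-guard's code: the two org-s3-baseline
rules from the evidence are re-implemented as plain Python checks (cfn-guard
uses its own rule language). Template, bucket and alias names are constructed.
"""

# Constructed approved CMK alias; a real baseline would list the org's aliases.
APPROVED_CMK_ALIASES = frozenset({"alias/org-s3-baseline"})

PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed template: ReportsBucket violates both rules, AuditBucket passes.
TEMPLATE = {
    "Resources": {
        "ReportsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "reports-example"},
        },
        "AuditBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
                    "ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": "alias/org-s3-baseline",
                    }
                }]},
            },
        },
    }
}


def blocks_public_access(props):
    """Rule 1: all four public access block settings must be true."""
    cfg = props.get("PublicAccessBlockConfiguration") or {}
    return all(cfg.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS)


def uses_approved_sse_kms(props, approved):
    """Rule 2: default encryption must be aws:kms with an approved alias.
    Intrinsic functions (Ref, GetAtt) are not resolved here and fail closed."""
    enc = props.get("BucketEncryption") or {}
    for rule in enc.get("ServerSideEncryptionConfiguration") or []:
        default = rule.get("ServerSideEncryptionByDefault") or {}
        key_id = default.get("KMSMasterKeyID")
        if (default.get("SSEAlgorithm") == "aws:kms"
                and isinstance(key_id, str) and key_id in approved):
            return True
    return False


def evaluate(template, approved=APPROVED_CMK_ALIASES):
    """Return {logical_id: [failed rule names]} for every AWS::S3::Bucket."""
    failures = {}
    for logical_id, res in (template.get("Resources") or {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        failed = []
        if not blocks_public_access(props):
            failed.append("S3 buckets must enable BlockPublicAccess")
        if not uses_approved_sse_kms(props, approved):
            failed.append("S3 buckets must use SSE-KMS with an approved CMK alias")
        if failed:
            failures[logical_id] = failed
    return failures


def gate(template, approved=APPROVED_CMK_ALIASES, exceptions=frozenset()):
    """Pipeline verdict before any change set is created: FAIL unless every
    failing resource has a recorded, approved exception (by logical ID)."""
    failures = evaluate(template, approved)
    unexcepted = {lid: f for lid, f in failures.items() if lid not in exceptions}
    return ("PASS" if not unexcepted else "FAIL"), unexcepted


if __name__ == "__main__":
    verdict, details = gate(TEMPLATE)
    print(f"cfn policy gate: {verdict}")
    for lid, rules in details.items():
        print(f"Affected logical ID: {lid}")
        for rule in rules:
            print(f"  - {rule}")
```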
Topic: Incident Response
A company wants to test its AWS incident response plan for a suspected compromised EC2 workload. The test must exercise detection, escalation, containment, and evidence collection. It must not affect customer traffic or real customer data. Security leaders also require CloudTrail, GuardDuty, Security Hub, and CloudWatch evidence to remain available for post-test review. Which test procedure is the BEST security decision?
Options:
A. Perform only a tabletop review and mark each runbook step complete
B. Leak a live production IAM access key to trigger real attacker activity
C. Run a controlled game day in staging with AWS FIS and simulated findings
D. Disable detection services before the exercise to test manual reporting
Best answer: C
Explanation: Incident response testing should validate the runbook under realistic but controlled conditions. A game day in an isolated staging account can exercise detection, escalation, containment, and evidence collection without exposing customer workloads or data. AWS Fault Injection Service can introduce controlled failures against tagged resources, while GuardDuty sample findings or Security Hub test findings can drive the security workflow. CloudWatch alarms and FIS stop conditions limit blast radius, and keeping CloudTrail, GuardDuty, Security Hub, and CloudWatch enabled preserves evidence for post-test review. The key is to test the response path, not to create an uncontrolled compromise.
Topic: Identity and Access Management
A company has 150 AWS accounts and delegates IAM role administration to product teams. The security team needs one reusable permission set per product team, no per-account role allowlists, and an ownership namespace visible in IAM role ARNs. Product teams must not be able to modify central security or break-glass roles. Which configuration approach best meets these requirements?
Options:
A. Use an SCP that references AWS Organizations OU names in role ARNs.
B. Place each product team in a separate IAM group.
C. Use IAM role paths and scope permissions to path-based role ARNs.
D. Require permission boundaries on all roles without path-based scoping.
Best answer: C
Explanation: IAM paths are useful for organizing IAM roles at scale because the path becomes part of the role ARN, such as arn:aws:iam::123456789012:role/app/team-a/DeployRole. A delegated administration policy can allow actions only on arn:aws:iam::*:role/app/team-a/* while excluding paths reserved for security, break-glass, or AWS-managed identities. This provides a reusable namespace-based control without maintaining a list of every role in every account. Paths do not grant or deny access by themselves; they become effective when IAM policies, permission sets, or automation consistently reference the path pattern. Permission boundaries can complement this design, but they do not replace resource scoping.
Topic: Infrastructure Security
A company runs application workloads in private subnets across several VPCs. Security requirements state that outbound HTTPS must be limited to approved domain names, traffic to known malicious IP ranges must be blocked, and allowed and denied egress events must be logged centrally. The company wants a VPC-level control that does not require frequent changes to each instance’s security group.
Which security decision best meets these requirements?
Options:
A. Attach AWS WAF rules to each application load balancer
B. Restrict each security group to outbound TCP 443 only
C. Use network ACL deny rules for malicious IP ranges
D. Route egress through AWS Network Firewall with stateful rules and logging
Best answer: D
Explanation: AWS Network Firewall is the best fit when the requirement is centralized VPC-level traffic filtering with stateful inspection, domain-based controls, IP block lists, and firewall logging. Security groups are stateful and useful for instance or ENI-level allow rules, but they do not provide domain-name filtering or centralized inspection logs. Network ACLs can allow or deny traffic at the subnet boundary, but they are stateless and not suited to scalable domain-based egress filtering. AWS WAF protects HTTP/S requests to supported web resources, not general outbound traffic from private subnets.
The key distinction is control layer: use security groups for workload-level least privilege, network ACLs for coarse subnet guardrails, and AWS Network Firewall for centralized stateful network inspection and logging.
Topic: Infrastructure Security
A security team reviews an audit finding for new EC2 instances in a production account. The organization requires approved images to include SSM Agent, the CloudWatch Agent configuration, and baseline hardening before deployment.
Evidence:
AWS Config custom rule: NON_COMPLIANT
Resource: i-0abc123
AMI: ami-marketplace-789, not in approved AMI parameter
SSM inventory: unavailable; SSM Agent not detected
CloudWatch Agent: no host metrics or security log stream
CloudTrail: RunInstances called with user data bootstrap script
User data result: bootstrap download timed out
What is the best next action supported by this evidence?
Options:
A. Treat the finding as confirmed malware execution on the instance.
B. Build and distribute hardened AMIs with the required agents and baseline controls baked in.
C. Rotate the instance profile credentials for all instances in the account.
D. Allow any AMI but require teams to rerun the bootstrap script manually.
Best answer: B
Explanation: The finding supports a design problem in the compute image lifecycle: the instance was launched from an unapproved AMI, and the required security agents were expected to install at first boot through user data. Because that bootstrap failed, monitoring and inventory controls were missing. A hardened AMI pipeline, such as one built with EC2 Image Builder, should bake in required agents, configuration, patches, and baseline hardening, then validate the image before teams deploy it. Enforcement can be added separately, but the image design issue is that required controls were not reliably present at launch. The evidence does not prove compromise; it proves a gap in hardened image creation and use.
Topic: Data Protection
A company runs a customer portal behind an Application Load Balancer. A new compliance requirement says that external users must connect over TLS and must present client certificates issued by the company’s private CA before any request reaches the application. The application team does not want to implement certificate validation in application code.
Which control best satisfies this requirement?
Options:
A. Configure an ALB HTTPS listener with mutual TLS verify mode
B. Attach an AWS WAF rule that checks for a certificate header
C. Issue an ACM public certificate for the ALB domain only
D. Encrypt the application database with an AWS KMS key
Best answer: A
Explanation: Mutual TLS is the right data-in-transit control when both the server and the client must prove identity with certificates during the TLS handshake. For an application behind an Application Load Balancer, an HTTPS listener can use an ACM server certificate for the portal domain and mutual TLS in verify mode with a trust store that contains the issuing CA certificates. This enforces client certificate validation at the load balancer layer before traffic is forwarded to targets, so the application does not need to perform the certificate validation itself. A normal server certificate protects user-to-ALB encryption but does not authenticate client certificates.
Topic: Data Protection
A private EC2 application stores regulated customer documents in an Amazon S3 bucket. The proposed design sends S3 API traffic through a NAT gateway to the public S3 endpoint. Requirements are to avoid unnecessary public internet paths, keep deployment changes small, minimize recurring cost, and restrict the bucket to this application VPC. What is the best security decision?
Options:
A. Use an S3 gateway VPC endpoint and require aws:sourceVpce.
B. Proxy S3 traffic through an internet-facing Application Load Balancer.
C. Route S3 traffic through an on-premises firewall over VPN.
D. Keep the NAT gateway and allow only its Elastic IP.
Best answer: A
Explanation: For S3 access from resources in a VPC, a gateway VPC endpoint removes the need to route sensitive object traffic through a NAT gateway and public S3 endpoint. The route table sends S3 prefix-list traffic to the endpoint, and the bucket policy can require the specific endpoint with aws:sourceVpce. This meets the private-path requirement, keeps changes small, and avoids the recurring hourly and data-processing cost profile of interface endpoints or proxy designs. TLS is still used, but the main security improvement is eliminating unnecessary internet egress for the connection path. IP-based controls on a NAT gateway do not provide the same private connectivity or least-privilege resource binding.
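An added example, not AWS's evaluation engine, serving the S3 bucket-policy and RCP questions on this page (aws:SourceVpce, aws:SecureTransport, aws:PrincipalOrgID) and the IAM role-path question: a simplified evaluator that models explicit-deny precedence across policy layers and the condition operators those questions turn on. Principal matching is not modelled; org, endpoint and account identifiers are constructed placeholders.

```python
"""Simplified policy evaluation for the RCP and S3 bucket-policy scenarios.

Added example, not AWS's evaluation engine. It models only what the questions
turn on: explicit-deny precedence across layers, wildcard Action/Resource
matching and the StringEquals, StringNotEquals and Bool operators. Principal
matching is not modelled. All org, endpoint and account IDs are constructed.
"""
from fnmatch import fnmatchcase

ORG_ID = "o-exampleorg1"                  # constructed organization ID
VPCE_ID = "vpce-0123456789abcdef0"        # constructed S3 gateway endpoint ID
BUCKET = "arn:aws:s3:::regulated-docs-example"

# RCP: deny object reads by any principal outside the org. A principal with no
# aws:PrincipalOrgID at all (in no organization) also matches StringNotEquals.
RCP = [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ORG_ID}}}]

ALLOW_PREFIX = {"Effect": "Allow", "Action": "s3:GetObject",
                "Resource": f"{BUCKET}/settlement/*"}
# Deny plaintext requests; an explicit Deny wins over any Allow.
DENY_PLAINTEXT = {"Effect": "Deny", "Action": "s3:*",
                  "Resource": [BUCKET, f"{BUCKET}/*"],
                  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
# Deny requests that did not arrive via the expected endpoint. This also blocks
# console and other out-of-VPC access, so any exception must be deliberate.
DENY_OFF_ENDPOINT = {"Effect": "Deny", "Action": "s3:*",
                     "Resource": [BUCKET, f"{BUCKET}/*"],
                     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}}

# Delegated IAM administration scoped by role path (paths constructed).
TEAM_A_ADMIN = [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "arn:aws:iam::*:role/app/team-a/*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": [
        "arn:aws:iam::*:role/security/*", "arn:aws:iam::*:role/break-glass/*"]},
]


def _match(patterns, value):
    """IAM-style wildcard match; '*' spans '/' as it does in IAM ARNs."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in pats)


def _condition_ok(cond, ctx):
    """True when every condition block matches the request context."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            exp = expected if isinstance(expected, list) else [expected]
            if op == "StringEquals" and actual not in exp:
                return False
            if op == "StringNotEquals" and actual in exp:
                return False
            if op == "Bool" and str(actual).lower() != str(exp[0]).lower():
                return False
    return True


def evaluate(layers, action, resource, ctx):
    """Explicit Deny in any layer wins; otherwise at least one Allow is needed."""
    allowed = False
    for name, statements in layers.items():
        for st in statements:
            if not (_match(st["Action"], action) and _match(st["Resource"], resource)):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "DENY", f"explicit deny in {name}"
            allowed = True
    return ("ALLOW", "allow matched") if allowed else ("DENY", "no matching allow")


def run_scenarios():
    """Each scenario: (decision, reason) for one request context."""
    obj = f"{BUCKET}/settlement/2024-05-01.csv"
    role = "arn:aws:iam::123456789012:role/"
    perimeter = {"rcp": RCP, "bucket": [ALLOW_PREFIX]}
    private_path = {"bucket": [ALLOW_PREFIX, DENY_PLAINTEXT, DENY_OFF_ENDPOINT]}
    good = {"aws:PrincipalOrgID": ORG_ID, "aws:SecureTransport": True,
            "aws:SourceVpce": VPCE_ID}
    return {
        "vendor outside org, direct": evaluate(
            perimeter, "s3:GetObject", obj, {**good, "aws:PrincipalOrgID": None}),
        "vendor via member-account role": evaluate(perimeter, "s3:GetObject", obj, good),
        "plaintext http via endpoint": evaluate(
            private_path, "s3:GetObject", obj, {**good, "aws:SecureTransport": False}),
        "tls but not via endpoint": evaluate(
            private_path, "s3:GetObject", obj, {**good, "aws:SourceVpce": None}),
        "tls via endpoint": evaluate(private_path, "s3:GetObject", obj, good),
        "team-a edits own role": evaluate(
            {"team-a": TEAM_A_ADMIN}, "iam:UpdateRole", role + "app/team-a/DeployRole", {}),
        "team-a edits break-glass role": evaluate(
            {"team-a": TEAM_A_ADMIN}, "iam:UpdateRole", role + "break-glass/Admin", {}),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name:32} {decision:5} ({reason})")
```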
Topic: Infrastructure Security
A security team is hardening several AWS compute workloads. An EC2 application must read from a specific S3 bucket, a Lambda function must read one Secrets Manager secret, and an EKS application pod must write to one DynamoDB table. The team must avoid long-lived credentials and scope AWS permissions to the individual workload wherever supported. Which configuration best satisfies these requirements?
Options:
A. Store IAM user access keys in each workload’s environment variables
B. Attach one broad IAM role to all EC2 instances, Lambda functions, and EKS nodes
C. Use an EC2 instance profile, a Lambda execution role, and an EKS pod-level IAM role
D. Use AWS Organizations SCPs to grant the required service permissions
Best answer: C
Explanation: AWS compute workloads should receive temporary credentials through the identity mechanism designed for that compute layer. EC2 uses an IAM role attached through an instance profile. Lambda uses an execution role that the service assumes when the function runs. EKS workloads should use pod-scoped identity, such as IAM Roles for Service Accounts or EKS Pod Identity, so permissions are assigned to the application pod rather than broadly to the worker node. This approach avoids long-lived access keys and keeps least-privilege permissions close to the workload that needs them. A node role or shared role can over-permit unrelated workloads on the same infrastructure.
Topic: Infrastructure Security
A financial services company is moving a payment-processing backend to private subnets in several AWS accounts. An on-premises data center must exchange high-volume traffic with these VPCs. Requirements: avoid the public internet, encrypt traffic across the hybrid link, keep latency predictable, and centralize routing to reduce VPC-to-data-center blast radius. Which security decision best meets these requirements?
Options:
A. Use AWS Direct Connect with MACsec and a transit gateway
B. Use AWS Site-to-Site VPN over the internet
C. Use AWS Verified Access for the backend subnets
D. Use public Application Load Balancers with AWS WAF
Best answer: A
Explanation: For high-volume hybrid workload communication that must avoid the public internet and have predictable latency, AWS Direct Connect is the best fit. MACsec adds encryption on supported dedicated Direct Connect links, addressing the requirement to encrypt traffic across the hybrid connection. A transit gateway provides centralized routing to multiple VPCs and accounts, reducing the need for many point-to-point connections and improving blast-radius control. Site-to-Site VPN encrypts traffic but traverses the public internet and is less predictable. Verified Access is intended for application access by users and devices, not private data center-to-VPC workload connectivity.
Topic: Detection
A company runs a multi-account AWS workload that processes PII through CloudFront, AWS WAF, an Application Load Balancer, Amazon ECS, and Amazon S3. Security must detect credential misuse, web attacks, and possible data exfiltration, then reconstruct incidents for at least 1 year. Application teams must not be able to delete or alter investigation evidence. Which monitoring requirement set is the best security decision?
Options:
A. Centralize CloudTrail, WAF, ALB, VPC Flow Logs, DNS logs, and app auth logs with protected 1-year retention
B. Enable GuardDuty and Security Hub findings only, without retaining the source logs
C. Store CloudTrail management events in each account where application administrators manage retention
D. Collect CloudWatch metrics and application error logs in each workload account for 30 days
Best answer: A
Explanation: A monitoring requirement set should support both fast detection and later reconstruction. For this workload, the useful evidence spans multiple layers: CloudTrail management and relevant S3 data events for API and object access, AWS WAF and ALB logs for web activity, VPC Flow Logs and Route 53 Resolver query logs for network and DNS behavior, and application authentication logs for user context. Centralizing these logs in a security-owned account or log lake with protected retention helps preserve evidence from workload administrators and supports correlation across accounts for at least 1 year. Detection services such as GuardDuty and Security Hub are valuable, but their findings should be backed by retained source telemetry.
Topic: Data Protection
A security engineer reviews an audit note for a production AWS KMS key used by several services through alias/prod-payments.
| Evidence | Value |
|---|---|
| Key origin | EXTERNAL |
| Imported material | Expires in 18 days |
| Recent use | Decrypt events in CloudTrail today |
| Audit controls | CloudTrail KMS management events retained |
Which next action best supports rotation without disrupting access or losing compliance evidence?
Options:
A. Enable automatic key rotation on the existing EXTERNAL-origin KMS key.
B. Disable the current key immediately, then create an AWS-generated KMS key for all workloads.
C. Create a new EXTERNAL-origin KMS key, import new material, repoint the alias, and keep the old key enabled for decrypts.
D. Delete the current imported key material, then import new material into the same KMS key.
Best answer: C
Explanation: AWS KMS keys with imported key material require careful manual rotation planning. The evidence shows the current key is still actively decrypting data, so removing or disabling its material would risk an outage and could make existing ciphertext undecryptable. A safe rotation pattern is to create a new customer managed KMS key with EXTERNAL origin, import the new key material, update the alias or application configuration so new encrypt operations use the new key, and keep the old key enabled until dependent data is re-encrypted or retired. CloudTrail KMS management events provide evidence for key creation, import, and alias update activities. The key point is to separate new encryption from continued access to old ciphertext.
Topic: Infrastructure Security
A company exposes a public web application through Amazon CloudFront to an Application Load Balancer. Recent testing found input validation weaknesses that could allow common OWASP Top 10 attacks, including SQL injection and cross-site scripting. The security team needs an edge-layer control that can reduce exploit attempts before requests reach the origin while developers fix the code. Which approach best satisfies this requirement?
Options:
A. Attach an AWS WAF web ACL with managed OWASP-focused rule groups to CloudFront
B. Restrict the ALB security group to CloudFront IP ranges
C. Enable AWS Shield Advanced on the CloudFront distribution
D. Require IAM authentication for all ALB listener requests
Best answer: A
Explanation: OWASP Top 10 risks such as injection and cross-site scripting should influence edge design when the threat involves malicious HTTP request content reaching a public application. AWS WAF is the AWS edge control designed to inspect and filter web requests by using managed rule groups, custom rules, rate-based rules, and labels. Associating the web ACL with CloudFront places the inspection point before the ALB and origin application, reducing exposure while application fixes are implemented. This does not replace secure coding, but it provides a compensating control at the correct layer.
Topic: Data Protection
A security audit reviewed an application that stores regulated records in Amazon S3, Amazon EBS, and Amazon RDS. The team wants to keep using native AWS service encryption and must not build custom cryptography.
Audit note:
Current: Data encrypted with AWS managed KMS keys
Finding: Key material must be generated and stored in HSMs
Requirement: HSMs must be controlled by the company in AWS
Which encryption approach best addresses the finding?
Options:
A. Encrypt data in the application with a custom AES implementation
B. Use AWS KMS custom key stores backed by AWS CloudHSM
C. Continue using AWS managed KMS keys for all resources
D. Use AWS CloudHSM directly for all S3, EBS, and RDS encryption
Best answer: B
Explanation: The finding requires a data-at-rest encryption approach that keeps AWS service-native encryption while placing key material in HSMs controlled by the company in AWS. AWS KMS custom key stores backed by AWS CloudHSM meet that pattern for supported AWS services: workloads can still use KMS-integrated encryption, while the key material is generated and protected in a CloudHSM cluster the company controls. This avoids designing or maintaining custom cryptographic code. The key distinction is not merely “customer managed key” versus “AWS managed key”; it is where the key material is generated and protected.
Topic: Identity and Access Management
A production ECS service began failing to read encrypted application secrets after a deployment changed the task role from OldAppRole to AppTaskRole. Which action is the least-disruptive correction supported by the evidence?
CloudTrail: kms:Decrypt -> AccessDenied
Principal: arn:aws:sts::111122223333:assumed-role/AppTaskRole/task
IAM policy simulation: kms:Decrypt on the key = allowed
KMS key policy: grants kms:Decrypt to OldAppRole only
KMS key policy: no statement enabling account IAM policies
Options:
A. Add AppTaskRole to the KMS key policy for kms:Decrypt.
B. Attach an IAM policy allowing kms:* on all KMS keys.
C. Create a new KMS key and reencrypt the secrets.
D. Revert the ECS service to OldAppRole.
Best answer: A
Explanation: AWS KMS authorization depends on the key policy in addition to IAM permissions. The evidence shows that AppTaskRole has an identity-based allow for kms:Decrypt, but the KMS key policy grants decrypt access only to OldAppRole and does not delegate authorization to account IAM policies. The least-disruptive fix is to update the existing key policy to authorize the new production role for the specific decrypt action needed. This restores the intended access without broadening permissions across all keys, changing the running service role back, or rotating and reencrypting data unnecessarily.
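As an added illustration (not from the exam page), the following replays the evidence above through a simplified model of how KMS combines the key policy with the caller's identity policy; the account id and role names come from the question, while the key id and the policy documents are constructed.

```python
"""Added example: simplified KMS authorization (key policy + identity policy)
replayed on the question's evidence. Grants and conditions are not modeled."""
import fnmatch
from copy import deepcopy

ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"   # key id is a placeholder
OLD_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/OldAppRole"
NEW_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AppTaskRole"
CALLER = f"arn:aws:sts::{ACCOUNT}:assumed-role/AppTaskRole/task"      # principal from CloudTrail

# Key policy as the evidence describes it: decrypt for OldAppRole only, and no
# statement that enables IAM policies in the account (no "kms:*" to the account root).
KEY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOldAppRoleDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": OLD_ROLE_ARN},
        "Action": "kms:Decrypt",
        "Resource": "*",
    }],
}

# Identity policy on AppTaskRole; this is what the IAM policy simulation reported as allowed.
IAM_POLICY_APPTASKROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def assumed_role_to_role_arn(caller_arn):
    """CloudTrail shows the STS session ARN; policies name the IAM role.
    arn:aws:sts::A:assumed-role/Name/session -> arn:aws:iam::A:role/Name"""
    prefix, sep, rest = caller_arn.partition(":assumed-role/")
    if not sep:
        return caller_arn                      # already an IAM principal ARN
    account = prefix.split(":")[4]
    return f"arn:aws:iam::{account}:role/{rest.split('/')[0]}"


def _evaluate(policy, principal_arn, action, resource):
    """'Deny', 'Allow' or None for one policy document."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if "Principal" in stmt:                # resource policies name a principal; identity policies do not
            principal = stmt["Principal"]
            allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if not _matches(allowed, principal_arn):
                continue
        if not _matches(stmt["Action"], action) or not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def kms_authorized(key_policy, iam_policy, caller_arn, action, key_arn):
    """Return (allowed, reason). The key policy must allow the role directly, or
    allow the account root (which is how a key policy delegates to IAM) so that
    the identity policy can take effect. An explicit deny anywhere wins."""
    role_arn = assumed_role_to_role_arn(caller_arn)
    root_arn = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    key_decision = _evaluate(key_policy, role_arn, action, key_arn)
    iam_decision = _evaluate(iam_policy, role_arn, action, key_arn)
    if "Deny" in (key_decision, iam_decision):
        return False, "explicit deny"
    if key_decision == "Allow":
        return True, "key policy names the role"
    if iam_decision == "Allow":
        if _evaluate(key_policy, root_arn, action, key_arn) == "Allow":
            return True, "key policy delegates to IAM and the identity policy allows"
        return False, "identity policy allows, but the key policy neither names the role nor delegates to IAM"
    return False, "nothing allows the action"


def add_role_to_key_policy(key_policy, role_arn, action="kms:Decrypt"):
    """Option A: authorize the new role in the key policy for the one action it needs."""
    fixed = deepcopy(key_policy)
    fixed["Statement"].append({
        "Sid": "AllowNewRole" + action.split(":")[1],
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": action,
        "Resource": "*",
    })
    return fixed


if __name__ == "__main__":
    print("before:", kms_authorized(KEY_POLICY_BEFORE, IAM_POLICY_APPTASKROLE, CALLER, "kms:Decrypt", KEY_ARN))
    fixed = add_role_to_key_policy(KEY_POLICY_BEFORE, NEW_ROLE_ARN)
    print("after: ", kms_authorized(fixed, IAM_POLICY_APPTASKROLE, CALLER, "kms:Decrypt", KEY_ARN))
```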
Topic: Identity and Access Management
A security engineer must let an external auditor download one sensitive S3 object. The auditor has no AWS identity. Access must expire in 15 minutes, avoid long-term credentials, and remain attributable to the internal employee who approved the download. What is the BEST security decision?
Options:
A. Generate a presigned URL using an STS role session with a 15-minute duration
B. Generate a 15-minute presigned URL using an IAM user access key
C. Temporarily allow public read access to the object
D. Create an IAM user for the auditor and delete it after use
Best answer: A
Explanation: For presigned S3 access, the effective authentication context comes from the credentials that sign the URL. Using temporary STS credentials avoids long-term keys, limits the URL to the shorter of the requested expiration or the session lifetime, and keeps CloudTrail attribution tied to the assumed role session. If the employee assumes the role with an identifiable session name or source identity, the approval context can be preserved without giving the auditor an AWS principal.
The key takeaway is that presigned URL validity is not only the URL expiration value; it is also bounded by the credential source and session duration.
Topic: Data Protection
A security audit reviews an S3 bucket that receives daily compliance evidence exports. The bucket already blocks public access and uses SSE-KMS. The audit note says:
Risk: Users with write access could replace or delete evidence objects
Requirement: Preserve each exported object in a tamper-resistant state for 7 years
Concern type: Data integrity, not confidentiality
Which control is the best next action supported by this evidence?
Options:
A. Apply a CloudWatch Logs data protection policy
B. Replicate the bucket to another AWS Region
C. Enable default SSE-KMS encryption on the bucket
D. Store the exports with S3 Object Lock retention
Best answer: D
Explanation: The audit evidence points to a data integrity risk: evidence objects could be replaced or deleted after creation. S3 Object Lock, used with versioning and a retention period, is the AWS control designed to make S3 object versions tamper-resistant for a defined period. This addresses unauthorized or accidental modification and deletion of retained evidence. Encryption controls such as SSE-KMS protect confidentiality at rest, not object immutability. Replication can improve durability or recovery options, but it does not by itself prevent tampered objects from being replicated. Data protection policies for logs help mask sensitive data, which is also a confidentiality concern rather than an integrity control.
Topic: Security Foundations and Governance
A company deploys workloads to several AWS accounts by using CloudFormation and Terraform. The security team must organize resources by department, cost center, environment, and security owner so that incident findings can be routed quickly and finance can allocate costs. The solution should avoid manual tagging drift and should work consistently for new deployments. Which decision is the BEST fit?
Options:
A. Store ownership details only in a central spreadsheet
B. Add required business and security tags in the IaC templates
C. Encode department and environment only in resource names
D. Create separate AWS accounts for each security owner
Best answer: B
Explanation: Tags are the primary AWS mechanism for attaching business, cost, environment, and security ownership metadata to resources. In this scenario, the company already uses IaC, so the most reliable decision is to define the required tag keys in the templates or modules and apply them when resources are created. This makes tags consistent across accounts and deployments, supports cost allocation and search, and gives security operations useful ownership context for findings or incident routing. Naming conventions can help humans, but they are not a substitute for tag metadata that AWS services and governance tools can evaluate. The key takeaway is to make required tags part of the deployment process, not a manual afterthought.
Topic: Incident Response
During a tabletop exercise for a suspected EC2 compromise, the incident team recorded this audit note:
Signal: GuardDuty finding on an EC2 instance
Delay: 47 minutes before responder access
Cause: private instances lacked SSM managed-node setup
Workaround: temporary SSH access was requested
Evidence step: EBS snapshots were created manually
Goal: isolate hosts and collect initial evidence without inbound admin ports
Which pre-incident deployment would best enable faster response for this runbook?
Options:
A. Add AWS WAF managed rules to public applications
B. Enable Macie discovery jobs for all S3 buckets
C. Create temporary SSH access during each incident
D. Deploy Systems Manager managed-node access and Automation runbooks
Best answer: D
Explanation: The audit note points to an incident-response readiness gap for EC2: responders could not access private instances safely, and evidence collection depended on manual steps. Before an incident, EC2 instances should be prepared as Systems Manager managed nodes with the required agent, IAM permissions, and network path such as VPC endpoints where needed. Session Manager can provide audited access without inbound admin ports, and Automation runbooks can standardize actions such as changing security groups, tagging resources, and creating EBS snapshots. This supports faster, repeatable containment and initial evidence preservation. Macie and WAF are useful controls, but they do not address the specific EC2 access and evidence-collection delay shown in the audit note.
Topic: Incident Response
A company is improving its incident response process after an event that involved application logs, CloudTrail activity, VPC Flow Logs, and GuardDuty findings from several AWS accounts in three Regions. Investigators need a central, queryable evidence store that can correlate security data across applications, accounts, and Regions with normalized schemas. Which approach best meets this requirement?
Options:
A. Create an organization CloudTrail Lake event data store
B. Aggregate CloudWatch Logs into one cross-account log group
C. Deploy Amazon Security Lake with organization-wide sources and OCSF custom ingestion
D. Forward all findings to one Amazon EventBridge event bus
Best answer: C
Explanation: Amazon Security Lake is the best fit when investigators must correlate diverse security evidence across applications, accounts, and Regions. It can be configured for an AWS Organizations environment, collect supported AWS security log sources, store data centrally, and normalize records to the Open Cybersecurity Schema Framework (OCSF). Custom application sources can also be added when they are prepared for the expected schema and delivery pattern. This gives responders a common structure for querying and correlating API activity, network telemetry, findings, and application evidence. CloudTrail Lake is valuable for CloudTrail events, but it does not cover the full evidence set in the scenario.
Topic: Detection
A security team reviews a threat-modeling audit note for a production application.
Workloads: CloudFront/ALB public API, private EC2 services, Lambda upload processors, EKS payment services, S3 document buckets
Threats: web exploits, C2 DNS from private subnets, compromised Lambda role access, container crypto mining, sensitive data exposure in S3
Which monitoring scope is best supported by the note?
Options:
A. Monitor only CloudFront, ALB, and AWS WAF signals.
B. Monitor only S3 access logs and Amazon Macie findings.
C. Monitor only VPC Flow Logs and Route 53 Resolver logs.
D. Monitor edge/web, DNS/VPC, Lambda, EKS runtime, and S3 data signals.
Best answer: D
Explanation: The audit note identifies threats across multiple workload types, so the monitoring scope should match the full threat surface. Public web exploit attempts need edge and web telemetry such as CloudFront, ALB, AWS WAF, and related findings. C2 DNS from private subnets requires private-network and DNS visibility, such as VPC Flow Logs and Route 53 Resolver query logs. Compromised Lambda role activity needs CloudTrail and function-level logs. Container crypto mining or runtime abuse needs EKS control plane, audit, and runtime signals. Sensitive data exposure in S3 requires data access events and discovery findings such as Macie. A single-layer scope would leave stated threats unmonitored.
Topic: Identity and Access Management
A company runs a central security automation Lambda function in a Security Tooling account. The function must read Security Hub findings from multiple workload accounts in the same AWS Organizations organization. The company requires no long-term credentials and wants each workload account to control exactly which read actions the automation can perform. Which authorization design best meets these requirements?
Options:
A. Use an SCP to allow the Security Tooling account to read findings in all workload accounts.
B. Create a read-only role in each workload account that trusts the Lambda execution role and let the function assume it.
C. Attach a resource-based policy to the Lambda function allowing access to each workload account.
D. Create IAM users in each workload account and store their access keys in Secrets Manager.
Best answer: B
Explanation: For cross-account application or system access, the usual pattern is an IAM role in the target account that the source workload can assume with AWS STS. The workload account owns the role permissions, so it can grant only the required read actions for Security Hub. The trust policy limits which principal can assume the role, such as the Lambda execution role in the Security Tooling account. This avoids long-term credentials and keeps authorization at the account boundary where the protected resources live. An SCP can set guardrails, but it does not grant permissions by itself.
Topic: Identity and Access Management
A security team is reviewing authentication paths for a multi-account AWS application.
Evidence:
CloudTrail: arn:aws:sts::<acct>:assumed-role/AWSReservedSSO_SecurityAdmin/alice@example.com
ALB app log: shopper123 authenticated by Amazon Cognito user pool
ECS task metadata: task uses arn:aws:iam::<acct>:role/OrdersTaskRole to call DynamoDB
Which interpretation is best supported by the evidence?
Options:
A. The Cognito user pool represents workload authentication because it issues tokens.
B. IAM Identity Center is workforce; Cognito is customer; ECS task role is workload.
C. All three entries represent customer authentication because the application has a login flow.
D. The ECS task role represents workforce authentication because it appears as an assumed role.
Best answer: B
Explanation: AWS security designs separate identity types by who or what is authenticating. Workforce authentication is for employees, contractors, or administrators, commonly through IAM Identity Center or federation to AWS roles. Customer authentication is for application end users and is commonly implemented with Amazon Cognito user pools or an external customer IdP. Workload authentication is for applications, compute, and services that need AWS permissions, typically through IAM roles and temporary credentials such as an ECS task role. The presence of STS or an assumed role does not automatically mean a human workforce user; the principal context and use case matter.
Topic: Infrastructure Security
A security team receives an Amazon Inspector finding for a production EC2 web tier.
Severity: Critical CVE, fixed package version available
Resource: Auto Scaling group web-prod behind a public ALB
Evidence: No GuardDuty findings; no unusual CloudTrail activity
Constraints: Immutable AMIs, rolling deployments supported, PII handled, no downtime allowed
Which response is the BEST security decision?
Options:
A. Restrict the instance profile policy for the web tier
B. Build a patched AMI and roll replace the instances
C. Isolate all instances and snapshot their volumes first
D. Manually patch the running instances with Session Manager
Best answer: B
Explanation: An Inspector vulnerability finding indicates exposure that needs remediation, but it is not by itself proof of compromise. Here, the CVE is critical and the web tier is internet-facing, so remediation should be prompt. However, the stem states there are no GuardDuty findings or unusual CloudTrail events, and the environment uses immutable AMIs with rolling deployments. The best response is to create a patched AMI, replace the instances through the Auto Scaling group, and verify that Inspector no longer reports the CVE. This preserves availability and avoids configuration drift. Isolation and forensic preservation are more appropriate when there is evidence of compromise or active exploitation.
Topic: Infrastructure Security
A company hosts several private web applications behind internal Application Load Balancers in separate VPCs. Employees and contractors must access the apps from managed laptops over encrypted connections. Compliance requires user and device posture checks for each application and segmentation so access to one app does not grant network access to the others. Which design best meets these requirements?
Options:
A. Use AWS PrivateLink endpoint services for each application VPC.
B. Use AWS Client VPN with SAML authentication and VPC routes.
C. Use AWS Verified Access with per-application policies and trust providers.
D. Use AWS Direct Connect with MACsec and transit gateway route tables.
Best answer: C
Explanation: AWS Verified Access is designed for identity-aware access to private applications without placing users on the network. It can integrate with an identity provider and device trust provider, then enforce policies per application or application group. This matches the requirement for encrypted access, user/device posture checks, and segmentation between private web applications. Network connectivity options such as VPN or Direct Connect can encrypt traffic and segment routes, but they primarily grant network reachability and do not provide the same per-application identity boundary.
Topic: Identity and Access Management
A company uses direct SAML federation from its corporate IdP to an IAM role for AWS console access. After the IdP team rotated the SAML signing certificate, all federated users receive an authentication error before the console opens.
CloudTrail evidence:
eventSource: sts.amazonaws.com
eventName: AssumeRoleWithSAML
errorCode: InvalidIdentityToken
principalArn: arn:aws:iam::111122223333:saml-provider/CorpIdP
roleArn: arn:aws:iam::111122223333:role/DeveloperAccess
Which configuration change best addresses the failure?
Options:
A. Add the users to an IAM Identity Center permission set.
B. Update the IAM SAML provider metadata with the new IdP signing certificate.
C. Attach a broader permissions policy to the DeveloperAccess role.
D. Create IAM access keys for the affected federated users.
Best answer: B
Explanation: For direct SAML federation, AWS STS validates the SAML assertion against the IAM SAML provider configuration before issuing role credentials. The CloudTrail event shows AssumeRoleWithSAML failed with InvalidIdentityToken, and the failure began immediately after the IdP signing certificate changed. That points to a trust validation problem between AWS and the IdP, not to role authorization. Updating the IAM SAML provider metadata or certificate lets STS validate new assertions signed by the IdP.
Changing role permissions would matter only after authentication succeeds and credentials are issued.
Topic: Identity and Access Management
A security engineer is reviewing an IAM Access Analyzer finding for a production SQS queue after a routine audit.
Evidence:
| Source | Summary |
|---|---|
| Access Analyzer | Active external access finding on payments-events-prod |
| Queue policy | Allows sqs:ReceiveMessage and sqs:DeleteMessage to arn:aws:iam::999988887777:root with no condition |
| CloudTrail | SetQueueAttributes was called by the internal CICDDeployRole yesterday |
Which conclusion is best supported by the evidence?
Options:
A. The CICDDeployRole identity policy directly grants the external access.
B. The queue policy grants broad access to an external account and should be validated.
C. The external account has already consumed production messages.
D. An SCP in the production account will block the external principal automatically.
Best answer: B
Explanation: IAM Access Analyzer findings identify resource policies that grant access outside the intended zone of trust, such as another AWS account. Here, the SQS queue resource policy allows an external account root principal to receive and delete messages without conditions. CloudTrail shows which internal role changed the queue attributes, which helps investigate how the authorization was introduced. The evidence supports validating whether that external account is expected and then narrowing or removing the statement if it is unintended. It does not prove that the external account used the permission or that data was exfiltrated.
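As an added illustration (not from the exam page), here is an Access Analyzer-style check that finds resource-policy statements granting access outside a zone of trust, run on a queue policy built from the evidence above; the organization account list, the internal producer role, the service principal and the queue ARN are constructed.

```python
"""Added example: external-access findings over an SQS queue policy, and the
narrowing step that follows validation. Account list and ARNs are constructed."""
import re
from copy import deepcopy

ZONE_OF_TRUST = {"111122223333", "444455556666"}   # constructed: accounts in the organization
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:payments-events-prod"

QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalProducer", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/OrdersService"},
         "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
        {"Sid": "EventsService", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
        # The statement behind the finding: external account root, two actions, no condition.
        {"Sid": "ExternalConsumer", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"], "Resource": QUEUE_ARN},
    ],
}

ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account ids named by a Principal element; '*' stands for anonymous access.
    Service principals are not accounts and are ignored here."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for value in _as_list(principal.get("AWS", [])):
        if value == "*":
            accounts.add("*")
        elif len(value) == 12 and value.isdigit():
            accounts.add(value)                # bare account id is shorthand for its root principal
        else:
            match = ARN_ACCOUNT.match(value)
            if match:
                accounts.add(match.group(1))
    return accounts


def external_access_findings(policy, zone_of_trust):
    """One finding per Allow statement and external account, like the active
    finding in the evidence. 'conditioned' records whether a Condition limits it."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for account in sorted(principal_accounts(stmt["Principal"])):
            if account in zone_of_trust:
                continue
            findings.append({
                "sid": stmt.get("Sid"),
                "external_account": account,
                "is_public": account == "*",
                "actions": _as_list(stmt["Action"]),
                "conditioned": "Condition" in stmt,
            })
    return findings


def remove_unapproved_external_access(policy, zone_of_trust, approved_accounts):
    """Remediation once validation is done: keep external statements only for
    accounts the owners confirmed, drop the rest. Internal statements are untouched."""
    cleaned = deepcopy(policy)
    kept = []
    for stmt in _as_list(cleaned.get("Statement", [])):
        external = principal_accounts(stmt["Principal"]) - zone_of_trust if "Principal" in stmt else set()
        if stmt.get("Effect") == "Allow" and external - set(approved_accounts):
            continue
        kept.append(stmt)
    cleaned["Statement"] = kept
    return cleaned


if __name__ == "__main__":
    for finding in external_access_findings(QUEUE_POLICY, ZONE_OF_TRUST):
        print(finding)
```

The CloudTrail SetQueueAttributes record in the evidence tells you who introduced the statement; this check only tells you that it exists and how broad it is.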
Topic: Identity and Access Management
A company uses AWS Organizations with separate tooling and workload accounts. Human administrators authenticate through an external IdP, and a CI/CD pipeline in the tooling account deploys to workload accounts. Requirements: no long-lived access keys, account-specific least privilege, CI/CD cannot create roles beyond an approved boundary, and CloudTrail must show whether access came from a human or the pipeline. Which design is the best security decision?
Options:
A. Use IAM Identity Center for humans and scoped cross-account deployment roles with required permission boundaries and STS session context.
B. Use one shared cross-account role with AdministratorAccess for both administrators and the pipeline.
C. Create IAM users in each workload account for administrators and the pipeline, and manage access with IAM groups.
D. Use SCPs to grant the pipeline deployment permissions and block all other access paths.
Best answer: A
Explanation: The best design separates human access from workload access while using temporary credentials for both. IAM Identity Center can federate human administrators from the external IdP into account-specific permission sets. The CI/CD pipeline should assume dedicated deployment roles in each workload account with scoped policies. If the pipeline creates or passes IAM roles, its permissions should require an approved permissions boundary so it cannot escalate beyond the intended maximum permissions. STS session names or session tags help CloudTrail show whether an action came from a named human session or the pipeline. SCPs can add guardrails, but they do not grant access by themselves.
Topic: Detection
A security team expects a CloudWatch alarm to notify on repeated failed SSH logins from an Amazon EC2 fleet. The alarm did not trigger during a test. Review the evidence and choose the best next action supported by it.
CloudWatch metric: IncomingLogEvents = 0 for /prod/linux/secure
Agent status on instance: running
CloudWatch Agent log:
AccessDeniedException: not authorized to perform logs:PutLogEvents
Resource: arn:aws:logs:us-east-1:111122223333:log-group:/prod/linux/secure:*
Role: arn:aws:iam::111122223333:role/WebServerRole
Options:
A. Treat the test as confirmed credential compromise
B. Modify the metric filter pattern for failed SSH logins
C. Grant the instance role permission to write to the log group
D. Enable CloudTrail data events for the EC2 instances
Best answer: C
Explanation: The core issue is a CloudWatch Agent delivery failure, not an alarm logic problem. IncomingLogEvents = 0 shows that the log group is not receiving events, and the agent log identifies the specific cause: the EC2 instance role is denied logs:PutLogEvents. The practical remediation is to update the instance profile role with appropriate CloudWatch Logs write permissions, such as a scoped custom policy or the managed policy commonly used for the CloudWatch Agent, and then confirm log ingestion resumes. Only after events arrive should the team validate the metric filter and alarm behavior.
Changing detection logic cannot help when the source logs are not being delivered.
Topic: Infrastructure Security
A security engineer reviews an Amazon Inspector finding for an Amazon ECS service that runs on AWS Fargate. The finding identifies a critical CVE in an OpenSSL package inside the container image digest that is currently deployed. A fixed package version is available. The company uses immutable container deployments and does not allow shell access to running containers. Which response best remediates the finding?
Options:
A. Deny the task execution role access to pull the vulnerable image
B. Run Systems Manager Patch Manager against the Fargate tasks
C. Quarantine the tasks by removing all security group egress
D. Rebuild the image with the fixed package and redeploy the service
Best answer: D
Explanation: Amazon Inspector is reporting vulnerable software in the deployed container image, not a host configuration or IAM authorization problem. Because the workload runs on Fargate and the organization uses immutable deployments, the correct layer is the build and deployment pipeline: update the base image or package dependency, rebuild and scan the image, push a new digest to Amazon ECR, and update the ECS service so old tasks are replaced. Runtime patching is not the right model for immutable containers. Isolation can be useful for suspected active exploitation, but it does not remove the vulnerable package from the deployed artifact.
Topic: Detection
A company publishes ALB 5xx counts, application login failures, and CloudTrail-derived privileged API activity as Amazon CloudWatch metrics. The public shopping API has predictable weekly traffic spikes during promotions. The internal admin console has low traffic but high business impact if compromised. Security leadership wants fewer false positives without delaying escalation of high-risk activity. Which alerting approach best meets these requirements?
Options:
A. Use one account-wide static threshold for all failed logins, 5xx errors, and privileged API activity.
B. Disable custom CloudWatch alarms and rely only on GuardDuty findings for escalation.
C. Set all thresholds above the highest promotion-period metric values to prevent false positives.
D. Use risk-tiered CloudWatch alarms with anomaly detection for traffic metrics and stricter static thresholds for admin and privileged events.
Best answer: D
Explanation: Alert thresholds should be based on both expected behavior and business impact. For metrics with predictable variation, such as promotion-driven API traffic, CloudWatch anomaly detection can learn normal patterns and alert on deviations instead of using a brittle fixed number. For low-volume but high-risk signals, such as admin console login failures or privileged CloudTrail events, stricter static thresholds are appropriate because a small count can justify rapid escalation. The key is to tune thresholds by signal type and risk, not by applying one universal number across unrelated workloads.
Use the AWS SCS-C03 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.