SCS-C03 — AWS Certified Security – Specialty Quick Review

Last revised: June 29, 2026

Quick Review for AWS Certified Security – Specialty (SCS-C03): high-yield AWS security concepts, decision rules, traps, and practice guidance.

Quick Review purpose

This Quick Review is for candidates preparing for the real AWS Certified Security – Specialty (SCS-C03) exam from AWS. Use it to refresh high-yield security concepts before moving into topic drills, mock exams, and detailed explanations.

This page is IT Mastery exam-prep support. It is not affiliated with AWS and does not replace the official exam guide, AWS documentation, or hands-on practice.

How to use this review

Read the decision rules first. The exam often tests which AWS security service or control best fits a scenario.
Review the traps. Many wrong answers are plausible but fail because they are too broad, too manual, not centralized, or do not meet least-privilege requirements.
Practice immediately afterward. Use original practice questions and topic drills to test whether you can apply the rules under exam-style pressure.
Read explanations carefully. For SCS-C03, the explanation is often more valuable than the score because it exposes AWS service boundaries.

SCS-C03 exam mindset

The AWS Certified Security – Specialty (SCS-C03) exam expects more than memorizing services. Strong candidates can choose secure, scalable, auditable solutions across identity, infrastructure, data protection, detection, incident response, and multi-account governance.

Expect questions that ask you to balance:

Decision area	What the exam commonly rewards
Least privilege	Narrow permissions, scoped resources, conditions, temporary credentials
Central governance	AWS Organizations, service control policies, delegated administration, centralized logging
Automation	Event-driven remediation, managed detection, infrastructure as code, repeatable response
Defense in depth	IAM + network controls + encryption + monitoring + detective controls
Auditability	CloudTrail, immutable or protected logs, Config, Security Hub, clear evidence trails
Data protection	KMS key policy design, S3 controls, Secrets Manager, encryption in transit and at rest
Operational security	Fast containment, preserving evidence, minimizing blast radius
Service fit	Choosing the AWS-native service that directly solves the stated requirement

High-yield service map

Requirement	Usually consider	Common traps
Record AWS API activity	AWS CloudTrail	Confusing with VPC Flow Logs or CloudWatch metrics
Detect suspicious AWS account behavior	Amazon GuardDuty	Treating GuardDuty as a firewall or prevention tool
Centralize security findings	AWS Security Hub	Expecting it to generate all findings by itself
Discover sensitive data in S3	Amazon Macie	Using Macie for databases or generic malware scanning
Scan EC2, ECR, Lambda workloads for vulnerabilities	Amazon Inspector	Confusing with GuardDuty malware/suspicious behavior detection
Evaluate resource configuration	AWS Config	Confusing with CloudTrail event history
Enforce org-wide maximum permissions	Service control policies, or SCPs	Using SCPs as identity policies or resource grants
Manage human workforce access	IAM Identity Center	Creating long-lived IAM users for each person
Grant app/workload access	IAM roles	Embedding access keys in code
Protect secrets	AWS Secrets Manager or Systems Manager Parameter Store	Storing secrets in plaintext environment variables or code
Encrypt with customer control	AWS KMS customer managed keys	Assuming encryption alone solves access control
Protect web apps from Layer 7 attacks	AWS WAF	Using security groups for HTTP request inspection
DDoS protection	AWS Shield, CloudFront, Route 53, AWS WAF	Expecting WAF alone to solve volumetric DDoS
Private access to AWS services	VPC endpoints	Routing through public internet unnecessarily
Inspect network traffic centrally	AWS Network Firewall, Gateway Load Balancer patterns	Expecting NACLs to do deep inspection
Capture network metadata	VPC Flow Logs	Expecting packet payloads
Protect S3 from public access	S3 Block Public Access, bucket policies, IAM, Access Analyzer	Relying only on “private by default” assumptions

Identity and access management

IAM policy evaluation: know the order conceptually

For exam questions, remember the practical rule:

An explicit deny wins. Otherwise, access requires an applicable allow, and all applicable guardrails must permit the action.

Relevant policy types may include:

Policy/control	Purpose	Key exam point
Identity-based policy	Attached to IAM user, group, or role	Grants permissions to the principal
Resource-based policy	Attached to resource, such as S3 bucket, KMS key, SQS queue, Lambda function	Grants access to principals, including cross-account principals
Permissions boundary	Maximum permissions for an identity	Does not grant access by itself
SCP	Organization/account-level maximum permissions	Does not grant access by itself
Session policy	Limits permissions for a role session	Useful for temporary constrained access
KMS key policy	Authoritative access control for KMS keys	Must allow key use or delegate appropriately
VPC endpoint policy	Restricts access through an endpoint	Does not replace IAM/resource policy
S3 Block Public Access	Prevents public exposure patterns	Can override bucket or access point policies that would make data public

IAM decision rules

Scenario	Strong answer pattern
Application on EC2 needs AWS API access	Attach an IAM role to the instance profile
Lambda function needs AWS API access	Use the Lambda execution role
ECS task needs AWS API access	Use an ECS task role, not the container instance role
EKS workload needs AWS API access	Use IAM roles for service accounts or appropriate pod identity mechanism
Cross-account workload access	Use IAM role assumption with trust policy and scoped permissions
Third party needs account access	Use a cross-account role with external ID where appropriate
Human access to many accounts	Use IAM Identity Center integrated with an identity provider
Emergency administrative access	Use controlled break-glass access with MFA, logging, and limited use
Need to prevent privilege escalation	Restrict IAM, STS, PassRole, policy attachment, and boundary modification actions

Common IAM traps

SCPs do not grant permissions. They only set maximum permissions for accounts or organizational units.
Permissions boundaries do not grant permissions. They limit what identity policies can grant.
Resource policies can allow cross-account access, but the principal side may also need permission depending on the service and scenario.
KMS access is special. Having S3 or EBS permissions is not enough if the data is encrypted with a KMS key the principal cannot use.
iam:PassRole is high risk. If a user can pass a powerful role to a service they can control, they may indirectly escalate.
Avoid long-term access keys for workloads. Prefer roles and temporary credentials.
Do not solve least privilege with AdministratorAccess. Exam scenarios often include a clue requiring narrowly scoped permissions.

AWS Organizations and multi-account security

Multi-account design is central to AWS security. The exam often expects you to isolate workloads, centralize logging, and apply guardrails consistently.

Need	AWS capability
Separate production, development, security, and logging environments	Multiple AWS accounts
Apply maximum permission guardrails	SCPs
Centralize security service administration	Delegated administrator patterns
Centralize findings	Security Hub aggregation
Centralize threat detection	GuardDuty organization configuration
Centralize logs	CloudTrail organization trails, centralized S3 logging account
Detect public or cross-account access risk	IAM Access Analyzer
Enforce baseline configuration	AWS Config aggregators, conformance packs, automation

Organization-level traps

Do not put logs in the same account as the workload only. Central log accounts reduce tampering risk.
Do not rely on SCPs for resource-level detail if an IAM policy or resource policy is the better control.
Do not forget delegated administrators. Many AWS security services can be managed centrally across accounts.
Use separate accounts to reduce blast radius. VPC separation alone is not always enough.

Logging, monitoring, and detection

Core logging services

Service/log source	What it tells you	High-yield notes
AWS CloudTrail	AWS API calls and account activity	Enable broadly; use organization trails for multi-account visibility
CloudTrail Lake	Query and analyze CloudTrail events	Useful for investigations and audit queries
Amazon CloudWatch Logs	Application, system, and service logs	Supports metric filters, alarms, subscriptions
Amazon CloudWatch Metrics	Numeric time-series metrics	Used for alarms and operational thresholds
Amazon EventBridge	Event routing and automation	Common for event-driven remediation
VPC Flow Logs	Network metadata for ENIs, subnets, or VPCs	No packet payloads; useful for traffic analysis
Route 53 Resolver query logs	DNS query visibility	Useful for detecting suspicious domains or exfiltration indicators
Elastic Load Balancing access logs	Client requests to load balancers	Useful for web and traffic analysis
S3 server access logs / CloudTrail data events	Object-level activity evidence	CloudTrail data events are important for object operations

CloudTrail review

Requirement	CloudTrail feature/control
Track management API activity	Management events
Track S3 object-level or Lambda invoke activity	Data events
Track activity across accounts	Organization trail
Detect log file modification	Log file validation
Protect delivered logs	S3 bucket policy, KMS encryption, MFA Delete/Object Lock where appropriate
Alert on specific API calls	EventBridge rule or CloudWatch Logs metric filter/alarm
Investigate historical events	CloudTrail event history, S3 logs, CloudTrail Lake depending on setup

Detection service distinctions

Service	Primary role	Not primarily for
GuardDuty	Threat detection from logs and signals	Blocking traffic directly
Security Hub	Findings aggregation and security posture management	Replacing GuardDuty, Inspector, Macie, or Config
Inspector	Vulnerability management for supported workloads	Detecting account compromise behavior
Macie	Sensitive data discovery in S3	Scanning EBS volumes or RDS databases directly
Config	Configuration recording and compliance rules	Capturing packet traffic
Access Analyzer	External/public access analysis and policy reasoning	Runtime threat detection
Detective	Investigation and relationship analysis	Preventing attacks

Alerting and response pattern

    flowchart LR
	    A[Security event or finding] --> B[EventBridge rule]
	    B --> C{Type of issue}
	    C -->|Known safe remediation| D[Lambda or SSM Automation]
	    C -->|Needs approval| E[Ticket / notification / manual review]
	    C -->|Incident severity high| F[Containment playbook]
	    D --> G[Log result and notify]
	    E --> G
	    F --> G

Common monitoring traps

CloudTrail is not a network packet capture tool.
VPC Flow Logs do not show payload contents.
GuardDuty findings are detective, not preventive. Pair with EventBridge and remediation if the scenario requires automated response.
Security Hub aggregates and normalizes findings. It does not replace the services that generate specialized findings.
AWS Config records configuration state and changes. It is not a complete audit log for every API call.
CloudWatch alarms need metrics. Logs may need metric filters or embedded metrics before alarming.

Infrastructure security

VPC security controls

Control	Layer/use	Key exam point
Security group	Stateful instance/ENI-level filtering	Allows only; return traffic is automatically allowed
Network ACL	Stateless subnet-level filtering	Supports allow and deny; rules evaluated by number
Route table	Network path control	Determines where traffic goes
Internet gateway	Public internet access for VPC resources	Public subnet route alone is not enough without public IP where required
NAT gateway	Outbound internet for private subnets	Does not allow unsolicited inbound connections
VPC endpoint	Private connectivity to AWS services	Helps avoid public internet paths
AWS Network Firewall	Managed network inspection and filtering	Better fit for centralized inspection than NACLs
Gateway Load Balancer	Deploy/scale third-party appliances	Often used in centralized inspection architecture
Transit Gateway	Hub connectivity among VPCs/on-premises	Useful for large-scale network design

Security group vs NACL

Feature	Security group	Network ACL
Scope	ENI/instance level	Subnet level
State	Stateful	Stateless
Rules	Allow rules only	Allow and deny rules
Return traffic	Automatically allowed	Must be explicitly allowed
Evaluation	All rules considered	Lowest numbered matching rule applies
Best for	Workload-level access	Coarse subnet guardrails or explicit deny use cases

Public, private, and isolated subnet review

Subnet type	Typical route	Typical use
Public subnet	Route to internet gateway	Load balancers, bastion alternatives only if required
Private subnet	Route to NAT gateway or egress path	Application servers needing outbound updates
Isolated subnet	No internet route	Databases or internal-only workloads

VPC endpoint decision rules

Need	Endpoint type commonly used
Private S3 or DynamoDB access	Gateway endpoint
Private access to many AWS services through ENIs	Interface endpoint powered by AWS PrivateLink
Restrict which resources can be accessed through endpoint	Endpoint policy plus IAM/resource policies
Keep traffic off public internet	VPC endpoints, private DNS where appropriate

Edge and application protection

Requirement	Strong AWS-native option
Block common web exploits	AWS WAF
Rate-limit abusive HTTP clients	AWS WAF rate-based rules
DDoS resilience for edge apps	AWS Shield, CloudFront, Route 53, AWS WAF
Global edge caching and TLS termination	Amazon CloudFront
Protect custom origins	Origin access controls, restricted origin access, security groups where applicable
Central firewall policy across accounts	AWS Firewall Manager

Infrastructure traps

A private subnet is not private just because of its name. Routes determine reachability.
Security groups are stateful; NACLs are stateless. Many exam questions hinge on return traffic.
NAT gateway is outbound-focused. It is not a secure inbound access method.
Use Systems Manager Session Manager instead of public bastion hosts when the scenario emphasizes reduced exposure and auditability.
VPC endpoints can need multiple policy layers. Endpoint policy, IAM policy, resource policy, and KMS key policy may all matter.
WAF is Layer 7. It inspects HTTP/S request attributes, not arbitrary TCP payloads.

Data protection and encryption

AWS KMS essentials

AWS Key Management Service is a frequent SCS-C03 focus. Know the difference between who can administer a key, who can use a key, and which service uses the key on behalf of a principal.

Concept	Review point
AWS owned keys	Managed by AWS; customer does not manage policy
AWS managed keys	Managed by AWS for a service in your account; limited customer control
Customer managed keys	Customer controls policy, rotation settings, grants, aliases, permissions
Key policy	Primary control for KMS key access
Grants	Temporary/delegated KMS permissions, often used by AWS services
Encryption context	Additional authenticated data; can be used in conditions
Envelope encryption	Data key encrypts data; KMS key protects data key
Multi-Region keys	Related keys in multiple Regions for certain cross-Region use cases
External key store / imported material	Advanced control patterns with operational tradeoffs

KMS policy decision points

Requirement	Check
Principal can call KMS directly	IAM permission plus key policy permission or delegation
AWS service needs to decrypt data	Key policy allows service usage path and relevant principal
Cross-account encrypted data access	Resource policy + IAM permission + KMS key policy
Restrict key use to a service	Use KMS condition keys such as service context where appropriate
Separate key admins from key users	Distinct administrative and cryptographic permissions
Prevent accidental deletion	Restrict key deletion and schedule controls

Envelope encryption concept

\[ \text{Plaintext data} \xrightarrow{\text{data key}} \text{ciphertext data} \]\[ \text{Data key} \xrightarrow{\text{KMS key}} \text{encrypted data key} \]

The application stores the encrypted data and encrypted data key. To decrypt, it asks KMS to decrypt the encrypted data key, subject to KMS permissions and key policy.

S3 data protection

Requirement	Strong control
Prevent accidental public exposure	S3 Block Public Access
Enforce encryption on upload	Bucket policy requiring server-side encryption
Use customer managed KMS key	SSE-KMS with appropriate key policy
Immutable retention	S3 Object Lock where appropriate
Restrict access by network path	Bucket policy with VPC endpoint conditions where appropriate
Detect public/cross-account exposure	IAM Access Analyzer for S3
Discover sensitive data	Amazon Macie
Audit object access	CloudTrail data events and/or S3 access logs depending on need
Secure static website alternatives	CloudFront with controlled origin access when appropriate

Database and storage encryption

Service area	Common security points
EBS	Encryption at rest, snapshots, KMS permissions, sharing restrictions
EFS	Encryption at rest/in transit, file system policies, security groups
RDS/Aurora	Encryption at rest, TLS, IAM authentication where supported, Secrets Manager integration
DynamoDB	Encryption at rest, IAM fine-grained access patterns, point-in-time recovery
Redshift	Encryption, audit logging, network isolation, IAM integration
OpenSearch	Encryption at rest, node-to-node encryption, fine-grained access control, VPC access

Secrets management

Requirement	Prefer
Rotate database credentials automatically	AWS Secrets Manager with rotation
Store configuration values and simple secrets	Systems Manager Parameter Store, depending on requirements
Avoid hardcoded credentials	IAM roles, Secrets Manager, Parameter Store
Audit secret access	CloudTrail and service logs
Restrict secret decryption	IAM policy plus KMS key policy

Data protection traps

Encryption does not equal authorization. You still need IAM, resource policies, and network controls.
SSE-S3 and SSE-KMS have different control and audit implications.
KMS key policy can block otherwise valid IAM permissions.
Cross-account encrypted access often fails because the KMS key policy was forgotten.
Secrets Manager is usually the better answer when automatic rotation is required.
Do not expose S3 buckets publicly to serve private content. Use CloudFront access controls and signed URLs/cookies when appropriate.

Incident response and forensics

Incident response priorities

For AWS security scenarios, prefer responses that preserve evidence, contain impact, and automate repeatable steps.

Incident need	Strong action
Suspected compromised IAM access key	Disable/deactivate key, investigate CloudTrail, rotate credentials
Compromised IAM role session	Revoke active sessions where applicable, adjust policies, investigate activity
Compromised EC2 instance	Isolate via security group, preserve snapshots/volumes, capture memory if process exists, investigate logs
Public S3 bucket exposure	Block public access, review bucket policy/ACLs/access points, analyze access logs
Malware or suspicious EC2 behavior	Isolate instance, preserve evidence, inspect with approved tooling, review GuardDuty/Inspector findings
Unauthorized API calls	Identify principal/session/source, contain credentials, review CloudTrail, add detective controls
Data exfiltration suspicion	Analyze CloudTrail data events, S3 logs, VPC Flow Logs, DNS logs, GuardDuty findings

EC2 containment pattern

    flowchart TD
	    A[Potentially compromised EC2 instance] --> B[Do not terminate immediately]
	    B --> C[Attach restrictive isolation security group]
	    C --> D[Preserve evidence: snapshots, logs, metadata]
	    D --> E[Investigate from forensic account or isolated environment]
	    E --> F[Eradicate, rebuild from trusted image, rotate credentials]
	    F --> G[Document lessons and automate controls]

Incident response traps

Do not terminate first if evidence is required. Snapshot and isolate.
Do not log in and change the compromised host casually. You may alter evidence.
Do not reuse compromised credentials. Rotate secrets and keys.
Containment should reduce blast radius quickly. Security group isolation is a common answer for EC2.
Use EventBridge for automated response. For known findings, automated containment or notification is often expected.
Rebuild from known-good artifacts. Do not simply “clean” a compromised instance and return it to service without confidence.

Application and workload security

Compute identity patterns

Workload	Secure AWS access pattern
EC2	Instance profile with IAM role
Lambda	Execution role
ECS	Task role for application permissions
EKS	Pod-level IAM integration where appropriate
On-premises workload	IAM Roles Anywhere or federation patterns when appropriate
CI/CD pipeline	Short-lived credentials and scoped deployment roles

Lambda security review

Area	Review point
Execution role	Least privilege; avoid broad managed policies
Environment variables	Encrypt sensitive values; prefer Secrets Manager for secrets
VPC access	Needed only for private resources; not automatically more secure
Function URL/API Gateway	Control auth, CORS, resource policies, WAF where appropriate
Dependencies	Scan and update packages
Logging	CloudWatch Logs with sensitive data handling

Container security review

Area	Review point
Image scanning	Amazon Inspector/ECR scanning
Runtime permissions	Use task roles, avoid privileged containers unless required
Secrets	Inject securely from Secrets Manager or Parameter Store
Network	Security groups, private subnets, service mesh or network policies where relevant
Registry access	IAM and repository policies
Base images	Use trusted, minimal, patched images

CI/CD security traps

Deployment roles should be scoped. Avoid giving pipelines unrestricted administrator access.
Secrets should not be stored in source control or plaintext build logs.
Artifact integrity matters. Use trusted repositories, signing/verification where appropriate.
Separate build, deploy, and runtime permissions.
Use temporary credentials for automation whenever possible.

Policy conditions and least privilege

Condition keys are often the difference between a broad answer and the best answer.

Goal	Condition idea
Require MFA for sensitive actions	MFA-related condition keys
Restrict by source IP	Source IP conditions, noting limitations with AWS service calls
Restrict by VPC endpoint	Source VPC endpoint conditions
Restrict by organization	Principal organization conditions
Restrict by Region	Requested Region conditions
Restrict S3 uploads to encrypted objects	S3 server-side encryption condition
Restrict KMS use via a specific service	KMS via-service style conditions
Restrict role assumption context	External ID, principal tags, session tags, source identity where appropriate

Least-privilege review checklist

Scope Action to required API calls.
Scope Resource to specific ARNs when the service supports it.
Add Condition keys for context, such as MFA, tags, network path, encryption, or organization.
Avoid wildcard administrative permissions.
Separate human, workload, and break-glass access.
Review unused permissions with access analysis tools.
Protect policy editing permissions because they can become privilege escalation paths.

Service-specific quick hits

IAM Access Analyzer

Use when a question asks to identify unintended public or cross-account access, validate policies, or reason about external access. It is especially relevant for S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets.

AWS Config

Use when a question asks whether resources comply with required configurations over time. Config rules can trigger remediation. Config is not the same as CloudTrail; it records configuration state, not every API event.

Amazon GuardDuty

Use for threat detection across supported data sources. Findings may indicate compromised credentials, suspicious network activity, malware-related behavior, or anomalous activity. Pair with EventBridge for response.

AWS Security Hub

Use for centralized findings and posture management. It integrates findings from AWS services and partner tools. It is a strong answer when the requirement is aggregation, prioritization, compliance views, or centralized security operations.

Amazon Inspector

Use for vulnerability detection in supported compute and container environments. It is the better fit for CVEs, vulnerable packages, and exposure analysis than GuardDuty.

Amazon Macie

Use for sensitive data discovery in S3, such as personally identifiable information patterns. Do not choose Macie for generic network threat detection.

AWS WAF

Use for HTTP/S inspection, managed rule groups, SQL injection/XSS patterns, rate limits, and application-layer filtering. Associate it with CloudFront, Application Load Balancer, API Gateway, and supported resources.

AWS Shield

Use for DDoS protection. Standard protection is broadly available; advanced DDoS scenarios may involve AWS Shield Advanced, AWS WAF, CloudFront, Route 53, and architecture choices. Do not treat Shield as a web request rule engine; that is AWS WAF.

AWS Firewall Manager

Use when the requirement is centrally managing firewall/security policies across accounts, such as AWS WAF rules, Shield Advanced protections, security group policies, or network firewall policies.

AWS Network Firewall

Use for managed network traffic filtering and inspection at the VPC level. It is a stronger fit than NACLs when the scenario needs centralized, stateful inspection or domain/protocol-aware network controls.

Scenario decision table

If the question says…	Think…
“Central security team must enforce across all accounts”	AWS Organizations, delegated admin, Firewall Manager, Security Hub, GuardDuty organization setup
“Developers can create roles but must not exceed approved permissions”	Permissions boundaries
“Prevent accounts in an OU from using a service”	SCP
“Third-party vendor needs access to your account”	Cross-account role, external ID, least privilege, CloudTrail
“Find who changed this resource”	CloudTrail
“Find whether this resource is compliant”	AWS Config
“Find whether this S3 bucket exposes data externally”	IAM Access Analyzer, S3 Block Public Access, bucket policy review
“Find sensitive data in S3”	Macie
“Detect compromised credentials”	GuardDuty, CloudTrail investigation
“Aggregate security findings”	Security Hub
“Scan workloads for vulnerabilities”	Inspector
“Block SQL injection attempts”	AWS WAF
“Private access to S3 from VPC”	S3 gateway endpoint and bucket policy conditions
“Private access to Secrets Manager from VPC”	Interface endpoint
“Rotate database password automatically”	Secrets Manager rotation
“Application needs AWS access without stored keys”	IAM role
“Preserve evidence after EC2 compromise”	Isolate, snapshot, investigate, rebuild
“Restrict use of KMS key to requests from S3”	KMS key policy/conditions with service context
“Prevent public S3 buckets account-wide”	S3 Block Public Access and guardrails

Common candidate mistakes

Choosing the wrong service category

Many candidates choose a familiar service instead of the service that directly satisfies the requirement.

Mistake	Better reasoning
Choosing CloudWatch for all audit questions	CloudTrail is usually for API audit activity
Choosing GuardDuty for compliance configuration	AWS Config evaluates configuration compliance
Choosing Security Hub as the detector	Security Hub aggregates; other services detect
Choosing Macie for all sensitive systems	Macie focuses on S3 sensitive data discovery
Choosing WAF for all network filtering	WAF is Layer 7 web filtering
Choosing NACLs for deep inspection	Use AWS Network Firewall or inspection appliances

Overlooking policy intersections

A principal may need several permissions to complete one operation.

Example: reading an encrypted S3 object may require:

S3 permission to read the object.
Bucket policy that does not deny access.
KMS permission to decrypt using the key.
KMS key policy that allows or delegates that access.
Network or endpoint policy that permits the request path.
No applicable SCP or permissions boundary blocking the action.

Missing the “centralized” clue

If a scenario says “multiple accounts,” “organization-wide,” “central security team,” or “consistent enforcement,” consider:

AWS Organizations.
SCPs.
Delegated administrator.
Security Hub aggregation.
GuardDuty organization configuration.
AWS Config aggregator.
Firewall Manager.
Centralized logging account.

Missing the “automated” clue

If the requirement says “automatically remediate,” “near real time,” or “without manual intervention,” consider:

EventBridge rule.
Lambda remediation.
Systems Manager Automation.
AWS Config remediation.
Security Hub custom actions or automation patterns.
Step Functions for multi-step workflows.

Fast final review checklist

Before practice, make sure you can answer these without notes:

What is the difference between identity-based policies, resource-based policies, SCPs, and permissions boundaries?
Why does an explicit deny override an allow?
When does a cross-account role need a trust policy?
Why is iam:PassRole sensitive?
What is the difference between CloudTrail, CloudWatch, Config, and VPC Flow Logs?
Which service detects suspicious account or workload behavior?
Which service aggregates security findings?
Which service scans for vulnerabilities?
Which service discovers sensitive data in S3?
How do you secure S3 against public access?
What extra permission is needed to read KMS-encrypted data?
How do VPC gateway endpoints and interface endpoints differ?
Why are security groups stateful and NACLs stateless?
What should you do first with a compromised EC2 instance when evidence matters?
Which services help enforce security centrally across multiple AWS accounts?
How do you avoid long-term credentials for applications?
When should you choose Secrets Manager over Parameter Store?
How do WAF, Shield, Network Firewall, and security groups differ?
What logs would you inspect for suspected S3 data exfiltration?
How would you build an automated response to a GuardDuty finding?

Practice strategy after this Quick Review

Use this Quick Review as a map, then move into IT Mastery practice:

Start with topic drills for IAM, KMS, logging, and network security.
Review detailed explanations for every missed or guessed question.
Build a personal error log with the service you confused, the clue you missed, and the correct decision rule.
Take mixed mock exams only after you can explain why each wrong answer is wrong.
Return to weak topics with targeted original practice questions instead of rereading broadly.

A practical next step: begin with focused SCS-C03 topic drills on IAM policy evaluation, KMS access, CloudTrail/Config/GuardDuty distinctions, and VPC security controls, then use detailed explanations to close each gap before attempting a full mock exam.

Continue in IT Mastery

Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official AWS questions, copied live-exam content, or exam dumps.

Study Plan