Free Amazon Web Services SCS-C03 Practice Exam with Questions & Answers

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near–real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near–real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls

Amazon Cognito identity pools are designed to provide temporary AWS credentials for applications by exchanging an authenticated identity token for AWS Security Token Service (STS) credentials. AWS Certified Security – Specialty guidance distinguishes between Cognito user pools (authentication) and identity pools (authorization to AWS resources). A user pool can authenticate a user and issue tokens, but an identity pool is required to obtain AWS credentials that can be used to sign AWS API requests, such as S3 API calls. The correct mechanism is for the application to use AssumeRoleWithWebIdentity through STS (which is the underlying federation method used by identity pools) to receive temporary credentials for an IAM role that grants S3 permissions. GetId alone does not provide credentials; it returns an identity identifier that is used as part of the credential exchange flow. Options C and D are incorrect because user pool tokens are not AWS credentials and cannot directly sign S3 requests. The solution therefore must use identity pools to map users to IAM roles and retrieve temporary credentials, satisfying the requirement for authenticated API calls using short-lived credentials.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Identity Pools and STS Federation

AWS STS AssumeRoleWithWebIdentity

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

AWS WAF rate-based rules are specifically designed to protect applications from traffic floods and distributed attacks that originate from large numbers of IP addresses. According to the AWS Certified Security – Specialty Official Study Guide, rate-based rules automatically track the number of requests coming from individual IP addresses and temporarily block IPs that exceed a defined threshold.

In this scenario, the malicious traffic originates from hundreds of IP addresses across two countries, mixed with legitimate user traffic. A rate-based rule allows the security engineer to limit excessive request rates without fully blocking access from entire geographic regions, ensuring that legitimate users can still access the application.

Option B is incorrect because geographic match rules block all traffic from selected countries, which would deny access to legitimate users and violate the stated requirement. Option C is invalid because security groups do not support geographic filtering. Option D is not scalable, as manually blocking hundreds of IP addresses is operationally inefficient and ineffective against rapidly changing attacker IPs.

AWS documentation emphasizes that rate-based rules are the recommended first-line mitigation for sudden traffic spikes and potential application-layer DDoS attacks when business continuity must be preserved.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices

AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security – Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.

If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.

Other options reference incorrect principals or irrelevant permissions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Prerequisites

AWS WAF logs capture detailed request-level information, including source IP address, request URI, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, AWS WAF logging is a critical detection control when application-level attacks are suspected, especially when host-based logs are unreliable or can be erased by attackers.

By configuring the AWS WAF web ACL to send logs to Amazon Data Firehose, the company ensures that all future requests are centrally captured and delivered to a durable storage service such as Amazon S3. Using Amazon Athena, the security team can query these logs to identify requests targeting specific application paths such as new-user-creation.php and extract the originating client IP addresses.

Option A is incorrect because VPC Flow Logs operate at the network layer and do not capture HTTP request paths. Option B is invalid because ALBs do not support CloudWatch agents. Option C is viable but introduces additional operational complexity and cost, making it less appropriate than the native WAF logging solution.

AWS documentation highlights AWS WAF logging combined with Athena as a best practice for forensic analysis and attacker identification.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena User Guide

AWS Detection and Monitoring Best Practices

AWS best practices recommend using a shared secret header between CloudFront and ALB origins to prevent direct access. CloudFront injects a custom header, and the ALB listener rules validate its presence.

IP-based controls are brittle due to CloudFront IP changes. PrivateLink and internal ALBs are not supported as CloudFront origins. Header validation is the most reliable and widely recommended pattern.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

CloudFront Origin Protection

AWS WAF and ALB Integration

Amazon GuardDuty Exfiltration:S3/AnomalousBehavior findings indicate that S3 data access patterns are consistent with data exfiltration. In this scenario, the attacker is using temporary credentials obtained from an EC2 instance profile, which are issued by AWS Security Token Service (STS).

According to AWS Certified Security – Specialty documentation, the fastest and most targeted remediation is to revoke the temporary session credentials associated with the compromised instance profile. This can be accomplished by removing or modifying the IAM role permissions, detaching the instance profile, or stopping the instance, which immediately invalidates the temporary credentials and prevents further S3 access.

Option B may limit outbound traffic but does not invalidate already issued credentials. Option C is a detection and classification service and does not prevent active exfiltration. Option D would block all access to the bucket, including legitimate access, and is considered overly disruptive for incident containment.

AWS incident response best practices emphasize credential revocation as the first containment step when compromise of temporary credentials is confirmed.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – S3 Protection

AWS STS and IAM Role Security Documentation

AWS Incident Response Best Practices

EC2 Instance Connect endpoints provide secure, private connectivity to EC2 instances without requiring public IP addresses, inbound internet access, or VPN connectivity. According to AWS Certified Security – Specialty documentation, Instance Connect endpoints are designed specifically for incident response and secure administrative access scenarios.

By deploying an EC2 Instance Connect endpoint in the VPC, the security team can block all external network access while still maintaining controlled access to EC2 instances through the AWS Management Console. The endpoint uses AWS-managed infrastructure and private connectivity, and access is authorized using IAM policies and instance profiles.

Options A and B rely on direct EC2 Instance Connect installation and network paths that may still depend on external access. Option C is incorrect because tunneling is not required when using the console-based Instance Connect endpoint.

This solution enables forensic access during incidents without reopening external network paths, aligning with AWS incident response best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

EC2 Instance Connect Endpoint Architecture

AWS Incident Response Best Practices