Free Amazon Web Services SCS-C03 Practice Exam with Questions & Answers

For the earliest detection of abnormal spend, the most direct and purpose-built capability isAWS Cost Anomaly Detection. It continuously evaluates spend patterns and uses machine learning to identify unexpected cost increases soon after they begin, then sends alerts based on the configured thresholds. By creating acost monitor(for example, for linked accounts, services, or cost categories) and configuring an alert to publish toSNS, the security team can receive near-real-time notifications when costs deviate beyond an expected baseline. This is well suited for detecting compromise-driven spend (such as abused EC2 instances serving phishing pages, crypto-mining, or data exfiltration patterns that raise transfer costs).

Option A introduces significant operational overhead and delays because billing/usage exports are not guaranteed to be updated on an hourly cadence in a way that consistently outperforms the native anomaly detector, and the company would be maintaining custom analytics logic. Option C is explicitly slower (daily manual review). Option D may detect suspicious traffic but is indirect for “earliest cost increase” detection and depends on building/operating a separate analytics pipeline; also, not all cost anomalies are visible from flow logs. Therefore, Cost Anomaly Detection provides the fastest and lowest-overhead alerting for unexpected spend.

Option A satisfies all requirements with the most direct, purpose-built AWS logging workflow. By using the CloudWatch Agent (or fluent-bit / unified logging configuration) on each EC2 instance—regardless of whether it is On-Demand or Spot—the application logs can be centralized into asingle Amazon CloudWatch Logs log group. Centralization ensures the logs remain available even as Spot Instances are interrupted and replaced. Access control is handled withIAM policies(and optionally resource policies/KMS encryption) so that only a specific set of users can read/query the log group.

For analysis,CloudWatch Logs Insightsprovides an interactive query language that is SQL-like and commonly treated as “SQL queries” for troubleshooting. It enables fast filtering, aggregation, and pattern detection across large log volumes without building a separate data lake pipeline. This supports event-pattern analysis and root cause investigation directly from the centralized log group.

Option B is incorrect because Logs Insights queries CloudWatch Logs data, not arbitrary log files sitting in S3. Option C is inefficient (many log groups) and Athena cannot directly query CloudWatch log groups as a native data source. Option D is incorrect because Amazon Detective is for security investigations across supported data sources and is not the primary service for ad-hoc SQL-style querying of application logs.

AWS Secrets Manager is a regional service that is accessed through private AWS endpoints. In a VPC without internet access, AWS recommends using AWS PrivateLink through interface VPC endpoints to enable secure, private connectivity to supported AWS services. According to AWS Certified Security – Specialty documentation, interface VPC endpoints allow resources within a VPC to communicate with AWS services without traversing the public internet, NAT devices, or internet gateways.

An interface VPC endpoint for Secrets Manager creates elastic network interfaces (ENIs) within the VPC subnets and assigns private IP addresses that route traffic directly to the Secrets Manager service. Because the VPC has private DNS enabled, the standard Secrets Manager DNS hostname resolves to the private IP addresses of the interface endpoint, allowing the Lambda rotation function to communicate securely and transparently.

Option A introduces unnecessary complexity and expands the attack surface by allowing outbound internet access. Option B is incorrect because gateway VPC endpoints are supported only for Amazon S3 and Amazon DynamoDB. Option D violates the security requirement by exposing the VPC to the internet.

AWS security best practices explicitly recommend interface VPC endpoints as the most secure connectivity method for private VPC workloads accessing AWS managed services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Secrets Manager Security Architecture

AWS PrivateLink and Interface VPC Endpoints Documentation

In IAM Identity Center, a permission set that includes acustomer managed policydoes not “carry” that policy into each target account automatically unless the policy exists there. When you attach a customer managed policy by name to a permission set, IAM Identity Center expects that policy to be present in each account where the permission set is provisioned. If the policy is missing in any account (common when assigning across multiple accounts), provisioning/assignment can fail because Identity Center cannot attach a non-existent policy to the role it creates in that account.

The correct fix is tocreate the customer managed policy in every target account, ensuring it has thesame nameand the intended permissions in each account. Once the policy exists consistently across accounts, IAM Identity Center can successfully provision the permission set in each account and complete the user assignment.

Options B and D are workarounds that increase complexity and do not address the underlying requirement to use the customer managed policy across accounts. Option C is not the issue here; policy “conflicts” typically do not prevent provisioning—missing referenced customer managed policies do. Therefore, ensuring the customer managed policy exists in each assigned account resolves the failure with the intended multi-account design.

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

AWS CloudTrail is theauthoritative source for identity-related activityacross an AWS Organization. According to the AWS Certified Security – Specialty Official Study Guide, CloudTrail recordsall AWS API calls and authentication events, including federated sign-ins that occur through AWS IAM Identity Center with an external SAML identity provider.

When IAM Identity Center is used,successful federated login events are logged in CloudTrailas ConsoleLogin and AssumeRoleWithSAML events. These events are recorded in theorganization’s management accountwhen CloudTrail is configured as an organization trail. This allows security teams to centrally search and correlate authentication activity across all member accounts.

Option A is incorrect because CloudWatch Logs do not natively aggregate authentication events across an organization unless custom pipelines are built. Option B is not scalable and does not provide historical, organization-wide visibility. Option C is invalid because AWS does not ingest external IdP logs into EventBridge automatically, and IdP logs do not reflect AWS-side role assumptions.

AWS documentation explicitly states thatCloudTrail organization trails provide centralized visibility into user authentication and access activity across all accounts, making this the fastest and most reliable way to identify when a user logged in during a specific time window.

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail User Guide

AWS IAM Identity Center Documentation

AWS Organizations Best Practices

To addresssoftware vulnerabilities, you need both (1) a vulnerability assessment capability and (2) a consistent patching mechanism.Amazon Inspectorcontinuously scans EC2 instances for known software vulnerabilities and exposures (CVEs), package-level issues, and security misconfigurations relevant to the supported scan types. It provides prioritized findings and helps the security team understand which instances are exposed and why.

To mitigate those vulnerabilities,AWS Systems Manager Patch Managerprovides automated, policy-driven patching for fleets of EC2 instances. Patch Manager can schedule patch windows, control reboots, enforce baselines, and report compliance, allowing the company to remediate issues at scale with controlled operational impact.

Option B focuses on firewall/AV tooling, which can be helpful, but it is not a complete vulnerability detection-and-patching solution and is heavier to manage across large fleets. Option C is centered on log anomaly detection, not vulnerability management. Option D mixes GuardDuty Malware Protection (malware detection) with patching; GuardDuty is not a vulnerability scanner and does not replace Inspector for CVE detection. Therefore, Inspector + Patch Manager is the correct combined solution to detect and mitigate software vulnerabilities.

AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security – Specialty Official Study Guide,the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is by using AWS Organizations service control policies (SCPs).

SCPs define themaximum available permissionsfor all accounts in an organization or organizational unit. By creating an SCP with an explicitDenyfor the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions and attaching it to theroot OU, the security engineer ensures thatno principal in any member account—including administrators—can stop or delete CloudTrail trails. Explicit denies in SCPs cannot be overridden by IAM permissions.

Option A is incorrect because log file integrity validation only detects tampering after logs are delivered and does not prevent CloudTrail from being disabled. Option B protects log data at rest but does not prevent trail deletion or logging suspension. Option D removes read-only permissions and does not affect the ability to stop or delete CloudTrail.

AWS documentation explicitly states thatSCPs are the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Documentation

AWS CloudTrail Security Best Practices

AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security – Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP’s SAML assertions.

By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.

Option A unnecessarily disables identities and causes access outages. Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP. Option D is unrelated to federation source configuration and only affects authentication timing issues.

AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center SAML Federation

AWS Identity Federation Best Practices

AWS Service Catalog is designed to allow organizations to create and manageapproved sets of CloudFormation templates, known as products, and make them available to specific accounts or organizational units (OUs). According to the AWS Certified Security – Specialty Study Guide, Service Catalog is thepreferred governance mechanismfor enforcing standardized infrastructure deployments while maintaining strong access controls.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved CloudFormation template. This guarantees that third-party developers can deploy infrastructureonly in accordance with the company’s predefined deployment plan, without modifying or directly accessing the template itself.

Option B and D use CloudFormation modules, which are intended for reusable resource definitions but do not provide the same level ofdeployment governance, access control, and lifecycle managementas Service Catalog. Option C introduces unnecessary cross-account IAM roles, increasing the attack surface and operational complexity, which violates the “most secure” requirement.

AWS documentation explicitly states thatService Catalog is the recommended service for distributing standardized CloudFormation templates across AWS Organizations, while controlling who can deploy them and where.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS Well-Architected Framework – Security Pillar