Free Amazon Web Services SCS-C03 Practice Exam with Questions & Answers | Set: 2

AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security – Specialty Official Study Guide, the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is by using AWS Organizations service control policies (SCPs).

SCPs define the maximum available permissions for all accounts in an organization or organizational unit. By creating an SCP with an explicit Deny for the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions and attaching it to the root OU, the security engineer ensures that no principal in any member account—including administrators—can stop or delete CloudTrail trails. Explicit denies in SCPs cannot be overridden by IAM permissions.

Option A is incorrect because log file integrity validation only detects tampering after logs are delivered and does not prevent CloudTrail from being disabled. Option B protects log data at rest but does not prevent trail deletion or logging suspension. Option D removes read-only permissions and does not affect the ability to stop or delete CloudTrail.

AWS documentation explicitly states that SCPs are the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Documentation

AWS CloudTrail Security Best Practices

Amazon CloudFront includes a native geo restriction (geoblocking) capability that allows content owners to control access to their distributions based on the geographic location of the viewer. The viewer’s country is determined using the IP address from which the request originates. According to the AWS Certified Security – Specialty Official Study Guide and the Amazon CloudFront Developer Guide, geo restriction is specifically designed for scenarios where organizations must comply with regional regulations, licensing requirements, or data sovereignty policies.

From a cost perspective, CloudFront geo restriction is the most cost-effective solution because it is configured directly within the CloudFront distribution and does not require AWS WAF. AWS WAF introduces additional costs for web ACLs, rules, and request processing, which is unnecessary when the requirement is limited strictly to blocking or allowing access based on country.

Option A is incorrect because maintaining IP ranges for entire countries is operationally complex, error-prone, and not scalable. Country-level IP ranges frequently change, making this approach unsuitable and inefficient. Option B, although technically valid, is not the most cost-effective choice because AWS WAF geo match rules incur additional charges and are intended for advanced Layer 7 security controls such as application-layer attacks. Option D is incorrect because geolocation headers provided by CloudFront are informational only and cannot independently enforce access control decisions.

AWS documentation explicitly recommends CloudFront geo restriction when the sole requirement is country-based access control, reserving AWS WAF for advanced security inspection and threat mitigation use cases.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Developer Guide – Geo Restriction

AWS Well-Architected Framework – Security Pillar

AWS Security Best Practices Documentation

AWS KMS key policies can restrict how and when a key is used by applying conditions such as kms:ViaService, which limits usage to requests that originate from a specific AWS service. According to the AWS Certified Security – Specialty Official Study Guide and AWS KMS documentation, the kms:ViaService condition is evaluated against the service that calls KMS on behalf of the principal.

Using StringEquals with kms:ViaService restricts usage to exactly one service endpoint. However, AWS services can invoke KMS through service variants, internal endpoints, or additional service integrations. When StringEquals is used, these variations can unintentionally bypass the condition, allowing the key to be used by other services through different internal service paths.

Changing the condition operator from StringEquals to StringLike ensures that only EC2-related service calls that match the intended service pattern are allowed, while still preventing use by unrelated AWS services. This aligns with AWS guidance to use StringLike when service invocation patterns may vary.

Option B is incorrect because the root principal statement is required to retain administrative control over the key. Option C is invalid because changing Regions does not address unauthorized service usage. Option D does not restrict key usage and does not mitigate the issue.

AWS documentation explicitly recommends tightening condition operators in KMS key policies to prevent unintended service access while maintaining required functionality.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

AWS KMS Key Policy Best Practices

In a properly segmented VPC architecture, public subnets route internet-bound traffic to an internet gateway, while private subnets route outbound internet traffic through a NAT gateway that resides in a public subnet. According to the AWS Certified Security – Specialty Official Study Guide and Amazon VPC documentation, private subnets must never have a direct route to an internet gateway.

The issue described indicates that private subnets are incorrectly routing traffic directly to the internet gateway. To remediate this, a NAT gateway must be provisioned in each public subnet to ensure high availability across Availability Zones. This satisfies the requirement that private resources can initiate outbound connections without being directly reachable from the internet.

Next, the route tables associated with the private subnets must be updated so that the default route (0.0.0.0/0) points to the NAT gateway in the same Availability Zone. This ensures proper traffic flow and prevents cross-AZ dependencies.

Option B is incorrect because NAT gateways must reside in public subnets. Option C is unnecessary because local routes to the VPC CIDR range are automatically created. Option E is explicitly insecure, as it would reintroduce direct internet gateway access from private subnets.

AWS documentation consistently identifies NAT gateways plus correct private subnet routing as the standard design for secure VPC segmentation.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Route Table Documentation

AWS Well-Architected Framework – Security Pillar

Step 1: Obtain the SAML metadata from IAM Identity Center.

Step 2: Obtain the SAML metadata from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center.

When integrating AWS IAM Identity Center (formerly AWS SSO) with an external identity provider (IdP) using SAML 2.0, AWS requires a specific sequence of steps to establish trust and federation correctly.

Step 1: Obtain the SAML metadata from IAM Identity Center

IAM Identity Center acts as the service provider (SP) in the SAML trust. The external IdP must trust IAM Identity Center, so the IdP needs IAM Identity Center’s SAML metadata first. This metadata contains critical information such as the SP entity ID, ACS (Assertion Consumer Service) URL, and signing certificate. Without this metadata, the external IdP cannot be configured to send assertions to AWS.

Step 2: Obtain the SAML metadata from the external IdP

After the external IdP is configured to trust IAM Identity Center, the IdP generates its own SAML metadata. This metadata includes the IdP entity ID, SSO endpoint, and signing certificate. IAM Identity Center requires this information to validate authentication assertions coming from the external IdP.

Step 3: Configure the external IdP as the identity source in IAM Identity Center

Once both metadata files are available, the security engineer configures the external IdP as the identity source in IAM Identity Center. At this stage, IAM Identity Center imports the IdP metadata and establishes the SAML trust relationship. After this configuration, users authenticated by the external IdP can be federated into AWS accounts and applications via IAM Identity Center.

Why the other options are incorrect:

Creating an IAM role with an IdP API endpoint is used for IAM federation, not IAM Identity Center.

Automatic provisioning (SCIM) is optional and is configured after SAML federation is established.

Automatic provisioning must be enabled on both sides, but it is not required to complete the core IdP integration.

This sequence follows AWS best practices for SAML-based federation with IAM Identity Center.

AWS KMS keys are regional resources and cannot be used across Regions. According to AWS Certified Security – Specialty documentation, applications that are deployed in multiple Regions should use region-specific customer managed keys while referencing keys by alias instead of key ID.

By creating a new customer managed key in eu-north-1 and assigning it the same alias as the key in eu-west-1, the application code can continue to reference the alias without modification. Each Region resolves the alias to the correct local key, ensuring encryption continues to function correctly.

Option A is invalid because KMS keys are regional. Option B requires application changes. Option D introduces unsupported alias patterns.

AWS best practices recommend alias-based key references for multi-Region deployments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Keys and Aliases

AWS KMS Best Practices

AWS Audit Manager is specifically designed to help organizations continuously audit their AWS usage against compliance frameworks and generate audit-ready reports. According to AWS Certified Security – Specialty documentation, Audit Manager includes AWS managed frameworks for compliance standards, including PCI DSS v4.0.

Audit Manager automatically collects evidence from AWS services such as API Gateway, Lambda, RDS, CloudTrail, and Config, and maps the evidence directly to PCI DSS controls. Importantly, Audit Manager allows compliance teams to upload and attach manual evidence, which is a key requirement in this scenario.

Option C provides visibility into control status but does not support adding manual evidence. Option B evaluates configuration compliance but does not generate formal compliance reports. Option A requires extensive manual effort and is not aligned with PCI reporting workflows.

AWS documentation positions Audit Manager as the authoritative service for compliance reporting and audit evidence management.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Audit Manager PCI DSS Framework

AWS Compliance Reporting Best Practices

Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.

AWS WAF cannot be directly associated with Cognito user pools.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Threat Protection

Amazon OpenSearch Service is designed for near real-time log ingestion, indexing, and search across large volumes of data. According to the AWS Certified Security – Specialty Study Guide, OpenSearch supports advanced log analytics use cases and integrates with OpenSearch Security Analytics, which provides prebuilt and custom detection rules.

Security Analytics can continuously evaluate incoming logs from multiple AWS services and generate alerts when detection rules are matched. These alerts can be forwarded to Amazon SNS with minimal configuration. OpenSearch also provides powerful search and query capabilities through APIs and dashboards.

Option C supports detection but lacks advanced correlation and scalable search capabilities. Option B is not a log analytics service. Option D is a visualization service and does not support real-time detection.

AWS guidance recommends OpenSearch Service for centralized, near real-time log analysis and alerting.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon OpenSearch Service Security Analytics

AWS Logging and Monitoring Architecture

Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security – Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.

Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles were used during suspicious activity.

Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.

AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Detective Investigation Capabilities

AWS Threat Detection and Analysis