Free Amazon Web Services SCS-C03 Practice Exam with Questions & Answers | Set: 7

Option D is the correct solution because it provides fully automated, real-time detection and mitigation of application-layer (Layer 7) DDoS attacks with no manual intervention. AWS Shield Advanced includes automatic application layer DDoS mitigation when it is enabled for supported resources such as Amazon CloudFront distributions. This feature continuously monitors traffic patterns and, when an attack is detected, automatically deploys AWS WAF rules to mitigate malicious requests.

Adding a rate-based rule to the AWS WAF web ACL further strengthens protection by automatically blocking IP addresses that exceed a defined request threshold, which is a common characteristic of Layer 7 DDoS attacks. This combination aligns directly with AWS best practices for protecting web applications against volumetric and application-layer threats.

Option A only provides alerting and visibility but does not ensure automated mitigation. Option B includes proactive engagement with the AWS DDoS Response Team, which is valuable for complex or large-scale attacks but still involves human interaction and therefore does not meet the “no manual effort” requirement. Option C introduces unnecessary complexity and is not recommended for protecting CloudFront-based applications against Layer 7 DDoS attacks.

AWS Security Specialty documentation explicitly recommends AWS Shield Advanced with automatic application layer DDoS mitigation and AWS WAF rate-based rules for fully automated, real-time protection of public web applications.

AWS abuse notifications are delivered as AWS Health events. According to the AWS Certified Security – Specialty Study Guide, Amazon EventBridge integrates natively with AWS Health and can be used to detect specific event types such as AWS_ABUSE_DOS_REPORT in near real time.

By creating an EventBridge rule that filters for the abuse report event type and publishes directly to Amazon SNS, the solution remains fully managed, low latency, and cost effective.

Polling APIs introduces delay and complexity. CloudTrail does not log abuse notifications. EventBridge with AWS Health is the recommended mechanism for reacting to AWS service events.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Health and EventBridge Integration

AWS Abuse Notification Handling

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

AWS Systems Manager Session Manager provides secure, auditable shell access to EC2 instances without opening inbound ports. According to AWS Certified Security – Specialty guidance, Session Manager records all session activity to CloudWatch Logs or Amazon S3 and integrates with IAM Identity Center for centralized authentication.

This solution meets all requirements: no exposed ports, full audit logging, and identity-based access control. EC2 Instance Connect and serial console access do not integrate with Identity Center and may expose management paths.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Session Manager

AWS IAM Identity Center Integration

AWS WAF supportsWAF loggingas a dedicated feature that can deliver logs to destinations such as Amazon S3 (commonly via Kinesis Data Firehose). These logs contain rich request details (rule matches, action taken, headers, URI, source IP, etc.) that are essential for determining whether traffic spikes are due to application-layer attacks. For analysis with low operational overhead, storing logs inS3and querying them withAmazon Athenais a standard pattern. Usingpartition projectionfurther reduces administrative work by avoiding manual partition management and enabling efficient queries over time-based prefixes.

Options A and D incorrectly route WAF logs through CloudTrail; WAF request logs are not delivered “to a CloudTrail trail.” CloudTrail records AWS API activity, not per-request WAF inspection logs. Option B describes querying S3 data directly with OpenSearch using “partition projection,” which is an Athena/Glue concept; OpenSearch is typically used by ingesting data into an index (often via Firehose), not by directly querying S3 objects as a table in that manner.

Therefore, enabling WAF logs to S3 and analyzing them with Athena using partition projection is the correct solution.

The correct solution is option D because it effectively prevents direct access to the internet-facing ALB while allowing legitimate traffic that originates from Amazon CloudFront. By configuring CloudFront to include a custom HTTP header (such as X-Shared-Secret) in all origin requests, and then configuring ALB listener rules to only forward requests that contain the expected header value, the ALB will reject any requests that bypass CloudFront.

This approach is a documented AWS best practice when CloudFront is placed in front of an ALB and AWS WAF is associated with the CloudFront distribution. AWS WAF only evaluates traffic that flows through CloudFront; therefore, preventing direct access to the ALB is critical to ensure that all requests are inspected by the web ACL.

Option A is invalid because CloudFront does not support AWS PrivateLink endpoints as origins. Option B is incorrect because CloudFront cannot use an internal ALB as an origin; CloudFront requires a publicly reachable origin. Option C is not recommended because CloudFront IP ranges change frequently, making IP-based allow lists operationally complex and error-prone, and AWS does not provide a supported CloudFront prefix list for ALB listener rules.

AWS Security Specialty guidance explicitly recommends using custom origin headers to restrict ALB access to CloudFront-only traffic, making option D the correct and secure solution.

Comprehensive and Detailed 100to 150 words of Explanation From AWS Certified Security – Specialty topics:

Amazon S3 Glacier Vault Lock has a 24-hour in-progress period after initiate-vault-lock is called. During this period, the lock is not yet immutable, and AWS allows the vault lock process to be aborted. Since the security engineer discovered the typo only 12 hours after initiation, the most cost-effective correction is to abort the current vault lock, fix the policy, and initiate the vault lock process again. Copying 10 TB of data to a new location is unnecessary, expensive, and operationally wasteful. Updating the policy without aborting does not correctly resolve a vault lock policy in progress. Once the lock is completed, the policy becomes immutable, so action must be taken before completion.

================

To analyze API access patterns with minimal effort andwithout parsing raw log files, the best approach is to rely onmetricsand built-in query tooling. EnablingDetailed CloudWatch Metricsfor an API Gateway stage (Option E) provides near-real-time, aggregated visibility into usage and performance patterns (such as request counts, latency, error rates like 4XX/5XX) that are ideal for identifying trends and spikes without handling logs.

For deeper pattern exploration when needed,CloudWatch Logs Insights(Option D) provides an interactive query experience over logs that are already in CloudWatch Logs, allowing quick filtering and aggregation. In practice, developers use metrics to understand access patterns at a high level and Logs Insights to slice and dice request data without building a separate parsing pipeline.

Options A and C still rely on enabling access logs and shipping them to S3/Athena, which is more setup and operational overhead (and still involves managing log storage/format). CloudTrail (Option B) records control-plane API calls to AWS services, not end-user access requests to your API methods, so it won’t provide the desired access pattern view for API consumers. Therefore, Detailed CloudWatch Metrics plus CloudWatch Logs Insights is the least-effort combination for access pattern analysis.

The requirement is to havekey material generated and used inside a custom key store backed by an AWS CloudHSM cluster. This is exactly whatAWS KMS Custom Key Storesprovide: KMS manages the keys and policies, but the cryptographic operations for those KMS keys occur in the associatedCloudHSMcluster, keeping the key material within HSM boundaries. For applications that needlocal-use data keys(both symmetric data keys and asymmetric data key pairs), KMS supports generating data keys and data key pairs that applications can use for envelope encryption and local cryptographic operations, while the master key protections remain within KMS (and within CloudHSM when using a custom key store).

For auditing, AWS best practice isAWS CloudTrail, which records KMS API calls (such as CreateKey, GenerateDataKey, GenerateDataKeyPair, Encrypt/Decrypt, etc.) and provides an immutable event history for compliance and investigation. Athena can query logs, but it is not the primary audit record source; GuardDuty is for threat detection, not authoritative key-usage auditing. Therefore, the correct combination isKMS with a CloudHSM-backed custom key storeplusCloudTrailfor auditability.