Amazon Web Services SCS-C02 - AWS Certified Security - Specialty

The condition of "s3:x-amz-server-side-encryption":"IAM:kms" ensures that objects uploaded need to be encrypted.

Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-side-encryption":"IAM:kms" is present

The correct answer is B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.

This answer is correct because it meets the requirements of sending an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. By configuring CloudTrail to send events to CloudWatch Logs, the securityengineer can create a metric filter that matches the desired pattern of failed sign-in events.Then, by creating a CloudWatch alarm based on the metric filter, the security engineer can set a threshold of 3 and a period of 5 minutes, and choose an action such as sending an email or an Amazon Simple Notification Service (Amazon SNS) message when the alarm is triggered12.

The other options are incorrect because:

A. Turning on Insights events on the trail and configuring an alarm on the insight is not a solution, because Insights events are used to analyze unusual activity in management events, such as spikes in API call volume or error rates.Insights events do not capturefailed sign-in attempts to the AWS Management Console3.

C. Creating an Amazon Athena table from the CloudTrail events and running a query for failed sign-in events is not a solution, because it does not provide a mechanism to send an alert based on the query results.Amazon Athena is an interactive query service that allows analyzing data in Amazon S3 using standard SQL, but it does not support creating notifications or alarms from queries4.

D. Creating an analyzer in AWS Identity and Access Management Access Analyzer and configuring it to send an Amazon SNS notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes is not a solution, because IAM Access Analyzer is not a service that monitors sign-in events, but a service that helps identify resources that are shared with external entities.IAM Access Analyzer does not generate findings for failed sign-in attempts to the AWS Management Console5.

To ensure that database credentials are stored securely and rotated periodically, the security engineer should do the following:

Use AWS Secrets Manager to store database credentials. This allows the security engineer to encrypt and manage secrets centrally, and to configure automatic rotation schedules for them.

Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only. This allows the security engineer to grant fine-grained permissions to ECS tasks based on their roles, and to avoid sharing credentials as plaintext with other teammates.

you need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilitiesand exposures on your EC2 instances5. You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security Hub6. Security Hub is a service that provides you with a comprehensive view of your securitystate in AWS and helps you check your environment against security industry standards and best practices7. The other options are either incorrect or incomplete for meeting the requirement.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html

Comprehensive and Detailed Explanation From Exact Extract:

AWS Backup supports cross-Region backup copy to another backup vault in a different AWS Region. This is the simplest and most operationally efficient method to meet the requirement of geographic redundancy (i.e., data centers several hundred miles apart).

No custom scripting, Lambda, or EventBridge scheduling is required, minimizing operational overhead and aligning with Data Protection and Disaster Recovery best practices.

To securely and cost-effectively retain log data archives for several years, the company should do the following:

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy. This allows the company to use a low-cost storage class that is designed for long-term archival of data that is rarely accessed. It also allows the company to enforce compliance controls on their S3 Glacier vault by locking a vault access policy that cannot be changed.

Comprehensive and Detailed Explanation From Exact Extract:

KMS grants are lightweight and efficient tools designed specifically for programmatic, temporary, or high-volume delegation of KMS key usage. They are ideal when access needs to be rotated or updated frequently—such as weekly changes in vendors.

KMS grants allow you to control access without changing the key policy itself. They can be easily created and revoked programmatically, which minimizes operational overhead compared to editing key or IAM policies.

This approach aligns with Identity and Access Management best practices in the AWS Certified Security – Specialty study guide for scalable cross-account key access management.