Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

The correct solution is option D because it effectively prevents direct access to the internet-facing ALB while allowing legitimate traffic that originates from Amazon CloudFront. By configuring CloudFront to include a custom HTTP header (such as X-Shared-Secret) in all origin requests, and then configuring ALB listener rules to only forward requests that contain the expected header value, the ALB will reject any requests that bypass CloudFront.

This approach is a documented AWS best practice when CloudFront is placed in front of an ALB and AWS WAF is associated with the CloudFront distribution. AWS WAF only evaluates traffic that flows through CloudFront; therefore, preventing direct access to the ALB is critical to ensure that all requests are inspected by the web ACL.

Option A is invalid because CloudFront does not support AWS PrivateLink endpoints as origins. Option B is incorrect because CloudFront cannot use an internal ALB as an origin; CloudFront requires a publicly reachable origin. Option C is not recommended because CloudFront IP ranges change frequently, making IP-based allow lists operationally complex and error-prone, and AWS does not provide a supported CloudFront prefix list for ALB listener rules.

AWS Security Specialty guidance explicitly recommends using custom origin headers to restrict ALB access to CloudFront-only traffic, making option D the correct and secure solution.

Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security – Specialty documentation, GuardDuty findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events).

Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.

Option A is incorrect because GuardDuty does not directly invoke Lambda functions. Option B and Option D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. Cryptocurrency findings are security detections, not configuration changes.

AWS documentation explicitly describes this pattern—GuardDuty → EventBridge → Lambda → remediation action—as a best practice for automated threat response and containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – Findings

Amazon EventBridge User Guide

AWS Incident Response Best Practices

AWS KMS key policies can restrict how and when a key is used by applying conditions such as kms:ViaService, which limits usage to requests that originate from a specific AWS service. According to the AWS Certified Security – Specialty Official Study Guide and AWS KMS documentation, the kms:ViaService condition is evaluated against the service that calls KMS on behalf of the principal.

Using StringEquals with kms:ViaService restricts usage to exactly one service endpoint. However, AWS services can invoke KMS through service variants, internal endpoints, or additional service integrations. When StringEquals is used, these variations can unintentionally bypass the condition, allowing the key to be used by other services through different internal service paths.

Changing the condition operator from StringEquals to StringLike ensures that only EC2-related service calls that match the intended service pattern are allowed, while still preventing use by unrelated AWS services. This aligns with AWS guidance to use StringLike when service invocation patterns may vary.

Option B is incorrect because the root principal statement is required to retain administrative control over the key. Option C is invalid because changing Regions does not address unauthorized service usage. Option D does not restrict key usage and does not mitigate the issue.

AWS documentation explicitly recommends tightening condition operators in KMS key policies to prevent unintended service access while maintaining required functionality.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

AWS KMS Key Policy Best Practices

AWS KMS provides condition keys that can be used to tightly scope how and where a customer managed key can be used. According to the AWS Certified Security – Specialty Study Guide, the kms:ViaService condition key is specifically designed to restrict key usage to requests that originate from a particular AWS service in a specific Region.

By configuring the key policy to allow KMS cryptographic operations only when kms:ViaService equals s3..amazonaws.com, the security engineer ensures that the key can be used exclusively by Amazon S3. Even if other IAM principals have permissions to use the key, the key cannot be used by other services such as Amazon EC2, Amazon RDS, or AWS Lambda.

Option A is incorrect because AWS services do not assume identities in key policies. Options C and D modify IAM role policies, which do not control how a KMS key is used by AWS services. AWS documentation clearly states that service-level restrictions must be enforced at the KMS key policy level using condition keys.

This approach enforces strong separation of duties and limits blast radius, which aligns with AWS security best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policy Condition Keys

AWS KMS Best Practices

Amazon Inspector provides native CI/CD integration capabilities that allow security checks to occur before container images are pushed to Amazon ECR. According to AWS Certified Security – Specialty documentation, Inspector does not block image pushes automatically. Instead, prevention must occur inside the CI/CD pipeline itself.

By generating a Software Bill of Materials (SBOM) using the Amazon Inspector SBOM generator and submitting it to Inspector for scanning, the pipeline can detect critical vulnerabilities before the image is uploaded. If vulnerabilities exceed policy thresholds, the pipeline fails, preventing deployment.

Post-push scanning solutions only detect vulnerabilities after exposure. Event-driven blocking does not prevent the initial risk.

AWS best practices require “shift-left” security controls to prevent vulnerable artifacts from entering production.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector CI/CD Integration

Amazon SQS is an AWS-managed service and does not operate within customer VPCs. Therefore, security groups and network ACLs cannot be used to control access to SQS, making options A and B invalid. According to AWS Certified Security – Specialty documentation, the recommended approach to securely access AWS services from within a VPC is through interface VPC endpoints (AWS PrivateLink).

By creating interface VPC endpoints for Amazon SQS, the company ensures that traffic to SQS stays within the AWS network and does not traverse the public internet. Adding an SQS resource policy with the aws:SourceVpce condition restricts access so that only requests originating from the specified VPC endpoint are allowed. Additionally, using the aws:PrincipalOrgId condition ensures that only principals belonging to the same AWS Organization can access the queue.

Option D introduces an external tool, increasing cost and compliance complexity, which directly violates the requirement to minimize investment outside AWS.

AWS documentation clearly identifies VPC endpoints combined with IAM condition keys as a best practice for securing service access in multi-account environments.

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security Best Practices

AWS Organizations Documentation

AWS PrivateLink User Guide

AWS incident response guidance emphasizes immediate containment, credential invalidation, and removal of malicious resources. According to the AWS Certified Security – Specialty documentation, compromised credentials must be rotated or deleted immediately to prevent further unauthorized actions. Rotating or deleting access keys directly mitigates ongoing abuse.

Deleting unrecognized or unauthorized resources, such as the malicious S3 bucket, removes the active threat and limits further damage. Enabling Amazon GuardDuty provides continuous monitoring and helps identify additional compromised resources or malicious behavior that may not yet be visible.

Changing passwords for all IAM users is disruptive and unnecessary if compromise scope is limited. Encrypting CloudTrail logs does not reduce active impact. Taking EBS snapshots is primarily for forensic investigation, not immediate consequence minimization.

AWS best practices recommend GuardDuty activation, credential rotation, and removal of malicious resources as first-response actions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty Threat Detection

Amazon Detective is a purpose-built AWS service designed to analyze, investigate, and visualize security data to help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security – Specialty Official Study Guide, Amazon Detective directly integrates with Amazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to automatically create behavior graphs and timelines.

When GuardDuty generates findings related to anomalous activity, Amazon Detective enables security engineers to pivot directly to an investigation focused on a specific IAM role, user, or resource. Detective automatically correlates historical activity, identifies deviations from baseline behavior, and highlights indicators of compromise, such as unusual API calls, credential misuse, or suspicious network activity.

AWS Audit Manager (Option B) is designed for compliance and audit evidence collection, not threat investigation. Amazon Inspector (Options C and D) is focused on vulnerability scanning of compute resources and does not analyze IAM behavior or GuardDuty findings.

AWS documentation explicitly states that Amazon Detective is the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.

AWS Certified Security – Specialty Official Study Guide

Amazon Detective User Guide

Amazon GuardDuty Integration Documentation

AWS IAM Identity Center centrally manages user access across an AWS Organization. Disabling the user in Identity Center immediately revokes access to all AWS accounts. According to AWS Certified Security – Specialty documentation, organizational CloudTrail event data stores provide centralized, queryable access to all events across accounts.

Using CloudTrail Lake enables direct querying of activity without exporting logs. Disabling the user at the Identity Center level ensures full containment.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Incident Response

AWS CloudTrail Lake

Amazon GuardDuty is a fully managed, organization-aware threat detection service that continuously analyzes AWS logs such as CloudTrail events, VPC Flow Logs, DNS logs, EKS audit logs, and RDS activity. According to the AWS Certified Security – Specialty Official Study Guide, GuardDuty is designed to operate at scale across AWS Organizations with minimal operational overhead.

By designating a GuardDuty administrator account in the organization’s management account and enabling GuardDuty organization-wide, the company can automatically enable threat detection across hundreds of AWS accounts. Enabling EKS Protection allows GuardDuty to analyze Kubernetes audit logs for suspicious activity, while RDS Protection provides anomaly detection for Amazon Aurora databases.

Options B, C, and D require custom log aggregation, processing, and analytics pipelines, which significantly increase operational effort and maintenance complexity. Amazon Inspector does not analyze logs, Athena-based analysis is manual, and Kinesis plus Lambda requires custom detection logic.

AWS documentation explicitly identifies GuardDuty with AWS Organizations integration as the recommended solution for centralized, automated threat detection across multi-account environments with minimal operational effort.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

GuardDuty Organization Administration Documentation