Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Amazon Inspector provides native Lambda code vulnerability scanning. GuardDuty focuses on runtime threats, not static code analysis.

AWS Elastic Disaster Recovery (AWS DRS)is purpose-built for continuously replicatingphysical and virtual serversinto AWS with low RTO/RPO. It uses lightweight replication agents to stream block-level changes to a low-coststaging areain AWS, which helps optimize storage costs (only the staging resources run continuously) and reduces bandwidth usage through efficient replication mechanisms. In a disaster or test, AWS DRS can automatically launch recovery instances in AWS based on a defined blueprint (instance types, networking, security groups), enabling rapid failover workflows that commonly meetsub-hour RTOobjectives.

Option A is not the intended service model: AWS Backup protects AWS-native resources and does not “directly replicate” arbitrary on-prem servers as a continuous replication DR system. Option B (Storage Gateway Volume Gateway) can support backups of certain storage use cases via snapshots, but it is not a general continuous replication solution for diverse physical/virtual servers and may not meet the RTO requirement as directly as AWS DRS. Option D (Direct Connect + custom automation) can help with connectivity, but it does not provide continuous server replication by itself and would require significant custom engineering and ongoing operational effort.

Therefore, enabling AWS Elastic Disaster Recovery and configuring replication agents is the best automated, cost-optimized solution.

To achieve true separation of duties, the company needs a design whereS3 access alone is not sufficientto read plaintext data.SSE-KMS with a customer managed KMS keyprovides that separation because successful object reads require both: (1) S3 permissions to read the object and (2) permission to use the KMS key to decrypt it. This enables the operations team to manage bucket and object permissions while the security team independently controls key usage through theKMS key policy(and grants). If either team misconfigures only their part, the data is still protected: an overly permissive bucket policy won’t expose plaintext unless KMS decrypt is also allowed; similarly, KMS permissions alone are not sufficient without S3 read access.

Option B also adds a bucket policy requirement enforcingSSE-KMSso objects are consistently protected with the customer managed key. SSE-S3 options (A and C) do not provide the same separation because S3 manages the keys and decryption is not independently controlled by a separate team via KMS policies. Option D is invalid because SSE-C uses customer-provided keys that are supplied with each request and are not stored/managed in KMS as described. Therefore, SSE-KMS with customer managed keys plus restrictive key policy is the correct solution.

AWS Shield Advanced is the AWS-native managed service specifically designed to provide detection, mitigation, and visibility for Distributed Denial of Service (DDoS) attacks at both the network and application layers. Shield Advanced integrates directly with Amazon CloudWatch by publishing DDoS-related metrics such as DDoSDetected, AttackVolume, and AttackVector, which can be monitored using CloudWatch alarms to trigger alerts in near real time. This makes option D the correct and fully supported solution.

Amazon Macie focuses on discovering and protecting sensitive data (such as PII) in Amazon S3 using machine learning and does not provide DDoS detection capabilities, making option A incorrect. Amazon Inspector is a vulnerability management service that assesses EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure; it does not detect live DDoS attacks, so option B is incorrect. AWS Firewall Manager is a centralized management service for configuring AWS WAF, Shield Advanced, and security groups across accounts, but it does not emit native DDoS detection metrics for alerting, which eliminates option C.

According to AWS Security Specialty documentation, the recommended best practice for DDoS detection and alerting is to enable AWS Shield Advanced and configure Amazon CloudWatch alarms on Shield metrics, optionally integrating with Amazon SNS for notifications and AWS Incident Manager for response automation.

Toenforcerequired tagging and approved values at scale, the strongest guardrail is anSCPbecause SCPs can prevent API calls across accounts/OUs before resources are created or tags are changed. By using the aws:RequestTag/CostCenter condition key and checking that the value is one of the approved values, an SCP candeny Create (and TagResource/UntagResource where supported)* when the request attempts to set a non-approved value. This prevents “bad” CostCenter values from being introduced.

AWS Config (including custom policy rules with CloudFormation Guard) is excellent fordetectingnoncompliance and reporting, but on its own it is not a hard preventative control. Pairing Config rule evaluation with an SCP guardrail gives both visibility and prevention. Option A is the only option that explicitly combines an enforceable preventive control (SCP deny based on aws:RequestTag/CostCenter) with compliance evaluation logic.

Option B cannot “block creation” reliably because EventBridge/Lambda isafter-the-fact; by the time the function runs, the resource is already created. Option C relies on tag policies enforcement semantics; tag policies primarilystandardize and reporttag usage, and the provided SCP in C only checks for null/missing values, not for non-approved values or for preventing later changes. Option D is also reactive and not a guaranteed preventative control.

To restrict activity to a single Region in an OU using an SCP, the standard pattern is an explicitDenyfor requests madeoutsidethe allowed Region, while carving out exceptions forglobal servicesthat do not use aws:RequestedRegion in the same way (or that must remain usable regardless of Region). This is done withEffect: Deny, aConditionusing StringNotEquals on aws:RequestedRegion for the allowed Region (here, eu-west-1), andNotActionlisting the global services that should remain available.

This works because SCPs act asguardrails: an explicit Deny in an SCP overrides IAM Allow in member accounts, ensuring the restriction applies consistently to all existing and future accounts placed in the OU. The StringNotEquals condition ensures the deny triggers for any Region other than eu-west-1. The NotAction exception list ensures that the specified global services are not blocked by this deny statement.

Option A is wrong because StringEquals would deny actionsineu-west-1 rather than outside it. Options B and D useAllowstatements, which do not enforce “only this Region” safely in SCPs unless combined with a comprehensive deny strategy; they would not reliably restrict all other services/regions. Therefore, option C is the correct SCP structure.

AWS Secrets Manageris the AWS service designed to store secrets securely and to supportautomatic rotationon a schedule—commonly used for Amazon RDS credentials. Storing credentials in Secrets Manager removes them from source code, enables fine-grained access control, and supports auditability of secret retrieval through CloudTrail. Rotation can be configured to periodically change the database password and update the stored secret automatically, minimizing operational overhead compared to manual rotation processes.

To ensure the credentials are accessibleonly to the application, the correct ECS pattern is to useIAM roles for tasks. A task role can be scoped to allow only secretsmanager:GetSecretValue (and related actions if needed) for the specific secret ARN. Only tasks running with that role can retrieve the secret at runtime, which prevents broad access. This also helps reduce the risk of database administrators sharing plaintext credentials, because the recommended operational model is that humans should not need direct access; the application retrieves the secret programmatically, and access can be limited to break-glass workflows if required.

Systems Manager Parameter Store can store encrypted parameters, but Secrets Manager provides stronger native secret lifecycle features (notably rotation) for databases. Inline policies (Option B) are not necessary; managed or attached policies on the task role achieve the same goal with cleaner administration.

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

The company uses two different identity systems, and password policy must be enforcedat the system that actually stores and manages the passwords. For users authenticating throughIAM federation with on-premises Active Directory, IAM is not storing the users’ passwords; the password policy is enforced byActive Directory. Therefore, the minimum password length must be configured in theon-premises AD password policyso federated users are subject to the requirement during password creation/changes.

For the cloud application that usesAmazon Cognito user poolsas its user database, Cognitodoesstore and manage user passwords for those users. Cognito user pools include a configurable password policy (minimum length and complexity requirements). Updating the Cognito user pool password policy enforces the required minimum length for the application’s users going forward.

Options D and E are not applicable. Service control policies (SCPs) restrict AWS API actions; they cannot enforce end-user password-length rules inside AD or Cognito. Similarly, IAM policies control authorization to AWS resources and APIs, not password complexity/length requirements across external IdPs or Cognito user databases. Updating IAM password policy (Option A) would apply only toIAM users(local users in AWS), which is not the authentication model described for the federated workforce.

Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security – Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.

Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles were used during suspicious activity.

Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.

AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Detective Investigation Capabilities

AWS Threat Detection and Analysis