Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Amazon SQS is an AWS-managed service and does not operate within customer VPCs. Therefore, security groups and network ACLs cannot be used to control access to SQS, making options A and B invalid. According to AWS Certified Security – Specialty documentation, the recommended approach to securely access AWS services from within a VPC is throughinterface VPC endpoints (AWS PrivateLink).

By creatinginterface VPC endpoints for Amazon SQS, the company ensures that traffic to SQS stays within the AWS network and does not traverse the public internet. Adding anSQS resource policywith the aws:SourceVpce condition restricts access so that only requests originating from the specified VPC endpoint are allowed. Additionally, using the aws:PrincipalOrgId condition ensures that only principals belonging to the same AWS Organization can access the queue.

Option D introduces an external tool, increasing cost and compliance complexity, which directly violates the requirement to minimize investment outside AWS.

AWS documentation clearly identifiesVPC endpoints combined with IAM condition keysas a best practice for securing service access in multi-account environments.

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security Best Practices

AWS Organizations Documentation

AWS PrivateLink User Guide

Amazon Inspector is the AWS service designed specifically for vulnerability management across compute workloads, including Amazon ECR container images and AWS Lambda functions. According to the AWS Certified Security – Specialty documentation, Amazon Inspector provides automated vulnerability assessments for container images stored in ECR by performing enhanced image scanning that identifies common vulnerabilities and exposures (CVEs) in operating systems and application dependencies.

Inspector also supports Lambda code scanning to analyze function packages and container-based Lambda images for known software vulnerabilities. Findings include severity ratings and remediation guidance, allowing security teams to identify and prioritize risks efficiently.

Amazon GuardDuty focuses on threat detection using behavioral analysis and does not perform static vulnerability scanning of container images or Lambda code. AWS Security Hub aggregates findings from other services but does not perform scanning itself.

AWS best practices recommend Amazon Inspector for vulnerability detection in container images and serverless workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector for ECR and Lambda

AWS Vulnerability Management Best Practices

AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Roles

Continuous monitoring requires an always-on compliance service that evaluates resources over time. AWS Config provides managed rules that assess configuration state and compliance continuously. AWS Certified Security – Specialty guidance highlights AWS Config for continuous compliance across accounts and regions when used with AWS Organizations. The ec2-managedinstance-applications-required managed rule evaluates whether specified software is installed on managed instances, leveraging Systems Manager inventory/managed instance status. By enabling AWS Config organization-wide and deploying this managed rule across all accounts, the company can continuously evaluate both existing and newly launched instances for required application presence. This provides a consistent compliance dashboard and history of compliance changes. Option D can provide inventory lists, but it is not a compliance rule engine that flags noncompliance with the same governance reporting and remediation pathways. Options B and C are operational approaches but do not provide continuous compliance state across the organization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for EC2 and SSM Managed Instances

AWS Organizations Integration with AWS Config

For the earliest detection of abnormal spend, the most direct and purpose-built capability isAWS Cost Anomaly Detection. It continuously evaluates spend patterns and uses machine learning to identify unexpected cost increases soon after they begin, then sends alerts based on the configured thresholds. By creating acost monitor(for example, for linked accounts, services, or cost categories) and configuring an alert to publish toSNS, the security team can receive near-real-time notifications when costs deviate beyond an expected baseline. This is well suited for detecting compromise-driven spend (such as abused EC2 instances serving phishing pages, crypto-mining, or data exfiltration patterns that raise transfer costs).

Option A introduces significant operational overhead and delays because billing/usage exports are not guaranteed to be updated on an hourly cadence in a way that consistently outperforms the native anomaly detector, and the company would be maintaining custom analytics logic. Option C is explicitly slower (daily manual review). Option D may detect suspicious traffic but is indirect for “earliest cost increase” detection and depends on building/operating a separate analytics pipeline; also, not all cost anomalies are visible from flow logs. Therefore, Cost Anomaly Detection provides the fastest and lowest-overhead alerting for unexpected spend.

Amazon EC2 security groups arestateful, meaning that once a connection is established, return traffic is automatically allowed, even if the inbound rule that originally permitted the connection is later removed. According to the AWS Certified Security – Specialty Official Study Guide and Amazon EC2 security documentation,existing connections are not terminated when security group rules change. This explains why the SSH session remains active even after the security group rules were modified, while new traffic such as ICMP ping is blocked.

To immediately and fully isolate an EC2 instance during an incident response scenario, AWS recommends usingstateless network controls. Amazon VPC network ACLs (NACLs) arestateless, which means that every packet is evaluated against the ACL rules regardless of whether the traffic is part of an existing connection. When a deny rule is added,all traffic is immediately blocked, including active sessions.

By creating a network ACL and associating it with the subnet that contains the target instance, and by adding explicit deny rules with the lowest rule numbers for both inbound and outbound traffic, the security engineer ensures thatall network communication to and from the instance is immediately interrupted. This approach satisfies the requirement to isolate the instance while preserving its runtime state and memory for forensic analysis.

Other options fail to meet the requirement because security group modifications do not terminate existing sessions, Systems Manager does not enforce network isolation, and host-level firewall changes require instance-level access and do not provide immediate, network-enforced isolation.

AWS Certified Security – Specialty Official Study Guide

Amazon EC2 Security Groups Documentation

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

AWS Config is purpose-built torecord resource configuration stateand track how that state changes over time. When multiple updates occur close together, AWS Config captures configuration items that represent the resource’scurrent recorded configuration, which is exactly what a compliance engineer needs to evaluate the final (cumulative) state after a burst of changes. AWS Config also integrates directly with compliance evaluation throughConfig rules, which can continuously assess whether the latest configuration meets required standards. This is the most operationally efficient approach because it avoids building custom log filtering, state reconstruction, or timing logic.

CloudTrail and CloudWatch-based approaches (Options A and C) captureAPI events, not authoritative “current configuration state.” Reconstructing the final configuration from a series of API calls can be error-prone, especially when changes are made by different services, via consoles, or through chained automation. CloudTrail is excellent for “who did what and when,” but AWS Config is the service that maintains thelatest configuration snapshotsuitable for compliance posture evaluation.

AWS Cloud Map (Option D) is for service discovery and naming, not compliance configuration history. Therefore, AWS Config is the correct and most efficient solution.

For centralized, organization-wide user access to AWS services and supported applications, AWS best practice is to useAWS IAM Identity Center(successor to AWS SSO). IAM Identity Center provides a single place to manage workforce identities, permission sets, and account assignments across AWS Organizations. Amazon Q Developer is integrated for centralized access using IAM Identity Center, where you can assign the relevant permissions to users and groups and enable access consistently across multiple AWS accounts. Setting Amazon Q Developer up as anAWS managed applicationaligns with IAM Identity Center’s model for centrally provisioning and controlling access with minimal operational overhead.

Amazon Cognito is primarily intended forcustomer identity and application sign-up/sign-inscenarios, not for workforce access to AWS managed developer tools across multiple AWS accounts. “Identity pools” are a Cognito concept for exchanging identities for AWS credentials, which adds unnecessary complexity and is not the standard approach for centrally granting employees access to Amazon Q Developer in an organization. Therefore, enabling IAM Identity Center and configuring Amazon Q Developer as an AWS managed application is the correct solution.

AWS CloudFormation supports dynamic references to AWS Secrets Manager, which allow sensitive values to be retrieved securely at stack runtime. According to AWS Certified Security – Specialty guidance, dynamic references prevent secrets from being stored in plaintext in templates, stack metadata, or logs.

Using dynamic references ensures that secrets remain encrypted at rest and are accessed only when required. CloudFormation does not support SecureString parameters for Secrets Manager references, and encrypting templates does not prevent exposure during execution.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Dynamic References

AWS Secrets Manager Best Practices

SSE-S3 uses AWS-managed keys and does not provide customer control. AWS Certified Security – Specialty documentation states that SSE-KMS with customer managed keys allows full control, auditing, and key rotation. The security engineer must first create a customer managed KMS key, then update the bucket to use SSE-KMS. Existing objects must be re-encrypted to ensure compliance.

SSE-C requires the application to manage keys, increasing complexity and risk. AWS managed keys do not meet the requirement for customer-controlled encryption.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Encryption Options

AWS KMS Customer Managed Keys