Amazon Web Services SCS-C03 - AWS Certified Security – Specialty

Amazon GuardDuty provides managed threat detection and supports EKS protection features that analyze Kubernetes audit logs to detect suspicious activity, including unauthorized or unauthenticated access attempts. AWS Certified Security – Specialty documentation recommends GuardDuty for low-overhead detection because it is fully managed and does not require deploying agents or modifying application code. EKS Audit Log Monitoring is designed to consume and analyze relevant control plane audit events to identify anomalous or unauthorized actions against the cluster. Compared to third-party add-ons, GuardDuty reduces operational burden and remains fully within AWS managed services. Security Hub aggregates findings from services like GuardDuty but does not itself perform the detection. CloudWatch Container Insights focuses on performance and operational metrics, not authentication security detections. Therefore, enabling GuardDuty with EKS Audit Log Monitoring provides the required detection with the least operational effort and without requiring additional configuration to the existing EKS workload beyond enabling the feature.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty EKS Protection and Audit Log Monitoring

AWS Threat Detection Best Practices for Kubernetes on AWS

The correct Config rule for finding buckets that are not usingSSE-KMS by defaultiss3-default-encryption-kms. It evaluates the bucket’s default encryption settings and flags buckets that do not have KMS default encryption enabled. The s3-bucket-ssl-requests-only rule focuses on enforcing HTTPS-only requests and does not validate encryption-at-rest settings, so it cannot satisfy the “identify not encrypted with KMS” requirement.

For preventing uploads of objects that are not encrypted with KMS, an organization-wide control is needed. AnSCPcan restrict s3:PutObject so that uploads succeed only when the request specifiesSSE-KMS(and optionally a specific KMS key). This provides broad, low-touch enforcement across many accounts and buckets. While bucket policies can also enforce SSE-KMS, managing and verifying hundreds of bucket policies is more operationally heavy than a centrally managed SCP guardrail.

Option B enforcesSSE-S3, which does not meet the requirement forKMSencryption. Option D uses the wrong Config rule and relies on an “allow-only” pattern rather than explicit deny logic, making it an unreliable fit for the stated goal. Therefore, A is the best answer.

For encrypted RDS snapshots that must be shared across accounts and still bedecryptablein the target accounts, you should use acustomer managed KMS keyand explicitly grant cross-account use of that key. AWS-managed default keys (Option A/C) generally cannot be shared for cross-account decryption in the same flexible way as customer managed keys, and you cannot “copy” an AWS-managed key to another account. Likewise, you cannot “import” an existing KMS key into another account via Lambda as described in Option B; KMS keys are account-scoped resources and are not copied between accounts like that.

With acustomer managed key (CMK), the key policy (and/or grants) can allow principals in the DR accounts to use the key for the required cryptographic operations (for example, kms:Decrypt, kms:CreateGrant, and relevant describe permissions). Then, when the snapshot is shared and copied/used in the destination account during a DR event, the destination account can decrypt it because it has been granted permission to use the same CMK. This approach is the standard AWS pattern for cross-account encrypted snapshot sharing and meets both encryption and recoverability requirements with strong governance and auditability through CloudTrail.