Free Practice Questions for Amazon Web Services SCS-C03 Exam

Amazon WorkSpaces is a fully managed desktop-as-a-service solution designed to minimize infrastructure and operational overhead. According to AWS Certified Security – Specialty documentation, WorkSpaces supports device trust by using client certificates to restrict access to approved devices.

By deploying client certificates only to company-managed devices and enforcing restricted access at the directory level, the organization ensures that only trusted endpoints can authenticate. This approach avoids the cost and complexity of building and maintaining a custom VDI or managing individual EC2 instances.

Option A and B significantly increase management overhead. Option C is incorrect because IAM does not manage WorkSpaces authentication gateway policies or device trust.

AWS best practices highlight Amazon WorkSpaces with certificate-based device trust as the most efficient solution for secure, managed desktops.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon WorkSpaces Security Controls

Amazon WorkSpaces Device Trust

Amazon S3 Lifecycle configuration rules are the native, automated mechanism for managing object retention and deletion. According to AWS Certified Security – Specialty documentation, lifecycle rules can be configured to expire objects based on the number of days since object creation. Once the expiration time is reached, Amazon S3 permanently deletes the objects without manual intervention.

This solution directly enforces a maximum retention period of 72 hours and ensures compliance regardless of whether the vendor downloads the data or not. Lifecycle rules are evaluated continuously by Amazon S3 and do not require scripts, cron jobs, or additional services, making them the most operationally efficient and cost-effective solution.

S3 Versioning controls versions but does not enforce object deletion timelines. S3 Intelligent-Tiering optimizes storage cost but does not delete objects. Presigned URLs only control access duration and do not remove objects from storage.

AWS explicitly recommends lifecycle policies for automated data retention enforcement.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

CloudWatch Logs Insights is a managed, on-demand query capability designed to search and analyze log data stored in CloudWatch Logs without moving the data elsewhere. AWS Certified Security – Specialty documentation highlights Logs Insights as the lowest-effort method for rapid investigations, because it supports filtering, parsing, aggregation, and time-range queries directly over existing log groups. In this scenario, the logs already exist in CloudWatch Logs with sufficient retention. The engineer can write a query that filters for the suspicious IP address, counts occurrences over the last 7 days, and extracts requested URLs using parsing functions. This satisfies both requirements (count and URLs) immediately, without building pipelines or exporting data. Option B adds operational overhead by provisioning and maintaining OpenSearch ingestion and indexing. Options A and D require exporting data and additional services that are not necessary for a one-week forensic query. Therefore, Logs Insights is the most efficient and cost-effective approach.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Insights Querying and Investigation Workflows

AWS WAF rate-based rules are designed to help protect applications and resources from traffic floods and application-layer DDoS attacks by tracking the number of requests from individual source IP addresses over a rolling time window. According to the AWS Certified Security – Specialty Official Study Guide and AWS WAF documentation, rate-based rules can be configured with different actions, including Count, Block, and Allow.

When a security engineer is determining an appropriate rate limit that will not block legitimate traffic, AWS best practices recommend initially configuring the rate-based rule with the Count action. The Count action allows AWS WAF to monitor and log requests that exceed the specified rate threshold without actively blocking them. This provides visibility into traffic patterns and enables the security engineer to analyze how the rule would behave in production.

By using the Count action, the security engineer can safely evaluate whether legitimate users would be affected by the chosen rate limit. Once the engineer is confident that the threshold accurately distinguishes between normal traffic and malicious behavior, the action can later be changed to Block.

Option B is incorrect because immediately blocking traffic without validation risks denying service to legitimate users. Option C is invalid because AWS WAF does not have a Monitor action. Option D is incorrect because the Allow action does not enforce rate limiting.

AWS documentation explicitly recommends starting rate-based rules in Count mode to fine-tune thresholds before enforcing blocks, especially for DDoS protection scenarios.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices

AWS CloudTrail provides a record of all API calls made in an AWS account, including calls initiated by AWS CloudFormation. According to the AWS Certified Security – Specialty Study Guide, CloudTrail is the primary source for troubleshooting authorization failures because it records denied actions and the policy type that caused the denial, including service control policies.

Reviewing CloudTrail logs allows a security engineer to identify which specific API calls failed during the CloudFormation deployment and whether the denial was caused by an SCP, an IAM policy, or a permission boundary. This evidence-based approach is the recommended first step before making any configuration changes.

Option B is unsafe and violates governance best practices by removing SCPs in production. Option C may be necessary later, but it does not identify whether SCPs are the root cause. Option D introduces unnecessary risk and bypasses the purpose of differentiated controls across OUs.

AWS documentation emphasizes observing and validating before modifying security controls, making CloudTrail log analysis the correct initial troubleshooting step.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Service Control Policies

AWS CloudTrail Authorization Failure Analysis

AWS CloudTrail Lake is purpose-built to store, query, and analyze CloudTrail events, including data events, without requiring additional infrastructure. The AWS Certified Security – Specialty documentation explains that CloudTrail Lake provides immutable event storage with configurable retention periods, including multi-year retention, which satisfies long-term compliance requirements such as 7-year retention. Events are stored in an append-only, immutable format managed by AWS, reducing operational complexity.

CloudTrail Lake supports SQL-based queries for complex analysis directly against the event data, eliminating the need to export logs to other services for querying. Additionally, CloudTrail Lake includes built-in dashboards and integrations that enable visualization of event trends and patterns without standing up separate analytics or visualization platforms.

Option B is invalid because CloudTrail Event History only retains events for up to 90 days and does not support long-term retention or advanced querying. Option C introduces high operational overhead and cost by requiring persistent Amazon EMR clusters and additional services. Option D incurs ongoing ingestion, indexing, and storage costs for OpenSearch Service over a 7-year period, making it less cost-effective than CloudTrail Lake.

AWS documentation positions CloudTrail Lake as the most cost-effective and operationally efficient solution for long-term, queryable CloudTrail event storage and visualization.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Lake Architecture and Retention

AWS CloudTrail Data Events Overview

AWS WAF logs capture detailed request-level information, including source IP address, request URI, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, AWS WAF logging is a critical detection control when application-level attacks are suspected, especially when host-based logs are unreliable or can be erased by attackers.

By configuring the AWS WAF web ACL to send logs to Amazon Data Firehose, the company ensures that all future requests are centrally captured and delivered to a durable storage service such as Amazon S3. Using Amazon Athena, the security team can query these logs to identify requests targeting specific application paths such as new-user-creation.php and extract the originating client IP addresses.

Option A is incorrect because VPC Flow Logs operate at the network layer and do not capture HTTP request paths. Option B is invalid because ALBs do not support CloudWatch agents. Option C is viable but introduces additional operational complexity and cost, making it less appropriate than the native WAF logging solution.

AWS documentation highlights AWS WAF logging combined with Athena as a best practice for forensic analysis and attacker identification.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena User Guide

AWS Detection and Monitoring Best Practices

AWS Config is the AWS service designed to continuously evaluate resource configurations against defined rules. According to the AWS Certified Security – Specialty Study Guide, AWS Config managed rules exist specifically to check database encryption, public accessibility, deletion protection, and log exports for Amazon RDS and Aurora.

AWS Config provides a real-time compliance timeline and displays the compliance state of each resource against each rule at any point in time. This granular visibility is required to assess ongoing compliance with security policies.

Audit Manager generates reports but does not provide continuous compliance monitoring. Security Hub aggregates findings but does not track configuration drift. EventBridge and Lambda introduce unnecessary complexity.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for RDS

AWS Continuous Compliance Monitoring

AWS WAF rate-based rules are designed specifically to track the number of requests from a single IP address over a configurable time window. According to AWS Certified Security – Specialty guidance, rate-based rules integrate natively with CloudFront and emit CloudWatch metrics that can trigger alarms.

CloudFront logs and VPC Flow Logs are not real-time detection tools. ASN match rules do not count request rates.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Rate-Based Rules

CloudFront and AWS WAF Integration

AWS WAF rate-based rules are specifically designed to protect applications from traffic floods and distributed attacks that originate from large numbers of IP addresses. According to the AWS Certified Security – Specialty Official Study Guide, rate-based rules automatically track the number of requests coming from individual IP addresses and temporarily block IPs that exceed a defined threshold.

In this scenario, the malicious traffic originates from hundreds of IP addresses across two countries, mixed with legitimate user traffic. A rate-based rule allows the security engineer to limit excessive request rates without fully blocking access from entire geographic regions, ensuring that legitimate users can still access the application.

Option B is incorrect because geographic match rules block all traffic from selected countries, which would deny access to legitimate users and violate the stated requirement. Option C is invalid because security groups do not support geographic filtering. Option D is not scalable, as manually blocking hundreds of IP addresses is operationally inefficient and ineffective against rapidly changing attacker IPs.

AWS documentation emphasizes that rate-based rules are the recommended first-line mitigation for sudden traffic spikes and potential application-layer DDoS attacks when business continuity must be preserved.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices