Free Practice Questions for Amazon Web Services SCS-C03 Exam

The database islatency-sensitive, so the connectivity option should minimize jitter and provide more consistent performance than traversing the public internet.AWS Direct Connectprovides a dedicated network connection from the on-premises environment into AWS, typically delivering more stable throughput and lower/consistent latency characteristics compared with internet-based paths. However, Direct Connect by itself does not automatically provideIPsec encryption.

To satisfy the explicit requirement that traffic must haveIPsec encryption, the common AWS pattern is to run anAWS Site-to-Site VPN(IPsec tunnels) in conjunction with Direct Connect. This can be done as “VPN over Direct Connect” to encrypt the traffic while still taking advantage of Direct Connect’s private, predictable connectivity. This combination meets both requirements: improved latency characteristics (Direct Connect) and IPsec encryption (Site-to-Site VPN).

The other options do not fit. VPN CloudHub (Option C) is for connecting multiple remote sites together via AWS as a hub-and-spoke, not a primary low-latency private link. VPC peering (Option D) is only for VPC-to-VPC connectivity and does not connect to on-premises. NAT gateway (Option E) is for outbound internet/NAT translation and does not provide private encrypted connectivity to on-premises.

Amazon Cognito identity pools provide temporary AWS credentials by exchanging web identity tokens with AWS STS using AssumeRoleWithWebIdentity. According to AWS Certified Security – Specialty documentation, this is the correct mechanism for granting applications AWS credentials.

User pools authenticate users but do not issue AWS credentials. Identity pools integrate with IAM roles and STS, enabling secure, temporary access to AWS services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Identity Pools

AWS STS Web Identity Federation

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security – Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances.

To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification.

Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty Findings and Severity

Amazon EventBridge Integration with GuardDuty

SSE-S3 uses AWS-managed keys and does not provide customer control. AWS Certified Security – Specialty documentation states that SSE-KMS with customer managed keys allows full control, auditing, and key rotation. The security engineer must first create a customer managed KMS key, then update the bucket to use SSE-KMS. Existing objects must be re-encrypted to ensure compliance.

SSE-C requires the application to manage keys, increasing complexity and risk. AWS managed keys do not meet the requirement for customer-controlled encryption.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Encryption Options

AWS KMS Customer Managed Keys

In IAM Identity Center, users see accounts and permission sets in the AWS access portal based onassignments. Here, the new permission set was assigned to theDevOps groupfor a specific member account. Sinceall developers except onecan see the permission set, the permission set itself and the account assignment are working correctly. The most likely cause is that the remaining developer isnot actually a memberof the DevOps group in the identity source (AWS Directory Service / Active Directory), or their group membership is not reflected due to missing/incorrect directory group assignment.

The least disruptive fix is to ensure the developer’s identity is correctly included in theDevOpsgroup within the directory. Once the user is a member of the assigned group (and after normal identity sync/refresh behavior), IAM Identity Center will evaluate the user as entitled to that permission set, and it will appear in the access portal.

Option B is unnecessary because the assignment is already effective for others. Option C is unrelated; service-linked roles for Organizations do not determine portal entitlements. Option D would not explain why only one user cannot see the permission set; if console access were misconfigured, it would affect all users assigned that permission set.

For centralized, organization-wide user access to AWS services and supported applications, AWS best practice is to useAWS IAM Identity Center(successor to AWS SSO). IAM Identity Center provides a single place to manage workforce identities, permission sets, and account assignments across AWS Organizations. Amazon Q Developer is integrated for centralized access using IAM Identity Center, where you can assign the relevant permissions to users and groups and enable access consistently across multiple AWS accounts. Setting Amazon Q Developer up as anAWS managed applicationaligns with IAM Identity Center’s model for centrally provisioning and controlling access with minimal operational overhead.

Amazon Cognito is primarily intended forcustomer identity and application sign-up/sign-inscenarios, not for workforce access to AWS managed developer tools across multiple AWS accounts. “Identity pools” are a Cognito concept for exchanging identities for AWS credentials, which adds unnecessary complexity and is not the standard approach for centrally granting employees access to Amazon Q Developer in an organization. Therefore, enabling IAM Identity Center and configuring Amazon Q Developer as an AWS managed application is the correct solution.

Amazon CloudWatch Logs provides a centralized, scalable service for collecting and storing logs from Amazon EC2 instances, regardless of whether the instances are On-Demand or Spot Instances. According to the AWS Certified Security – Specialty Official Study Guide, CloudWatch Logs is therecommended service for centralized log aggregation and near-real-time analysisof application and system logs.

By configuring all EC2 instances to send logs to asingle CloudWatch Logs log group, the security engineer ensures that logs from all instances are available in one centralized location. Access to the log group can be restricted by using IAM policies, ensuring that only authorized users can view and analyze the logs.

CloudWatch Logs Insights provides apowerful query language with SQL-like syntax, enabling users to search, filter, aggregate, and analyze log data efficiently. This directly satisfies the requirement for SQL-style queries to identify event patterns and perform root cause analysis without requiring data movement or additional services.

Option B is incorrect because CloudWatch Logs Insights cannot query log files stored in Amazon S3. Option C is inefficient and operationally complex, as Athena cannot directly query CloudWatch Logs log groups. Option D is invalid because Amazon Detective is designed for security investigations using GuardDuty findings, not for general application log analysis.

AWS documentation explicitly states thatCloudWatch Logs combined with CloudWatch Logs Insightsis the most efficient and secure approach for centralized log analysis in EC2-based architectures.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs Documentation

CloudWatch Logs Insights Query Guide

Toenforcerequired tagging and approved values at scale, the strongest guardrail is anSCPbecause SCPs can prevent API calls across accounts/OUs before resources are created or tags are changed. By using the aws:RequestTag/CostCenter condition key and checking that the value is one of the approved values, an SCP candeny Create (and TagResource/UntagResource where supported)* when the request attempts to set a non-approved value. This prevents “bad” CostCenter values from being introduced.

AWS Config (including custom policy rules with CloudFormation Guard) is excellent fordetectingnoncompliance and reporting, but on its own it is not a hard preventative control. Pairing Config rule evaluation with an SCP guardrail gives both visibility and prevention. Option A is the only option that explicitly combines an enforceable preventive control (SCP deny based on aws:RequestTag/CostCenter) with compliance evaluation logic.

Option B cannot “block creation” reliably because EventBridge/Lambda isafter-the-fact; by the time the function runs, the resource is already created. Option C relies on tag policies enforcement semantics; tag policies primarilystandardize and reporttag usage, and the provided SCP in C only checks for null/missing values, not for non-approved values or for preventing later changes. Option D is also reactive and not a guaranteed preventative control.

This is a classic Layer 7 rate-limiting requirement tied toclient IPand atime window, and AWS WAF provides this natively withrate-based rules. Placing AWS WAF in front of the ALB allows the company to count requests per source IP over a rolling window and take action (block, CAPTCHA/challenge, or count depending on configuration) once the threshold is exceeded. This approach mitigates scanning and application-layer request floods early, before requests consume EC2 or DynamoDB capacity, and it requires minimal custom code or operational work.

Options B and C require building and maintaining custom counting logic (either in Lambda or in the application), which increases complexity and risk of errors, and it also introduces operational overhead for scaling state tracking across many IPs. Option D is not appropriate: altering DynamoDB capacity does not enforce “per-IP reads,” and storing per-request metadata in the same table is an anti-pattern that increases write load and complexity.

Therefore, using AWS WAF rate-based protection at the ALB is the least-effort, most effective solution.

To enforce encryption in transit for Amazon S3, AWS best practice is to require HTTPS (TLS) by using a bucket policy condition that denies any request where aws:SecureTransport is false. The requirement includes both existing buckets and future buckets, so the control must continuously evaluate configuration drift and automatically remediate. AWS Config is the service intended for continuous configuration compliance monitoring across resources, and AWS Config managed rules provide standardized checks with low operational overhead. The s3-bucket-ssl-requests-only managed rule evaluates whether S3 buckets enforce SSL-only requests, aligning directly with enforcing encryption in transit. Setting the trigger type to Hybrid ensures evaluation both on configuration changes and periodically. Automatic remediation with an AWS Systems Manager Automation runbook allows the organization to apply or correct the bucket policy consistently at scale without manual work. This approach also supports governance by maintaining a measurable compliance status while actively fixing noncompliance. Option A is not the best fit because a “proactive” custom policy rule does not by itself remediate existing buckets and “block resource creation” is not how AWS Config enforces controls. Option C is incorrect because Amazon Inspector is a vulnerability management service and does not govern S3 bucket transport policies. Option D is inefficient and indirect because CloudTrail data events are not a compliance engine and would require custom processing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for S3 Compliance

Amazon S3 Security Best Practices for SSL-only Access