Free Practice Questions for Amazon Web Services SCS-C03 Exam

Amazon CloudWatch Logs is designed to collect, store, and analyze log data from ephemeral compute resources such as EC2 instances in Auto Scaling groups. According to the AWS Certified Security – Specialty Study Guide, using the CloudWatch agent to stream logs off instances ensures log durability even when instances are terminated during scale-in events.

CloudWatch Logs Insights provides a fully managed, serverless query engine that enables ad hoc querying, filtering, and aggregation of log data without requiring additional infrastructure. This directly satisfies the requirement to query logs for application sessions and user troubleshooting.

Option A introduces operational risk because logs could be lost between cron executions. Option B requires additional services and data pipelines, increasing cost and complexity. Option E adds storage cost and management overhead and is not necessary for log analytics.

AWS best practices recommend CloudWatch Logs and Logs Insights as the most cost-effective and scalable solution for centralized log retention and analysis in Auto Scaling environments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon CloudWatch Logs and Logs Insights

AWS Logging Best Practices

In a properly segmented VPC architecture, public subnets route internet-bound traffic to an internet gateway, while private subnets route outbound internet traffic through a NAT gateway that resides in a public subnet. According to the AWS Certified Security – Specialty Official Study Guide and Amazon VPC documentation, private subnets must never have a direct route to an internet gateway.

The issue described indicates that private subnets are incorrectly routing traffic directly to the internet gateway. To remediate this, a NAT gateway must be provisioned in each public subnet to ensure high availability across Availability Zones. This satisfies the requirement that private resources can initiate outbound connections without being directly reachable from the internet.

Next, the route tables associated with the private subnets must be updated so that the default route (0.0.0.0/0) points to the NAT gateway in the same Availability Zone. This ensures proper traffic flow and prevents cross-AZ dependencies.

Option B is incorrect because NAT gateways must reside in public subnets. Option C is unnecessary because local routes to the VPC CIDR range are automatically created. Option E is explicitly insecure, as it would reintroduce direct internet gateway access from private subnets.

AWS documentation consistently identifies NAT gateways plus correct private subnet routing as the standard design for secure VPC segmentation.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Route Table Documentation

AWS Well-Architected Framework – Security Pillar

AWS CloudFormation dynamic references provide a secure mechanism for retrieving sensitive values from AWS Secrets Manager at stack creation or update time. According to the AWS Certified Security – Specialty documentation, dynamic references ensure that sensitive data such as database credentials are never stored in plaintext in CloudFormation templates, parameters, stack metadata, or logs.

When a dynamic reference to Secrets Manager is used, CloudFormation retrieves the secret value at runtime and passes it securely to the resource that requires it. The secret value is not exposed to users who view the template, stack, or change sets.

Option B is insecure because parameters can be exposed through the CloudFormation console and APIs. Option C is incorrect because SecureString parameters are a feature of AWS Systems Manager Parameter Store, not Secrets Manager. Option D is invalid because KMS encrypts data but does not store secrets or manage secret rotation.

AWS best practices clearly state that CloudFormation dynamic references to Secrets Manager are the recommended solution for securely handling sensitive configuration values.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Security Best Practices

AWS Secrets Manager Documentation

Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security – Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.

Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles were used during suspicious activity.

Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.

AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Detective Investigation Capabilities

AWS Threat Detection and Analysis

In AWS IAM Identity Center (formerly AWS Single Sign-On), users and groups do not automatically gain access to all accounts in an AWS Organization simply because the accounts exist. Access is explicitly granted by assigning a principal (user or group) to a specific AWS account along with a permission set. Permission sets define the IAM policies that are provisioned into the target account as IAM roles.

In this scenario, employees in the Cloud Active Directory group can access nearly all AWS accounts, which confirms that AD Connector synchronization is functioning correctly, eliminating option B. The fact that Account A exists but is inaccessible strongly indicates that the required account assignment is missing. Without explicitly assigning the Cloud group to Account A with a valid permission set, IAM Identity Center will not provision the necessary IAM role, and users will not see or access the account in the AWS access portal.

Option A is incorrect because accounts do not need to be placed in an OU to be accessible through IAM Identity Center. Option D is incorrect because IAM permissions boundaries do not control access to entire accounts and are not applied at the account level to block IAM Identity Center access.

AWS Security Specialty documentation emphasizes that account assignments are mandatory for IAM Identity Center access, making option C the correct answer.

AWS WAF provides managed and custom rules that can immediately mitigate common web exploits such as SQL injection without modifying application code. According to AWS Certified Security – Specialty documentation, placing AWS WAF in front of an Application Load Balancer is a recommended rapid-response control for legacy applications with known vulnerabilities.

Creating an ALB in front of the existing EC2 instances allows seamless traffic migration. AWS WAF SQL injection rules can be deployed and tested without downtime. Updating Route 53 to point to the ALB preserves normal operations. Restricting EC2 security groups afterward prevents bypassing the WAF.

Option B introduces CloudFront changes and single-origin testing, increasing complexity. Option C cannot be completed within 24 hours and risks downtime. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Web ACL Architecture

AWS Application Load Balancer Security

Amazon S3 Block Public Access provides centralized controls to prevent public access through bucket policies and ACLs. AWS Certified Security – Specialty guidance recommends enabling Block Public Access to reduce accidental exposure and to enforce guardrails that override public grants. Enabling Block Public Access on the bucket removes current public exposure when combined with correcting policies/ACLs and prevents future misconfiguration. To ensure the bucket cannot be made public again, the security engineer must prevent principals from disabling Block Public Access. An SCP that denies s3:PutPublicAccessBlock prevents changes that would remove or weaken the PublicAccessBlock configuration, enforcing the guardrail across the OU or account. Options A and D do not directly address public exposure control. Option B denies object reads but does not ensure public access cannot be re-enabled; it also does not address the root misconfiguration pathways and could disrupt legitimate access patterns. Option C specifically combines the correct preventive control (PublicAccessBlock) with organizational enforcement to stop future reversal.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Block Public Access

AWS Organizations SCP Guardrails for S3 Controls