Free Practice Questions for Amazon Web Services SCS-C03 Exam

AWS KMS provides condition keys that can be used to tightly scope how and where a customer managed key can be used. According to the AWS Certified Security – Specialty Study Guide, the kms:ViaService condition key is specifically designed to restrict key usage to requests that originate from a particular AWS service in a specific Region.

By configuring the key policy to allow KMS cryptographic operations only when kms:ViaService equals s3. < region > .amazonaws.com, the security engineer ensures that the key can be used exclusively by Amazon S3. Even if other IAM principals have permissions to use the key, the key cannot be used by other services such as Amazon EC2, Amazon RDS, or AWS Lambda.

Option A is incorrect because AWS services do not assume identities in key policies. Options C and D modify IAM role policies, which do not control how a KMS key is used by AWS services. AWS documentation clearly states that service-level restrictions must be enforced at the KMS key policy level using condition keys.

This approach enforces strong separation of duties and limits blast radius, which aligns with AWS security best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policy Condition Keys

AWS KMS Best Practices

AWS Config provides managed rules that continuously evaluate resource configurations against compliance requirements. The AWS Certified Security – Specialty documentation highlights AWS Config managed rules as the preferred mechanism for enforcing configuration compliance at scale. The managed rule for encrypted RDS storage automatically detects DB instances and clusters that are created without encryption enabled.

By configuring automatic remediation, AWS Config can immediately invoke corrective actions without manual intervention. Integrating remediation with an Amazon SNS topic enables automated email notifications, while an AWS Lambda function can terminate the noncompliant resource. This creates a fully automated detect-alert-remediate workflow.

Option B requires manual remediation, which increases operational effort and delays enforcement. Options C and D rely on Amazon EventBridge, which evaluates events rather than configuration state and does not provide continuous compliance monitoring. AWS Config is explicitly designed for configuration compliance and governance use cases.

This solution aligns with AWS governance best practices by combining continuous monitoring, automated remediation, and centralized alerting with minimal operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules

AWS Config Automatic Remediation

Delegated administration for IAM Identity Center allows the organization to designate an account (or administrators) to manage Identity Center tasks without giving broad control to everyone in the management account. Before configuring delegated administration, the organization should ensure that appropriate administrative access is set up following least privilege (Option A) so only the intended administrators can manage Identity Center configuration and assignments.

Next, IAM Identity Center relies onpermission setsandassignments(users/groups to accounts/permission sets) to deliver access through the AWS access portal. Creating the requiredpermission sets(Option D) and establishing the necessaryuser assignments(Option F) in the management account provides the baseline Identity Center configuration that will be administered and delegated. These are core Identity Center primitives and are commonly prepared as part of initial setup so delegated admins have clearly defined roles and scope to manage.

Option B is not required because IAM Identity Center uses an identity source (such as AWS Directory Service, an external IdP, or the Identity Center directory) that is configured once; you don’t typically “create a new directory” as a prerequisite for delegated admin unless you are changing identity sources. Option C is irrelevant; delegated administration is not dependent on adding a second Region. Option E is incorrect because IAM Identity Center is intended to reduce reliance on IAM users for workforce access, not require creating new IAM users.