SCS-C03 Amazon Web Services AWS Certified Security – Specialty Free Practice Exam Questions (2026 Updated)

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security – Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

The immediate containment step for exposed access keys is todisable (deactivate) the compromised IAM access key(Option B). This prevents any further use of the leaked credentials, which is essential once secrets are publicly exposed. Creating a new key (Option D) may be part of recovery later, but it does not stop abuse of the already exposed key unless the exposed key is first deactivated.

To determine whether the credentials were used, you need evidence of access activity. Among the provided options, the best fit is generating and reviewing theIAM credential report(Option E). The report includes metadata such as access key status and “last used” style details that help triage whether the user’s credentials have been exercised recently. While deeper investigation would typically rely on CloudTrail “AccessKeyId” searches, the credential report is a quick AWS-native step aligned to the answer choices.

Option A is not correct: IAM Access Analyzer helps identify external access paths to resources and validate policies; it does not provide a definitive history of what a specific access key did. Option C is not a GuardDuty capability—GuardDuty generates findings; it does not “block” a specific access key. Therefore, deactivating the key and using credential reporting to assess recent usage best matches the requirements.

AWS Key Management Service (KMS) customer managed keys areregional resources. According to the AWS Certified Security – Specialty Official Study Guide and KMS documentation, a KMS key created in one AWS Regioncannot be used directly in another Region. When copying an encrypted Amazon Aurora DB snapshot across Regions, the destination Region must have access to a KMS keythat exists in that Region.

Because the original KMS key resides in us-east-1, it cannot be accessed or referenced in us-west-1. The correct and supported approach is tocreate a new customer managed KMS key in us-west-1and specify that key when performing the cross-Region snapshot copy. Amazon RDS automatically decrypts the snapshot using the source Region key and re-encrypts it using the destination Region key during the copy process.

Option A is invalid because KMS keys cannot be stored or transferred through AWS Secrets Manager. Options C and D are incorrect because IAM policies cannot grant cross-Region usage of a KMS key; KMS enforces strict regional boundaries regardless of IAM permissions.

AWS documentation clearly states thatcross-Region encrypted snapshot copies require a KMS key in the destination Region, making this approach mandatory for compliance and encryption continuity.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

Amazon Aurora Security Documentation

Network ACLs arestateless, so you must allow both the outbound request and the inboundreturn traffic. For outbound TLS to an internet service on TCP443, you need an outbound allow rule permitting destination port 443. The return traffic from the internet service will come back to the instance’sephemeral port(typically in the range 1024–65535) on the inbound path. Therefore, you must allow inbound TCP traffic on the ephemeral port range to support established outbound connections.

At the same time, the requirement is todeny inbound MySQL (TCP 3306). Because NACLs process rules in order (lowest rule number first), placing an explicit deny for port 3306 as a low-numbered inbound rule ensures that traffic destined for MySQL is blocked even if there are broader allow rules later.

Option B does exactly this: it denies inbound TCP 3306 first, then allows inbound ephemeral ports for return traffic, and allows outbound TCP 443. Option A/D incorrectly allow inbound 443 (not needed for outbound-only TLS) and fail to explicitly allow ephemeral return traffic correctly. Option C allows ephemeral inbound first, and then denies 3306 later; while 3306 is not in the ephemeral range, B is the clean, canonical ordering and matches the intended stateless-return-traffic pattern most directly.

To analyze API access patterns with minimal effort andwithout parsing raw log files, the best approach is to rely onmetricsand built-in query tooling. EnablingDetailed CloudWatch Metricsfor an API Gateway stage (Option E) provides near-real-time, aggregated visibility into usage and performance patterns (such as request counts, latency, error rates like 4XX/5XX) that are ideal for identifying trends and spikes without handling logs.

For deeper pattern exploration when needed,CloudWatch Logs Insights(Option D) provides an interactive query experience over logs that are already in CloudWatch Logs, allowing quick filtering and aggregation. In practice, developers use metrics to understand access patterns at a high level and Logs Insights to slice and dice request data without building a separate parsing pipeline.

Options A and C still rely on enabling access logs and shipping them to S3/Athena, which is more setup and operational overhead (and still involves managing log storage/format). CloudTrail (Option B) records control-plane API calls to AWS services, not end-user access requests to your API methods, so it won’t provide the desired access pattern view for API consumers. Therefore, Detailed CloudWatch Metrics plus CloudWatch Logs Insights is the least-effort combination for access pattern analysis.

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security – Specialty guidance,CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive.

The recommended and most secure approach is to configure CloudFront to send acustom origin header(such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured toforward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will be denied.

Option A is invalid because CloudFront does not support PrivateLink origins. Option B introduces unnecessary architectural changes and is not required. Option C is brittle and operationally risky due to changing IP ranges.

AWS documentation explicitly recommendscustom origin headersas the best practice to ensure that only CloudFront can access an internet-facing ALB when AWS WAF is attached at the CloudFront layer.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Origin Security Documentation

AWS WAF and ALB Integration Guidance

The requirement is twofold:cross-Region replicationfor disaster recovery andimmutabilityso that even administrators cannot permanently delete data in the secondary Region. The S3-native feature designed to prevent deletion (including version deletion) for a defined retention period isS3 Object Lock. When Object Lock is configured incompliance mode,no user, including the root user and administrators, can remove Object Lock protections or permanently delete protected object versions before retention expires. This meets the “admins cannot permanently delete” requirement far better than policy-based controls.

To replicate the data for DR, the company can configureS3 replicationfrom the primary Region bucket to a bucket in the secondary Region. With Object Lock in place (and the destination bucket appropriately configured to support Object Lock and versioning), replicated objects can be retained immutably, providing a strongly protected copy for recovery.

Option D (versioning alone) prevents accidental overwrites but does not stop an admin from deleting all versions. Option C only blocks replication deletes; it does not prevent an admin from deleting objects directly in the secondary bucket. Option A uses AWS Backup vault lock ingovernancemode, which still allows privileged users with special permissions to override retention; it also creates backups rather than true object-level replication. Therefore, Object Lock in compliance mode combined with replication is the best match.

AWS WAF provides managed and custom rules that can immediately mitigate common web exploits such as SQL injection without modifying application code. According to AWS Certified Security – Specialty documentation, placing AWS WAF in front of an Application Load Balancer is a recommended rapid-response control for legacy applications with known vulnerabilities.

Creating an ALB in front of the existing EC2 instances allows seamless traffic migration. AWS WAF SQL injection rules can be deployed and tested without downtime. Updating Route 53 to point to the ALB preserves normal operations. Restricting EC2 security groups afterward prevents bypassing the WAF.

Option B introduces CloudFront changes and single-origin testing, increasing complexity. Option C cannot be completed within 24 hours and risks downtime. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Web ACL Architecture

AWS Application Load Balancer Security

The database islatency-sensitive, so the connectivity option should minimize jitter and provide more consistent performance than traversing the public internet.AWS Direct Connectprovides a dedicated network connection from the on-premises environment into AWS, typically delivering more stable throughput and lower/consistent latency characteristics compared with internet-based paths. However, Direct Connect by itself does not automatically provideIPsec encryption.

To satisfy the explicit requirement that traffic must haveIPsec encryption, the common AWS pattern is to run anAWS Site-to-Site VPN(IPsec tunnels) in conjunction with Direct Connect. This can be done as “VPN over Direct Connect” to encrypt the traffic while still taking advantage of Direct Connect’s private, predictable connectivity. This combination meets both requirements: improved latency characteristics (Direct Connect) and IPsec encryption (Site-to-Site VPN).

The other options do not fit. VPN CloudHub (Option C) is for connecting multiple remote sites together via AWS as a hub-and-spoke, not a primary low-latency private link. VPC peering (Option D) is only for VPC-to-VPC connectivity and does not connect to on-premises. NAT gateway (Option E) is for outbound internet/NAT translation and does not provide private encrypted connectivity to on-premises.

Amazon Cognito is a fully managed identity service that providesuser authentication, authorization, and user managementfor web and mobile applications. According to AWS Certified Security – Specialty documentation, Cognito user pools are specifically designed to offload authentication responsibilities from applications while maintaining strong security controls.

By federating authentication with third-party identity providers (such as social IdPs), Cognito eliminates the need for the company to manage user passwords directly. This dramatically reduces password reset requests and customer service overhead, while also improving security throughindustry-standard authentication mechanisms, including MFA and token-based access.

Option A is insecure and incorrect because IAM access keys are not intended for end users. Option B simply relocates password storage and does not reduce operational burden. Option D uses API keys, which are not designed for user authentication and provide no identity verification.

AWS guidance clearly states thatAmazon Cognito is the recommended service for scalable, secure user authentication, especially when reducing password management complexity is a requirement.

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito User Pools Documentation

AWS IAM Security Best Practices

Option C best meets the requirements because Amazon GuardDuty provides Kubernetes-focused threat detection for Amazon EKS by analyzingEKS control plane audit logs(EKS Protection) and combining that signal withruntime telemetryfrom the worker nodes (Runtime Monitoring). EKS audit logs capture Kubernetes API activity and authorization decisions, allowing GuardDuty to detect suspicious cluster actions such as unusual API calls, unexpected access patterns, or indicators of compromise within the cluster. Runtime Monitoring extends coverage tooperating system/process activity, network connections, and file activityon the nodes, which directly aligns with the need to monitor OS, networking, and file events in addition to audit logs.

For notifications, GuardDuty generatesfindingsthat can be delivered throughAmazon EventBridgerules. EventBridge can route relevant GuardDuty findings to anAmazon SNS topic, and SNS can sendemail alertsto the security team by subscribing the team’s mailing list to the topic. This approach is fully managed, near real time, and avoids building custom log-parsing pipelines while still providing actionable alerts based on GuardDuty’s curated EKS threat detections.

AWS Organizations service control policies (SCPs) are designed to enforce preventive guardrails across accounts without requiring application-level changes. According to the AWS Certified Security – Specialty documentation, SCPs can restrict specific API actions or require certain condition keys to enforce security standards centrally. AWS Lambda function URLs support two authentication modes: AWS_IAM and NONE. When the authentication type is set to NONE, the function URL becomes publicly accessible, which introduces a significant security risk in production environments.

By using an SCP that explicitly denies the lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions when the lambda:FunctionUrlAuthType condition key equals NONE, the organization ensures that unauthenticated function URLs cannot be created or modified in production accounts. This enforcement occurs at the AWS Organizations level and applies automatically to all accounts within the specified organizational units (OUs). Developers are not required to change their workflows or add additional controls, satisfying the requirement of no additional developer effort.

Option A relates to browser-based access controls and does not provide authentication or authorization enforcement. Option B is not valid because AWS WAF cannot be attached directly to AWS Lambda function URLs. Option C is incorrect because SCPs do not grant permissions; they only limit permissions. AWS documentation clearly states that SCPs define maximum available permissions and are evaluated before IAM policies.

This approach aligns with AWS best practices for centralized governance, least privilege, and preventive security controls.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Service Control Policies Documentation

AWS Lambda Security and Function URL Authentication Overview

AWS WAF string match rule statements allow inspection of HTTP headers, including the User-Agent header. According to AWS Certified Security – Specialty guidance, when malicious traffic can be uniquely identified by a consistent request attribute, such as a device-specific user agent, a string match rule provides precise mitigation with minimal false positives.

IP-based blocking is ineffective for globally distributed botnets. Geographic blocking risks denying access to legitimate users. Rate-based rules limit request volume but do not prevent low-and-slow attacks.

By matching the unique IoT device brand in the User-Agent header, the security engineer can block only malicious requests while preserving customer access.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Rule Statements

AWS DDoS Mitigation Best Practices

Amazon Inspector provides native Lambda code vulnerability scanning. GuardDuty focuses on runtime threats, not static code analysis.

Amazon GuardDuty findings provide high-level detection of suspicious activity but are not designed for deep investigation on their own. The AWS Certified Security – Specialty documentation explains that Amazon Detective is purpose-built to support rapid investigations by automatically collecting, correlating, and visualizing data from GuardDuty, AWS CloudTrail, and VPC Flow Logs. Detective enables security engineers to analyze API calls, user behavior, and resource interactions in context without making any changes to the environment.

Using read-only credentials ensures that the investigation does not impact the production application. Amazon Detective allows investigators to pivot directly from a GuardDuty finding into a detailed activity graph, showing which IAM user made anomalous calls, what resources were accessed, and how behavior deviated from the baseline. This significantly accelerates incident investigation.

Options A and C involve applying DenyAll policies, which are containment actions and could affect application availability. Option D requires manual analysis and setup and is slower than using Amazon Detective, which is designed for immediate investigative workflows.

AWS incident response guidance recommends using Detective for rapid, non-intrusive analysis after GuardDuty findings.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty and Amazon Detective Integration

AWS Incident Response Investigation Best Practices

AWS CloudFormation supports the use of aservice role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security – Specialty Study Guide, using a service role is themost secure and consistent wayto ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation—not individual users—assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifiesCloudFormation service roles combined with iam:PassRoleas best practice for secure, consistent infrastructure deployments.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

KMS grantsare purpose-built for givingtemporary, scoped permissionsto use a customer managed key without continually editing key policies. A grant can allow only the specific cryptographic operations the application process needs (for example, Encrypt/Decrypt/GenerateDataKey) and can be constrained to a particular AWS principal and (optionally) conditions. When access is no longer required, the security team canrevokethe grant immediately, returning the key to its previous access posture. This meets the “temporary access occasionally” requirement with minimal operational work and lower risk than policy churn.

Option B requires repeated key policy edits and rollbacks, which is operationally noisy and increases the chance of misconfiguration or leaving access in place longer than intended. Option A is not supported in the way described—KMS key material for standard KMS customer managed keys is not something you “export” for sharing, and exposing key material breaks managed key controls. Option D introduces significant overhead and complexity by generating/importing key material repeatedly and is not the intended model for occasional access. Grants are the standard AWS pattern for delegating KMS key usage temporarily and safely.

AWS KMS enforces amandatory minimum waiting period of 7 daysbefore a customer managed key can be deleted. According to AWS Certified Security – Specialty incident response guidance,no method exists to immediately delete a KMS key. The fastest possible deletion is achieved by scheduling deletion with theminimum 7-day waiting period.

In this scenario, although deletion was previously scheduled, the key remains enabled and usable. The most authoritative and reliable method to regain control and reissue deletion immediately is touse the AWS account root user, which has implicit permissions to manage KMS keys regardless of compromised IAM principals.

Option B is incorrect because KMS keys are regional resources; multi-Region keys require coordinated deletion but do not shorten the waiting period. Option C is unnecessary because the key policy already allows kms:*. Option D increases the deletion waiting period to 30 days, which violates the requirement to delete the key as quickly as possible.

AWS documentation clearly states thatroot user access is the ultimate authority for KMS key managementand that7 days is the minimum deletion window, making this the fastest valid option.

AWS Certified Security – Specialty Official Study Guide

AWS Key Management Service Developer Guide

AWS Incident Response Best Practices