Practice Free SCS-C03 Exam Online Questions
A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application.
Which solution will meet these requirements MOST quickly?
- A . Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
- B . Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use Amazon Detective to review the API calls in context.
- C . Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for details about the IAM credentials that were used. Use the IAM console to add a DenyAll policy to the IAM principal.
- D . Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to determine which API calls initiated the finding. Use AWS CloudTrail Insights and AWS CloudTrail Lake to review the API calls in context.
B
Explanation:
Amazon GuardDuty findings provide high-level detection of suspicious activity but are not designed for deep investigation on their own. Amazon Detective is purpose-built for rapid investigation: it automatically ingests, correlates, and visualizes GuardDuty findings, AWS CloudTrail management events, and VPC Flow Logs, so a security engineer can analyze API calls, principal behavior, and resource interactions in context without changing anything in the environment.
Using read-only credentials ensures that the investigation itself cannot affect the production application. From the GuardDuty finding, Detective lets the investigator pivot straight into the behavior graph for the IAM principal and access key involved, showing which API calls were made, which resources were touched, and how the activity deviated from the principal's baseline. Detective has to be enabled in advance, because it only analyzes data collected from the point it was turned on; in an account where it is already running, this is the fastest path.
Options A and C apply a DenyAll policy, which is a containment action rather than investigation. Blocking the principal before the analysis is done could take down the application if that principal is the one it runs under, and Option C additionally logs in with administrator credentials, which is more access than the task requires.
Option D would work but is slower: AWS CloudTrail Lake needs an event data store and hand-written SQL queries, and CloudTrail Insights only flags unusual API call volumes and error rates, not the behavior of a particular principal.
AWS incident response guidance recommends Detective for rapid, non-intrusive analysis after GuardDuty findings.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon GuardDuty and Amazon Detective Integration
AWS Incident Response Investigation Best Practices
A company’s data scientists want to create artificial intelligence and machine learning (AI/ML) training models by using Amazon SageMaker. The training models will use large datasets in an Amazon S3 bucket. The datasets contain sensitive information.
On average, the data scientists need 30 days to train models. The S3 bucket has been secured appropriately. The company’s data retention policy states that all data that is older than 45 days must be removed from the S3 bucket.
Which action should a security engineer take to enforce this data retention policy?
- A . Configure an S3 Lifecycle rule on the S3 bucket to delete objects after 45 days.
- B . Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an S3 event notification to invoke the Lambda function for each PutObject operation.
- C . Create an AWS Lambda function to check the last-modified date of the S3 objects and delete objects that are older than 45 days. Create an Amazon EventBridge rule to invoke the Lambda function each month.
- D . Configure S3 Intelligent-Tiering on the S3 bucket to automatically transition objects to another storage class.
A
Explanation:
Amazon S3 Lifecycle rules provide a native, fully managed mechanism to transition or delete objects based on their age. According to the AWS Certified Security - Specialty Official Study Guide, S3 Lifecycle policies are the recommended and most secure method for enforcing data retention requirements because they operate automatically, consistently, and without custom code.
A lifecycle rule that expires objects after 45 days keeps each dataset long enough for the 30-day training runs while meeting the retention policy. S3 enforces the rule itself, for every object in the bucket or for objects matching a prefix or tag filter, and counts the age from the object's creation time (its Last-Modified date); the expiration runs at midnight UTC after the deadline, so removal can trail it by up to a day. On a versioning-enabled bucket, Expiration only places a delete marker on the current version, so a NoncurrentVersionExpiration action is also required to delete the data, and objects under S3 Object Lock retention cannot be removed by a lifecycle rule at all.
Options B and C add custom Lambda code and scheduling that is more error-prone and harder to audit than the built-in capability, and neither actually enforces the policy: Option C runs only once a month, so data can sit in the bucket for up to 75 days, and Option B runs only when a new object is written, so stale data persists whenever uploads stop.
Option D is incorrect because S3 Intelligent-Tiering optimizes storage cost by moving objects between access tiers and never deletes data.
AWS documentation describes S3 Lifecycle rules as the standard control for enforcing retention and deletion policies, particularly for sensitive data stored at scale.
AWS Certified Security - Specialty Official Study Guide
Amazon S3 Lifecycle Configuration Documentation
AWS Data Protection Best Practices
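To see what the lifecycle rule has to look like, and what an auditor should check before trusting it, here is an added Python example (not from the exam page or from AWS): it builds the bucket-wide rule for a plain and for a versioning-enabled bucket, and audits a configuration in the shape boto3's get_bucket_lifecycle_configuration returns against both constraints in the question, the 30-day training window and the 45-day retention limit. The configurations it checks are constructed for the example.

```python
"""Audit an S3 lifecycle configuration against the page's retention policy.

Added example, not from the exam page. The input is the dict shape that boto3's
s3.get_bucket_lifecycle_configuration() returns (and that
put_bucket_lifecycle_configuration accepts as LifecycleConfiguration); the rules
generated and checked below are constructed for illustration.
"""

MIN_AGE_DAYS = 30   # training needs each dataset at least this long
MAX_AGE_DAYS = 45   # retention policy: nothing older may remain


def build_retention_rule(max_age_days=MAX_AGE_DAYS, versioned=False, rule_id="retention"):
    """Bucket-wide rule (empty Filter) that removes data within max_age_days.

    On a versioned bucket Expiration only places a delete marker on the current
    version, so NoncurrentVersionExpiration has to delete the bytes; the current
    version is expired a day early so the worst case (expire, then one
    noncurrent day) still lands inside the policy window. Stray delete markers
    need a separate ExpiredObjectDeleteMarker rule, which S3 does not allow in
    the same Expiration element as Days.
    """
    rule = {
        "ID": rule_id,
        "Status": "Enabled",
        "Filter": {},
        "Expiration": {"Days": max_age_days - 1 if versioned else max_age_days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }
    if versioned:
        rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": 1}
    return {"Rules": [rule]}


def _is_bucket_wide(rule):
    """A rule covers every object only when its filter selects nothing in particular."""
    flt = rule.get("Filter")
    if flt is None:                       # legacy rules carry a top-level Prefix instead
        return rule.get("Prefix", "") == ""
    return flt.get("Prefix", "") == "" and not any(
        k in flt for k in ("Tag", "And", "ObjectSizeGreaterThan", "ObjectSizeLessThan"))


def worst_case_removal_days(rule, versioned):
    """Days after creation by which the data is gone, or None if the rule never
    deletes it. S3 runs expirations at midnight UTC after the deadline, so
    real deletion can trail this by up to a day."""
    days = rule.get("Expiration", {}).get("Days")
    if days is None:
        return None
    if not versioned:
        return days
    nc = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
    return None if nc is None else days + nc


def audit_retention(lifecycle, versioned, min_age_days=MIN_AGE_DAYS, max_age_days=MAX_AGE_DAYS):
    """Problems with `lifecycle` as a list of strings; an empty list means compliant."""
    findings, compliant = [], False
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled" or not _is_bucket_wide(rule):
            continue
        days = rule.get("Expiration", {}).get("Days")
        if days is None:
            continue                      # transition-only rule, irrelevant here
        rid = rule.get("ID", "<no id>")
        problems = []
        if days < min_age_days:
            problems.append(f"{rid}: deletes after {days} days, before training finishes")
        worst = worst_case_removal_days(rule, versioned)
        if worst is None:
            problems.append(f"{rid}: bucket is versioned and Expiration only adds a delete marker; "
                            "add NoncurrentVersionExpiration")
        elif worst > max_age_days:
            problems.append(f"{rid}: data can survive {worst} days, limit is {max_age_days}")
        findings.extend(problems)
        compliant = compliant or not problems
    if not compliant:
        findings.append(f"no enabled bucket-wide rule removes all data within {max_age_days} days")
    return findings


if __name__ == "__main__":
    for versioned in (False, True):
        cfg = build_retention_rule(versioned=versioned)
        print("versioned" if versioned else "unversioned", cfg["Rules"][0]["Expiration"],
              audit_retention(cfg, versioned) or "compliant")
    # The plain 45-day rule applied to a versioned bucket is the classic mistake:
    print(audit_retention(build_retention_rule(), versioned=True))
```

In practice the audit runs over every bucket that Macie or a tag marks as holding sensitive data: call get_bucket_versioning and get_bucket_lifecycle_configuration, feed the results in, and alert on a non-empty list. A bucket with no lifecycle configuration at all raises NoSuchLifecycleConfiguration, which should be treated as a finding too.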
A company recently experienced a malicious attack on its cloud-based environment. The company successfully contained and eradicated the attack. A security engineer is performing incident response work. The security engineer needs to recover an Amazon RDS database cluster to the last known good version. The database cluster is configured to generate automated backups with a retention period of 14 days. The initial attack occurred 5 days ago at exactly 3:15 PM.
Which solution will meet this requirement?
- A . Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 5 days ago at 3:14 PM.
- B . Identify the Regional cluster ARN for the database. List snapshots that have been taken of the cluster. Restore the database by using the snapshot that has a creation time that is closest to 5 days ago at 3:14 PM.
- C . List all snapshots that have been taken of all the company’s RDS databases. Identify the snapshot that was taken closest to 5 days ago at 3:14 PM and restore it.
- D . Identify the Regional cluster ARN for the database. Use the ARN to restore the Regional cluster by using the restore to point in time feature. Set a target time 14 days ago.
A
Explanation:
Amazon RDS supports point-in-time recovery (PITR) from automated backups for any time within the configured retention window, up to the latest restorable time (typically within the last five minutes). According to the AWS Certified Security - Specialty Study Guide, this makes PITR the most precise recovery method after a security incident.
Restoring the cluster to a point just before the attack, 3:14 PM five days ago, gives the last known good state without the malicious changes. PITR always creates a new cluster with a new identifier, so the compromised cluster stays untouched for forensic analysis until the application has been cut over to the restored one. The RestoreToTime value is interpreted in UTC, so the 3:15 PM local timestamp must be converted before the restore is requested. Snapshots are taken at fixed points and rarely line up with the exact minute needed.
Options B and C depend on snapshot timing: a snapshot taken after 3:15 PM reintroduces the compromised data, and one taken well before it loses legitimate writes. Option C also searches snapshots of every database the company owns, which is both slower and unrelated to the affected cluster.
Option D restores to the far edge of the 14-day window, discarding nine days of legitimate data, and does not meet the requirement to recover to the last known good version.
AWS documentation recommends point-in-time recovery for incident response scenarios that require precise restoration.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon RDS Automated Backups and PITR
AWS Incident Response and Recovery Guidance
A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.
A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.
The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices for initial response to security incidents and must minimize disruption to the web application.
Which solution will meet these requirements?
- A . Disable the EC2 instance profile credentials by using AWS Lambda.
- B . Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty detects anomalous traffic. Configure the function to remove the affected instance from the Auto Scaling group and attach a restricted security group.
- C . Update the subnet network ACL to block traffic from the detected source IP addresses.
- D . Send GuardDuty findings to Amazon SNS for email notification.
B
Explanation:
AWS incident response best practices emphasize rapid containment with a minimal blast radius. According to the AWS Certified Security - Specialty Official Study Guide, isolating the compromised resource while the application keeps running is the preferred initial response.
An Amazon EventBridge rule matched on GuardDuty findings that involve EC2 instances (or on the same findings as imported into Security Hub) invokes a Lambda function that detaches the affected instance from its Auto Scaling group without decrementing the desired capacity, so Auto Scaling launches a healthy replacement, and then replaces the instance's security groups with an isolation group that has no inbound or outbound rules. The instance is cut off immediately but kept intact, with its EBS volumes available for snapshots and forensics, and availability is preserved by the replacement.
Option A does not address network traffic at all. It is also not meaningful as written: an instance profile hands out temporary role credentials, not long-term access keys that can be disabled. Those sessions can be invalidated with a deny policy on the role keyed on the token issue time, but that is a credential-revocation step, not traffic containment.
Option C affects the entire subnet, including the other workloads that share it, and a network ACL blocks only the source addresses seen so far.
Option D provides notification only and does not meet the requirement for automated response.
AWS incident response guidance recommends instance-level isolation using security groups as the first containment step.
AWS Certified Security - Specialty Official Study Guide
Amazon GuardDuty User Guide
AWS Incident Response Best Practices
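The Lambda side of Option B, as an added Python example rather than code from the page or from AWS: the EventBridge event pattern, a handler that detaches the instance from its group without lowering desired capacity and swaps its security groups for a rule-less isolation group, and recording fake clients so it runs offline. The isolation group ID, the sample finding, and the fake clients are assumptions made for this example; inside Lambda the clients default to boto3.

```python
"""Isolate the EC2 instance named in a GuardDuty finding delivered by EventBridge.

Added example, not from the exam page. The handler detaches the instance from
its Auto Scaling group without lowering the desired capacity (so a replacement
launches), protects it from termination, and swaps its security groups for a
rule-less isolation group. Clients are injected so the logic runs offline with
the recording fakes below; in Lambda they default to boto3 clients. ISOLATION_SG,
the sample finding and FakeClient are constructed for this example.
"""
import os

ISOLATION_SG = os.environ.get("ISOLATION_SG", "sg-0123456789isolate0")  # assumed: SG with no rules

# EventBridge rule pattern: EC2-instance findings of High severity or above.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "resource": {"resourceType": ["Instance"]},
        "severity": [{"numeric": [">=", 7]}],
    },
}

SAMPLE_EVENT = {  # constructed; shape of the "GuardDuty Finding" EventBridge event
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Behavior:EC2/TrafficVolumeUnusual",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


class FakeClient:
    """Records every call; stands in for the boto3 EC2 and Auto Scaling clients."""

    def __init__(self, asg_name=None):
        self.calls = []
        self._asg_name = asg_name

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_auto_scaling_instances":
                found = [{"AutoScalingGroupName": self._asg_name}] if self._asg_name else []
                return {"AutoScalingInstances": found}
            return {}
        return call


def instance_from_finding(event):
    """Instance ID for an EC2 finding; None for IAM, S3 and other resource types."""
    res = event.get("detail", {}).get("resource", {})
    if res.get("resourceType") != "Instance":
        return None
    return res.get("instanceDetails", {}).get("instanceId")


def isolate_instance(ec2, autoscaling, instance_id, isolation_sg=ISOLATION_SG):
    """Contain one instance; returns the list of actions taken, for the audit log."""
    actions = []
    resp = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for inst in resp.get("AutoScalingInstances", []):
        autoscaling.detach_instances(
            InstanceIds=[instance_id],
            AutoScalingGroupName=inst["AutoScalingGroupName"],
            ShouldDecrementDesiredCapacity=False,  # the group launches a healthy replacement
        )
        actions.append(f"detached from {inst['AutoScalingGroupName']}")
    # Keep the evidence: nobody can terminate it until forensics are done.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # Groups replaces the whole list on the primary network interface; secondary
    # ENIs need modify_network_interface_attribute each.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    actions.append(f"security groups replaced with {isolation_sg}")
    return actions


def handler(event, context=None, ec2=None, autoscaling=None):
    """Lambda entry point; ec2/autoscaling are overridable for offline tests."""
    instance_id = instance_from_finding(event)
    if not instance_id:
        return {"isolated": None, "reason": "finding does not name an EC2 instance"}
    if ec2 is None or autoscaling is None:
        import boto3  # only needed inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        autoscaling = autoscaling or boto3.client("autoscaling")
    return {"isolated": instance_id, "actions": isolate_instance(ec2, autoscaling, instance_id)}


def demo():
    """Run the handler against the sample finding with recording fakes."""
    ec2, asg = FakeClient(), FakeClient(asg_name="web-asg")
    return handler(SAMPLE_EVENT, ec2=ec2, autoscaling=asg), ec2.calls, asg.calls


if __name__ == "__main__":
    result, ec2_calls, asg_calls = demo()
    print(result)
    print([name for name, _ in asg_calls], [name for name, _ in ec2_calls])
```

The function's execution role needs only autoscaling:DescribeAutoScalingInstances, autoscaling:DetachInstances and ec2:ModifyInstanceAttribute; creating the EBS snapshots and disabling the instance's role credentials are separate playbook steps that follow once the instance can no longer talk to anything.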
A company uses an organization in AWS Organizations to manage its 250 member accounts. The company also uses AWS IAM Identity Center with a SAML external identity provider (IdP). IAM Identity Center has been delegated to a member account. The company’s security team has access to the delegated account.
The security team has been investigating a malicious internal user who might be accessing sensitive accounts. The security team needs to know when the user logged into the organization during the last 7 days.
Which solution will quickly identify the access attempts?
- A . In the delegated account, use Amazon CloudWatch Logs to search for events that match the user details for all successful attempts.
- B . In each member account, use the IAM Identity Center console to search for events that match the user details for all attempts.
- C . In the external IdP, use Amazon EventBridge to search for events that match the user details for all attempts.
- D . In the organization’s management account, use AWS CloudTrail to search for events that match the user details for all successful attempts.
D
Explanation:
AWS CloudTrail is the authoritative record of identity activity across an organization. According to the AWS Certified Security - Specialty Official Study Guide, CloudTrail records AWS API calls and sign-in events, including federated sign-ins through AWS IAM Identity Center with an external SAML identity provider.
An Identity Center sign-in produces CloudTrail events from the sso.amazonaws.com and sso-directory.amazonaws.com event sources (events such as Authenticate, Federate, and ExternalIdPDirectoryLogin for the SAML response from the external IdP), and each account the user then opens appears in that member account as an AssumeRoleWithSAML call to AWS STS with a SAMLUser identity. An organization trail created in the management account delivers all of these events from every member account to one S3 location, which is what lets the security team search seven days of sign-ins across 250 accounts from one place. The console's Event history shows only the management account's own events, so the organization-wide search is run against the organization trail's logs, with Amazon Athena or a CloudTrail Lake event data store.
Option A is incorrect because Identity Center does not write sign-in events to CloudWatch Logs; nothing is there to search unless a custom pipeline has been built.
Option B means repeating the search 250 times, and the IAM Identity Center console is not a sign-in log viewer.
Option C is invalid because Amazon EventBridge does not run inside the external IdP or ingest its logs, and the IdP's logs do not show which AWS accounts and roles were actually assumed.
CloudTrail organization trails give centralized visibility into authentication and access activity across all accounts, making this the fastest and most reliable way to identify when a user logged in during a specific time window.
AWS Certified Security - Specialty Official Study Guide
AWS CloudTrail User Guide
AWS IAM Identity Center Documentation
AWS Organizations Best Practices
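The search itself, as an added Python example (not from the page or from AWS): it filters organization-trail records for one user's sign-in events inside a time window and reports which accounts the user actually assumed a role in. The records are constructed; their field names are CloudTrail's, but the Identity Center sign-in event names the code looks for are an assumption to confirm against your own trail.

```python
"""Sign-in timeline for one IAM Identity Center user from CloudTrail records.

Added example, not from the exam page. It operates on the objects in the
"Records" array of the organization trail's log files; the records below are
constructed, but the field names (eventSource, eventName, userIdentity,
recipientAccountId, eventTime) are CloudTrail's. SIGN_IN_EVENTS lists the event
names this example assumes Identity Center emits; verify them against a real
trail before relying on the list.
"""
import gzip
import json
from datetime import datetime, timedelta, timezone

SIGN_IN_EVENTS = {
    ("sso.amazonaws.com", "Authenticate"),                         # Identity Center sign-in
    ("sso.amazonaws.com", "Federate"),                             # console access through the portal
    ("sso-directory.amazonaws.com", "ExternalIdPDirectoryLogin"),  # SAML response from the external IdP
    ("sts.amazonaws.com", "AssumeRoleWithSAML"),                   # permission-set role assumed in a member account
}

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # fixed so the demo is reproducible
WINDOW_START = NOW - timedelta(days=7)

SAMPLE_RECORDS = [  # constructed
    {"eventTime": "2024-06-08T09:15:02Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"type": "Unknown", "principalId": "90abcdef-1234-5678-9abc-def012345678",
                      "userName": "mallory@example.com"},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111"},
    {"eventTime": "2024-06-08T09:15:40Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "mallory@example.com",
                      "identityProvider": "arn:aws:iam::222222222222:saml-provider/AWSSSO_abc123_DO_NOT_DELETE"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_FinanceAdmin_0a1b2c"},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "222222222222"},
    {"eventTime": "2024-06-09T22:01:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "mallory@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_9f8e7d"},
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.44", "recipientAccountId": "333333333333"},
    {"eventTime": "2024-05-20T08:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"type": "Unknown", "userName": "mallory@example.com"},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111"},   # outside the 7-day window
    {"eventTime": "2024-06-09T10:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"type": "Unknown", "userName": "alice@example.com"},
     "sourceIPAddress": "203.0.113.11", "recipientAccountId": "111111111111"},   # a different user
    {"eventTime": "2024-06-09T10:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "userName": "mallory@example.com"},
     "recipientAccountId": "222222222222"},                                       # not a sign-in event
]


def load_records(path):
    """Records from one gzipped CloudTrail log object downloaded from the trail bucket."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def _event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sign_ins(records, user, since, until=None, successful_only=False):
    """Chronological sign-in events for `user` between `since` and `until`."""
    until = until or datetime.now(timezone.utc)
    user = user.lower()
    rows = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) not in SIGN_IN_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        if user not in {str(ident.get(k, "")).lower() for k in ("userName", "principalId")}:
            continue
        when = _event_time(rec)
        if not since <= when <= until:
            continue
        ok = "errorCode" not in rec           # failed assumptions still matter to the investigation
        if successful_only and not ok:
            continue
        rows.append({
            "time": when,
            "event": rec["eventName"],
            "account": rec.get("recipientAccountId"),
            "role": rec.get("requestParameters", {}).get("roleArn"),
            "source_ip": rec.get("sourceIPAddress"),
            "success": ok,
        })
    return sorted(rows, key=lambda r: r["time"])


def accounts_touched(rows):
    """Accounts where a role was actually assumed, which is what 'accessing sensitive accounts' means."""
    return sorted({r["account"] for r in rows if r["event"] == "AssumeRoleWithSAML" and r["success"]})


if __name__ == "__main__":
    for row in sign_ins(SAMPLE_RECORDS, "mallory@example.com", WINDOW_START, NOW):
        print(f"{row['time']:%Y-%m-%d %H:%M:%S}Z {row['account']} {row['event']:<22} "
              f"{'ok' if row['success'] else 'FAILED'} {row['source_ip']} {row['role'] or ''}")
    print("accounts entered:", accounts_touched(sign_ins(SAMPLE_RECORDS, "mallory@example.com", WINDOW_START, NOW)))
```

For 250 accounts and seven days of logs, the same filter is better expressed as an Athena query over the organization trail's S3 prefix or a CloudTrail Lake query; this function is the selection logic those queries implement, and is handy for re-checking the handful of log objects around a suspicious timestamp.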
A company has a web application that reads from and writes to an Amazon S3 bucket. The company needs to use AWS credentials to authenticate all S3 API calls to the S3 bucket.
Which solution will provide the application with AWS credentials to make S3 API calls?
- A . Integrate with Cognito identity pools and use GetId to obtain AWS credentials.
- B . Integrate with Cognito identity pools and use AssumeRoleWithWebIdentity to obtain AWS credentials.
- C . Integrate with Cognito user pools and use the ID token to obtain AWS credentials.
- D . Integrate with Cognito user pools and use the access token to obtain AWS credentials.
B
Explanation:
Amazon Cognito identity pools exist to hand applications temporary AWS credentials: they exchange a token from an authenticated identity for AWS Security Token Service (STS) credentials. AWS Certified Security - Specialty guidance distinguishes Cognito user pools (authentication, issuing ID and access tokens) from identity pools (authorization to AWS resources). A user pool can authenticate a user and issue tokens, but an identity pool is required to obtain AWS credentials that can sign AWS API requests such as S3 calls.
The flow is: the application calls GetId with the user pool ID token in the Logins map to obtain an identity ID, then GetOpenIdToken for that identity, and finally STS AssumeRoleWithWebIdentity with the Cognito OpenID token to receive temporary credentials for an IAM role that grants the S3 permissions (the identity pool's enhanced flow wraps the same STS federation in a single GetCredentialsForIdentity call). GetId alone does not return credentials; it returns the identity identifier used in the rest of the exchange.
Options C and D are incorrect because user pool ID and access tokens are JWTs that prove who the user is; they are not AWS credentials and cannot sign S3 requests. The solution therefore must use an identity pool to map users to IAM roles and retrieve short-lived credentials, which satisfies the requirement to authenticate every S3 API call.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon Cognito Identity Pools and STS Federation
AWS STS AssumeRoleWithWebIdentity
A company runs workloads in an AWS account. A security engineer observes some unusual findings in Amazon GuardDuty. The security engineer wants to investigate a specific IAM role and generate an investigation report. The report must contain details about anomalous behavior and any indicators of compromise.
Which solution will meet these requirements?
- A . Use Amazon Detective to perform an investigation on the IAM role.
- B . Use AWS Audit Manager to create an assessment. Specify the IAM role. Run an assessment report.
- C . Use Amazon Inspector to create an assessment. Specify the IAM role. Run an assessment report.
- D . Use Amazon Inspector to run an on-demand scan of the IAM role.
A
Explanation:
Amazon Detective is a purpose-built AWS service that analyzes, investigates, and visualizes security data to help identify the root cause of suspicious or malicious activity. According to the AWS Certified Security - Specialty Official Study Guide, Detective ingests Amazon GuardDuty findings, AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs to build a behavior graph with a timeline for each entity.
When GuardDuty raises findings about anomalous activity, Detective lets a security engineer pivot directly to the IAM role, user, or resource concerned. Its investigation feature for IAM users and roles correlates historical activity, identifies deviations from baseline behavior, and produces a report listing indicators of compromise such as unusual API calls, credential misuse, or suspicious network activity, which is exactly the artifact the question asks for.
AWS Audit Manager (Option B) collects evidence for compliance frameworks and audits, not threat investigation. Amazon Inspector (Options C and D) scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure; it has no concept of scanning an IAM role and does not analyze GuardDuty findings.
AWS documentation identifies Detective as the recommended service for deep-dive investigations following GuardDuty alerts, providing enriched context and investigation reports for security incidents.
AWS Certified Security - Specialty Official Study Guide
Amazon Detective User Guide
Amazon GuardDuty Integration Documentation
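Both this question and the earlier one on the Impact:IAMUser/AnomalousBehavior finding come down to the same first step: pulling the principal, access key, API, caller address, and time window out of the finding so the Detective pivot (or a manual CloudTrail review) starts from the right entities. The following Python is an added example, not code from the exam page or from AWS; the finding it parses is constructed, using the field names GuardDuty's GetFindings API returns, and nothing in it modifies the account.

```python
"""Pull the pivot points for an investigation out of a GuardDuty finding.

Added example, not from the exam page. SAMPLE_FINDING is constructed, using the
field names GuardDuty's GetFindings API returns (Resource.AccessKeyDetails,
Service.Action.AwsApiCallAction, Service.EventFirstSeen/EventLastSeen). Nothing
here changes the account; it only prepares read-only lookups.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_FINDING = {  # constructed
    "Type": "Impact:IAMUser/AnomalousBehavior",
    "Severity": 5.0,
    "AccountId": "111111111111",
    "Region": "us-east-1",
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "ASIAEXAMPLEKEY000001",
            "PrincipalId": "AROAEXAMPLEROLEID001:deploy-session",
            "UserName": "deploy-session",
            "UserType": "AssumedRole",
        },
    },
    "Service": {
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "PutBucketPolicy",
                "ServiceName": "s3.amazonaws.com",
                "CallerType": "Remote IP",
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"},
                "AffectedResources": {"AWS::S3::Bucket": "arn:aws:s3:::prod-app-assets"},
            },
        },
        "EventFirstSeen": "2024-06-09T14:02:11.000Z",
        "EventLastSeen": "2024-06-09T14:09:48.000Z",
        "Count": 3,
    },
}


def severity_label(score):
    """GuardDuty severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage(finding):
    """Flatten the parts of the finding an investigator pivots on."""
    key = finding["Resource"].get("AccessKeyDetails", {})
    call = finding["Service"]["Action"].get("AwsApiCallAction", {})
    role_id = session = ""
    if key.get("UserType") == "AssumedRole":
        # For an assumed role the principal ID is "<role unique id>:<session name>".
        role_id, _, session = key.get("PrincipalId", "").partition(":")
    return {
        "type": finding["Type"],
        "severity": severity_label(finding["Severity"]),
        "user_type": key.get("UserType"),
        "user_name": key.get("UserName"),
        "role_unique_id": role_id or None,
        "session_name": session or None,
        "access_key_id": key.get("AccessKeyId"),
        "api": f'{call.get("ServiceName")}:{call.get("Api")}',
        "caller_ip": call.get("RemoteIpDetails", {}).get("IpAddressV4"),
        "affected": list(call.get("AffectedResources", {}).values()),
        "first_seen": _parse_time(finding["Service"]["EventFirstSeen"]),
        "last_seen": _parse_time(finding["Service"]["EventLastSeen"]),
        "count": finding["Service"].get("Count"),
    }


def cloudtrail_lookup_params(t, padding=timedelta(hours=1)):
    """Arguments for cloudtrail.lookup_events(): every call made with the key
    around the finding window. A read-only query, safe to run against production
    with read-only credentials."""
    return {
        "LookupAttributes": [{"AttributeKey": "AccessKeyId", "AttributeValue": t["access_key_id"]}],
        "StartTime": t["first_seen"] - padding,
        "EndTime": t["last_seen"] + padding,
    }


def investigation_checklist(t):
    """Read-only questions the Detective pivot (or a manual CloudTrail review) must answer."""
    items = [
        f"Which other APIs did access key {t['access_key_id']} call between "
        f"{t['first_seen']:%Y-%m-%d %H:%M}Z and {t['last_seen']:%Y-%m-%d %H:%M}Z?",
        f"Is {t['caller_ip']} a known address for this principal, or new?",
    ]
    if t["user_type"] == "AssumedRole":
        items.append(f"Who assumed role {t['role_unique_id']} as session '{t['session_name']}' "
                     "(find the AssumeRole call and its source)?")
    else:
        items.append(f"What is the baseline API set for IAM user {t['user_name']}?")
    items.extend(f"What changed on {arn}?" for arn in t["affected"])
    return items


if __name__ == "__main__":
    summary = triage(SAMPLE_FINDING)
    for k, v in summary.items():
        print(f"{k:>15}: {v}")
    print(cloudtrail_lookup_params(summary))
    print("\n".join(investigation_checklist(summary)))
```

With Detective enabled, the same access key ID and role unique ID are the entity pages to open; without it, the lookup_events parameters are the fallback, with the caveat that lookup_events only covers the calling account's last 90 days of management events and is rate-limited, so a wide search belongs in the organization trail's logs instead.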
A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.
A security engineer must implement a solution to prevent CloudTrail from being disabled.
Which solution will meet this requirement?
- A . Enable CloudTrail log file integrity validation from the organization’s management account.
- B . Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
- C . Create a service control policy (SCP) that includes an explicit Deny rule for the cloudtrail:StopLogging action and the cloudtrail:DeleteTrail action. Attach the SCP to the root OU.
- D . Create IAM policies for all the company’s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.
C
Explanation:
AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security - Specialty Official Study Guide, the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is an AWS Organizations service control policy (SCP).
SCPs define the maximum permissions available to principals in an organization or organizational unit. An SCP with an explicit Deny for cloudtrail:StopLogging and cloudtrail:DeleteTrail, attached to the organization root, ensures that no principal in any member account, administrators included, can stop or delete a trail: an explicit deny in an SCP cannot be overridden by any IAM permission. In practice the same statement should also deny cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors, since an attacker could otherwise repoint the trail to another bucket, make it single-Region, or drop management events without ever calling StopLogging, and the bucket that receives the logs needs its own deletion protection. Note that SCPs do not apply to the management account itself, so a trail owned there is only as protected as access to that account.
Option A is incorrect because log file integrity validation only detects tampering after logs are delivered; it does not prevent CloudTrail from being disabled.
Option B protects log data at rest but does not prevent trail deletion or logging suspension.
Option D removes read-only permissions and has no effect on the ability to stop or delete CloudTrail.
AWS documentation identifies SCPs as the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.
AWS Certified Security - Specialty Official Study Guide
AWS Organizations SCP Documentation
AWS CloudTrail Security Best Practices
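The SCP from Option C, extended with the two actions a practitioner adds and a break-glass exception, as an added Python example that is not from the page or from AWS. The break-glass role name is assumed, and the evaluator implements only what this policy needs (Deny statements, action wildcards, ArnNotLike on aws:PrincipalArn, and the management-account exemption), so it is a check of this policy, not a general IAM engine.

```python
"""SCP that keeps CloudTrail running, plus a small evaluator for its deny logic.

Added example, not from the exam page. The break-glass role name is an
assumption. The evaluator covers only what this policy uses (Deny statements,
action wildcards, an ArnNotLike condition on aws:PrincipalArn, and the
management-account exemption); it is not a general IAM policy engine.
"""
import fnmatch
import json

PROTECTED_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",        # otherwise the trail can be repointed or made single-Region
    "cloudtrail:PutEventSelectors",  # otherwise management events can be excluded
]

BREAK_GLASS = ["arn:aws:iam::*:role/BreakGlassCloudTrailAdmin"]  # assumed role name


def build_cloudtrail_guard_scp(exempt_principal_arns=BREAK_GLASS):
    """Explicit Deny for every principal except the exempt roles. For a role
    session aws:PrincipalArn is the role ARN, so the pattern matches however
    the role was assumed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": PROTECTED_ACTIONS,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def scp_denies(policy, action, principal_arn):
    """True if a Deny statement in `policy` applies to `action` for `principal_arn`.
    Action names are case-insensitive; ARN patterns are case-sensitive."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        exempt = _as_list(st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", []))
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue  # condition evaluates false, so the statement does not apply
        return True
    return False


def decision(policy, identity_allows, action, principal_arn, management_account=False):
    """Combine the SCP with the principal's identity-based permissions.
    An explicit SCP deny beats any Allow; SCPs never apply in the management account."""
    if not management_account and scp_denies(policy, action, principal_arn):
        return "Deny"
    return "Allow" if identity_allows else "ImplicitDeny"


def demo():
    scp = build_cloudtrail_guard_scp()
    admin = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"
    breakglass = "arn:aws:iam::111111111111:role/BreakGlassCloudTrailAdmin"
    return {
        "admin_stop_logging": decision(scp, True, "cloudtrail:StopLogging", admin),
        "admin_describe": decision(scp, True, "cloudtrail:DescribeTrails", admin),
        "breakglass_delete": decision(scp, True, "cloudtrail:DeleteTrail", breakglass),
        "admin_in_mgmt_account": decision(scp, True, "cloudtrail:StopLogging", admin, management_account=True),
        "json": json.dumps(scp, indent=2),
    }


if __name__ == "__main__":
    out = demo()
    print(out.pop("json"))
    for case, verdict in out.items():
        print(f"{case:>22}: {verdict}")
```

The last demo case is the point worth remembering: an administrator in the management account still gets Allow, because SCPs are not evaluated there. Keep the organization trail's bucket and KMS key in a separate log-archive account under the same SCP, and keep the management account's human access as small as possible.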
A company detects bot activity targeting Amazon Cognito user pool endpoints. The solution must block malicious requests while maintaining access for legitimate users.
Which solution meets these requirements?
- A . Enable Amazon Cognito threat protection.
- B . Restrict access to authenticated users only.
- C . Associate AWS WAF with the Cognito user pool.
- D . Monitor requests with CloudWatch.
A
Explanation:
Amazon Cognito threat protection (formerly the user pool advanced security features) is purpose-built to detect and mitigate malicious authentication activity against a user pool, such as credential stuffing and bot-driven sign-in attempts. It scores each sign-in with adaptive, risk-based analysis and applies a response proportional to that risk (allow, require MFA, or block, optionally with a notification to the user), so legitimate users keep signing in while anomalous sessions are challenged or refused. It must be set to full-function mode; in audit-only mode it records risk but blocks nothing.
AWS WAF can also be associated with a Cognito user pool, and rate-based or Bot Control rules are a useful complement for volumetric bot traffic at the endpoint. The requirement here is per-user risk handling that preserves legitimate access, which is what threat protection provides.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon Cognito Threat Protection
A company is expanding its group of stores. On the day that each new store opens, the company wants to launch a customized web application for that store. Each store’s application will have a non-production environment and a production environment. Each environment will be deployed in a separate AWS account. The company uses AWS Organizations and has an OU that is used only for these accounts.
The company distributes most of the development work to third-party development teams. A security engineer needs to ensure that each team follows the company’s deployment plan for AWS resources. The security engineer also must limit access to the deployment plan to only the developers who need access. The security engineer already has created an AWS CloudFormation template that implements the deployment plan.
What should the security engineer do next to meet the requirements in the MOST secure way?
- A . Create an AWS Service Catalog portfolio in the organization’s management account. Upload the CloudFormation template. Add the template to the portfolio’s product list. Share the portfolio with the OU.
- B . Use the CloudFormation CLI to create a module from the CloudFormation template. Register the module as a private extension in the CloudFormation registry. Publish the extension. Create an SCP that allows access to the extension.
- C . Create an AWS Service Catalog portfolio and create an IAM role for cross-account access. Attach the AWSServiceCatalogEndUserFullAccess managed policy to the role.
- D . Use the CloudFormation CLI to create a module and share the extension directly with the OU.
A
Explanation:
AWS Service Catalog is designed to govern and control how AWS resources are provisioned at scale. According to the AWS Certified Security - Specialty Official Study Guide, Service Catalog lets administrators publish approved CloudFormation templates as products and control which accounts, users, or organizational units can launch them.
By creating the portfolio in the management account and sharing it with the OU that holds the store accounts, the security engineer ensures that only accounts in that OU receive the product. Third-party developers launch the predefined template through the product and cannot alter the deployment plan, which enforces consistency; a launch constraint lets the product run under a role that Service Catalog controls, so developers need only Service Catalog end-user permissions rather than rights to create the underlying resources themselves.
This also limits access to the deployment plan itself, because developers interact with the product rather than the raw template, and the administrators of the accounts that import the shared portfolio decide which local users or roles get launch access. No cross-account IAM roles or broad permissions are needed, which reduces the attack surface.
CloudFormation modules and private extensions (Options B and D) provide template reuse but not deployment governance or access control, and Option B's SCP cannot grant access to anything: SCPs only restrict permissions.
Option C adds a cross-account IAM role with a broad managed policy, which is less secure than native Service Catalog sharing.
AWS documentation identifies AWS Service Catalog with AWS Organizations as the recommended pattern for secure, standardized multi-account deployments.
AWS Certified Security - Specialty Official Study Guide
AWS Service Catalog Administrator Guide
AWS Organizations Best Practices
