Practice Free SCS-C03 Exam Online Questions
A company’s developers are using AWS Lambda function URLs to invoke functions directly. The company must ensure that developers cannot configure or deploy unauthenticated functions in production accounts. The company wants to meet this requirement by using AWS Organizations. The solution must not require additional work for the developers.
Which solution will meet these requirements?
- A . Require the developers to configure all function URLs to support cross-origin resource sharing (CORS) when the functions are called from a different domain.
- B . Use an AWS WAF delegated administrator account to view and block unauthenticated access to function URLs in production accounts, based on the OU of accounts that are using the functions.
- C . Use SCPs to allow all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of AWS_IAM.
- D . Use SCPs to deny all lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig actions that have a lambda:FunctionUrlAuthType condition key value of NONE.
D
Explanation:
AWS Organizations service control policies (SCPs) are preventive guardrails that apply across accounts without any application-level change. According to the AWS Certified Security - Specialty documentation, SCPs can restrict specific API actions, including actions whose request carries a particular condition key value, to enforce security standards centrally. AWS Lambda function URLs support two authentication types, AWS_IAM and NONE. With NONE, the function URL can be invoked by anyone who knows it, which is a significant risk in production environments.
An SCP that denies lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig when the lambda:FunctionUrlAuthType condition key equals NONE prevents unauthenticated function URLs from being created or reconfigured in the accounts it covers. The control is enforced by AWS Organizations and applies to every account under the organizational units (OUs) the SCP is attached to; developers keep their existing workflows, which satisfies the no-additional-effort requirement. Two caveats a practitioner should keep in mind: SCPs do not apply to the management account, and an SCP is not retroactive, so function URLs already configured with NONE must be found and remediated separately.
Option A relates to browser cross-origin controls; CORS does not authenticate or authorize anyone.
Option B is not valid because AWS WAF cannot be associated with Lambda function URLs.
Option C is incorrect because SCPs never grant permissions; they only set the maximum permissions available in an account. A request must be allowed by both the applicable SCPs and an IAM identity or resource policy, and an Allow statement scoped to AWS_IAM does nothing to block the NONE case.
This approach aligns with AWS best practices for centralized governance, least privilege, and preventive security controls.
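The following SCP is an added example of option D and is not taken from the original page or from AWS documentation. It denies the two function-URL configuration actions whenever the request sets the auth type to NONE and leaves the AWS_IAM path untouched. The statement ID is arbitrary; the policy is meant to be attached to the production OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnauthenticatedLambdaFunctionUrls",
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunctionUrlConfig",
        "lambda:UpdateFunctionUrlConfig"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionUrlAuthType": "NONE"
        }
      }
    }
  ]
}
```

Because the SCP only blocks new and changed configurations, audit existing functions with `aws lambda list-function-url-configs --function-name <name>` in each production account and remediate any entry whose AuthType is NONE.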
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Organizations Service Control Policies Documentation
AWS Lambda Security and Function URL Authentication Overview
A company’s data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.
Which action should enforce this policy?
- A . Configure an S3 Lifecycle rule to delete objects after 45 days.
- B . Create a Lambda function triggered on object upload to delete old data.
- C . Create a scheduled Lambda function to delete old objects monthly.
- D . Configure S3 Intelligent-Tiering.
A
Explanation:
Amazon S3 Lifecycle rules are the native way to enforce data retention on S3 objects. AWS Certified Security - Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and the risk of a failed or skipped run.
Lifecycle rules expire objects a set number of days after creation, with no compute to run or monitor. On a bucket with versioning enabled, an Expiration action only adds a delete marker, so a NoncurrentVersionExpiration action is also needed to remove the underlying data. The Lambda-based options (B and C) add cost and management overhead and, in option B, act only when something is uploaded. Intelligent-Tiering (D) moves objects between storage classes to manage cost; it never deletes data.
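As an added example, not from the original page, here is a lifecycle configuration in the shape accepted by the S3 PutBucketLifecycleConfiguration API. The `datasets/` prefix and the 7-day multipart cleanup are assumptions; the 45-day figure comes from the question. The NoncurrentVersionExpiration action covers the versioned-bucket case described above, and AbortIncompleteMultipartUpload removes abandoned upload parts that would otherwise persist.

```json
{
  "Rules": [
    {
      "ID": "expire-datasets-after-45-days",
      "Status": "Enabled",
      "Filter": {
        "Prefix": "datasets/"
      },
      "Expiration": {
        "Days": 45
      },
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": 45
      },
      "AbortIncompleteMultipartUpload": {
        "DaysAfterInitiation": 7
      }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-lifecycle-configuration --bucket <bucket> --lifecycle-configuration file://lifecycle.json`. Lifecycle actions run once a day, so objects are removed within about a day of crossing the threshold rather than at an exact moment.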
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon S3 Lifecycle Management
A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company’s AWS account by using OpenID Connect (OIDC).
Which solution will meet these requirements?
- A . Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
- B . Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OIDC. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
- C . Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role.
- D . Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OIDC. Limit the resource share to the specified code repositories. Grant the IAM role access to the resource share.
A
Explanation:
AWS IAM supports identity federation with external identity providers that speak OpenID Connect (OIDC), allowing their tokens to be exchanged for temporary credentials through sts:AssumeRoleWithWebIdentity. According to the AWS Certified Security - Specialty documentation, an IAM OIDC identity provider is the recommended way for third-party systems such as external CI/CD pipelines or Git-based repositories to obtain short-lived AWS credentials without long-term access keys.
By creating the OIDC identity provider in IAM and changing the role's trust policy to trust that provider, the company enables token-based authentication. The trust policy should include conditions on the token's aud and sub claims so that only specific repositories, branches, or workflows can assume the role; without those conditions, any token the provider issues would qualify. This method eliminates static credentials stored in the repository platform and relies on short-lived tokens issued by the OIDC provider.
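The trust policy below is an added example, not code from the original page or from any particular Git hosting provider. The issuer host `git.example.com`, the account ID `111122223333`, and the `repo:<org>/<repo>:ref:<branch>` layout of the sub claim are assumptions modelled on common Git hosting providers; check the provider's documentation for its real claim format. IAM builds the condition keys from the issuer host, so they are `<issuer-host>:aud` and `<issuer-host>:sub`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/git.example.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "git.example.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "git.example.com:sub": "repo:example-org/infra-*:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

The aud value must match a client ID registered on the IAM OIDC provider, and the sub pattern pins the role to the main branch of the matching repositories. A policy with only the Federated principal and no Condition block is a common misconfiguration: it lets every token from that issuer assume the role.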
Option B is incorrect because IAM Roles Anywhere is designed for workloads running outside AWS that use X.509 certificates, not OIDC.
Option C is intended for workforce identity federation, not machine-to-machine authentication.
Option D is invalid because AWS RAM does not provide identity federation or authentication capabilities.
This solution aligns with AWS best practices for secure, scalable, and low-overhead authentication for external workloads.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS IAM OIDC Identity Providers
AWS IAM Role Trust Policies
A company creates AWS Lambda functions from container images that are stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to identify any software vulnerabilities in the container images and any code vulnerabilities in the Lambda functions.
Which solution will meet these requirements?
- A . Enable Amazon GuardDuty. Configure Amazon ECR scanning and Lambda code scanning in GuardDuty.
- B . Enable Amazon GuardDuty. Configure Runtime Monitoring and Lambda Protection in GuardDuty.
- C . Enable Amazon Inspector. Configure Amazon ECR enhanced scanning and Lambda code scanning in Amazon Inspector.
- D . Enable AWS Security Hub. Configure Runtime Monitoring and Lambda Protection in Security Hub.
C
Explanation:
Amazon Inspector is the AWS vulnerability management service for compute workloads, including container images in Amazon ECR and AWS Lambda functions. According to the AWS Certified Security - Specialty documentation, Amazon Inspector enhanced scanning for ECR continuously scans images for known vulnerabilities (CVEs) in operating system packages and application dependencies.
For Lambda, Inspector standard scanning finds known vulnerabilities in a function's package dependencies, and Lambda code scanning analyzes the function's own code for issues such as injection flaws and embedded credentials. Findings carry severity ratings and remediation guidance so security teams can prioritize.
Amazon GuardDuty is a threat detection service that analyzes activity and telemetry for signs of compromise; it does not perform static vulnerability scanning of container images or Lambda code. AWS Security Hub aggregates and normalizes findings from other services but does not scan anything itself.
AWS best practices recommend Amazon Inspector for vulnerability detection in container images and serverless workloads.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon Inspector for ECR and Lambda
AWS Vulnerability Management Best Practices
A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.
Which solution will meet these requirements?
- A . Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
- B . Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.
- C . Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).
- D . Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.
D
Explanation:
Amazon WorkSpaces is a fully managed desktop-as-a-service offering that minimizes infrastructure and operational overhead. According to AWS Certified Security - Specialty documentation, WorkSpaces supports device trust: the directory can be configured to allow access only from clients that present a certificate issued by a certificate authority the company imports.
By deploying client certificates only to company-managed devices and enforcing restricted access at the directory level, the organization ensures that only trusted endpoints can authenticate. This approach avoids the cost and complexity of building and maintaining a custom VDI or managing individual EC2 instances.
Options A and B significantly increase cost and management overhead.
Option C is incorrect because IAM does not control WorkSpaces client authentication or device trust, and IP restrictions identify networks, not company-provided devices.
AWS best practices highlight Amazon WorkSpaces with certificate-based device trust as the most efficient solution for secure, managed desktops.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon WorkSpaces Security Controls
Amazon WorkSpaces Device Trust
An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?
- A . The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
- B . The Lambda function was invoked by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.
- C . The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
- D . The version of the Lambda function that was invoked was not current.
A
Explanation:
AWS Lambda automatically sends whatever a function writes to stdout or stderr, plus the runtime's START, END, and REPORT lines, to Amazon CloudWatch Logs. Delivery depends on the function's execution role: according to the AWS Certified Security - Specialty Study Guide, the role must be allowed logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents (the AWSLambdaBasicExecutionRole managed policy grants exactly these).
If those permissions are missing, Lambda cannot create the log group or stream and no execution logs appear in CloudWatch Logs, even though the invocations succeeded. This is a common reason Lambda logs are unavailable during an investigation. Note that CloudWatch Logs shows only the function's output; the identity that called Invoke is recorded in AWS CloudTrail data events, which must be enabled for Lambda.
Option B is incorrect because Lambda logs go to CloudWatch Logs regardless of whether the invocation came from API Gateway, EventBridge, or another source.
Option C is incorrect because CloudWatch Logs does not store log data in a customer S3 bucket and requires no S3 permissions from the execution role.
Option D is irrelevant because every version of a function, including $LATEST, logs to the same log group (/aws/lambda/<function-name>).
AWS documentation emphasizes verifying execution role permissions as a first step when Lambda logs are missing.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Lambda Execution Roles
Amazon CloudWatch Logs Integration with Lambda
A security engineer wants to forward custom application-security logs from an Amazon EC2 instance to Amazon CloudWatch. The security engineer installs the CloudWatch agent on the EC2 instance and adds the path of the logs to the CloudWatch configuration file.
However, CloudWatch does not receive the logs. The security engineer verifies that the awslogs service is running on the EC2 instance.
What should the security engineer do next to resolve the issue?
- A . Add AWS CloudTrail to the trust policy of the EC2 instance. Send the custom logs to CloudTrail instead of CloudWatch.
- B . Add Amazon S3 to the trust policy of the EC2 instance. Configure the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs.
- C . Add Amazon Inspector to the trust policy of the EC2 instance. Use Amazon Inspector instead of the CloudWatch agent to collect the custom logs.
- D . Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.
D
Explanation:
The Amazon CloudWatch agent needs explicit IAM permissions to create log groups and log streams and to put log events into Amazon CloudWatch Logs. According to the AWS Certified Security - Specialty Study Guide, the most common cause of CloudWatch agent log delivery failures is missing or insufficient IAM permissions on the EC2 instance role. Because the agent is running and the log path is configured, the role is the next thing to check; the agent's own log (/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log on Linux) records the AccessDenied errors.
The CloudWatchAgentServerPolicy AWS managed policy provides the required permissions, including logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, and cloudwatch:PutMetricData. Attaching it to the EC2 instance role lets the agent deliver the custom application logs without changing the application or the agent configuration.
Options A, B, and C are incorrect because CloudTrail, Amazon S3, and Amazon Inspector are not designed to ingest custom application logs from EC2 instances in this manner. AWS documentation clearly states that IAM permissions must be granted to the EC2 role for CloudWatch Logs ingestion.
This approach aligns with AWS best practices for least privilege while ensuring reliable detection and monitoring capabilities.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon CloudWatch Logs Agent Configuration
AWS IAM Best Practices for Monitoring
A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.
Which solution will quarantine EC2 instances during a security incident?
- A . Track SSM Agent versions with AWS Config.
- B . Configure Session Manager to deny external connections.
- C . Store the script in Amazon S3 and grant read access.
- D . Configure IAM permissions for the SSM Agent to run the script as a Systems Manager Run Command document.
D
Explanation:
AWS Systems Manager Run Command executes commands on managed instances through the SSM Agent without inbound ports, SSH keys, or a bastion host. According to the AWS Certified Security - Specialty Study Guide, Run Command is a recommended mechanism for incident response actions such as installing forensic tools, collecting evidence, or applying quarantine controls.
With the instance profile allowed to work with Systems Manager and the responder's identity allowed to call ssm:SendCommand, the security engineer can run the quarantine script on the affected instances as a Run Command document, targeting them by instance ID or tag. Each execution is recorded in CloudTrail and its output can be captured, which gives the automation, scale, and auditability an incident demands.
Options A, B, and C do not directly enforce quarantine or execute response actions. Tracking versions and storing scripts alone do not trigger incident response.
AWS documentation highlights Systems Manager Run Command as a core capability for automated containment and investigation.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Systems Manager Run Command
AWS Incident Response Automation
A company runs a public web application on Amazon EKS behind Amazon CloudFront and an Application Load Balancer (ALB). A security engineer must send a notification to an existing Amazon SNS topic when the application receives 10,000 requests from the same end-user IP address within any 5-minute period.
Which solution will meet these requirements?
- A . Configure CloudFront standard logging and CloudWatch Logs metric filters.
- B . Configure VPC Flow Logs and CloudWatch Logs metric filters.
- C . Configure an AWS WAF web ACL with an ASN match rule and CloudWatch alarms.
- D . Configure an AWS WAF web ACL with a rate-based rule. Associate it with CloudFront. Create a CloudWatch alarm to notify SNS.
D
Explanation:
AWS WAF rate-based rules count requests from each source IP address over a configurable evaluation window and act on addresses that exceed the limit. According to AWS Certified Security - Specialty guidance, web ACLs associate natively with CloudFront and emit CloudWatch metrics that alarms can watch. Associating the web ACL with the CloudFront distribution rather than the ALB matters here: CloudFront sees the end-user IP directly, whereas the ALB sees only CloudFront's edge addresses.
CloudFront standard logs are delivered to S3 in batches, not to CloudWatch Logs, and a metric filter does not give a per-IP request count over a sliding 5-minute window. VPC Flow Logs record CloudFront's edge IPs, not end-user IPs, and are not real time. An ASN match rule matches on the network a request originates from; it does not count request rates.
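As an added example that is not part of the original page, this is a rate-based rule in the form the AWS WAF (wafv2) API accepts inside a web ACL's rules list. The rule name, priority, and metric name are assumptions. The Count action is deliberate: the question asks only for a notification, and Count emits the CountedRequests metric without blocking anyone; switch to `"Block": {}` to also stop the traffic.

```json
{
  "Name": "notify-10k-requests-per-ip-5min",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 10000,
      "EvaluationWindowSec": 300,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "HighRatePerIp"
  }
}
```

The CloudWatch alarm watches the CountedRequests metric in the AWS/WAFV2 namespace, filtered on the Rule dimension HighRatePerIp and the web ACL name, with the existing SNS topic as its alarm action. Metrics for a CloudFront-scoped web ACL are published in the US East (N. Virginia) Region, so the alarm must be created there. If the web ACL had to sit on the ALB instead, AggregateKeyType would need to be FORWARDED_IP with a ForwardedIPConfig reading X-Forwarded-For, since the ALB sees CloudFront's addresses as the source.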
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS WAF Rate-Based Rules
CloudFront and AWS WAF Integration
A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization’s management account.
Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)
- A . Grant least privilege access to the organization’s management account.
- B . Create a new IAM Identity Center directory in the organization’s management account.
- C . Set up a second AWS Region in the organization’s management account.
- D . Create permission sets for use only in the organization’s management account.
- E . Create IAM users for use only in the organization’s management account.
- F . Create user assignments only in the organization’s management account.
B, D, F
Explanation:
IAM Identity Center must be enabled, with its identity source (directory) configured, in the organization's management account before a member account can be registered as delegated administrator. According to the AWS Certified Security - Specialty documentation, a delegated administrator can manage permission sets and user assignments for member accounts, but it cannot manage permission sets that are provisioned in the management account or assignments to the management account; only the management account can.
The recommended preparation is therefore to keep the management account's access separate: create permission sets that are used only in the management account, and create the management account's user assignments there, so that nothing the delegated administrator later manages is shared with the management account.
Option A is too generic and not a required prerequisite step.
Option C is unrelated to Identity Center delegation.
Option E is incorrect because IAM Identity Center uses identities from its directory or external IdPs, not IAM users.
AWS guidance lists enabling the Identity Center directory, creating permission sets used only in the management account, and creating the management account's assignments as the preparatory steps for delegated administration.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS IAM Identity Center Delegated Administration
AWS Organizations and Identity Center Integration
