Practice Free SCS-C03 Exam Online Questions
A company has several Amazon S3 buckets that do not enforce encryption in transit. A security engineer must implement a solution that enforces encryption in transit for all the company’s existing and future S3 buckets.
Which solution will meet these requirements?
- A . Enable AWS Config. Create a proactive AWS Config Custom Policy rule. Create a Guard clause to evaluate the S3 bucket policies to check for a value of True for the aws:SecureTransport condition key. If the AWS Config rule evaluates to NON_COMPLIANT, block resource creation.
- B . Enable AWS Config. Configure the s3-bucket-ssl-requests-only AWS Config managed rule and set the rule trigger type to Hybrid. Create an AWS Systems Manager Automation runbook that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure automatic remediation. Set the runbook as the target of the rule.
- C . Enable Amazon Inspector. Create a custom AWS Lambda rule. Create a Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Set the Lambda function as the target of the rule.
- D . Create an AWS CloudTrail trail. Enable S3 data events on the trail. Create an AWS Lambda function that applies a bucket policy to deny requests when the value of the aws:SecureTransport condition key is False. Configure the CloudTrail trail to invoke the Lambda function.
B
Explanation:
To enforce encryption in transit for Amazon S3, AWS best practice is to require HTTPS (TLS) by using a bucket policy condition that denies any request where aws:SecureTransport is false. The requirement includes both existing buckets and future buckets, so the control must continuously evaluate configuration drift and automatically remediate. AWS Config is the service intended for continuous configuration compliance monitoring across resources, and AWS Config managed rules provide standardized checks with low operational overhead. The s3-bucket-ssl-requests-only managed rule evaluates whether S3 buckets enforce SSL-only requests, aligning directly with enforcing encryption in transit. Setting the trigger type to Hybrid ensures evaluation both on configuration changes and periodically. Automatic remediation with an AWS Systems Manager Automation runbook allows the organization to apply or correct the bucket policy consistently at scale without manual work. This approach also supports governance by maintaining a measurable compliance status while actively fixing noncompliance.
Option A is not the best fit because a “proactive” custom policy rule does not by itself remediate existing buckets and “block resource creation” is not how AWS Config enforces controls.
Option C is incorrect because Amazon Inspector is a vulnerability management service and does not govern S3 bucket transport policies.
Option D is inefficient and indirect because CloudTrail data events are not a compliance engine and would require custom processing.
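As an added illustration (not code from the page or from AWS), the following Python reproduces the two halves of option B offline: the check the s3-bucket-ssl-requests-only rule makes against a bucket policy, and the remediation the runbook applies. The bucket name and the existing policy are constructed.

```python
from copy import deepcopy

# Constructed bucket name and existing policy (not from the page): the policy grants one
# role read access and says nothing about transport, so the bucket is NON_COMPLIANT.
BUCKET = "example-company-logs"
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadFromAnalyticsRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

def ssl_only_statement(bucket):
    """The deny statement the remediation runbook applies: refuse every request
    (bucket-level or object-level) that did not arrive over TLS."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def enforces_ssl_only(policy, bucket):
    """The check s3-bucket-ssl-requests-only makes: a Deny for every principal, on s3:*
    for both the bucket and its objects, conditioned on aws:SecureTransport being false."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in _as_list(stmt.get("Action")):
            continue
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if str(secure).lower() != "false":
            continue
        resources = _as_list(stmt.get("Resource"))
        covers_bucket = any(r in ("*", "arn:aws:s3:::*", bucket_arn) for r in resources)
        covers_objects = any(r in ("*", "arn:aws:s3:::*", bucket_arn + "/*") for r in resources)
        if covers_bucket and covers_objects:
            return True
    return False

def remediate(policy, bucket):
    """What the Automation runbook does: keep the existing statements, add the deny
    statement only when it is missing, and return the policy to put on the bucket."""
    new_policy = deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    if not enforces_ssl_only(new_policy, bucket):
        new_policy.setdefault("Statement", []).append(ssl_only_statement(bucket))
    return new_policy

if __name__ == "__main__":
    print("compliant before:", enforces_ssl_only(EXISTING_POLICY, BUCKET))                    # False
    print("compliant after:", enforces_ssl_only(remediate(EXISTING_POLICY, BUCKET), BUCKET))  # True
```

Running `remediate` a second time on an already compliant policy is a no-op, which is the idempotence an automatic remediation target needs.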
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Config Managed Rules for S3 Compliance
Amazon S3 Security Best Practices for SSL-only Access
A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.
The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.
Which solution will meet this requirement?
- A . Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.
- B . Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.
- C . Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.
- D . Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.
B
Explanation:
When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record the CloudFront edge location IP addresses as the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security - Specialty Study Guide and the AWS WAF and CloudFront integration documentation.
To preserve the original client IP address, CloudFront automatically adds the X-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.
Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs.
Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF.
Option D is unnecessary because CloudFront already provides the required information through the standard X-Forwarded-For header.
AWS documentation consistently states that X-Forwarded-For is the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.
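An added example, not part of the original page: parsing one constructed AWS WAF log record from the ALB's web ACL and recovering the viewer address from X-Forwarded-For. It also carries the caveat an investigator needs: CloudFront appends the viewer address to the end of any X-Forwarded-For value the client already sent, so with CloudFront as the single trusted hop the trustworthy entry is the last one, not the first.

```python
import ipaddress
import json

# Constructed AWS WAF log record from the ALB's web ACL, shaped like the real JSON log
# format but with made-up values: 192.0.2.10 stands in for a CloudFront edge address and
# 203.0.113.45 for the viewer. Only the fields this example reads are filled in.
SAMPLE_LOG_LINE = json.dumps({
    "timestamp": 1700000000000,
    "action": "ALLOW",
    "httpRequest": {
        "clientIp": "192.0.2.10",
        "uri": "/login",
        "headers": [
            {"name": "Host", "value": "app.example.com"},
            # a client-supplied X-Forwarded-For (10.9.9.9) with the viewer address that
            # CloudFront appended at the end
            {"name": "X-Forwarded-For", "value": "10.9.9.9, 203.0.113.45"},
        ],
    },
})

# Proxies trusted to have appended an address. For a web ACL on an ALB that is the
# origin of a CloudFront distribution, exactly one hop (CloudFront) is in front of it.
TRUSTED_HOPS = 1

def header_value(record, name):
    """WAF logs store headers as a list of {name, value}; names are case-insensitive."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def original_client_ip(record, trusted_hops=TRUSTED_HOPS):
    """Return the viewer address that the trusted proxy appended to X-Forwarded-For.

    CloudFront appends the viewer's IP to the end of any X-Forwarded-For it received, so
    with one trusted hop the viewer is the last entry; anything before it was supplied by
    the client and must not be trusted. Falls back to clientIp (the edge address) when
    the header is absent.
    """
    xff = header_value(record, "X-Forwarded-For")
    if not xff:
        return record["httpRequest"]["clientIp"]
    chain = [p.strip() for p in xff.split(",") if p.strip()]
    if len(chain) < trusted_hops:
        raise ValueError(f"X-Forwarded-For has fewer entries than trusted hops: {xff!r}")
    viewer = chain[-trusted_hops]
    ipaddress.ip_address(viewer)  # raises ValueError on a malformed entry
    return viewer

def parse_waf_log(line):
    """Reduce one WAF log line to the fields an investigator pivots on."""
    record = json.loads(line)
    return {
        "edge_ip": record["httpRequest"]["clientIp"],
        "viewer_ip": original_client_ip(record),
        "uri": record["httpRequest"]["uri"],
        "action": record["action"],
    }

if __name__ == "__main__":
    print(parse_waf_log(SAMPLE_LOG_LINE))
```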
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS WAF Developer Guide - Logging
Amazon CloudFront Developer Guide - Request Headers
A company is planning to deploy a new log analysis environment. The company needs to analyze logs from multiple AWS services in near real time. The solution must provide the ability to search the logs and must send alerts to an existing Amazon Simple Notification Service (Amazon SNS) topic when specific logs match detection rules.
Which solution will meet these requirements?
- A . Analyze the logs by using Amazon OpenSearch Service. Search the logs from the OpenSearch API. Use OpenSearch Service Security Analytics to match logs with detection rules and to send alerts to the SNS topic.
- B . Analyze the logs by using AWS Security Hub. Search the logs from the Findings page in Security Hub. Create custom actions to match logs with detection rules and to send alerts to the SNS topic.
- C . Analyze the logs by using Amazon CloudWatch Logs. Use a subscription filter to match logs with detection rules and to send alerts to the SNS topic. Search the logs manually by using CloudWatch Logs Insights.
- D . Analyze the logs by using Amazon QuickSight. Search the logs by listing the query results in a dashboard. Run queries to match logs with detection rules and to send alerts to the SNS topic.
A
Explanation:
Amazon OpenSearch Service is designed for near real-time log ingestion, indexing, and search across large volumes of data. According to the AWS Certified Security - Specialty Study Guide, OpenSearch supports advanced log analytics use cases and integrates with OpenSearch Security Analytics, which provides prebuilt and custom detection rules.
Security Analytics can continuously evaluate incoming logs from multiple AWS services and generate alerts when detection rules are matched. These alerts can be forwarded to Amazon SNS with minimal configuration. OpenSearch also provides powerful search and query capabilities through APIs and dashboards.
Option C supports detection but lacks advanced correlation and scalable search capabilities.
Option B is incorrect because AWS Security Hub is not a log analytics service.
Option D is incorrect because Amazon QuickSight is a visualization service and does not support real-time detection.
AWS guidance recommends OpenSearch Service for centralized, near real-time log analysis and alerting.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon OpenSearch Service Security Analytics
AWS Logging and Monitoring Architecture
A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler.
The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization’s management account when the management account is not required.
Which solution will meet these requirements?
- A . Create a CloudFormation stack set in the organization’s management account and manually add new accounts.
- B . Configure a delegated administrator account for AWS CloudFormation. Create a CloudFormation StackSet in the delegated administrator account targeting the organization root with automatic deployment enabled.
- C . Use Systems Manager delegated administration and Automation to deploy the Lambda function and schedule.
- D . Create a Systems Manager Automation runbook in the management account and share it to accounts.
B
Explanation:
AWS Organizations and CloudFormation StackSets provide an organizational deployment mechanism for consistent infrastructure across accounts. AWS Certified Security - Specialty guidance emphasizes minimizing use of the management account and using delegated administrator capabilities where available for centralized governance while reducing blast radius. By configuring a delegated administrator account for AWS CloudFormation, the company can create and manage StackSets without performing day-to-day deployment operations from the management account. Targeting the organization root ensures the StackSet deploys to all existing accounts. Enabling automatic deployment ensures that any future accounts that join the organization (or move into targeted OUs, depending on configuration) automatically receive the monitoring service without manual intervention. This directly meets the requirement to deploy to all existing and future accounts with minimal effort.
Option A requires ongoing manual updates when accounts are added, increasing operational overhead. Options C and D rely on Systems Manager Automation, which can work but introduces additional operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared to StackSets with auto-deployment. StackSets also provide consistent change control, drift detection, and centralized update mechanisms, which align with governance expectations for compliance tooling.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Organizations Delegated Administration
AWS CloudFormation StackSets for Multi-Account Governance
A company is using AWS CloudTrail and Amazon CloudWatch to monitor resources in an AWS account. The company’s developers have been using an IAM role in the account for the last 3 months.
A security engineer needs to refine the customer managed IAM policy attached to the role to ensure that the role provides least privilege access.
Which solution will meet this requirement with the LEAST effort?
- A . Implement AWS IAM Access Analyzer policy generation on the role.
- B . Implement AWS IAM Access Analyzer policy validation on the role.
- C . Search CloudWatch logs to determine the actions the role invoked and to evaluate the permissions.
- D . Use AWS Trusted Advisor to compare the policies assigned to the role against AWS best practices.
A
Explanation:
AWS IAM Access Analyzer policy generation is specifically designed to help security engineers generate least-privilege IAM policies based on actual usage recorded in AWS CloudTrail. According to the AWS Certified Security - Specialty documentation, policy generation analyzes historical CloudTrail data to identify the exact API actions and resources that a role has accessed over a specified time period.
Because the role has been actively used for three months, there is sufficient CloudTrail data for IAM Access Analyzer to generate a refined customer managed policy automatically. This significantly reduces manual effort and eliminates the need to analyze logs or infer permissions. The generated policy can be reviewed and attached directly to the role, ensuring least privilege access with minimal engineering effort.
Option B only validates existing policies for security warnings and does not reduce permissions.
Option C requires manual analysis of CloudWatch logs, which is time-consuming and error-prone.
Option D does not analyze real usage and cannot generate role-specific least privilege policies.
AWS documentation explicitly recommends IAM Access Analyzer policy generation as the fastest and most accurate method to refine IAM permissions based on observed behavior.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS IAM Access Analyzer Policy Generation
AWS IAM Least Privilege Best Practices
A company needs to identify the root cause of security findings and investigate IAM roles involved in those findings. The company has enabled VPC Flow Logs, Amazon GuardDuty, and AWS CloudTrail.
Which solution will meet these requirements?
- A . Use Amazon Detective to investigate IAM roles and visualize findings.
- B . Use Amazon Inspector and CloudWatch dashboards.
- C . Export GuardDuty findings to S3 and analyze with Athena.
- D . Use Security Hub custom actions to investigate IAM roles.
A
Explanation:
Amazon Detective is specifically designed to help security teams investigate and visualize the root cause of security findings. According to AWS Certified Security - Specialty documentation, Detective automatically aggregates and correlates data from GuardDuty, CloudTrail, and VPC Flow Logs to provide interactive visualizations and timelines.
Detective enables investigators to pivot from GuardDuty findings to IAM roles, API calls, network traffic, and resource behavior. This makes it the most efficient tool for understanding how IAM roles were used during suspicious activity.
Amazon Inspector focuses on vulnerability assessment, not behavioral investigation. Security Hub aggregates findings but does not provide deep investigation graphs. Manual analysis with Athena requires significantly more effort.
AWS guidance explicitly recommends Amazon Detective for root cause analysis and visualization of security incidents.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
Amazon Detective Investigation Capabilities
AWS Threat Detection and Analysis
AWS Config cannot deliver configuration snapshots to Amazon S3.
Which TWO actions will remediate this issue?
- A . Verify the S3 bucket policy allows config.amazonaws.com.
- B . Verify the IAM role has s3:GetBucketAcl and s3:PutObject permissions.
- C . Verify the S3 bucket can assume the IAM role.
- D . Verify IAM policy allows AWS Config to write logs.
- E . Modify AWS Config API permissions.
A, B
Explanation:
AWS Config requires permissions at two levels to deliver configuration data: the AWS Config service role and the S3 bucket policy. The AWS Certified Security - Specialty Study Guide states that the S3 bucket policy must explicitly allow the config.amazonaws.com service principal to write objects. Additionally, the IAM role used by AWS Config must allow s3:GetBucketAcl and s3:PutObject.
If either permission is missing, AWS Config cannot deliver snapshots and will log delivery errors in CloudTrail. This dual-permission model ensures least privilege while maintaining secure delivery of compliance data.
Other options reference incorrect principals or irrelevant permissions.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS Config Prerequisites
A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company’s AWS account by using OpenID Connect (OIDC).
Which solution will meet these requirements?
- A . Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM) federation. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
- B . Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that uses OIDC. Modify the trust policy of the IAM role to allow the code repositories to assume the IAM role.
- C . Set up an account instance of AWS IAM Identity Center. Configure access to the code repositories as a customer managed OIDC application. Grant the application access to the IAM role.
- D . Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses OIDC. Limit the resource share to the specified code repositories. Grant the IAM role access to the resource share.
A
Explanation:
AWS IAM supports identity federation by allowing external identity providers that use OpenID Connect (OIDC) to authenticate and assume IAM roles. According to the AWS Certified Security - Specialty documentation, IAM OIDC identity providers are the recommended approach for enabling third-party systems, such as external CI/CD pipelines or Git-based repositories, to securely obtain temporary AWS credentials without using long-term access keys.
By creating an OIDC identity provider in IAM and configuring the IAM role trust policy to trust the external IdP, the company enables secure, token-based authentication. The trust policy can include conditions that restrict which repositories, branches, or workflows are allowed to assume the role, enforcing least privilege. AWS Security Specialty guidance emphasizes that this method eliminates static credentials and relies on short-lived tokens issued by the OIDC provider.
Option B is incorrect because IAM Roles Anywhere is designed for workloads running outside AWS that use X.509 certificates, not OIDC.
Option C is intended for workforce identity federation, not machine-to-machine authentication.
Option D is invalid because AWS RAM does not provide identity federation or authentication capabilities.
This solution aligns with AWS best practices for secure, scalable, and low-overhead authentication for external workloads.
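The trust policy this answer describes, as an added Python example (not from the page or from AWS documentation): it builds the role's trust policy for an IAM OIDC provider with aud and sub conditions, then replays those conditions against a token's claims the way STS does before issuing credentials. The account ID, issuer host, audience and the layout of the sub claim are assumed values; a real repository platform documents its own claim layout.

```python
import fnmatch

# Assumed values (not from the page): the AWS account, the OIDC issuer host of the code
# repository platform, the audience its tokens carry, and the layout of the sub claim
# (repository plus branch).
ACCOUNT_ID = "123456789012"
PROVIDER_HOST = "git.example.com"
AUDIENCE = "sts.amazonaws.com"
ALLOWED_SUB = "repo:example-org/infra:ref:refs/heads/main"

def trust_policy(account_id, provider_host, audience, allowed_sub):
    """Trust policy for an IAM role that an OIDC identity provider may assume.

    The Federated principal is the IAM OIDC provider created for the issuer; the aud
    condition pins the token audience, and the sub condition pins which repository and
    branch may assume the role (StringLike so a '*' can widen it deliberately).
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider_host}:aud": audience},
                "StringLike": {f"{provider_host}:sub": allowed_sub},
            },
        }],
    }

def claims_satisfy(policy, provider_host, claims):
    """Replay the trust policy's conditions against the claims of a presented token.

    Every StringEquals key must match exactly and every StringLike key must match with
    IAM's '*' / '?' wildcards (fnmatchcase handles those two the same way). A token from
    another issuer, another audience, or another repository/branch is refused.
    """
    conditions = policy["Statement"][0]["Condition"]
    for key, expected in conditions.get("StringEquals", {}).items():
        host, claim = key.rsplit(":", 1)
        if host != provider_host or claims.get(claim) != expected:
            return False
    for key, pattern in conditions.get("StringLike", {}).items():
        host, claim = key.rsplit(":", 1)
        if host != provider_host or not fnmatch.fnmatchcase(str(claims.get(claim, "")), pattern):
            return False
    return True

if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, PROVIDER_HOST, AUDIENCE, ALLOWED_SUB)
    main_branch = {"aud": AUDIENCE, "sub": ALLOWED_SUB}
    feature_branch = {"aud": AUDIENCE, "sub": "repo:example-org/infra:ref:refs/heads/feature-x"}
    print(claims_satisfy(policy, PROVIDER_HOST, main_branch))     # True
    print(claims_satisfy(policy, PROVIDER_HOST, feature_branch))  # False
```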
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS IAM OIDC Identity Providers
AWS IAM Role Trust Policies
A company uses AWS IAM Identity Center with SAML 2.0 federation. The company decides to change its federation source from one identity provider (IdP) to another. The underlying directory for both IdPs is Active Directory.
Which solution will meet this requirement?
- A . Disable all existing users and groups within IAM Identity Center that were part of the federation with the original IdP.
- B . Modify the attribute mappings within the IAM Identity Center trust relationship to match information that the new IdP sends.
- C . Reconfigure all existing IAM roles in the company’s AWS accounts to explicitly trust the new IdP as the principal.
- D . Confirm that the Network Time Protocol (NTP) clock skew is correctly set between IAM Identity Center and the new IdP endpoints.
B
Explanation:
AWS IAM Identity Center relies on SAML assertions and attribute mappings to associate federated users with identities, groups, and permission sets. According to the AWS Certified Security - Specialty documentation, when changing identity providers while maintaining the same underlying directory, existing users and group identities can be preserved by updating attribute mappings to align with the new IdP’s SAML assertions.
By modifying the attribute mappings, IAM Identity Center can correctly interpret usernames, group memberships, and unique identifiers sent by the new IdP without requiring changes to AWS account roles or permission sets. This approach minimizes operational effort and avoids disruption to access management.
Option A unnecessarily disables identities and causes access outages.
Option C is incorrect because IAM Identity Center abstracts role trust relationships, and roles do not directly trust the IdP.
Option D is unrelated to federation source configuration and only affects authentication timing issues.
AWS best practices recommend updating attribute mappings when switching IdPs that share the same directory source.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
AWS IAM Identity Center SAML Federation
AWS Identity Federation Best Practices
A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.
Which solution will prevent direct access to the ALB?
- A . Use AWS PrivateLink with the ALB.
- B . Replace the ALB with an internal ALB.
- C . Restrict ALB listener rules to CloudFront IP ranges.
- D . Require a custom header from CloudFront and validate it at the ALB.
D
Explanation:
AWS best practices recommend using a shared secret header between CloudFront and ALB origins to prevent direct access. CloudFront injects a custom header, and the ALB listener rules validate its presence.
IP-based controls are brittle due to CloudFront IP changes. PrivateLink and internal ALBs are not supported as CloudFront origins. Header validation is the most reliable and widely recommended pattern.
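As an added example (not the page's or AWS's own code), assuming a header name, a generated shared secret and a placeholder target group ARN: the ALB listener rule and default action for the pattern above, in the shape boto3's elbv2 create_rule and create_listener calls take, plus a small simulation of how the listener treats a request that arrived through CloudFront and one that hit the ALB directly.

```python
import hmac
import secrets

# Assumed names and values (not from the page): the custom header name, a shared secret
# generated at deployment time (in practice stored in Secrets Manager and rotated), and a
# placeholder target group ARN.
HEADER_NAME = "X-Origin-Verify"
SHARED_SECRET = secrets.token_hex(32)
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/app/PLACEHOLDER"

def listener_rule(header_name, secret, target_group_arn, priority=1):
    """Listener rule in the shape boto3 elbv2.create_rule takes: forward to the targets
    only when the header carries the expected value. CloudFront is configured to add the
    same header and value to origin requests as an origin custom header."""
    return {
        "Priority": priority,
        "Conditions": [{
            "Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": header_name, "Values": [secret]},
        }],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }

def default_action():
    """Listener default action: a request that matched no rule (one that reached the ALB
    directly, skipping CloudFront and the web ACL) gets a fixed 403 instead of the app."""
    return {
        "Type": "fixed-response",
        "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                                "MessageBody": "Forbidden"},
    }

def alb_decision(request_headers, rule, default):
    """Simulate the listener for one request: header names compare case-insensitively,
    values literally. The real ALB does its own literal match; compare_digest is the
    habit to keep if the header is ever validated in application code instead."""
    cfg = rule["Conditions"][0]["HttpHeaderConfig"]
    wanted = cfg["HttpHeaderName"].lower()
    presented = next((v for k, v in request_headers.items() if k.lower() == wanted), None)
    if presented is not None and any(
        hmac.compare_digest(presented.encode(), v.encode()) for v in cfg["Values"]
    ):
        return rule["Actions"][0]
    return default

if __name__ == "__main__":
    rule = listener_rule(HEADER_NAME, SHARED_SECRET, TARGET_GROUP_ARN)
    via_cloudfront = {"Host": "app.example.com", HEADER_NAME: SHARED_SECRET}
    direct = {"Host": "alb-1234.us-east-1.elb.amazonaws.com"}
    print(alb_decision(via_cloudfront, rule, default_action())["Type"])  # forward
    print(alb_decision(direct, rule, default_action())["Type"])          # fixed-response
```

Rotating the secret means updating the CloudFront origin custom header and the listener rule together; adding the new value to `Values` before removing the old one avoids a window of 403s.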
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
CloudFront Origin Protection
AWS WAF and ALB Integration
