Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

Amazon Inspector is the AWS service designed specifically for vulnerability management across compute workloads, including Amazon ECR container images and AWS Lambda functions. According to the AWS Certified Security – Specialty documentation, Amazon Inspector provides automated vulnerability assessments for container images stored in ECR by performing enhanced image scanning that identifies common vulnerabilities and exposures (CVEs) in operating systems and application dependencies.

Inspector also supports Lambda code scanning to analyze function packages and container-based Lambda images for known software vulnerabilities. Findings include severity ratings and remediation guidance, allowing security teams to identify and prioritize risks efficiently.

Amazon GuardDuty focuses on threat detection using behavioral analysis and does not perform static vulnerability scanning of container images or Lambda code. AWS Security Hub aggregates findings from other services but does not perform scanning itself.

AWS best practices recommend Amazon Inspector for vulnerability detection in container images and serverless workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector for ECR and Lambda

AWS Vulnerability Management Best Practices

Amazon S3 Lifecycle configuration rules are the native, automated mechanism for managing object retention and deletion. According to AWS Certified Security – Specialty documentation, lifecycle rules can be configured to expire objects based on the number of days since object creation. Once the expiration time is reached, Amazon S3 permanently deletes the objects without manual intervention.

This solution directly enforces a maximum retention period of 72 hours and ensures compliance regardless of whether the vendor downloads the data or not. Lifecycle rules are evaluated continuously by Amazon S3 and do not require scripts, cron jobs, or additional services, making them the most operationally efficient and cost-effective solution.

S3 Versioning controls versions but does not enforce object deletion timelines. S3 Intelligent-Tiering optimizes storage cost but does not delete objects. Presigned URLs only control access duration and do not remove objects from storage.

AWS explicitly recommends lifecycle policies for automated data retention enforcement.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Lifecycle Management

AWS CloudFormation supports dynamic references to AWS Secrets Manager, which allow sensitive values to be retrieved securely at stack runtime. According to AWS Certified Security – Specialty guidance, dynamic references prevent secrets from being stored in plaintext in templates, stack metadata, or logs.

Using dynamic references ensures that secrets remain encrypted at rest and are accessed only when required. CloudFormation does not support SecureString parameters for Secrets Manager references, and encrypting templates does not prevent exposure during execution.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Dynamic References

AWS Secrets Manager Best Practices

AWS Lambda automatically sends function execution logs to Amazon CloudWatch Logs when logging is enabled in the function code. However, this logging capability depends on the Lambda execution role having the appropriate permissions. According to the AWS Certified Security – Specialty Study Guide, the execution role must include permissions such as logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.

If these permissions are missing, Lambda cannot create log groups or streams, and no execution logs will appear in CloudWatch Logs—even though the function was successfully invoked. This is the most common reason Lambda logs are unavailable during forensic investigations.

Option B is incorrect because Lambda logs are stored in CloudWatch Logs regardless of whether the invocation source is API Gateway, EventBridge, or another AWS service. Option C is incorrect because CloudWatch Logs does not require direct S3 permissions from the Lambda execution role. Option D is irrelevant because Lambda versions do not affect logging behavior.

AWS documentation emphasizes verifying execution role permissions as a first step when Lambda logs are missing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Lambda Execution Roles

Amazon CloudWatch Logs Integration with Lambda

Amazon RDS supports point-in-time recovery (PITR) using automated backups within the configured retention window. According to the AWS Certified Security – Specialty Study Guide, PITR allows recovery to any second within the retention period, making it the most precise recovery method following a security incident.

By restoring the database cluster to a point just before the attack occurred, such as 3:14 PM, the security engineer ensures that the restored database reflects the last known good state without including malicious changes. This method is more accurate than restoring from snapshots, which are created at fixed intervals and may not align with the exact recovery time.

Options B and C rely on snapshot timing and may reintroduce compromised data. Option D restores to an arbitrary time and does not meet the requirement to recover to the last known good version.

AWS documentation explicitly recommends point-in-time recovery for incident response scenarios that require precise restoration.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon RDS Automated Backups and PITR

AWS Incident Response and Recovery Guidance

AWS KMS keys are regional resources and cannot be used across Regions. According to AWS Certified Security – Specialty documentation, applications that are deployed in multiple Regions should use region-specific customer managed keys while referencing keys by alias instead of key ID.

By creating a new customer managed key in eu-north-1 and assigning it the same alias as the key in eu-west-1, the application code can continue to reference the alias without modification. Each Region resolves the alias to the correct local key, ensuring encryption continues to function correctly.

Option A is invalid because KMS keys are regional. Option B requires application changes. Option D introduces unsupported alias patterns.

AWS best practices recommend alias-based key references for multi-Region deployments.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Regional Keys and Aliases

AWS KMS Best Practices

AWS Secrets Manager is a regional service that is accessed through private AWS endpoints. In a VPC without internet access, AWS recommends using AWS PrivateLink through interface VPC endpoints to enable secure, private connectivity to supported AWS services. According to AWS Certified Security – Specialty documentation, interface VPC endpoints allow resources within a VPC to communicate with AWS services without traversing the public internet, NAT devices, or internet gateways.

An interface VPC endpoint for Secrets Manager creates elastic network interfaces (ENIs) within the VPC subnets and assigns private IP addresses that route traffic directly to the Secrets Manager service. Because the VPC has private DNS enabled, the standard Secrets Manager DNS hostname resolves to the private IP addresses of the interface endpoint, allowing the Lambda rotation function to communicate securely and transparently.

Option A introduces unnecessary complexity and expands the attack surface by allowing outbound internet access. Option B is incorrect because gateway VPC endpoints are supported only for Amazon S3 and Amazon DynamoDB. Option D violates the security requirement by exposing the VPC to the internet.

AWS security best practices explicitly recommend interface VPC endpoints as the most secure connectivity method for private VPC workloads accessing AWS managed services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Secrets Manager Security Architecture

AWS PrivateLink and Interface VPC Endpoints Documentation

Password policies are enforced at the identity provider where authentication occurs. According to the AWS Certified Security – Specialty Study Guide, when IAM is federated with an external identity provider such as on-premises Active Directory, IAM does not manage or enforce password policies. Instead, password requirements such as minimum length must be enforced directly in Active Directory Group Policy Objects.

Amazon Cognito user pools maintain their own user directory and authentication logic. Cognito provides configurable password policies, including minimum length, complexity, and expiration. To enforce a minimum password length for application users, the Cognito user pool password policy must be updated.

IAM password policies apply only to IAM users that authenticate directly with IAM and do not affect federated users or Cognito users. SCPs and IAM policies cannot enforce password length requirements.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Federation and Password Policies

Amazon Cognito User Pool Security Settings

Amazon S3 Object Lock in compliance mode provides write-once-read-many (WORM) protection, which prevents objects from being modified or deleted for a specified retention period. According to the AWS Certified Security – Specialty Study Guide, compliance mode enforces immutability even for the root user and cannot be overridden.

Enabling S3 Object Lock requires S3 bucket versioning and ensures that once an object is written, it cannot be changed or removed until the retention period expires. This is the strongest protection against data modification and is commonly used for regulatory and legal retention requirements.

Option A can be bypassed by administrators. Option D only protects against deletions, not overwrites. Option C changes encryption but does not prevent modification.

AWS documentation explicitly identifies S3 Object Lock in compliance mode as the correct solution for immutable data storage.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Object Lock

Amazon S3 Data Protection and Compliance

Amazon Cognito identity pools provide temporary AWS credentials by exchanging web identity tokens with AWS STS using AssumeRoleWithWebIdentity. According to AWS Certified Security – Specialty documentation, this is the correct mechanism for granting applications AWS credentials.

User pools authenticate users but do not issue AWS credentials. Identity pools integrate with IAM roles and STS, enabling secure, temporary access to AWS services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Identity Pools

AWS STS Web Identity Federation