Pass the Amazon Web Services AWS Certified Specialty SCS-C03 Questions and answers with CertsForce

AWS IAM supports identity federation by allowing external identity providers that use OpenID Connect (OIDC) to authenticate and assume IAM roles. According to the AWS Certified Security – Specialty documentation, IAM OIDC identity providers are the recommended approach for enabling third-party systems, such as external CI/CD pipelines or Git-based repositories, to securely obtain temporary AWS credentials without using long-term access keys.

By creating an OIDC identity provider in IAM and configuring the IAM role trust policy to trust the external IdP, the company enables secure, token-based authentication. The trust policy can include conditions that restrict which repositories, branches, or workflows are allowed to assume the role, enforcing least privilege. AWS Security Specialty guidance emphasizes that this method eliminates static credentials and relies on short-lived tokens issued by the OIDC provider.

Option B is incorrect because IAM Roles Anywhere is designed for workloads running outside AWS that use X.509 certificates, not OIDC. Option C is intended for workforce identity federation, not machine-to-machine authentication. Option D is invalid because AWS RAM does not provide identity federation or authentication capabilities.

This solution aligns with AWS best practices for secure, scalable, and low-overhead authentication for external workloads.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM OIDC Identity Providers

AWS IAM Role Trust Policies

AWS best practices require CloudFormation to assume a dedicated service role. This ensures consistent permissions regardless of the user. Users must have iam:PassRole permission to pass the role. Updating stacks to use the service role enforces uniform deployment behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Roles

AWS Shield Advanced is the AWS-native managed service specifically designed to provide detection, mitigation, and visibility for Distributed Denial of Service (DDoS) attacks at both the network and application layers. Shield Advanced integrates directly with Amazon CloudWatch by publishing DDoS-related metrics such as DDoSDetected, AttackVolume, and AttackVector, which can be monitored using CloudWatch alarms to trigger alerts in near real time. This makes option D the correct and fully supported solution.

Amazon Macie focuses on discovering and protecting sensitive data (such as PII) in Amazon S3 using machine learning and does not provide DDoS detection capabilities, making option A incorrect. Amazon Inspector is a vulnerability management service that assesses EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure; it does not detect live DDoS attacks, so option B is incorrect. AWS Firewall Manager is a centralized management service for configuring AWS WAF, Shield Advanced, and security groups across accounts, but it does not emit native DDoS detection metrics for alerting, which eliminates option C.

According to AWS Security Specialty documentation, the recommended best practice for DDoS detection and alerting is to enable AWS Shield Advanced and configure Amazon CloudWatch alarms on Shield metrics, optionally integrating with Amazon SNS for notifications and AWS Incident Manager for response automation.

Amazon S3 Block Public Access configured at the AWS account level is the recommended and most effective approach to protect data stored in Amazon S3 while minimizing operational overhead. AWS Security Specialty documentation explains that S3 Block Public Access provides centralized, preventative controls designed to block public access to S3 buckets and objects regardless of individual bucket policies or object-level ACL configurations. When enabled at the account level, these controls automatically apply to all existing and newly created buckets, significantly reducing the risk of accidental exposure caused by misconfigured permissions.

The AWS Certified Security – Specialty Study Guide emphasizes that public access misconfiguration is a leading cause of data leaks in cloud environments. Account-level S3 Block Public Access acts as a guardrail by overriding any attempt to grant public permissions through bucket policies or ACLs. This eliminates the need to manage security settings on a per-bucket or per-object basis, thereby reducing administrative complexity and human error.

Configuring Block Public Access at the object level, as in option B, requires continuous monitoring and manual configuration, which increases operational overhead. Disabling ACLs alone, as described in option C, does not fully prevent public access because bucket policies can still allow public permissions. Using AWS PrivateLink, as in option D, controls network access but does not protect against public exposure through misconfigured S3 policies.

AWS security best practices explicitly recommend enabling S3 Block Public Access at the account level as the primary mechanism for preventing unintended public data exposure with minimal management effort.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Security Best Practices Documentation

Amazon S3 Block Public Access Overview

AWS Well-Architected Framework – Security Pillar

Amazon GuardDuty findings provide high-level detection of suspicious activity but are not designed for deep investigation on their own. The AWS Certified Security – Specialty documentation explains that Amazon Detective is purpose-built to support rapid investigations by automatically collecting, correlating, and visualizing data from GuardDuty, AWS CloudTrail, and VPC Flow Logs. Detective enables security engineers to analyze API calls, user behavior, and resource interactions in context without making any changes to the environment.

Using read-only credentials ensures that the investigation does not impact the production application. Amazon Detective allows investigators to pivot directly from a GuardDuty finding into a detailed activity graph, showing which IAM user made anomalous calls, what resources were accessed, and how behavior deviated from the baseline. This significantly accelerates incident investigation.

Options A and C involve applying DenyAll policies, which are containment actions and could affect application availability. Option D requires manual analysis and setup and is slower than using Amazon Detective, which is designed for immediate investigative workflows.

AWS incident response guidance recommends using Detective for rapid, non-intrusive analysis after GuardDuty findings.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty and Amazon Detective Integration

AWS Incident Response Investigation Best Practices

AWS Service Catalog is designed to allow organizations to create and manage approved sets of CloudFormation templates, known as products, and make them available to specific accounts or organizational units (OUs). According to the AWS Certified Security – Specialty Study Guide, Service Catalog is the preferred governance mechanism for enforcing standardized infrastructure deployments while maintaining strong access controls.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved CloudFormation template. This guarantees that third-party developers can deploy infrastructure only in accordance with the company’s predefined deployment plan, without modifying or directly accessing the template itself.

Option B and D use CloudFormation modules, which are intended for reusable resource definitions but do not provide the same level of deployment governance, access control, and lifecycle management as Service Catalog. Option C introduces unnecessary cross-account IAM roles, increasing the attack surface and operational complexity, which violates the “most secure” requirement.

AWS documentation explicitly states that Service Catalog is the recommended service for distributing standardized CloudFormation templates across AWS Organizations, while controlling who can deploy them and where.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS Well-Architected Framework – Security Pillar

AWS CloudTrail organization trails are specifically designed to provide centralized, organization-wide logging with minimal operational effort. According to the AWS Certified Security – Specialty Official Study Guide, an organization trail records all management events for all member accounts and delivers them to a single Amazon S3 bucket.

To ensure that logs cannot be altered or deleted, Amazon S3 Object Lock in compliance mode must be used. Compliance mode enforces write-once-read-many (WORM) protection, meaning no user, including the root user, can delete or modify objects before the retention period expires. This directly satisfies the requirement that no changes or deletions are allowed for 2 years.

The S3 bucket must reside in the dedicated security account to provide isolation and strong security boundaries. Granting write permissions to the organization’s management account (Option A) aligns with AWS best practices, because the management account owns and manages the organization trail and centrally delivers logs on behalf of all member accounts.

Option B increases attack surface by allowing all member accounts to write directly. Option C does not meet immutability requirements because lifecycle policies do not prevent deletion. Option E introduces unnecessary services and operational complexity.

AWS documentation explicitly identifies the combination of CloudTrail organization trails + S3 Object Lock (compliance mode) as the recommended, lowest-overhead solution for long-term, immutable audit log retention.

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Organization Trail Documentation

Amazon S3 Object Lock Documentation

AWS Well-Architected Framework – Security Pillar

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near–real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near–real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

To enforce encryption in transit for Amazon S3, AWS best practice is to require HTTPS (TLS) by using a bucket policy condition that denies any request where aws:SecureTransport is false. The requirement includes both existing buckets and future buckets, so the control must continuously evaluate configuration drift and automatically remediate. AWS Config is the service intended for continuous configuration compliance monitoring across resources, and AWS Config managed rules provide standardized checks with low operational overhead. The s3-bucket-ssl-requests-only managed rule evaluates whether S3 buckets enforce SSL-only requests, aligning directly with enforcing encryption in transit. Setting the trigger type to Hybrid ensures evaluation both on configuration changes and periodically. Automatic remediation with an AWS Systems Manager Automation runbook allows the organization to apply or correct the bucket policy consistently at scale without manual work. This approach also supports governance by maintaining a measurable compliance status while actively fixing noncompliance. Option A is not the best fit because a “proactive” custom policy rule does not by itself remediate existing buckets and “block resource creation” is not how AWS Config enforces controls. Option C is incorrect because Amazon Inspector is a vulnerability management service and does not govern S3 bucket transport policies. Option D is inefficient and indirect because CloudTrail data events are not a compliance engine and would require custom processing.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Config Managed Rules for S3 Compliance

Amazon S3 Security Best Practices for SSL-only Access

EventBridge natively consumes CloudTrail management events and provides near-real-time notifications.