AWS Certified Security - Specialty (SCS-C02)

Incorrect. AWS Batch is designed for queued, compute-intensive, longer-running jobs and introduces unnecessary infrastructure and latency for near-real-time security remediation. Forwarding findings through Batch to Lambda is an anti-pattern compared to direct EventBridge-to-Step Functions/Lambda integration. It also complicates cross-account operations and makes meeting the 5-minute notification SLA less deterministic.

Incorrect. CloudWatch metric filters operate on CloudWatch Logs log events, not on IAM Access Analyzer findings as first-class events. Even if findings were logged somewhere, using metric filters to trigger AWS Batch is indirect and brittle. EventBridge is the intended integration point for service events and provides better filtering, routing, and reliability for automated response.

Incorrect. SQS is a message queue and does not “forward a notification” to email recipients by itself. You would need a consumer (Lambda/EC2) to poll the queue and then send email via SNS/SES, adding complexity and potential delay. SQS can be useful for buffering, but it is not required here and does not directly meet the email requirement.

Removing or revoking the instance profile is not the most effective first containment step for a GuardDuty finding about unusual egress traffic volume. The suspicious traffic could be caused by malware, a compromised application process, or data exfiltration that does not depend on the instance profile credentials at all. In addition, changing or removing the IAM role from a running EC2 instance is not a direct network isolation mechanism and may not stop outbound connections immediately. AWS best practice for this type of finding is to isolate the instance's network access rather than focus first on credentials.

Changing the network ACLs for all three private subnets creates an unnecessarily large blast radius because NACLs apply to every resource in those subnets, not just the suspicious instance. That could interrupt unrelated workloads hosted in the same VPC and subnets, which directly conflicts with the requirement to minimize impact on the application and other resources. NACLs are also stateless, so implementing and maintaining precise deny rules is more error-prone than using a quarantine security group. For GuardDuty EC2 findings, AWS generally favors targeted instance isolation over broad subnet-level network changes.

Sending GuardDuty findings to an SNS topic for email notification provides alerting, but it does not perform any automated containment. The question explicitly requires an immediate initial response action, so manual triage by the security team is too slow and does not satisfy the automation requirement. This option also does nothing to reduce the suspicious egress traffic or isolate the potentially compromised instance. SNS can complement an automated workflow, but by itself it is insufficient for incident containment.

Incorrect. AWS Audit Manager is a compliance automation service that collects evidence for frameworks like PCI DSS (e.g., configuration snapshots, control mappings). It does not function as a near-real-time threat detection engine and does not generate or index GuardDuty-style security findings such as InstanceCredentialExfiltration. Relying on Audit Manager reports would be indirect and likely incapable of answering the specific question in the required time window.

Incorrect. Searching CloudTrail for GetSessionToken is not a reliable method to detect use of stolen instance profile credentials. Instance profile credentials are already temporary STS credentials and can be used directly to call AWS APIs; an attacker may never call GetSessionToken. Also, CloudTrail records the caller identity (access key, principal) and source IP, but “external AWS account” attribution is not guaranteed via a simple GetSessionToken query.

Incorrect. CloudWatch Logs here contain VPC Flow Logs, which are network flow records (5-tuple metadata) and do not include AWS API calls like GetSessionToken. Unless CloudTrail logs were explicitly delivered to CloudWatch Logs (not stated), CloudWatch Logs is the wrong data source for STS API event searches. Even if CloudTrail were in CloudWatch, the same limitation as option C applies: GetSessionToken is not the right indicator.

Incorrect. Security Hub custom actions are primarily for manual, analyst-driven workflows (e.g., selecting findings in the console and choosing a custom action) or explicit API invocation. They do not automatically fire when new findings are imported. While Systems Manager Automation can remediate, the triggering mechanism here would not meet the requirement for automatic execution within 60 seconds on import.

Incorrect. Like option B, a Security Hub custom action with Lambda is typically initiated by a user from the Security Hub console (or via explicit custom action API usage), not automatically on every imported finding. Therefore it does not satisfy the requirement to trigger remediation automatically when a new HIGH/CRITICAL finding is imported, even though Lambda itself is serverless and scalable.

Incorrect. AWS Config rules evaluate AWS resource configurations and compliance against desired state; they are not designed to react to third-party vulnerability findings imported into Security Hub. Config evaluations can be periodic or configuration-change triggered, but they won’t natively consume Security Hub imported findings as the event source. This approach also risks missing the 60-second requirement and is conceptually misaligned.

S3 + Glue + Athena can centralize and query logs, and it’s a valid DIY log lake pattern. However, it does not inherently normalize events across many AWS Marketplace partner tools or on-prem syslog/firewall sources; you would need to build and maintain custom ingestion, parsing, and schema mapping for each source. It also doesn’t provide OCSF normalization out of the box, making it less effective for a large fintech at this scale.

CloudWatch Logs subscription filters to OpenSearch supports near-real-time search and dashboards, but it’s typically expensive and operationally heavy for 400-day retention across 75 accounts plus on-prem logs. OpenSearch is optimized for indexed search, not low-cost long-term retention. It also doesn’t automatically normalize heterogeneous security/network events from multiple partner tools and custom sources into a common schema for consistent SQL analytics.

SCPs can deny or allow API actions but cannot “force” services to deliver logs to a specific S3 bucket across all services and accounts; configuration still must be implemented per service. Additionally, OpenSearch is not a direct SQL query engine over S3 log files (Athena is), and this option does not address normalization across AWS Marketplace tools and on-prem sources. It’s both technically inaccurate and incomplete for the requirements.

Incorrect. Amazon Macie is designed to discover and classify sensitive data (PII, credentials, etc.) primarily in Amazon S3 using managed data identifiers. It is not a log query engine for NGINX access logs and does not natively provide ad hoc aggregations like “count requests by IP and path.” Exporting logs to S3 also adds unnecessary steps and delays for a 7-day investigation.

Incorrect for “least effort.” A CloudWatch Logs subscription filter to OpenSearch is useful for near-real-time indexing and building dashboards, but it requires provisioning and operating an OpenSearch domain and configuring ingestion. It also does not automatically backfill the last 7 days of existing logs unless you perform additional export/replay steps. Overkill for a quick incident query.

Incorrect. Exporting to S3, running a Glue crawler, and using Glue to view results is significantly more operational work than necessary. Glue crawlers catalog schemas; they do not inherently “catalog only entries that contain the IP” without additional ETL/filtering logic. For simple counts and grouping over a 7-day window, CloudWatch Logs Insights is the intended tool.

Incorrect. AWS Systems Manager Change Manager is designed for controlled operational changes with approvals, scheduling, and governance workflows. It is not the primary service for continuously detecting configuration drift or automatically remediating security baseline violations across 120 accounts in near real time. Although SSM runbooks can be used for remediation, the detection and eventing requirements are better met by AWS Config, Security Hub, and EventBridge.

Incorrect. Security Hub custom actions are primarily used to let analysts manually trigger downstream workflows from the Security Hub console. They are not necessary for automatic remediation because EventBridge can already react directly to Security Hub findings without any analyst interaction. Including a custom action adds an extra manual-oriented construct that does not improve scalability or cost-effectiveness for the stated requirement of automated response.

Incorrect. Using Lambda to inspect API requests and generate custom findings replaces native AWS compliance and security services with a bespoke solution. API request inspection is typically based on CloudTrail events and does not reliably represent current configuration state, which is what matters for drift detection. This option is less scalable, more operationally complex, and inferior to AWS Config plus Security Hub for detecting public buckets or overly permissive security groups.

Amazon Macie primarily discovers and classifies sensitive data in Amazon S3 (and helps with findings/alerts). It does not provide an in-place mechanism to mask/redact email addresses in CloudWatch Logs so developers can still view the rest of the log event. Macie could identify that emails exist, but it won’t enforce “developers cannot view emails” in the CloudWatch Logs console/APIs.

Encrypting the log group with a customer managed KMS key and denying developers access would prevent them from decrypting and reading the logs at all. The requirement is selective protection: developers must still troubleshoot and see all other fields, just not email addresses. KMS key policies and grants do not support field-level redaction within log events; they control access to the entire encrypted data.

A subscription filter to Lambda can parse and mask emails, but it requires forwarding to another destination (often another log group, S3, or OpenSearch). That effectively creates a duplicate sanitized copy, which the question explicitly disallows. It also introduces operational overhead and cost at high ingestion rates (18,000 events/min) and adds failure modes/latency compared to a native CloudWatch Logs feature.

Incorrect. You cannot simply “enable KMS encryption” on existing ECR repositories that were created with AES-256; ECR repository encryption settings are defined at creation and are not generally mutable to switch to a CMK. Also, installing the Amazon Inspector Agent on EC2 instances assesses host vulnerabilities, not container image CVEs triggered by an image push to ECR, so it does not meet the “report after next image push” requirement.

Incorrect. While recreating repositories with a CMK and enabling scanning aligns with the ECR requirements, installing the AWS Systems Manager (SSM) Agent and generating an inventory report does not provide container image CVE findings. SSM Inventory is for instance/software inventory and compliance metadata, not ECR image vulnerability scanning results tied to an image push event.

Incorrect. As with option A, you generally cannot change existing ECR repositories from AES-256 to CMK encryption in-place. Additionally, AWS Trusted Advisor does not provide container image CVE scanning or a vulnerability report after an image push; Trusted Advisor focuses on cost optimization, performance, fault tolerance, service limits, and some security checks, not ECR image CVE findings.

Incorrect. While Session Manager is the right remote access mechanism, generating and distributing SSH-RSA key pairs is unnecessary and violates the requirement to avoid distributing SSH key pairs. Session Manager does not require SSH keys at all. This option adds operational overhead and risk (key management/rotation) without providing any benefit for Session Manager-based access.

Incorrect. EC2 Instance Connect is primarily for SSH access to Linux instances and still requires network connectivity to port 22 (inbound allowed from the connecting source) and appropriate security group/NACL rules. It does not satisfy the requirement to avoid opening TCP 22, and it is not the standard unified approach for Windows Server administration at scale with centralized session logging to S3.

Incorrect. This option combines two mismatches: it requires generating/distributing SSH keys (explicitly disallowed) and relies on EC2 Instance Connect, which still uses SSH over port 22 and is not a comprehensive solution for Windows administration. It also does not inherently provide the same centralized session logging/auditing model as Session Manager with S3 logging.

Per-object signed URLs would work functionally, but it is not the simplest for CMAF. A 6–10 hour stream with ~10,800 segments would require the application to continuously generate and deliver signed URLs (and likely re-sign as new segments appear). This increases application complexity, can add playback latency, and complicates player logic. Signed URLs are better for a small set of files or one-off downloads.

JWT validation with Lambda@Edge can enforce custom authorization logic, but it adds moving parts: Lambda@Edge deployment/replication, per-request execution cost/latency, and operational complexity. It is unnecessary here because CloudFront already provides native private content controls (signed cookies/URLs) and the origin is already private behind CloudFront. Use Lambda@Edge only when you need logic beyond time/path/IP-based policies.

Encrypting the CloudFront distribution URL provides no real access control. Even if the app hides or decrypts the URL at runtime, the client ultimately receives requests that can be copied and replayed. Security through obscurity does not prevent unauthorized access, and KMS does not integrate with CloudFront request authorization in this manner. Proper control is done via CloudFront signed URLs/cookies and a private origin.

Incorrect for the stated population. The IAM account password policy applies only to IAM users in that AWS account (console password for IAM users). It does not affect SAML-federated employees authenticating in Okta, and it does not apply to Amazon Cognito user pool users. It could be useful only if the company also had IAM users with console passwords, which the scenario does not indicate.

Incorrect. Service Control Policies in AWS Organizations restrict which AWS API actions principals can perform in member accounts; they do not provide a mechanism to enforce password length for IAM users, Cognito users, or external IdPs. SCPs cannot reach into Okta, and they cannot impose Cognito password policy settings. At most, SCPs could prevent changing certain configurations, not enforce password complexity.

Incorrect. IAM policies (including condition keys) control authorization to AWS API actions and resources; they do not validate or enforce password length rules for IAM user passwords, and they cannot apply to Cognito user pool passwords. Cognito password policies are configured on the user pool, not via IAM policy conditions. Similarly, federated users’ passwords are managed by the IdP, not AWS.

Incorrect. AmazonSSMManagedInstanceCore enables Systems Manager capabilities (SSM Agent, Session Manager, Run Command) and is unrelated to authorizing sts:AssumeRole. Attaching it might help manage or troubleshoot the instance, but it does not grant permission to assume CorpForensicsAccessRole and will not resolve an AssumeRole AccessDenied error.

Incorrect. WebForensicsRole’s trust policy should allow ec2.amazonaws.com to assume it (so the instance profile can deliver credentials), but the scenario states the application is already using the instance profile role to attempt AssumeRole. The failing operation is the cross-account AssumeRole into CorpForensicsAccessRole, which is governed by A and C, not by modifying WebForensicsRole’s trust policy.

Incorrect. Directing the call to a specific regional STS endpoint (such as us-east-1) is not the typical cause of an AccessDenied error. Endpoint selection issues usually manifest as network/endpoint errors, signature issues, or service unavailability. Authorization failures for AssumeRole are almost always due to missing caller permissions, missing/incorrect trust policy, or explicit denies/conditions.

An inline policy that allows DynamoDB access can grant the needed permissions today, but it does not prevent the user from gaining additional permissions later through group membership or other attached policies. If the user is later added to a group with AdministratorAccess, the user could access other services. Inline policies are not a guardrail; they are just one source of identity-based permissions.

Putting the user in a DynamoDB-only group is a common way to grant access, but it is not durable against future changes. If the user is later added to another group with broader permissions (for example, AdministratorAccess), the user’s effective permissions expand. Group-based permission management is additive and does not inherently enforce a maximum permission boundary.

A role with explicit denies could restrict what the role can do, but it relies on the vendor always assuming that role and using only those role credentials. It does not inherently prevent the underlying IAM user from using other permissions if they are later granted directly or via groups. The requirement is to constrain the IAM user’s effective permissions regardless of future attachments, which is better met by a permissions boundary.

AWS Directory Service for Microsoft AD can integrate with SAML/ADFS-style setups, but it is not the right control plane for centrally managing access to multiple AWS accounts via AWS Organizations. Also, you cannot attach IAM policies directly to directory users; authorization in AWS is done through IAM roles/policies. This option does not meet the centralized multi-account RBAC and SAML app assignment requirements cleanly.

Configuring SAML federation separately in each of the 20 accounts creates significant administrative overhead and inconsistent governance. It also undermines the requirement to manage access “from the management account” centrally across OUs. Additionally, federated users are not IAM users; you grant access by assuming roles, not by attaching policies directly to “federated users.” This approach does not scale well and is error-prone.

Amazon Cognito is designed mainly for customer-facing application authentication/authorization (web/mobile) and federation to social/SAML IdPs for app users. It is not the standard solution for workforce access to AWS accounts in an AWS Organizations environment, and it does not provide the same centralized multi-account permission-set model as IAM Identity Center. Managing AWS account access for 3,200 employees via Cognito would be atypical and complex.

Incorrect. S3 Object Lock in governance mode is not absolute WORM. Users with the s3:BypassGovernanceRetention permission (or equivalent privileged access) can override retention and delete/modify objects. That fails the requirement that “no user, including the root account,” can delete or modify footage during the retention period. Governance mode is intended for internal controls, not immutable compliance retention.

Not the best answer for this scenario. S3 Glacier Vault Lock can enforce compliance controls on a Glacier vault, but it uses the legacy Glacier vault model and separate APIs, increasing operational overhead compared to S3. The question asks to minimize overhead and cost-effectively retain 4.5 PB; S3 with Object Lock plus lifecycle to Glacier Deep Archive typically provides simpler management and comparable or better cost optimization within one service.

Incorrect. You cannot apply S3 Glacier Vault Lock to objects that have been transitioned to S3 Glacier storage classes via S3 Lifecycle. Vault Lock applies to S3 Glacier vaults (legacy), not to S3 buckets or S3 Glacier/Deep Archive storage classes. For S3 objects, the correct immutability mechanism is S3 Object Lock (compliance mode) rather than Glacier Vault Lock.

Incorrect. Retrying every 2 minutes does not meet the application's requirement to encrypt within 100 ms after device registration. Although eventual consistency might resolve by then, this approach treats the symptom rather than using the KMS feature designed for immediate grant use. It would also introduce severe latency and operational inefficiency for a high-throughput workload.

Incorrect. This option describes a client-supplied token being passed into CreateGrant, but KMS grant tokens are not arbitrary user-provided values in this workflow. The relevant token is the grant token returned by the CreateGrant response, which is then supplied to subsequent KMS operations through GrantTokens. Therefore, this option misstates how KMS grant tokens are obtained and used.

Incorrect. A grant name is only an identifier for the grant and does not provide any authorization shortcut or consistency bypass. Supplying a grant name in an Encrypt request cannot make a newly created grant effective sooner, because KMS expects grant tokens in the GrantTokens parameter, not grant names. This option confuses metadata used to label a grant with the token used to activate immediate use of that grant.

Incorrect. AWS KMS does not allow PendingWindowInDays set to 0 for ScheduleKeyDeletion; the waiting period is enforced (minimum 7 days, up to 30). Even disabling a KMS key is not the same as immediate cryptographic erasure. Therefore, it cannot meet the stated revocation RTO of under 1 minute across the fleet.

Incorrect. CloudHSM provides customer-controlled HSMs, but EBS encryption integrates with AWS KMS, not directly with CloudHSM keys via PKCS#11 for EBS volume encryption. Using CloudHSM would add significant operational overhead (clusters, HA, backups, lifecycle) and does not satisfy the “transparent EBS encryption” integration requirement as cleanly as KMS.

Incorrect. Systems Manager Parameter Store is not designed to be a cryptographic key management system for EBS encryption. Storing keys in Parameter Store would require applications or developers to retrieve and handle key material, violating the requirement that developers never handle encryption keys. It also does not integrate with EBS encryption the way KMS does.

Preinstalling the agent in golden AMIs is a strong preventive measure for future instances, and restricting launches to approved AMIs can improve standardization. However, this does not continuously detect whether existing instances are missing the agent or whether the agent is later removed or becomes unhealthy. The requirement explicitly calls for automatic installation on instances that do not have the agent, including existing instances, without replacement. Tagging AMIs or instances does not itself provide compliance evaluation or remediation.

Systems Manager Patch Manager is designed for patch compliance and deployment based on patch baselines and maintenance schedules, including some application patching scenarios. However, it is fundamentally a scheduled process and does not provide the near-real-time, event-driven detect-and-remediate loop required to ensure the EDR agent is installed within 15 minutes of instance launch across all Regions. It also does not naturally target only newly noncompliant instances based on compliance events, so it is a weaker fit than a Config plus EventBridge plus SSM remediation pattern. Even if the agent package could be represented in a baseline, the option still fails the continuous automatic remediation requirement as stated.

Systems Manager Distributor is useful for packaging and distributing third-party software such as an EDR installer in a standardized way. But the option only describes selecting all instances and installing the package with Run Command, which is a one-time or manually initiated deployment approach rather than continuous compliance monitoring. It does not include any mechanism to detect when a new instance launches without the agent or when the agent is later missing. Without an automated compliance trigger and targeted remediation workflow, it does not meet the stated requirements.