Get Amazon SCS-C03 Exam Practice Questions - Real and Updated

Answer : B

AWS CloudTrail data event logging is the correct solution because it is specifically designed to capture detailed, structured, and near--real-time API activity for Amazon S3 object-level operations. When S3 data events are enabled, CloudTrail records actions such as GetObject, PutObject, and DeleteObject, along with critical context including the IAM principal, source IP address, event time, request parameters, and response elements. These logs are delivered in JSON format, making them highly structured and suitable for security analysis, SIEM integration, and automated detection workflows.

Amazon S3 server access logging (option A) provides basic request-level information but does not include full IAM identity context and is delivered with a significant delay, which does not meet the near--real-time requirement. AWS Config (option C) focuses on resource configuration changes and compliance evaluation; it does not log object-level access events. Amazon Macie (option D) is a data security service that uses machine learning to discover and classify sensitive data in S3 and generate findings for anomalous access patterns, but it is not a comprehensive access logging solution.

AWS Security Specialty documentation clearly states that CloudTrail data events are the authoritative mechanism for auditing S3 object-level access with identity attribution and precise timestamps, making option B the correct and best-practice answer

Answer : B, E

To minimize downtime during future DDoS events, the company should use services that provideactive DDoS protection and rapid mitigationat scale.AWS Shield Advanced(Option B) is designed for enhanced DDoS protection for internet-facing applications. It provides expanded detection and mitigation capabilities, cost protection in certain cases, and---critically---access to theAWS DDoS Response Team (DRT)through AWS Support so the company can engage experts during an attack to reduce impact and restore availability faster.

In addition,AWS WAF(Option E) helps mitigateapplication-layer (Layer 7)attacks that often accompany DDoS events (such as HTTP floods, bot-driven abuse, and known exploit patterns). WAF can block or challenge suspicious requests, apply rate-based controls, and use managed rule groups to reduce malicious traffic before it reaches the origin, improving resilience and availability.

Option A is incorrect because GuardDuty is a detection service; it does not automatically block traffic. Option C (Flow Logs + Lambda + SG blocks) is slow and brittle for DDoS because attackers are often distributed across many IPs and can change rapidly; security group updates are not an effective DDoS mitigation strategy. Option D is more about configuration governance and remediation, not real-time DDoS traffic mitigation.

Answer : B

AWS Systems ManagerSession Managerprovides interactive shell access to managed instanceswithout inbound SSH,without bastion hosts, andwithout managing SSH keys. Access is controlled through IAM policies, and every session can be logged to CloudWatch Logs/S3 for auditability. This directly satisfies the ''no SSH keys'' requirement and reduces the network exposure surface because you can keep port 22 closed and still obtain shell access when needed.

To meet the isolation requirement, the instances can be placed in private subnets with no inbound access, and you can use Systems Manager connectivity (via SSM endpoints/agents) for administrative sessions only when required. On-premises servers can also be managed by Systems Manager by registering them as managed instances (hybrid activations), allowing the same no-SSH-key operational model across EC2 and on-prem environments.

Options A and D still require network paths and do not eliminate key management; a bastion host is additional infrastructure that must be secured and maintained. CloudShell (Option C) is an AWS-managed shell environment but does not provide a direct, managed, keyless session channel into arbitrary EC2/on-prem hosts by itself. Therefore, Session Manager is the best solution.

Answer : A

The fastest, least-effort way to mitigate SQL injection at the edge---without modifying legacy application code---is to place the application behind a component that supportsAWS WAFand applymanaged SQL injection protections. AnApplication Load Balancerintegrates directly with AWS WAF, allowing the security engineer to deploy a web ACL (including AWS Managed Rules for SQL injection and custom patterns based on the provided samples) and immediately start blocking malicious payloads before they reach the EC2 instances and the database.

Option A also preserves normal operations during rollout: you can create the ALB, register the existing EC2 instances as targets, validate health checks and traffic behavior, apply WAF protections, and then shift Route 53 weighted records to the ALB with minimal downtime. Finally, tightening the EC2 security groups to prevent direct internet access ensures all inbound web traffic is forced through the ALB + WAF inspection point, reducing exposure quickly.

Option B is risky because it uses only one EC2 origin (reducing availability) and adds CloudFront origin configuration complexity under a 24-hour deadline. Option C requires code changes on unsupported software and is unlikely to be safely delivered in time. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances, and changing DB-port exposure doesn't address SQL injection on the web layer.

Answer : A

Amazon Cognito threat protection is purpose-built to detect and mitigate malicious authentication activity such as credential stuffing and bot traffic. It uses adaptive risk-based analysis without disrupting legitimate users.

AWS WAF cannot be directly associated with Cognito user pools.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

Amazon Cognito Threat Protection