AWS Certified Specialty SCS-C03 Exam Questions and Answers PDF

AWS WAF logs capturedetailed request-level information, including source IP address, request URI, headers, and rule evaluation results. According to the AWS Certified Security – Specialty documentation, AWS WAF logging is acritical detection controlwhen application-level attacks are suspected, especially when host-based logs are unreliable or can be erased by attackers.

By configuring the AWS WAF web ACL to send logs toAmazon Data Firehose, the company ensures that all future requests are centrally captured and delivered to a durable storage service such as Amazon S3. UsingAmazon Athena, the security team can query these logs to identify requests targeting specific application paths such as new-user-creation.php and extract the originating client IP addresses.

Option A is incorrect because VPC Flow Logs operate at the network layer and do not capture HTTP request paths. Option B is invalid because ALBs do not support CloudWatch agents. Option C is viable but introduces additional operational complexity and cost, making it less appropriate than the native WAF logging solution.

AWS documentation highlightsAWS WAF logging combined with Athenaas a best practice for forensic analysis and attacker identification.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Logging Documentation

Amazon Athena User Guide

AWS Detection and Monitoring Best Practices

AWS KMS provides condition keys that can be used to tightly scope how and where a customer managed key can be used. According to the AWS Certified Security – Specialty Study Guide, the kms:ViaService condition key is specifically designed to restrict key usage to requests that originate from a particular AWS service in a specific Region.

By configuring the key policy to allow KMS cryptographic operations only when kms:ViaService equals s3. < region > .amazonaws.com, the security engineer ensures that the key can be used exclusively by Amazon S3. Even if other IAM principals have permissions to use the key, the key cannot be used by other services such as Amazon EC2, Amazon RDS, or AWS Lambda.

Option A is incorrect because AWS services do not assume identities in key policies. Options C and D modify IAM role policies, which do not control how a KMS key is used by AWS services. AWS documentation clearly states that service-level restrictions must be enforced at the KMS key policy level using condition keys.

This approach enforces strong separation of duties and limits blast radius, which aligns with AWS security best practices.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policy Condition Keys

AWS KMS Best Practices

AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security – Specialty Official Study Guide,the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is by using AWS Organizations service control policies (SCPs).

SCPs define themaximum available permissionsfor all accounts in an organization or organizational unit. By creating an SCP with an explicitDenyfor the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions and attaching it to theroot OU, the security engineer ensures thatno principal in any member account—including administrators—can stop or delete CloudTrail trails. Explicit denies in SCPs cannot be overridden by IAM permissions.

Option A is incorrect because log file integrity validation only detects tampering after logs are delivered and does not prevent CloudTrail from being disabled. Option B protects log data at rest but does not prevent trail deletion or logging suspension. Option D removes read-only permissions and does not affect the ability to stop or delete CloudTrail.

AWS documentation explicitly states thatSCPs are the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Documentation

AWS CloudTrail Security Best Practices

AWS KMS key grants are specifically designed to provide temporary, granular permissions to use customer managed keys without modifying key policies. According to the AWS Certified Security – Specialty Study Guide, grants are the preferred mechanism for delegating key usage permissions to AWS principals for short-term or programmatic access scenarios. Grants allow permissions such as Encrypt, Decrypt, or GenerateDataKey and can be created and revoked dynamically.

Using a key grant avoids the operational risk and overhead of editing key policies, which are long-term control mechanisms and should remain stable. AWS documentation emphasizes that frequent key policy changes increase the risk of misconfiguration and accidental privilege escalation. Grants can be revoked immediately when access is no longer required, ensuring strong adherence to the principle of least privilege.

Options A and D violate AWS security best practices because AWS KMS does not allow direct export of key material unless the key was explicitly created as an importable key, and exporting key material increases exposure risk. Option B requires manual policy changes and rollback, which introduces operational overhead and audit complexity.

AWS recommends key grants as the most efficient and secure way to provide temporary access to KMS keys for applications.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policies and Grants Documentation

AWS KMS Best Practices