AWS Certified Specialty SCS-C03 Reddit Questions

AWS Systems Manager Run Command enables security engineers toremotely and securely execute scripts on EC2 instanceswithout requiring SSH or inbound network access. According to AWS Certified Security – Specialty incident response guidance, Run Command is a foundational tool forinstance quarantine and forensic preparation.

By configuring IAM permissions that allow the SSM Agent to execute a predefined Run Command document, the security engineer can rapidly deploy forensic tools, disable services, or modify system configurations across affected EC2 instances during an incident. This approach aligns with AWS best practices forcontainment and evidence preservation, while maintaining auditability through Systems Manager logs.

Option A only provides visibility, not quarantine capability. Option B restricts access but does not allow forensic tooling. Option C enables access to the script but does not execute it.

AWS documentation emphasizes thatSystems Manager Run Command is the recommended mechanism for incident response automation and quarantine actionson EC2 instances.

AWS Certified Security – Specialty Official Study Guide

AWS Systems Manager Run Command Documentation

AWS Incident Response Best Practices

AWS Service Catalog is specifically designed to help organizationsgovern and control how AWS resources are provisioned at scale. According to the AWS Certified Security – Specialty Official Study Guide, Service Catalog enables administrators to define approved CloudFormation templates asproductsand to control which accounts, users, or organizational units can deploy those products.

By creating a Service Catalog portfolio in the management account and sharing it with a specific OU, the security engineer ensures that only accounts within that OU can deploy the approved infrastructure. Third-party developers can deploy resources only by using the predefined CloudFormation template and cannot alter the deployment plan, which enforces consistency and compliance.

This approach also limits access to the deployment plan itself, because developers interact with the Service Catalog product rather than the raw template. No cross-account IAM roles or excessive permissions are required, which reduces the attack surface.

CloudFormation modules and extensions (Options B and D) provide reuse but do not enforce deployment governance or access control. Option C introduces unnecessary cross-account IAM roles, which is less secure than native Service Catalog sharing.

AWS documentation explicitly identifiesAWS Service Catalog + AWS Organizationsas the recommended pattern for secure, standardized multi-account deployments.

AWS Certified Security – Specialty Official Study Guide

AWS Service Catalog Administrator Guide

AWS Organizations Best Practices

AWS networking best practices require private subnets to access the internet only through NAT gateways located in public subnets. According to the AWS Certified Security – Specialty Study Guide, NAT gateways must be provisioned in public subnets and used as the default route for outbound traffic from private subnets.

Verifying NAT gateways in each Availability Zone ensures high availability and fault tolerance. Updating the private subnet route tables to send 0.0.0.0/0 traffic to the NAT gateway prevents direct internet access while allowing outbound connectivity.

Routing private subnet traffic directly to an internet gateway violates subnet isolation principles. NAT gateways must never be placed in private subnets.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Routing and NAT Gateways

AWS Network Segmentation Best Practices

AWS Organizations and CloudFormation StackSets provide an organizational deployment mechanism for consistent infrastructure across accounts. AWS Certified Security – Specialty guidance emphasizes minimizing use of the management account and using delegated administrator capabilities where available for centralized governance while reducing blast radius. By configuring a delegated administrator account for AWS CloudFormation, the company can create and manage StackSets without performing day-to-day deployment operations from the management account. Targeting the organization root ensures the StackSet deploys to all existing accounts. Enabling automatic deployment ensures that any future accounts that join the organization (or move into targeted OUs, depending on configuration) automatically receive the monitoring service without manual intervention. This directly meets the requirement to deploy to all existing and future accounts with minimal effort. Option A requires ongoing manual updates when accounts are added, increasing operational overhead. Options C and D rely on Systems Manager Automation, which can work but introduces additional operational complexity and is not the standard AWS mechanism for organization-wide infrastructure rollout compared to StackSets with auto-deployment. StackSets also provide consistent change control, drift detection, and centralized update mechanisms, which align with governance expectations for compliance tooling.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Delegated Administration

AWS CloudFormation StackSets for Multi-Account Governance