Download Latest SCS-C03 Questions

Network ACLs arestatelessand are evaluated in order based on rule number, with lower rule numbers taking precedence. According to AWS Certified Security – Specialty incident response guidance, network ACLs can be used toimmediately block traffic at the subnet levelwithout restarting instances or modifying their runtime state.

By adding a deny rule with alower priority number (10)that explicitly denies TCP traffic on port 22 from the offending IP address (10.0.1.5), the unauthorized SSH session is immediately interrupted. This approach satisfies the requirement to keep the instance running and to preserve memory for forensic analysis.

Option A violates the requirement because restarting the instance clears memory. Option C would disrupt all legitimate SSH access, not just the unauthorized session. Option D would block all internet access and could cause widespread service disruption.

AWS documentation emphasizes usingnetwork ACL deny rules for rapid, targeted containmentwhen immediate interruption is required without altering instance state.

AWS Certified Security – Specialty Official Study Guide

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

AWS Secrets Manager is a regional service that is accessed through private AWS endpoints. In a VPC without internet access, AWS recommends using AWS PrivateLink through interface VPC endpoints to enable secure, private connectivity to supported AWS services. According to AWS Certified Security – Specialty documentation, interface VPC endpoints allow resources within a VPC to communicate with AWS services without traversing the public internet, NAT devices, or internet gateways.

An interface VPC endpoint for Secrets Manager creates elastic network interfaces (ENIs) within the VPC subnets and assigns private IP addresses that route traffic directly to the Secrets Manager service. Because the VPC has private DNS enabled, the standard Secrets Manager DNS hostname resolves to the private IP addresses of the interface endpoint, allowing the Lambda rotation function to communicate securely and transparently.

Option A introduces unnecessary complexity and expands the attack surface by allowing outbound internet access. Option B is incorrect because gateway VPC endpoints are supported only for Amazon S3 and Amazon DynamoDB. Option D violates the security requirement by exposing the VPC to the internet.

AWS security best practices explicitly recommend interface VPC endpoints as the most secure connectivity method for private VPC workloads accessing AWS managed services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Secrets Manager Security Architecture

AWS PrivateLink and Interface VPC Endpoints Documentation

In IAM Identity Center, users see accounts and permission sets in the AWS access portal based onassignments. Here, the new permission set was assigned to theDevOps groupfor a specific member account. Sinceall developers except onecan see the permission set, the permission set itself and the account assignment are working correctly. The most likely cause is that the remaining developer isnot actually a memberof the DevOps group in the identity source (AWS Directory Service / Active Directory), or their group membership is not reflected due to missing/incorrect directory group assignment.

The least disruptive fix is to ensure the developer’s identity is correctly included in theDevOpsgroup within the directory. Once the user is a member of the assigned group (and after normal identity sync/refresh behavior), IAM Identity Center will evaluate the user as entitled to that permission set, and it will appear in the access portal.

Option B is unnecessary because the assignment is already effective for others. Option C is unrelated; service-linked roles for Organizations do not determine portal entitlements. Option D would not explain why only one user cannot see the permission set; if console access were misconfigured, it would affect all users assigned that permission set.

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys