Free SCS-C03 Amazon Web Services Updates

EC2 Instance Connect can performserver/host authenticity checksby validating the instance’s SSHhost keyagainst atrusted host keyssource. When you rotate the instance’s host keys, the host presents anewfingerprint. If the trusted host keys source still contains theoldhost key, connections that enforce host key verification will fail with ahost key validationerror. The fix is to update the trusted host key record so the new host key fingerprint is recognized as valid. Therefore, the correct action is toupload the new host keyto the trusted host keys database used for EC2 Instance Connect host key verification.

Option A is unrelated: AWS KMS does not store or manage SSH host keys for EC2 Instance Connect validation. Option C is for AWS Systems Manager managed instances and has no effect on SSH host key validation. Option D rotatesuser/client authentication keys(SSH key pair used to log in) but does not resolve a failure that occurs specifically because theserver host keychanged and is no longer trusted. Updating the trusted host keys database restores the expected trust chain and allows Instance Connect to work again with the rotated host keys.

Amazon Inspector provides native CI/CD integration capabilities that allow security checks to occur before container images are pushed to Amazon ECR. According to AWS Certified Security – Specialty documentation, Inspector does not block image pushes automatically. Instead, prevention must occur inside the CI/CD pipeline itself.

By generating a Software Bill of Materials (SBOM) using the Amazon Inspector SBOM generator and submitting it to Inspector for scanning, the pipeline can detect critical vulnerabilities before the image is uploaded. If vulnerabilities exceed policy thresholds, the pipeline fails, preventing deployment.

Post-push scanning solutions only detect vulnerabilities after exposure. Event-driven blocking does not prevent the initial risk.

AWS best practices require “shift-left” security controls to prevent vulnerable artifacts from entering production.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Inspector CI/CD Integration

AWS CloudTrail provides authoritative records of KMS key creation, origin, and usage. Enabling log file validation ensures tamper detection. S3 Object Lock in compliance mode enforces immutability, which is a core audit requirement cited in AWS Certified Security – Specialty materials.

CloudWatch and DynamoDB do not provide immutable storage guarantees suitable for compliance evidence.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS CloudTrail Log File Validation

Amazon S3 Object Lock

Amazon WorkSpaces is a fully managed desktop-as-a-service solution designed to minimize infrastructure and operational overhead. According to AWS Certified Security – Specialty documentation, WorkSpaces supports device trust by using client certificates to restrict access to approved devices.

By deploying client certificates only to company-managed devices and enforcing restricted access at the directory level, the organization ensures that only trusted endpoints can authenticate. This approach avoids the cost and complexity of building and maintaining a custom VDI or managing individual EC2 instances.

Option A and B significantly increase management overhead. Option C is incorrect because IAM does not manage WorkSpaces authentication gateway policies or device trust.

AWS best practices highlight Amazon WorkSpaces with certificate-based device trust as the most efficient solution for secure, managed desktops.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon WorkSpaces Security Controls

Amazon WorkSpaces Device Trust