SCS-C03 Exam Questions Tutorials

AWS CloudFormationdynamic referencesprovide a secure mechanism for retrieving sensitive values from AWS Secrets Manager at stack creation or update time. According to the AWS Certified Security – Specialty documentation, dynamic references ensure that sensitive data such as database credentials arenever stored in plaintextin CloudFormation templates, parameters, stack metadata, or logs.

When a dynamic reference to Secrets Manager is used, CloudFormation retrieves the secret value at runtime and passes it securely to the resource that requires it. The secret value is not exposed to users who view the template, stack, or change sets.

Option B is insecure because parameters can be exposed through the CloudFormation console and APIs. Option C is incorrect because SecureString parameters are a feature of AWS Systems Manager Parameter Store, not Secrets Manager. Option D is invalid because KMS encrypts data but does not store secrets or manage secret rotation.

AWS best practices clearly state thatCloudFormation dynamic references to Secrets Managerare the recommended solution for securely handling sensitive configuration values.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Security Best Practices

AWS Secrets Manager Documentation

For centralized, organization-wide user access to AWS services and supported applications, AWS best practice is to useAWS IAM Identity Center(successor to AWS SSO). IAM Identity Center provides a single place to manage workforce identities, permission sets, and account assignments across AWS Organizations. Amazon Q Developer is integrated for centralized access using IAM Identity Center, where you can assign the relevant permissions to users and groups and enable access consistently across multiple AWS accounts. Setting Amazon Q Developer up as anAWS managed applicationaligns with IAM Identity Center’s model for centrally provisioning and controlling access with minimal operational overhead.

Amazon Cognito is primarily intended forcustomer identity and application sign-up/sign-inscenarios, not for workforce access to AWS managed developer tools across multiple AWS accounts. “Identity pools” are a Cognito concept for exchanging identities for AWS credentials, which adds unnecessary complexity and is not the standard approach for centrally granting employees access to Amazon Q Developer in an organization. Therefore, enabling IAM Identity Center and configuring Amazon Q Developer as an AWS managed application is the correct solution.

AWS Secrets Manageris the AWS service designed to store secrets securely and to supportautomatic rotationon a schedule—commonly used for Amazon RDS credentials. Storing credentials in Secrets Manager removes them from source code, enables fine-grained access control, and supports auditability of secret retrieval through CloudTrail. Rotation can be configured to periodically change the database password and update the stored secret automatically, minimizing operational overhead compared to manual rotation processes.

To ensure the credentials are accessibleonly to the application, the correct ECS pattern is to useIAM roles for tasks. A task role can be scoped to allow only secretsmanager:GetSecretValue (and related actions if needed) for the specific secret ARN. Only tasks running with that role can retrieve the secret at runtime, which prevents broad access. This also helps reduce the risk of database administrators sharing plaintext credentials, because the recommended operational model is that humans should not need direct access; the application retrieves the secret programmatically, and access can be limited to break-glass workflows if required.

Systems Manager Parameter Store can store encrypted parameters, but Secrets Manager provides stronger native secret lifecycle features (notably rotation) for databases. Inline policies (Option B) are not necessary; managed or attached policies on the task role achieve the same goal with cleaner administration.

AWS KMS access control is primarily enforced through key policies (and optionally grants), and AWS recommends using key policy condition keys to restrict how keys can be used. The kms:ViaService condition key is specifically designed to restrict KMS API usage to requests that come through a particular AWS service endpoint in a specific Region. This is the most robust way to ensure a key can be used only via AWS Lambda (for example, lambda. < region > .amazonaws.com) and not via Amazon EC2 (ec2. < region > .amazonaws.com), even if IAM permissions exist elsewhere. By writing a key policy that uses the Lambda execution role as the principal and conditions on kms:ViaService, the company can tightly bind key usage to Lambda-originated cryptographic operations while preventing use through EC2 service paths. Option A is weaker because EC2 is not the only way an IAM principal might use KMS, and relying on attaching explicit deny policies broadly is harder to manage and can miss principals. Option C is incorrect because aws:AuthorizedService is not the typical mechanism for KMS service restriction, and SourceIp is unreliable for service-to-service calls. Option D is not ideal because SCPs do not provide fine-grained service-path restrictions for KMS usage and cannot “allow” beyond IAM; key policy controls still apply.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS KMS Key Policies and Condition Keys

AWS KMS Best Practices for Service-Scoped Key Usage