SCS-C03 Exam Results

When AWS IAM Identity Center is used to manage user access across an AWS Organization, Identity Center is the authoritative control plane for enabling and disabling user access. According to the AWS Certified Security – Specialty Official Study Guide, disabling a user in IAM Identity Center immediately prevents that user from accessing any AWS account or role that is assigned through permission sets, satisfying the requirement to stop access organization-wide.

Disabling an IAM user in a single account or removing attached policies (Options A and B) does not prevent access through IAM Identity Center–managed roles in other accounts. Option C is incomplete because removing permission sets does not immediately disable authentication and still requires querying logs from an unsupported source.

For investigation and evidence collection, AWS CloudTrail organizational event data stores provide centralized, queryable access to all management and data events across all accounts in the organization. CloudTrail Lake enables security engineers to run SQL-based queries directly against event data without exporting logs to other services. This allows rapid collection of all actions that the compromised user performed during the last 7 days.

AWS documentation explicitly identifies the combination of IAM Identity Center for access revocation and CloudTrail Lake for organization-wide investigation as a best practice for identity-related incident response.

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Documentation

AWS CloudTrail Lake User Guide

AWS Incident Response Best Practices

The requirement includesremediating existing noncompliant bucketsand also handlingfuture noncompliant bucketsacross multiple accounts and Regions. Anorganization-wide AWS Config aggregatorprovides centralized visibility into compliance status across all member accounts/Regions. To remediate, AWS Config can trigger automation (commonly via EventBridge/SNS) that invokes anAWS Lambda function(or SSM Automation) to take corrective action—such as enabling default encryption, blocking public access, or applying required bucket policies—whenever a bucket is evaluated as noncompliant. This addresses both existing findings (by running remediation on current noncompliant resources) and new ones (by automatically reacting when new buckets appear or configurations drift).

Options C and D are insufficient because they scope only to “accounts and Regions the company currently uses,” which fails the multi-Region/multi-account organization requirement and would miss future expansion. Option B helps prevent creation of new noncompliant resources but does not remediate existing buckets, which is explicitly required. Therefore, the combination of an org-wide aggregator plus automated remediation on Config noncompliance is the best fit.

Amazon EC2 security groups arestateful, meaning that once a connection is established, return traffic is automatically allowed, even if the inbound rule that originally permitted the connection is later removed. According to the AWS Certified Security – Specialty Official Study Guide and Amazon EC2 security documentation,existing connections are not terminated when security group rules change. This explains why the SSH session remains active even after the security group rules were modified, while new traffic such as ICMP ping is blocked.

To immediately and fully isolate an EC2 instance during an incident response scenario, AWS recommends usingstateless network controls. Amazon VPC network ACLs (NACLs) arestateless, which means that every packet is evaluated against the ACL rules regardless of whether the traffic is part of an existing connection. When a deny rule is added,all traffic is immediately blocked, including active sessions.

By creating a network ACL and associating it with the subnet that contains the target instance, and by adding explicit deny rules with the lowest rule numbers for both inbound and outbound traffic, the security engineer ensures thatall network communication to and from the instance is immediately interrupted. This approach satisfies the requirement to isolate the instance while preserving its runtime state and memory for forensic analysis.

Other options fail to meet the requirement because security group modifications do not terminate existing sessions, Systems Manager does not enforce network isolation, and host-level firewall changes require instance-level access and do not provide immediate, network-enforced isolation.

AWS Certified Security – Specialty Official Study Guide

Amazon EC2 Security Groups Documentation

Amazon VPC Network ACL Documentation

AWS Incident Response Best Practices

AWS IAM Access Analyzer policy generation is specifically designed to help security engineers generate least-privilege IAM policies based on actual usage recorded in AWS CloudTrail. According to the AWS Certified Security – Specialty documentation, policy generation analyzes historical CloudTrail data to identify the exact API actions and resources that a role has accessed over a specified time period.

Because the role has been actively used for three months, there is sufficient CloudTrail data for IAM Access Analyzer to generate a refined customer managed policy automatically. This significantly reduces manual effort and eliminates the need to analyze logs or infer permissions. The generated policy can be reviewed and attached directly to the role, ensuring least privilege access with minimal engineering effort.

Option B only validates existing policies for security warnings and does not reduce permissions. Option C requires manual analysis of CloudWatch logs, which is time-consuming and error-prone. Option D does not analyze real usage and cannot generate role-specific least privilege policies.

AWS documentation explicitly recommends IAM Access Analyzer policy generation as the fastest and most accurate method to refine IAM permissions based on observed behavior.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Access Analyzer Policy Generation

AWS IAM Least Privilege Best Practices