SCS-C03 Leak Questions

AWS Elastic Disaster Recovery (AWS DRS)is purpose-built for continuously replicatingphysical and virtual serversinto AWS with low RTO/RPO. It uses lightweight replication agents to stream block-level changes to a low-coststaging areain AWS, which helps optimize storage costs (only the staging resources run continuously) and reduces bandwidth usage through efficient replication mechanisms. In a disaster or test, AWS DRS can automatically launch recovery instances in AWS based on a defined blueprint (instance types, networking, security groups), enabling rapid failover workflows that commonly meetsub-hour RTOobjectives.

Option A is not the intended service model: AWS Backup protects AWS-native resources and does not “directly replicate” arbitrary on-prem servers as a continuous replication DR system. Option B (Storage Gateway Volume Gateway) can support backups of certain storage use cases via snapshots, but it is not a general continuous replication solution for diverse physical/virtual servers and may not meet the RTO requirement as directly as AWS DRS. Option D (Direct Connect + custom automation) can help with connectivity, but it does not provide continuous server replication by itself and would require significant custom engineering and ongoing operational effort.

Therefore, enabling AWS Elastic Disaster Recovery and configuring replication agents is the best automated, cost-optimized solution.

The correct Config rule for finding buckets that are not usingSSE-KMS by defaultiss3-default-encryption-kms. It evaluates the bucket’s default encryption settings and flags buckets that do not have KMS default encryption enabled. The s3-bucket-ssl-requests-only rule focuses on enforcing HTTPS-only requests and does not validate encryption-at-rest settings, so it cannot satisfy the “identify not encrypted with KMS” requirement.

For preventing uploads of objects that are not encrypted with KMS, an organization-wide control is needed. AnSCPcan restrict s3:PutObject so that uploads succeed only when the request specifiesSSE-KMS(and optionally a specific KMS key). This provides broad, low-touch enforcement across many accounts and buckets. While bucket policies can also enforce SSE-KMS, managing and verifying hundreds of bucket policies is more operationally heavy than a centrally managed SCP guardrail.

Option B enforcesSSE-S3, which does not meet the requirement forKMSencryption. Option D uses the wrong Config rule and relies on an “allow-only” pattern rather than explicit deny logic, making it an unreliable fit for the stated goal. Therefore, A is the best answer.

AWS CloudTrail provides a record of all API calls made in an AWS account, including calls initiated by AWS CloudFormation. According to the AWS Certified Security – Specialty Study Guide, CloudTrail is the primary source for troubleshooting authorization failures because it records denied actions and the policy type that caused the denial, including service control policies.

Reviewing CloudTrail logs allows a security engineer to identify which specific API calls failed during the CloudFormation deployment and whether the denial was caused by an SCP, an IAM policy, or a permission boundary. This evidence-based approach is the recommended first step before making any configuration changes.

Option B is unsafe and violates governance best practices by removing SCPs in production. Option C may be necessary later, but it does not identify whether SCPs are the root cause. Option D introduces unnecessary risk and bypasses the purpose of differentiated controls across OUs.

AWS documentation emphasizes observing and validating before modifying security controls, making CloudTrail log analysis the correct initial troubleshooting step.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Service Control Policies

AWS CloudTrail Authorization Failure Analysis

A rate-based rule in AWS WAF is designed to quickly mitigate spikes and potential layer 7 floods bytracking request rates per originating IPand temporarily blocking (or counting/challenging, depending on configuration) IPs that exceed a defined threshold within a 5-minute rolling window. In this scenario, the malicious traffic is distributed acrosshundreds of IPsin two countries, and the application still needs to remain available globally for legitimate users. A rate-based rule provides fast, targeted throttling that reduces abusive request patterns without permanently blocking entire geographies. This aligns with “quickly limit” while minimizing collateral impact.

Blocking both countries with a geo match rule (Option B) would likely block legitimate users located in those countries, which violates the requirement. Security groups (Options C and D) cannot natively enforcegeographicfiltering, and they are not well suited for large, rapidly changing sets of public source IPs at the application layer. Additionally, WAF operates at layer 7 with richer matching (rate limiting, URI/header patterns, bot controls), which is the appropriate control point when the ALB already has a web ACL associated. Therefore, implementing an AWS WAFrate-basedrule is the most effective and least disruptive immediate mitigation.