Sure Pass Exam SCS-C03 PDF

Amazon S3 Object Lock in compliance mode provides write-once-read-many (WORM) protection, which prevents objects from being modified or deleted for a specified retention period. According to the AWS Certified Security – Specialty Study Guide, compliance mode enforces immutability even for the root user and cannot be overridden.

Enabling S3 Object Lock requires S3 bucket versioning and ensures that once an object is written, it cannot be changed or removed until the retention period expires. This is the strongest protection against data modification and is commonly used for regulatory and legal retention requirements.

Option A can be bypassed by administrators. Option D only protects against deletions, not overwrites. Option C changes encryption but does not prevent modification.

AWS documentation explicitly identifies S3 Object Lock in compliance mode as the correct solution for immutable data storage.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon S3 Object Lock

Amazon S3 Data Protection and Compliance

The correct solution is option D because it effectively prevents direct access to the internet-facing ALB while allowing legitimate traffic that originates from Amazon CloudFront. By configuring CloudFront to include a custom HTTP header (such as X-Shared-Secret) in all origin requests, and then configuring ALB listener rules to only forward requests that contain the expected header value, the ALB will reject any requests that bypass CloudFront.

This approach is a documented AWS best practice when CloudFront is placed in front of an ALB and AWS WAF is associated with the CloudFront distribution. AWS WAF only evaluates traffic that flows through CloudFront; therefore, preventing direct access to the ALB is critical to ensure that all requests are inspected by the web ACL.

Option A is invalid because CloudFront does not support AWS PrivateLink endpoints as origins. Option B is incorrect because CloudFront cannot use an internal ALB as an origin; CloudFront requires a publicly reachable origin. Option C is not recommended because CloudFront IP ranges change frequently, making IP-based allow lists operationally complex and error-prone, and AWS does not provide a supported CloudFront prefix list for ALB listener rules.

AWS Security Specialty guidance explicitly recommends using custom origin headers to restrict ALB access to CloudFront-only traffic, making option D the correct and secure solution.

AWS WAF provides managed and custom rules that can immediately mitigate common web exploits such as SQL injection without modifying application code. According to AWS Certified Security – Specialty documentation, placing AWS WAF in front of an Application Load Balancer is a recommended rapid-response control for legacy applications with known vulnerabilities.

Creating an ALB in front of the existing EC2 instances allows seamless traffic migration. AWS WAF SQL injection rules can be deployed and tested without downtime. Updating Route 53 to point to the ALB preserves normal operations. Restricting EC2 security groups afterward prevents bypassing the WAF.

Option B introduces CloudFront changes and single-origin testing, increasing complexity. Option C cannot be completed within 24 hours and risks downtime. Option D is invalid because AWS WAF cannot be attached directly to EC2 instances.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS WAF Web ACL Architecture

AWS Application Load Balancer Security

AWS Config is purpose-built torecord resource configuration stateand track how that state changes over time. When multiple updates occur close together, AWS Config captures configuration items that represent the resource’scurrent recorded configuration, which is exactly what a compliance engineer needs to evaluate the final (cumulative) state after a burst of changes. AWS Config also integrates directly with compliance evaluation throughConfig rules, which can continuously assess whether the latest configuration meets required standards. This is the most operationally efficient approach because it avoids building custom log filtering, state reconstruction, or timing logic.

CloudTrail and CloudWatch-based approaches (Options A and C) captureAPI events, not authoritative “current configuration state.” Reconstructing the final configuration from a series of API calls can be error-prone, especially when changes are made by different services, via consoles, or through chained automation. CloudTrail is excellent for “who did what and when,” but AWS Config is the service that maintains thelatest configuration snapshotsuitable for compliance posture evaluation.

AWS Cloud Map (Option D) is for service discovery and naming, not compliance configuration history. Therefore, AWS Config is the correct and most efficient solution.