SCS-C03 Exam Dumps - AWS Certified Security – Specialty

Amazon SQS is an AWS-managed service and does not operate within customer VPCs. Therefore, security groups and network ACLs cannot be used to control access to SQS, making options A and B invalid. According to AWS Certified Security – Specialty documentation, the recommended approach to securely access AWS services from within a VPC is throughinterface VPC endpoints (AWS PrivateLink).

By creatinginterface VPC endpoints for Amazon SQS, the company ensures that traffic to SQS stays within the AWS network and does not traverse the public internet. Adding anSQS resource policywith the aws:SourceVpce condition restricts access so that only requests originating from the specified VPC endpoint are allowed. Additionally, using the aws:PrincipalOrgId condition ensures that only principals belonging to the same AWS Organization can access the queue.

Option D introduces an external tool, increasing cost and compliance complexity, which directly violates the requirement to minimize investment outside AWS.

AWS documentation clearly identifiesVPC endpoints combined with IAM condition keysas a best practice for securing service access in multi-account environments.

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security Best Practices

AWS Organizations Documentation

AWS PrivateLink User Guide

AWS WAFrate-based rulesare specifically designed to protect applications from traffic floods and distributed attacks that originate from large numbers of IP addresses. According to the AWS Certified Security – Specialty Official Study Guide, rate-based rules automatically track the number of requests coming from individual IP addresses and temporarily block IPs that exceed a defined threshold.

In this scenario, the malicious traffic originates fromhundreds of IP addresses across two countries, mixed with legitimate user traffic. A rate-based rule allows the security engineer tolimit excessive request rates without fully blocking access from entire geographic regions, ensuring that legitimate users can still access the application.

Option B is incorrect because geographic match rules blockalltraffic from selected countries, which would deny access to legitimate users and violate the stated requirement. Option C is invalid because security groups do not support geographic filtering. Option D is not scalable, as manually blocking hundreds of IP addresses is operationally inefficient and ineffective against rapidly changing attacker IPs.

AWS documentation emphasizes thatrate-based rules are the recommended first-line mitigationfor sudden traffic spikes and potential application-layer DDoS attacks when business continuity must be preserved.

AWS Certified Security – Specialty Official Study Guide

AWS WAF Developer Guide – Rate-Based Rules

AWS DDoS Resiliency Best Practices

Cross-account access for an external auditor typically usesSTS AssumeRoleinto a role that exists in each target account. Three common failure points are: (1) therole ARNbeing wrong or missing, (2) the auditor lacking permission to callsts:AssumeRoleon that role, and (3) anexternal IDmismatch when the role trust policy requires it. Theexternal IDis a best practice for third-party access to mitigate the confused-deputy problem; if the trust policy includes an sts:ExternalId condition, the auditor must supply the exact expected value. If it’s absent or incorrect, AssumeRole will be denied.

The auditor must also be authorized on their side (IAM user/role policy) to call sts:AssumeRole (permission), and the destination role’strust policymust trust the auditor principal. If either side is misconfigured, the assume operation fails. Finally, the auditor must reference the correctrole ARNfor each account; using an incorrect ARN (wrong account ID/role name/path) is a frequent reason only “some accounts” fail.

Incorrect password (B) is irrelevant if the auditor is using API/STS federation rather than console password auth, and EC2 instance roles (D) are not required for an external auditor. Missing/incorrect secret key (E) is possible for API auth, but the question centers on cross-account role access issues; the canonical causes are external ID, AssumeRole permission, and role ARN.

Amazon Cognito identity pools provide temporary AWS credentials by exchanging web identity tokens with AWS STS using AssumeRoleWithWebIdentity. According to AWS Certified Security – Specialty documentation, this is the correct mechanism for granting applications AWS credentials.

User pools authenticate users but do not issue AWS credentials. Identity pools integrate with IAM roles and STS, enabling secure, temporary access to AWS services.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon Cognito Identity Pools

AWS STS Web Identity Federation

In IAM Identity Center, users see accounts and permission sets in the AWS access portal based onassignments. Here, the new permission set was assigned to theDevOps groupfor a specific member account. Sinceall developers except onecan see the permission set, the permission set itself and the account assignment are working correctly. The most likely cause is that the remaining developer isnot actually a memberof the DevOps group in the identity source (AWS Directory Service / Active Directory), or their group membership is not reflected due to missing/incorrect directory group assignment.

The least disruptive fix is to ensure the developer’s identity is correctly included in theDevOpsgroup within the directory. Once the user is a member of the assigned group (and after normal identity sync/refresh behavior), IAM Identity Center will evaluate the user as entitled to that permission set, and it will appear in the access portal.

Option B is unnecessary because the assignment is already effective for others. Option C is unrelated; service-linked roles for Organizations do not determine portal entitlements. Option D would not explain why only one user cannot see the permission set; if console access were misconfigured, it would affect all users assigned that permission set.