Amazon Web Services SCS-C03 Exam Dumps - Actual Questions Answers

Option A satisfies all requirements with the most direct, purpose-built AWS logging workflow. By using the CloudWatch Agent (or fluent-bit / unified logging configuration) on each EC2 instance—regardless of whether it is On-Demand or Spot—the application logs can be centralized into asingle Amazon CloudWatch Logs log group. Centralization ensures the logs remain available even as Spot Instances are interrupted and replaced. Access control is handled withIAM policies(and optionally resource policies/KMS encryption) so that only a specific set of users can read/query the log group.

For analysis,CloudWatch Logs Insightsprovides an interactive query language that is SQL-like and commonly treated as “SQL queries” for troubleshooting. It enables fast filtering, aggregation, and pattern detection across large log volumes without building a separate data lake pipeline. This supports event-pattern analysis and root cause investigation directly from the centralized log group.

Option B is incorrect because Logs Insights queries CloudWatch Logs data, not arbitrary log files sitting in S3. Option C is inefficient (many log groups) and Athena cannot directly query CloudWatch log groups as a native data source. Option D is incorrect because Amazon Detective is for security investigations across supported data sources and is not the primary service for ad-hoc SQL-style querying of application logs.

AWS incident response guidance emphasizes immediate containment, credential invalidation, and removal of malicious resources. According to the AWS Certified Security – Specialty documentation, compromised credentials must be rotated or deleted immediately to prevent further unauthorized actions. Rotating or deleting access keys directly mitigates ongoing abuse.

Deleting unrecognized or unauthorized resources, such as the malicious S3 bucket, removes the active threat and limits further damage. Enabling Amazon GuardDuty provides continuous monitoring and helps identify additional compromised resources or malicious behavior that may not yet be visible.

Changing passwords for all IAM users is disruptive and unnecessary if compromise scope is limited. Encrypting CloudTrail logs does not reduce active impact. Taking EBS snapshots is primarily for forensic investigation, not immediate consequence minimization.

AWS best practices recommend GuardDuty activation, credential rotation, and removal of malicious resources as first-response actions.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon GuardDuty Threat Detection

Option C is the best fit because Amazon GuardDuty provides managed threat detection forEKSby analyzingEKS control plane audit logs(EKS Protection) and correlating those signals withruntime telemetry(Runtime Monitoring) that includesprocess/OS activity, network connections, and file activityon the worker nodes. This directly matches the requirement to monitor EKS audit logsin addition tooperating system, networking, and file events to detect Kubernetes security risks.

GuardDuty produces securityfindingsfor suspicious Kubernetes behavior and runtime indicators (for example, unexpected API calls, anomalous container activity, or known malicious behaviors). To notify the security team, anAmazon EventBridgerule can match GuardDuty findings and forward them to anSNS topic. SNS supportsemail subscriptions, so the team’s mailing list can receive near-real-time alerts without building a custom log parsing pipeline.

Option A (Security Hub) aggregates findings and maps to controls/standards but does not itself provide the combined audit-log + runtime event detection described. Option B combines unrelated services and still requires custom processing. Option D only alarms on “new audit logs generated,” which does not detect “security risks” and does not include OS/network/file threat detections.