AWS Security Specialty (SCS-C03) trap evaluation

The right service applied at the wrong scope

Security Specialty questions are engineered so that the service name is rarely the discriminator. KMS, CloudTrail, Config, GuardDuty, and IAM all appear as both correct and incorrect answer choices for adjacent scenarios, depending on which layer the control is applied to. A frequent failure is choosing KMS where the scenario calls for Secrets Manager, or reaching for IAM policies where resource-based policies are what the access path requires. A separate consistent trap is detection-versus-enforcement confusion: CloudTrail for detective purposes and Config for compliance posture serve different roles, and questions are written to test whether candidates understand which role fits the described failure mode. Applying the right service with the wrong trust boundary or the wrong policy scope is the most common answer-key miss.