AWS · SCS-C03

Near-Right Architecture — AWS Security Specialty (SCS-C03)

Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.

Technically Valid Doesn't Mean Professionally Correct

The scenario gives you a governing constraint — least privilege, cost optimization, operational simplicity, or compliance posture. The distractor satisfies the functional requirement but ignores that constraint. An architecture that works is not the same as an architecture that's right. On the SCS-C03, the professional constraint is the deciding variable. Identify it before you evaluate any answer option.

24% of exam questions affected (46 of 193)

The Scenario

A company needs a real-time analytics dashboard querying petabytes of log data. The question offers Athena with S3 and Redshift Serverless. Both query structured data at scale. But the scenario says "sub-second response times for repeated queries" — Athena scans S3 on every query (seconds to minutes), while Redshift caches results and returns sub-second on repeats. The constraint is latency on repeated queries, not raw query capability. You picked Athena because it is serverless and cheaper per query, but the access pattern eliminates it.

How to Spot It

  • When both answers use real AWS services that address the primary use case, re-read for the performance constraint. "Sub-second," "real-time," "single-digit millisecond" each eliminate different services. Athena is not sub-second. DynamoDB is not for complex joins. Aurora is not for petabyte-scale analytics.
  • Look for protocol-level constraints. If the scenario says TCP traffic with client IP preservation, that eliminates CloudFront (HTTP/HTTPS only) and points to Global Accelerator + NLB. If it says HTTP with caching, that eliminates Global Accelerator.
  • If you find yourself thinking "both could work," the exam is testing constraint reading. Check for: latency target, protocol, data volume, ordering requirement, or compliance region restriction.

Decision Rules

Choose AWS Organizations Resource Control Policies (RCPs) rather than Service Control Policies (SCPs) to prevent external principals from accessing organization-managed S3 resources, because SCPs constrain what IAM principals inside the organization are permitted to do while RCPs constrain what any principal — including external accounts — is permitted to do on organization-owned resources, regardless of what resource-based policies grant.

AWS Organizations · AWS Control Tower · AWS Config
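As an added illustration (not from the original page), a resource control policy that denies every S3 action to any principal that is not a member of the organization. The organization ID is a placeholder; AWS service principals are exempted so services acting on the organization's behalf keep working:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AccessFromOutsideOrganization",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-PLACEHOLDERORGID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Because an RCP is evaluated on the resource side, a bucket policy that grants s3:GetObject to an external account is still overridden; an SCP attached to the same OU would not affect that external principal at all.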

Whether the organizational compliance monitoring requirement — detecting configuration drift against a named framework across all accounts — is satisfied by a threat-detection service (GuardDuty) or by a configuration-compliance aggregation service (AWS Config feeding Security Hub standards with a delegated administrator).

AWS Security Hub · Amazon GuardDuty · AWS Config

Choose AWS Step Functions (parallel-state orchestration with a built-in audit trail, satisfying simultaneous containment and evidence preservation within the MTTR target) over AWS Systems Manager Automation (sequential runbook execution that cannot natively parallelize the isolation and snapshot steps, risking evidence loss or an MTTR breach).

AWS Step Functions · AWS Systems Manager · AWS Lambda

Whether the identity population is the organization's own workforce or an external third party determines whether IAM Identity Center or Cognito (User Pools + Identity Pools) is the correct managed service for MFA-enforced temporary credential issuance — the two services overlap on capabilities but diverge sharply on intended identity population boundary.

Amazon Cognito · AWS IAM Identity Center · AWS Security Token Service (AWS STS)

Whether to use IAM Identity Center permission sets (centralized RBAC provisioned automatically per assignment) or IAM ABAC with tag-based conditions when the access pattern is role-static and role proliferation must be minimized — ABAC is the near-right architecture because it reduces role count in the general case but adds tag-governance overhead that provides zero least-privilege improvement when no resource-attribute variance exists.

AWS IAM Identity Center · AWS Identity and Access Management (IAM) · AWS Organizations

When a compliance mandate simultaneously imposes FIPS 140-2 Level 3 key custody and automated rotation, CloudHSM satisfies both constraints; KMS with imported key material satisfies the custody cue but is disqualified by the rotation-automation requirement, because imported keys cannot be automatically rotated in KMS and require manual re-import on every cycle.

AWS CloudHSM · AWS Key Management Service (AWS KMS) · AWS Secrets Manager

Which combination of named ELB security policy and backend pod certificate mechanism enforces TLS 1.2 as the hard minimum on both connection legs, rather than selecting a policy that permits TLS 1.2 alongside lower negotiable versions.

Elastic Load Balancing (ELB) · AWS Private Certificate Authority · AWS Certificate Manager (ACM)
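Added for comparison (not the page's own material): two CloudFormation listener definitions for the client-facing leg of an ALB, shown side by side although only one would be deployed. The first policy name still negotiates TLS 1.0 and 1.1 next to TLS 1.2; the second makes TLS 1.2 the floor. Resource names and the certificate ARN are placeholders:

```json
{
  "Resources": {
    "WeakListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": { "Ref": "PlaceholderAlb" },
        "Port": 443,
        "Protocol": "HTTPS",
        "SslPolicy": "ELBSecurityPolicy-2016-08",
        "Certificates": [ { "CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER" } ],
        "DefaultActions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "PlaceholderTargetGroup" } } ]
      }
    },
    "HardenedListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": { "Ref": "PlaceholderAlb" },
        "Port": 443,
        "Protocol": "HTTPS",
        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "Certificates": [ { "CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER" } ],
        "DefaultActions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "PlaceholderTargetGroup" } } ]
      }
    }
  }
}
```

The listener policy governs only the client-to-load-balancer leg; the target group protocol and the certificates the backend pods present govern the second leg and must be checked separately.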

Whether the centralized logging architecture spans all three visibility layers — identity (CloudTrail), application (CloudWatch), and network (VPC Flow Logs and Route 53 Resolver DNS logs) — or satisfies only the API retention compliance requirement while leaving east-west lateral movement invisible.

AWS CloudTrail · Amazon Security Lake · Amazon CloudWatch

Evidence capture and instance isolation must be sequenced before any destructive or mutating eradication action; an automated runbook that quarantines or stops the instance before acquiring a memory dump and EBS snapshot crosses the chain-of-custody governance boundary even if it reduces blast radius faster.

Amazon GuardDuty · Automated Forensics Orchestrator for Amazon EC2 · AWS Security Hub
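A constructed Step Functions state machine (added here; not the project's or the page's own definition) that serves both the orchestration rule above and this sequencing rule: the EBS snapshot and the memory capture run in a Parallel state, and the quarantine step cannot start until both branches have completed. The SSM document name and the input fields (volumeId, instanceId, quarantineSecurityGroupId) are placeholders:

```json
{
  "Comment": "Constructed example: evidence is captured in parallel and must finish before isolation",
  "StartAt": "CaptureEvidence",
  "States": {
    "CaptureEvidence": {
      "Type": "Parallel",
      "Branches": [
        {
          "StartAt": "SnapshotVolume",
          "States": {
            "SnapshotVolume": {
              "Type": "Task",
              "Resource": "arn:aws:states:::aws-sdk:ec2:createSnapshot",
              "Parameters": { "VolumeId.$": "$.volumeId" },
              "End": true
            }
          }
        },
        {
          "StartAt": "CaptureMemory",
          "States": {
            "CaptureMemory": {
              "Type": "Task",
              "Resource": "arn:aws:states:::aws-sdk:ssm:sendCommand",
              "Parameters": {
                "DocumentName": "PLACEHOLDER-MemoryCaptureDocument",
                "InstanceIds.$": "States.Array($.instanceId)"
              },
              "End": true
            }
          }
        }
      ],
      "ResultPath": "$.evidence",
      "Next": "IsolateInstance"
    },
    "IsolateInstance": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:ec2:modifyInstanceAttribute",
      "Parameters": {
        "InstanceId.$": "$.instanceId",
        "Groups.$": "States.Array($.quarantineSecurityGroupId)"
      },
      "End": true
    }
  }
}
```

If either evidence branch fails, the Parallel state fails and the execution never reaches IsolateInstance, so the execution history records exactly what was captured before any mutation.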

Whether L7 exploit mitigation, geo-restriction enforcement, and DDoS cost-protection SLA eligibility all require CloudFront edge placement, because geo-restriction and Shield Advanced cost-protection SLAs are exclusively available at edge PoPs and cannot be satisfied by controls applied at the VPC or ALB layer.

Amazon CloudFront · AWS WAF · AWS Shield Advanced

Whether build-time vulnerability scanning via Inspector integrated with EC2 Image Builder, or runtime threat detection via GuardDuty, satisfies the pre-deployment AMI gate constraint under least-privilege compute governance.

EC2 Image Builder · Amazon Inspector · Amazon GuardDuty

When a scenario requires both L7 application-layer threat mitigation (OWASP Top 10) AND an SLA-backed DDoS cost-protection guarantee with DRT access, CloudFront + WAF alone is near-right because WAF covers L7 but does not provide volumetric DDoS cost absorption or DRT escalation; Shield Advanced must be added to satisfy the stated SLA and response-team constraint.

Amazon CloudFront · AWS WAF · AWS Shield Advanced

Domain Coverage

Detection · Incident Response · Infrastructure Security · Identity and Access Management · Data Protection · Security Foundations and Governance

Difficulty Breakdown

Medium: 31 · Hard: 7 · Expert: 8
