AWS · SCS-C03

Scope Overreach — AWS Security Specialty (SCS-C03)

You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.

The Scenario Doesn't Need What You're Reaching For

Scope overreach is easiest to commit on security exams, where 'more coverage' feels like better security. The scenario asks for threat detection across a single-account workload. AWS Security Hub with GuardDuty satisfies that. AWS Control Tower with Service Control Policies is a multi-account governance tool — it's a different scope, a different problem. Identify the narrowest service that fully satisfies the stated requirement.

16% of exam questions affected (31 of 193)

The Scenario

A company needs to encrypt data at rest in an S3 bucket used for internal analytics reports. You recommend AWS CloudHSM with a custom key store, customer-managed KMS key with automatic rotation, and a key policy restricting access to specific IAM roles. The correct answer is SSE-S3 (Amazon S3-managed keys) — one setting, zero key management, meets the requirement. The scenario said "encrypt at rest." It did not say "FIPS 140-2 Level 3 compliance," "customer-managed key lifecycle," or "cross-account key sharing." CloudHSM is for organizations with regulatory requirements to control their own hardware security modules. You answered a compliance question that was not asked.

How to Spot It

  • Encryption at rest has three levels on S3: SSE-S3 (zero management), SSE-KMS (key policies and rotation control), SSE-C/client-side (you manage everything). The exam gives you a simple encryption requirement and tests whether you select the simplest option. Only escalate to KMS or CloudHSM when the scenario mentions compliance, audit requirements, or cross-account key access.
  • When your answer includes services the scenario never mentioned (CloudTrail for auditing, Config for compliance checking, GuardDuty for threat detection), verify the scenario asked for those capabilities. Solving adjacent problems is over-reaching.
  • VPC endpoints come in two types: Gateway (free, for S3 and DynamoDB) and Interface (costs $0.01/hour per AZ, for everything else). If the scenario asks for private access to S3, a Gateway endpoint is free. Recommending PrivateLink Interface endpoints for S3 is scope overreach and adds unnecessary cost.
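An added example (not from the original page) that turns the three S3 encryption levels into an audit check: it classifies a bucket's default encryption from a GetBucketEncryption-shaped response and compares it with the narrowest level the stated requirements justify. The bucket configurations, key ARN and scenario flags below are constructed for illustration.

```python
from typing import Optional

# Management burden ascending, as the page lays it out; CloudHSM means a KMS key in a custom key store.
LEVELS = ["none", "SSE-S3", "SSE-KMS", "CloudHSM"]


def classify_encryption(config: Optional[dict], custom_key_store: bool = False) -> str:
    """Infer the level from a GetBucketEncryption-style response (None = no default encryption)."""
    if not config:
        return "none"
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
        if algo == "AES256":
            return "SSE-S3"
        if algo.startswith("aws:kms"):  # covers aws:kms and aws:kms:dsse
            # The bucket config never says whether the key sits in a CloudHSM-backed custom key
            # store; the caller supplies that from KMS DescribeKey (CustomKeyStoreId) when known.
            return "CloudHSM" if custom_key_store else "SSE-KMS"
    return "none"


def required_level(scenario: dict) -> str:
    """Narrowest level that satisfies only what the scenario states, per the page's decision rule."""
    if scenario.get("own_hsm_required"):
        return "CloudHSM"
    if any(scenario.get(k) for k in ("compliance", "audit", "cross_account_key_access")):
        return "SSE-KMS"
    return "SSE-S3"  # plain "encrypt at rest" and nothing more


def assess(config: Optional[dict], scenario: dict, custom_key_store: bool = False) -> str:
    """Compare configured level with required level: 'under-scoped', 'minimal' or 'overreach'."""
    have = LEVELS.index(classify_encryption(config, custom_key_store))
    need = LEVELS.index(required_level(scenario))
    return "under-scoped" if have < need else "overreach" if have > need else "minimal"


# Constructed samples (not real buckets or keys).
KMS_CMK = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
INTERNAL_REPORTS = {}  # the page's scenario: "encrypt at rest", no compliance or key-sharing clause

if __name__ == "__main__":
    print("CloudHSM-backed CMK on the reports bucket:", assess(KMS_CMK, INTERNAL_REPORTS, True))
    print("SSE-S3 on the reports bucket:", assess(SSE_S3, INTERNAL_REPORTS))
```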

Decision Rules

Fix the cross-account log delivery failure by correcting the precise policy layer blocking delivery — either the CloudWatch Logs destination resource policy missing the workload account's delivery principal, or the IAM role trust policy that no longer permits the CloudTrail service principal to assume the role — rather than broadening the IAM role's identity-based policies to compensate for the gap.

AWS CloudTrail · Amazon CloudWatch · AWS Identity and Access Management (IAM)
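An added example (not from the original page) of locating the precise policy layer described in the rule above: given the CloudWatch Logs destination resource policy and the delivery role's trust policy as JSON documents, it reports which of the two is blocking delivery instead of suggesting a broader identity policy. The sample policies, account IDs and destination ARN are constructed placeholders; wildcard actions are deliberately not expanded.

```python
CLOUDTRAIL_SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principals(statement: dict, key: str) -> list:
    """Flatten Principal[key] ('AWS' or 'Service'); a bare "*" principal matches anyone."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get(key))

def destination_allows(policy: dict, account_id: str) -> bool:
    """Does the CloudWatch Logs destination policy let account_id attach a subscription filter?"""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or "logs:PutSubscriptionFilter" not in _as_list(st.get("Action")):
            continue  # exact action match; wildcard actions are not expanded in this example
        allowed = {"*", account_id, f"arn:aws:iam::{account_id}:root"}
        if allowed & set(_principals(st, "AWS")):
            return True
    return False

def trust_allows_cloudtrail(trust_policy: dict) -> bool:
    """Does the delivery role's trust policy still let the CloudTrail service principal assume it?"""
    for st in _as_list(trust_policy.get("Statement")):
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action"))
                and CLOUDTRAIL_SERVICE_PRINCIPAL in _principals(st, "Service")):
            return True
    return False

def diagnose(destination_policy: dict, trust_policy: dict, workload_account: str) -> list:
    """Name the layer(s) blocking delivery; an empty list means neither policy is the cause."""
    blocking = []
    if not destination_allows(destination_policy, workload_account):
        blocking.append("destination-resource-policy")
    if not trust_allows_cloudtrail(trust_policy):
        blocking.append("role-trust-policy")
    return blocking


# Constructed sample policies (account IDs and ARN are placeholders, not real resources).
DESTINATION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "111122223333"},  # workload account 444455556666 is missing
    "Action": "logs:PutSubscriptionFilter",
    "Resource": "arn:aws:logs:us-east-1:999988887777:destination:central-trail"}]}
STALE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{  # edited to the wrong service principal
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(diagnose(DESTINATION_POLICY, STALE_TRUST_POLICY, "444455556666"))
```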

Whether to sequence containment first — isolating the instance and capturing an EBS snapshot before any eradication — or to prioritise operational speed by terminating and rebuilding, which destroys volatile memory and disk evidence and violates the chain-of-custody governance boundary.

Amazon GuardDuty · Automated Forensics Orchestrator for Amazon EC2 · AWS CloudTrail

Whether intra-VPC east-west L7 inspection is satisfied by a Network Firewall endpoint inserted into the VPC routing path, or requires a Transit Gateway hub-and-spoke centralized inspection architecture — hinging on scope boundary (single VPC vs. multi-VPC) as the disqualifying dimension.

Amazon VPC · AWS Network Firewall · AWS Transit Gateway

Whether Shield Advanced is required when the stated threat model is limited to L7 application-layer exploits and the compliance requirement is geo-restriction plus per-request audit logging — not volumetric DDoS protection or DRT SLA coverage.

Amazon CloudFront · AWS WAF · AWS Shield Advanced

Whether native stateful VPC security group rules satisfy the intra-VPC east-west zero-trust micro-segmentation requirement, making centralized AWS Network Firewall deployment unnecessary scope overreach given the explicit prohibition on centralized routing overhead.

Amazon VPC · Network Access Analyzer · AWS Network Firewall

Whether to attach WAF managed rules plus Shield Advanced directly to the CloudFront distribution or to overreach by routing WAF policy management through Firewall Manager, which is architecturally correct only for multi-account or multi-region governance and introduces unjustified operational complexity in a single-account deployment.

Amazon CloudFront · AWS WAF · AWS Shield Advanced

Whether to enforce the vulnerability control at build time via EC2 Image Builder and Inspector pipeline integration, or to overreach into runtime threat detection (GuardDuty) or post-deployment patching (SSM Patch Manager), given that the explicit constraint is a pre-deployment gate before any instance is launched.

EC2 Image Builder · Amazon Inspector · AWS Systems Manager

Whether intra-VPC east-west L7 inspection is satisfied by deploying AWS Network Firewall in a dedicated subnet within the existing VPC via route table steering, or requires a Transit Gateway-based centralized inspection VPC.

Amazon VPC · AWS Network Firewall

Domain Coverage

Detection · Incident Response · Infrastructure Security

Difficulty Breakdown

Expert: 15 · Medium: 4 · Hard: 12