AWS incident response best practices emphasize immediate containment, preservation of evidence, and safe forensic investigation. According to the AWS Certified Security – Specialty Study Guide, when an EC2 instance is suspected of compromise, security teams should avoid logging in to the instance or installing additional tools, as these actions can alter evidence and increase risk.

Terminating the compromised instance after ensuring that its Amazon EBS volumes are preserved prevents further malicious activity immediately. By setting the EBS volumes to not delete on termination, all disk data is retained for forensic analysis. Launching a new, clean EC2 instance in a different subnet or Availability Zone with preinstalled diagnostic tools allows investigators to safely attach and analyze the compromised volumes without executing potentially malicious code.

Option A introduces significant risk by logging in to the compromised instance and modifying security controls during active compromise. Option B delays containment and allows continued outbound traffic during investigation steps. Option D is invalid because AWS WAF cannot be attached directly to Amazon EC2 instances and does not control outbound traffic.

AWS documentation strongly recommends isolating or terminating compromised resources and performing offline analysis using detached storage volumes. This approach ensures immediate mitigation, preserves forensic integrity, and aligns with AWS incident response frameworks.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Incident Response Best Practices

Amazon EC2 and EBS Forensics Guidance

AWS Well-Architected Framework – Security Pillar

Amazon SQS is a regional service that supports AWS PrivateLink through interface VPC endpoints. According to AWS Certified Security – Specialty documentation, the most secure and compliant way to restrict access to AWS services is by using VPC endpoints combined with resource-based policies.

By creating interface VPC endpoints for Amazon SQS in all VPCs, traffic to SQS remains on the AWS network and does not traverse the public internet. Using the aws:SourceVpce condition in the SQS queue policy ensures that only requests originating from approved VPC endpoints can access the queue. Adding the aws:PrincipalOrgId condition further restricts access to principals that belong to the same AWS Organization.

Security groups and network ACLs do not apply to SQS because SQS is not deployed inside a VPC. Third-party CASB tools add cost and operational overhead.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

Amazon SQS Security and VPC Endpoints

AWS Organizations Condition Keys

GuardDuty supports “Trusted IP lists” to suppress findings that would otherwise be generated for activity originating from known safe IP addresses (for example, corporate NAT egress IPs, security scanners, or monitoring systems). To use a trusted IP list, you create aplain textfile that contains the IP addresses (typically one per line or in supported list form) and store it inAmazon S3. You then configure GuardDuty to reference that S3 object as a trusted IP list. GuardDuty periodically retrieves the file from S3 and uses it to adjust finding generation accordingly.

That maps directly to Option A (create a plaintext file) and Option D (upload to S3 and create a trusted IP list in GuardDuty pointing to the file).

Options B and E are incorrect because GuardDuty trusted IP lists are not configured by pasting JSON into the console; they are sourced from an S3-hosted text list. Option C is not supported because GuardDuty does not accept direct file uploads into the service as the configuration source; S3 is the expected integration point for IP lists and threat intel lists.

An RPO of1 hourmeans the company must be able to restore data with at most60 minutes of loss. Option A directly meets this by usingAWS Backupto takehourly backupsof both the compute layer (EC2) and the data layer (S3). AWS Backup provides centralized policy-based scheduling, retention, and (when configured) immutable protections such as Backup Vault Lock to help defend backups from tampering—important in ransomware recovery scenarios. Backing up the S3 buckets hourly also addresses recovery of critical objects such as images and music that users rely on.

In addition, recovery to “normal operations” is not only about data restoration; it also requires rapidly re-creating infrastructure reliably. UsingAWS CloudFormation templatesstored in aversion-controlled Git repositorysupports consistent, repeatable rebuilds of the ALB, EC2 fleet configuration, IAM roles, security groups, and related components. This infrastructure-as-code approach reduces human error under incident pressure and accelerates disaster recovery execution.

Option B fails the RPO because daily backups can lose up to 24 hours of data. Option C focuses on logging/governance rather than backups and does not establish a 1-hour recovery point. Option D also fails the RPO (4-hour snapshots) and is reactive to a specific finding type rather than a comprehensive DR plan for EC2 and S3.

Option A satisfies all requirements with the most direct, purpose-built AWS logging workflow. By using the CloudWatch Agent (or fluent-bit / unified logging configuration) on each EC2 instance—regardless of whether it is On-Demand or Spot—the application logs can be centralized into asingle Amazon CloudWatch Logs log group. Centralization ensures the logs remain available even as Spot Instances are interrupted and replaced. Access control is handled withIAM policies(and optionally resource policies/KMS encryption) so that only a specific set of users can read/query the log group.

For analysis,CloudWatch Logs Insightsprovides an interactive query language that is SQL-like and commonly treated as “SQL queries” for troubleshooting. It enables fast filtering, aggregation, and pattern detection across large log volumes without building a separate data lake pipeline. This supports event-pattern analysis and root cause investigation directly from the centralized log group.

Option B is incorrect because Logs Insights queries CloudWatch Logs data, not arbitrary log files sitting in S3. Option C is inefficient (many log groups) and Athena cannot directly query CloudWatch log groups as a native data source. Option D is incorrect because Amazon Detective is for security investigations across supported data sources and is not the primary service for ad-hoc SQL-style querying of application logs.

To performcustom validation at sign-upand explicitlyaccept or denyregistrations, Amazon Cognito providesLambda triggers. APre sign-up triggerruns synchronously during the sign-up flow (including the Hosted UI) and can implement custom checks (for example, IP reputation checks, email/domain validation, velocity checks, allow/deny lists, or geo checks using an external service). Based on the trigger logic, the function can allow the sign-up to proceed or reject it, meeting the “custom validation” and “accept/deny” requirement directly.

Because the observed fraud largely originatesoutside France, adding a front-door geographic control reduces unwanted traffic before it reaches Cognito.AWS WAFsupportsGeo matchconditions in a web ACL to allow/deny requests by country, which is a common mitigation for region-scoped applications. Associating a WAF web ACL to protect the Hosted UI endpoint helps block sign-up requests from non-French locations early, reducing fraud attempts and load.

The other options do not meet the requirement: Cognito user pools do not provide a native “geographic restriction setting” for sign-up (D), app client ID validation does not stop fraudulent sign-ups (C), and using a social IdP does not provide custom accept/deny validation for all sign-ups (E).

AWS CloudFormation supports the use of aservice role, which allows CloudFormation to assume a dedicated IAM role to create and manage resources on behalf of users. According to the AWS Certified Security – Specialty Study Guide, using a service role is themost secure and consistent wayto ensure predictable stack deployments when users have varying permission sets.

By creating a service role with cloudformation.amazonaws.com as the trusted service principal (Option B), CloudFormation—not individual users—assumes responsibility for resource creation. Updating each stack to explicitly use this service role (Option E) ensures that all deployments use the same permission set, eliminating inconsistencies.

Granting the team members permission to pass the service role via iam:PassRole (Option F) is required so that CloudFormation can assume the role during stack operations. This approach adheres to the principle of least privilege and prevents users from gaining direct access to elevated permissions.

Composite principals (Option A) are unnecessary and insecure. Referencing stack ARNs (Option C) does not solve the root cause. While Option D reflects good policy design, it is implicit in creating the service role and is not a required standalone step.

AWS documentation clearly identifiesCloudFormation service roles combined with iam:PassRoleas best practice for secure, consistent infrastructure deployments.

AWS Certified Security – Specialty Official Study Guide

AWS CloudFormation Service Role Documentation

AWS IAM Best Practices

The requirement is twofold:cross-Region replicationfor disaster recovery andimmutabilityso that even administrators cannot permanently delete data in the secondary Region. The S3-native feature designed to prevent deletion (including version deletion) for a defined retention period isS3 Object Lock. When Object Lock is configured incompliance mode,no user, including the root user and administrators, can remove Object Lock protections or permanently delete protected object versions before retention expires. This meets the “admins cannot permanently delete” requirement far better than policy-based controls.

To replicate the data for DR, the company can configureS3 replicationfrom the primary Region bucket to a bucket in the secondary Region. With Object Lock in place (and the destination bucket appropriately configured to support Object Lock and versioning), replicated objects can be retained immutably, providing a strongly protected copy for recovery.

Option D (versioning alone) prevents accidental overwrites but does not stop an admin from deleting all versions. Option C only blocks replication deletes; it does not prevent an admin from deleting objects directly in the secondary bucket. Option A uses AWS Backup vault lock ingovernancemode, which still allows privileged users with special permissions to override retention; it also creates backups rather than true object-level replication. Therefore, Object Lock in compliance mode combined with replication is the best match.

AWS Organizations tag policies are designed to standardize and govern tag keys and allowed values across accounts. AWS Certified Security – Specialty documentation describes tag policies as a governance mechanism that helps enforce consistent tagging by specifying required tag keys and permitted values. To ensure every resource has the CostCenter tag at creation time, an SCP can deny create actions when aws:RequestTag/CostCenter is missing (null). This prevents resources from being created without the required tag. Tag policies then define the three approved values and can be configured to enforce or report noncompliance depending on supported services, ensuring that tag values remain within the allowed set and preventing drift to unapproved values. Compared with custom Lambda-based enforcement, this approach minimizes operational overhead and keeps enforcement within AWS native governance services. Option A partially addresses allowed values at request time but does not address ongoing governance as cleanly across many services. Option B is not preventive because Lambda runs after events and cannot reliably block all creations. Option D still relies on custom logic and is not as operationally efficient as tag policies plus SCP guardrails.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS Organizations Tag Policies

AWS Organizations SCP Condition Keys for Tag Enforcement

AWS incident response best practices emphasizerapid containment with minimal blast radius. According to the AWS Certified Security – Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue running is the preferred initial response.

By using Amazon EventBridge to detect GuardDuty findings related to anomalous traffic and invoking a Lambda function, the security engineer can automatically remove the affected EC2 instance from the Auto Scaling group and attach arestricted security group. This immediately isolates the instance while allowing Auto Scaling to launch a replacement instance, ensuring application availability.

Option A is invalid because EC2 instance profiles do not use long-term access keys. Option C affects the entire subnet and could disrupt unrelated workloads. Option D provides notification only and does not meet the requirement for automated response.

AWS documentation explicitly recommendsinstance-level isolation using security groupsas a best practice for initial incident containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide

AWS Incident Response Best Practices