It is the first line of defense is correct because the information security team is usually part of the operational functions that own and manage risk and that implement and operate controls.

The first line of defense includes business and operational teams that design, deploy, and maintain security controls on a day to day basis. Information security typically implements technical controls, runs monitoring and detection, and leads incident response so it functions as an operational control owner rather than an oversight or assurance body.

It is the second line of defense is incorrect because the second line provides oversight, policy, and risk management support rather than operating the controls. Risk, compliance, and governance functions usually sit in the second line and they guide and monitor the first line.

It is the third line of defense is incorrect because the third line is independent assurance such as internal audit. The third line evaluates and reports on the effectiveness of controls and governance rather than implementing those controls.

Full AWS Practitioner Certification Question