Record the flaw and notify the application owner so they can respond is correct.

Record the flaw and notify the application owner so they can respond is the appropriate next step because the reviewer must document the vulnerability and ensure the team responsible for the application can evaluate and remediate it. This preserves evidence and creates a clear handoff so that fixes can be tracked and verified.

Create a Security Command Center finding and mark it resolved is incorrect because logging a finding and then marking it resolved without the owner actually remediating and verifying the fix hides the risk and misrepresents the security posture. The reviewer should not mark remediation complete on behalf of the owner.

Try to exploit the vulnerability to measure its impact is incorrect because attempting exploitation without explicit authorization can cause harm and may be out of scope. Any further intrusive testing should be coordinated with the application owner and formally authorized before it is performed.

Ignore the finding and continue the assessment is incorrect because ignoring a discovered vulnerability leaves the system exposed and fails basic professional and ethical responsibilities. Vulnerabilities should be recorded and reported so they can be addressed promptly.

Full AWS Practitioner Certification Question