The correct option is Perform a comprehensive vendor security risk assessment.

A vendor security risk assessment is the right first action because it identifies which third parties pose the greatest cybersecurity and data risks to HarborLight and it informs subsequent decisions about controls and priorities. Conducting a vendor security risk assessment lets the organization map data flows, determine required protections, and decide which vendors need deeper due diligence or monitoring.

A structured vendor security risk assessment also produces evidence that helps shape contract language and tool selection so that obligations and monitoring match the actual risks discovered. Starting with assessment avoids wasting resources on blanket requirements or tools that may not address the highest risks.

Cloud Security Command Center is incorrect because it is a monitoring and security management tool and not the foundational step of identifying and prioritizing third party risks. Deploying such tooling can come later after assessment.

Include binding security requirements in supplier contracts is important but it is not the first action. Contract terms should be driven by the findings of a risk assessment so that requirements are targeted and enforceable.

Share all internal security policies with every third party is incorrect because sharing everything can expose internal details and is often unnecessary. HarborLight should share only the relevant requirements and controls that a vendor security risk assessment shows are needed for each supplier.

Full AWS Practitioner Certification Question