Penetration testing or ethical hacking is correct.

Penetration testing emulates an attacker by actively attempting to exploit vulnerabilities to determine whether security controls can be bypassed and to demonstrate real world impact. This method uses a mix of manual techniques and targeted tools to validate exploitability and to show attack chains that could lead to access or privilege escalation. Penetration tests are authorized engagements and they provide evidence of exploit paths that help prioritize remediation.

Vulnerability scanning is incorrect because scanners are automated tools that discover known weaknesses and missing patches but they do not usually attempt to exploit findings or chain them together to prove a breach. Scans are useful for broad detection and continuous monitoring but they do not simulate an attacker.

Cloud Security Command Center is incorrect because it is a cloud security management and visibility service rather than an assessment technique. It aggregates findings and monitors configurations and threats in Google Cloud but it does not perform attacker emulation or active exploitation.

Risk assessment is incorrect because it is a process to evaluate likelihood and impact of threats and to prioritize controls rather than an active test that tries to breach systems. A risk assessment helps decide what to test but it does not itself demonstrate exploitability through simulated attacks.

Full AWS Practitioner Certification Question