The correct answer is Ensuring the system is operated and maintained in compliance with security requirements.

A system owner is accountable for the security posture of a specific information system across its lifecycle. They must ensure security controls are implemented and maintained and that operational procedures preserve compliance with applicable requirements. This responsibility also includes coordinating with system administrators, information system security officers, and enterprise security teams to manage patches, configurations, monitoring, and risk acceptance.

Running penetration tests and vulnerability scans is typically a technical activity performed by security engineers or external assessors. The system owner may request or approve testing but they do not usually perform the hands on scans themselves.

Granting project IAM roles and keeping audit logs are operational tasks usually handled by IAM administrators and logging systems. The system owner defines access requirements and reviews audit evidence for compliance but they seldom perform routine role assignments or direct log collection.

Developing enterprise wide risk management policies is a governance responsibility for the chief information security officer or the enterprise risk management office. System owners implement and follow those policies for their systems and they may provide input, but they are not typically the authors of enterprise level policy.

Full AWS Practitioner Certification Question