The correct option is Adding security requirements during the architecture and design phase.

Adding security requirements during the architecture and design phase is correct because embedding security goals and controls early lets teams perform threat modeling and select appropriate countermeasures before expensive rework is needed. Defining and maintaining those requirements throughout development ensures that design decisions, coding practices, and tests align with the identified risks and that risk management is continuous.

Conducting a risk assessment only after the project is completed is wrong because waiting until the end misses opportunities to design mitigations and makes fixes more costly and disruptive. Risk assessment should be done early and revisited as the project evolves.

Cloud Security Command Center is wrong because it is a specific tool and not a lifecycle practice that ensures security is addressed from design through delivery. Tools can assist detection and monitoring but they do not substitute for integrating security requirements into architecture and design.

Providing security training only after coding is finished is wrong because training developers after the code is written cannot prevent insecure design choices and implementation errors. Training is most effective when it is continuous and occurs before and during development.

Limiting security testing to the deployment stage is wrong because testing only at deployment finds issues late and increases remediation cost. Effective security testing spans design reviews, static and dynamic analysis, and continuous testing in the pipeline.

Full AWS Practitioner Certification Question