Black box testing is correct. It evaluates the public facing web applications and APIs from an external perspective and does not rely on any internal knowledge.

Black box testing simulates what an outside attacker can discover and exploit by using external reconnaissance, dynamic testing, and manual penetration techniques. This approach focuses on runtime behavior and the exposed interfaces of web apps and APIs so it will reveal authentication and session issues, input validation flaws, misconfigured endpoints, and API logic problems that an external user could leverage.

Gray box testing is not ideal because it assumes the tester has some internal knowledge or credentials. That mixed-knowledge approach is useful for certain assessments but it does not represent a purely external, unauthenticated attacker.

Automated vulnerability scanning can quickly find many known issues on public endpoints, but scanners often miss complex authentication bypasses and business logic flaws. Scanning is a helpful supplement but it does not replace a full external black box evaluation.

White box testing involves full access to source code, design, and internal architecture and it focuses on code level defects. That makes it less appropriate when the primary goal is to measure external exposure from the perspective of an outsider.

Full AWS Practitioner Certification Question