Threat Detection and Incident Response
Drill 20 practice questions focused entirely on Threat Detection and Incident Response for the AWS SCS-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A security analyst receives a GuardDuty finding indicating that an IAM user's credentials may have been used from an anomalous location (UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS). The analyst needs to quickly determine the full scope of activity associated with that IAM user over the past several weeks, including which API calls were made, from which IP addresses, and whether related resources were also accessed — all without manually querying and correlating large volumes of CloudTrail, VPC Flow Logs, and GuardDuty data. Which AWS service is purpose-built to accelerate this investigation?
A security analyst receives a GuardDuty finding indicating unusual API activity from an IAM role in a production account. Before deciding on containment, the analyst needs to understand whether this role's behavior deviates from its historical baseline over the past 45 days and which resources it has interacted with. The company already has GuardDuty, Security Hub, and Amazon Detective enabled across the organization. Which approach lets the analyst most efficiently establish this behavioral context?
A security team wants to fully automate the initial containment of any EC2 instance that GuardDuty flags with a high-severity finding. When a finding arrives, the workflow must: apply a quarantine security group, capture the instance's running memory and process list for later analysis, and record the actions in an audit trail — all without an analyst logging into the instance interactively. Which approach best meets these requirements?
A security engineer must perform forensic analysis on a compromised EC2 instance after a GuardDuty finding. The incident-response plan requires that all evidence be preserved in a legally defensible manner and that analysis occur without altering the original volumes. The compromised instance runs in a production account. Which approach best preserves forensic integrity while enabling investigation?
A security engineer receives a GuardDuty finding of type Stealth:IAMUser/CloudTrailLoggingDisabled indicating an attacker used compromised credentials to stop logging on the organization's primary CloudTrail trail. The engineer must restore audit visibility as quickly as possible and ensure logging cannot be trivially disabled again by the same technique. Which combination of actions BEST addresses both the immediate recovery and future prevention?
A security engineer receives a GuardDuty finding of type UnauthorizedAccess:EC2/MaliciousIPCaller.Custom for a production EC2 instance. The organization requires that suspected compromised instances be automatically isolated for forensic investigation while preserving all volatile and non-volatile data, and while allowing forensic tooling in a separate account to access the evidence. Which automated response best meets these requirements?
A security engineer receives a GuardDuty finding of type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS. The finding indicates that credentials from an EC2 instance's IAM role were used from an IP address outside AWS. The instance itself is still running normally and serving production traffic, and the team cannot immediately terminate or isolate it without causing an outage. What is the MOST effective immediate containment action to stop the attacker from continuing to use the stolen credentials?
A security engineer at a fintech company runs several Amazon EKS clusters that host containerized payment workloads. Leadership wants Amazon GuardDuty to detect threats such as suspicious API calls to the Kubernetes control plane (e.g., anonymous access to sensitive resources) AND malicious process activity occurring inside running containers (e.g., a reverse shell spawned in a pod). The engineer has already enabled GuardDuty in the account. What must the engineer configure to satisfy BOTH detection requirements?
A security team manages a multi-account AWS Organization with workloads deployed across four Regions. They have enabled Amazon GuardDuty in all accounts and Regions via the organization delegated administrator. The compliance team now requires that all GuardDuty findings be automatically collected into a single account and Region for centralized correlation, long-term retention in S3, and cross-referencing during investigations, without writing custom polling code. Which approach best meets these requirements?
A security team enables GuardDuty Lambda Protection across their organization. GuardDuty raises a finding indicating one of the company's Lambda functions is generating network traffic to a known cryptomining domain. The function is triggered by an SQS queue that processes customer uploads. The team must contain the threat quickly while preserving the ability to investigate how the function was compromised. Which action best achieves immediate containment with minimal disruption to unrelated workloads?
A security team enables GuardDuty Malware Protection for EC2. GuardDuty generates an 'Execution:EC2/MaliciousFile' finding after scanning an EBS volume attached to a production instance and detecting a trojan. The team wants an automated, least-disruptive first response that preserves the ability to investigate while preventing the malware from spreading laterally, and they must ensure the finding and any related activity remain fully investigable afterward. Which approach best meets these requirements?
A financial services company runs a production Amazon Aurora MySQL cluster that stores customer account data. The security team recently enabled GuardDuty RDS Protection across the organization. GuardDuty generates a finding of type 'CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin' indicating a successful login to the Aurora cluster from an unusual location using a rarely used database user. The security team needs to confirm the scope of the activity and quickly contain the potentially compromised database credential while minimizing disruption to legitimate applications. Which combination of actions BEST addresses this incident?
A security engineer manages GuardDuty for a company. GuardDuty repeatedly generates 'Exfiltration:S3/AnomalousBehavior' and related S3 data-event findings for a specific S3 bucket that a nightly analytics job legitimately queries from an on-premises IP range. The engineer has confirmed the activity is benign and wants to stop these specific findings from cluttering the console and triggering downstream alerts, while continuing to receive all other GuardDuty findings normally. What is the MOST appropriate way to achieve this?
A security engineer manages a GuardDuty administrator account for 40 member accounts. A widely used vulnerability scanning vendor performs authorized port scans and reconnaissance against the company's EC2 fleet each night, generating hundreds of Recon:EC2/Portscan findings. The engineer wants to prevent these known-benign findings from appearing in the GuardDuty console and from being forwarded to Security Hub and downstream EventBridge automation, while still retaining the ability to review them later if needed. What is the most appropriate approach?
A security engineer discovers that Amazon GuardDuty was intentionally disabled in the production account three weeks ago by a departing administrator, leaving a detection gap. The incident-response team needs to restore threat detection and, as part of recovery, retroactively understand what malicious activity may have occurred during the blind period without waiting weeks for new findings to accumulate. Which approach best supports both re-enabling detection and analyzing the historical gap?
A security team at a financial services company is building a formal incident-response capability on AWS. They want to reduce mean time to respond and ensure responders can act during a real event without needing to manually create access or gather tools under pressure. The CISO asks the team to focus first on preparation activities as defined by the AWS incident-response lifecycle. Which combination of actions BEST reflects the 'preparation' phase for AWS incident response?
A company manages 60 accounts in AWS Organizations across three Regions. The security team wants a single place to enable Security Hub, turn on the AWS Foundational Security Best Practices standard, and automatically apply the same enabled/disabled control settings to all existing and future member accounts in all target Regions — without writing custom scripts to update each account individually. Which approach meets these requirements with the least ongoing operational overhead?
A security engineer at a large enterprise manages a multi-account AWS Organization. The security team wants a single dashboard that aggregates findings from GuardDuty, Amazon Inspector, and Amazon Macie across all member accounts and multiple Regions, with findings expressed in a common data format so they can build consistent EventBridge automation rules regardless of the originating service. What is the MOST appropriate way to meet these requirements with the least custom development?
A security team uses AWS Security Hub as the aggregation point for findings from GuardDuty, Amazon Inspector, and third-party partner products across a multi-account AWS Organizations environment. They want any finding with a severity label of CRITICAL to automatically create an incident ticket in their external ITSM system, while all other findings continue to be reviewed manually in the console. The solution must be fully event-driven, require no polling, and add no custom code to normalize the different finding formats from each source. Which approach best meets these requirements?
A financial services company aggregates findings in AWS Security Hub across a multi-account organization. Their security team wants a fully automated response when GuardDuty raises an 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS' finding: the exposed IAM user's access keys must be deactivated within seconds, and an incident record must be created, all without requiring an engineer to log in. Which approach best meets these requirements while keeping the automation centralized in the security account?
More SCS-C02 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C02 overview