AWS Certified Security - Specialty · Domain 1 · 16% of exam

Detection

Drill 20 practice questions focused entirely on Detection for the AWS SCS-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company operates 45 AWS accounts managed under AWS Organizations. The security team wants a centralized way to view and prioritize GuardDuty threat findings, Inspector vulnerability findings, and misconfiguration findings from managed compliance standards across all accounts in one console. They also want new accounts to be automatically enrolled without manual configuration. Which approach best meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 2 of 20

A security engineer at a company with 40 AWS accounts under AWS Organizations wants to reduce the time analysts spend correlating logs during investigations. Analysts currently pull VPC Flow Logs, CloudTrail events, and GuardDuty findings manually from each account to understand the scope of suspicious activity. The engineer needs a service that automatically ingests these data sources across all member accounts and presents an interactive visualization showing relationships between entities such as IAM roles, IP addresses, and EC2 instances over time. Which approach meets this requirement with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 3 of 20

A security analyst receives a GuardDuty finding indicating that an EC2 instance in the production account is communicating with a known cryptocurrency-mining IP address. Before deciding whether to isolate the instance, the analyst needs to understand whether this behavior is new, which IAM entities and API calls were involved, and how the affected resource's activity has changed over the past several weeks. Which AWS service is purpose-built to help the analyst perform this root-cause investigation with the least setup effort?

Reviewed for accuracy · Report an issue
Question 4 of 20

A security analyst uses Amazon Detective in a delegated administrator account to investigate a GuardDuty finding indicating that an EC2 instance made connections to a known cryptocurrency mining domain. The analyst needs to quickly understand whether the same behavior appeared across other resources, identify the earliest occurrence of the activity, and gather evidence to support an incident report — without manually correlating data from CloudTrail and VPC Flow Logs. Which Detective capability best supports this need?

Reviewed for accuracy · Report an issue
Question 5 of 20

A security engineer at a fintech company enables Amazon GuardDuty in the organization's management account. Two weeks later, GuardDuty generates a finding indicating that an IAM user made API calls from an IP address in a country where the company has no operations, and the calls attempted to disable CloudTrail logging. The engineer wants to understand which data source GuardDuty analyzed to produce this specific behavioral finding, so the team can validate the detection strategy. Which GuardDuty foundational data source was used to generate this finding?

Reviewed for accuracy · Report an issue
Question 6 of 20

A security team manages several Amazon EKS clusters and wants GuardDuty to detect suspicious activity such as anonymous API access, privileged container launches, and use of exposed Kubernetes credentials by analyzing control-plane activity. They do not want to deploy any agents onto the worker nodes at this stage. Which GuardDuty capability should they enable to meet this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 20

A company runs sensitive workloads on multiple Amazon EKS clusters. The security team wants to detect threats such as suspicious process executions, container escapes, and connections to known malicious IP addresses at the operating-system and container level inside the pods, in addition to the control-plane activity they already monitor. They want a managed solution that requires minimal ongoing agent maintenance. Which approach best meets these detection requirements?

Reviewed for accuracy · Report an issue
Question 8 of 20

A security team enables Amazon GuardDuty in their production account. They want to automatically trigger an isolation Lambda function only when GuardDuty reports an EC2 instance that is likely compromised and being used for cryptomining or command-and-control activity, while avoiding automated action on low-confidence reconnaissance findings. Which approach BEST accomplishes this without building custom parsing logic for every finding type?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company runs a large serverless application built primarily on AWS Lambda functions that process transactions and make outbound network calls to third-party APIs. The security team is concerned that a compromised function could be used to communicate with attacker-controlled infrastructure or perform cryptocurrency mining, but they currently receive no threat detection signals from the Lambda environment. They already use Amazon GuardDuty for their EC2 and S3 workloads. Which action provides the MOST effective detection of malicious network activity originating from these Lambda functions with the least operational effort?

Reviewed for accuracy · Report an issue
Question 10 of 20

A security engineer at a financial services company wants Amazon GuardDuty to generate findings whenever EC2 instances communicate with a specific set of IP addresses that the company's own threat intelligence team has identified as malicious command-and-control servers. These IPs are not yet part of any AWS-managed threat list. The engineer needs GuardDuty to flag this traffic automatically going forward. What should the engineer do?

Reviewed for accuracy · Report an issue
Question 11 of 20

A company runs a fleet of EC2 instances processing user-uploaded files. The security team wants to detect the presence of malware on the EBS volumes attached to instances whenever GuardDuty already generates a suspicious behavior finding (such as a communication with a known command-and-control domain) for that instance, without deploying any third-party antivirus agents on the instances. Which approach meets this requirement with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services company runs several Amazon Aurora PostgreSQL and Aurora MySQL clusters that contain sensitive customer data. The security team wants to detect suspicious login behavior against these databases, such as logins from unusual locations or brute-force attempts, without deploying agents or modifying the database engine. They already use GuardDuty for their EC2 and S3 workloads. What is the MOST appropriate way to meet this requirement?

Reviewed for accuracy · Report an issue
Question 13 of 20

A financial services company stores customer documents in an Amazon S3 bucket that receives uploads from an internet-facing web application. Security engineers want to be automatically alerted when GuardDuty detects that credentials associated with the EC2 instances behind the application are being used from an unusual location or when large volumes of objects are being retrieved in an anomalous pattern that could indicate data exfiltration. Which GuardDuty capability should the team rely on to surface these specific S3-related threats?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security engineer manages GuardDuty for a production account. A vulnerability scanning tool the company owns runs weekly from an EC2 instance, generating recurring Recon:EC2/Portscan findings that are known and authorized. The security team wants to stop these specific benign findings from cluttering the console and from being forwarded to their SIEM via EventBridge, while ensuring GuardDuty continues to detect and report all other threats. What is the MOST appropriate action?

Reviewed for accuracy · Report an issue
Question 15 of 20

A security team wants continuous, automated vulnerability assessment across their EC2 instances, container images in Amazon ECR, and Lambda functions without deploying and managing separate scanning agents on a schedule. They need findings that reflect newly disclosed CVEs shortly after they are published, and the ability to prioritize based on a contextual severity score. Which approach meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security engineer uses Amazon Inspector to continuously scan a fleet of internet-facing and internal EC2 instances. Inspector reports thousands of package vulnerabilities, overwhelming the remediation team. Leadership wants the team to focus first on vulnerabilities that are both severe AND actually exploitable from the internet. Which Inspector capability should the engineer rely on to identify these highest-priority findings?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company runs hundreds of AWS Lambda functions written in Python and Node.js. The security team already uses Amazon Inspector to scan the Lambda execution environments for vulnerable third-party package dependencies. During a recent penetration test, the team discovered hardcoded database credentials and injection flaws embedded directly in the function source code that Inspector had not reported. Which action will enable Inspector to detect these types of issues in the function code itself?

Reviewed for accuracy · Report an issue
Question 18 of 20

A security engineer manages a Security Hub administrator account that aggregates findings from 40 member accounts across an AWS Organization. The security operations team is overwhelmed by low-severity findings, and they want findings from a specific set of sandbox accounts to be automatically set to a workflow status of SUPPRESSED, while findings with a severity of CRITICAL from production accounts should have their severity label elevated and be routed for immediate triage. The team wants this handled centrally and consistently without writing custom Lambda functions. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 19 of 20

A security engineer manages an AWS Organization with 40 member accounts operating in five AWS Regions. Leadership wants a single pane of glass where all Security Hub findings from every account and Region are viewable and prioritized in one place, and they want new standards and controls to be enabled consistently as accounts and Regions are added, without manual per-account configuration. Which approach meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security team manages a single AWS account that runs EC2 instances and container workloads. They have enabled Amazon Inspector for vulnerability scanning and AWS Config with several managed rules for misconfiguration detection. Leadership wants a single dashboard that ingests both the Inspector vulnerability findings and the Config compliance results, normalizes them into a common format, and lets the team assign a severity-based priority for remediation. Which approach best meets these requirements with the least custom development?

Reviewed for accuracy · Report an issue

More SCS-C03 practice

Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.

← Back to SCS-C03 overview