Incident Response
Drill 20 practice questions focused entirely on Incident Response for the AWS SCS-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A security engineer is performing root cause analysis for an incident that spanned three AWS accounts and two Regions. CloudTrail logs are delivered to a central S3 bucket in a dedicated log-archive account, partitioned by account, Region, and date. The engineer needs to run ad hoc SQL queries across all accounts and Regions to reconstruct the attacker's API activity timeline, while keeping query costs low and avoiding data movement. Which approach best meets these requirements?
During an incident investigation, a security engineer suspects that an attacker with administrative credentials may have altered or deleted CloudTrail logs to hide their activity. The organization needs to guarantee that going forward, historical CloudTrail log files can be proven unaltered and retained for forensic and legal purposes, even against an actor with account-level admin privileges. Which combination of controls BEST ensures the tamper-evidence and long-term integrity of the logs?
A financial services company runs a critical application on EC2 that writes structured application logs to Amazon CloudWatch Logs. The incident response team wants near-real-time detection: whenever a log entry contains the string "AuthorizationFailure" more than a threshold number of times within a short window, an automated containment workflow must be triggered within seconds. The solution must not rely on polling and must scale to high log volume without dropping events. Which approach best meets these requirements?
A security analyst is performing forensic acquisition on a compromised EC2 instance that is still running and suspected of active data exfiltration. Company policy requires that both volatile and non-volatile evidence be preserved while minimizing the risk of tipping off the attacker or corrupting evidence. Which sequence of actions BEST preserves forensic integrity?
A security team discovers that a containerized application running on Amazon ECS with the Fargate launch type has been compromised. The task is actively communicating with a known command-and-control server. The team must contain the specific task for later forensic analysis while minimizing disruption to other healthy tasks in the same service, and they need to preserve as much volatile evidence as possible. Which containment approach best meets these requirements?
During an active incident, a security engineer confirms that a single pod running in an Amazon EKS cluster has been compromised and is attempting lateral movement to other pods and out to the internet. The forensics team needs the pod preserved for investigation, but all network communication to and from the pod must be stopped immediately with minimal disruption to other workloads on the same node. Which action provides the fastest, most surgical containment while preserving the pod for analysis?
During an incident, the security team confirms that an attacker obtained the master database credentials for a production Amazon Aurora cluster after gaining temporary access to an application server. The credentials are stored in AWS Secrets Manager and consumed by several ECS tasks. The team has already contained the attacker's access to the application server. For the eradication phase, they must rotate the compromised credentials with minimal application downtime and ensure the running tasks pick up the new secret automatically. Which approach best meets these requirements?
A security team operates workloads in three AWS Regions within a single account. GuardDuty is enabled in all three Regions. The team wants a centralized incident-response automation that, whenever a high-severity GuardDuty finding is generated in ANY of the three Regions, invokes a single Lambda function (deployed in the primary Region) to isolate the affected resource and open a ticket. What is the correct way to route these findings to the centralized Lambda function with the least operational overhead?
A security team wants automated containment when GuardDuty reports an UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding indicating that EC2 instance role credentials are being used from an external IP. The finding must trigger an automated action within seconds, but the team is concerned that a single Lambda invocation might fail silently and leave credentials active. They also want the response to be auditable and to avoid deleting the IAM role, since it is shared by an Auto Scaling group of healthy instances. Which approach BEST meets these requirements?
A financial services company runs a fleet of EC2 instances behind an Application Load Balancer. The security team wants a fully automated containment workflow: when GuardDuty reports a high-severity finding indicating an instance is communicating with a known command-and-control server, the instance must be immediately isolated from the network while preserving all volatile and disk state for later forensic analysis, and the security team must be notified. The team wants to minimize manual steps and human error during initial containment. Which approach BEST meets these requirements?
A security team receives an alert that an IAM user's long-term access key was accidentally committed to a public GitHub repository. AWS also automatically applied an AWSCompromisedKeyQuarantineV2 policy to the user. The team wants to build an automated response so that whenever a similar exposure is detected in the future (via a Health event indicating exposed credentials), the access key is immediately deactivated and the security team is notified—without any manual console interaction. Which approach best meets these requirements?
A security team runs a production workload across two AWS Regions. During a suspected compromise, responders discovered that their automated containment Lambda (triggered by EventBridge) failed to execute because the finding originated in the secondary Region, where no EventBridge rule or Lambda existed. The team wants to ensure that any GuardDuty finding in ANY Region reliably invokes a single centralized containment workflow, while minimizing ongoing operational overhead and duplicated code. Which approach best meets these requirements?
A security team runs a multi-account AWS Organization. When GuardDuty produces a HIGH or CRITICAL finding for an EC2 instance, the team wants automation to determine the incident-response path: production instances (tagged Environment=prod) must trigger a human approval step before any containment action, while non-production instances should be automatically isolated. All findings flow to a central security account via an EventBridge rule. Which design best meets these requirements while minimizing custom code and operational overhead?
A security team must preserve forensic evidence when an EC2 instance is quarantined during an incident. Their incident-response plan requires that EBS volume snapshots be captured and copied into a dedicated, isolated forensics account where only the IR team has access. The team wants this to happen automatically the moment an instance is tagged 'Quarantine=true', with minimal custom code and a durable, tamper-resistant chain of custody. Which approach best meets these requirements?
A security engineer receives a GuardDuty finding of type CryptoCurrency:EC2/BitcoinTool.B!DNS for a production EC2 instance in an Auto Scaling group. Forensic analysis confirms the instance was compromised through an unpatched application vulnerability that allowed remote code execution. The instance has already been isolated for forensics. The engineer must now perform eradication and recovery so that the Auto Scaling group returns to healthy capacity without reintroducing the same weakness. Which combination of actions BEST accomplishes eradication and recovery?
During an incident, an EC2 instance is confirmed compromised. Before terminating it, the IR team must ensure that any credentials issued through the instance's IAM role are rendered useless, while preserving the instance's EBS volumes and memory for forensic analysis. The instance runs a critical workload, so responders want to stop attacker use of the role credentials as quickly as possible without waiting for the temporary credentials to naturally expire. Which action most effectively invalidates already-issued temporary credentials from the instance role?
During an incident, a security analyst discovers that temporary credentials issued by an IAM role (used by a fleet of EC2 instances) were exfiltrated and are being used from an external IP to make API calls. The analyst has already identified the role. To immediately contain the threat and invalidate all currently active temporary sessions issued by this role — including those already handed out — while allowing legitimate instances to obtain new credentials after remediation, which action is MOST effective?
A financial services company has documented incident-response runbooks for handling compromised EC2 credentials, but during a recent real incident the on-call team discovered that the isolation Lambda function lacked the IAM permissions to modify security groups, delaying containment by several hours. The security lead wants to prevent this class of failure and ensure the response team is confident executing the plan. Which approach BEST addresses this gap as part of a mature incident-response program?
A security team detects that an EC2 instance in a production VPC has been compromised and is actively communicating with an external command-and-control server. The incident-response runbook requires that the instance be contained for forensic analysis without terminating it, and that all subsequent investigative steps be automated and repeatable across future incidents. Which sequence of actions BEST meets these containment and forensics requirements?
A security team built an automated incident-response pipeline: EventBridge routes GuardDuty findings to an SQS queue, and a Lambda function processes each message to isolate compromised instances. During a large-scale incident, GuardDuty generated thousands of findings simultaneously. The team discovered that one malformed finding caused the Lambda function to throw an exception repeatedly, and the same message was reprocessed continuously while valid isolation actions were delayed. What is the BEST way to prevent a single failing message from blocking processing of other findings?
More SCS-C03 practice
Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.
← Back to SCS-C03 overview