Courseiva
Knowledge + Practice

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SCS-C02 (free, no signup)

Threat Detection and Incident Response

Practice SCS-C02 Threat Detection and Incident Response questions with full explanations on every answer.

243 questions


SCS-C02 domains: Threat Detection and Incident Response; Security Logging and Monitoring; Identity and Access Management; Management and Security Governance; Infrastructure Security; Data Protection.


All SCS-C02 Threat Detection and Incident Response questions (243)


1

A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?

2

A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)

3

During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?

4

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

5

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

6

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

7

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

8

A company has a security rule that all S3 buckets must have server access logging enabled. A security engineer uses AWS Config to evaluate compliance. The engineer configures a managed rule but notices that the rule does not evaluate all buckets. What is the most likely reason?

9

During a security incident, a security engineer needs to verify whether an EC2 instance's security group allowed inbound SSH from a specific IP address at the time of the incident. Which AWS service or feature should the engineer use to obtain this historical information?

10

A security engineer is implementing automated incident response. The engineer wants to use AWS Lambda to automatically remediate GuardDuty findings. What is the recommended pattern to trigger the Lambda function?

11

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a security incident, the security team needs to quickly patch a critical vulnerability across all Windows instances in a specific AWS region. Which steps should the team take? (Choose TWO.)

12

A company runs a critical web application on a fleet of EC2 instances behind an Application Load Balancer (ALB). The application uses an Aurora MySQL database. The security team receives an alert from Amazon GuardDuty that a specific EC2 instance is exhibiting behavior consistent with a cryptocurrency mining attack, including outbound connections to known mining pools. The instance is part of an Auto Scaling group that uses a launch template with a security group that allows outbound HTTPS traffic to 0.0.0.0/0. The security engineer needs to contain the incident while minimizing downtime for the application. The engineer has already taken a forensic snapshot of the instance's EBS volume. Which course of action should the engineer take next?

13

A security engineer is investigating a potential credential compromise. An IAM user's access key was used to launch EC2 instances in a region where the user has never operated before. The engineer wants to quickly identify all API calls made by this user in the last 24 hours, including the source IP addresses. Which AWS service or feature should be used?

14

A company uses AWS Organizations with multiple accounts and has enabled AWS Security Hub in the management account. The security team wants to automatically remediate a specific finding type that appears in Security Hub. Which combination of services should be used to achieve this?

15

A security engineer is configuring an automated incident response workflow for Amazon GuardDuty findings. Which TWO actions should the engineer take to ensure that the response is triggered for all current and future GuardDuty findings?

16

A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?

17

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The security team uses Amazon GuardDuty and has enabled Amazon Detective. Recently, GuardDuty raised a 'Recon:EC2/PortProbeUnprotectedPort' finding for one of the instances. The security engineer verified that the ALB security group only allows inbound HTTP/HTTPS from the internet. However, the finding indicates that the instance is receiving probes on port 22 (SSH). Further investigation with Detective shows that the probes originate from multiple IP addresses and are reaching the instance's private IP address. The engineer suspects that the SSH port is exposed despite the security group configuration. What is the MOST likely cause of this exposure?

18

A security engineer is investigating a potential compromise. An EC2 instance running Amazon Linux 2 is sending outbound traffic to a known malicious IP address. The engineer needs to capture the network traffic for analysis without alerting the attacker. Which solution meets these requirements?

19

Drag and drop the steps to configure AWS WAF with rate-based rules in the correct order.

20

Drag and drop the steps to implement a secure CI/CD pipeline with AWS CodePipeline and IAM in the correct order.

21

Match each AWS service to its primary security function.

22

Match each AWS IAM policy type to its description.

23

A security engineer notices that an IAM role used by an EC2 instance is generating a large number of API calls to an S3 bucket that is not part of the company's account. Which AWS service should be used to detect and alert on this suspicious activity?

24

A company has an AWS Lambda function that processes sensitive data. The security team wants to ensure that any errors or suspicious behavior are immediately investigated. Which combination of services should be used to send real-time notifications for anomalous function executions?

25

During a security incident, a security engineer needs to preserve forensic evidence from an EC2 instance that may be compromised. The instance is running a critical application. Which approach minimizes data loss while ensuring the integrity of the evidence?

26

A company's security team wants to detect unauthorized S3 bucket access attempts in real time. Which service should they use to generate alerts when an IAM user attempts to access a bucket without proper permissions?

27

An organization uses AWS Organizations with multiple accounts. The security team needs a centralized location to collect and analyze security findings from GuardDuty, Inspector, and Macie. Which AWS service should they use?

28

A security engineer is investigating a potential compromise of an EC2 instance. The instance was launched from a custom AMI. The engineer needs to determine if the AMI itself contains malicious software. Which approach provides the most thorough analysis without risking the production environment?

29

A company wants to ensure that any deleted CloudTrail logs are detected and alerted within minutes. Which approach should they use?

30

A security team discovers that an IAM user's credentials are being used from an unusual geographic location. Which AWS service can provide automated response to revoke the user's access immediately?

31

During incident response, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group. Which action preserves the most evidence while minimizing disruption?

32

Which TWO actions should a security engineer take to investigate a potential AWS API credential leak? (Choose two.)

33

Which THREE services can be used to detect and alert on suspicious API activity across an AWS organization? (Choose three.)

34

Which TWO are best practices for securing an AWS account's root user? (Choose two.)

35

A security engineer needs to detect and alert on suspicious API calls made from a compromised EC2 instance. The instance is associated with an IAM role that has permissions to call various AWS APIs. Which AWS service should the engineer use to monitor API calls and trigger alerts?

36

A company is using Amazon GuardDuty to detect threats. They notice that GuardDuty is generating a high volume of 'UnauthorizedAccess:EC2/SSHBruteForce' findings from an internal EC2 instance that is used for vulnerability scanning. The security team wants to reduce false positives without disabling GuardDuty entirely. What should they do?

37

A security engineer is investigating a potential compromise of an S3 bucket. The engineer needs to determine if any objects were accessed by an unauthorized user. Which AWS service can provide detailed access logs for S3 objects?

38

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze CloudTrail logs from all accounts in a single S3 bucket. What is the most efficient way to achieve this?

39

During an incident response, a security engineer needs to capture a forensic image of an EC2 instance's root volume for analysis. The instance is running and cannot be stopped. What is the recommended approach to capture the volume without stopping the instance?

40

A company uses Amazon GuardDuty and receives a finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. What does this finding indicate?

41

A security engineer is setting up automated incident response for a compromised EC2 instance. The engineer wants to isolate the instance immediately upon detection of a GuardDuty finding. Which AWS service can be used to automatically trigger a Lambda function that modifies the instance's security group?

42

Which AWS service can be used to detect and alert on suspicious network traffic patterns within a VPC, such as port scanning or unusual outbound traffic?

43

During an incident response, a security engineer needs to preserve the state of an EC2 instance for forensic analysis. The instance is running a production workload that cannot be interrupted. Which of the following actions should the engineer take FIRST to ensure data integrity?

44

A security engineer is configuring AWS CloudTrail to monitor data events for S3 objects. Which TWO of the following must be enabled to log object-level operations? (Select TWO.)

45

A company wants to implement automated remediation of security findings from Amazon GuardDuty. Which THREE AWS services can be used together to create an automated response workflow? (Select THREE.)

46

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an EC2 instance is sending data to an external IP address. Which TWO AWS services can provide evidence of outbound data transfer? (Select TWO.)

47

A security engineer is investigating a potential data exfiltration from an S3 bucket. Which AWS service should be used to analyze the VPC Flow Logs for the S3 bucket's endpoint?

48

During an incident response, a security team needs to capture a memory dump of an Amazon EC2 instance running Linux. What is the recommended approach?

49

A company has multiple AWS accounts in AWS Organizations. The security team wants to centralize threat detection and automate incident response. Which combination of services should they use?

50

A security engineer needs to ensure that all API calls in an AWS account are logged for incident response. Which AWS service should be enabled?

51

An organization uses AWS Organizations and wants to centrally manage Amazon GuardDuty across multiple accounts. What is the correct architecture?

52

During an incident, a security engineer needs to isolate a compromised Amazon EC2 instance without losing the ability to capture forensic data from its EBS volumes. What is the best course of action?

53

A company is using AWS WAF to protect a web application. The security team wants to receive alerts when a specific rule block is triggered. Which AWS service should they use to achieve this?

54

A security engineer needs to analyze large volumes of VPC Flow Logs stored in Amazon S3 to identify anomalous traffic patterns. Which approach is MOST cost-effective and scalable?

55

An organization uses AWS Organizations with hundreds of accounts. The security team wants to automatically respond to a specific GuardDuty finding by isolating the affected EC2 instance. What is the recommended architecture?

56

Which TWO AWS services can be used to detect unauthorized access to an S3 bucket? (Select TWO.)

57

Which THREE actions should be taken when preserving forensic evidence from an EC2 instance during an incident? (Select THREE.)

58

Which TWO AWS services can be used to automatically block malicious IP addresses at the network perimeter? (Select TWO.)

59

A security engineer needs to detect and respond to potential credential theft where an IAM user's access key is being used from an unusual geographic location. Which AWS service should be used to generate alerts based on this anomaly?

60

A company uses AWS Organizations with multiple accounts. The security team wants a centralized view of all security alerts and findings from services like GuardDuty, Security Hub, and Inspector across all accounts. What is the MOST efficient way to achieve this?

61

A security engineer is configuring automated incident response for an Amazon EC2 instance that has been compromised. The engineer needs to isolate the instance while preserving forensic data. Which solution meets these requirements?

62

A company has enabled AWS CloudTrail and wants to receive real-time notifications when specific API calls, such as DeleteTrail, are made. Which service should be used to trigger an alert based on CloudTrail log events?

63

During a security review, a security engineer notices that an S3 bucket contains sensitive data but has a bucket policy that allows access from any principal in the account. The engineer needs to identify any unintended cross-account access to this bucket. Which AWS service should be used?

64

A security engineer suspects that an EC2 instance is communicating with a known malicious IP address. The engineer needs to capture the full network packets for analysis. Which approach should be taken?

65

A company wants to automatically trigger a Lambda function when a new security finding is generated in AWS Security Hub. Which service should be used to invoke the Lambda function?

66

A security engineer is investigating a potential data exfiltration from an S3 bucket that is configured to allow public access. The engineer wants to determine who accessed the bucket and from which IP addresses. Which AWS capability should be used?

67

A company uses AWS Systems Manager Patch Manager to apply patches to EC2 instances. The security team wants to ensure that instances are patched within 7 days of a patch release. Which service should be used to monitor and report compliance?

68

A security engineer is designing a threat detection solution for a multi-account AWS environment. The engineer needs to detect and respond to suspicious API activity across all accounts. Which TWO services should be used together to achieve this? (Choose two.)

69

A security engineer is investigating a security incident where an EC2 instance was used to launch an outbound denial-of-service (DoS) attack. The engineer needs to collect forensic evidence. Which THREE actions should the engineer take? (Choose three.)

70

A company wants to ensure that all API calls made to AWS are logged for security analysis. Which TWO services can be used to achieve this? (Choose two.)

71

Refer to the exhibit. A security engineer reviews an S3 bucket policy that is intended to allow the root user of account 123456789012 to get objects only from the 10.0.0.0/24 IP range. However, the policy is not working as expected. What is the MOST likely reason?

72

Refer to the exhibit. A security engineer is analyzing a CloudTrail log entry for an EC2 RunInstances call. The engineer needs to determine if the instance launch was authorized by an IAM policy. Which field should the engineer check to identify the IAM policy that was used to authorize the action?

73

Refer to the exhibit. A security engineer is analyzing VPC Flow Logs and notices a pattern of outbound traffic from an EC2 instance to an external IP on port 22 (SSH). The engineer wants to identify which instances are initiating SSH connections to the internet. Which field in the flow log record indicates the source of the connection?

74

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to immediately block the traffic and capture a packet capture for forensic analysis. Which combination of actions should the engineer take?

75

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled and logging to a central S3 bucket. They need to detect any account that disables or modifies its CloudTrail trail. Which approach meets these requirements with the least operational overhead?

76

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture memory and disk forensics without shutting down the instance. Which service should the engineer use?

77

A company uses Amazon GuardDuty and AWS Security Hub. The security team wants to automatically remediate high-severity GuardDuty findings that indicate an EC2 instance is communicating with a known command and control (C&C) server. The remediation should isolate the instance by modifying the security group to deny all inbound and outbound traffic. Which solution is the most efficient?

78

During an incident response, a security engineer needs to collect volatile data from an EC2 instance running Linux. The instance is in a private subnet with no direct internet access. The engineer has IAM permissions to use AWS Systems Manager Session Manager. Which command should the engineer use to capture memory and process information?

79

A security engineer needs to detect suspicious API calls across multiple AWS accounts. The engineer has enabled AWS CloudTrail in each account and is sending logs to a central S3 bucket. Which additional step should the engineer take to analyze the logs for potential threats?

80

A company's security policy requires that all S3 bucket access logs be delivered to a central S3 bucket in the security account. A security engineer notices that some buckets are not delivering logs. The engineer needs to identify which buckets are not logging and ensure compliance. Which service should the engineer use to continuously monitor and report on S3 bucket logging?

81

A security engineer is designing an incident response plan for a containerized application running on Amazon ECS with Fargate. The engineer needs to ensure that if a container is compromised, the incident response team can capture a memory dump and disk snapshot for forensic analysis. The containers are stateless and use ephemeral storage. Which approach provides the necessary forensic data?

82

A security engineer is investigating a potential data breach. The engineer needs to identify which IAM user accessed a specific S3 object and when. Which AWS service should the engineer use?

83

A company uses Amazon GuardDuty and has enabled EKS audit logs as a data source. The security team wants to detect potential container escape attempts. Which TWO findings would indicate a container escape attempt? (Choose TWO.)

84

A security engineer is configuring automated incident response for Amazon GuardDuty findings. The engineer wants to isolate a compromised EC2 instance by changing its security group and stopping the instance. Which THREE services should the engineer use together to achieve this? (Choose THREE.)

85

A company wants to detect and respond to potential security threats in near real-time. Which TWO services should the company use together to achieve this? (Choose TWO.)

86

Refer to the exhibit. A security engineer is reviewing a resource-based policy attached to an AWS Lambda function. The engineer notices that the policy allows any Lambda function in the account to invoke the function. Which security concern should the engineer address?

87

Refer to the exhibit. A security engineer runs the AWS CLI command to look up console login events. The output shows two successful login events for user1 within 5 minutes. What should the engineer suspect?

88

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow access only from the corporate network (10.0.0.0/8). What is a potential security issue with this policy?

89

A security engineer is reviewing CloudTrail logs and notices API calls from an unknown IP address. The engineer needs to immediately block the IP address and receive alerts for any future suspicious activity. Which combination of actions should the engineer take?

90

A company uses AWS Organizations and has enabled GuardDuty in the management account. The security team wants to view GuardDuty findings for all member accounts from a single delegated administrator account. Which configuration step is required?

91

During a security incident, a security engineer needs to capture network traffic between an EC2 instance and an attacker's IP address for forensic analysis. The engineer has already identified the attacker's IP from CloudTrail logs. Which action captures the traffic without affecting the instance?

92

A company has a serverless application using AWS Lambda functions that process sensitive data. The security team wants to detect potential data exfiltration via DNS queries from the Lambda functions. Which service should be enabled to monitor DNS requests?

93

A security engineer is investigating a potential compromise of an IAM user. The engineer sees that the user's access keys were used from an IP address outside the company's allowed geography. Which AWS service can provide the most immediate notification of such anomalous API calls?

94

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to ensure that all security findings from GuardDuty, Security Hub, and Detective are centrally collected and correlated. Which architecture is the MOST scalable and cost-effective?

95

A security engineer is configuring an automated response to a GuardDuty finding that indicates a compromised EC2 instance. The engineer wants to isolate the instance by changing its security group to a 'quarantine' group. Which AWS service is BEST suited to automate this response?

96

During an incident response, a security engineer needs to collect memory forensics from a running EC2 instance without shutting it down. The instance is running Amazon Linux 2. Which tool is MOST appropriate?

97

A company uses AWS Organizations and has GuardDuty enabled in all accounts. The security team wants to suppress low-severity findings that are known false positives for a specific member account. How can this be achieved with minimal administrative overhead?

98

A security engineer is designing an incident response plan for a compromised S3 bucket. Which TWO actions should be taken to contain the incident? (Choose TWO.)

99

An organization is using Amazon EKS for container workloads. The security team wants to detect container escape attempts. Which THREE AWS services or features should be enabled? (Choose THREE.)

100

A security engineer needs to detect and respond to malware on an EC2 instance. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

101

A security engineer receives an Amazon GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to automatically isolate the compromised EC2 instance and then perform forensic analysis. Which solution meets these requirements with the LEAST operational overhead?

102

A company uses AWS CloudTrail to log API calls in all accounts. The security team wants to be notified immediately when an IAM user creates a new access key for another user. Which combination of services should the team use?

103

A company has a multi-account AWS environment using AWS Organizations. The security team uses AWS Security Hub to consolidate findings. They notice that a critical finding in the production account is not being aggregated in Security Hub. The finding is generated by Amazon GuardDuty. What is the MOST likely cause?

104

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an attacker is using an Amazon S3 bucket to exfiltrate data. Which AWS service can be used to analyze S3 access logs and detect anomalous patterns?

105

A company's security team is designing an incident response plan for AWS resources. They want to ensure that when a security incident is detected in a production account, a pre-defined runbook is executed automatically. The runbook includes steps to isolate the compromised resource and collect forensic evidence. Which combination of services should the team use to implement this automation?

106

A company uses AWS CloudTrail to log all API activity. The security team needs to retain the logs for 7 years and ensure they are tamper-proof. Additionally, the team must be able to query the logs for investigations. Which solution meets these requirements?

107

A security engineer is analyzing a potential security incident involving an Amazon RDS for MySQL database. The engineer suspects that a SQL injection attack was successful. Which AWS service can the engineer use to review the actual SQL queries that were executed against the database?

108

A company uses Amazon GuardDuty to detect threats. The security team wants to be alerted when GuardDuty generates a finding with a severity level of HIGH or CRITICAL. Which AWS service should the team use to send notifications based on GuardDuty findings?

109

A company's incident response team is using AWS Systems Manager to run commands on EC2 instances for forensic analysis. The team needs to ensure that the commands are run with minimal latency and that the results are stored securely. Which Systems Manager capability should the team use?

110

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture volatile memory data and create a forensic image of the instance's EBS volumes. Which TWO actions should the engineer take? (Choose 2.)

111

A company's security team is configuring Amazon GuardDuty to detect crypto-mining activities on EC2 instances. Which THREE indicators should the team monitor? (Choose 3.)

112

A company is designing an incident response plan for AWS. The plan must include the ability to collect forensic data from EC2 instances without requiring SSH key pairs. Which TWO AWS services can be used to acquire forensic data from EC2 instances without remote access? (Choose 2.)

113

Your company has a single AWS account with a production VPC that contains several EC2 instances running a web application. The security team has enabled Amazon GuardDuty and AWS CloudTrail. Recently, GuardDuty reported a finding 'UnauthorizedAccess:EC2/TorClient' for one of the instances. The finding indicates that the instance is making connections to Tor exit nodes. You need to investigate and contain the incident. The instance is critical to the application and cannot be terminated. You have a forensic analysis instance in a separate security group. What should you do FIRST?

114

Your organization uses AWS Organizations with 50 member accounts. You are the security administrator for the root account. You have enabled AWS CloudTrail in all accounts and centralized the logs in an S3 bucket in the root account. You also enabled Amazon GuardDuty in the root account and have delegated an administrator account. Recently, you received an alert from GuardDuty about a potential credential compromise in a member account. The finding indicates that an IAM user in that account made an API call from an unusual IP address. You need to quickly gather all CloudTrail events for that user from the last 30 days across all accounts. The logs are stored in a single S3 bucket with a prefix structure like 'AWSLogs/<account-id>/CloudTrail/<region>/<year>/<month>/<day>'. What is the MOST efficient way to query these logs?

115

Your company has a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The security team enabled AWS CloudTrail and Amazon GuardDuty. GuardDuty generates a finding 'Recon:EC2/PortProbeUnprotectedPort' for an EC2 instance that does not exist in the account. Upon investigation, you realize that the finding is triggered by a misconfigured Network Load Balancer (NLB) that is exposing a port to the internet. The NLB is used by the API Gateway. You need to reduce false positives for this specific finding. What should you do?

116

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The instance is part of an Auto Scaling group behind an Application Load Balancer. The engineer needs to immediately stop the exfiltration while preserving forensic evidence. What is the BEST course of action?

117

A company uses AWS CloudTrail to log all API calls. The security team notices a series of `UpdateTrail` API calls from a user in the Security account, disabling logging on a multi-region trail. The user has a policy that allows `cloudtrail:UpdateTrail` only on trails with a specific tag. However, the trail does not have that tag. What is the MOST likely reason the call succeeded?

118

A security analyst needs to detect and alert on suspicious API calls in real time. Which combination of AWS services should be used?

119

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. What is the MOST efficient way to achieve this?

120

A security engineer is investigating a potential compromise. The engineer has captured a memory dump from an EC2 instance and needs to analyze it for malware. Which TWO actions should the engineer take to preserve the chain of custody? (Choose TWO.)

121

A company wants to detect anomalous behavior in their AWS environment. Which THREE AWS services can be used for threat detection? (Choose THREE.)

122

A security team is setting up incident response automation. Which TWO steps should be taken to ensure that a compromised EC2 instance is isolated while preserving forensic data? (Choose TWO.)

123

An organization uses AWS CloudTrail with a multi-region trail. The security team suspects that an attacker has deleted logs. Which THREE findings would indicate that log deletion occurred? (Choose THREE.)

124

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team receives an alert from Amazon GuardDuty that one of the EC2 instances is generating outbound traffic to a known command-and-control (C2) IP address. The instance is part of an Auto Scaling group (ASG) with a minimum of 2 and maximum of 10 instances. The security incident response playbook instructs the team to isolate the compromised instance without affecting the application's availability. The team needs to preserve the instance for forensic analysis. Which action should the team take first?

125

A financial services company uses AWS Organizations with over 100 accounts. The security team uses AWS CloudTrail to log all API calls to a central S3 bucket in the security account. The bucket policy enables cross-account log delivery from all member accounts. The team notices that some API calls from a specific member account are not appearing in the central bucket. The CloudTrail trail in that member account is configured to deliver logs to the central bucket. The IAM role used by CloudTrail in the member account has permissions to write to the central bucket. The security team has verified that the bucket policy allows the member account to write. What is the MOST likely cause of the missing logs?

126

A startup uses a single AWS account for development. The security engineer wants to detect if any EC2 instances have been compromised and are performing reconnaissance by probing open ports on other internal instances. The engineer has enabled VPC Flow Logs for all subnets. What is the most cost-effective way to detect this behavior?

127

A company uses AWS Lambda functions to process sensitive data. The security team wants to ensure that if a Lambda function is compromised, the attacker cannot use the function's IAM role to access other AWS resources. The team has implemented the principle of least privilege by restricting the IAM role's permissions. However, they are concerned about a scenario where an attacker could use the Lambda function to execute AWS API calls that are not intended by the application. What additional measure should the team implement to reduce the risk of such lateral movement?

128

A company uses Amazon RDS for MySQL with automated backups enabled. The security team suspects that a database administrator (DBA) with full RDS access has exfiltrated data by creating a snapshot of the database and sharing it with an external AWS account. The team wants to detect such exfiltration in the future. Which step should the team take to detect and alert on snapshot sharing?

129

A company uses AWS CloudFormation to deploy infrastructure. During a security incident, the security team needs to quickly capture a point-in-time snapshot of the entire environment for forensic analysis. The environment includes EC2 instances, RDS databases, and EBS volumes. What is the fastest way to preserve the state of the environment?

130

A company uses a hybrid architecture with on-premises servers and AWS. The company uses AWS Site-to-Site VPN to connect to a VPC. The security team suspects that a VPN tunnel has been compromised and an attacker is intercepting traffic. The team needs to verify the integrity of the VPN connection. What is the MOST effective way to detect if traffic is being intercepted?

131

A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application stores user session data in an ElastiCache Redis cluster. The security team receives an alert from GuardDuty that one of the EC2 instances is communicating with a known command-and-control (C2) IP address. The instance ID is i-0a1b2c3d4e5f. The security engineer needs to contain the threat immediately while preserving the instance for forensic analysis. Which course of action should the security engineer take?

132

A security engineer is investigating a potential data exfiltration incident where an EC2 instance is sending large volumes of data to an unknown IP address. Which AWS service should the engineer use to capture and analyze the network traffic for evidence?

133

A company uses AWS Organizations with multiple accounts. The security team wants to detect and automatically respond to suspicious API calls across all accounts. Which solution is the MOST efficient and scalable?

134

During an incident investigation, a security analyst finds that an IAM user 'JohnDoe' has been using an access key that was last rotated over 2 years ago. The analyst needs to determine if this key has been compromised. Which approach provides the MOST definitive evidence?

135

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. What is the MOST efficient way to enable GuardDuty for all accounts?

136

A company has a security requirement to capture all DNS queries made by EC2 instances for threat analysis. Which AWS service can provide this capability with minimal configuration?

137

A security analyst notices an IAM role 'AdminRole' is being assumed from an IP address outside the company's allowed network. The analyst wants to receive real-time alerts when this role is assumed from unauthorized locations. Which combination of services should be used?

138

A company wants to automatically isolate an EC2 instance that is suspected to be compromised. What is the MOST effective AWS-native approach?

139

A security team needs to analyze historical CloudTrail logs across multiple AWS accounts to detect patterns of suspicious activity. Which solution provides the MOST cost-effective and scalable analysis?

140

A company has a requirement to detect and respond to threats in near real-time by analyzing VPC Flow Logs. The logs are generated in a VPC and sent to CloudWatch Logs. What is the MOST efficient way to analyze these logs for suspicious patterns and trigger automated responses?

141

Which TWO actions are best practices for securing an AWS account's root user? (Choose 2.)

142

Which THREE AWS services can be used to detect potentially compromised EC2 instances? (Choose 3.)

143

Which TWO steps should a security engineer take when responding to a confirmed security incident involving a compromised EC2 instance? (Choose 2.)

144

A security engineer is reviewing AWS CloudTrail logs and notices repeated `CreateTrail` API calls from an IAM user that is not authorized to create trails. What is the MOST likely cause of these log entries?

145

A company uses AWS Organizations with multiple accounts. The security team wants to centrally aggregate and analyze VPC Flow Logs from all accounts. Which solution is MOST efficient and scalable?

146

During an incident response, a security engineer needs to capture a memory image of a compromised Amazon EC2 instance running Linux. The instance is in a production Auto Scaling group. Which approach is BEST?

147

A security engineer receives an AWS GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a public IP and is in a public subnet. What is the IMMEDIATE step to contain the threat?

148

A company's AWS Lambda function that processes sensitive data is triggering unexpectedly. The security team wants to investigate using AWS CloudTrail. What should they look for?

149

During a security incident, a security engineer needs to collect EBS snapshots of multiple EC2 instances across different accounts in AWS Organizations. The snapshots must be copied to a central forensics account. Which combination of steps is MOST efficient?

150

A security engineer is reviewing AWS CloudTrail and notices `AssumeRole` API calls to a role that should not be assumed by the source identity. What is the FIRST step in the incident response process?

151

A company uses Amazon S3 to store sensitive data. The security team wants to detect and alert on public read access to S3 buckets. Which combination of AWS services is MOST appropriate?

152

During incident response, a security engineer needs to preserve the state of a running EC2 instance for forensic analysis without losing volatile data. The instance is in an Auto Scaling group. Which action should the engineer take FIRST?

153

A security engineer is investigating a potential data exfiltration from an AWS account. Which TWO CloudTrail events would be MOST indicative of data exfiltration via S3?

154

A security team is implementing automated response to AWS GuardDuty findings. Which THREE actions should be taken to ensure proper incident response?

155

Which TWO AWS services can be used to detect anomalous API calls in an AWS account?

156

A security engineer finds this IAM policy attached to a user. The user is able to create CloudTrail trails but cannot start logging. What is the MOST likely reason?

157

A security engineer is analyzing VPC Flow Logs and sees the entry above. The source IP 203.0.113.5 is flagged as suspicious. What additional information would help determine if this is malicious?

158

A security engineer creates an Amazon CloudWatch Events rule with this event pattern to trigger an AWS Lambda function for automated response to GuardDuty findings. However, the Lambda function is not triggered for new findings. What is the MOST likely cause?

159

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer needs to identify which IAM role or user accessed the bucket and from which IP address. Which AWS service should the engineer use to obtain this information?

160

A security engineer is designing an automated incident response workflow for an Amazon EC2 instance that is compromised. The workflow must isolate the instance by removing it from the security group that allows SSH access. The engineer wants to use AWS Systems Manager Automation to run a document. What is the most secure way to grant the automation the necessary permissions to modify the security group?

161

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. The team has set up a central logging account with an S3 bucket that has a bucket policy allowing cross-account writes. However, VPC Flow Logs from member accounts are not appearing. What is the most likely cause?

162

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to designate a delegated administrator account to manage GuardDuty for all member accounts. Which AWS service must be used to enable GuardDuty for all accounts?

163

A security engineer notices suspicious API calls from an EC2 instance that has an IAM role attached. The engineer wants to quickly determine if the instance's credentials have been compromised and are being used from an external IP address. What is the most efficient way to detect this?

164

A company has a security requirement to automatically isolate an Amazon EC2 instance that is generating high network traffic to a known malicious IP address. The company uses Amazon GuardDuty and AWS Lambda. Which combination of services and configurations should be used to achieve the isolation?

165

A security engineer is investigating a potential security incident involving an Amazon RDS database. The engineer needs to determine if someone attempted to access the database with incorrect credentials. Which AWS service should the engineer use to view authentication failures?

166

A security engineer is setting up automated incident response for a compromised IAM user. The engineer wants to automatically revoke the user's access keys and attach a deny-all policy when a GuardDuty finding of type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' is generated. Which services should be used to achieve this automation?

167

A company uses AWS CloudTrail to log all API calls. The security team wants to be alerted when an IAM user creates a new access key for another IAM user (an action that could indicate privilege escalation). What is the most effective way to detect this specific API call?

168

Which TWO AWS services can be used to detect anomalous API activity in an AWS account? (Choose two.)

169

Which THREE steps should a security engineer take to ensure that an incident response plan for an AWS environment is effective? (Choose three.)

170

A security engineer is investigating a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS'. Which TWO actions should the engineer take as part of the initial response? (Choose two.)

171

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to an IAM user. The user reports being unable to download objects from the S3 bucket when connecting from a VPN with IP address 10.0.1.45. What is the most likely reason for the failure?

172

Refer to the exhibit. A security engineer runs this AWS CLI command to investigate root user logins. The output shows a successful ConsoleLogin event. What should the engineer do next to improve security?

173

Refer to the exhibit. A security engineer reviews this CloudFormation template. The bucket is intended to be private. What is the security issue in the configuration?

174

A security engineer is investigating an AWS CloudTrail log entry that shows an unauthorized API call to delete an S3 bucket. Which service should the engineer use to analyze the log data for patterns of similar malicious activity?

175

A company uses AWS Organizations with multiple accounts. The security team needs a centralized solution to automatically initiate incident response runbooks across all accounts when a threat is detected. Which approach meets these requirements?

176

A security engineer receives an alert that an EC2 instance is generating outbound traffic to a known malicious IP address. What is the FIRST step the engineer should take as part of the incident response process?

177

A company wants to detect and alert on suspicious IAM role usage, such as a role being assumed from an unusual geographic location. Which AWS service should be used to generate the alerts?

178

During a security incident, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group and may be terminated. What is the MOST efficient way to capture the traffic without affecting the instance's performance?

179

A security team wants to automatically revoke public access to an S3 bucket when Amazon GuardDuty detects a suspicious API call from a known malicious IP address. Which AWS service should be used to orchestrate this automated response?

180

A company has enabled Amazon GuardDuty in all accounts within AWS Organizations. The security team wants to view aggregated findings from all accounts in a single dashboard. Which service should the team use?

181

A security engineer is configuring an automated incident response workflow. When a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' is generated, the workflow should isolate the EC2 instance and snapshot its EBS volume. Which AWS service can coordinate these actions?

182

A company has a requirement to detect and alert on S3 objects that contain personally identifiable information (PII) being shared publicly. Which AWS service should be used?

183

A security engineer is investigating a potential security incident involving an Amazon RDS database. Which of the following actions should the engineer take during the forensic analysis phase? (Select TWO.)

184

A security team is designing an automated incident response system. The system must meet the following requirements: (1) automatically respond to GuardDuty findings, (2) ensure that response actions are logged and immutable, and (3) allow for human approval before destructive actions. Which services should the team use? (Select THREE.)

185

A security engineer is configuring Amazon GuardDuty to generate alerts for specific threat types. The engineer wants to ensure that alerts are sent to the security team's email distribution list and also trigger an automated Lambda function for immediate response. Which two actions should the engineer take? (Select TWO.)

186

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance with an attached IAM role has been making API calls to an S3 bucket in another AWS account. The engineer wants to identify the source of the API calls and determine if the calls are malicious. Which AWS service should the engineer use to view the API calls made by the IAM role?

187

A company uses AWS Organizations to manage multiple accounts. The security team wants to centralize threat detection across all accounts. They enable Amazon GuardDuty in the management account and intend to use delegated administrator functionality. However, they find that GuardDuty is not detecting threats in member accounts. What is the most likely cause?

188

A company has an incident response (IR) process that includes isolating compromised EC2 instances. During a security incident, the IR team needs to block all traffic to and from a compromised instance while preserving the instance for forensic analysis. Which approach should the team take?

189

A security engineer is configuring AWS CloudWatch Logs to monitor for suspicious activity. They want to create a metric filter that detects when an IAM user calls the `iam:CreateAccessKey` API. The engineer writes the following filter pattern: `{ ($.eventName = "CreateAccessKey") }`. After testing, the filter does not trigger. What is the most likely reason?

190

A company is using AWS Lambda functions to process sensitive data. The security team wants to detect when a Lambda function is invoked with an unexpected payload that may indicate an injection attack. Which AWS service should the team use to inspect the function's input for malicious patterns?

191

A company wants to automate the response to a specific GuardDuty finding. When GuardDuty detects a finding of type `UnauthorizedAccess:EC2/SSHBruteForce`, they want to automatically block the offending IP address using a network ACL. Which AWS service can they use to orchestrate this response?

192

A security engineer is reviewing AWS CloudTrail logs and notices a large number of `DescribeInstances` API calls from a single IAM user in a short period. The engineer suspects a credential compromise. What is the most effective way to automatically revoke the compromised credentials and notify the security team?

193

A company's security policy requires that all S3 buckets be encrypted at rest. A security engineer needs to detect any S3 bucket that does not have default encryption enabled. Which AWS service should the engineer use to continuously monitor and alert on non-compliant buckets?

194

A company uses Amazon RDS for its database. The security team needs to detect when a database instance is started or stopped outside of maintenance windows. Which AWS service should the team use to monitor these API calls?

195

A company uses AWS CloudTrail to log all API activity. The security team wants to detect when an IAM user creates an access key for another user, which is a potential privilege escalation. Which TWO actions should the team take to set up this detection?

196

A company's security team is implementing an incident response plan for a potential ransomware attack on their EC2 instances. Which THREE steps should the team take to preserve forensic evidence while containing the incident?

197

A company wants to use AWS services to detect and respond to a potential DDoS attack on their web application hosted on EC2 instances behind an Application Load Balancer (ALB). Which TWO AWS services should the company use for detection and mitigation?

198

A security engineer is configuring automated response to a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to isolate the compromised instance by modifying the security group to deny all inbound traffic. Which AWS service should be used to orchestrate this response?

199

A company uses AWS CloudTrail to log all API calls. During an incident investigation, the security team needs to identify who deleted an S3 bucket. CloudTrail logs are stored in a centralized S3 bucket with server-side encryption using AWS KMS. Which additional step is required to ensure the CloudTrail logs can be queried quickly for this investigation?

200

A security team wants to detect and alert on API calls that create or modify IAM roles in their AWS account. Which AWS service can be used to create a metric filter and alarm for these specific CloudTrail events?

201

During a security incident, a security engineer suspects that an EC2 instance has been compromised and is exfiltrating data to an external IP address. Which AWS service can provide real-time network traffic analysis and alert on unusual outbound traffic patterns?

202

A company uses AWS Organizations with multiple accounts. The security team wants to centralize threat detection and automatically remediate high-severity GuardDuty findings across all accounts. What is the MOST efficient way to achieve this?

203

A security engineer needs to ensure that any changes to an S3 bucket's public access settings are immediately detected and an alert is sent. Which combination of AWS services should be used?

204

During a security incident, a forensic investigator needs to capture the memory of a running EC2 instance without shutting it down. Which AWS feature should be used?

205

A company has a multi-account strategy and wants to ensure that all API calls from member accounts are logged to a centralized S3 bucket in the security account. Which configuration is required?

206

A security team detects that an IAM user's access keys are being used from an unusual geographic location. Which AWS service provides this type of anomaly detection?

207

A security engineer is investigating a potential data exfiltration incident where an attacker used a compromised EC2 instance to transfer data to an external IP. Which TWO AWS services can provide evidence of the network traffic and the API calls made from the instance?

208

A company uses AWS Organizations and wants to implement a centralized incident response process. Which THREE steps should be taken to ensure that security teams can respond to incidents across all accounts effectively?

209

A security engineer needs to detect and respond to suspicious activity on an Amazon RDS database. Which TWO services can be used together to monitor database activity and trigger automated remediation?

210

The above IAM policy is attached to an AWS Lambda function. The function is failing to write logs to CloudWatch Logs. What is the likely cause?

211

A security engineer runs the above AWS CLI command to search for CreateKey events in CloudTrail. The command returns no events, but the security engineer knows that a KMS key was created in us-east-1 on January 1, 2023. What is the most likely reason for the empty result?

212

The above condition is added to an S3 bucket policy to restrict access to a specific VPC endpoint. An EC2 instance in the same VPC is unable to access the bucket. What is the most likely reason?

213

A security engineer is investigating a potential compromise of an EC2 instance. The engineer needs to capture network traffic to and from the instance for forensic analysis. Which AWS service should be used to capture this traffic?

214

A company uses AWS Organizations with multiple accounts. The security team wants to automatically receive alerts when an IAM user attempts to access resources they do not have permissions for, across all accounts. Which combination of services should be used?

215

During an incident response, a security engineer needs to collect volatile memory from a compromised EC2 instance without affecting the running system. The instance is critical and cannot be stopped. Which approach is most appropriate?

216

A security team wants to detect unauthorized API calls in real time and automatically block the source IP address using network ACLs. Which AWS service should be used for detection?

217

A company is designing an automated incident response workflow. When a high-severity GuardDuty finding is generated, the security team wants to automatically isolate the affected EC2 instance by modifying its security group to deny all traffic. Which service should orchestrate this response?

218

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer has enabled S3 server access logs and CloudTrail data events. Which log source would provide the most granular details about the request, including the requester's IP address and user agent?

219

A company needs to ensure that all API calls in their AWS account are logged and monitored for suspicious activity. Which service should be enabled first?

220

During an incident response, a security engineer needs to preserve the state of an EC2 instance's root volume for forensic analysis. The instance is still running. Which action should be taken to ensure the data is preserved without altering it?

221

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to quickly block all traffic to that IP while preserving the instance for forensic analysis. Which approach is the most effective?

222

Which TWO AWS services can be used to detect anomalous behavior in an AWS environment?

223

Which THREE actions should be taken when preparing an incident response plan for AWS?

224

Which TWO steps are part of the forensic acquisition process for an EC2 instance suspected of being compromised?

225

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow read access to objects in the bucket only from the corporate network (203.0.113.0/24). However, users outside the network can still access the bucket. What is the most likely reason?

226

Refer to the exhibit. A security engineer is analyzing a VPC Flow Logs entry for an EC2 instance with private IP 192.0.2.10. The log shows an accepted outbound connection from the instance to 203.0.113.50 on port 443. The instance is not expected to initiate outbound HTTPS connections. What should the engineer do next to investigate?

227

A company uses a multi-account AWS Organizations setup with hundreds of accounts. The security team uses AWS Security Hub in the management account to aggregate findings from all accounts. They have configured Amazon GuardDuty in all accounts and enabled AWS Config with recording. Recently, they noticed that Security Hub is not displaying any findings from GuardDuty in member accounts, even though GuardDuty is generating sample findings. The security team has verified that the Security Hub integration with GuardDuty is enabled in the management account. What is the most likely reason for the missing findings?

228

A security engineer is investigating a potential data breach. AWS CloudTrail logs show that an IAM user 'svc-backup' created an S3 bucket in the us-east-1 region and then uploaded a large number of objects. The engineer suspects that the user's credentials were compromised. What is the MOST efficient way to quickly identify the source IP address and user agent of the API calls made by this user?

229

A company uses AWS Organizations with multiple accounts. The security team wants to detect suspicious API activity across all accounts in real time. They have enabled AWS CloudTrail in all accounts and are sending logs to a centralized S3 bucket. However, they are receiving alerts only after a significant delay. What should the security team do to reduce the latency of threat detection?

230

A security engineer discovers an Amazon GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' for an EC2 instance. The instance is part of an Auto Scaling group and has a public IP address. What is the MOST effective immediate step to mitigate the threat?

231

A company uses AWS Lambda functions that process sensitive data. The security team wants to ensure that any unauthorized invocation of the functions is detected and alerted. The team has enabled AWS CloudTrail and is monitoring for Lambda Invoke API calls. However, they are concerned about missing events that occur within the Lambda service itself (e.g., internal retries). What should the team do to capture all relevant events?

232

A security engineer is investigating a potential incident where an EC2 instance was compromised. The engineer has access to the following logs: CloudTrail, VPC Flow Logs, and OS-level logs from the instance. Which TWO log sources would be MOST useful to determine the initial attack vector? (Choose TWO.)

233

A company uses Amazon GuardDuty to monitor its AWS environment. The security team has received a GuardDuty finding of type 'Recon:EC2/PortProbeUnprotectedPort'. The finding indicates that an EC2 instance has an open SSH port that is being probed from the internet. The team wants to reduce the attack surface and prevent future probes. Which THREE actions should the team take? (Choose THREE.)

234

A security engineer is configuring automated response to a specific GuardDuty finding type. The engineer wants to automatically block the offending IP address in the security group when a finding is generated. Which TWO AWS services should the engineer use together to achieve this? (Choose TWO.)

235

A financial services company uses a multi-account AWS organization with a centralized security account. The security team has enabled Amazon GuardDuty in all accounts and configured it to send findings to the security account via AWS Organizations. The team also uses AWS Security Hub in the security account to aggregate findings. They have set up automated response using AWS Systems Manager Automation documents to isolate compromised EC2 instances by applying a security group that denies all traffic. However, during a recent incident, the automation failed because the Systems Manager Automation document did not have permission to modify the security group in the member account. The security team needs to design a solution that allows the security account to automatically isolate instances in any member account. What should they do?

236

A company uses Amazon GuardDuty and AWS Security Hub in a single AWS account. The security team has created a custom action in Security Hub to send findings to a custom Lambda function for automated response. The Lambda function is designed to take remediation actions based on the finding type. During testing, the team notices that the Lambda function is not being invoked when new findings are generated. The Lambda function's resource-based policy allows invocations from Security Hub, and the function's execution role has necessary permissions. What is the most likely reason for the failure?

237

A company uses AWS CloudTrail to log all API activity. The security team wants to be alerted when an IAM user creates a new access key. They have created a CloudWatch metric filter on the CloudTrail log group for the event name 'CreateAccessKey' and set up a CloudWatch alarm that sends an email via Amazon SNS. However, the alarm is not triggering even though the team knows that access keys have been created. The metric filter has been tested and shows data points in CloudWatch. What should the security team check next?

238

A company has a serverless application using AWS Lambda, API Gateway, and DynamoDB. The security team wants to detect and respond to potential SQL injection attempts in API requests. They have enabled AWS WAF on the API Gateway and created a rule to block SQL injection. However, they also want to capture the blocked requests for analysis and store them in an S3 bucket. The team has configured WAF to send logs to Amazon Kinesis Data Firehose, which delivers to an S3 bucket. After testing, the team notices that the logs are not being delivered. The Firehose delivery stream is in the same AWS account, and the S3 bucket policy allows the Firehose service to write. What is the most likely cause?

239

A company uses Amazon Detective to investigate security findings. The security team is analyzing a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. The team wants to use Detective to understand the full scope of the incident, including which other resources the instance communicated with and any IAM roles used. However, when the team opens the finding in Detective, they see no network activity data for the instance. The instance is in a VPC with VPC Flow Logs enabled, and Flow Logs are being published to CloudWatch Logs. What should the team do to enable Detective to display the network activity?

240

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that any changes to CloudTrail configuration (e.g., disabling the trail, deleting the trail, modifying the log delivery) are detected immediately. They have created a CloudWatch Events rule to capture the event 'StopLogging' and send an SNS notification. During testing, the team stops the trail and does not receive the notification. The CloudWatch Events rule is configured with the correct event pattern. What should the team check?

241

A company uses AWS Lambda functions to process data from an S3 bucket. The security team wants to detect any unauthorized attempts to invoke the Lambda function from outside the company's VPC. The Lambda function is configured to be VPC-enabled and is attached to a VPC with a security group. The team has enabled CloudTrail and VPC Flow Logs. However, they are not seeing any logs for the Lambda invocations in CloudTrail. The team has checked that CloudTrail is logging management events and that the Lambda function is being invoked. What is the most likely reason for the missing CloudTrail logs?

242

A company uses Amazon GuardDuty and AWS Security Hub. The security team has configured a custom insight in Security Hub to track findings related to S3 bucket exposures. They want to automatically remediate these findings by applying an S3 bucket policy that blocks public access. The team has created a Lambda function that applies the bucket policy and configured Security Hub to send findings to the Lambda function via a custom action. However, when a new finding is generated, the Lambda function is invoked but fails to apply the policy because it does not have permission to modify the S3 bucket. The Lambda function's execution role has permissions to modify S3 bucket policies, but the function is in the same account as the bucket. What should the team check?

243

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes sensitive customer data. The security team has enabled VPC Flow Logs, CloudTrail, and GuardDuty. Recently, the team received a GuardDuty finding indicating a potential SSH brute force attack originating from an external IP address 203.0.113.50 targeting one of the EC2 instances. The security engineer needs to automatically isolate the affected instance and capture forensic evidence for analysis. The company has strict requirements: the instance must be isolated immediately, and a snapshot of the EBS volume must be taken before any remediation actions are taken. The instance is part of an Auto Scaling group, and the security engineer wants to minimize manual intervention. The security engineer has access to AWS Systems Manager and AWS Lambda. Which combination of steps should the security engineer implement to meet the requirements?


Frequently asked questions

What does the Threat Detection and Incident Response domain cover on the SCS-C02 exam?

The Threat Detection and Incident Response domain covers the key concepts tested in this area of the SCS-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SCS-C02 domains — no account required.

How many Threat Detection and Incident Response questions are in the SCS-C02 question bank?

The Courseiva SCS-C02 question bank contains 243 questions in the Threat Detection and Incident Response domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Threat Detection and Incident Response for SCS-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Threat Detection and Incident Response questions for SCS-C02?

Yes — the session launcher on this page draws questions exclusively from the Threat Detection and Incident Response domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
