© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SCS-C02 Threat Detection and Incident Response — All Questions With Answers

Complete SCS-C02 Threat Detection and Incident Response question bank with answers and detailed explanations.

243 questions · Free · No signup
Question 1 (easy, multiple choice)

A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?

Question 2 (medium, multi select)

A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)

Question 3 (hard, multiple choice)

During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?

Question 4 (medium, multi select)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

Question 5 (hard, multi select)

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

Question 6 (medium, multiple choice)

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

Exhibit

CloudTrail log entry (simplified):

```json
{
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:role/AdminRole",
    "accountId": "123456789012"
  },
  "requestParameters": {
    "instanceType": "m5.xlarge",
    "imageId": "ami-0abcdef1234567890",
    "securityGroupSet": [{"groupId": "sg-0123456789abcdef0"}]
  },
  "responseElements": {
    "instancesSet": {
      "items": [{"instanceId": "i-0a1b2c3d4e5f6g7h8"}]
    }
  },
  "sourceIPAddress": "203.0.113.50",
  "userAgent": "console.amazonaws.com",
  "eventTime": "2025-03-15T14:30:00Z"
}
```

Question 7 (easy, multiple choice)

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

Exhibit

VPC Flow Logs entry:

```
2 123456789010 eni-1234567890abcdef 10.0.1.5 203.0.113.50 3389 443 6 10 840 1625097600 1625097660 ACCEPT OK
```

Question 8 (hard, multiple choice)

A company has a security rule that all S3 buckets must have server access logging enabled. A security engineer uses AWS Config to evaluate compliance. The engineer configures a managed rule but notices that the rule does not evaluate all buckets. What is the most likely reason?

Question 9 (medium, multiple choice)

During a security incident, a security engineer needs to verify whether an EC2 instance's security group allowed inbound SSH from a specific IP address at the time of the incident. Which AWS service or feature should the engineer use to obtain this historical information?

Question 10 (medium, multiple choice)

A security engineer is implementing automated incident response. The engineer wants to use AWS Lambda to automatically remediate GuardDuty findings. What is the recommended pattern to trigger the Lambda function?

Question 11 (easy, multi select)

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a security incident, the security team needs to quickly patch a critical vulnerability across all Windows instances in a specific AWS region. Which steps should the team take? (Choose TWO.)

Question 12 (hard, multiple choice)

A company runs a critical web application on a fleet of EC2 instances behind an Application Load Balancer (ALB). The application uses an Aurora MySQL database. The security team receives an alert from Amazon GuardDuty that a specific EC2 instance is exhibiting behavior consistent with a cryptocurrency mining attack, including outbound connections to known mining pools. The instance is part of an Auto Scaling group that uses a launch template with a security group that allows outbound HTTPS traffic to 0.0.0.0/0. The security engineer needs to contain the incident while minimizing downtime for the application. The engineer has already taken a forensic snapshot of the instance's EBS volume. Which course of action should the engineer take next?

Question 13 (medium, multiple choice)

A security engineer is investigating a potential credential compromise. An IAM user's access key was used to launch EC2 instances in a region where the user has never operated before. The engineer wants to quickly identify all API calls made by this user in the last 24 hours, including the source IP addresses. Which AWS service or feature should be used?

Question 14 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts and has enabled AWS Security Hub in the management account. The security team wants to automatically remediate a specific finding type that appears in Security Hub. Which combination of services should be used to achieve this?

Question 15 (medium, multi select)

A security engineer is configuring an automated incident response workflow for Amazon GuardDuty findings. Which TWO actions should the engineer take to ensure that the response is triggered for all current and future GuardDuty findings?

Question 16 (easy, multiple choice)

A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?

Exhibit

Refer to the exhibit.

```json
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789012:user/JohnDoe",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE"
      },
      "eventTime": "2024-08-01T12:34:56Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "AuthorizeSecurityGroupIngress",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "203.0.113.5",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {
          "items": [
            {
              "ipProtocol": "tcp",
              "fromPort": 22,
              "toPort": 22,
              "ipRanges": [
                {
                  "cidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      }
    }
  ]
}
```
Question 17 (hard, multiple choice)

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The security team uses Amazon GuardDuty and has enabled Amazon Detective. Recently, GuardDuty raised a 'Recon:EC2/PortProbeUnprotectedPort' finding for one of the instances. The security engineer verified that the ALB security group only allows inbound HTTP/HTTPS from the internet. However, the finding indicates that the instance is receiving probes on port 22 (SSH). Further investigation with Detective shows that the probes originate from multiple IP addresses and are reaching the instance's private IP address. The engineer suspects that the SSH port is exposed despite the security group configuration. What is the MOST likely cause of this exposure?

Question 18 (medium, multiple choice)

A security engineer is investigating a potential compromise. An EC2 instance running Amazon Linux 2 is sending outbound traffic to a known malicious IP address. The engineer needs to capture the network traffic for analysis without alerting the attacker. Which solution meets these requirements?

Question 19 (medium, drag order)

Drag and drop the steps to configure AWS WAF with rate-based rules in the correct order.

Question 20 (medium, drag order)

Drag and drop the steps to implement a secure CI/CD pipeline with AWS CodePipeline and IAM in the correct order.

Question 21 (medium, matching)

Match each AWS service to its primary security function.

Descriptions to match:

Web application firewall
DDoS protection
Key management and encryption
Identity and access management
Data discovery and classification

Question 22 (medium, matching)

Match each AWS IAM policy type to its description.

Descriptions to match:

Attached to a user, group, or role
Attached to a resource like an S3 bucket
Maximum permissions for an identity
Used in AWS Organizations to restrict permissions

Question 23 (easy, multiple choice)

A security engineer notices that an IAM role used by an EC2 instance is generating a large number of API calls to an S3 bucket that is not part of the company's account. Which AWS service should be used to detect and alert on this suspicious activity?

Question 24 (medium, multiple choice)

A company has an AWS Lambda function that processes sensitive data. The security team wants to ensure that any errors or suspicious behavior are immediately investigated. Which combination of services should be used to send real-time notifications for anomalous function executions?

Question 25 (hard, multiple choice)

During a security incident, a security engineer needs to preserve forensic evidence from an EC2 instance that may be compromised. The instance is running a critical application. Which approach minimizes data loss while ensuring the integrity of the evidence?

Question 26 (easy, multiple choice)

A company's security team wants to detect unauthorized S3 bucket access attempts in real time. Which service should they use to generate alerts when an IAM user attempts to access a bucket without proper permissions?

Question 27 (medium, multiple choice)

An organization uses AWS Organizations with multiple accounts. The security team needs a centralized location to collect and analyze security findings from GuardDuty, Inspector, and Macie. Which AWS service should they use?

Question 28 (hard, multiple choice)

A security engineer is investigating a potential compromise of an EC2 instance. The instance was launched from a custom AMI. The engineer needs to determine if the AMI itself contains malicious software. Which approach provides the most thorough analysis without risking the production environment?

Question 29 (easy, multiple choice)

A company wants to ensure that any deleted CloudTrail logs are detected and alerted within minutes. Which approach should they use?

Question 30 (medium, multiple choice)

A security team discovers that an IAM user's credentials are being used from an unusual geographic location. Which AWS service can provide automated response to revoke the user's access immediately?

Question 31 (hard, multiple choice)

During incident response, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group. Which action preserves the most evidence while minimizing disruption?

Question 32 (medium, multi select)

Which TWO actions should a security engineer take to investigate a potential AWS API credential leak? (Choose two.)

Question 33 (hard, multi select)

Which THREE services can be used to detect and alert on suspicious API activity across an AWS organization? (Choose three.)

Question 34 (easy, multi select)

Which TWO are best practices for securing an AWS account's root user? (Choose two.)

Question 35 (medium, multiple choice)

A security engineer needs to detect and alert on suspicious API calls made from a compromised EC2 instance. The instance is associated with an IAM role that has permissions to call various AWS APIs. Which AWS service should the engineer use to monitor API calls and trigger alerts?

Question 36 (hard, multiple choice)

A company is using Amazon GuardDuty to detect threats. They notice that GuardDuty is generating a high volume of 'UnauthorizedAccess:EC2/SSHBruteForce' findings from an internal EC2 instance that is used for vulnerability scanning. The security team wants to reduce false positives without disabling GuardDuty entirely. What should they do?

Question 37 (easy, multiple choice)

A security engineer is investigating a potential compromise of an S3 bucket. The engineer needs to determine if any objects were accessed by an unauthorized user. Which AWS service can provide detailed access logs for S3 objects?

Question 38 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze CloudTrail logs from all accounts in a single S3 bucket. What is the most efficient way to achieve this?

Question 39 (hard, multiple choice)

During an incident response, a security engineer needs to capture a forensic image of an EC2 instance's root volume for analysis. The instance is running and cannot be stopped. What is the recommended approach to capture the volume without stopping the instance?

Question 40 (easy, multiple choice)

A company uses Amazon GuardDuty and receives a finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. What does this finding indicate?

Question 41 (medium, multiple choice)

A security engineer is setting up automated incident response for a compromised EC2 instance. The engineer wants to isolate the instance immediately upon detection of a GuardDuty finding. Which AWS service can be used to automatically trigger a Lambda function that modifies the instance's security group?

Question 42 (easy, multiple choice)

Which AWS service can be used to detect and alert on suspicious network traffic patterns within a VPC, such as port scanning or unusual outbound traffic?

Question 43 (hard, multiple choice)

During an incident response, a security engineer needs to preserve the state of an EC2 instance for forensic analysis. The instance is running a production workload that cannot be interrupted. Which of the following actions should the engineer take FIRST to ensure data integrity?

Question 44 (medium, multi select)

A security engineer is configuring AWS CloudTrail to monitor data events for S3 objects. Which TWO of the following must be enabled to log object-level operations? (Select TWO.)

Question 45 (hard, multi select)

A company wants to implement automated remediation of security findings from Amazon GuardDuty. Which THREE AWS services can be used together to create an automated response workflow? (Select THREE.)

Question 46 (medium, multi select)

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an EC2 instance is sending data to an external IP address. Which TWO AWS services can provide evidence of outbound data transfer? (Select TWO.)

Question 47 (easy, multiple choice)

A security engineer is investigating a potential data exfiltration from an S3 bucket. Which AWS service should be used to analyze the VPC Flow Logs for the S3 bucket's endpoint?

Question 48 (medium, multiple choice)

During an incident response, a security team needs to capture a memory dump of an Amazon EC2 instance running Linux. What is the recommended approach?

Question 49 (hard, multiple choice)

A company has multiple AWS accounts in AWS Organizations. The security team wants to centralize threat detection and automate incident response. Which combination of services should they use?

Question 50 (easy, multiple choice)

A security engineer needs to ensure that all API calls in an AWS account are logged for incident response. Which AWS service should be enabled?

Question 51 (medium, multiple choice)

An organization uses AWS Organizations and wants to centrally manage Amazon GuardDuty across multiple accounts. What is the correct architecture?

Question 52 (hard, multiple choice)

During an incident, a security engineer needs to isolate a compromised Amazon EC2 instance without losing the ability to capture forensic data from its EBS volumes. What is the best course of action?

Question 53 (easy, multiple choice)

A company is using AWS WAF to protect a web application. The security team wants to receive alerts when a specific rule block is triggered. Which AWS service should they use to achieve this?

Question 54 (medium, multiple choice)

A security engineer needs to analyze large volumes of VPC Flow Logs stored in Amazon S3 to identify anomalous traffic patterns. Which approach is MOST cost-effective and scalable?

Question 55 (hard, multiple choice)

An organization uses AWS Organizations with hundreds of accounts. The security team wants to automatically respond to a specific GuardDuty finding by isolating the affected EC2 instance. What is the recommended architecture?

Question 56 (easy, multi select)

Which TWO AWS services can be used to detect unauthorized access to an S3 bucket? (Select TWO.)

Question 57 (medium, multi select)

Which THREE actions should be taken when preserving forensic evidence from an EC2 instance during an incident? (Select THREE.)

Question 58 (hard, multi select)

Which TWO AWS services can be used to automatically block malicious IP addresses at the network perimeter? (Select TWO.)

Question 59 (easy, multiple choice)

A security engineer needs to detect and respond to potential credential theft where an IAM user's access key is being used from an unusual geographic location. Which AWS service should be used to generate alerts based on this anomaly?

Question 60 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants a centralized view of all security alerts and findings from services like GuardDuty, Security Hub, and Inspector across all accounts. What is the MOST efficient way to achieve this?

Question 61 (hard, multiple choice)

A security engineer is configuring automated incident response for an Amazon EC2 instance that has been compromised. The engineer needs to isolate the instance while preserving forensic data. Which solution meets these requirements?

Question 62 (easy, multiple choice)

A company has enabled AWS CloudTrail and wants to receive real-time notifications when specific API calls, such as DeleteTrail, are made. Which service should be used to trigger an alert based on CloudTrail log events?

Question 63 (medium, multiple choice)

During a security review, a security engineer notices that an S3 bucket contains sensitive data but has a bucket policy that allows access from any principal in the account. The engineer needs to identify any unintended cross-account access to this bucket. Which AWS service should be used?

Question 64 (hard, multiple choice)

A security engineer suspects that an EC2 instance is communicating with a known malicious IP address. The engineer needs to capture the full network packets for analysis. Which approach should be taken?

Question 65 (easy, multiple choice)

A company wants to automatically trigger a Lambda function when a new security finding is generated in AWS Security Hub. Which service should be used to invoke the Lambda function?

Question 66 (medium, multiple choice)

A security engineer is investigating a potential data exfiltration from an S3 bucket that is configured to allow public access. The engineer wants to determine who accessed the bucket and from which IP addresses. Which AWS capability should be used?

Question 67 (hard, multiple choice)

A company uses AWS Systems Manager Patch Manager to apply patches to EC2 instances. The security team wants to ensure that instances are patched within 7 days of a patch release. Which service should be used to monitor and report compliance?

Question 68 (medium, multi select)

A security engineer is designing a threat detection solution for a multi-account AWS environment. The engineer needs to detect and respond to suspicious API activity across all accounts. Which TWO services should be used together to achieve this? (Choose two.)

Question 69 (hard, multi select)

A security engineer is investigating a security incident where an EC2 instance was used to launch an outbound denial-of-service (DoS) attack. The engineer needs to collect forensic evidence. Which THREE actions should the engineer take? (Choose three.)

Question 70 (easy, multi select)

A company wants to ensure that all API calls made to AWS are logged for security analysis. Which TWO services can be used to achieve this? (Choose two.)

Question 71 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews an S3 bucket policy that is intended to allow the root user of account 123456789012 to get objects only from the 10.0.0.0/24 IP range. However, the policy is not working as expected. What is the MOST likely reason?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/24"
        }
      }
    }
  ]
}
```

Question 72 (hard, multiple choice)

Refer to the exhibit. A security engineer is analyzing a CloudTrail log entry for an EC2 RunInstances call. The engineer needs to determine if the instance launch was authorized by an IAM policy. Which field should the engineer check to identify the IAM policy that was used to authorize the action?

Exhibit

```json
{
  "sourceIP": "192.0.2.1",
  "userIdentity": {
    "arn": "arn:aws:iam::111111111111:user/JohnDoe",
    "type": "IAMUser"
  },
  "eventTime": "2024-08-15T12:34:56Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "requestParameters": {
    "instanceType": "t2.micro",
    "imageId": "ami-0abcdef1234567890"
  },
  "responseElements": {
    "instancesSet": {
      "items": [
        { "instanceId": "i-0a1b2c3d4e5f67890" }
      ]
    }
  }
}
```

Question 73 (easy, multiple choice)

Refer to the exhibit. A security engineer is analyzing VPC Flow Logs and notices a pattern of outbound traffic from an EC2 instance to an external IP on port 22 (SSH). The engineer wants to identify which instances are initiating SSH connections to the internet. Which field in the flow log record indicates the source of the connection?

Exhibit

```
2019-10-15T10:30:00Z 192.0.2.1 54321 10.0.0.1 443 6 10 1000 10 1000 ACCEPT OK
2019-10-15T10:30:05Z 192.0.2.1 54322 10.0.0.2 22 6 20 2000 10 1000 ACCEPT OK
2019-10-15T10:30:10Z 10.0.0.3 22 192.0.2.1 54323 6 15 1500 5 500 REJECT OK
```

Question 74 (medium, multiple choice)

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to immediately block the traffic and capture a packet capture for forensic analysis. Which combination of actions should the engineer take?

Question 75 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled and logging to a central S3 bucket. They need to detect any account that disables or modifies its CloudTrail trail. Which approach meets these requirements with the least operational overhead?

Question 76 (easy, multiple choice)

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture memory and disk forensics without shutting down the instance. Which service should the engineer use?

Question 77 (medium, multiple choice)

A company uses Amazon GuardDuty and AWS Security Hub. The security team wants to automatically remediate high-severity GuardDuty findings that indicate an EC2 instance is communicating with a known command and control (C&C) server. The remediation should isolate the instance by modifying the security group to deny all inbound and outbound traffic. Which solution is the most efficient?

Question 78 (hard, multiple choice)

During an incident response, a security engineer needs to collect volatile data from an EC2 instance running Linux. The instance is in a private subnet with no direct internet access. The engineer has IAM permissions to use AWS Systems Manager Session Manager. Which command should the engineer use to capture memory and process information?

Question 79 (easy, multiple choice)

A security engineer needs to detect suspicious API calls across multiple AWS accounts. The engineer has enabled AWS CloudTrail in each account and is sending logs to a central S3 bucket. Which additional step should the engineer take to analyze the logs for potential threats?

Question 80 (medium, multiple choice)

A company's security policy requires that all S3 bucket access logs be delivered to a central S3 bucket in the security account. A security engineer notices that some buckets are not delivering logs. The engineer needs to identify which buckets are not logging and ensure compliance. Which service should the engineer use to continuously monitor and report on S3 bucket logging?

Question 81 (hard, multiple choice)

A security engineer is designing an incident response plan for a containerized application running on Amazon ECS with Fargate. The engineer needs to ensure that if a container is compromised, the incident response team can capture a memory dump and disk snapshot for forensic analysis. The containers are stateless and use ephemeral storage. Which approach provides the necessary forensic data?

Question 82 (easy, multiple choice)

A security engineer is investigating a potential data breach. The engineer needs to identify which IAM user accessed a specific S3 object and when. Which AWS service should the engineer use?

Question 83 (hard, multi select)

A company uses Amazon GuardDuty and has enabled EKS audit logs as a data source. The security team wants to detect potential container escape attempts. Which TWO findings would indicate a container escape attempt? (Choose TWO.)

Question 84 (medium, multi select)

A security engineer is configuring automated incident response for Amazon GuardDuty findings. The engineer wants to isolate a compromised EC2 instance by changing its security group and stopping the instance. Which THREE services should the engineer use together to achieve this? (Choose THREE.)

Question 85 (easy, multi select)

A company wants to detect and respond to potential security threats in near real-time. Which TWO services should the company use together to achieve this? (Choose TWO.)

Question 86 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing a resource-based policy attached to an AWS Lambda function. The engineer notices that the policy allows any Lambda function in the account to invoke the function. Which security concern should the engineer address?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaInvocation",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    }
  ]
}
```
Question 87 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the AWS CLI command to look up console login events. The output shows two successful login events for user1 within 5 minutes. What should the engineer suspect?

Exhibit

```shell
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2024-01-01T00:00:00Z --end-time 2024-01-02T00:00:00Z
```

```json
"Events": [
  {
    "EventId": "example-event-id-1",
    "EventName": "ConsoleLogin",
    "ReadOnly": "False",
    "Username": "user1",
    "EventTime": "2024-01-01T10:00:00Z",
    "CloudTrailEvent": "{\"userIdentity\":{\"type\":\"IAMUser\",\"arn\":\"arn:aws:iam::123456789012:user/user1\"},\"responseElements\":{\"ConsoleLogin\":\"Success\"}}"
  },
  {
    "EventId": "example-event-id-2",
    "EventTime": "2024-01-01T10:05:00Z",
```

(The exhibit's output is truncated after the second event's EventTime.)
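The lookup-events output above nests the raw CloudTrail record as a JSON string inside each event's `CloudTrailEvent` field, so the interesting fields (source IP, whether MFA was used) have to be parsed out of that string before two logins can be compared. The following is an added example, not part of the question bank: it flattens a lookup-events response into successful console logins, pairs successive logins by the same user, and flags pairs that fall inside a short window and arrive from different addresses. The sample response is constructed; the `sourceIPAddress` and `additionalEventData.MFAUsed` values are assumptions added for the illustration.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of `aws cloudtrail lookup-events` output. Each record's raw
# CloudTrail event is still JSON-encoded inside the "CloudTrailEvent" string.
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {
            "EventId": "example-event-id-1",
            "EventName": "ConsoleLogin",
            "ReadOnly": "False",
            "Username": "user1",
            "EventTime": "2024-01-01T10:00:00Z",
            "CloudTrailEvent": json.dumps({
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/user1"},
                "sourceIPAddress": "198.51.100.10",          # assumption for the example
                "additionalEventData": {"MFAUsed": "No"},    # assumption for the example
                "responseElements": {"ConsoleLogin": "Success"},
            }),
        },
        {
            "EventId": "example-event-id-2",
            "EventName": "ConsoleLogin",
            "ReadOnly": "False",
            "Username": "user1",
            "EventTime": "2024-01-01T10:05:00Z",
            "CloudTrailEvent": json.dumps({
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/user1"},
                "sourceIPAddress": "203.0.113.77",           # assumption for the example
                "additionalEventData": {"MFAUsed": "No"},
                "responseElements": {"ConsoleLogin": "Success"},
            }),
        },
    ]
}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def successful_logins(lookup_output: Dict) -> List[Dict]:
    """Flatten lookup-events output into one row per successful ConsoleLogin, oldest first."""
    rows = []
    for ev in lookup_output["Events"]:
        if ev.get("EventName") != "ConsoleLogin":
            continue
        raw = json.loads(ev["CloudTrailEvent"])  # the nested event is a JSON string
        if raw.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        rows.append({
            "user": ev.get("Username"),
            "time": parse_time(ev["EventTime"]),
            "ip": raw.get("sourceIPAddress"),
            "mfa": raw.get("additionalEventData", {}).get("MFAUsed"),
        })
    return sorted(rows, key=lambda r: r["time"])


def find_rapid_relogins(lookup_output: Dict, window_minutes: int = 10) -> List[Dict]:
    """Pair successive successful logins by the same user inside the window.

    Two successes minutes apart from different source addresses point at shared
    or stolen console credentials rather than one person logging in twice."""
    by_user: Dict[str, List[Dict]] = {}
    for row in successful_logins(lookup_output):
        by_user.setdefault(row["user"], []).append(row)
    alerts = []
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            gap = cur["time"] - prev["time"]
            if gap <= timedelta(minutes=window_minutes):
                alerts.append({
                    "user": user,
                    "gap_minutes": gap.total_seconds() / 60,
                    "ips": sorted({prev["ip"], cur["ip"]}),
                    "different_ip": prev["ip"] != cur["ip"],
                    "mfa_used": prev["mfa"] == "Yes" and cur["mfa"] == "Yes",
                })
    return alerts
```

When the two logins share one address and MFA was used on both, the more likely explanation is an ordinary re-authentication; when the addresses differ and MFA is absent, treat the credential as compromised and move to containment (disable the console password, invalidate active sessions) before digging further.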
Question 88 (easy, multiple choice)

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow access only from the corporate network (10.0.0.0/8). What is a potential security issue with this policy?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
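The two exhibits for Questions 86 and 88 show the same class of mistake from two directions: a resource policy that trusts a service principal with no `aws:SourceArn`/`aws:SourceAccount` condition (any resource that can make that service call the function can invoke it, the confused-deputy problem), and an S3 policy that opens `Principal: "*"` behind an `aws:SourceIp` condition on a private range. `aws:SourceIp` is evaluated against the public address the request arrives from (for traffic leaving a VPC through NAT, the NAT gateway's address), and requests through a VPC endpoint need `aws:VpcSourceIp` or `aws:SourceVpce` instead, so a 10.0.0.0/8 condition does not express "the corporate network" at all. The following is an added example, not part of the question bank: a small linter that flags both patterns, run against the two exhibit policies and against hardened versions of each. The caller-function ARN and the public CIDR in the hardened policies are assumptions.

```python
import ipaddress
from typing import Dict, List

# Exhibit policies from Questions 86 and 88, reproduced as dicts.
LAMBDA_POLICY_WEAK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowLambdaInvocation", "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}]}

S3_POLICY_WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}

# Hardened: the service may invoke only on behalf of one named resource in this
# account. The caller ARN is an assumption for the example.
LAMBDA_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowLambdaInvocation", "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "123456789012"},
        "ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:caller-function"}}}]}

# Hardened: a named principal, and the corporate egress range as seen by S3
# (a public CIDR; 203.0.113.0/24 is an assumption for the example).
S3_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_source_condition(stmt: Dict) -> bool:
    """True if any condition key pins the calling resource or account."""
    for _op, keys in stmt.get("Condition", {}).items():
        if any(k.lower() in ("aws:sourcearn", "aws:sourceaccount") for k in keys):
            return True
    return False


def lint_policy(policy: Dict) -> List[str]:
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # 1. Service principal with no aws:SourceArn/aws:SourceAccount: confused deputy.
        if isinstance(principal, dict) and "Service" in principal and not _has_source_condition(stmt):
            findings.append(f"{sid}: service principal {principal['Service']} lacks "
                            "aws:SourceArn/aws:SourceAccount condition (confused deputy)")
        # 2. Anonymous principal guarded only by aws:SourceIp on a private range.
        if principal == "*" or principal == {"AWS": "*"}:
            cond = stmt.get("Condition", {})
            cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
            other_keys = [k for keys in cond.values() for k in keys if k.lower() != "aws:sourceip"]
            if not cidrs and not other_keys:
                findings.append(f"{sid}: anonymous principal with no condition (public)")
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if not other_keys and any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES):
                    findings.append(f"{sid}: aws:SourceIp {cidr} is a private range; S3 evaluates the "
                                    "public (or NAT) address, and VPC-endpoint traffic needs "
                                    "aws:VpcSourceIp/aws:SourceVpce, so this condition never "
                                    "expresses the corporate network")
    return findings
```

If the corporate VPC reaches the bucket through a gateway endpoint, add a separate statement keyed on `aws:SourceVpce` rather than combining it with `IpAddress` in one statement, since all conditions in a statement must hold together.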
Question 89 (easy, multiple choice)

A security engineer is reviewing CloudTrail logs and notices API calls from an unknown IP address. The engineer needs to immediately block the IP address and receive alerts for any future suspicious activity. Which combination of actions should the engineer take?

Question 90 (medium, multiple choice)

A company uses AWS Organizations and has enabled GuardDuty in the management account. The security team wants to view GuardDuty findings for all member accounts from a single delegated administrator account. Which configuration step is required?

Question 91 (hard, multiple choice)

During a security incident, a security engineer needs to capture network traffic between an EC2 instance and an attacker's IP address for forensic analysis. The engineer has already identified the attacker's IP from CloudTrail logs. Which action captures the traffic without affecting the instance?

Question 92 (easy, multiple choice)

A company has a serverless application using AWS Lambda functions that process sensitive data. The security team wants to detect potential data exfiltration via DNS queries from the Lambda functions. Which service should be enabled to monitor DNS requests?

Question 93 (medium, multiple choice)

A security engineer is investigating a potential compromise of an IAM user. The engineer sees that the user's access keys were used from an IP address outside the company's allowed geography. Which AWS service can provide the most immediate notification of such anomalous API calls?

Question 94 (hard, multiple choice)

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to ensure that all security findings from GuardDuty, Security Hub, and Detective are centrally collected and correlated. Which architecture is the MOST scalable and cost-effective?

Question 95 (easy, multiple choice)

A security engineer is configuring an automated response to a GuardDuty finding that indicates a compromised EC2 instance. The engineer wants to isolate the instance by changing its security group to a 'quarantine' group. Which AWS service is BEST suited to automate this response?

Question 96 (medium, multiple choice)

During an incident response, a security engineer needs to collect memory forensics from a running EC2 instance without shutting it down. The instance is running Amazon Linux 2. Which tool is MOST appropriate?

Question 97 (hard, multiple choice)

A company uses AWS Organizations and has GuardDuty enabled in all accounts. The security team wants to suppress low-severity findings that are known false positives for a specific member account. How can this be achieved with minimal administrative overhead?

Question 98 (medium, multi select)

A security engineer is designing an incident response plan for a compromised S3 bucket. Which TWO actions should be taken to contain the incident? (Choose TWO.)

Question 99 (hard, multi select)

An organization is using Amazon EKS for container workloads. The security team wants to detect container escape attempts. Which THREE AWS services or features should be enabled? (Choose THREE.)

Question 100 (easy, multi select)

A security engineer needs to detect and respond to malware on an EC2 instance. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Question 101 (medium, multiple choice)

A security engineer receives an Amazon GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to automatically isolate the compromised EC2 instance and then perform forensic analysis. Which solution meets these requirements with the LEAST operational overhead?

Question 102 (easy, multiple choice)

A company uses AWS CloudTrail to log API calls in all accounts. The security team wants to be notified immediately when an IAM user creates a new access key for another user. Which combination of services should the team use?

Question 103 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team uses AWS Security Hub to consolidate findings. They notice that a critical finding in the production account is not being aggregated in Security Hub. The finding is generated by Amazon GuardDuty. What is the MOST likely cause?

Question 104 (easy, multiple choice)

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an attacker is using an Amazon S3 bucket to exfiltrate data. Which AWS service can be used to analyze S3 access logs and detect anomalous patterns?

Question 105 (hard, multiple choice)

A company's security team is designing an incident response plan for AWS resources. They want to ensure that when a security incident is detected in a production account, a pre-defined runbook is executed automatically. The runbook includes steps to isolate the compromised resource and collect forensic evidence. Which combination of services should the team use to implement this automation?

Question 106 (medium, multiple choice)

A company uses AWS CloudTrail to log all API activity. The security team needs to retain the logs for 7 years and ensure they are tamper-proof. Additionally, the team must be able to query the logs for investigations. Which solution meets these requirements?

Question 107 (medium, multiple choice)

A security engineer is analyzing a potential security incident involving an Amazon RDS for MySQL database. The engineer suspects that a SQL injection attack was successful. Which AWS service can the engineer use to review the actual SQL queries that were executed against the database?

Question 108 (easy, multiple choice)

A company uses Amazon GuardDuty to detect threats. The security team wants to be alerted when GuardDuty generates a finding with a severity level of HIGH or CRITICAL. Which AWS service should the team use to send notifications based on GuardDuty findings?

Question 109 (hard, multiple choice)

A company's incident response team is using AWS Systems Manager to run commands on EC2 instances for forensic analysis. The team needs to ensure that the commands are run with minimal latency and that the results are stored securely. Which Systems Manager capability should the team use?

Question 110 (medium, multi select)

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture volatile memory data and create a forensic image of the instance's EBS volumes. Which TWO actions should the engineer take? (Choose 2.)

Question 111 (hard, multi select)

A company's security team is configuring Amazon GuardDuty to detect crypto-mining activities on EC2 instances. Which THREE indicators should the team monitor? (Choose 3.)

Question 112 (easy, multi select)

A company is designing an incident response plan for AWS. The plan must include the ability to collect forensic data from EC2 instances without requiring SSH key pairs. Which TWO AWS services can be used to acquire forensic data from EC2 instances without remote access? (Choose 2.)

Question 113 (medium, multiple choice)

Your company has a single AWS account with a production VPC that contains several EC2 instances running a web application. The security team has enabled Amazon GuardDuty and AWS CloudTrail. Recently, GuardDuty reported a finding 'UnauthorizedAccess:EC2/TorClient' for one of the instances. The finding indicates that the instance is making connections to Tor exit nodes. You need to investigate and contain the incident. The instance is critical to the application and cannot be terminated. You have a forensic analysis instance in a separate security group. What should you do FIRST?

Question 114 (hard, multiple choice)

Your organization uses AWS Organizations with 50 member accounts. You are the security administrator for the root account. You have enabled AWS CloudTrail in all accounts and centralized the logs in an S3 bucket in the root account. You also enabled Amazon GuardDuty in the root account and have delegated an administrator account. Recently, you received an alert from GuardDuty about a potential credential compromise in a member account. The finding indicates that an IAM user in that account made an API call from an unusual IP address. You need to quickly gather all CloudTrail events for that user from the last 30 days across all accounts. The logs are stored in a single S3 bucket with a prefix structure like 'AWSLogs/<account-id>/CloudTrail/<region>/<year>/<month>/<day>'. What is the MOST efficient way to query these logs?

Question 115 (easy, multiple choice)

Your company has a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The security team enabled AWS CloudTrail and Amazon GuardDuty. GuardDuty generates a finding 'Recon:EC2/PortProbeUnprotectedPort' for an EC2 instance that does not exist in the account. Upon investigation, you realize that the finding is triggered by a misconfigured Network Load Balancer (NLB) that is exposing a port to the internet. The NLB is used by the API Gateway. You need to reduce false positives for this specific finding. What should you do?

Question 116 (medium, multiple choice)

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The instance is part of an Auto Scaling group behind an Application Load Balancer. The engineer needs to immediately stop the exfiltration while preserving forensic evidence. What is the BEST course of action?

Question 117 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls. The security team notices a series of `UpdateTrail` API calls from a user in the Security account, disabling logging on a multi-region trail. The user has a policy that allows `cloudtrail:UpdateTrail` only on trails with a specific tag. However, the trail does not have that tag. What is the MOST likely reason the call succeeded?

Question 118 (easy, multiple choice)

A security analyst needs to detect and alert on suspicious API calls in real time. Which combination of AWS services should be used?

Question 119 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. What is the MOST efficient way to achieve this?

Question 120 (hard, multi select)

A security engineer is investigating a potential compromise. The engineer has captured a memory dump from an EC2 instance and needs to analyze it for malware. Which TWO actions should the engineer take to preserve the chain of custody? (Choose TWO.)

Question 121 (easy, multi select)

A company wants to detect anomalous behavior in their AWS environment. Which THREE AWS services can be used for threat detection? (Choose THREE.)

Question 122 (medium, multi select)

A security team is setting up incident response automation. Which TWO steps should be taken to ensure that a compromised EC2 instance is isolated while preserving forensic data? (Choose TWO.)

Question 123 (hard, multi select)

An organization uses AWS CloudTrail with a multi-region trail. The security team suspects that an attacker has deleted logs. Which THREE findings would indicate that log deletion occurred? (Choose THREE.)

Question 124 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team receives an alert from Amazon GuardDuty that one of the EC2 instances is generating outbound traffic to a known command-and-control (C2) IP address. The instance is part of an Auto Scaling group (ASG) with a minimum of 2 and maximum of 10 instances. The security incident response playbook instructs the team to isolate the compromised instance without affecting the application's availability. The team needs to preserve the instance for forensic analysis. Which action should the team take first?

Question 125 (hard, multiple choice)

A financial services company uses AWS Organizations with over 100 accounts. The security team uses AWS CloudTrail to log all API calls to a central S3 bucket in the security account. The bucket policy enables cross-account log delivery from all member accounts. The team notices that some API calls from a specific member account are not appearing in the central bucket. The CloudTrail trail in that member account is configured to deliver logs to the central bucket. The IAM role used by CloudTrail in the member account has permissions to write to the central bucket. The security team has verified that the bucket policy allows the member account to write. What is the MOST likely cause of the missing logs?

Question 126 (easy, multiple choice)

A startup uses a single AWS account for development. The security engineer wants to detect if any EC2 instances have been compromised and are performing reconnaissance by probing open ports on other internal instances. The engineer has enabled VPC Flow Logs for all subnets. What is the most cost-effective way to detect this behavior?

Question 127 (hard, multiple choice)

A company uses AWS Lambda functions to process sensitive data. The security team wants to ensure that if a Lambda function is compromised, the attacker cannot use the function's IAM role to access other AWS resources. The team has implemented the principle of least privilege by restricting the IAM role's permissions. However, they are concerned about a scenario where an attacker could use the Lambda function to execute AWS API calls that are not intended by the application. What additional measure should the team implement to reduce the risk of such lateral movement?

Question 128 (medium, multiple choice)

A company uses Amazon RDS for MySQL with automated backups enabled. The security team suspects that a database administrator (DBA) with full RDS access has exfiltrated data by creating a snapshot of the database and sharing it with an external AWS account. The team wants to detect such exfiltration in the future. Which step should the team take to detect and alert on snapshot sharing?

Question 129 (easy, multiple choice)

A company uses AWS CloudFormation to deploy infrastructure. During a security incident, the security team needs to quickly capture a point-in-time snapshot of the entire environment for forensic analysis. The environment includes EC2 instances, RDS databases, and EBS volumes. What is the fastest way to preserve the state of the environment?

Question 130 (medium, multiple choice)

A company uses a hybrid architecture with on-premises servers and AWS. The company uses AWS Site-to-Site VPN to connect to a VPC. The security team suspects that a VPN tunnel has been compromised and an attacker is intercepting traffic. The team needs to verify the integrity of the VPN connection. What is the MOST effective way to detect if traffic is being intercepted?

Question 131 (hard, multiple choice)

A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application stores user session data in an ElastiCache Redis cluster. The security team receives an alert from GuardDuty that one of the EC2 instances is communicating with a known command-and-control (C2) IP address. The instance ID is i-0a1b2c3d4e5f. The security engineer needs to contain the threat immediately while preserving the instance for forensic analysis. Which course of action should the security engineer take?
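Questions 77, 84, 101, 124 and 131 all describe the same response: contain a compromised EC2 instance behind a load balancer without losing the evidence or the application's capacity. The order of the API calls matters: the instance has to leave its Auto Scaling group before anything else, without decrementing desired capacity, so the group launches a replacement and never terminates the suspect instance; termination protection and tags go on next; and only then are the security groups swapped on every network interface. The following is an added example, not part of the question bank: a Lambda handler that builds that sequence as a plan of boto3 calls and then executes it, so the plan can be reviewed (or dry-run) separately from the calls. The finding event is constructed in the shape GuardDuty publishes, the network-interface and security-group ids are assumptions, and a pre-created empty quarantine security group per VPC plus a `QUARANTINE_SG_ID` environment variable are assumed.

```python
from typing import Dict, List, Optional, Tuple

Step = Tuple[str, str, Dict]  # (boto3 client name, method name, keyword arguments)

# Constructed GuardDuty finding event; the fields read below are the documented
# ones under detail.resource.instanceDetails. Ids are assumptions for the example.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0a1b2c3d4e5f",
            "networkInterfaces": [
                {"networkInterfaceId": "eni-0a1b2c3d4e5f67890", "vpcId": "vpc-0123456789abcdef0",
                 "securityGroups": [{"groupId": "sg-0web", "groupName": "web"}]}]}}}}


def build_isolation_plan(event: Dict, quarantine_sg: str, asg_name: Optional[str] = None) -> List[Step]:
    """Ordered API calls that contain the instance while keeping it for forensics."""
    details = event["detail"]["resource"]["instanceDetails"]
    instance_id = details["instanceId"]
    plan: List[Step] = []
    # 1. Detach from the ASG first, keeping desired capacity, so the group replaces
    #    the instance (availability preserved) and will not terminate it later.
    if asg_name:
        plan.append(("autoscaling", "detach_instances", {
            "InstanceIds": [instance_id], "AutoScalingGroupName": asg_name,
            "ShouldDecrementDesiredCapacity": False}))
    # 2. Protect the evidence and label it for the responders.
    plan.append(("ec2", "modify_instance_attribute", {
        "InstanceId": instance_id, "DisableApiTermination": {"Value": True}}))
    plan.append(("ec2", "create_tags", {"Resources": [instance_id], "Tags": [
        {"Key": "SecurityStatus", "Value": "Quarantined"},
        {"Key": "GuardDutyFinding", "Value": event["detail"]["type"]}]}))
    # 3. Replace the groups on every ENI with the quarantine group. Working per ENI
    #    also covers secondary interfaces, which an instance-level change would miss.
    for eni in details["networkInterfaces"]:
        plan.append(("ec2", "modify_network_interface_attribute", {
            "NetworkInterfaceId": eni["networkInterfaceId"], "Groups": [quarantine_sg]}))
    return plan


def execute(plan: List[Step], clients: Dict[str, object]) -> List[str]:
    """Run the plan against clients such as {"ec2": boto3.client("ec2"), ...}."""
    done = []
    for service, method, kwargs in plan:
        getattr(clients[service], method)(**kwargs)
        done.append(f"{service}.{method}")
    return done


def lambda_handler(event, context):
    import os
    import boto3  # imported here so the planning code above imports without boto3
    detail = event["detail"]
    if detail.get("resource", {}).get("resourceType") != "Instance" or detail.get("severity", 0) < 7:
        return []  # only act on HIGH-or-above findings against an EC2 instance
    clients = {"ec2": boto3.client("ec2"), "autoscaling": boto3.client("autoscaling")}
    instance_id = detail["resource"]["instanceDetails"]["instanceId"]
    membership = clients["autoscaling"].describe_auto_scaling_instances(InstanceIds=[instance_id])
    asg = next((i["AutoScalingGroupName"] for i in membership["AutoScalingInstances"]), None)
    plan = build_isolation_plan(event, os.environ["QUARANTINE_SG_ID"], asg)  # env var is an assumption
    return execute(plan, clients)
```

Two caveats a responder would want. First, the quarantine group should still let the forensics tooling reach the instance: if memory is to be acquired through Session Manager afterwards (Questions 78 and 112), the group needs egress to the SSM endpoints (ideally interface endpoints in the VPC), otherwise acquire first and isolate second. Second, EBS snapshots and a memory capture belong immediately after this plan and before any stop or reboot, which would discard the volatile state the later questions ask about.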

Question 132 (easy, multiple choice)

A security engineer is investigating a potential data exfiltration incident where an EC2 instance is sending large volumes of data to an unknown IP address. Which AWS service should the engineer use to capture and analyze the network traffic for evidence?

Question 133 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to detect and automatically respond to suspicious API calls across all accounts. Which solution is the MOST efficient and scalable?

Question 134 (hard, multiple choice)

During an incident investigation, a security analyst finds that an IAM user 'JohnDoe' has been using an access key that was last rotated over 2 years ago. The analyst needs to determine if this key has been compromised. Which approach provides the MOST definitive evidence?

Question 135 (easy, multiple choice)

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. What is the MOST efficient way to enable GuardDuty for all accounts?

Question 136 (medium, multiple choice)

A company has a security requirement to capture all DNS queries made by EC2 instances for threat analysis. Which AWS service can provide this capability with minimal configuration?

Question 137 (hard, multiple choice)

A security analyst notices an IAM role 'AdminRole' is being assumed from an IP address outside the company's allowed network. The analyst wants to receive real-time alerts when this role is assumed from unauthorized locations. Which combination of services should be used?

Question 138 (easy, multiple choice)

A company wants to automatically isolate an EC2 instance that is suspected to be compromised. What is the MOST effective AWS-native approach?

Question 139 (medium, multiple choice)

A security team needs to analyze historical CloudTrail logs across multiple AWS accounts to detect patterns of suspicious activity. Which solution provides the MOST cost-effective and scalable analysis?

Question 140 (hard, multiple choice)

A company has a requirement to detect and respond to threats in near real-time by analyzing VPC Flow Logs. The logs are generated in a VPC and sent to CloudWatch Logs. What is the MOST efficient way to analyze these logs for suspicious patterns and trigger automated responses?

Question 141 (easy, multi select)

Which TWO actions are best practices for securing an AWS account's root user? (Choose 2.)

Question 142 (medium, multi select)

Which THREE AWS services can be used to detect potentially compromised EC2 instances? (Choose 3.)

Question 143 (hard, multi select)

Which TWO steps should a security engineer take when responding to a confirmed security incident involving a compromised EC2 instance? (Choose 2.)

Question 144 (easy, multiple choice)

A security engineer is reviewing AWS CloudTrail logs and notices repeated `CreateTrail` API calls from an IAM user that is not authorized to create trails. What is the MOST likely cause of these log entries?

Question 145 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally aggregate and analyze VPC Flow Logs from all accounts. Which solution is MOST efficient and scalable?

Question 146 (hard, multiple choice)

During an incident response, a security engineer needs to capture a memory image of a compromised Amazon EC2 instance running Linux. The instance is in a production Auto Scaling group. Which approach is BEST?

Question 147 (easy, multiple choice)

A security engineer receives an AWS GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a public IP and is in a public subnet. What is the IMMEDIATE step to contain the threat?

Question 148 (medium, multiple choice)

A company's AWS Lambda function that processes sensitive data is triggering unexpectedly. The security team wants to investigate using AWS CloudTrail. What should they look for?

Question 149 (hard, multiple choice)

During a security incident, a security engineer needs to collect EBS snapshots of multiple EC2 instances across different accounts in AWS Organizations. The snapshots must be copied to a central forensics account. Which combination of steps is MOST efficient?

Question 150 (easy, multiple choice)

A security engineer is reviewing AWS CloudTrail and notices `AssumeRole` API calls to a role that should not be assumed by the source identity. What is the FIRST step in the incident response process?

Question 151 (medium, multiple choice)

A company uses Amazon S3 to store sensitive data. The security team wants to detect and alert on public read access to S3 buckets. Which combination of AWS services is MOST appropriate?

Question 152 (hard, multiple choice)

During incident response, a security engineer needs to preserve the state of a running EC2 instance for forensic analysis without losing volatile data. The instance is in an Auto Scaling group. Which action should the engineer take FIRST?

Question 153 (medium, multi select)

A security engineer is investigating a potential data exfiltration from an AWS account. Which TWO CloudTrail events would be MOST indicative of data exfiltration via S3?

Question 154 (hard, multi select)

A security team is implementing automated response to AWS GuardDuty findings. Which THREE actions should be taken to ensure proper incident response?

Question 155 (easy, multi select)

Which TWO AWS services can be used to detect anomalous API calls in an AWS account?

Question 156 (easy, multiple choice)

A security engineer finds this IAM policy attached to a user. The user is able to create CloudTrail trails but cannot start logging. What is the MOST likely reason?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StartLogging"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 157 (medium, multiple choice)

A security engineer is analyzing VPC Flow Logs and sees the entry above. The source IP 203.0.113.5 is flagged as suspicious. What additional information would help determine if this is malicious?

Exhibit

```text
2024-03-15T10:30:00Z us-east-1 123456789012 ENI eni-0a1b2c3d4e5f67890 src 203.0.113.5 dst 10.0.1.5 port 443 proto 6 packets 10 bytes 1200 start 2024-03-15T10:30:00Z end 2024-03-15T10:30:05Z action ACCEPT log-status OK
```
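The exhibit above shows one record in a labelled layout; real VPC Flow Logs in the default format are fourteen space-separated fields with no labels, and a single ACCEPT on port 443 says little on its own. What makes a source address suspicious is its behaviour across many records: how many distinct destination ports it touched and how many of those flows were rejected, which is also the cost-effective, flow-log-only detection of internal port probing that Question 126 asks about. The following is an added example, not part of the question bank: a parser for the default (version 2) flow-log format and an aggregation that flags sources sweeping ports. The log lines are constructed; the account, interface and addresses are assumptions.

```python
from collections import defaultdict
from typing import Dict, List

# Field order of the default VPC Flow Logs format (version 2), space-separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: 203.0.113.5 sweeps ports on 10.0.1.5 (mostly REJECT, one
# ACCEPT on 443, like the exhibit); 10.0.1.9 is ordinary traffic to 10.0.1.5:443;
# the last row is a NODATA record with "-" placeholders, as the service emits them.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51234 22 6 1 44 1710498600 1710498605 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51235 23 6 1 44 1710498600 1710498605 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51236 80 6 1 44 1710498600 1710498605 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51237 443 6 10 1200 1710498600 1710498605 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51238 3389 6 1 44 1710498600 1710498605 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51239 8080 6 1 44 1710498600 1710498605 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.9 10.0.1.5 40001 443 6 30 4800 1710498600 1710498660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.9 10.0.1.5 40002 443 6 25 4100 1710498600 1710498660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1710498600 1710498660 - NODATA
"""


def parse_flow_log(text: str) -> List[Dict]:
    """Parse default-format records; rows without traffic (NODATA/SKIPDATA) are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # placeholders only, nothing to count
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_sources(records: List[Dict]) -> Dict[str, Dict]:
    """Per source address: distinct destination ports, flow count, rejects, bytes."""
    summary = defaultdict(lambda: {"dst_ports": set(), "flows": 0, "rejects": 0, "bytes": 0})
    for r in records:
        s = summary[r["srcaddr"]]
        s["dst_ports"].add(r["dstport"])
        s["flows"] += 1
        s["rejects"] += r["action"] == "REJECT"
        s["bytes"] += r["bytes"]
    return dict(summary)


def probable_port_scanners(records: List[Dict], min_ports: int = 5,
                           min_reject_ratio: float = 0.5) -> List[str]:
    """A source touching many distinct ports with mostly REJECT verdicts looks like a scan."""
    hits = []
    for src, s in summarize_sources(records).items():
        if len(s["dst_ports"]) >= min_ports and s["rejects"] / s["flows"] >= min_reject_ratio:
            hits.append(src)
    return sorted(hits)
```

For the exhibit's record the useful additional context is exactly what the aggregation produces: the other flows from 203.0.113.5 (ports, verdicts, whether the instance replied with data) and whether the address appears in a GuardDuty finding or threat list. A single accepted HTTPS flow of 1,200 bytes is consistent with both a scanner's banner grab and a legitimate client.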
Question 158 (hard, multiple choice)

A security engineer creates an Amazon CloudWatch Events rule with this event pattern to trigger an AWS Lambda function for automated response to GuardDuty findings. However, the Lambda function is not triggered for new findings. What is the MOST likely cause?

Exhibit

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f67890"]
}
```
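Every key in an EventBridge pattern must match the event, and a list value matches only if one of its entries equals the event's value (or, when the event value is an array, one of its elements). In the event shape GuardDuty publishes, the top-level `resources` array is empty and the affected instance is described under `detail.resource.instanceDetails`, so the exhibit's `resources` filter can never match and the rule silently fires for nothing. The following is an added example, not part of the question bank: a small matcher implementing the exact-match, `numeric` and `prefix` subset of the pattern language, run against the exhibit pattern and against a corrected one that filters on the finding's own fields (severity 7 and above, resource type Instance). The finding event is constructed.

```python
from typing import Any, Dict, List

# Exhibit pattern from Question 158: requires the top-level "resources" array to
# contain this exact ARN.
PATTERN_EXHIBIT = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f67890"],
}

# Corrected: filter on the finding itself. severity >= 7 covers HIGH and above.
PATTERN_FIXED = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "resource": {"resourceType": ["Instance"]},
    },
}

# Constructed event in the shape GuardDuty publishes to EventBridge: the top-level
# "resources" array is empty; the instance sits under detail.resource.
SAMPLE_FINDING_EVENT = {
    "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "time": "2024-03-15T10:30:00Z", "region": "us-east-1",
    "resources": [],
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0a1b2c3d4e5f67890"}},
    },
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}


def _match_leaf(allowed: List[Any], actual: Any) -> bool:
    """A pattern leaf is a list of literals and/or matcher objects; any may match.
    If the event value is a list, any of its elements matching is enough."""
    candidates = actual if isinstance(actual, list) else [actual]
    for rule in allowed:
        for value in candidates:
            if isinstance(rule, dict):
                if "numeric" in rule and isinstance(value, (int, float)) and not isinstance(value, bool):
                    ops = rule["numeric"]  # e.g. [">=", 7] or [">", 4, "<=", 8]; all pairs must hold
                    if all(_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                        return True
                elif "prefix" in rule and isinstance(value, str) and value.startswith(rule["prefix"]):
                    return True
            elif rule == value:
                return True
    return False


def matches(pattern: Dict, event: Dict) -> bool:
    """True if every key of the pattern is present in the event and matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _match_leaf(expected, event[key]):
            return False
    return True
```

The matcher is deliberately limited to the constructs the two patterns use; EventBridge also supports `exists`, `anything-but`, `equals-ignore-case` and `$or`, which behave differently and are not modelled here. If a rule must target one instance, put the instance id under `detail.resource.instanceDetails.instanceId` in the pattern rather than in `resources`.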
Question 159 (easy, multiple choice)

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer needs to identify which IAM role or user accessed the bucket and from which IP address. Which AWS service should the engineer use to obtain this information?

Question 160 (medium, multiple choice)

A security engineer is designing an automated incident response workflow for an Amazon EC2 instance that is compromised. The workflow must isolate the instance by removing it from the security group that allows SSH access. The engineer wants to use AWS Systems Manager Automation to run a document. What is the most secure way to grant the automation the necessary permissions to modify the security group?

Question 161 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. The team has set up a central logging account with an S3 bucket that has a bucket policy allowing cross-account writes. However, VPC Flow Logs from member accounts are not appearing. What is the most likely cause?

Question 162 (easy, multiple choice)

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to designate a delegated administrator account to manage GuardDuty for all member accounts. Which AWS service must be used to enable GuardDuty for all accounts?

Question 163 (medium, multiple choice)

A security engineer notices suspicious API calls from an EC2 instance that has an IAM role attached. The engineer wants to quickly determine if the instance's credentials have been compromised and are being used from an external IP address. What is the most efficient way to detect this?

Question 164 (hard, multiple choice)

A company has a security requirement to automatically isolate an Amazon EC2 instance that is generating high network traffic to a known malicious IP address. The company uses Amazon GuardDuty and AWS Lambda. Which combination of services and configurations should be used to achieve the isolation?

Question 165 (easy, multiple choice)

A security engineer is investigating a potential security incident involving an Amazon RDS database. The engineer needs to determine if someone attempted to access the database with incorrect credentials. Which AWS service should the engineer use to view authentication failures?

Question 166 (medium, multiple choice)

A security engineer is setting up automated incident response for a compromised IAM user. The engineer wants to automatically revoke the user's access keys and attach a deny-all policy when a GuardDuty finding of type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' is generated. Which services should be used to achieve this automation?

Question 167 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls. The security team wants to be alerted when an IAM user creates a new access key for another IAM user (an action that could indicate privilege escalation). What is the most effective way to detect this specific API call?

Question 168 (easy, multi select)

Which TWO AWS services can be used to detect anomalous API activity in an AWS account? (Choose two.)

Question 169 (medium, multi select)

Which THREE steps should a security engineer take to ensure that an incident response plan for an AWS environment is effective? (Choose three.)

Question 170 (hard, multi select)

A security engineer is investigating a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS'. Which TWO actions should the engineer take as part of the initial response? (Choose two.)

Question 171 (easy, multiple choice)

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to an IAM user. The user reports being unable to download objects from the S3 bucket when connecting from a VPN with IP address 10.0.1.45. What is the most likely reason for the failure?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

Question 172 (medium, multiple choice)

Refer to the exhibit. A security engineer runs this AWS CLI command to investigate root user logins. The output shows a successful ConsoleLogin event. What should the engineer do next to improve security?

Exhibit

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --query 'Events[?UserIdentity.Type=="Root"]'
"EventId": "example1",
"EventName": "ConsoleLogin",
"ReadOnly": "False",
"Username": "root",
"EventTime": "2023-01-01T12:00:00Z",
"CloudTrailEvent": "{\"userIdentity\":{\"type\":\"Root\",\"arn\":\"arn:aws:iam::123456789012:root\"},\"responseElements\":{\"ConsoleLogin\":\"Success\"}}"
```

Question 173 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews this CloudFormation template. The bucket is intended to be private. What is the security issue in the configuration?

Exhibit

```
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-secure-bucket
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketPolicy:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub "${MyBucket.Arn}/*"
```

Question 174 (medium, multiple choice)

A security engineer is investigating an AWS CloudTrail log entry that shows an unauthorized API call to delete an S3 bucket. Which service should the engineer use to analyze the log data for patterns of similar malicious activity?

Question 175 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs a centralized solution to automatically initiate incident response runbooks across all accounts when a threat is detected. Which approach meets these requirements?

Question 176 (easy, multiple choice)

A security engineer receives an alert that an EC2 instance is generating outbound traffic to a known malicious IP address. What is the FIRST step the engineer should take as part of the incident response process?

Question 177 (medium, multiple choice)

A company wants to detect and alert on suspicious IAM role usage, such as a role being assumed from an unusual geographic location. Which AWS service should be used to generate the alerts?

Question 178 (hard, multiple choice)

During a security incident, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group and may be terminated. What is the MOST efficient way to capture the traffic without affecting the instance's performance?

Question 179 (easy, multiple choice)

A security team wants to automatically revoke public access to an S3 bucket when Amazon GuardDuty detects a suspicious API call from a known malicious IP address. Which AWS service should be used to orchestrate this automated response?

Question 180 (medium, multiple choice)

A company has enabled Amazon GuardDuty in all accounts within AWS Organizations. The security team wants to view aggregated findings from all accounts in a single dashboard. Which service should the team use?

Question 181 (hard, multiple choice)

A security engineer is configuring an automated incident response workflow. When a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' is generated, the workflow should isolate the EC2 instance and snapshot its EBS volume. Which AWS service can coordinate these actions?

Question 182 (easy, multiple choice)

A company has a requirement to detect and alert on S3 objects that contain personally identifiable information (PII) being shared publicly. Which AWS service should be used?

Question 183 (medium, multi select)

A security engineer is investigating a potential security incident involving an Amazon RDS database. Which of the following actions should be taken during the forensic analysis phase? (Select TWO.)

Question 184 (hard, multi select)

A security team is designing an automated incident response system. The system must meet the following requirements: (1) automatically respond to GuardDuty findings, (2) ensure that response actions are logged and immutable, and (3) allow for human approval before destructive actions. Which services should the team use? (Select THREE.)

Question 185 (medium, multi select)

A security engineer is configuring Amazon GuardDuty to generate alerts for specific threat types. The engineer wants to ensure that alerts are sent to the security team's email distribution list and also trigger an automated Lambda function for immediate response. Which two actions should the engineer take? (Select TWO.)

Question 186 (medium, multiple choice)

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance with an attached IAM role has been making API calls to an S3 bucket in another AWS account. The engineer wants to identify the source of the API calls and determine if the calls are malicious. Which AWS service should the engineer use to view the API calls made by the IAM role?

Question 187 (hard, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to centralize threat detection across all accounts. They enable Amazon GuardDuty in the management account and intend to use delegated administrator functionality. However, they find that GuardDuty is not detecting threats in member accounts. What is the most likely cause?

Question 188 (easy, multiple choice)

A company has an incident response (IR) process that includes isolating compromised EC2 instances. During a security incident, the IR team needs to block all traffic to and from a compromised instance while preserving the instance for forensic analysis. Which approach should the team take?

Question 189 (hard, multiple choice)

A security engineer is configuring AWS CloudWatch Logs to monitor for suspicious activity. They want to create a metric filter that detects when an IAM user calls the `iam:CreateAccessKey` API. The engineer writes the following filter pattern: `{ ($.eventName = "CreateAccessKey") }`. After testing, the filter does not trigger. What is the most likely reason?

Question 190 (medium, multiple choice)

A company is using AWS Lambda functions to process sensitive data. The security team wants to detect when a Lambda function is invoked with an unexpected payload that may indicate an injection attack. Which AWS service should the team use to inspect the function's input for malicious patterns?

Question 191 (easy, multiple choice)

A company wants to automate the response to a specific GuardDuty finding. When GuardDuty detects a finding of type `UnauthorizedAccess:EC2/SSHBruteForce`, they want to automatically block the offending IP address using a network ACL. Which AWS service can they use to orchestrate this response?

Question 192 (hard, multiple choice)

A security engineer is reviewing AWS CloudTrail logs and notices a large number of `DescribeInstances` API calls from a single IAM user in a short period. The engineer suspects a credential compromise. What is the most effective way to automatically revoke the compromised credentials and notify the security team?

Question 193 (medium, multiple choice)

A company's security policy requires that all S3 buckets be encrypted at rest. A security engineer needs to detect any S3 bucket that does not have default encryption enabled. Which AWS service should the engineer use to continuously monitor and alert on non-compliant buckets?

Question 194 (easy, multiple choice)

A company uses Amazon RDS for its database. The security team needs to detect when a database instance is started or stopped outside of maintenance windows. Which AWS service should the team use to monitor these API calls?

Question 195 (hard, multi select)

A company uses AWS CloudTrail to log all API activity. The security team wants to detect when an IAM user creates an access key for another user, which is a potential privilege escalation. Which TWO actions should the team take to set up this detection?

Question 196 (medium, multi select)

A company's security team is implementing an incident response plan for a potential ransomware attack on their EC2 instances. Which THREE steps should the team take to preserve forensic evidence while containing the incident?

Question 197 (medium, multi select)

A company wants to use AWS services to detect and respond to a potential DDoS attack on their web application hosted on EC2 instances behind an Application Load Balancer (ALB). Which TWO AWS services should the company use for detection and mitigation?

Question 198 (medium, multiple choice)

A security engineer is configuring automated response to a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to isolate the compromised instance by modifying the security group to deny all inbound traffic. Which AWS service should be used to orchestrate this response?

Question 199 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls. During an incident investigation, the security team needs to identify who deleted an S3 bucket. CloudTrail logs are stored in a centralized S3 bucket with server-side encryption using AWS KMS. Which additional step is required to ensure the CloudTrail logs can be queried quickly for this investigation?

Question 200 (easy, multiple choice)

A security team wants to detect and alert on API calls that create or modify IAM roles in their AWS account. Which AWS service can be used to create a metric filter and alarm for these specific CloudTrail events?

Question 201 (medium, multiple choice)

During a security incident, a security engineer suspects that an EC2 instance has been compromised and is exfiltrating data to an external IP address. Which AWS service can provide real-time network traffic analysis and alert on unusual outbound traffic patterns?

Question 202 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centralize threat detection and automatically remediate high-severity GuardDuty findings across all accounts. What is the MOST efficient way to achieve this?

Question 203 (easy, multiple choice)

A security engineer needs to ensure that any changes to an S3 bucket's public access settings are immediately detected and an alert is sent. Which combination of AWS services should be used?

Question 204 (medium, multiple choice)

During a security incident, a forensic investigator needs to capture the memory of a running EC2 instance without shutting it down. Which AWS feature should be used?

Question 205 (hard, multiple choice)

A company has a multi-account strategy and wants to ensure that all API calls from member accounts are logged to a centralized S3 bucket in the security account. Which configuration is required?

Question 206 (easy, multiple choice)

A security team detects that an IAM user's access keys are being used from an unusual geographic location. Which AWS service provides this type of anomaly detection?

Question 207 (medium, multi select)

A security engineer is investigating a potential data exfiltration incident where an attacker used a compromised EC2 instance to transfer data to an external IP. Which TWO AWS services can provide evidence of the network traffic and the API calls made from the instance?

Question 208 (hard, multi select)

A company uses AWS Organizations and wants to implement a centralized incident response process. Which THREE steps should be taken to ensure that security teams can respond to incidents across all accounts effectively?

Question 209 (easy, multi select)

A security engineer needs to detect and respond to suspicious activity on an Amazon RDS database. Which TWO services can be used together to monitor database activity and trigger automated remediation?

Question 210 (medium, multiple choice)

The IAM policy in the exhibit is attached to an AWS Lambda function. The function is failing to write logs to CloudWatch Logs. What is the likely cause?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/MyFunction:*"
    }
  ]
}
```

Question 211 (hard, multiple choice)

A security engineer runs the AWS CLI command in the exhibit to search for CreateKey events in CloudTrail. The command returns no events, but the security engineer knows that a KMS key was created in us-east-1 on January 1, 2023. What is the most likely reason for the empty result?

Exhibit

```
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --region us-east-1
Output:
"Events": []
```

Question 212 (medium, multiple choice)

The condition in the exhibit is added to an S3 bucket policy to restrict access to a specific VPC endpoint. An EC2 instance in the same VPC is unable to access the bucket. What is the most likely reason?

Exhibit

```
Resource: "arn:aws:ec2:us-east-1:123456789012:instance/*"
Condition: {
  "StringEquals": {
    "aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"
  }
}
```

Question 213 (easy, multiple choice)

A security engineer is investigating a potential compromise of an EC2 instance. The engineer needs to capture network traffic to and from the instance for forensic analysis. Which AWS service should be used to capture this traffic?

Question 214 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to automatically receive alerts when an IAM user attempts to access resources they do not have permissions for, across all accounts. Which combination of services should be used?

Question 215 (hard, multiple choice)

During an incident response, a security engineer needs to collect volatile memory from a compromised EC2 instance without affecting the running system. The instance is critical and cannot be stopped. Which approach is most appropriate?

Question 216 (easy, multiple choice)

A security team wants to detect unauthorized API calls in real time and automatically block the source IP address using network ACLs. Which AWS service should be used for detection?

Question 217 (medium, multiple choice)

A company is designing an automated incident response workflow. When a high-severity GuardDuty finding is generated, the security team wants to automatically isolate the affected EC2 instance by modifying its security group to deny all traffic. Which service should orchestrate this response?

Question 218 (hard, multiple choice)

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer has enabled S3 server access logs and CloudTrail data events. Which log source would provide the most granular details about the request, including the requester's IP address and user agent?

Question 219 (easy, multiple choice)

A company needs to ensure that all API calls in their AWS account are logged and monitored for suspicious activity. Which service should be enabled first?

Question 220 (medium, multiple choice)

During an incident response, a security engineer needs to preserve the state of an EC2 instance's root volume for forensic analysis. The instance is still running. Which action should be taken to ensure the data is preserved without altering it?

Question 221 (hard, multiple choice)

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to quickly block all traffic to that IP while preserving the instance for forensic analysis. Which approach is the most effective?

Question 222 (easy, multi select)

Which TWO AWS services can be used to detect anomalous behavior in an AWS environment?

Question 223 (medium, multi select)

Which THREE actions should be taken when preparing an incident response plan for AWS?

Question 224 (hard, multi select)

Which TWO steps are part of the forensic acquisition process for an EC2 instance suspected of being compromised?

Question 225 (medium, multiple choice)

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow read access to objects in the bucket only from the corporate network (203.0.113.0/24). However, users outside the network can still access the bucket. What is the most likely reason?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 226 (hard, multiple choice)

Refer to the exhibit. A security engineer is analyzing a VPC Flow Logs entry for an EC2 instance with private IP 192.0.2.10. The log shows an accepted outbound connection from the instance to 203.0.113.50 on port 443. The instance is not expected to initiate outbound HTTPS connections. What should the engineer do next to investigate?

Exhibit

```
2023-01-15T10:30:00Z 123456789012 ENI eni-0a1b2c3d4e5f67890 192.0.2.10 203.0.113.50 443 80 6 10 1000 1500 ACCEPT OK
```

Question 227 (hard, multiple choice)

A company uses a multi-account AWS Organizations setup with hundreds of accounts. The security team uses AWS Security Hub in the management account to aggregate findings from all accounts. They have configured Amazon GuardDuty in all accounts and enabled AWS Config with recording. Recently, they noticed that Security Hub is not displaying any findings from GuardDuty in member accounts, even though GuardDuty is generating sample findings. The security team has verified that the Security Hub integration with GuardDuty is enabled in the management account. What is the most likely reason for the missing findings?

Question 228 (medium, multiple choice)

A security engineer is investigating a potential data breach. AWS CloudTrail logs show that an IAM user 'svc-backup' created an S3 bucket in the us-east-1 region and then uploaded a large number of objects. The engineer suspects that the user's credentials were compromised. What is the MOST efficient way to quickly identify the source IP address and user agent of the API calls made by this user?

Question 229 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to detect suspicious API activity across all accounts in real time. They have enabled AWS CloudTrail in all accounts and are sending logs to a centralized S3 bucket. However, they are receiving alerts only after a significant delay. What should the security team do to reduce the latency of threat detection?

Question 230 (easy, multiple choice)

A security engineer discovers an Amazon GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' for an EC2 instance. The instance is part of an Auto Scaling group and has a public IP address. What is the MOST effective immediate step to mitigate the threat?

Question 231 (medium, multiple choice)

A company uses AWS Lambda functions that process sensitive data. The security team wants to ensure that any unauthorized invocation of the functions is detected and alerted. The team has enabled AWS CloudTrail and is monitoring for Lambda Invoke API calls. However, they are concerned about missing events that occur within the Lambda service itself (e.g., internal retries). What should the team do to capture all relevant events?

Question 232 (hard, multi select)

A security engineer is investigating a potential incident where an EC2 instance was compromised. The engineer has access to the following logs: CloudTrail, VPC Flow Logs, and OS-level logs from the instance. Which TWO log sources would be MOST useful to determine the initial attack vector? (Choose TWO.)

Question 233 (medium, multi select)

A company uses Amazon GuardDuty to monitor its AWS environment. The security team has received a GuardDuty finding of type 'Recon:EC2/PortProbeUnprotectedPort'. The finding indicates that an EC2 instance has an open SSH port that is being probed from the internet. The team wants to reduce the attack surface and prevent future probes. Which THREE actions should the team take? (Choose THREE.)

Question 234 (easy, multi select)

A security engineer is configuring automated response to a specific GuardDuty finding type. The engineer wants to automatically block the offending IP address in the security group when a finding is generated. Which TWO AWS services should the engineer use together to achieve this? (Choose TWO.)

Question 235 (hard, multiple choice)

A financial services company uses a multi-account AWS organization with a centralized security account. The security team has enabled Amazon GuardDuty in all accounts and configured it to send findings to the security account via AWS Organizations. The team also uses AWS Security Hub in the security account to aggregate findings. They have set up automated response using AWS Systems Manager Automation documents to isolate compromised EC2 instances by applying a security group that denies all traffic. However, during a recent incident, the automation failed because the Systems Manager Automation document did not have permission to modify the security group in the member account. The security team needs to design a solution that allows the security account to automatically isolate instances in any member account. What should they do?

Question 236 (medium, multiple choice)

A company uses Amazon GuardDuty and AWS Security Hub in a single AWS account. The security team has created a custom action in Security Hub to send findings to a custom Lambda function for automated response. The Lambda function is designed to take remediation actions based on the finding type. During testing, the team notices that the Lambda function is not being invoked when new findings are generated. The Lambda function's resource-based policy allows invocations from Security Hub, and the function's execution role has necessary permissions. What is the most likely reason for the failure?

Question 237 (easy, multiple choice)

A company uses AWS CloudTrail to log all API activity. The security team wants to be alerted when an IAM user creates a new access key. They have created a CloudWatch metric filter on the CloudTrail log group for the event name 'CreateAccessKey' and set up a CloudWatch alarm that sends an email via Amazon SNS. However, the alarm is not triggering even though the team knows that access keys have been created. The metric filter has been tested and shows data points in CloudWatch. What should the security team check next?

Question 238 (medium, multiple choice)

A company has a serverless application using AWS Lambda, API Gateway, and DynamoDB. The security team wants to detect and respond to potential SQL injection attempts in API requests. They have enabled AWS WAF on the API Gateway and created a rule to block SQL injection. However, they also want to capture the blocked requests for analysis and store them in an S3 bucket. The team has configured WAF to send logs to Amazon Kinesis Data Firehose, which delivers to an S3 bucket. After testing, the team notices that the logs are not being delivered. The Firehose delivery stream is in the same AWS account, and the S3 bucket policy allows the Firehose service to write. What is the most likely cause?

Question 239 (hard, multiple choice)

A company uses Amazon Detective to investigate security findings. The security team is analyzing a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. The team wants to use Detective to understand the full scope of the incident, including which other resources the instance communicated with and any IAM roles used. However, when the team opens the finding in Detective, they see no network activity data for the instance. The instance is in a VPC with VPC Flow Logs enabled, and Flow Logs are being published to CloudWatch Logs. What should the team do to enable Detective to display the network activity?

Question 240 (easy, multiple choice)

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that any changes to CloudTrail configuration (e.g., disabling the trail, deleting the trail, modifying the log delivery) are detected immediately. They have created a CloudWatch Events rule to capture the event 'StopLogging' and send an SNS notification. During testing, the team stops the trail and does not receive the notification. The CloudWatch Events rule is configured with the correct event pattern. What should the team check?

Question 241 (medium, multiple choice)
A company uses AWS Lambda functions to process data from an S3 bucket. The security team wants to detect any unauthorized attempts to invoke the Lambda function from outside the company's VPC. The Lambda function is configured to be VPC-enabled and is attached to a VPC with a security group. The team has enabled CloudTrail and VPC Flow Logs. However, they are not seeing any logs for the Lambda invocations in CloudTrail. The team has checked that CloudTrail is logging management events and that the Lambda function is being invoked. What is the most likely reason for the missing CloudTrail logs?

Question 242 (hard, multiple choice)
A company uses Amazon GuardDuty and AWS Security Hub. The security team has configured a custom insight in Security Hub to track findings related to S3 bucket exposures. They want to automatically remediate these findings by applying an S3 bucket policy that blocks public access. The team has created a Lambda function that applies the bucket policy and configured Security Hub to send findings to the Lambda function via a custom action. However, when a new finding is generated, the Lambda function is invoked but fails to apply the policy because it does not have permission to modify the S3 bucket. The Lambda function's execution role has permissions to modify S3 bucket policies, but the function is in the same account as the bucket. What should the team check?

Question 243 (hard, multiple choice)
A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes sensitive customer data. The Security team has enabled VPC Flow Logs, CloudTrail, and GuardDuty. Recently, the team received a GuardDuty finding indicating a potential SSH brute force attack originating from an external IP address 203.0.113.50 targeting one of the EC2 instances. The Security Engineer needs to automatically isolate the affected instance and capture forensic evidence for analysis. The company has strict requirements: the instance must be isolated immediately, and a snapshot of the EBS volume must be taken before any remediation actions are taken. The instance is part of an Auto Scaling group, and the Security Engineer wants to minimize manual intervention. The Security Engineer has access to AWS Systems Manager and AWS Lambda. Which combination of steps should the Security Engineer implement to meet the requirements?