CCNA Threat Detection and Incident Response Questions

75 of 243 questions · Page 1/4 · Threat Detection and Incident Response · Answers revealed

1
Matchingmedium

Match each AWS service to its primary security function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Web application firewall

DDoS protection

Key management and encryption

Identity and access management

Data discovery and classification

Why these pairings

These are core AWS security services with distinct purposes.

2
MCQeasy

A security engineer is investigating a potential compromise of an S3 bucket. The engineer needs to determine if any objects were accessed by an unauthorized user. Which AWS service can provide detailed access logs for S3 objects?

A.AWS CloudTrail
B.S3 server access logs
C.AWS Config
D.Amazon Inspector
AnswerB

S3 server access logs record object-level access details.

Why this answer

S3 server access logs provide detailed records of requests made to an S3 bucket, including the requester, bucket name, request time, action, and response status. This granularity is essential for identifying unauthorized access to specific objects, as it logs every GET, PUT, DELETE, and HEAD request at the object level. AWS CloudTrail, while useful for management events, does not log data-level operations like object reads by default unless data events are explicitly enabled, and even then, it may not capture all object-level access details as comprehensively as server access logs.

Exam trap

The trap here is that candidates often assume AWS CloudTrail is sufficient for all logging needs, but the exam specifically tests the distinction between management events (CloudTrail default) and data-level object access logs (S3 server access logs), and that CloudTrail data events require explicit enablement and still lack the granularity of server access logs.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail primarily logs management events (e.g., bucket creation, policy changes) and, even when data events are enabled for S3, it logs object-level operations at a higher level (e.g., GetObject, PutObject) but does not provide the per-request detail (e.g., HTTP method, object key, response status) that S3 server access logs offer; relying solely on CloudTrail could miss unauthorized access patterns. Option C is wrong because AWS Config is a configuration auditing and compliance service that tracks resource configuration changes (e.g., bucket policies, lifecycle rules) and does not log individual object access requests; it cannot reveal who accessed an object or when. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container workloads for software vulnerabilities and network exposure; it has no capability to log or analyze S3 object access requests.

3
Multi-Selectmedium

Which THREE AWS services can be used to detect potentially compromised EC2 instances? (Choose 3.)

Select 3 answers
A.AWS WAF
B.VPC Flow Logs
C.AWS Shield
D.Amazon GuardDuty
E.Amazon Inspector
AnswersB, D, E

Flow Logs can reveal unusual network traffic indicating compromise.

Why this answer

VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol, packet/byte counts) for network interfaces in a VPC. By analyzing flow logs for anomalous patterns—such as unexpected outbound connections to known malicious IPs, port scanning, or data exfiltration attempts—you can detect potentially compromised EC2 instances. This makes VPC Flow Logs a key detective control for threat detection.

Exam trap

The trap here is that candidates often confuse AWS WAF (a web-layer filter) or AWS Shield (a DDoS mitigator) with detective services, when the question specifically asks for services that *detect* compromised instances—not prevent attacks or filter traffic.

4
Multi-Selecteasy

Which TWO AWS services can be used to detect anomalous behavior in an AWS environment?

Select 2 answers
A.AWS Config
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon Inspector
E.AWS Security Hub
AnswersB, E

GuardDuty detects anomalies using ML and threat intelligence.

Why this answer

Amazon GuardDuty and AWS Security Hub both provide anomaly detection. GuardDuty uses machine learning to detect threats. Security Hub aggregates findings and can detect anomalies through integrated services.

AWS Config is for compliance. AWS CloudTrail is logging. Amazon Inspector is for vulnerabilities.

5
MCQhard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application processes sensitive customer data. The Security team has enabled VPC Flow Logs, CloudTrail, and GuardDuty. Recently, the team received a GuardDuty finding indicating a potential SSH brute force attack originating from an external IP address 203.0.113.50 targeting one of the EC2 instances. The Security Engineer needs to automatically isolate the affected instance and capture forensic evidence for analysis. The company has strict requirements: the instance must be isolated immediately, and a snapshot of the EBS volume must be taken before any remediation actions are taken. The instance is part of an Auto Scaling group, and the Security Engineer wants to minimize manual intervention. The Security Engineer has access to AWS Systems Manager and AWS Lambda. Which combination of steps should the Security Engineer implement to meet the requirements?

A.Use AWS Systems Manager to automatically connect to the instance via EC2 Instance Connect, run commands to capture forensic data, and then modify the security group to deny all inbound traffic.
B.Create a CloudWatch Logs metric filter on the VPC Flow Logs for the attacker IP. When the metric breaches a threshold, trigger an SNS topic that runs an AWS Systems Manager Automation document to isolate the instance and take an EBS snapshot.
C.Configure Amazon EventBridge to detect the GuardDuty finding and invoke an AWS Lambda function. The Lambda function first calls the EC2 CreateSnapshot API to capture a forensic snapshot of the instance's EBS volume. Then, it uses AWS Systems Manager Automation to run a pre-defined automation document that isolates the instance by modifying the instance's security group to only allow traffic from a trusted management IP, and then stops the instance.
D.Configure a CloudWatch Events rule to detect the GuardDuty finding and invoke an AWS Lambda function. The Lambda function terminates the EC2 instance and then takes a snapshot of the EBS volume for forensic analysis.
AnswerC

This correctly automates the response: EventBridge triggers on GuardDuty finding, Lambda takes a snapshot first for evidence, then Systems Manager Automation isolates and stops the instance.

Why this answer

Option D is correct because EventBridge can trigger a Lambda function on GuardDuty findings. The Lambda function takes an EBS snapshot for forensic analysis, then uses Systems Manager Automation to isolate the instance by modifying the security group and stopping the instance. This ensures isolation and evidence capture in an automated manner.

Option A is wrong because terminating the instance before taking a snapshot loses forensic data. Option B is wrong because EC2 Instance Connect is for direct access, not for automated isolation. Option C is wrong because CloudWatch Logs does not trigger on GuardDuty findings; EventBridge is the appropriate service.

6
MCQhard

A company uses Amazon GuardDuty and AWS Security Hub. The security team has configured a custom insight in Security Hub to track findings related to S3 bucket exposures. They want to automatically remediate these findings by applying an S3 bucket policy that blocks public access. The team has created a Lambda function that applies the bucket policy and configured Security Hub to send findings to the Lambda function via a custom action. However, when a new finding is generated, the Lambda function is invoked but fails to apply the policy because it does not have permission to modify the S3 bucket. The Lambda function's execution role has permissions to modify S3 bucket policies, but the function is in the same account as the bucket. What should the team check?

A.Add the Lambda function's execution role to the bucket's Access Control List (ACL).
B.Ensure that the Lambda function's execution role has a trust policy that allows Security Hub to assume it.
C.Check the S3 bucket policy for any explicit deny statements that might block the Lambda function's role.
D.Verify that the S3 bucket's block public access settings are not preventing the policy update.
AnswerC

An explicit deny in the bucket policy would prevent the role from modifying it.

Why this answer

Option C is correct because even if the function has permissions, the bucket policy may explicitly deny access to the Lambda function's role. Option A is wrong because the function is in the same account, so cross-account is not needed. Option B is wrong because S3 block public access settings are separate from bucket policies.

Option D is wrong because the function has permissions; the issue is likely at the bucket policy level.

7
Multi-Selecthard

A company uses AWS Organizations and wants to implement a centralized incident response process. Which THREE steps should be taken to ensure that security teams can respond to incidents across all accounts effectively?

Select 3 answers
A.Create IAM roles in each member account that grant incident responders cross-account access from the security account
B.Set up AWS Systems Manager Incident Manager in each account independently
C.Create a single CloudTrail trail in the management account to log events from all accounts
D.Configure a centralized S3 bucket to store CloudTrail logs from all accounts using an organization trail
E.Designate a delegated administrator account for Amazon GuardDuty to centralize threat detection findings
AnswersA, D, E

Allows responders to assume roles in affected accounts.

Why this answer

Option A (delegated administrator for GuardDuty) centralizes findings. Option C (centralized S3 bucket for CloudTrail logs) enables log analysis. Option D (cross-account IAM roles) allows incident responders to access affected accounts.

Option B (single CloudTrail trail in management account) is not sufficient; organization trail logs all accounts. Option E (separate Incident Manager per account) is not centralized.

8
MCQeasy

A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?

A.The source IP address 203.0.113.5 is from a known malicious IP range.
B.A security group rule was added allowing SSH access from any IP address.
C.The API call was made from the AWS CLI, which may indicate a compromised access key.
D.The user JohnDoe did not use multi-factor authentication (MFA) for this API call.
AnswerB

AuthorizeSecurityGroupIngress with 0.0.0.0/0 on port 22 is a common misconfiguration that exposes the instance to the internet.

Why this answer

The CloudTrail log shows an AuthorizeSecurityGroupIngress API call that added a security group rule with the CIDR 0.0.0.0/0 for port 22 (SSH). This effectively opens SSH access to the entire internet, creating a severe exposure that could allow any attacker to attempt brute-force or credential-stuffing attacks against any EC2 instance associated with that security group. This is the most immediate security concern because it directly introduces a wide-open attack surface.

Exam trap

The trap here is that candidates focus on the user identity or authentication details (like MFA or CLI usage) instead of recognizing that the actual API action—opening SSH to 0.0.0.0/0—is the most immediate and dangerous security concern.

How to eliminate wrong answers

Option A is wrong because the source IP 203.0.113.5 is a TEST-NET-1 address (RFC 5735) reserved for documentation and examples, not a known malicious IP range; real CloudTrail logs would show a routable IP. Option C is wrong because the event source is 'ec2.amazonaws.com' and the user agent indicates the AWS Management Console, not the AWS CLI; a CLI call would show 'aws-cli' or 'botocore' in the user agent field. Option D is wrong because while MFA is a best practice, the absence of MFA alone is not the most immediate concern—the critical issue is the actual security group rule change that opens SSH to the world, not the authentication method used for the API call.

9
MCQhard

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to quickly block all traffic to that IP while preserving the instance for forensic analysis. Which approach is the most effective?

A.Stop the instance immediately.
B.Modify the instance's security group to deny outbound traffic to the malicious IP.
C.Add a network ACL rule to deny outbound traffic from the instance's subnet to the malicious IP.
D.Modify the route table to route traffic to the malicious IP to a blackhole.
AnswerB

Security group rules can be updated quickly to block specific traffic.

Why this answer

Modifying the security group to deny outbound traffic to that IP is quick and reversible. Using NACLs is slower and affects subnets. Stopping the instance loses volatile data.

Route table modification is not effective for a single IP.

10
MCQeasy

A security team wants to detect unauthorized API calls in real time and automatically block the source IP address using network ACLs. Which AWS service should be used for detection?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS WAF
D.AWS Config
AnswerA

GuardDuty uses machine learning to detect suspicious API activity.

Why this answer

Amazon GuardDuty is the correct choice because it is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including API calls from unusual or known-bad IP addresses. It uses machine learning, anomaly detection, and integrated threat intelligence to generate findings that can trigger automated remediation, such as updating network ACLs via AWS Lambda and Amazon EventBridge. This aligns with the requirement for real-time detection and automated blocking of source IPs.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with real-time threat detection, overlooking that GuardDuty is specifically designed for proactive security monitoring and automated response, while CloudTrail is purely a logging and auditing service.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because it is an auditing service that records API call history for compliance and governance, but it does not perform real-time threat detection or generate alerts for unauthorized activity; it lacks built-in anomaly detection or threat intelligence. Option C (AWS WAF) is wrong because it is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting at the application layer, not for detecting unauthorized API calls or blocking IPs via network ACLs; it operates on HTTP/HTTPS traffic, not all API calls. Option D (AWS Config) is wrong because it is a configuration management and compliance service that evaluates resource configurations against rules, not a threat detection service; it cannot detect unauthorized API calls or trigger network ACL updates in real time.

11
MCQhard

Refer to the exhibit. A security engineer is reviewing a resource-based policy attached to an AWS Lambda function. The engineer notices that the policy allows any Lambda function in the account to invoke the function. Which security concern should the engineer address?

A.The policy grants excessive permissions by allowing all actions.
B.The policy does not specify a resource ARN, so it applies to all functions.
C.The policy allows invocation from any Lambda function across all AWS accounts.
D.The policy allows the Lambda service to modify the function code.
AnswerC

Without a source account condition, any Lambda service principal can invoke.

Why this answer

Option C is correct because the resource-based policy on the Lambda function uses a principal of `*` without any condition key (such as `aws:SourceAccount` or `aws:SourceArn`) to restrict invocation to only the same account. This means any Lambda function in any AWS account can invoke this function, which is a security concern as it allows cross-account invocation without authorization.

Exam trap

The trap here is that candidates often confuse a wildcard principal (`*`) with a wildcard resource (`*`), assuming that `*` in the principal field automatically restricts to the same account, but it actually allows cross-account access unless a condition key is used.

How to eliminate wrong answers

Option A is wrong because the policy does not grant excessive permissions by allowing all actions; it only specifies the `lambda:InvokeFunction` action, which is a single, specific action. Option B is wrong because the policy does specify a resource ARN (the function's own ARN), so it does not apply to all functions; the issue is the principal, not the resource. Option D is wrong because the policy only allows invocation (`lambda:InvokeFunction`), not modification of function code; modifying code would require `lambda:UpdateFunctionCode` or similar actions.

12
Multi-Selecteasy

Which TWO AWS services can be used to detect anomalous API activity in an AWS account? (Choose two.)

Select 2 answers
A.Amazon GuardDuty
B.AWS CloudTrail
C.VPC Flow Logs
D.AWS Config
E.Amazon Inspector
AnswersA, B

GuardDuty detects anomalous API activity using ML.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including anomalous API activity. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs. When GuardDuty detects unusual API calls, such as a spike in failed authentication attempts or API calls from an unusual geographic location, it generates a security finding.

This makes GuardDuty a correct choice for detecting anomalous API activity.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail as a detection service, but CloudTrail is only the logging source that records API activity; it does not analyze or detect anomalies on its own—GuardDuty consumes those logs for detection.

13
Multi-Selecteasy

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a security incident, the security team needs to quickly patch a critical vulnerability across all Windows instances in a specific AWS region. Which steps should the team take? (Choose TWO.)

Select 2 answers
A.Assign the patch baseline to the instances by specifying a patch group.
B.Tag all instances with 'PatchGroup=Critical' to include them in the patching.
C.Create a custom patch baseline that includes the required patch.
D.Use the AWS-provided default patch baseline for Windows.
E.Use SSM Run Command to execute a script that downloads and installs the patch.
AnswersA, C

Patch groups control which baseline is applied to which instances.

Why this answer

Option A is correct because assigning a custom patch baseline to instances via a patch group allows the security team to target specific Windows instances for patching. Patch Manager uses patch groups to associate instances with a specific patch baseline, ensuring only the desired instances receive the critical patch. This approach provides granular control over which instances are patched during an incident.

Exam trap

The trap here is that candidates often confuse tagging instances with a patch group (which is necessary for association) with the actual patching action, or they assume the default patch baseline will automatically include all critical patches, when in fact custom baselines are required for targeted incident response.

14
MCQeasy

A security engineer receives an alert that an EC2 instance is generating outbound traffic to a known malicious IP address. What is the FIRST step the engineer should take as part of the incident response process?

A.Analyze the network traffic logs to understand the scope.
B.Apply the latest security patches to the EC2 instance.
C.Isolate the EC2 instance by modifying the security group to deny all traffic.
D.Terminate the EC2 instance immediately.
AnswerC

Isolation contains the threat while preserving evidence.

Why this answer

Option C is correct because the first step in incident response for a compromised EC2 instance is containment. Modifying the security group to deny all inbound and outbound traffic immediately stops communication with the malicious IP and prevents further data exfiltration or lateral movement, while preserving the instance for forensic analysis. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often confuse the urgency of containment with the desire to gather evidence first, leading them to choose log analysis (Option A) instead of immediate isolation, but the exam emphasizes that containment is the priority to limit damage.

How to eliminate wrong answers

Option A is wrong because analyzing network traffic logs is a step in the identification and scoping phase, but it should not delay immediate containment; the engineer must first isolate the instance to stop active malicious traffic. Option B is wrong because applying security patches is part of the eradication and recovery phase, which occurs after containment; patching a currently compromised instance does not stop ongoing outbound traffic and may alert the attacker. Option D is wrong because terminating the EC2 instance destroys volatile data (e.g., memory, running processes, temporary files) that is critical for forensic investigation and root cause analysis; isolation preserves evidence.

15
MCQmedium

During an incident response, a security engineer needs to collect memory forensics from a running EC2 instance without shutting it down. The instance is running Amazon Linux 2. Which tool is MOST appropriate?

A.tcpdump
B.Volatility
C.LiME (Linux Memory Extractor)
D.dd command to capture /dev/mem
AnswerC

LiME captures memory.

Why this answer

LiME (Linux Memory Extractor) is the most appropriate tool for capturing volatile memory from a running Amazon Linux 2 EC2 instance without shutting it down. It is specifically designed to dump RAM contents to a file or over a network, minimizing the footprint on the target system and ensuring the integrity of the forensic acquisition.

Exam trap

The trap here is that candidates confuse memory acquisition tools (LiME) with memory analysis frameworks (Volatility), or mistakenly believe that dd /dev/mem still works on modern Linux kernels for full memory capture.

How to eliminate wrong answers

Option A is wrong because tcpdump is a network packet capture tool, not a memory forensics tool; it captures network traffic, not RAM contents. Option B is wrong because Volatility is a memory analysis framework used to examine memory dumps, not a tool to acquire memory from a live system. Option D is wrong because the dd command to capture /dev/mem is deprecated and restricted in modern Linux kernels (including Amazon Linux 2) due to security hardening; /dev/mem provides access to physical memory but is typically limited to the first 1 MB, making it unsuitable for full RAM acquisition.

16
MCQhard

A company has a security rule that all S3 buckets must have server access logging enabled. A security engineer uses AWS Config to evaluate compliance. The engineer configures a managed rule but notices that the rule does not evaluate all buckets. What is the most likely reason?

A.The rule only evaluates buckets in the us-east-1 region.
B.The rule only evaluates buckets that have a specific tag.
C.The rule excludes buckets that have a bucket policy denying access to AWS Config.
D.The rule requires the logging target bucket to be in the same account.
AnswerB

The managed rule 's3-bucket-logging-enabled' has an optional parameter 'TargetBucket' but does not require a specific tag. However, the most common reason for not evaluating all buckets is that the rule may be configured with a scope that includes only tagged resources, or the rule's trigger is set to configuration changes only, missing existing buckets. But among given, D is most plausible because many AWS Config rules can be scoped by tags.

Why this answer

Option B is correct because the AWS Config managed rule `s3-bucket-server-access-logging-enabled` can be configured with a `tag` parameter. When a tag is specified, the rule only evaluates S3 buckets that have that exact tag key-value pair. If the security engineer did not apply the required tag to all buckets, or if the rule was configured with a tag that does not match all buckets, some buckets will be excluded from evaluation, causing the observed behavior.

Exam trap

The trap here is that candidates often assume AWS Config managed rules evaluate all resources of a given type by default, overlooking the fact that many rules support optional tag-based filtering that can silently limit the scope of evaluation.

How to eliminate wrong answers

Option A is wrong because the managed rule `s3-bucket-server-access-logging-enabled` evaluates buckets across all regions where AWS Config is enabled, not just us-east-1; the rule is regional in scope but can be deployed in each region. Option C is wrong because bucket policies that deny access to AWS Config would cause the rule to report a non-compliant result (e.g., 'INSUFFICIENT_DATA' or 'NON_COMPLIANT') rather than silently skip evaluation; the rule still attempts to evaluate the bucket. Option D is wrong because the rule does not require the logging target bucket to be in the same account; cross-account logging is supported as long as the necessary permissions are in place, and the rule checks the bucket's logging configuration, not the target bucket's account.

17
MCQmedium

A company uses Amazon RDS for MySQL with automated backups enabled. The security team suspects that a database administrator (DBA) with full RDS access has exfiltrated data by creating a snapshot of the database and sharing it with an external AWS account. The team wants to detect such exfiltration in the future. Which step should the team take to detect and alert on snapshot sharing?

A.Use AWS Config to detect changes to RDS snapshot attributes.
B.Enable Amazon GuardDuty with RDS Protection.
C.Create an Amazon EventBridge rule that triggers on the `ModifyDBSnapshotAttribute` API call and sends an alert via Amazon SNS.
D.Enable AWS CloudTrail and review logs manually.
AnswerC

Automated detection and alerting.

Why this answer

Option C is correct because the `ModifyDBSnapshotAttribute` API call is the specific action used to share an RDS snapshot with an external AWS account. By creating an Amazon EventBridge rule that triggers on this API call, the team can immediately send an alert via Amazon SNS, enabling real-time detection and response to unauthorized snapshot sharing. This approach is automated, event-driven, and directly targets the exfiltration vector.

Exam trap

The trap here is that candidates often confuse AWS Config (which is configuration-aware but not real-time) with EventBridge (which is event-driven and real-time), or they mistakenly think GuardDuty RDS Protection covers all RDS-related threats, including data exfiltration via snapshot sharing, when it actually focuses on database-level threats like brute-force attacks or anomalous queries.

How to eliminate wrong answers

Option A is wrong because AWS Config can detect changes to RDS snapshot attributes, but it is a compliance-oriented service that evaluates resource configurations periodically (e.g., every 10 minutes) and does not provide real-time alerting on API calls; it would also require custom rules and lacks the immediate notification capability needed for security incidents. Option B is wrong because Amazon GuardDuty with RDS Protection focuses on detecting suspicious login attempts, anomalous access patterns, and potential compromise of the RDS instance itself, not on monitoring API-level actions like snapshot sharing. Option D is wrong because enabling AWS CloudTrail and manually reviewing logs is reactive, not proactive; it does not provide automated alerting and would be impractical for timely detection of exfiltration events.

18
MCQmedium

A company's AWS Lambda function that processes sensitive data is triggering unexpectedly. The security team wants to investigate using AWS CloudTrail. What should they look for?

A.`UpdateFunctionConfiguration` events in CloudTrail from the Lambda service.
B.`CreateFunction` events in CloudTrail from the Lambda service.
C.`Invoke` events in CloudTrail from the Lambda service.
D.`PutSubscriptionFilter` events in CloudTrail from CloudWatch Logs.
AnswerC

Each invocation generates an `Invoke` event.

Why this answer

Option C is correct because `Invoke` events in CloudTrail record every invocation of a Lambda function, including the source (e.g., AWS service, SDK, or console) and the identity that triggered it. By analyzing these events, the security team can identify unexpected triggers, such as unauthorized IAM users or roles invoking the function, or anomalous invocation patterns that indicate a potential security issue.

Exam trap

The trap here is that candidates may confuse configuration or creation events with invocation events, mistakenly thinking that `UpdateFunctionConfiguration` or `CreateFunction` would show who triggered the function, when in fact only `Invoke` events capture the actual execution requests.

How to eliminate wrong answers

Option A is wrong because `UpdateFunctionConfiguration` events record changes to the function's configuration (e.g., memory, timeout, environment variables), not the actual invocations that would reveal unexpected triggers. Option B is wrong because `CreateFunction` events record the creation of new Lambda functions, not the triggering of an existing function. Option D is wrong because `PutSubscriptionFilter` events from CloudWatch Logs are used to configure log subscription filters for streaming log data, not to capture Lambda invocation events.

19
MCQeasy

A company wants to automatically isolate an EC2 instance that is suspected to be compromised. What is the MOST effective AWS-native approach?

A.Terminate the instance immediately
B.Use Amazon GuardDuty to detect the compromise and automatically modify the instance's security group to deny all traffic
C.Use AWS Config to change the instance's IAM role
D.Use AWS Systems Manager to run a script that stops the instance
AnswerB

GuardDuty can trigger a Lambda to modify security group, isolating the instance.

Why this answer

Amazon GuardDuty can detect suspicious activity on an EC2 instance (e.g., cryptocurrency mining, unusual outbound traffic) and, when integrated with Amazon EventBridge and AWS Lambda, automatically modify the instance's security group to deny all traffic. This approach isolates the instance without terminating it, preserving forensic evidence and allowing further investigation. It is the most effective AWS-native approach because it combines threat detection with automated, least-privilege response actions.

Exam trap

The trap here is that candidates often choose termination (Option A) thinking it is the fastest way to stop the threat, but the exam emphasizes preserving forensic evidence and using automated, reversible isolation mechanisms like security group modification.

How to eliminate wrong answers

Option A is wrong because terminating the instance destroys volatile forensic data (memory, disk) and prevents post-incident analysis, which is contrary to incident response best practices. Option C is wrong because changing the instance's IAM role does not affect network traffic; the instance remains accessible over the network, so it does not isolate the compromised instance. Option D is wrong because using AWS Systems Manager to run a script that stops the instance still leaves the instance accessible until the stop completes, and stopping does not block network access immediately; additionally, Systems Manager requires the instance to have network connectivity to receive the command, which may not be reliable if the instance is already compromised.

20
MCQmedium

A company wants to detect and alert on suspicious IAM role usage, such as a role being assumed from an unusual geographic location. Which AWS service should be used to generate the alerts?

A.AWS IAM Access Analyzer
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon CloudWatch
AnswerB

GuardDuty uses anomaly detection on CloudTrail events to alert on unusual activity.

Why this answer

Amazon GuardDuty is the correct choice because it is a threat detection service that continuously monitors for suspicious activity, including unusual IAM role usage such as a role being assumed from an anomalous geographic location. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze CloudTrail management events and VPC flow logs, generating alerts (findings) for deviations from baseline behavior. This directly meets the requirement to detect and alert on suspicious role assumptions without needing to write custom rules.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with detection, assuming that because CloudTrail records the AssumeRole event, it can also alert on it, but CloudTrail requires an additional service like GuardDuty or CloudWatch with custom rules to generate alerts, whereas GuardDuty provides built-in, automated anomaly detection for this exact scenario.

How to eliminate wrong answers

Option A is wrong because AWS IAM Access Analyzer is designed to identify resources shared with external entities by analyzing resource-based policies, not to detect anomalous IAM role usage or generate real-time alerts based on geographic location. Option C is wrong because AWS CloudTrail is a logging service that records API activity but does not natively analyze logs for suspicious patterns or generate alerts; it requires additional services like CloudWatch Logs or GuardDuty to process and alert on the data. Option D is wrong because Amazon CloudWatch is a monitoring and observability service that can trigger alarms based on metrics or log patterns, but it lacks built-in anomaly detection for IAM role usage from unusual locations and would require custom metric filters and manual threshold configuration, making it less effective and more complex than GuardDuty's purpose-built capabilities.

21
MCQmedium

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

A.The AMI ID ami-0abcdef1234567890 is not a standard Amazon-provided AMI.
B.The source IP address 203.0.113.50 is from an unexpected geographic location not associated with the company.
C.The instance type m5.xlarge is unusually large compared to previous launches.
D.The security group sg-0123456789abcdef0 allows inbound SSH from 0.0.0.0/0.
AnswerB

Anomalous source IP is a common indicator of compromise.

Why this answer

The source IP address 203.0.113.50 is from an unexpected geographic location not associated with the company. In CloudTrail, the `sourceIPAddress` field records the originating IP of the API call. If an AdminRole is used from an IP outside the company's known CIDR ranges or geographic regions, it strongly indicates a potential compromise—such as stolen credentials or an attacker using the role from an unauthorized network.

This is a key indicator of anomalous behavior in threat detection.

Exam trap

The trap here is that candidates focus on technical misconfigurations (like open security groups or unusual AMIs) rather than the behavioral anomaly of an administrative action originating from an unexpected IP, which is the most direct indicator of a potential compromise in CloudTrail logs.

How to eliminate wrong answers

Option A is wrong because an AMI ID that is not a standard Amazon-provided AMI could be a custom or marketplace AMI, which is common in legitimate environments; it does not alone indicate compromise. Option B is correct as explained. Option C is wrong because an instance type like m5.xlarge may be larger than usual but could be legitimate for a specific workload; size alone is not a reliable indicator of compromise without context like cost anomalies or unusual launch patterns.

Option D is wrong because a security group allowing inbound SSH from 0.0.0.0/0 is a misconfiguration that increases risk, but it does not directly indicate that the launch action itself was unauthorized or compromised—it is a separate security issue.

22
MCQeasy

A security engineer receives an AWS GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a public IP and is in a public subnet. What is the IMMEDIATE step to contain the threat?

A.Stop the EC2 instance to stop the brute force attempts.
B.Change the security group name to 'Quarantine' and remove all rules.
C.Modify the network ACL to deny all inbound traffic from the attacker's IP address range.
D.Update the security group to deny inbound SSH from the attacker's IP address.
AnswerD

Immediately blocks the attacker while allowing other traffic.

Why this answer

Option D is correct because updating the security group to deny inbound SSH from the attacker's IP address immediately blocks the brute force attempts at the instance level without disrupting legitimate traffic from other sources. Security groups are stateful and act as a virtual firewall for EC2 instances, so denying the specific attacker IP for port 22 (SSH) stops the attack while preserving the instance's availability and other services.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and choose option C, thinking a subnet-wide block is more effective, but it is slower and impacts all instances in the subnet, whereas a security group update is immediate and targeted.

How to eliminate wrong answers

Option A is wrong because stopping the EC2 instance halts all services and may cause data loss or downtime, which is not the immediate containment step—it is a last resort. Option B is wrong because changing the security group name to 'Quarantine' and removing all rules would block all inbound and outbound traffic, effectively isolating the instance and breaking legitimate connectivity, which is too aggressive for immediate containment. Option C is wrong because modifying the network ACL to deny all inbound traffic from the attacker's IP address range is a subnet-level control that is stateless, meaning it would require also allowing return traffic explicitly; additionally, it affects all instances in the subnet, not just the targeted one, and is slower to implement than a security group update.

23
MCQmedium

A security engineer is investigating a potential data exfiltration from an S3 bucket that is configured to allow public access. The engineer wants to determine who accessed the bucket and from which IP addresses. Which AWS capability should be used?

A.Amazon S3 server access logs
B.AWS IAM Access Analyzer
C.AWS CloudTrail data events for S3
D.Amazon VPC Flow Logs
AnswerC

CloudTrail data events log S3 object-level operations with source IP and user identity.

Why this answer

AWS CloudTrail data events for S3 capture detailed API activity at the object level, including GetObject, PutObject, and DeleteObject calls. This allows the security engineer to identify exactly who accessed the bucket (via the user identity) and from which IP address (via the sourceIPAddress field in the CloudTrail event). Unlike management events, data events must be explicitly enabled and provide the granularity needed for this investigation.

Exam trap

The trap here is that candidates often confuse S3 server access logs (which also log IPs and request details) with CloudTrail data events, but server access logs lack IAM user identity information and are not integrated with AWS CloudTrail's centralized audit trail, making CloudTrail the correct choice for identity-aware investigation.

How to eliminate wrong answers

Option A is wrong because Amazon S3 server access logs provide detailed records of requests made to a bucket, including IP addresses and requester information, but they are delivered as log files to a target bucket and are not real-time; they also do not capture IAM user identity details as comprehensively as CloudTrail. Option B is wrong because AWS IAM Access Analyzer is used to identify resources shared with external entities by analyzing resource-based policies, not to track who accessed a bucket or from which IP addresses. Option D is wrong because Amazon VPC Flow Logs capture IP traffic metadata at the network interface level, but they do not log S3 API operations or the identity of the requester; S3 access via the internet or AWS PrivateLink may not even traverse a VPC flow log.

24
MCQeasy

A company uses AWS CloudTrail to log API calls in all accounts. The security team wants to be notified immediately when an IAM user creates a new access key for another user. Which combination of services should the team use?

A.AWS Config and Amazon Simple Email Service (SES).
B.Amazon GuardDuty and Amazon Simple Notification Service (SNS).
C.Amazon Macie and AWS Lambda.
D.AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (SNS).
AnswerD

CloudTrail logs events; CloudWatch Logs metric filter and alarm trigger SNS notification.

Why this answer

Option D is correct because it uses CloudTrail to capture the CreateAccessKey API call, sends those logs to CloudWatch Logs, and then triggers a CloudWatch alarm that publishes to an SNS topic for immediate notification. This combination provides real-time alerting on the specific IAM event without requiring additional services.

Exam trap

The trap here is that candidates often confuse AWS Config (which is reactive and compliance-focused) with CloudTrail (which is event-driven and real-time), leading them to choose Option A instead of the correct CloudTrail + CloudWatch Logs + SNS combination.

How to eliminate wrong answers

Option A is wrong because AWS Config is designed for resource compliance and configuration history, not real-time event-driven notification; SES is an email service that lacks the push notification capabilities needed for immediate alerts. Option B is wrong because GuardDuty focuses on threat detection using anomaly detection and threat intelligence feeds, not on monitoring specific IAM API calls like CreateAccessKey. Option C is wrong because Macie is a data security service that discovers and protects sensitive data in S3, not a service for monitoring IAM user activity or API calls.

25
MCQhard

During an incident response, a security engineer needs to capture a memory image of a compromised Amazon EC2 instance running Linux. The instance is in a production Auto Scaling group. Which approach is BEST?

A.Use AWS CloudFormation to create a new stack with a forensic instance and copy the compromised instance's data.
B.Terminate the instance immediately to prevent further damage and launch a replacement.
C.Detach the instance from the Auto Scaling group, isolate it by changing security groups, and use AWS Systems Manager Run Command to execute a memory acquisition tool.
D.Take a snapshot of the EBS volumes and attach them to a forensic instance to analyze memory.
AnswerC

Preserves memory and allows forensic collection.

Why this answer

Option C is correct because it preserves the volatile memory evidence by detaching the instance from the Auto Scaling group (preventing replacement) and isolating it via security group changes, then using AWS Systems Manager Run Command to execute a memory acquisition tool like LiME or AVML. This approach captures the memory image without shutting down the instance, which would destroy the evidence, and avoids the risk of the Auto Scaling group automatically terminating or replacing the instance during the investigation.

Exam trap

The trap here is that candidates confuse disk forensics (EBS snapshots) with memory forensics, assuming a snapshot captures RAM, or they prioritize immediate containment (termination) over evidence preservation, which violates the core incident response principle of 'preserve before remediate'.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation is an infrastructure-as-code service for provisioning resources, not a forensic tool; copying data from a compromised instance does not capture volatile memory, which is lost when the instance is stopped or terminated. Option B is wrong because terminating the instance immediately destroys the memory image and other volatile evidence, making forensic analysis impossible; incident response requires preserving evidence before remediation. Option D is wrong because an EBS snapshot captures only the persistent disk state (file system and storage), not the contents of RAM; memory analysis requires a dedicated memory acquisition tool executed on the running instance.

26
Multi-Selecthard

A security team is designing an automated incident response system. The system must meet the following requirements: (1) automatically respond to GuardDuty findings, (2) ensure that response actions are logged and immutable, and (3) allow for human approval before destructive actions. Which services should the team use? (Select THREE.)

Select 3 answers
A.Amazon EventBridge
B.AWS CloudTrail
C.AWS Step Functions
D.AWS Lambda
E.Amazon Simple Notification Service (SNS)
AnswersA, B, C

EventBridge receives GuardDuty findings and triggers workflow.

Why this answer

Amazon EventBridge (A) is correct because it can receive GuardDuty findings in near real-time and route them to downstream targets for automated response. This enables the first requirement by triggering workflows directly from GuardDuty events without custom polling.

Exam trap

The trap here is that candidates often select Lambda as the sole compute service, overlooking that Step Functions is required to orchestrate the human approval step and that CloudTrail is needed for immutable logging, not just EventBridge and Lambda alone.

27
MCQhard

A company has a requirement to detect and respond to threats in near real-time by analyzing VPC Flow Logs. The logs are generated in a VPC and sent to CloudWatch Logs. What is the MOST efficient way to analyze these logs for suspicious patterns and trigger automated responses?

A.Stream logs to Amazon Elasticsearch Service and use Kibana alerts
B.Use S3 event notifications to trigger Lambda functions on new log files
C.Export logs to S3 and use Amazon Athena queries with scheduled rules
D.Use Amazon Kinesis Data Analytics for real-time analysis and AWS Lambda for automated response
AnswerD

Kinesis Data Analytics can process streaming data and trigger Lambda for immediate action.

Why this answer

Amazon Kinesis Data Analytics can process streaming VPC Flow Logs from CloudWatch Logs in near real-time using SQL or Apache Flink, enabling immediate detection of suspicious patterns. AWS Lambda can then be triggered to automate incident response actions, such as updating security groups or isolating instances, making this the most efficient solution for near real-time threat detection and response.

Exam trap

The trap here is that candidates often choose batch-oriented solutions like Athena or S3 event notifications, overlooking the explicit 'near real-time' requirement in the question, which demands a streaming analytics approach.

How to eliminate wrong answers

Option A is wrong because streaming logs to Amazon Elasticsearch Service (now OpenSearch Service) and using Kibana alerts introduces significant latency due to indexing and query overhead, and it is not designed for near real-time automated response. Option B is wrong because S3 event notifications trigger Lambda functions on new objects, but VPC Flow Logs are sent to CloudWatch Logs, not directly to S3, and this approach would require an additional export step, breaking near real-time analysis. Option C is wrong because exporting logs to S3 and using Athena with scheduled rules is a batch-oriented process that incurs minutes of delay, failing the near real-time requirement.

28
Multi-Selecteasy

Which TWO actions are best practices for securing an AWS account's root user? (Choose 2.)

Select 2 answers
A.Share the root user password with the team for emergency access
B.Use a strong password and store it securely
C.Enable multi-factor authentication (MFA) on the root user
D.Use the root user for daily administrative tasks
E.Create access keys for the root user for programmatic access
AnswersB, C

Strong password is a basic security measure.

Why this answer

Option B is correct because the root user has unrestricted access to all AWS resources and services, so a strong, complex password (e.g., at least 14 characters with mixed case, numbers, and symbols) is essential to prevent brute-force or credential-stuffing attacks. Storing this password securely—such as in a password manager with restricted access or a physical safe—ensures it is available only to authorized personnel for emergency break-glass scenarios, aligning with the principle of least privilege and the AWS Well-Architected Framework's security pillar.

Exam trap

The trap here is that candidates often think sharing the root password with the team (Option A) is a valid emergency access strategy, but AWS explicitly recommends using IAM roles with a break-glass process (e.g., AWS Systems Manager Incident Manager) instead, as shared passwords create auditability and credential rotation issues.

29
Drag & Dropmedium

Drag and drop the steps to implement a secure CI/CD pipeline with AWS CodePipeline and IAM in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Secure pipeline requires encrypted artifact bucket, IAM roles, source repo, build project with security scanning, and pipeline.

30
MCQeasy

A security engineer discovers an Amazon GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' for an EC2 instance. The instance is part of an Auto Scaling group and has a public IP address. What is the MOST effective immediate step to mitigate the threat?

A.Modify the network ACL to block SSH traffic from the attacker's IP.
B.Terminate the instance without detaching it from the Auto Scaling group.
C.Update the security group to restrict SSH access to known IP addresses.
D.Detach the instance from the Auto Scaling group and terminate it.
AnswerD

This stops the attack and prevents the Auto Scaling group from automatically launching a new instance.

Why this answer

Option D is correct because the instance is compromised and part of an Auto Scaling group. Detaching it first prevents the Auto Scaling group from immediately replacing it with a new instance that might inherit the same vulnerability, allowing for forensic analysis. Terminating it after detachment stops the SSH brute force attack at its source without risking automatic re-provisioning of a similarly exposed instance.

Exam trap

The trap here is that candidates assume terminating the instance directly (Option B) is sufficient, failing to recognize that Auto Scaling groups automatically replace terminated instances, which can immediately re-expose the environment to the same threat.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and modifying them to block only the attacker's IP is ineffective against distributed brute force attacks; also, this does not address the compromised instance itself. Option B is wrong because terminating an instance that is part of an Auto Scaling group triggers the group to launch a replacement instance immediately, potentially recreating the same vulnerability if the underlying AMI or configuration is unchanged. Option C is wrong because updating the security group to restrict SSH access to known IPs is a preventive measure, not an immediate incident response step; it does not stop the ongoing attack on the already compromised instance.

31
MCQhard

During a security incident, a security engineer needs to capture network traffic between an EC2 instance and an attacker's IP address for forensic analysis. The engineer has already identified the attacker's IP from CloudTrail logs. Which action captures the traffic without affecting the instance?

A.Update the network ACL to log all traffic to and from the attacker's IP.
B.Enable VPC Flow Logs on the subnet and query logs for the attacker's IP.
C.SSH into the instance and run tcpdump with a filter for the attacker's IP.
D.Create a VPC Traffic Mirroring session targeting the instance's ENI and mirror the traffic to a Network Load Balancer for capture.
AnswerD

Captures traffic without affecting the instance.

Why this answer

Option D is correct because VPC Traffic Mirroring captures all network traffic at the Elastic Network Interface (ENI) level without any performance impact or configuration change on the EC2 instance itself. It copies the traffic to a Network Load Balancer (NLB) or another target for capture and analysis, making it ideal for forensic investigation without disrupting the running instance.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which only provide metadata) with full packet capture capabilities, or they assume that SSHing into the instance is acceptable despite the risk of altering the instance state during an active incident.

How to eliminate wrong answers

Option A is wrong because network ACLs do not log traffic; they only allow or deny traffic based on rules, and they operate at the subnet level, not per-instance. Option B is wrong because VPC Flow Logs capture metadata (source/destination IP, ports, protocol, packets) but not the actual packet payload, so they cannot provide the full network traffic needed for deep forensic analysis. Option C is wrong because SSHing into the instance and running tcpdump would alter the instance's state (e.g., by installing or running a process) and could interfere with the incident or be blocked if the instance is compromised.

32
Multi-Selecteasy

A company wants to detect and respond to potential security threats in near real-time. Which TWO services should the company use together to achieve this? (Choose TWO.)

Select 2 answers
A.AWS Config
B.Amazon Inspector
C.AWS CloudTrail
D.AWS Security Hub
E.Amazon GuardDuty
AnswersD, E

Security Hub aggregates findings and can automate responses.

Why this answer

AWS Security Hub (D) aggregates security findings from multiple AWS services, including Amazon GuardDuty, and provides a comprehensive view of security alerts and compliance status. Amazon GuardDuty (E) is a threat detection service that continuously monitors for malicious activity and unauthorized behavior using machine learning and integrated threat intelligence. Together, they enable near real-time detection and response by centralizing findings from GuardDuty in Security Hub, which can trigger automated remediation workflows via Amazon EventBridge.

Exam trap

The trap here is that candidates often confuse AWS Config or CloudTrail as threat detection services, but they are primarily configuration auditing and API logging tools, respectively, and lack the real-time threat analysis capabilities of GuardDuty and Security Hub.

33
MCQhard

Refer to the exhibit. A security engineer is analyzing a CloudTrail log entry for an EC2 RunInstances call. The engineer needs to determine if the instance launch was authorized by an IAM policy. Which field should the engineer check to identify the IAM policy that was used to authorize the action?

A.The 'vpcEndpointId' field to see if the call came through a VPC endpoint.
B.The 'sourceIP' field to identify the IP address.
C.The 'eventType' field to determine the type of event.
D.The 'userIdentity' field to identify the IAM user or role that made the call.
AnswerD

The userIdentity shows who made the call; then you can review the attached policies.

Why this answer

The 'userIdentity' field in a CloudTrail log entry contains details about the IAM user or role that made the API call, including the ARN and the access key ID. To identify the specific IAM policy that authorized the action, the security engineer must first know the identity (user/role) from the 'userIdentity' field, then cross-reference that identity with the IAM policies attached to it. The policy itself is not directly listed in the log entry, but the identity is the key to tracing authorization.

Exam trap

The trap here is that candidates may think the 'eventType' or 'sourceIP' fields directly reveal authorization details, but CloudTrail does not log the specific policy that was evaluated; instead, the 'userIdentity' field is the critical link to identify the IAM entity whose policies were applied.

How to eliminate wrong answers

Option A is wrong because the 'vpcEndpointId' field indicates whether the call originated from a VPC endpoint, which is relevant for network-level logging and VPC endpoint policies, not for identifying the IAM policy that authorized the RunInstances action. Option B is wrong because the 'sourceIP' field shows the IP address from which the call was made, which is used for network-level analysis or source IP conditions in policies, but does not directly identify the IAM policy that authorized the action. Option C is wrong because the 'eventType' field indicates whether the event is an API call (AwsApiCall), a console login, or a service event, but it provides no information about the specific IAM policy used for authorization.

34
MCQeasy

A security engineer is reviewing AWS CloudTrail logs and notices repeated `CreateTrail` API calls from an IAM user that is not authorized to create trails. What is the MOST likely cause of these log entries?

A.The IAM user attempted to create a trail but was denied due to lack of permissions.
B.AWS GuardDuty is generating simulated events.
C.S3 server access logs are enabled for the trail's S3 bucket.
D.CloudTrail is configured to log only data events.
AnswerA

CloudTrail records all API calls, including denied attempts.

Why this answer

The repeated `CreateTrail` API calls in CloudTrail logs indicate that an IAM user is attempting to create a trail. Since the user lacks the required `cloudtrail:CreateTrail` permission, the API call is recorded as an attempted action that was denied by AWS Identity and Access Management (IAM) policy evaluation. CloudTrail logs all API calls, including those that fail due to insufficient permissions, which is why these entries appear in the logs.

Exam trap

The trap here is that candidates may think CloudTrail only logs successful API calls, but in reality, it logs all API calls, including those that are denied, which is why the repeated `CreateTrail` entries appear even though the user is not authorized.

How to eliminate wrong answers

Option B is wrong because AWS GuardDuty generates security findings and simulated events related to threats, not CloudTrail `CreateTrail` API calls; GuardDuty does not produce CloudTrail log entries. Option C is wrong because S3 server access logs record requests made to an S3 bucket, such as GET or PUT operations, not CloudTrail API calls like `CreateTrail`. Option D is wrong because CloudTrail's data events configuration controls which data plane operations are logged (e.g., S3 object-level events), but it does not affect the logging of management events like `CreateTrail`; the API call would still be logged regardless of data event settings.

35
Multi-Selectmedium

A security engineer is investigating a potential data exfiltration from an AWS account. Which TWO CloudTrail events would be MOST indicative of data exfiltration via S3?

Select 2 answers
A.`PutObject` API calls from a known internal IP.
B.`CopyObject` API calls from a production bucket to a bucket in another AWS account.
C.`ListObjects` API calls from an EC2 instance in the same VPC.
D.`GetObject` API calls from an IP address in an unfamiliar geographic region.
E.`DeleteObject` API calls from the root user.
AnswersB, D

Copying data to an external account is a common exfiltration technique.

Why this answer

Option B is correct because `CopyObject` API calls from a production bucket to a bucket in another AWS account indicate data being replicated or moved across account boundaries, which is a strong signal of potential data exfiltration. This action bypasses typical network controls and can transfer large volumes of data without requiring a download, making it a common exfiltration technique.

Exam trap

The trap here is that candidates often focus on `GetObject` as the primary exfiltration vector, but `CopyObject` is equally dangerous because it can move data directly to another account without leaving a network egress trail.

36
MCQhard

During a security incident, a security engineer needs to preserve forensic evidence from an EC2 instance that may be compromised. The instance is running a critical application. Which approach minimizes data loss while ensuring the integrity of the evidence?

A.Create an EBS snapshot, then isolate the instance by modifying the security group and removing it from the load balancer.
B.Immediately terminate the instance to stop any ongoing malicious activity.
C.SSH into the instance and run forensic tools to capture memory.
D.Detach the instance from the Auto Scaling group and leave it running without changes.
AnswerA

Snapshot preserves data; isolation prevents lateral movement.

Why this answer

Option A is correct because creating an EBS snapshot preserves the disk state at the point of the incident, capturing forensic evidence without altering the running instance. Isolating the instance by modifying the security group (e.g., removing all inbound/outbound rules) and removing it from the load balancer stops network traffic and prevents further compromise, minimizing data loss while maintaining the integrity of the evidence for later analysis.

Exam trap

The trap here is that candidates may think terminating the instance is the safest way to stop malicious activity, but they overlook the irreversible loss of forensic evidence and the need to preserve the disk state for investigation.

How to eliminate wrong answers

Option B is wrong because immediately terminating the instance destroys volatile data (e.g., memory, running processes) and the disk state, losing critical forensic evidence and preventing root cause analysis. Option C is wrong because SSH-ing into a potentially compromised instance risks alerting the attacker, altering evidence, or allowing the attacker to cover tracks; forensic memory capture should be done via hypervisor-level tools (e.g., AWS Nitro System's memory capture) or by attaching a forensic instance to the EBS volume. Option D is wrong because leaving the instance running without changes allows ongoing malicious activity to continue, potentially corrupting evidence or causing further damage; isolation (via security group and load balancer removal) is necessary to preserve the state.

37
MCQmedium

A company uses Amazon GuardDuty and AWS Security Hub in a single AWS account. The security team has created a custom action in Security Hub to send findings to a custom Lambda function for automated response. The Lambda function is designed to take remediation actions based on the finding type. During testing, the team notices that the Lambda function is not being invoked when new findings are generated. The Lambda function's resource-based policy allows invocations from Security Hub, and the function's execution role has necessary permissions. What is the most likely reason for the failure?

A.No Amazon EventBridge rule is configured to send Security Hub findings to the Lambda function.
B.GuardDuty is not enabled for all required resource types.
C.The Lambda function's execution role does not have permission to access GuardDuty.
D.The Lambda function's resource-based policy does not include Security Hub as a principal.
AnswerA

Custom actions in Security Hub rely on EventBridge rules to target Lambda.

Why this answer

Option C is correct because Security Hub custom actions require an EventBridge rule to route findings to the Lambda function. Without the rule, Security Hub cannot invoke Lambda directly. Option A is wrong because the function's execution role permissions are for accessing other AWS resources, not for being invoked.

Option B is wrong because Security Hub findings are generated even if GuardDuty is enabled. Option D is wrong because the Lambda function's resource-based policy allows invocation from Security Hub, but Security Hub does not directly invoke Lambda; it uses EventBridge.

38
MCQeasy

A company has a serverless application using AWS Lambda functions that process sensitive data. The security team wants to detect potential data exfiltration via DNS queries from the Lambda functions. Which service should be enabled to monitor DNS requests?

A.Amazon Route 53 Resolver DNS Firewall
B.AWS WAF
C.Amazon CloudWatch Logs
D.AWS GuardDuty
AnswerA

DNS Firewall logs and filters DNS queries.

Why this answer

Amazon Route 53 Resolver DNS Firewall is the correct choice because it provides DNS-layer filtering for outbound DNS queries from VPCs, including those made by Lambda functions. It can log and block DNS requests to known malicious domains, enabling detection of data exfiltration attempts that use DNS tunneling or command-and-control (C2) communication. This service integrates with VPC flow logs and CloudWatch to monitor DNS query patterns specifically.

Exam trap

The trap here is that candidates often confuse AWS WAF (web application firewall) with DNS-layer filtering, or assume GuardDuty natively monitors DNS queries without realizing it requires Route 53 Resolver DNS Firewall as a prerequisite data source.

How to eliminate wrong answers

Option B (AWS WAF) is wrong because it operates at the application layer (HTTP/HTTPS) to protect web applications from common exploits, not at the DNS layer, and cannot inspect or log DNS queries. Option C (Amazon CloudWatch Logs) is wrong because it is a log storage and monitoring service, not a DNS-specific monitoring tool; it can store logs from other services but does not natively capture or analyze DNS queries from Lambda. Option D (AWS GuardDuty) is wrong because while it uses threat intelligence to detect malicious activity, it relies on DNS logs from Route 53 Resolver DNS Firewall or VPC DNS logs as a data source; it does not directly monitor or log DNS queries itself.

39
MCQmedium

A company has a serverless application using AWS Lambda, API Gateway, and DynamoDB. The security team wants to detect and respond to potential SQL injection attempts in API requests. They have enabled AWS WAF on the API Gateway and created a rule to block SQL injection. However, they also want to capture the blocked requests for analysis and store them in an S3 bucket. The team has configured WAF to send logs to Amazon Kinesis Data Firehose, which delivers to an S3 bucket. After testing, the team notices that the logs are not being delivered. The Firehose delivery stream is in the same AWS account, and the S3 bucket policy allows the Firehose service to write. What is the most likely cause?

A.The WAF web ACL is not configured to log blocked requests.
B.The Kinesis Data Firehose delivery stream does not have an IAM role with permissions to write to the S3 bucket.
C.The S3 bucket policy does not grant write permissions to the Firehose delivery stream's IAM role.
D.Kinesis Data Firehose delivers logs in batches every 5 minutes, so the team should wait longer.
AnswerB

The delivery stream must have an IAM role with s3:PutObject permissions on the bucket.

Why this answer

Option D is correct because Kinesis Data Firehose requires an IAM role to write to S3, and the role must have the necessary permissions. Even if the bucket policy allows, the delivery stream's IAM role must be configured. Option A is wrong because WAF logs are delivered in near real time, not in batch.

Option B is wrong because the bucket policy allows Firehose, but the role is separate. Option C is wrong because WAF is enabled and blocking requests, so it should generate logs.

40
Multi-Selectmedium

A security engineer is investigating a potential security incident involving an Amazon RDS database. The engineer needs to identify which of the following actions should be taken during the forensic analysis phase? (Select TWO.)

Select 2 answers
A.Enable automatic backups if not already enabled.
B.Disable deletion protection to allow cleanup.
C.Modify the security group to restrict database access.
D.Take a manual snapshot of the RDS instance.
E.Review AWS CloudTrail logs for API calls related to the RDS instance.
AnswersD, E

A manual snapshot preserves the database state for analysis.

Why this answer

Option D is correct because taking a manual snapshot preserves a point-in-time, immutable copy of the RDS instance for offline forensic analysis without altering the live database. This ensures that evidence is captured before any changes occur during the investigation, and the snapshot can be restored to a separate instance for safe examination.

Exam trap

The trap here is confusing containment actions (like modifying security groups) with forensic preservation actions, leading candidates to select Option C instead of recognizing that the first step in forensic analysis is to capture immutable evidence via a snapshot and review CloudTrail logs.

41
Multi-Selecthard

An organization uses AWS CloudTrail with a multi-region trail. The security team suspects that an attacker has deleted logs. Which THREE findings would indicate that log deletion occurred? (Choose THREE.)

Select 3 answers
A.An S3 bucket with MFA Delete enabled.
B.A `StopLogging` API call from an unknown IP address.
C.A gap in CloudTrail logs for a period of time.
D.Multiple `StartLogging` API calls in the logs.
E.A `DeleteTrail` API call.
AnswersB, C, E

Suspicious if unauthorized.

Why this answer

Option B is correct because a `StopLogging` API call from an unknown IP address indicates that logging was deliberately disabled, which an attacker could do to cover their tracks. CloudTrail records all `StopLogging` events, and an unexpected source IP is a strong indicator of unauthorized activity. This directly suggests log deletion or suppression, as stopping the trail prevents further log delivery.

Exam trap

The trap here is that candidates may confuse a security control (MFA Delete) with an indicator of compromise, or think that `StartLogging` calls imply deletion, when in fact they are normal operational events that do not directly signal log tampering.

42
MCQeasy

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer needs to identify which IAM role or user accessed the bucket and from which IP address. Which AWS service should the engineer use to obtain this information?

A.AWS CloudTrail
B.AWS Config
C.VPC Flow Logs
D.Amazon GuardDuty
AnswerA

CloudTrail logs all API calls to S3, including IAM principal and source IP.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to S3, including the IAM role or user identity (via the `userIdentity` field) and the source IP address (via the `sourceIPAddress` field). For data exfiltration investigation, you need these specific details from management events or data events (e.g., `GetObject`, `PutObject`), which CloudTrail captures. Other services either lack identity-level detail or focus on network-level traffic without user attribution.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which show network traffic but not user identity) with CloudTrail (which shows API calls with identity), leading them to select VPC Flow Logs for IP-based investigation without realizing they need the IAM role or user context.

How to eliminate wrong answers

Option B (AWS Config) is wrong because it evaluates resource configuration compliance and records configuration changes, not API-level access logs with user identity and source IP. Option C (VPC Flow Logs) is wrong because it captures network traffic metadata (IPs, ports, protocols) at the VPC level but does not include IAM user or role identity, nor does it log S3 API operations. Option D (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to identify anomalies; it does not directly provide raw access logs with user identity and source IP for forensic investigation.

43
MCQhard

A company has a security requirement to automatically isolate an Amazon EC2 instance that is generating high network traffic to a known malicious IP address. The company uses Amazon GuardDuty and AWS Lambda. Which combination of services and configurations should be used to achieve the isolation?

A.Use VPC Flow Logs to send logs to CloudWatch Logs, then create a metric filter that triggers a Lambda function.
B.Use Amazon GuardDuty to send findings to AWS Systems Manager Automation to run a document that isolates the instance.
C.Use Amazon GuardDuty to send findings to Amazon CloudWatch Events, which triggers an AWS Lambda function that modifies the security group to remove the instance.
D.Use AWS Config rules to detect the traffic and invoke a Lambda function to change the security group.
AnswerC

This is a standard pattern for automated response.

Why this answer

Option C is correct because Amazon GuardDuty generates findings for threats like communication with known malicious IPs, and these findings can be sent to Amazon CloudWatch Events (now Amazon EventBridge). CloudWatch Events can then trigger an AWS Lambda function that modifies the security group associated with the EC2 instance to remove its inbound/outbound rules, effectively isolating the instance. This automated workflow meets the security requirement without manual intervention.

Exam trap

The trap here is that candidates may think GuardDuty can directly trigger Systems Manager Automation (Option B) without the intermediate CloudWatch Events step, or they may confuse AWS Config's compliance evaluation with real-time network threat detection (Option D).

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs are used for network traffic analysis and logging, not for real-time threat detection; creating a metric filter to trigger a Lambda function would require custom logic to identify malicious IPs and would not leverage GuardDuty's built-in threat intelligence. Option B is wrong because while AWS Systems Manager Automation can run documents to isolate instances, GuardDuty does not natively send findings directly to Systems Manager Automation; it sends findings to CloudWatch Events, which can then trigger Systems Manager Automation, but the option omits the necessary CloudWatch Events integration. Option D is wrong because AWS Config rules are designed for compliance and resource configuration changes, not for detecting network traffic patterns or malicious IP communication; they cannot evaluate VPC Flow Logs or network traffic in real time.

44
Multi-Selecteasy

Which TWO AWS services can be used to detect anomalous API calls in an AWS account?

Select 2 answers
A.AWS CloudTrail with Amazon CloudWatch Logs metric filters.
B.AWS Shield Advanced.
C.Amazon GuardDuty.
D.AWS Config with managed rules.
E.AWS WAF.
AnswersA, C

Can detect patterns like multiple failed API calls.

Why this answer

AWS CloudTrail with Amazon CloudWatch Logs metric filters is correct because CloudTrail records all API calls, and you can create metric filters on CloudWatch Logs to match patterns indicative of anomalous activity (e.g., unauthorized API calls, root user activity). When the filter triggers a threshold, it can send an alarm via Amazon SNS, enabling detection of anomalous API calls in near real-time.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which checks resource configurations) with API call monitoring, leading them to select AWS Config instead of recognizing that only CloudTrail and GuardDuty (which uses CloudTrail logs and VPC Flow Logs for anomaly detection) can detect anomalous API calls.

45
MCQmedium

A security engineer is setting up automated incident response for a compromised IAM user. The engineer wants to automatically revoke the user's access keys and attach a deny-all policy when a GuardDuty finding of type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' is generated. Which services should be used to achieve this automation?

A.Amazon Simple Notification Service (SNS) and AWS Lambda
B.AWS Config and AWS Lambda
C.Amazon CloudWatch Events and AWS Lambda
D.AWS Systems Manager Automation and AWS Lambda
AnswerC

CloudWatch Events can match GuardDuty findings and invoke Lambda.

Why this answer

Amazon CloudWatch Events (now part of Amazon EventBridge) can capture GuardDuty findings in real-time and trigger a Lambda function to revoke IAM user access keys and attach a deny-all policy. This is the native, event-driven pattern for automated incident response to GuardDuty findings, as CloudWatch Events directly supports GuardDuty as an event source.

Exam trap

The trap here is that candidates often confuse CloudWatch Events with SNS or Config, not realizing that CloudWatch Events is the only service that natively integrates with GuardDuty as an event source for real-time, automated remediation workflows.

How to eliminate wrong answers

Option A is wrong because Amazon SNS alone cannot trigger a Lambda function in response to GuardDuty findings; SNS requires a subscription and does not natively filter GuardDuty events. Option B is wrong because AWS Config is designed for resource compliance and configuration history, not for real-time event-driven response to security findings like GuardDuty. Option D is wrong because AWS Systems Manager Automation is intended for managing EC2 instances and on-premises servers, not for revoking IAM user credentials or attaching IAM policies.

46
MCQmedium

A security engineer is designing an automated incident response workflow for an Amazon EC2 instance that is compromised. The workflow must isolate the instance by removing it from the security group that allows SSH access. The engineer wants to use AWS Systems Manager Automation to run a document. What is the most secure way to grant the automation the necessary permissions to modify the security group?

A.Create a Systems Manager Automation service role with a least-privilege policy that includes ec2:ModifySecurityGroupRules and use that role in the automation.
B.Create an AWS Lambda function with permissions to modify the security group and call it from the automation.
C.Use the IAM user's permissions that trigger the automation.
D.Attach an IAM policy to the EC2 instance's instance profile that allows ec2:ModifySecurityGroupRules.
AnswerA

This is the recommended approach for least privilege.

Why this answer

Option A is correct because Systems Manager Automation can assume a dedicated service role with a least-privilege IAM policy that includes the specific action `ec2:ModifySecurityGroupRules`. This follows the security best practice of granting only the permissions required for the automation to modify the security group, without exposing broader privileges or relying on user or instance credentials.

Exam trap

The trap here is that candidates often confuse the instance profile role (used for the EC2 instance's own actions) with the automation service role (used for the Systems Manager service to perform actions on behalf of the engineer), leading them to incorrectly choose Option D.

How to eliminate wrong answers

Option B is wrong because introducing an AWS Lambda function adds unnecessary complexity and an additional attack surface; the automation can directly modify the security group via an assumed role without needing a middleman. Option C is wrong because using the IAM user's permissions violates the principle of least privilege and creates a security risk if the user has more permissions than needed; the automation should use a dedicated role, not inherit user credentials. Option D is wrong because attaching a policy to the EC2 instance profile grants permissions to the instance itself, not to the Systems Manager Automation service; the automation runs independently of the compromised instance and should not rely on the instance's role for incident response actions.

47
MCQeasy

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow access only from the corporate network (10.0.0.0/8). What is a potential security issue with this policy?

A.The policy allows anonymous access from the specified IP range.
B.The policy grants access to all actions, not just GetObject.
C.The policy resource is incorrect; it should be the bucket ARN without the /*.
D.The policy does not include a condition to require MFA.
AnswerA

Principal "*" means anyone (anonymous) can access if they meet the IP condition.

Why this answer

Option A is correct because the policy's `Principal: "*"` element allows anonymous access from any IP address, and the `Condition` block only restricts the source IP to 10.0.0.0/8. This means any unauthenticated request originating from within the corporate network (10.0.0.0/8) is permitted, effectively granting anonymous access to the S3 bucket. The intended goal of restricting access to authenticated corporate users is not achieved, as no `aws:userid` or `aws:username` condition is enforced.

Exam trap

The trap here is that candidates assume an IP address condition in a bucket policy automatically implies authenticated access, but AWS explicitly allows anonymous access when `Principal: "*"` is used, even with IP restrictions.

How to eliminate wrong answers

Option B is wrong because the policy uses `Action: "s3:GetObject"` which is a specific read action, not all actions; the issue is about authentication, not action scope. Option C is wrong because the resource ARN `arn:aws:s3:::example-bucket/*` is correct for object-level operations like GetObject; the bucket ARN without `/*` would be needed for bucket-level operations (e.g., ListBucket). Option D is wrong because MFA is not required by the scenario; the policy's flaw is allowing anonymous access, not the absence of MFA, and MFA is typically enforced via a separate condition key (`aws:MultiFactorAuthPresent`).

48
Multi-Selecthard

A company uses AWS CloudTrail to log all API activity. The security team wants to detect when an IAM user creates an access key for another user, which is a potential privilege escalation. Which TWO actions should the team take to set up this detection?

Select 3 answers
A.Create an AWS Config managed rule to detect CreateAccessKey calls.
B.Create a CloudWatch alarm based on the metric filter.
C.Create a CloudWatch Logs metric filter that matches the event CreateAccessKey.
D.Use Amazon EventBridge to create a rule that matches the CloudTrail event and triggers an AWS Lambda function.
E.Enable Amazon GuardDuty and create a custom threat list.
AnswersB, C, D

The alarm can send notifications when the filter matches.

Why this answer

Option B is correct because a CloudWatch alarm based on a metric filter allows the security team to monitor CloudTrail logs in real time and trigger an alert when a specific API call (CreateAccessKey) is made by an IAM user for another user. The metric filter extracts the event from CloudTrail logs stored in CloudWatch Logs, and the alarm evaluates the metric against a threshold to notify the team of potential privilege escalation.

Exam trap

The trap here is that candidates often confuse AWS Config managed rules (which evaluate resource state) with CloudTrail event detection (which requires log-based monitoring), leading them to select Option A instead of the correct combination of metric filters and alarms or EventBridge rules.

49
MCQmedium

During a security review, a security engineer notices that an S3 bucket contains sensitive data but has a bucket policy that allows access from any principal in the account. The engineer needs to identify any unintended cross-account access to this bucket. Which AWS service should be used?

A.AWS Config
B.AWS IAM Access Analyzer
C.AWS Trusted Advisor
D.Amazon Macie
AnswerB

Access Analyzer reviews resource policies to identify external entities.

Why this answer

AWS IAM Access Analyzer helps identify resources that are shared with external principals by analyzing resource-based policies (like S3 bucket policies). In this scenario, the bucket policy allows access from any principal in the account, but IAM Access Analyzer can detect if the policy also grants access to principals outside the AWS account (cross-account access). It generates findings for any policy that allows access from an external entity, making it the correct service to identify unintended cross-account access.

Exam trap

The trap here is that candidates often confuse AWS Config (which can detect public S3 buckets) with IAM Access Analyzer (which specifically detects cross-account access), leading them to choose Config when the question explicitly asks for unintended cross-account access, not just public access.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource compliance against rules but does not specifically analyze bucket policies for cross-account access; it can detect public access but not granular cross-account sharing. Option C is wrong because AWS Trusted Advisor provides best-practice checks (including S3 bucket permissions) but only flags buckets that are publicly accessible or open to all authenticated AWS users, not specifically cross-account access from a specific external account. Option D is wrong because Amazon Macie discovers and classifies sensitive data using machine learning, but it does not analyze bucket policies for cross-account permissions; it focuses on data content, not access controls.

50
MCQeasy

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an attacker is using an Amazon S3 bucket to exfiltrate data. Which AWS service can be used to analyze S3 access logs and detect anomalous patterns?

A.Amazon CloudFront
B.Amazon Athena
C.AWS Shield
D.AWS WAF
AnswerB

Athena can query S3 access logs for analysis.

Why this answer

Amazon Athena is the correct choice because it allows you to run SQL queries directly against Amazon S3 access logs stored in S3, enabling you to analyze large volumes of log data for anomalous patterns such as unusual data transfer volumes, repeated access from unfamiliar IP ranges, or unexpected object reads. This serverless query service is purpose-built for ad-hoc analysis of structured and semi-structured data in S3 without needing to load data into a separate database, making it ideal for incident response investigations.

Exam trap

The trap here is that candidates often confuse AWS WAF or CloudFront as log analysis tools because they are associated with web traffic inspection, but neither provides the ability to query S3 access logs for data exfiltration patterns.

How to eliminate wrong answers

Option A is wrong because Amazon CloudFront is a content delivery network (CDN) that accelerates static and dynamic content delivery; it does not provide query capabilities for S3 access logs and cannot analyze log data for anomalies. Option C is wrong because AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards against network and transport layer attacks; it does not inspect or analyze S3 access logs for data exfiltration patterns. Option D is wrong because AWS WAF is a web application firewall that filters HTTP/HTTPS traffic based on rules to protect against common web exploits; it operates at the application layer and cannot query or analyze S3 access logs.

51
MCQmedium

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The engineer needs to immediately block the traffic and capture a packet capture for forensic analysis. Which combination of actions should the engineer take?

A.Use Amazon GuardDuty to block the IP and enable VPC Traffic Mirroring.
B.Add a network ACL deny rule for the malicious IP, and enable VPC Traffic Mirroring.
C.Stop the EC2 instance and enable VPC Flow Logs.
D.Modify the security group to deny outbound traffic to the IP, and enable VPC Flow Logs.
AnswerB

Network ACLs support deny rules and are stateless, allowing immediate blocking; Traffic Mirroring captures full packets.

Why this answer

Option B is correct because a network ACL (NACL) is a stateless firewall that operates at the subnet level, allowing immediate blocking of traffic to/from a specific IP address without affecting the instance's security group rules. Enabling VPC Traffic Mirroring captures a full packet-level copy of the traffic for forensic analysis, which is superior to VPC Flow Logs (which only capture metadata). This combination provides both rapid containment and deep forensic data.

Exam trap

The trap here is that candidates confuse security groups (stateful, allow-only) with network ACLs (stateless, allow/deny) and mistakenly think a security group can block a specific IP, or they assume VPC Flow Logs provide packet-level capture when they only provide metadata.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service, not a blocking mechanism; it cannot directly block traffic, and VPC Traffic Mirroring is not enabled via GuardDuty. Option C is wrong because stopping the EC2 instance halts all traffic but prevents capturing live malicious traffic for analysis, and VPC Flow Logs only provide metadata (source/destination IP, ports, protocol) not full packet payloads. Option D is wrong because security groups are stateful and cannot deny outbound traffic to a specific IP address; they only support allow rules, and VPC Flow Logs do not capture packet contents.

52
Multi-Selecteasy

A security engineer is configuring automated response to a specific GuardDuty finding type. The engineer wants to automatically block the offending IP address in the security group when a finding is generated. Which TWO AWS services should the engineer use together to achieve this? (Choose TWO.)

Select 2 answers
A.AWS Lambda
B.AWS Config
C.Amazon Simple Notification Service (SNS)
D.Amazon EventBridge
E.Amazon CloudWatch Logs
AnswersA, D

Lambda can run code to modify security groups based on the finding details.

Why this answer

AWS Lambda is correct because it can execute custom code to modify security group rules, such as removing an offending IP address. Amazon EventBridge is correct because it can capture GuardDuty findings as events and trigger the Lambda function in response to a specific finding type. Together, they enable automated, event-driven remediation without manual intervention.

Exam trap

The trap here is that candidates often choose SNS because it is commonly associated with GuardDuty alerts, but they overlook that SNS cannot perform API actions like modifying security groups—only Lambda or Step Functions can execute the remediation logic.

53
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. What is the MOST efficient way to achieve this?

A.Use AWS Firewall Manager to deploy VPC Flow Logs and aggregate logs in a single account.
B.Configure VPC Flow Logs to deliver to a central CloudWatch Logs log group in the management account.
C.Configure VPC Flow Logs to deliver to a central S3 bucket in the security account, and use a bucket policy that grants the source accounts permission to write.
D.Set up VPC Flow Logs in each account to deliver to local S3 buckets, then use S3 replication to copy to a central bucket.
AnswerC

VPC Flow Logs can deliver directly to S3 cross-account using a bucket policy.

Why this answer

Option C is correct because it uses a central S3 bucket in the security account with a bucket policy that grants the PutObject permission to the VPC Flow Logs delivery service from each source account. This is the most efficient approach as it avoids per-account configuration overhead, eliminates the need for cross-account replication, and provides a single location for centralized analysis using services like Amazon Athena or Amazon QuickSight.

Exam trap

The trap here is that candidates assume Firewall Manager (Option A) handles log aggregation, but it only manages the configuration policy, not the actual log delivery destination; similarly, many mistakenly think CloudWatch Logs (Option B) supports cross-account delivery natively, which it does not.

How to eliminate wrong answers

Option A is wrong because AWS Firewall Manager can centrally deploy VPC Flow Logs configurations but does not aggregate the logs themselves; it only manages the policy, and logs still need to be delivered to a central destination. Option B is wrong because CloudWatch Logs log groups cannot be written to cross-account by default; VPC Flow Logs can only deliver to a CloudWatch Logs log group in the same account, and centralizing requires additional infrastructure like a subscription filter or Lambda to forward logs. Option D is wrong because it introduces unnecessary complexity and cost by requiring S3 replication, which adds latency and storage overhead, and is less efficient than direct cross-account delivery to a central bucket.

54
MCQeasy

A security engineer is investigating a potential data exfiltration incident where an EC2 instance is sending large volumes of data to an unknown IP address. Which AWS service should the engineer use to capture and analyze the network traffic for evidence?

A.AWS WAF
B.AWS Shield
C.Amazon Inspector
D.VPC Traffic Mirroring
AnswerD

VPC Traffic Mirroring can capture and inspect network traffic from EC2 instances.

Why this answer

VPC Traffic Mirroring is the correct choice because it allows you to capture and inspect network traffic from an EC2 instance by mirroring the traffic to a monitoring appliance or a security tool. This enables deep packet inspection to analyze the contents of the data being sent to the unknown IP address, providing evidence for data exfiltration. Unlike other services, Traffic Mirroring operates at the network level, copying all packets (including payloads) without affecting the source instance.

Exam trap

The trap here is that candidates often confuse VPC Traffic Mirroring with VPC Flow Logs, but Flow Logs only capture metadata (source/destination IP, ports, protocol, packet count) and not the actual packet payloads, making them insufficient for evidence of data exfiltration content.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS traffic at the application layer (Layer 7) and cannot capture or analyze raw network packets or non-HTTP traffic. Option B is wrong because AWS Shield is a DDoS protection service that mitigates volumetric attacks but does not provide packet capture or forensic analysis of outbound traffic. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposure, not a tool for capturing or analyzing live network traffic.

55
MCQhard

During an incident response, a security engineer needs to collect volatile memory from a compromised EC2 instance without affecting the running system. The instance is critical and cannot be stopped. Which approach is most appropriate?

A.Stop the instance, detach the root volume, and attach it to a forensics instance for analysis.
B.Use AWS License Manager to create a snapshot of the instance memory.
C.Use Amazon EC2 Rescue to collect memory dump.
D.Use AWS Systems Manager Run Command to execute a memory capture utility.
AnswerD

Run Command can execute scripts without stopping the instance.

Why this answer

Option D is correct because AWS Systems Manager Run Command allows you to execute a memory capture utility (such as WinPmem or LiME) on the EC2 instance without stopping it, preserving volatile memory for forensic analysis. This approach uses the SSM Agent to run commands remotely, minimizing impact on the running system while collecting critical evidence like running processes, network connections, and kernel data.

Exam trap

The trap here is that candidates may think stopping the instance (Option A) is safe for forensics, but they forget that volatile memory is lost on shutdown, making it useless for memory analysis.

How to eliminate wrong answers

Option A is wrong because stopping the instance destroys volatile memory (RAM contents are lost on power-off), defeating the purpose of collecting a memory dump. Option B is wrong because AWS License Manager is a service for managing software licenses, not for capturing instance memory; it has no capability to snapshot RAM. Option C is wrong because Amazon EC2 Rescue is a tool for diagnosing and troubleshooting EC2 issues (e.g., collecting logs and configuration data), but it does not perform a full memory dump; it focuses on system health, not forensic memory acquisition.

56
MCQmedium

A security team discovers that an IAM user's credentials are being used from an unusual geographic location. Which AWS service can provide automated response to revoke the user's access immediately?

A.Amazon GuardDuty
B.AWS Systems Manager Automation
C.AWS Lambda
D.AWS Config
AnswerB

SSM Automation runbooks can execute actions like disabling access keys in response to events.

Why this answer

AWS Systems Manager Automation is correct because it can be triggered by Amazon GuardDuty findings (e.g., UnauthorizedAccess:IAMUser/AnomalousBehavior) via Amazon EventBridge to run an automation document that immediately revokes the IAM user's access keys and applies a deny-all policy. This provides a fully automated, low-latency response without requiring manual intervention or custom code.

Exam trap

The trap here is that candidates often pick Amazon GuardDuty because they associate it with threat detection, but they overlook that GuardDuty only detects and alerts—it requires a separate automation service like Systems Manager Automation to actually perform the revocation.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that identifies anomalous activity but does not have built-in capabilities to automatically revoke IAM user credentials; it relies on downstream services like Systems Manager Automation or Lambda for response. Option C is wrong because AWS Lambda is a compute service that can execute custom code to revoke credentials, but it is not a managed automated response service itself—it requires you to write and maintain the function, whereas Systems Manager Automation provides a pre-built, auditable runbook. Option D is wrong because AWS Config is a resource compliance and configuration tracking service; it cannot directly revoke IAM credentials or respond to real-time security events.

57
MCQeasy

A security engineer finds this IAM policy attached to a user. The user is able to create CloudTrail trails but cannot start logging. What is the MOST likely reason?

A.The user lacks `iam:PassRole` permission for the CloudTrail service role.
B.The `StartLogging` action is not listed in the policy.
C.The policy does not specify the `cloudtrail:StartLogging` action.
D.The user does not have permission to create CloudTrail trails.
AnswerA

Starting logging requires passing an IAM role to CloudTrail.

Why this answer

The user can create CloudTrail trails but cannot start logging because starting logging requires the `iam:PassRole` permission to pass the CloudTrail service role to the CloudTrail service. Without this permission, CloudTrail cannot assume the role needed to write logs to the S3 bucket and deliver them to CloudWatch Logs, even though the user has `cloudtrail:CreateTrail` and `cloudtrail:StartLogging` actions in the policy.

Exam trap

The trap here is that candidates focus on the missing `cloudtrail:StartLogging` action in the policy, but the real issue is the missing `iam:PassRole` permission, which is a common oversight when configuring CloudTrail permissions.

How to eliminate wrong answers

Option B is wrong because the `StartLogging` action is not a permission; it is an API call, and the policy likely includes `cloudtrail:StartLogging` as an action, but the issue is the missing `iam:PassRole`. Option C is wrong because the policy does not need to specify `cloudtrail:StartLogging` as a separate action if it is already included; the problem is the missing `iam:PassRole` permission, not the absence of the action. Option D is wrong because the user is able to create CloudTrail trails, which directly contradicts the claim that they lack permission to create trails.

58
MCQhard

A company uses a multi-account AWS Organizations setup with hundreds of accounts. The security team uses AWS Security Hub in the management account to aggregate findings from all accounts. They have configured Amazon GuardDuty in all accounts and enabled AWS Config with recording. Recently, they noticed that Security Hub is not displaying any findings from GuardDuty in member accounts, even though GuardDuty is generating sample findings. The security team has verified that the Security Hub integration with GuardDuty is enabled in the management account. What is the most likely reason for the missing findings?

A.The IAM role for Security Hub in the management account lacks permissions to read findings from member accounts.
B.AWS Security Hub is not enabled in the member accounts.
C.Amazon GuardDuty is not enabled in the member accounts.
D.The member accounts have not enabled the integration between GuardDuty and Security Hub.
AnswerD

Each member account must enable the integration to forward findings to Security Hub.

Why this answer

Option D is correct because in a multi-account AWS Organizations setup, Security Hub in the management account aggregates findings from member accounts only if each member account has explicitly enabled the integration between GuardDuty and Security Hub. Even if GuardDuty is generating sample findings in member accounts, Security Hub will not display those findings unless the member account has enabled the GuardDuty-to-SecurityHub integration (via the Security Hub console or API). The management account enabling the integration does not automatically propagate the integration to member accounts.

Exam trap

The trap here is that candidates assume enabling the integration in the management account automatically propagates to all member accounts, but AWS requires each member account to explicitly enable the GuardDuty-to-SecurityHub integration for findings to be forwarded.

How to eliminate wrong answers

Option A is wrong because Security Hub in the management account uses AWS Organizations' trusted access and the AWSServiceRoleForSecurityHub service-linked role to read findings from member accounts; no additional IAM role permissions are required for cross-account reading of findings. Option B is wrong because Security Hub must be enabled in member accounts to receive findings, but the question states that Security Hub is aggregating findings from all accounts, implying it is enabled in member accounts; the issue is specifically about GuardDuty findings not appearing. Option C is wrong because the question explicitly states that GuardDuty is generating sample findings in member accounts, confirming GuardDuty is enabled and functioning in those accounts.

59
MCQmedium

A security engineer is investigating a potential credential compromise. An IAM user's access key was used to launch EC2 instances in a region where the user has never operated before. The engineer wants to quickly identify all API calls made by this user in the last 24 hours, including the source IP addresses. Which AWS service or feature should be used?

A.AWS CloudTrail
B.VPC Flow Logs
C.AWS Trusted Advisor
D.Amazon CloudWatch Logs
AnswerA

CloudTrail records all management and data events, including API calls with user identity and source IP.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made by IAM users, including the source IP address, user identity, and request details. By querying CloudTrail logs for the specific IAM user's access key over the last 24 hours, the engineer can identify every EC2-related and other API call, along with the originating IP addresses, enabling rapid investigation of the potential credential compromise.

Exam trap

The trap here is that candidates may confuse VPC Flow Logs (network-level traffic) with CloudTrail (API-level activity), mistakenly thinking flow logs can identify which IAM user performed an action, when in fact flow logs only show IP addresses and ports without user identity.

How to eliminate wrong answers

Option B (VPC Flow Logs) is wrong because it captures network traffic metadata (IP addresses, ports, protocols) at the VPC level, not API calls made by IAM users; it cannot show which user or access key initiated an EC2 instance launch. Option C (AWS Trusted Advisor) is wrong because it provides best-practice checks and recommendations (e.g., security groups, cost optimization), not a record of API activity or source IPs for user actions. Option D (Amazon CloudWatch Logs) is wrong because it is a service for monitoring, storing, and accessing log files from various AWS resources (e.g., application logs, Lambda logs), but it does not natively capture IAM user API call history; CloudTrail logs can be sent to CloudWatch Logs, but CloudWatch Logs itself is not the source of API call records.

60
MCQmedium

A company has a security requirement to capture all DNS queries made by EC2 instances for threat analysis. Which AWS service can provide this capability with minimal configuration?

A.VPC Flow Logs
B.Amazon Inspector
C.Amazon Route 53 Resolver DNS Firewall
D.AWS CloudTrail
AnswerC

Route 53 Resolver DNS Firewall can log and filter DNS queries.

Why this answer

Amazon Route 53 Resolver DNS Firewall can capture and log all DNS queries made by EC2 instances by enabling DNS query logging to Amazon S3 or CloudWatch Logs. This requires minimal configuration because it integrates directly with the VPC's DNS resolver, automatically capturing outbound DNS traffic without needing agents or changes to instance configurations.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which capture network traffic metadata) with DNS query logging, not realizing that DNS queries are application-layer (Layer 7) and require a DNS-specific logging mechanism like Route 53 Resolver DNS Firewall's query logging feature.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (source/destination IPs, ports, protocols) but do not capture DNS query names or content; they operate at Layer 3/4, not Layer 7. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposure, not a DNS query logging or threat analysis tool. Option D is wrong because AWS CloudTrail records API calls made to AWS services (e.g., EC2 RunInstances), not network-level DNS queries from instances.

61
MCQhard

During an incident response, a security engineer needs to preserve the state of an EC2 instance for forensic analysis. The instance is running a production workload that cannot be interrupted. Which of the following actions should the engineer take FIRST to ensure data integrity?

A.Run the dd command to clone the root volume to another EBS volume.
B.Create an AMI from the instance while it is running.
C.Take a snapshot of the attached EBS volumes while the instance is running.
D.Use AWS Systems Manager Run Command to create a memory dump and store it in S3.
AnswerD

Memory dumps capture volatile data for forensic analysis without stopping the instance.

Why this answer

Option D is correct because during an incident response, preserving volatile data (such as memory contents) is critical before any other action that might alter the system state. AWS Systems Manager Run Command can execute a command (e.g., using `dd` or `LiME`) to capture a memory dump and store it in Amazon S3 without interrupting the production workload. This ensures that forensic artifacts like running processes, network connections, and encryption keys are preserved before any disk-level operations that could overwrite or modify evidence.

Exam trap

The trap here is that candidates often prioritize disk-level preservation (snapshots or AMIs) as the first step, forgetting that volatile memory contains critical evidence that is lost the moment the instance is stopped or snapshotted, and that AWS Systems Manager can capture this data without interrupting the workload.

How to eliminate wrong answers

Option A is wrong because running the `dd` command to clone the root volume to another EBS volume requires the volume to be unmounted or in a consistent state; doing so on a running production instance can cause data corruption or I/O errors, and it does not capture volatile memory. Option B is wrong because creating an AMI from a running instance without first freezing the filesystem (e.g., using `fsfreeze`) can result in an inconsistent image due to ongoing writes, and it does not capture memory contents. Option C is wrong because taking a snapshot of attached EBS volumes while the instance is running does not guarantee crash consistency unless all volumes are snapshotted simultaneously (multi-volume snapshot), and it still fails to preserve volatile memory data that is essential for forensic analysis.

62
MCQhard

A company uses AWS CloudTrail to log all API calls. The security team notices a series of `UpdateTrail` API calls from a user in the Security account, disabling logging on a multi-region trail. The user has a policy that allows `cloudtrail:UpdateTrail` only on trails with a specific tag. However, the trail does not have that tag. What is the MOST likely reason the call succeeded?

A.The trail did not have the required tag at the time of the API call due to a race condition.
B.The trail had an explicit deny in the same policy that was overridden by a separate allow.
C.The user's permissions were granted through a service control policy (SCP) that allowed the action.
D.CloudTrail API calls are not logged and bypass IAM policies.
AnswerA

If the tag condition was not met, the call should have failed unless the user had other permissions.

Why this answer

Option A is correct because AWS IAM policies are evaluated based on the resource's tags at the time of the API call. If the `UpdateTrail` API call was made while the trail's tag was being removed or added, a race condition could cause the trail to temporarily lack the required tag, allowing the action to succeed despite the policy's intent. This is a known edge case in IAM tag-based authorization, where eventual consistency of tag changes can lead to unintended access.

Exam trap

The trap here is that candidates assume IAM tag-based conditions are strictly enforced in real-time, but AWS's eventual consistency model can create race conditions that allow actions to succeed even when tags are not present at the exact moment of the API call.

How to eliminate wrong answers

Option B is wrong because an explicit deny in the same policy would always override any allow, and the scenario states the policy only allows `cloudtrail:UpdateTrail` on tagged trails, not that there is an explicit deny. Option C is wrong because a service control policy (SCP) can only deny or allow actions at the account level, but it cannot override a resource-based condition like a tag requirement; if the SCP allowed the action, the user still needed the tag condition to be met. Option D is wrong because CloudTrail API calls are indeed logged by CloudTrail itself (as management events), and IAM policies are always evaluated for every API call, including those to CloudTrail.

63
Multi-Selectmedium

A security engineer is investigating a potential data exfiltration incident where an attacker used a compromised EC2 instance to transfer data to an external IP. Which TWO AWS services can provide evidence of the network traffic and the API calls made from the instance?

Select 2 answers
A.VPC Flow Logs
B.AWS Config
C.Amazon GuardDuty
D.Amazon Inspector
E.AWS CloudTrail
AnswersA, E

Captures IP traffic information.

Why this answer

VPC Flow Logs capture metadata about IP traffic going to and from network interfaces, including the source/destination IP, ports, protocol, and packet/byte counts. This provides direct evidence of data being transferred to an external IP address from the compromised EC2 instance. AWS CloudTrail records API calls made within the AWS environment, such as those executed by the EC2 instance's IAM role or the instance itself (e.g., via the AWS CLI or SDK), which can reveal actions like starting data transfers or modifying security groups to allow exfiltration.

Exam trap

The trap here is that candidates often confuse Amazon GuardDuty as a source of raw evidence (like logs) when it is actually a detection service that consumes logs from other services (VPC Flow Logs, CloudTrail, DNS logs) to generate alerts, not a storage or retrieval service for the underlying traffic or API data.

64
Multi-Selectmedium

Which THREE actions should be taken when preserving forensic evidence from an EC2 instance during an incident? (Select THREE.)

Select 3 answers
A.Reboot the instance to clear any malicious processes.
B.Create an EBS snapshot of all volumes.
C.Terminate the instance to prevent further compromise.
D.Capture a memory dump using a tool like LiME.
E.Detach the instance from the network by modifying the security group.
AnswersB, D, E

Snapshots preserve the disk state at a point in time.

Why this answer

Option B is correct because creating an EBS snapshot preserves the exact state of the volume at the time of the incident, including any malicious files, logs, or artifacts. This snapshot can be used for offline forensic analysis without altering the original evidence. AWS recommends this as a first step in forensic acquisition to maintain chain of custody.

Exam trap

Cisco often tests the misconception that rebooting or terminating an instance is a safe containment step, but in forensic contexts these actions destroy volatile evidence and should be avoided until after memory and disk acquisition.

65
MCQmedium

The above IAM policy is attached to an AWS Lambda function. The function is failing to write logs to CloudWatch Logs. What is the likely cause?

A.The resource ARN does not include the log group itself; only log streams
B.The actions list does not include logs:DescribeLogGroups
C.The policy is missing an explicit deny for other actions
D.The region in the ARN does not match the Lambda function's region
AnswerA

PutLogEvents requires access to the log group resource as well.

Why this answer

The IAM policy grants `logs:CreateLogStream` and `logs:PutLogEvents` but specifies a resource ARN that only covers log streams (`arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:log-stream:*`). The Lambda function first needs to write to the log group itself (e.g., to create the log group or confirm its existence), which requires `logs:CreateLogGroup` or `logs:DescribeLogGroups` permissions on the log group resource ARN (`arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup`). Without that, the initial API call to the log group fails, preventing any log stream creation or log event delivery.

Exam trap

The trap here is that candidates focus on the actions (e.g., missing `logs:DescribeLogGroups`) rather than the resource ARN, which must include the log group itself (not just log streams) for the initial log group creation or access check.

How to eliminate wrong answers

Option B is wrong because `logs:DescribeLogGroups` is not required for writing logs; the Lambda execution role typically needs `logs:CreateLogGroup` on the log group resource to allow the function to create the log group if it doesn't exist, but the core issue is the resource ARN mismatch, not the missing action. Option C is wrong because an explicit deny is not needed; IAM defaults to an implicit deny for any action not explicitly allowed, so missing an explicit deny does not cause failures. Option D is wrong because the region in the ARN (`us-east-1`) matches the Lambda function's region in the scenario; the question does not indicate a region mismatch, and even if it did, the error would be a different one (e.g., cross-region access denied), not the specific failure to write logs.

66
MCQhard

A company uses AWS Organizations with multiple accounts and has enabled AWS Security Hub in the management account. The security team wants to automatically remediate a specific finding type that appears in Security Hub. Which combination of services should be used to achieve this?

A.Amazon EventBridge and AWS Lambda
B.AWS Config conformance packs and AWS Systems Manager Automation
C.Amazon Inspector and AWS Step Functions
D.Amazon GuardDuty and AWS Lambda
AnswerA

Security Hub sends findings to EventBridge, which can trigger a Lambda function for remediation.

Why this answer

Amazon EventBridge can capture Security Hub findings as events using an event rule that matches the specific finding type. When the rule triggers, it invokes an AWS Lambda function that contains the remediation logic, such as modifying security group rules or disabling access keys. This combination provides a serverless, event-driven architecture for automated response to Security Hub findings.

Exam trap

The trap here is that candidates may confuse Security Hub's integration with other AWS security services (GuardDuty, Inspector) as the trigger mechanism, when in fact EventBridge is the standardized event bus that Security Hub uses to emit findings for automated response.

How to eliminate wrong answers

Option B is wrong because AWS Config conformance packs are used to evaluate resource compliance against rules, not to reactively remediate specific Security Hub findings; while Systems Manager Automation can run remediation, the integration with Security Hub is typically done via EventBridge, not directly through conformance packs. Option C is wrong because Amazon Inspector is a vulnerability assessment service that generates its own findings, not a service for remediating Security Hub findings; Step Functions could orchestrate remediation but the trigger from Security Hub still requires EventBridge. Option D is wrong because Amazon GuardDuty is a threat detection service that generates its own findings, not a service for remediating Security Hub findings; while Lambda can be used for remediation, the correct trigger for Security Hub findings is EventBridge, not GuardDuty.

67
MCQeasy

A security engineer needs to detect suspicious API calls across multiple AWS accounts. The engineer has enabled AWS CloudTrail in each account and is sending logs to a central S3 bucket. Which additional step should the engineer take to analyze the logs for potential threats?

A.Enable AWS Config rules to monitor CloudTrail configuration.
B.Enable AWS Trusted Advisor in the management account.
C.Enable Amazon GuardDuty in each account.
D.Enable VPC Flow Logs in each account.
AnswerC

GuardDuty analyzes CloudTrail logs for suspicious API activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including suspicious API calls, by analyzing CloudTrail management and data events, VPC Flow Logs, and DNS logs. By enabling GuardDuty in each account, the security engineer can automatically detect potential threats across all accounts without manual log analysis. This directly addresses the need to analyze CloudTrail logs for suspicious API calls at scale.

Exam trap

The trap here is that candidates may confuse VPC Flow Logs (network traffic) with CloudTrail logs (API activity), or think that Config rules or Trusted Advisor can detect suspicious API calls, when in fact GuardDuty is the dedicated threat detection service for this purpose.

How to eliminate wrong answers

Option A is wrong because AWS Config rules monitor resource configuration compliance (e.g., ensuring CloudTrail is enabled), not the content of API calls for threat detection. Option B is wrong because AWS Trusted Advisor provides best-practice recommendations for cost, performance, and security, but does not analyze CloudTrail logs for suspicious API calls. Option D is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) and are useful for network-level threat detection, but they do not analyze CloudTrail API call logs for suspicious activity.

68
MCQhard

A security engineer is investigating a potential data exfiltration from an S3 bucket. The engineer has enabled S3 server access logs and CloudTrail data events. Which log source would provide the most granular details about the request, including the requester's IP address and user agent?

A.VPC Flow Logs
B.Amazon S3 server access logs
C.AWS CloudTrail data events
D.Amazon CloudWatch Logs
AnswerB

Server access logs include requester IP, user agent, and other details.

Why this answer

S3 server access logs provide detailed records of each request, including requester IP, user agent, and operation. CloudTrail data events also log S3 operations but may not include the user agent. VPC Flow Logs capture network traffic but not application-level details.

AWS CloudWatch Logs is not the source.

69
MCQmedium

A company's security policy requires that all S3 buckets be encrypted at rest. An security engineer needs to detect any S3 bucket that does not have default encryption enabled. Which AWS service should the engineer use to continuously monitor and alert on non-compliant buckets?

A.AWS CloudTrail
B.AWS Config
C.AWS Trusted Advisor
D.Amazon GuardDuty
AnswerB

Config can continuously evaluate resource configurations and trigger notifications for non-compliant resources.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of your AWS resource configurations against desired policies. You can create an AWS Config rule, such as the managed rule 's3-bucket-default-encryption-enabled', which automatically checks each S3 bucket for the presence of default encryption (SSE-S3 or SSE-KMS) and triggers an alert or remediation action for any non-compliant bucket. This aligns directly with the requirement to detect and alert on buckets lacking encryption at rest.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which evaluates resource configurations), leading them to choose CloudTrail for monitoring encryption settings when it only records the actions that change encryption, not the current state of encryption on each bucket.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity (e.g., PutBucketEncryption calls) but does not continuously evaluate the current configuration state of resources; it is an audit trail, not a compliance checker. Option C is wrong because AWS Trusted Advisor provides one-time or periodic checks for best practices (including S3 bucket permissions) but does not offer continuous, customizable monitoring or alerting for specific encryption settings like default encryption. Option D is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity; it does not evaluate resource configurations for compliance with encryption policies.

70
MCQhard

During incident response, a security engineer needs to preserve the state of a running EC2 instance for forensic analysis without losing volatile data. The instance is in an Auto Scaling group. Which action should the engineer take FIRST?

A.Detach the instance from the Auto Scaling group.
B.Stop the instance to preserve its EBS volumes.
C.Take an AMI of the instance immediately.
D.Suspend the `HealthCheck` and `ReplaceUnhealthy` processes on the Auto Scaling group.
AnswerD

Prevents Auto Scaling from interfering with the instance.

Why this answer

Option D is correct because suspending the `HealthCheck` and `ReplaceUnhealthy` processes on the Auto Scaling group prevents the group from detecting the instance as unhealthy and terminating it while the engineer preserves volatile data. This is the first step to ensure the instance remains running and accessible for forensic collection (e.g., memory dump) before any other actions that could alter its state.

Exam trap

The trap here is that candidates often choose to stop the instance or take an AMI first, not realizing that those actions destroy volatile data or require a stable state, whereas the correct first step is to prevent the Auto Scaling group from interfering with the running instance.

How to eliminate wrong answers

Option A is wrong because detaching the instance from the Auto Scaling group does not prevent the group from launching a replacement instance, but more critically, it does not protect the running instance from being terminated by other processes or manual actions; it also does not preserve volatile data. Option B is wrong because stopping the instance immediately loses volatile data (RAM, network connections, process state) which is critical for forensic analysis; the goal is to preserve the running state, not halt it. Option C is wrong because taking an AMI of the instance requires the instance to be in a stable state (often stopped or with consistent filesystem), and it does not capture volatile memory; it also takes time and could alter the instance state during the snapshot process.

71
MCQmedium

A company's security policy requires that all S3 bucket access logs be delivered to a central S3 bucket in the security account. A security engineer notices that some buckets are not delivering logs. The engineer needs to identify which buckets are not logging and ensure compliance. Which service should the engineer use to continuously monitor and report on S3 bucket logging?

A.Amazon Macie
B.Amazon S3 Inventory
C.AWS Config
D.AWS CloudTrail
AnswerC

AWS Config can evaluate whether S3 bucket logging is enabled.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of AWS resource configurations against desired policies. By using an AWS Config managed rule like `s3-bucket-logging-enabled`, the security engineer can automatically detect S3 buckets that do not have logging enabled and receive compliance notifications, ensuring ongoing adherence to the security policy.

Exam trap

The trap here is confusing AWS CloudTrail (which logs API calls) with AWS Config (which evaluates resource configurations), leading candidates to mistakenly choose CloudTrail for configuration compliance checks instead of Config.

How to eliminate wrong answers

Option A is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data in S3, not to monitor bucket logging configurations. Option B is wrong because Amazon S3 Inventory provides a list of objects and their metadata for auditing or lifecycle management, but it does not evaluate or report on the logging configuration of the buckets themselves. Option D is wrong because AWS CloudTrail records API activity for governance and auditing, but it does not continuously assess the configuration state of S3 bucket logging settings.

72
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze CloudTrail logs from all accounts in a single S3 bucket. What is the most efficient way to achieve this?

A.Create a CloudTrail trail in each account and configure the same S3 bucket as the destination.
B.Use CloudWatch Logs subscription filter to send logs from each account to a central account.
C.Create a single organization trail in the management account that logs all accounts.
D.Use S3 cross-region replication to copy logs from each account's bucket to a central bucket.
AnswerC

Organization trails automatically apply to all accounts in the organization.

Why this answer

Option C is correct because AWS Organizations supports creating a single organization trail in the management account that automatically logs CloudTrail events for all accounts in the organization. This centralizes log collection into one S3 bucket without needing to configure trails per account, making it the most efficient and scalable approach for multi-account environments.

Exam trap

The trap here is that candidates often assume each account must have its own trail (Option A) or that a streaming solution like CloudWatch Logs (Option B) is required, overlooking the native organization-level trail feature that simplifies centralization.

How to eliminate wrong answers

Option A is wrong because creating a trail in each account and pointing to the same S3 bucket requires manual setup per account, does not scale efficiently, and can lead to permission conflicts or log overwrites if bucket policies are not correctly configured. Option B is wrong because CloudWatch Logs subscription filters are designed to stream log data to a central account for real-time processing, but they are not the most efficient way to collect CloudTrail logs for long-term storage in S3; they add complexity and cost for a task that organization trails handle natively. Option D is wrong because S3 cross-region replication copies objects between buckets in different regions, but it does not centralize logs from multiple accounts into a single bucket; it requires each account to have its own bucket and replication rules, adding overhead and potential for configuration errors.

73
Multi-Selecthard

A company uses Amazon GuardDuty and has enabled EKS audit logs as a data source. The security team wants to detect potential container escape attempts. Which TWO findings would indicate a container escape attempt? (Choose TWO.)

Select 2 answers
A.Execution:ECS/SuspiciousCommand
B.UnauthorizedAccess:EC2/SSHBruteForce
C.CryptoCurrency:EC2/BitcoinTool.B
D.PrivilegeEscalation:EKS/KubernetesAPICallFromContainer
E.Persistence:EKS/ContainerWithSensitiveMount
AnswersD, E

Indicates a container making Kubernetes API calls, which could be used to escalate privileges.

Why this answer

Option D is correct because the PrivilegeEscalation:EKS/KubernetesAPICallFromContainer finding specifically detects when a container makes Kubernetes API calls that indicate an attempt to escalate privileges, such as creating pods with elevated permissions or accessing cluster-admin roles. This is a direct indicator of a container escape attempt, as the container is interacting with the Kubernetes control plane to gain unauthorized access to the host or other resources.

Exam trap

The trap here is that candidates may confuse ECS-specific findings (like SuspiciousCommand) with EKS findings, or mistake general EC2 threats (like SSH brute force or crypto mining) as indicators of container escape, when only findings directly tied to Kubernetes API calls or sensitive mounts are relevant.

74
MCQhard

A company uses AWS Organizations and has GuardDuty enabled in all accounts. The security team wants to suppress low-severity findings that are known false positives for a specific member account. How can this be achieved with minimal administrative overhead?

A.Disable GuardDuty for that member account and rely on other accounts.
B.In the member account, create a suppression rule in GuardDuty for the specific finding types.
C.Use AWS Security Hub insights to filter out those findings from the aggregated view.
D.Ask the delegated administrator to add a suppression rule in the GuardDuty console for that account.
AnswerB

Member accounts can create suppression rules.

Why this answer

Option B is correct because GuardDuty supports suppression rules that can be created at the member account level to automatically archive low-severity findings that are known false positives. This approach allows the member account to manage its own findings without requiring changes to the GuardDuty configuration in the management account or other accounts, minimizing administrative overhead.

Exam trap

The trap here is that candidates may assume the delegated administrator can centrally manage suppression rules for member accounts, but GuardDuty requires suppression rules to be created within the account that owns the findings, not from the administrator account.

How to eliminate wrong answers

Option A is wrong because disabling GuardDuty for the member account would stop all threat detection in that account, not just suppress false positives, and would create a security blind spot. Option C is wrong because AWS Security Hub insights can filter the aggregated view but do not suppress findings in GuardDuty itself; the findings would still exist and count toward quotas or alerts in GuardDuty. Option D is wrong because the delegated administrator cannot add a suppression rule directly for a specific member account from the administrator console; suppression rules must be created within the context of the account where the findings are generated, i.e., the member account itself.

75
MCQeasy

A company uses Amazon GuardDuty to detect threats. The security team wants to be alerted when GuardDuty generates a finding with a severity level of HIGH or CRITICAL. Which AWS service should the team use to send notifications based on GuardDuty findings?

A.Amazon Simple Queue Service (SQS)
B.Amazon EventBridge and Amazon Simple Notification Service (SNS)
C.AWS Lambda
D.Amazon CloudWatch Logs and Amazon Simple Notification Service (SNS)
AnswerB

EventBridge can filter findings and trigger SNS for alerts.

Why this answer

Amazon EventBridge can capture GuardDuty findings as events using a rule that matches the 'GuardDuty Finding' event type. The rule can then invoke an SNS topic to send email or SMS notifications. This is the recommended pattern because EventBridge provides native integration with GuardDuty and supports filtering by finding severity using event patterns, while SNS handles the actual notification delivery.

Exam trap

The trap here is that candidates often assume GuardDuty findings go directly to CloudWatch Logs or that Lambda is required for filtering, but the native integration with EventBridge eliminates the need for custom processing or intermediate services.

How to eliminate wrong answers

Option A is wrong because Amazon SQS is a message queue service for decoupling application components, not for sending notifications; it would require a separate consumer to poll and send alerts. Option C is wrong because AWS Lambda alone cannot send notifications; it would need to invoke SNS or another service, making it an unnecessary intermediate step when EventBridge can directly route to SNS. Option D is wrong because GuardDuty findings are not automatically sent to CloudWatch Logs; GuardDuty publishes events to EventBridge, not to CloudWatch Logs, so this option introduces an incorrect data flow.

Page 1 of 4 · 243 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Threat Detection and Incident Response questions.