CCNA Threat Detection and Incident Response Questions

75 of 243 questions · Page 2/4 · Threat Detection and Incident Response · Answers revealed

76
MCQ · medium

A security engineer is investigating an AWS CloudTrail log entry that shows an unauthorized API call to delete an S3 bucket. Which service should the engineer use to analyze the log data for patterns of similar malicious activity?

A. AWS Config
B. Amazon CloudWatch Logs Insights
C. AWS Artifact
D. Amazon GuardDuty
Answer: D

GuardDuty is purpose-built for threat detection using CloudTrail, VPC Flow Logs, and DNS logs.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activity, including unauthorized API calls like the S3 bucket deletion attempt. It uses machine learning and integrated threat intelligence to analyze CloudTrail management events, VPC flow logs, and DNS logs, enabling it to identify patterns of similar malicious behavior across your environment. This makes GuardDuty the correct choice for detecting and alerting on patterns of unauthorized activity, rather than just logging or compliance checks.

Exam trap

The trap here is that candidates confuse CloudWatch Logs Insights, which can query logs, with GuardDuty's automated threat detection, overlooking that GuardDuty is purpose-built for identifying patterns of malicious activity without requiring manual log analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating resource configurations and compliance against rules, not for analyzing CloudTrail log patterns for malicious activity; it lacks threat detection capabilities. Option B is wrong because Amazon CloudWatch Logs Insights is a query tool for searching and analyzing log data, but it does not provide automated threat detection or pattern recognition for malicious activity; it requires manual querying and lacks built-in threat intelligence. Option C is wrong because AWS Artifact is a self-service portal for downloading AWS compliance reports and agreements, with no capability to analyze CloudTrail logs or detect unauthorized activity.

77
MCQ · medium

An organization uses AWS Organizations with multiple accounts. The security team needs a centralized location to collect and analyze security findings from GuardDuty, Inspector, and Macie. Which AWS service should they use?

A. Amazon Detective
B. AWS Security Hub
C. Amazon CloudWatch
D. AWS Config
Answer: B

Security Hub centralizes security alerts across accounts and services.

Why this answer

AWS Security Hub is the correct service because it provides a centralized view of security alerts and compliance status across multiple AWS accounts. It aggregates findings from GuardDuty, Inspector, and Macie, normalizing them into the AWS Security Finding Format (ASFF), enabling the security team to analyze and prioritize threats in a single dashboard.

Exam trap

The trap here is that candidates confuse Amazon Detective’s investigative capabilities with Security Hub’s aggregation role, assuming Detective can centralize findings, when in fact Detective is a post-finding analysis tool that requires Security Hub or GuardDuty to provide the initial findings.

How to eliminate wrong answers

Option A is wrong because Amazon Detective is designed for in-depth investigation of security findings by analyzing VPC Flow Logs, CloudTrail, and GuardDuty data, but it does not aggregate findings from multiple services like Inspector and Macie into a single location. Option C is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not a security findings aggregator; it lacks the native integration to collect and normalize findings from GuardDuty, Inspector, and Macie into a unified format. Option D is wrong because AWS Config is a resource inventory and compliance auditing service that tracks configuration changes, not a centralized hub for security findings from threat detection services.

78
Multi-Select · hard

A company wants to implement automated remediation of security findings from Amazon GuardDuty. Which THREE AWS services can be used together to create an automated response workflow? (Select THREE.)

Select 3 answers
A. Amazon CloudWatch Events (EventBridge)
B. AWS Lambda
C. AWS Step Functions
D. Amazon SQS
E. AWS Config
Answers: A, B, C

Receives GuardDuty findings and triggers Lambda or Step Functions.

Why this answer

Amazon GuardDuty sends findings to Amazon CloudWatch Events (EventBridge) as events. You can configure an EventBridge rule to match specific GuardDuty findings and trigger an AWS Lambda function for automated remediation. AWS Step Functions can orchestrate complex remediation workflows involving multiple Lambda functions or other AWS services, providing retry logic and error handling.

Exam trap

The trap here is that candidates often select Amazon SQS or AWS Config because they are associated with event-driven architectures or compliance, but they are not the core services used in the standard GuardDuty automated remediation pattern, which relies on EventBridge, Lambda, and Step Functions.

79
MCQ · medium

Refer to the exhibit. A security engineer runs the AWS CLI command to look up console login events. The output shows two successful login events for user1 within 5 minutes. What should the engineer suspect?

A. The user created a new access key.
B. The user's credentials may be compromised.
C. The user's account is being used by multiple users.
D. The user has disabled multi-factor authentication (MFA).
Answer: B

Multiple logins in a short time from the same user could indicate credential theft.

Why this answer

Two successful console login events for the same user within 5 minutes, especially from different source IP addresses or user agents, is a strong indicator of credential compromise. An attacker who has obtained the user's password can log in while the legitimate user is also active, creating overlapping sessions. AWS CloudTrail records the `ConsoleLogin` event with details like `sourceIPAddress` and `userAgent`, which the engineer should examine to confirm whether the logins originated from different locations or devices.

Exam trap

The trap here is that candidates may assume multiple logins are due to shared credentials or MFA misconfiguration, but the key indicator of compromise is the temporal proximity of two successful logins, which strongly suggests an attacker is using the same credentials concurrently.

How to eliminate wrong answers

Option A is wrong because creating a new access key does not generate console login events; access key creation is recorded as `CreateAccessKey` in CloudTrail, not as a `ConsoleLogin` event. Option C is wrong because while multiple users could theoretically share an account, AWS Identity and Access Management (IAM) best practices prohibit sharing credentials, and the overlapping logins more likely indicate an attacker using stolen credentials rather than legitimate sharing. Option D is wrong because disabling MFA does not cause multiple login events within a short timeframe; MFA status changes are recorded as `DeactivateMFADevice` events, and the absence of MFA would not explain two rapid successive logins.

80
MCQ · medium

A security engineer is investigating a potential data exfiltration incident. The engineer notices that an EC2 instance with an attached IAM role has been making API calls to an S3 bucket in another AWS account. The engineer wants to identify the source of the API calls and determine if the calls are malicious. Which AWS service should the engineer use to view the API calls made by the IAM role?

A. VPC Flow Logs
B. Amazon GuardDuty
C. AWS Config
D. AWS CloudTrail
Answer: D

CloudTrail records API calls made by IAM roles and provides details such as source IP, user agent, and request parameters.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made by IAM roles, including the source IP address, user agent, and the specific actions performed. In this scenario, CloudTrail logs will show the exact API calls made by the EC2 instance's IAM role to the S3 bucket in another account, enabling the security engineer to identify the source and determine if the calls are malicious.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (which show network traffic) with CloudTrail (which shows API calls), or they assume GuardDuty provides raw logs instead of just alerts, leading them to pick a service that cannot directly answer the question of viewing the specific API calls made by the IAM role.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log AWS API calls or IAM role activity. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs for anomalies, but it does not directly provide the raw API call logs needed to view the specific actions taken by the IAM role. Option C is wrong because AWS Config records resource configuration changes and compliance, not the API calls made by IAM roles.

81
MCQ · hard

A company has a multi-account strategy and wants to ensure that all API calls from member accounts are logged to a centralized S3 bucket in the security account. Which configuration is required?

A. Use Amazon Kinesis Data Streams to stream CloudTrail events from all accounts to the central S3 bucket
B. Create an organization trail in the management account that logs all accounts
C. Create a CloudTrail trail in each member account and specify the same S3 bucket
D. Enable AWS Security Hub in the security account and configure it to collect CloudTrail logs
Answer: B

Organization trail logs all accounts and delivers to a single S3 bucket.

Why this answer

Option B is correct because AWS Organizations allows you to create an organization trail in the management account that automatically applies to all member accounts. This ensures that CloudTrail logs from every account in the organization are delivered to a single, centralized S3 bucket in the security account without needing per-account configuration. The organization trail uses the management account’s CloudTrail configuration to enable logging across the entire organization, and the S3 bucket policy must grant the necessary permissions for CloudTrail to write logs from all accounts.

Exam trap

The trap here is that candidates often assume creating separate trails per account (Option C) is simpler or more reliable, but they overlook the AWS Organizations integration that allows a single organization trail to automatically cover all accounts, reducing administrative overhead and ensuring consistent log delivery.

How to eliminate wrong answers

Option A is wrong because Amazon Kinesis Data Streams is a real-time data streaming service, not a logging destination for CloudTrail; CloudTrail can deliver logs to S3 or CloudWatch Logs, but Kinesis Data Streams is not a native CloudTrail destination for centralized logging. Option C is wrong because creating a separate trail in each member account and specifying the same S3 bucket requires manual configuration per account, does not scale, and does not leverage AWS Organizations for automatic management; additionally, each member account would need its own bucket policy to allow writes, which is error-prone. Option D is wrong because AWS Security Hub is a security posture management service that aggregates findings from various AWS services, but it does not collect or store CloudTrail logs; it can ingest CloudTrail events as a data source for findings, but it does not replace the need for a centralized S3 bucket for log storage.

82
MCQ · hard

A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The application stores user session data in an ElastiCache Redis cluster. The security team receives an alert from GuardDuty that one of the EC2 instances is communicating with a known command-and-control (C2) IP address. The instance ID is i-0a1b2c3d4e5f. The security engineer needs to contain the threat immediately while preserving the instance for forensic analysis. Which course of action should the security engineer take?

A. Apply a new security group that denies all inbound and outbound traffic to the instance.
B. Remove the security group from the Auto Scaling group to isolate the instance.
C. Terminate the EC2 instance immediately to stop the communication.
D. Create an AMI of the instance for forensic analysis and then terminate the instance.
Answer: A

This instantly isolates the instance from the network, stopping the C2 traffic while preserving the instance for forensic investigation.

Why this answer

Option A is correct because applying a new security group that denies all inbound and outbound traffic immediately stops the C2 communication at the network layer without destroying the instance. This preserves the instance for forensic analysis (e.g., memory dump, disk imaging) while containing the threat. The security group acts as a virtual firewall, and changing it is a non-destructive, reversible action that can be applied directly to the instance even if it is part of an Auto Scaling group.

Exam trap

The trap here is that candidates often choose to terminate the instance (Option C) thinking it is the fastest containment, but they overlook the critical requirement to preserve the instance for forensic analysis, which termination destroys.

How to eliminate wrong answers

Option B is wrong because removing the security group from the Auto Scaling group does not isolate the instance; the instance retains its existing security group(s) and continues to communicate. Option C is wrong because terminating the instance destroys the forensic evidence (e.g., volatile memory, running processes, disk state) and prevents further analysis. Option D is wrong because creating an AMI takes time and does not immediately stop the C2 communication; the instance remains active and can continue exfiltrating data or receiving commands during the AMI creation process.

83
MCQ · hard

A security engineer is configuring AWS CloudWatch Logs to monitor for suspicious activity. They want to create a metric filter that detects when an IAM user calls the `iam:CreateAccessKey` API. The engineer writes the following filter pattern: `{ ($.eventName = "CreateAccessKey") }`. After testing, the filter does not trigger. What is the most likely reason?

A. The filter pattern syntax is incorrect; it should use square brackets.
B. The metric filter is not associated with the correct log group.
C. CloudWatch Logs does not support metric filters for CloudTrail logs.
D. The filter pattern does not include the eventSource field, so it might match events from other services.
Answer: D

Including eventSource ensures the filter only matches IAM events.

Why this answer

CloudTrail logs are JSON objects, so the metric filter pattern must match the JSON structure of the event. The correct pattern should include the `eventSource` field alongside `eventName`, using the proper JSON path for each.

Typically, the pattern should be `{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "CreateAccessKey") }`. Without eventSource, the filter may match other services with the same event name.

84
MCQ · medium

A security engineer notices that an EC2 instance is sending outbound traffic to a known malicious IP address. The instance is part of an Auto Scaling group behind an Application Load Balancer. The engineer needs to immediately stop the exfiltration while preserving forensic evidence. What is the BEST course of action?

A. Detach the EBS volume from the instance.
B. Terminate the EC2 instance immediately.
C. Shut down the instance from within the OS.
D. Remove the instance from the target group and apply a security group that denies all traffic.
Answer: D

Stops traffic and preserves the instance for investigation.

Why this answer

Option D is correct because removing the instance from the target group immediately stops new traffic from the Application Load Balancer to the instance, while applying a security group that denies all outbound traffic (e.g., a custom security group with no outbound rules) halts any ongoing exfiltration without destroying the instance or its attached EBS volumes. This preserves the forensic evidence (memory, disk, logs) for later analysis, unlike termination or shutdown which could lose volatile data.

Exam trap

The trap here is that candidates often choose 'Terminate the EC2 instance immediately' (Option B) thinking it stops the exfiltration fastest, but they overlook the need to preserve forensic evidence and the fact that termination destroys the instance and its associated data, making post-incident analysis impossible.

How to eliminate wrong answers

Option A is wrong because detaching the EBS volume does not stop the instance from sending outbound traffic over the network; the instance continues running and can still exfiltrate data via network interfaces. Option B is wrong because terminating the instance immediately destroys the instance, its attached EBS volumes (unless termination protection is enabled and the 'Delete on Termination' flag is set to false), and any volatile forensic evidence (e.g., memory contents, running processes). Option C is wrong because shutting down the instance from within the OS (e.g., via 'shutdown -h now') stops the instance but does not guarantee that the OS will complete the shutdown cleanly; more importantly, it does not isolate the instance from the network first, allowing continued exfiltration during the shutdown process, and it may trigger Auto Scaling to launch a replacement instance before forensic capture.

85
MCQ · medium

During an incident response, a security engineer needs to preserve the state of an EC2 instance's root volume for forensic analysis. The instance is still running. Which action should be taken to ensure the data is preserved without altering it?

A. Stop the instance and then create an AMI.
B. Create a snapshot of the root volume.
C. Use `dd if=/dev/xvda` over SSH to copy the volume.
D. Detach the root volume and attach it to a forensics instance.
Answer: B

Snapshot captures the current state without altering data.

Why this answer

Creating a snapshot of the root volume is the correct action because it captures a point-in-time, crash-consistent copy of the volume's data without requiring the instance to be stopped or the volume to be detached. This preserves the current state of the running instance for forensic analysis while ensuring the data is not altered by the snapshot process itself, as AWS snapshots are read-only and do not modify the source volume.

Exam trap

The trap here is that candidates may think stopping the instance (Option A) is necessary to ensure data consistency, but they overlook that stopping alters the system state and that a snapshot of a running instance is still a valid, unaltered point-in-time copy for forensic purposes.

How to eliminate wrong answers

Option A is wrong because stopping the instance changes its state (e.g., flushes memory, stops processes) and may alter or lose volatile data that is critical for forensic analysis; creating an AMI from a stopped instance also introduces additional metadata and is not a direct, unaltered copy of the root volume. Option C is wrong because using dd over SSH to copy the root device (/dev/xvda) while the instance is running will result in an inconsistent copy due to ongoing writes, and it modifies the source volume by reading it, potentially triggering forensic concerns about data integrity and chain of custody. Option D is wrong because detaching the root volume from a running instance forces an immediate stop of the instance (since the root volume is required for operation), which alters the system state and may cause data loss or corruption; attaching it to a forensics instance then introduces the risk of write operations to the volume.

86
MCQ · medium

A security engineer is setting up automated incident response for a compromised EC2 instance. The engineer wants to isolate the instance immediately upon detection of a GuardDuty finding. Which AWS service can be used to automatically trigger a Lambda function that modifies the instance's security group?

A. AWS Step Functions
B. Amazon Inspector
C. Amazon CloudWatch Events
D. AWS Config
Answer: C

CloudWatch Events can match GuardDuty findings and invoke Lambda functions.

Why this answer

Amazon CloudWatch Events (now part of Amazon EventBridge) can be configured with a rule that matches specific GuardDuty finding events. When a finding is detected, the rule triggers a Lambda function that can modify the EC2 instance's security group to isolate it, for example by removing all inbound rules or replacing the group with a restrictive one. This provides the automated, event-driven response required.

Exam trap

The trap here is that candidates may confuse Amazon Inspector (a vulnerability scanner) with GuardDuty (a threat detection service), or assume AWS Config's compliance rules can react to security findings, when in fact only CloudWatch Events/EventBridge provides the direct event-driven trigger for GuardDuty findings.

How to eliminate wrong answers

Option A is wrong because AWS Step Functions is a workflow orchestration service that coordinates multiple AWS services, but it is not directly triggered by GuardDuty findings; it would require an intermediary like CloudWatch Events to start the workflow. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and network exposure, not a real-time event trigger for incident response actions. Option D is wrong because AWS Config is a service for evaluating resource configurations against desired policies and tracking changes, but it cannot directly trigger a Lambda function in response to a GuardDuty finding; it uses rules that evaluate configuration changes, not security findings.

87
MCQ · hard

A company uses AWS CloudTrail to log all API calls. During an incident investigation, the security team needs to identify who deleted an S3 bucket. CloudTrail logs are stored in a centralized S3 bucket with server-side encryption using AWS KMS. Which additional step is required to ensure the CloudTrail logs can be queried quickly for this investigation?

A. Enable CloudTrail Lake
B. Stream logs to CloudWatch Logs and use CloudWatch Logs Insights
C. Use Amazon Athena with a table defined over the S3 bucket
D. Enable Amazon GuardDuty
Answer: C

Athena can query CloudTrail logs stored in S3 using standard SQL.

Why this answer

Option C is correct because CloudTrail logs are JSON files, and Athena can query them directly in place using DDL (to define a table over the S3 bucket) and DML (to run the query). Option A is wrong because CloudTrail Lake is a managed query service but is not necessary when the logs are already in S3; Athena is more direct. Option B is wrong because CloudWatch Logs Insights queries CloudWatch Logs, not S3 objects.

Option D is wrong because GuardDuty is for threat detection, not log querying.

88
MCQ · hard

During incident response, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group. Which action preserves the most evidence while minimizing disruption?

A. Enable VPC Flow Logs for the subnet and analyze the logs.
B. Take an EBS snapshot and analyze network logs from the snapshot.
C. Use AWS Traffic Mirroring to mirror traffic to a monitoring appliance.
D. Terminate the instance and launch a new one to capture network logs.
Answer: A

Flow logs capture network metadata without performance impact.

Why this answer

Option A is correct because VPC Flow Logs capture metadata (IP addresses, ports, protocols, packet sizes) of all traffic to/from the EC2 instance at the subnet level, preserving a forensic record without any disruption to the running instance or Auto Scaling group. This approach avoids stopping, terminating, or modifying the instance, ensuring the incident environment remains intact for further investigation.

Exam trap

The trap here is that candidates confuse 'capturing network traffic' with needing packet-level inspection (e.g., Traffic Mirroring) and overlook that VPC Flow Logs provide sufficient forensic metadata for most incident response scenarios without disrupting the instance.

How to eliminate wrong answers

Option B is wrong because an EBS snapshot captures disk state, not network traffic; analyzing network logs from a snapshot is impossible since network logs are not stored on the volume by default. Option C is wrong because AWS Traffic Mirroring requires stopping the instance to attach a mirror target or may introduce latency, and it disrupts the production traffic flow by duplicating packets, which can alter the incident environment. Option D is wrong because terminating the instance destroys volatile evidence (e.g., running processes, memory, active network connections) and disrupts the Auto Scaling group, potentially losing critical forensic data.

89
MCQ · easy

A security engineer is investigating a potential data breach. The engineer needs to identify which IAM user accessed a specific S3 object and when. Which AWS service should the engineer use?

A. AWS Config
B. Amazon S3 server access logs
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: C

CloudTrail records API calls with user identity, including S3 data events.

Why this answer

AWS CloudTrail is the correct service because it records API activity for all AWS services, including S3 object-level operations such as GetObject, PutObject, and DeleteObject. By enabling data events on the specific S3 bucket, CloudTrail logs the IAM user, source IP, timestamp, and the exact object key accessed, providing the precise identity and time needed for breach investigation.

Exam trap

The trap here is that candidates confuse S3 server access logs (which show HTTP-level requests but lack IAM user identity) with CloudTrail (which captures the full IAM user context via the AWS API), leading them to incorrectly select Amazon S3 server access logs.

How to eliminate wrong answers

Option A is wrong because AWS Config evaluates resource configurations and compliance rules, not API-level access logs; it cannot show which user accessed a specific S3 object or when. Option B is wrong because Amazon S3 server access logs record HTTP requests to the bucket at the object level, but they log the requester's AWS account ID or anonymous identifier, not the IAM user ARN, making it impossible to tie the access to a specific IAM user. Option D is wrong because Amazon CloudWatch Logs is a centralized log storage and monitoring service, not a source of API activity logs; it can ingest CloudTrail logs but does not generate the access records itself.

90
Multi-Select · medium

A security engineer is investigating a potential data exfiltration incident. The engineer suspects that an EC2 instance is sending data to an external IP address. Which TWO AWS services can provide evidence of outbound data transfer? (Select TWO.)

Select 2 answers
A. S3 server access logs
B. AWS Config
C. VPC Flow Logs
D. AWS CloudTrail
E. AWS Trusted Advisor
Answers: A, C

If data is exfiltrated from S3, server access logs show object access details.

Why this answer

S3 server access logs provide detailed records of requests made to an S3 bucket, including the source IP address, request type, and bytes transferred. If the EC2 instance is exfiltrating data to an external IP by first uploading it to an S3 bucket, these logs can reveal the instance's private or public IP, the amount of data sent, and the target bucket. This makes them a valid source of evidence for outbound data transfer from the EC2 instance to S3.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with VPC Flow Logs (which log network traffic), leading them to incorrectly select CloudTrail as a source for evidence of data transfer.

91
MCQ · easy

A security engineer notices that an IAM role used by an EC2 instance is generating a large number of API calls to an S3 bucket that is not part of the company's account. Which AWS service should be used to detect and alert on this suspicious activity?

A. AWS CloudTrail
B. Amazon Inspector
C. AWS Config
D. Amazon GuardDuty
Answer: D

GuardDuty uses machine learning to detect unusual API activity across accounts.

Why this answer

Amazon GuardDuty is the correct service because it uses machine learning and anomaly detection to analyze AWS CloudTrail management and data events, VPC Flow Logs, and DNS logs. It can detect unusual API calls, such as an EC2 instance role making a high volume of requests to an S3 bucket outside the company's account, which is a classic indicator of compromised credentials or data exfiltration. GuardDuty generates findings and can integrate with Amazon CloudWatch Events to trigger alerts or automated remediation.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs the activity) with GuardDuty (which analyzes and alerts on the activity), leading them to select CloudTrail because they think logging alone is sufficient for detection, but GuardDuty is the service specifically designed for threat detection and alerting.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail is a logging service that records API calls, but it does not perform real-time detection, analysis, or alerting on suspicious activity; it only provides raw logs that require separate monitoring and analysis. Option B is wrong because Amazon Inspector is a vulnerability management service that assesses EC2 instances for software vulnerabilities and unintended network exposure, not for detecting anomalous API call patterns or cross-account data access. Option C is wrong because AWS Config is a resource inventory and compliance service that evaluates resource configurations against rules, but it does not analyze API call patterns or detect anomalous behavior like unusual S3 access from an IAM role.

92
MCQ · hard

A company uses AWS Organizations to manage multiple accounts. The security team wants to centralize threat detection across all accounts. They enable Amazon GuardDuty in the management account and intend to use delegated administrator functionality. However, they find that GuardDuty is not detecting threats in member accounts. What is the most likely cause?

A. GuardDuty requires an S3 bucket in each account to store findings.
B. GuardDuty is not enabled in the member accounts. The security team must invite member accounts or use the delegated administrator to enable GuardDuty in all accounts.
C. GuardDuty only monitors the management account's resources, not member accounts.
D. GuardDuty does not support delegated administrator for AWS Organizations.
Answer: B

GuardDuty must be enabled in each account. The delegated administrator can enable it for all accounts, but it requires explicit action.

Why this answer

Option B is correct because Amazon GuardDuty must be enabled in each member account to detect threats in those accounts. When using the delegated administrator model, the security team can enable GuardDuty across all accounts programmatically via the delegated administrator API, but they must explicitly perform this action. Simply enabling GuardDuty in the management account does not automatically activate it in member accounts, which is why no threats are detected in those accounts.

Exam trap

The trap here is that candidates assume enabling GuardDuty in the management account automatically propagates to all member accounts, but AWS requires an explicit delegated administrator action to enable the service across the organization.

How to eliminate wrong answers

Option A is wrong because GuardDuty does not require an S3 bucket in each account to store findings; findings are stored centrally in the GuardDuty service and can be exported to a single S3 bucket if configured. Option C is wrong because GuardDuty, when properly enabled via delegated administrator, monitors resources across all member accounts, not just the management account. Option D is wrong because GuardDuty fully supports delegated administrator for AWS Organizations, allowing a designated account to manage GuardDuty across the organization.

93
MCQmedium

During a security incident, a forensic investigator needs to capture the memory of a running EC2 instance without shutting it down. Which AWS feature should be used?

A.Amazon CloudWatch agent
B.EC2 Rescue for Linux or Systems Manager Run Command with a memory dump script
C.AWS CloudTrail
D.Amazon EBS snapshot
AnswerB

These tools can capture memory without stopping the instance.

Why this answer

Option B is correct because EC2 Rescue for Linux (via Systems Manager Run Command) includes a built-in script that can capture a full memory dump from a running EC2 instance without requiring a shutdown. This is essential for forensic analysis to preserve volatile data like running processes, network connections, and kernel structures. The script leverages the Linux 'vmcore' or 'LiME' (Linux Memory Extractor) tool to safely extract memory contents while the instance remains operational.

Exam trap

The trap here is that candidates often confuse capturing volatile memory with taking a disk snapshot (Option D), not realizing that memory is stored in RAM and is not preserved by EBS snapshots, which only capture persistent storage.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch Agent is designed for collecting metrics, logs, and performance data, not for capturing raw memory dumps; it cannot access or dump physical memory. Option C is wrong because AWS CloudTrail records API activity and management events, not the volatile memory state of an EC2 instance; it provides no mechanism for memory acquisition. Option D is wrong because an Amazon EBS snapshot captures the persistent disk state (block-level storage), not the contents of RAM; memory is volatile and not stored on EBS volumes.

94
Multi-Selecthard

Which TWO steps should a security engineer take when responding to a confirmed security incident involving a compromised EC2 instance? (Choose 2.)

Select 2 answers
A.Reimage the instance from a clean AMI immediately
B.Delete all CloudTrail logs related to the instance
C.Isolate the instance by changing its security group to deny all traffic
D.Take a snapshot of the instance's EBS volumes for forensic analysis
E.Immediately terminate the instance to stop the attack
AnswersC, D

Isolation prevents further damage while preserving the instance.

Why this answer

Preserving the instance (EBS snapshot) and isolating it (security group change) are the key first steps. Terminating the instance immediately destroys volatile evidence, and deleting CloudTrail logs removes the audit trail needed for the investigation.

Reimaging without investigation destroys evidence.

95
MCQeasy

A company uses Amazon GuardDuty and receives a finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. What does this finding indicate?

A.The instance is being targeted by an SSH brute force attack.
B.The instance is communicating with a known command and control server.
C.The instance is exfiltrating data to an S3 bucket.
D.The instance is being used in a DDoS attack.
AnswerB

The finding name indicates C&C activity detected via DNS.

Why this answer

The finding 'Backdoor:EC2/C&CActivity.B!DNS' indicates that GuardDuty has detected DNS queries from the EC2 instance to a domain associated with known command and control (C&C) infrastructure. This is based on GuardDuty's threat intelligence feeds that map DNS request patterns to known malicious domains, signaling that the instance may be compromised and communicating with an attacker's server.

Exam trap

The trap here is that candidates may confuse 'Backdoor:EC2/C&CActivity.B!DNS' with generic network anomalies or other attack types, but the key differentiator is the DNS-specific indicator that pinpoints communication with a known command and control server, not the attack vector or data exfiltration method.

How to eliminate wrong answers

Option A is wrong because SSH brute force attacks are detected by GuardDuty findings such as 'UnauthorizedAccess:EC2/SSHBruteForce', not by DNS-based C&C activity. Option C is wrong because data exfiltration to an S3 bucket would typically be detected by findings like 'Policy:IAMUser/RootCredentialUsage' or S3-specific findings, not by DNS query analysis for C&C domains. Option D is wrong because DDoS attack participation is indicated by findings such as 'Backdoor:EC2/DenialOfService' or 'Behavior:EC2/NetworkOutboundDenialOfService', which analyze traffic volume and patterns, not DNS queries to C&C servers.

96
MCQeasy

A security team wants to automatically revoke public access to an S3 bucket when Amazon GuardDuty detects a suspicious API call from a known malicious IP address. Which AWS service should be used to orchestrate this automated response?

A.AWS Config
B.AWS Lambda
C.AWS Systems Manager Automation
D.AWS CloudTrail
AnswerC

Systems Manager Automation runbooks can remediate S3 bucket policies.

Why this answer

AWS Systems Manager Automation can run a runbook that changes the S3 bucket policy to remove public access. GuardDuty publishes its findings to Amazon EventBridge, and an EventBridge rule triggers the automation. Option B (Lambda) could also perform the remediation, but Systems Manager Automation is the more structured choice for runbook-style responses.

Option A (AWS Config) evaluates configuration compliance rather than orchestrating a response. Option D (CloudTrail) only logs API activity.

97
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team receives an alert from Amazon GuardDuty that one of the EC2 instances is generating outbound traffic to a known command-and-control (C2) IP address. The instance is part of an Auto Scaling group (ASG) with a minimum of 2 and maximum of 10 instances. The security incident response playbook instructs the team to isolate the compromised instance without affecting the application's availability. The team needs to preserve the instance for forensic analysis. Which action should the team take first?

A.Terminate the compromised EC2 instance and allow the ASG to launch a replacement.
B.Detach the EBS root volume from the instance and attach it to a forensic instance.
C.Shut down the instance from within the OS using AWS Systems Manager Run Command.
D.Remove the instance from the ALB target group and attach a security group that denies all traffic.
AnswerD

Isolates the instance while preserving it for forensics.

Why this answer

Option D is correct because removing the instance from the ALB target group immediately stops new traffic from reaching the application, while attaching a security group that denies all traffic (e.g., a custom security group with no inbound/outbound rules) effectively isolates the instance at the network layer. This preserves the instance for forensic analysis and does not affect application availability, as the ASG will not automatically terminate the instance (since it is still running and healthy from the ASG's perspective). The ALB will continue to route traffic to the remaining healthy instances in the target group, maintaining service continuity.

Exam trap

The trap here is that candidates may think terminating the instance (Option A) is the fastest way to stop the threat, but they overlook the requirement to preserve the instance for forensic analysis and the need to maintain application availability by not triggering an ASG replacement prematurely.

How to eliminate wrong answers

Option A is wrong because terminating the instance would destroy the forensic evidence (e.g., memory, disk, logs) and the ASG would launch a replacement, but the immediate isolation step should be network-level, not termination. Option B is wrong because detaching the EBS root volume requires the instance to be stopped first, which would take the instance out of service and potentially trigger an ASG replacement, and it does not address the immediate need to stop outbound C2 traffic. Option C is wrong because shutting down the instance from within the OS using Systems Manager Run Command would stop the instance, causing the ASG to launch a replacement (since the instance count drops below the minimum), and it does not preserve the instance for forensic analysis (the instance is stopped, not isolated).

98
Multi-Selecthard

A company's security team is configuring Amazon GuardDuty to detect crypto-mining activities on EC2 instances. Which THREE indicators should the team monitor? (Choose 3.)

Select 3 answers
A.Outbound connections to IP addresses on port 3333.
B.Unusually high CPU utilization on EC2 instances.
C.High volume of inbound network traffic.
D.DNS queries to known crypto-mining pools.
E.High disk I/O operations.
AnswersA, B, D

Port 3333 is commonly used by mining pools.

Why this answer

Option A is correct because crypto-mining malware often uses port 3333 for communication with mining pools or command-and-control servers. GuardDuty can detect outbound connections to known malicious IP addresses on this port as part of its threat intelligence feeds, which include indicators of compromise (IOCs) associated with crypto-mining activity.

Exam trap

The trap here is that candidates may confuse high inbound traffic with outbound traffic, or assume disk I/O is a primary indicator of crypto-mining, when in fact CPU utilization and DNS queries to mining pools are the key signals GuardDuty uses.

99
MCQeasy

A company wants to ensure that any deleted CloudTrail logs are detected and alerted within minutes. Which approach should they use?

A.Enable S3 event notifications on the CloudTrail bucket for DELETE events.
B.Configure CloudTrail to send logs to CloudWatch Logs, create a metric filter for DeleteTrail events, and set a CloudWatch alarm to send an SNS notification.
C.Use AWS Config to track CloudTrail configuration changes and trigger a Lambda function.
D.Enable Amazon GuardDuty to monitor CloudTrail management events.
AnswerB

Real-time detection via CloudWatch Logs metric filters.

Why this answer

Option B is correct because CloudTrail management events (including DeleteTrail) are delivered to CloudWatch Logs, where a metric filter can match the exact event name. A CloudWatch alarm on that metric triggers an SNS notification within minutes, meeting the detection and alerting requirement. This approach directly monitors the CloudTrail API call that deletes the trail itself, not just the log files.

Exam trap

The trap here is that candidates confuse detecting deletion of log files (S3 events) with detecting deletion of the trail itself (CloudTrail API call), leading them to choose Option A instead of the correct CloudWatch-based approach.

How to eliminate wrong answers

Option A is wrong because S3 event notifications on the CloudTrail bucket detect deletion of log objects (e.g., individual log files), but they do not detect the deletion of the CloudTrail trail itself, which is a management API call. Option C is wrong because AWS Config evaluates configuration changes against rules, but its evaluation is not real-time; it typically runs every few minutes or on a config change, and it does not natively provide sub-minute alerting via SNS without additional custom logic. Option D is wrong because Amazon GuardDuty monitors for suspicious activity using CloudTrail management events as a data source, but it does not provide immediate, dedicated alerting for the specific DeleteTrail event; its findings are generated based on threat detection models and may have a delay.

100
MCQmedium

A company has an AWS Lambda function that processes sensitive data. The security team wants to ensure that any errors or suspicious behavior are immediately investigated. Which combination of services should be used to send real-time notifications for anomalous function executions?

A.CloudWatch Logs and SNS
B.CloudTrail and SNS
C.AWS Config and SQS
D.Amazon Detective and SES
AnswerA

CloudWatch Logs metric filters on error patterns can trigger alarms via SNS.

Why this answer

Option A is correct because CloudWatch Logs can capture Lambda function execution logs, and a CloudWatch Logs metric filter can be configured to detect patterns indicative of errors or suspicious behavior (e.g., 'ERROR', 'Exception', or custom anomaly patterns). When the metric filter triggers a CloudWatch alarm, it can publish a message directly to an Amazon SNS topic, which then sends real-time notifications (e.g., email, SMS, or HTTP endpoint) to the security team for immediate investigation.

Exam trap

The trap here is that candidates often confuse CloudTrail (which logs API calls) with CloudWatch Logs (which captures application-level execution output), leading them to choose CloudTrail for real-time error monitoring when it is actually designed for auditing and compliance, not for triggering on application errors.

How to eliminate wrong answers

Option B is wrong because AWS CloudTrail records API calls and management events (e.g., who invoked the Lambda function), not the function's execution logs or error output; it cannot trigger real-time notifications based on anomalous function behavior. Option C is wrong because AWS Config is designed for resource configuration compliance and change tracking, not for monitoring real-time execution errors or suspicious behavior; SQS is a message queue that requires a separate consumer to process notifications, adding latency and complexity. Option D is wrong because Amazon Detective is a post-incident investigation service that analyzes historical data to identify root causes of security findings, not a real-time notification service; SES is an email-sending service that requires custom integration and does not natively trigger from Lambda execution anomalies.

101
MCQhard

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The security team uses Amazon GuardDuty and has enabled Amazon Detective. Recently, GuardDuty raised a 'Recon:EC2/PortProbeUnprotectedPort' finding for one of the instances. The security engineer verified that the ALB security group only allows inbound HTTP/HTTPS from the internet. However, the finding indicates that the instance is receiving probes on port 22 (SSH). Further investigation with Detective shows that the probes originate from multiple IP addresses and are reaching the instance's private IP address. The engineer suspects that the SSH port is exposed despite the security group configuration. What is the MOST likely cause of this exposure?

A.The EC2 instance's security group allows inbound SSH from 0.0.0.0/0.
B.VPC Flow Logs are misconfigured and are inadvertently forwarding traffic to the instance.
C.AWS Shield Advanced is causing false positives by marking legitimate traffic as probes.
D.The ALB security group has an inbound rule that allows SSH from the internet.
AnswerA

If the instance's security group allows SSH from anywhere, the instance is exposed even if behind an ALB.

Why this answer

The GuardDuty finding 'Recon:EC2/PortProbeUnprotectedPort' indicates that an EC2 instance is receiving unsolicited probes on a port that should not be publicly accessible. Since the ALB security group only allows HTTP/HTTPS from the internet, but the probes are reaching the instance's private IP on port 22 (SSH), the most likely cause is that the instance's own security group has an inbound rule allowing SSH from 0.0.0.0/0. This bypasses the ALB's security group because the instance's security group is evaluated independently for direct traffic to the instance's private IP, and if it permits SSH from anywhere, the probes will reach the instance.

Exam trap

The trap here is that candidates assume the ALB's security group fully protects the backend instances, forgetting that instances have their own security groups that are evaluated independently for direct traffic to their private IPs.

How to eliminate wrong answers

Option B is wrong because VPC Flow Logs are a monitoring feature that captures metadata about IP traffic; they do not forward or route traffic to instances, so misconfiguration cannot cause exposure. Option C is wrong because AWS Shield Advanced is a DDoS protection service that does not generate false positives for port probes; GuardDuty findings are independent of Shield, and Shield does not mark legitimate traffic as probes. Option D is wrong because the ALB security group only allows HTTP/HTTPS from the internet, and even if it allowed SSH, that would only affect traffic to the ALB, not directly to the instance's private IP; the probes are reaching the instance directly, not through the ALB.

102
MCQhard

A security engineer runs the above AWS CLI command to search for CreateKey events in CloudTrail. The command returns no events, but the security engineer knows that a KMS key was created in us-east-1 on January 1, 2023. What is the most likely reason for the empty result?

A.The event name is incorrect; the correct event is 'CreateKey' but it is case-sensitive
B.The CloudTrail trail is not multi-region and is configured in a different region
C.The user does not have permission to view KMS events in CloudTrail
D.The time range specified is outside the retention period of CloudTrail
AnswerB

If the trail is single-region and in another region, us-east-1 events are not captured.

Why this answer

Option B is correct. The event name in the command is right: the CloudTrail event for creating a KMS key is 'CreateKey', and CreateKey is a management event, which a trail logs by default, so the empty result is not explained by Option A (plausible at first glance, but it does not account for the missing event).

The command is run against us-east-1. If the only trail is single-region and lives in another region, events from us-east-1 are never captured, and the lookup returns nothing. That is the most common cause of this symptom, even though the exhibit does not show the trail configuration.

Option D is unlikely because the time range in the command covers the creation date (January 1, 2023). Option C does not fit the scenario either; the empty result is a coverage problem with the trail, not a permissions problem.

103
Multi-Selecthard

A security engineer is investigating a security incident where an EC2 instance was used to launch an outbound denial-of-service (DoS) attack. The engineer needs to collect forensic evidence. Which TWO actions should the engineer take? (Choose two.)

Select 2 answers
A.Reboot the instance to clear any malicious processes.
B.Delete the CloudTrail logs that show the instance's API calls.
C.Create an Amazon EBS snapshot of the instance's root volume.
D.Capture the instance's memory using a tool like LiME or Amazon EC2 instance memory capture.
E.Terminate the instance to stop the attack immediately.
AnswersC, D

EBS snapshots preserve disk state for offline analysis.

Why this answer

Option C is correct because creating an Amazon EBS snapshot of the instance's root volume preserves the file system, logs, binaries, and any persistent artifacts (e.g., malware scripts, modified configuration files) at the time of the incident. This snapshot can be used for offline forensic analysis without altering the original evidence, which is critical for incident response and potential legal proceedings.

Exam trap

The trap here is that candidates may confuse 'stopping the attack' (Option E) with 'preserving evidence,' forgetting that termination destroys volatile data and that forensic capture must occur before any disruptive action.

104
Multi-Selectmedium

Which THREE actions should be taken when preparing an incident response plan for AWS?

Select 3 answers
A.Enable AWS CloudTrail in all regions.
B.Share the AWS account root user password with the incident response team.
C.Automate incident response using AWS Systems Manager Automation runbooks.
D.Disable VPC Flow Logs to reduce log volume.
E.Create IAM roles with limited permissions for incident responders.
AnswersA, C, E

CloudTrail provides a log of all API calls for investigation.

Why this answer

AWS CloudTrail must be enabled in all regions to ensure that all API calls across the entire AWS infrastructure are logged. This provides a comprehensive audit trail essential for forensic investigation and identifying the scope of a security incident. Without multi-region CloudTrail, an attacker could operate in an unmonitored region, leaving no trace for incident responders.

Exam trap

The trap here is that candidates may think sharing the root password is acceptable for emergency access, but AWS explicitly prohibits this and recommends using IAM roles with break-glass procedures instead.

105
MCQmedium

A security engineer notices suspicious API calls from an EC2 instance that has an IAM role attached. The engineer wants to quickly determine if the instance's credentials have been compromised and are being used from an external IP address. What is the most efficient way to detect this?

A.Check VPC Flow Logs for traffic from the instance to unusual destinations.
B.Review AWS CloudTrail logs for the instance's IAM role and look for source IP addresses outside the VPC.
C.Enable Amazon GuardDuty and look for the finding type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration'.
D.Use IAM Access Analyzer to review the trust policy of the instance's IAM role.
AnswerC

GuardDuty automatically detects credential exfiltration.

Why this answer

Option C is correct because GuardDuty has the finding type 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration', which detects when credentials issued to an EC2 instance are used from an external IP address. Option B is wrong because CloudTrail logs would show the calls, but identifying external source IPs requires manual analysis. Option A is wrong because VPC Flow Logs do not include IAM principal information.

Option D is wrong because IAM Access Analyzer focuses on resource policies, not credential misuse.

106
MCQhard

A company uses Amazon Detective to investigate security findings. The security team is analyzing a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS' for an EC2 instance. The team wants to use Detective to understand the full scope of the incident, including which other resources the instance communicated with and any IAM roles used. However, when the team opens the finding in Detective, they see no network activity data for the instance. The instance is in a VPC with VPC Flow Logs enabled, and Flow Logs are being published to CloudWatch Logs. What should the team do to enable Detective to display the network activity?

A.Re-enable the GuardDuty finding in Amazon Detective.
B.Enable GuardDuty EKS Audit Logs monitoring.
C.Ensure that VPC Flow Logs are enabled for the VPC and are being published to Amazon CloudWatch Logs in the same account and Region as Detective.
D.Install the Amazon Detective agent on the EC2 instance.
AnswerC

Detective ingests VPC Flow Logs from CloudWatch Logs to provide network activity data.

Why this answer

Option C is correct because Detective ingests VPC Flow Logs from CloudWatch Logs to analyze network traffic; the Flow Logs must be in the expected format and delivered to CloudWatch Logs in the same account and Region as Detective for it to consume them. Option D is wrong because Detective does not need an agent or direct access to the instance.

Option A is wrong because the GuardDuty finding is already in Detective; the missing piece is the network data, not the finding. Option B is wrong because enabling EKS Audit Logs monitoring adds more GuardDuty findings but does not add VPC network data.

107
Multi-Selectmedium

A company wants to use AWS services to detect and respond to a potential DDoS attack on their web application hosted on EC2 instances behind an Application Load Balancer (ALB). Which TWO AWS services should the company use for detection and mitigation?

Select 2 answers
A.AWS WAF
B.AWS Shield Advanced
C.Amazon Route 53
D.Amazon CloudFront
E.Amazon GuardDuty
AnswersA, B

WAF can create rate-based rules to block excessive requests.

Why this answer

AWS WAF is correct because it allows you to create web access control lists (web ACLs) to filter and monitor HTTP/HTTPS requests to your Application Load Balancer. By defining rate-based rules, you can automatically block IP addresses that exceed a threshold of requests per 5-minute window, mitigating layer 7 DDoS attacks such as HTTP floods; separate WAF rules can also block SQL injection attempts.

Exam trap

The trap here is that candidates often confuse AWS Shield Advanced (which provides network-layer DDoS detection and mitigation) with AWS WAF (which provides application-layer filtering), but the question requires both detection and mitigation, and Shield Advanced alone does not offer the granular application-layer rule customization that WAF provides for an ALB-based web application.

108
MCQeasy

A company wants to automatically trigger a Lambda function when a new security finding is generated in AWS Security Hub. Which service should be used to invoke the Lambda function?

A.Amazon Simple Notification Service (SNS)
B.AWS Security Hub itself
C.Amazon EventBridge
D.AWS CloudTrail
AnswerC

EventBridge can match Security Hub findings and invoke Lambda.

Why this answer

Amazon EventBridge is the correct service because AWS Security Hub automatically sends all findings to the default EventBridge bus as events. You can create an EventBridge rule that matches the 'Security Hub Findings - Imported' event pattern and targets a Lambda function for invocation. This is the native, recommended integration for event-driven responses to Security Hub findings.

Exam trap

The trap here is that candidates may think Security Hub can directly invoke Lambda or that SNS is the primary integration, but AWS explicitly designed EventBridge as the central event bus for all Security Hub findings to enable flexible, rule-based routing.

How to eliminate wrong answers

Option A is wrong because Amazon SNS is a pub/sub notification service that can be used as a target for EventBridge rules, but it is not the service that directly invokes Lambda in response to Security Hub findings; SNS would require a separate subscription and does not natively parse Security Hub event patterns. Option B is wrong because AWS Security Hub itself does not invoke Lambda functions directly; it only generates findings and sends them to EventBridge, CloudWatch, or S3 via integrations. Option D is wrong because AWS CloudTrail records API calls for auditing and does not provide real-time event-driven invocation of Lambda functions based on Security Hub findings.

109
Multi-Selecteasy

A security engineer needs to detect and respond to suspicious activity on an Amazon RDS database. Which TWO services can be used together to monitor database activity and trigger automated remediation?

Select 2 answers
A.Amazon Detective
B.Amazon RDS Enhanced Monitoring
C.AWS Lambda
D.Amazon RDS Performance Insights
E.Amazon GuardDuty
AnswersC, E

Lambda can be used to automate response actions.

Why this answer

Amazon GuardDuty (Option E) provides the detection: it monitors RDS login activity for suspicious behavior and generates findings, but it does not execute remediation itself. AWS Lambda (Option C) provides the response: a function invoked from a GuardDuty finding can carry out the remediation action. Used together, the two services cover both monitoring and automated response.

Option A (Amazon Detective) analyzes findings after the fact but does not trigger remediation. Option B (RDS Enhanced Monitoring) provides OS-level metrics, not database activity. Option D (RDS Performance Insights) monitors database load for performance tuning, not security.

110
Multi-Selecthard

An organization is using Amazon EKS for container workloads. The security team wants to detect container escape attempts. Which THREE AWS services or features should be enabled? (Choose THREE.)

Select 3 answers
A.AWS WAF
B.AWS Security Hub
C.VPC Flow Logs
D.Amazon GuardDuty with EKS Runtime Monitoring
E.AWS CloudTrail
AnswersB, D, E

Security Hub aggregates findings from GuardDuty and other services.

Why this answer

Amazon GuardDuty with EKS Runtime Monitoring (Option D) detects container escape attempts by monitoring Kubernetes audit logs and runtime behavior at the host and container level. AWS CloudTrail (Option E) records API calls to EKS, including suspicious actions like unauthorized pod creation or privilege escalation. AWS Security Hub (Option B) aggregates findings from GuardDuty and CloudTrail, providing a centralized view of container escape alerts and enabling automated incident response workflows.

Exam trap

The trap here is that candidates often confuse network-level monitoring (VPC Flow Logs) or web-layer protection (WAF) with the runtime and API-level visibility required to detect container escapes, leading them to select options that address different attack surfaces.

111
MCQeasy

A security engineer is investigating a potential data exfiltration from an S3 bucket. Which AWS service should be used to analyze the VPC Flow Logs for the S3 bucket's endpoint?

A.Amazon Macie
B.Amazon Inspector
C.Amazon GuardDuty
D.Amazon Detective
AnswerD

Detective analyzes VPC Flow Logs, CloudTrail, and other logs to investigate security events.

Why this answer

Amazon Detective is the correct service because it can ingest and analyze VPC Flow Logs, including those for a VPC endpoint used to access an S3 bucket. Detective uses machine learning, statistical analysis, and graph theory to identify the root cause of suspicious network traffic patterns, such as unusual data volumes or connections to external IPs, which are indicative of data exfiltration.

Exam trap

The trap here is that candidates confuse Amazon GuardDuty's alerting capability with Amazon Detective's investigative analysis, forgetting that GuardDuty generates findings but Detective is needed for deep forensic analysis of VPC Flow Logs to understand the full scope of an incident.

How to eliminate wrong answers

Option A is wrong because Amazon Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data stored in S3 buckets, but it does not analyze VPC Flow Logs or network traffic. Option B is wrong because Amazon Inspector is a vulnerability management service that scans EC2 instances and container workloads for software vulnerabilities and unintended network exposure, not for analyzing VPC Flow Logs. Option C is wrong because Amazon GuardDuty is a threat detection service that can monitor VPC Flow Logs for malicious activity, but it is a continuous monitoring and alerting service, not an investigative tool for deep analysis of historical flow log data; Detective is designed for post-breach root-cause analysis.

112
MCQeasy

A security engineer needs to ensure that all API calls in an AWS account are logged for incident response. Which AWS service should be enabled?

A.Amazon GuardDuty
B.VPC Flow Logs
C.AWS Config
D.AWS CloudTrail
AnswerD

CloudTrail logs all API calls for governance and audit.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in an AWS account, including the identity of the caller, the time of the call, the source IP address, and the request parameters. This logging is essential for incident response to reconstruct events and identify unauthorized or malicious activity.

Exam trap

The trap here is that candidates confuse AWS Config with CloudTrail because both deal with 'logging' and 'compliance,' but Config tracks resource state changes over time, not the API calls that caused those changes.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes logs (like CloudTrail, VPC Flow Logs, and DNS logs) for malicious activity, but it does not itself generate or store API call logs. Option B is wrong because VPC Flow Logs capture metadata about network traffic (IP addresses, ports, protocols) at the elastic network interface level, not API calls to AWS services. Option C is wrong because AWS Config records resource configuration changes and evaluates compliance rules, but it does not log API calls; it relies on CloudTrail for API history.

113
MCQhard

A company's incident response team is using AWS Systems Manager to run commands on EC2 instances for forensic analysis. The team needs to ensure that the commands are run with minimal latency and that the results are stored securely. Which Systems Manager capability should the team use?

A.AWS Systems Manager Automation
B.AWS Systems Manager Session Manager
C.AWS Systems Manager Patch Manager
D.AWS Systems Manager Run Command
AnswerD

Run Command executes commands with low latency and can store output in S3.

Why this answer

AWS Systems Manager Run Command is the correct capability because it allows the incident response team to execute commands on EC2 instances with minimal latency by using the SSM Agent to run scripts or commands directly, and it can store command output in Amazon S3 or CloudWatch Logs for secure, durable storage. This meets the requirement for low-latency execution and secure result storage without requiring interactive sessions or complex automation workflows.

Exam trap

The trap here is that candidates often confuse Session Manager (interactive access) with Run Command (non-interactive execution), assuming that 'minimal latency' implies a live session, but Run Command is actually faster for scripted tasks because it avoids session setup overhead and can target multiple instances in parallel.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Automation is designed for multi-step, automated workflows (e.g., patching, AMI creation) and introduces orchestration overhead; it is not optimized for low-latency ad-hoc command execution. Option B is wrong because AWS Systems Manager Session Manager provides interactive shell or port forwarding access, not a mechanism to run commands with minimal latency and store results securely; it is for live sessions, not scripted execution. Option C is wrong because AWS Systems Manager Patch Manager is specifically for automating OS patching, not for running arbitrary forensic commands or storing results.

114
MCQhard

During an incident response, a security engineer needs to collect volatile data from an EC2 instance running Linux. The instance is in a private subnet with no direct internet access. The engineer has IAM permissions to use AWS Systems Manager Session Manager. Which command should the engineer use to capture memory and process information?

A.aws ec2 get-console-output --instance-id i-1234567890abcdef0
B.aws ssm send-command --instance-ids i-1234567890abcdef0 --document-name AWS-RunShellScript --parameters commands='volatility -f /dev/mem imageinfo'
C.aws ec2-instance-connect send-ssh-public-key --instance-id i-1234567890abcdef0 --instance-os-user ec2-user --ssh-public-key file://key.pub
D.aws ssm start-session --target i-1234567890abcdef0 --document-name AWS-StartInteractiveCommand
AnswerD

Session Manager allows interactive commands, enabling memory capture.

Why this answer

Option D is correct because AWS Systems Manager Session Manager with the AWS-StartInteractiveCommand document allows the security engineer to establish an interactive shell session to the EC2 instance without requiring direct internet access, SSH keys, or a bastion host. From this interactive session, the engineer can run native Linux commands like 'cat /proc/meminfo' or 'ps aux' to capture volatile memory and process information directly, which is the appropriate method for collecting volatile data during incident response.

Exam trap

The trap here is that candidates often confuse 'collecting volatile data' with running a forensic tool like Volatility via SSM Run Command, but they overlook that Volatility is not pre-installed, /dev/mem is restricted, and the correct approach is to use an interactive session (Session Manager) to run native OS commands for live data collection.

How to eliminate wrong answers

Option A is wrong because 'aws ec2 get-console-output' retrieves the instance's console log (text output from the system serial port), which does not provide access to live volatile memory or process information. Option B is wrong because it attempts to run the Volatility tool via AWS-RunShellScript, but Volatility is not installed by default on Linux instances, and the command 'volatility -f /dev/mem imageinfo' would fail as /dev/mem access is restricted by kernel protections (CONFIG_STRICT_DEVMEM) and requires root privileges not typically available via SSM Run Command. Option C is wrong because 'aws ec2-instance-connect send-ssh-public-key' pushes an SSH public key to the instance for SSH access, but the instance is in a private subnet with no direct internet access, and SSH would require a bastion host or VPN; moreover, this method does not provide a direct interactive session for volatile data collection.

115
MCQeasy

A security engineer is investigating a potential security incident involving an Amazon RDS database. The engineer needs to determine if someone attempted to access the database with incorrect credentials. Which AWS service should the engineer use to view authentication failures?

A.Amazon CloudWatch Logs
B.VPC Flow Logs
C.Amazon RDS database logs (error logs)
D.AWS CloudTrail
AnswerC

RDS database logs contain authentication failure entries.

Why this answer

Option C is correct because RDS database logs (such as error logs) contain authentication failure entries. Option D is wrong because CloudTrail logs API calls to RDS, not database-level authentication. Option B is wrong because VPC Flow Logs show network traffic but not authentication attempts.

Option A is wrong because CloudWatch Logs can store RDS logs, but the source of the entries is the database logs.

116
Multi-Selectmedium

A company's security team is implementing an incident response plan for a potential ransomware attack on their EC2 instances. Which THREE steps should the team take to preserve forensic evidence while containing the incident?

Select 3 answers
A.Create an EBS snapshot of the root volume.
B.Create an Amazon Machine Image (AMI) of the compromised instance.
C.Isolate the instance by modifying the security group to deny all traffic.
D.Stop the instance to preserve its state.
E.Delete the compromised instance immediately.
AnswersA, B, C

A snapshot preserves the root volume data.

Why this answer

Option A is correct because creating an EBS snapshot of the root volume preserves the exact disk state at the time of the incident, including any ransomware artifacts, file system metadata, and encryption keys. This snapshot can be used for offline forensic analysis without altering the original evidence, as it captures the block-level data of the volume.

Exam trap

The trap here is that candidates often confuse 'stopping' an instance with 'preserving state,' but stopping triggers a graceful shutdown that can alter evidence, whereas an EBS snapshot captures the live disk state without halting the instance.

117
MCQeasy

Your company has a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The security team enabled AWS CloudTrail and Amazon GuardDuty. GuardDuty generates a finding 'Recon:EC2/PortProbeUnprotectedPort' for an EC2 instance that does not exist in the account. Upon investigation, you realize that the finding is triggered by a misconfigured Network Load Balancer (NLB) that is exposing a port to the internet. The NLB is used by the API Gateway. You need to reduce false positives for this specific finding. What should you do?

A.Change the NLB to an Application Load Balancer.
B.Enable AWS Shield Advanced to block the probes.
C.Disable GuardDuty for the account.
D.Create a suppression rule in GuardDuty to filter out findings for the NLB's public IP and port.
AnswerD

Suppression rules allow filtering of known false positives.

Why this answer

Option D is correct because GuardDuty suppression rules allow you to filter out findings that are known false positives based on specific criteria, such as the public IP and port of the NLB. Since the NLB is intentionally exposing a port for API Gateway, the port probe finding is expected behavior, not a real threat. Suppressing findings for that specific combination reduces noise without disabling GuardDuty for the entire account.

Exam trap

The trap here is that candidates may think changing the load balancer type or adding DDoS protection will stop the probes, but GuardDuty detects the probe activity itself, not the vulnerability—so only suppression rules can prevent the false positive without disabling the service.

How to eliminate wrong answers

Option A is wrong because changing the NLB to an Application Load Balancer does not address the root cause—the exposed port—and ALBs also have public IPs that can be probed, potentially generating similar findings. Option B is wrong because AWS Shield Advanced is a DDoS protection service that does not suppress or filter GuardDuty findings; it mitigates volumetric attacks but does not prevent port probe detections. Option C is wrong because disabling GuardDuty entirely would remove all threat detection capabilities for the account, which is an overreaction to a single false positive and violates security best practices.

118
Multi-Selecthard

Which TWO AWS services can be used to automatically block malicious IP addresses at the network perimeter? (Select TWO.)

Select 2 answers
A.Amazon Route 53
B.Security Groups
C.Network ACLs
D.AWS WAF
E.AWS Shield Advanced
AnswersC, D

Network ACLs can deny inbound traffic from specific IPs.

Why this answer

Network ACLs (NACLs) are stateless virtual firewalls that operate at the subnet level in a VPC. They can be configured with inbound and outbound rules to explicitly deny traffic from specific IP addresses, effectively blocking malicious IPs at the network perimeter before they reach the instances.

Exam trap

The trap here is that candidates often confuse Security Groups with Network ACLs, thinking Security Groups can block traffic at the network perimeter, but Security Groups are instance-level and cannot block traffic before it enters the subnet.

119
MCQmedium

A security engineer is implementing automated incident response. The engineer wants to use AWS Lambda to automatically remediate GuardDuty findings. What is the recommended pattern to trigger the Lambda function?

A.Configure an Amazon EventBridge rule to match GuardDuty findings and invoke the Lambda function.
B.Subscribe the Lambda function to an SNS topic that GuardDuty publishes findings to.
C.Use CloudWatch Logs subscription filter to trigger Lambda on GuardDuty log entries.
D.Have the Lambda function poll the EC2 instance metadata for threat indicators.
AnswerA

EventBridge is the recommended way to route GuardDuty findings to Lambda for automated remediation.

Why this answer

Amazon EventBridge is the recommended pattern because it natively integrates with AWS GuardDuty to receive all finding events in near real-time. By configuring an EventBridge rule that matches GuardDuty finding types (e.g., 'UnauthorizedAccess:EC2/SSHBruteForce'), you can directly invoke a Lambda function for automated remediation without polling or intermediate services. This pattern is serverless, event-driven, and follows AWS best practices for decoupled incident response.

Exam trap

The trap here is that candidates may assume GuardDuty uses SNS or CloudWatch Logs for output, similar to other AWS services, but GuardDuty exclusively emits findings as EventBridge events, making EventBridge the only native and recommended trigger pattern for Lambda remediation.

How to eliminate wrong answers

Option B is wrong because GuardDuty does not publish findings directly to SNS topics; it sends findings to EventBridge or can be configured to send to SNS via EventBridge, but direct subscription is not supported. Option C is wrong because GuardDuty does not write findings to CloudWatch Logs; findings are sent as events to EventBridge, not as log entries. Option D is wrong because EC2 instance metadata does not contain threat indicators from GuardDuty; it only provides instance-specific metadata like IP address or IAM role, and polling it would be an anti-pattern for event-driven remediation.

120
MCQeasy

A security analyst needs to detect and alert on suspicious API calls in real time. Which combination of AWS services should be used?

A.AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge.
B.Amazon Inspector and AWS CloudTrail.
C.Amazon GuardDuty and AWS Lambda.
D.AWS Config and Amazon SNS.
AnswerA

Correct combination for real-time alerting on API calls.

Why this answer

AWS CloudTrail captures API calls and delivers log files to Amazon CloudWatch Logs, where you can define metric filters to detect suspicious patterns. Amazon EventBridge then consumes those filtered log events to trigger real-time alerts or automated remediation actions. This combination provides the end-to-end pipeline needed for real-time detection and alerting on API activity.

Exam trap

The trap here is that candidates often assume GuardDuty alone can provide real-time API call alerts, but GuardDuty findings are based on aggregated threat intelligence and behavioral analysis, not real-time per-API-call filtering, whereas CloudTrail plus CloudWatch Logs plus EventBridge gives you precise, real-time control over specific API actions.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and network exposure, not a real-time API call detection service. Option C is wrong because while Amazon GuardDuty can detect suspicious API activity using threat intelligence and anomaly detection, it does not natively provide real-time alerting on specific API calls; it generates findings that are typically evaluated asynchronously, and AWS Lambda alone cannot capture or filter API calls without a source like CloudTrail. Option D is wrong because AWS Config is a resource inventory and compliance service that tracks configuration changes, not API calls, and Amazon SNS is a notification service that requires a source of events (like CloudTrail and CloudWatch Logs) to deliver alerts.

121
MCQhard

During an incident response, a security engineer needs to capture a forensic image of an EC2 instance's root volume for analysis. The instance is running and cannot be stopped. What is the recommended approach to capture the volume without stopping the instance?

A.Use the dd command via AWS Systems Manager to create a raw image and store it in S3.
B.Detach the volume from the instance, create a snapshot, and then attach it to a forensic analysis instance.
C.Create a snapshot while the volume is attached to the instance.
D.Use AWS Systems Manager to run a command that copies the volume content to S3.
AnswerB

Detaching ensures data consistency; snapshot captures the state for analysis.

Why this answer

Option B is correct because detaching the root volume from a running instance is not possible without stopping it first, but the recommended approach is to create a snapshot of the attached volume while the instance is running, then use that snapshot to create a new volume and attach it to a forensic analysis instance. This ensures a point-in-time copy without halting the instance, preserving volatile data and minimizing disruption.

Exam trap

The trap here is that candidates may think detaching the volume from a running instance is possible (it is not for root volumes without stopping the instance), or they may confuse creating a snapshot as the final step rather than the intermediate step to obtain a forensic copy.

How to eliminate wrong answers

Option A is wrong because the dd command via AWS Systems Manager would require the volume to be unmounted or the instance to be stopped to avoid data corruption from concurrent writes, and storing a raw image in S3 is inefficient and not a standard forensic practice. Option C is wrong because creating a snapshot while the volume is attached is actually the correct first step, but the question asks for the full recommended approach to capture the volume for analysis, which includes using the snapshot to create a new volume and attach it to a forensic instance—not just taking the snapshot. Option D is wrong because AWS Systems Manager cannot directly copy volume content to S3 without first creating a snapshot or using a tool like dd, which would require the volume to be unmounted or the instance to be stopped to ensure consistency.

122
MCQeasy

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that any changes to CloudTrail configuration (e.g., disabling the trail, deleting the trail, modifying the log delivery) are detected immediately. They have created a CloudWatch Events rule to capture the event 'StopLogging' and send an SNS notification. During testing, the team stops the trail and does not receive the notification. The CloudWatch Events rule is configured with the correct event pattern. What should the team check?

A.Verify that the CloudTrail trail is logging management events.
B.Ensure that the event pattern includes the correct source and detail-type.
C.Confirm that the SNS topic subscription is confirmed.
D.Check the IAM role associated with the CloudWatch Events rule to ensure it has permissions to publish to the SNS topic.
AnswerD

The rule must assume a role with sns:Publish permission on the topic.

Why this answer

Option D is correct because CloudWatch Events rules require an IAM role to invoke the SNS topic. The role must have sns:Publish permissions. Option A is wrong because the trail is logging management events by default.

Option B is wrong because the event pattern is correct, but the target action fails. Option C is wrong because SNS topic subscriptions are for subscribers, not for publishing.

123
Multi-Selecthard

A security team is implementing automated response to AWS GuardDuty findings. Which THREE actions should be taken to ensure proper incident response?

Select 3 answers
A.Create an AWS Lambda function that automatically modifies the security group of the affected instance to block all traffic.
B.Tag the affected instance with a 'quarantine' tag for tracking.
C.Create a snapshot of the EBS volumes attached to the instance for forensic analysis.
D.Terminate the affected instance immediately to neutralize the threat.
E.Disable AWS CloudTrail to prevent further logging of malicious activity.
AnswersA, B, C

Containment action.

Why this answer

Option A is correct because isolating the affected instance by modifying its security group to block all traffic is a common containment strategy that stops malicious network activity without destroying evidence. This approach allows the security team to perform forensic analysis and remediation while preventing further compromise, aligning with AWS incident response best practices.

Exam trap

The trap here is that candidates may think immediate termination (Option D) is the fastest way to neutralize a threat, but AWS incident response frameworks emphasize containment and evidence preservation over destruction.

124
MCQhard

A security engineer is reviewing AWS CloudTrail logs and notices a large number of `DescribeInstances` API calls from a single IAM user in a short period. The engineer suspects a credential compromise. What is the most effective way to automatically revoke the compromised credentials and notify the security team?

A.Use AWS CloudTrail to automatically disable the IAM user's access keys.
B.Create an Amazon EventBridge rule that triggers an AWS Lambda function to revoke the keys and send an SNS notification.
C.Create an AWS Config rule that checks for excessive API calls and revokes keys.
D.Enable Amazon GuardDuty to automatically revoke compromised credentials.
AnswerB

EventBridge can match CloudTrail events, invoke Lambda to revoke keys, and publish to SNS.

Why this answer

AWS CloudTrail can trigger a Lambda function via CloudWatch Events (now Amazon EventBridge). The Lambda function can then revoke the IAM user's keys and notify via SNS. AWS Config cannot revoke keys.

IAM does not have built-in automatic revocation based on CloudTrail events. GuardDuty provides findings but does not automatically revoke credentials.

125
MCQmedium

A company uses a hybrid architecture with on-premises servers and AWS. The company uses AWS Site-to-Site VPN to connect to a VPC. The security team suspects that a VPN tunnel has been compromised and an attacker is intercepting traffic. The team needs to verify the integrity of the VPN connection. What is the MOST effective way to detect if traffic is being intercepted?

A.Monitor Amazon CloudWatch metrics for the VPN tunnel, such as tunnel state and data throughput.
B.Use AWS Config to check VPN configuration compliance.
C.Use a third-party network monitoring tool to perform deep packet inspection.
D.Enable VPC Flow Logs and analyze traffic patterns for unusual destinations.
AnswerA

Anomalies in metrics can indicate issues.

Why this answer

Option A is correct because monitoring Amazon CloudWatch metrics for the VPN tunnel, specifically the 'TunnelState' metric, directly indicates whether the tunnel is up or down. A compromised tunnel that is intercepting traffic would likely cause the tunnel to flap or drop unexpectedly, which CloudWatch can alert on. Additionally, abnormal data throughput patterns (e.g., sudden spikes or drops) can signal interception or rerouting of traffic, making this the most effective way to detect integrity issues without relying on traffic content.

Exam trap

The trap here is that candidates confuse configuration compliance (AWS Config) or traffic analysis (VPC Flow Logs) with active tunnel integrity verification, overlooking that CloudWatch metrics directly monitor the VPN tunnel's operational state and performance, which is the most reliable indicator of compromise without requiring decryption.

How to eliminate wrong answers

Option B is wrong because AWS Config checks configuration compliance (e.g., encryption settings, routing rules) but cannot detect active interception or compromise of a live VPN tunnel; it only validates static configuration. Option C is wrong because deep packet inspection (DPI) requires decrypting the VPN traffic, which is not possible without the VPN encryption keys; any intercepted traffic would also be encrypted, so DPI cannot distinguish legitimate from intercepted traffic. Option D is wrong because VPC Flow Logs capture metadata (IPs, ports, protocols) but not the content or integrity of the VPN tunnel; unusual destinations might indicate exfiltration but do not directly confirm tunnel interception, and flow logs cannot detect if traffic is being modified or replayed within the encrypted tunnel.

126
MCQeasy

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. What is the MOST efficient way to enable GuardDuty for all accounts?

A.Create a Lambda function that uses AWS Organizations API to enable GuardDuty in each account
B.Use AWS Service Catalog to provision GuardDuty across accounts
C.Manually enable GuardDuty in each member account
D.Enable GuardDuty in the management account and designate a delegated administrator to manage GuardDuty
AnswerD

GuardDuty supports delegated administrator for Organizations, simplifying enablement.

Why this answer

Option D is correct because AWS Organizations allows you to enable GuardDuty at the management account level and then designate a delegated administrator to manage GuardDuty across all member accounts. This approach is the most efficient as it eliminates the need for per-account manual or scripted enablement, leveraging the Organizations API to automatically enroll all existing and future accounts.

Exam trap

The trap here is that candidates may think a custom Lambda function or manual per-account setup is required, overlooking the built-in delegated administrator feature that streamlines multi-account GuardDuty management via AWS Organizations.

How to eliminate wrong answers

Option A is wrong because creating a Lambda function to call the Organizations API for each account is unnecessary and less efficient; the delegated administrator feature in GuardDuty already automates multi-account enablement without custom code. Option B is wrong because AWS Service Catalog is designed for provisioning and governing IT service catalogs, not for enabling security services like GuardDuty across accounts; it adds complexity without benefit. Option C is wrong because manually enabling GuardDuty in each member account is inefficient, error-prone, and does not scale, especially in environments with many accounts or frequent account creation.

127
MCQhard

A security engineer suspects that an EC2 instance is communicating with a known malicious IP address. The engineer needs to capture the full network packets for analysis. Which approach should be taken?

A.Enable AWS Security Hub to detect and capture malicious traffic.
B.Install the Amazon CloudWatch agent on the instance to capture network logs.
C.Enable VPC Flow Logs on the subnet and analyze the logs.
D.Use VPC Traffic Mirroring to mirror the instance's ENI to a monitoring appliance.
AnswerD

Traffic Mirroring captures full packets for deep packet inspection.

Why this answer

VPC Traffic Mirroring captures and copies all network traffic from an EC2 instance's Elastic Network Interface (ENI) and forwards it to a monitoring appliance (e.g., a security appliance or packet analyzer) for full packet-level analysis. This is the only option that provides raw, full network packets (including headers and payloads) without impacting the instance's performance or requiring software installation on the instance itself.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which provide metadata only) with full packet capture, leading them to choose Option C, but VPC Flow Logs cannot capture packet payloads required for deep forensic analysis.

How to eliminate wrong answers

Option A is wrong because AWS Security Hub is a security posture management service that aggregates findings from other services (e.g., GuardDuty, Inspector) and does not capture raw network packets. Option B is wrong because the Amazon CloudWatch agent collects metrics and logs (e.g., CPU, memory, application logs) but cannot capture full network packets at the OSI Layer 2/3 level; it lacks packet capture capabilities. Option C is wrong because VPC Flow Logs capture metadata (e.g., source/destination IP, port, protocol, packet count) but do not capture the actual packet payloads or full network packets required for deep analysis.

128
Multi-Selecteasy

A company is designing an incident response plan for AWS. The plan must include the ability to collect forensic data from EC2 instances without requiring SSH key pairs. Which TWO AWS services can be used to acquire forensic data from EC2 instances without remote access? (Choose 2.)

Select 2 answers
A.AWS Systems Manager Run Command
B.AWS Config
C.Amazon Inspector
D.AWS CloudTrail
E.Amazon EBS snapshots
AnswersA, E

Run Command executes commands without SSH.

Why this answer

AWS Systems Manager Run Command allows you to run scripts or commands on EC2 instances via the SSM Agent, without requiring SSH keys or direct network access. This enables forensic data collection (e.g., memory dumps, log files) by executing commands remotely through the AWS Systems Manager service, using IAM roles for authentication.

Exam trap

The trap here is that candidates often confuse AWS Config or CloudTrail as tools for collecting instance-level forensic data, when in fact they are governance and logging services that do not provide direct access to instance memory or disk contents.

129
MCQeasy

A security engineer is reviewing AWS CloudTrail and notices `AssumeRole` API calls to a role that should not be assumed by the source identity. What is the FIRST step in the incident response process?

A.Enable AWS GuardDuty to detect future anomalies.
B.Delete the IAM role immediately.
C.Investigate the source IP address and user agent of the `AssumeRole` calls.
D.Disable the AWS account and contact support.
AnswerC

Helps determine if the activity is malicious.

Why this answer

The first step in any incident response process is to investigate and gather evidence to understand the scope and impact of the potential security event. Option C is correct because analyzing the source IP address and user agent of the `AssumeRole` API calls provides critical forensic data to determine if the activity is malicious or a false positive, without disrupting operations or destroying evidence. AWS CloudTrail logs these details, enabling the security engineer to trace the origin of the unauthorized assumption before taking any containment or remediation actions.

Exam trap

The trap here is that candidates often jump to containment actions like deleting the role or disabling the account, forgetting that the first step in incident response is always to investigate and gather evidence to confirm the threat and preserve forensic data.

How to eliminate wrong answers

Option A is wrong because enabling AWS GuardDuty is a proactive detection measure, not an immediate first step during an active incident; it would not help investigate the existing suspicious `AssumeRole` calls already logged. Option B is wrong because immediately deleting the IAM role could destroy forensic evidence, disrupt legitimate workloads that depend on the role, and is a hasty containment action that should only follow a thorough investigation. Option D is wrong because disabling the entire AWS account is an extreme, disproportionate response that would cause a complete denial of service for all users and applications, and contacting support is not a technical first step for investigation.

130
MCQeasy

A security engineer is investigating a potential compromise of an EC2 instance. The engineer needs to capture network traffic to and from the instance for forensic analysis. Which AWS service should be used to capture this traffic?

A.AWS Config
B.AWS Network Firewall
C.VPC Traffic Mirroring
D.Amazon Inspector
AnswerC

VPC Traffic Mirroring replicates network traffic for analysis.

Why this answer

VPC Traffic Mirroring captures and inspects network traffic at the Elastic Network Interface (ENI) level by copying packets from a source ENI to a target, such as a Network Load Balancer or another ENI. This allows the security engineer to perform deep packet inspection and forensic analysis without impacting the production traffic flow. It supports both IPv4 and IPv6 traffic and can filter by protocol, port, or packet direction, making it ideal for incident response scenarios.

Exam trap

The trap here is that candidates confuse VPC Traffic Mirroring with AWS Network Firewall, assuming that a firewall inherently captures traffic, but Network Firewall only inspects and filters traffic in-line without providing a separate packet capture stream for forensic analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config is a resource inventory and compliance auditing service that records configuration changes, not network traffic. Option B is wrong because AWS Network Firewall is a managed firewall service that filters traffic at the VPC level but does not capture or mirror traffic for forensic analysis; it blocks or allows traffic based on rules. Option D is wrong because Amazon Inspector is a vulnerability assessment service that scans for software vulnerabilities and unintended network exposure, not a packet capture tool.

131
Multi-Selectmedium

A security engineer is designing a threat detection solution for a multi-account AWS environment. The engineer needs to detect and respond to suspicious API activity across all accounts. Which TWO services should be used together to achieve this? (Choose two.)

Select 2 answers
A.Amazon CloudWatch
B.Amazon GuardDuty
C.AWS Security Hub
D.Amazon Inspector
E.AWS Config
AnswersB, C

GuardDuty analyzes CloudTrail, DNS, and VPC Flow Logs for threats.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior across AWS accounts, including suspicious API activity. By enabling GuardDuty in all accounts and aggregating findings to a central administrator account, it provides the necessary detection layer for multi-account environments.

Exam trap

The trap here is that candidates often confuse AWS Security Hub (a findings aggregation and compliance service) with a primary detection tool, but Security Hub itself does not generate threat detections—it ingests findings from GuardDuty and other services, so both are needed together.

132
MCQmedium

Refer to the exhibit. A security engineer runs this AWS CLI command to investigate root user logins. The output shows a successful ConsoleLogin event. What should the engineer do next to improve security?

A.Delete the root user account.
B.Disable the root user password and require all logins via IAM users.
C.Enable IAM Access Analyzer to detect and alert on root user activity.
D.Enable multi-factor authentication (MFA) for the root user.
AnswerC

Access Analyzer can monitor root user activity.

Why this answer

Option C is correct because the root user should not be used for daily activities; the best practice is to enable IAM Access Analyzer to detect root user activity. Option B is wrong because the root user password cannot be disabled; it can only be deleted.

Option D is wrong because root user MFA is important but not the most direct response to this finding. Option A is wrong because the root user cannot be deleted.

133
MCQeasy

A security team detects that an IAM user's access keys are being used from an unusual geographic location. Which AWS service provides this type of anomaly detection?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerC

GuardDuty detects anomalous behavior such as unusual geographic access.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, including anomalous API calls from unusual geographic locations. It uses machine learning models and integrated threat intelligence to analyze AWS CloudTrail management events, VPC Flow Logs, and DNS logs, making it the correct service for detecting IAM user access key usage from an unexpected region.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, but CloudTrail only records events and does not analyze them for anomalies—GuardDuty is the service that performs the analysis and generates findings.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure, not for monitoring IAM user activity or geographic anomalies. Option B is wrong because AWS CloudTrail is a governance, compliance, and auditing service that records API activity but does not perform real-time anomaly detection or flag unusual geographic patterns on its own. Option D is wrong because AWS Config is a resource inventory and compliance service that evaluates resource configurations against rules, not a threat detection service for anomalous user behavior.

134
MCQmedium

A company uses Amazon GuardDuty and AWS Security Hub. The security team wants to automatically remediate high-severity GuardDuty findings that indicate an EC2 instance is communicating with a known command and control (C&C) server. The remediation should isolate the instance by modifying the security group to deny all inbound and outbound traffic. Which solution is the most efficient?

A.Use Amazon CloudWatch Events to directly modify the security group when a GuardDuty finding is published.
B.Send Security Hub findings to Amazon EventBridge, which triggers a Lambda function to modify the security group.
C.Configure GuardDuty to automatically update the security group when a finding is generated.
D.Create an AWS Config rule that triggers a Lambda function when a security group change is detected.
AnswerB

EventBridge can route findings to Lambda for custom remediation actions.

Why this answer

Option B is correct because it leverages Security Hub as a central aggregation point for GuardDuty findings, then uses EventBridge to trigger a Lambda function that modifies the security group. This is the most efficient architecture as Security Hub normalizes findings from multiple sources, and EventBridge provides reliable, low-latency event routing to Lambda for custom remediation logic without requiring direct GuardDuty-to-security-group integration.

Exam trap

The trap here is that candidates assume GuardDuty can directly modify security groups (Option C) or that CloudWatch Events can directly perform API actions (Option A), when in reality both require a Lambda function as an intermediary to execute the remediation logic.

How to eliminate wrong answers

Option A is wrong because CloudWatch Events (now part of EventBridge) can trigger on GuardDuty findings, but directly modifying a security group from a CloudWatch Events rule is not possible — CloudWatch Events cannot execute API calls to modify security groups; it only routes events to targets like Lambda. Option C is wrong because GuardDuty does not have native capability to automatically modify security groups; it only generates findings and can send them to EventBridge or Security Hub, but cannot directly perform remediation actions. Option D is wrong because an AWS Config rule that triggers on security group changes is reactive and does not address the requirement to automatically remediate the GuardDuty finding; it would only detect changes after they occur, not initiate the isolation based on the finding.

135
MCQhard

A company runs a critical web application on a fleet of EC2 instances behind an Application Load Balancer (ALB). The application uses an Aurora MySQL database. The security team receives an alert from Amazon GuardDuty that a specific EC2 instance is exhibiting behavior consistent with a cryptocurrency mining attack, including outbound connections to known mining pools. The instance is part of an Auto Scaling group that uses a launch template with a security group that allows outbound HTTPS traffic to 0.0.0.0/0. The security engineer needs to contain the incident while minimizing downtime for the application. The engineer has already taken a forensic snapshot of the instance's EBS volume. Which course of action should the engineer take next?

A.Modify the security group attached to the instance to deny all outbound traffic, and let Auto Scaling launch a replacement instance.
B.SSH into the instance and run a script to kill the mining process.
C.Detach the instance from the Auto Scaling group and isolate it by removing all security group rules.
D.Immediately terminate the compromised EC2 instance and allow Auto Scaling to launch a new instance.
AnswerA

This immediately blocks outbound communication from the compromised instance while Auto Scaling replaces it, minimizing downtime.

Why this answer

Option A is correct because modifying the security group to deny all outbound traffic immediately stops the cryptocurrency mining communication to known mining pools without terminating the instance, preserving forensic data. The Auto Scaling group will detect the instance's health check failure (due to the application becoming unreachable) and automatically launch a replacement instance, minimizing downtime. This approach contains the incident while allowing the application to recover through the Auto Scaling group's self-healing mechanism.

Exam trap

The trap here is that candidates may think immediate termination (Option D) is the fastest containment method, but they overlook that security group modification can contain the threat instantly without destroying evidence or causing unnecessary downtime.

How to eliminate wrong answers

Option B is wrong because SSHing into a compromised instance is unsafe; the attacker may have modified system binaries or installed rootkits, and killing the process is temporary as it could restart or the instance could be reinfected. Option C is wrong because detaching the instance from the Auto Scaling group and removing security group rules does not stop the outbound mining traffic immediately—the instance still has network access via its existing security group until rules are removed, and detaching prevents Auto Scaling from automatically replacing it. Option D is wrong because immediately terminating the instance destroys the forensic snapshot's value (the snapshot is already taken, but termination is premature) and could cause application downtime if the replacement instance takes time to launch, whereas containing via security group allows a smoother transition.
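The Lambda side of the Security Hub to EventBridge to Lambda isolation flow from questions 134 and 135, as an added example that is not part of the question bank. It assumes findings arrive as the "Security Hub Findings - Imported" EventBridge event, that the quarantine security group id comes from an ISOLATION_SG_ID environment variable, and that the GuardDuty type is matched on the substring "C&CActivity"; because security groups are allow-lists with no deny rules, "deny all traffic" is implemented by swapping the instance onto a group that has no rules at all.

```python
"""Added example (not the page's own code): isolate EC2 instances named in
high-severity GuardDuty command-and-control findings delivered through
Security Hub and EventBridge.

Assumptions (not stated on the page): event shape is the
"Security Hub Findings - Imported" EventBridge event, the quarantine
security group id comes from ISOLATION_SG_ID, and the finding type is
matched on the substring "C&CActivity".
"""
from __future__ import annotations

import os
from typing import Any

# A security group cannot contain deny rules, so "deny all inbound and
# outbound" means replacing the instance's groups with one that has no rules.
ISOLATION_SG_ID = os.environ.get("ISOLATION_SG_ID", "sg-ISOLATION-PLACEHOLDER")
TYPE_MARKER = "C&CActivity"          # assumption: substring of the finding type
SEVERITIES = {"HIGH", "CRITICAL"}    # only high-severity findings are remediated


def instances_to_isolate(event: dict[str, Any]) -> list[str]:
    """Return EC2 instance ids referenced by matching findings in the event."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    wanted: list[str] = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Severity", {}).get("Label") not in SEVERITIES:
            continue
        if not any(TYPE_MARKER in t for t in finding.get("Types", [])):
            continue
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            # ASFF resource Id is the instance ARN; the instance id follows the last '/'
            instance_id = res.get("Id", "").rsplit("/", 1)[-1]
            if instance_id.startswith("i-") and instance_id not in wanted:
                wanted.append(instance_id)
    return wanted


def lambda_handler(event, context=None, ec2_client=None):
    """Isolate each matching instance.

    In the deployed Lambda pass boto3.client("ec2"); with ec2_client=None this
    is a dry run that only reports which instances would be isolated.
    """
    targets = instances_to_isolate(event)
    for instance_id in targets:
        if ec2_client is not None:
            # Replaces every group on the primary ENI with the quarantine group.
            ec2_client.modify_instance_attribute(
                InstanceId=instance_id, Groups=[ISOLATION_SG_ID])
    return {"isolated": targets, "dry_run": ec2_client is None}


# Constructed sample event (ASFF-shaped; account id and instance ids are made up).
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B"],
         "Severity": {"Label": "HIGH"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456789a"}]},
        {"Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
         "Severity": {"Label": "LOW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ffffffffffffffff"}]},
    ]},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))   # dry run: only the HIGH C&C finding's instance
```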

136
MCQeasy

Which AWS service can be used to detect and alert on suspicious network traffic patterns within a VPC, such as port scanning or unusual outbound traffic?

A.AWS WAF
B.Amazon GuardDuty
C.AWS Network Firewall
D.VPC Flow Logs
AnswerB

GuardDuty uses machine learning and threat intelligence to detect suspicious network activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors VPC Flow Logs, DNS logs, and CloudTrail events to identify suspicious network traffic patterns such as port scanning, unusual outbound traffic, and other malicious activities. It uses machine learning, anomaly detection, and integrated threat intelligence to generate security alerts without requiring manual rules or signatures.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (a raw data source) with a detection service, or assume AWS Network Firewall's stateful inspection includes anomaly-based alerting, when in fact GuardDuty is the only service that provides automated threat detection and alerting for network patterns like port scanning and unusual outbound traffic.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting at the application layer (HTTP/HTTPS), not for detecting network-level anomalies like port scanning or unusual outbound traffic within a VPC. Option C is wrong because AWS Network Firewall is a stateful managed firewall that enforces network traffic rules (e.g., allow/deny based on IP, port, protocol) but does not perform threat detection or anomaly-based alerting for patterns like port scanning; it requires explicit rule configuration. Option D is wrong because VPC Flow Logs is a raw logging feature that captures metadata about IP traffic (e.g., source/destination IP, port, protocol) but does not analyze, detect, or alert on suspicious patterns; it only provides the data that services like GuardDuty consume.

137
Multi-Selecthard

Which TWO steps are part of the forensic acquisition process for an EC2 instance suspected of being compromised?

Select 2 answers
A.Stop the instance immediately to prevent further damage.
B.Enable termination protection on the instance.
C.Terminate the instance to ensure the threat is contained.
D.Capture the instance's memory using a forensic tool.
E.Create a snapshot of the root EBS volume.
AnswersD, E

Memory contains volatile data like running processes.

Why this answer

Option D is correct because capturing the instance's memory using a forensic tool (such as LiME or F-Response) preserves volatile data—including running processes, network connections, and encryption keys—that would be lost if the instance were stopped or terminated. This is a critical step in the forensic acquisition process to gather evidence of compromise without altering the system state.

Exam trap

The trap here is that candidates often confuse incident response containment (stopping or terminating the instance) with forensic acquisition, which requires preserving both volatile memory and disk state before any changes are made.

138
MCQeasy

A company's security team wants to detect unauthorized S3 bucket access attempts in real time. Which service should they use to generate alerts when an IAM user attempts to access a bucket without proper permissions?

A.Amazon GuardDuty
B.AWS CloudTrail with CloudWatch alarms
C.S3 server access logs
D.AWS Config
AnswerB

CloudTrail logs every API call; metric filters on error codes trigger alarms in real time.

Why this answer

AWS CloudTrail logs all API calls made to S3, including access denied errors. By creating a CloudWatch alarm on the `S3 AccessDenied` event in CloudTrail logs, the security team can receive real-time alerts when an IAM user attempts to access a bucket without proper permissions. This approach directly captures the unauthorized attempt at the API level, enabling immediate detection.

Exam trap

The trap here is that candidates often choose Amazon GuardDuty because it is associated with threat detection, but they overlook that GuardDuty does not provide real-time, per-user unauthorized access alerts for S3; instead, CloudTrail with CloudWatch alarms directly captures the specific API error event needed for this use case.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events for malicious activity, but it does not generate real-time alerts specifically for individual IAM user unauthorized S3 access attempts; it focuses on broader threat patterns. Option C is wrong because S3 server access logs are delivered on a best-effort basis, typically with a delay of several hours, making them unsuitable for real-time alerting. Option D is wrong because AWS Config is a service for evaluating resource compliance and tracking configuration changes, not for monitoring real-time API access attempts or generating alerts for unauthorized access.
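The detection logic behind the CloudTrail plus CloudWatch alarm answer above, as an added example that is not part of the question bank. METRIC_FILTER_PATTERN is the CloudWatch Logs filter you would attach to the CloudTrail log group; the Python functions re-implement that match so it can be run offline over constructed, abbreviated CloudTrail records.

```python
"""Added example (not the page's own code): match CloudTrail records for
S3 AccessDenied errors the way a CloudWatch Logs metric filter would, then
count them per IAM user so an alarm threshold can be applied.
"""
import json
from collections import Counter

# CloudWatch Logs JSON filter-pattern syntax: eventSource is s3 and the call failed
# with CloudTrail's AccessDenied errorCode. Attach this to the CloudTrail log group.
METRIC_FILTER_PATTERN = '{ ($.eventSource = "s3.amazonaws.com") && ($.errorCode = "AccessDenied") }'


def matches_pattern(record: dict) -> bool:
    """True when a CloudTrail record would increment the metric."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("errorCode") == "AccessDenied")


def denied_by_user(log_lines) -> Counter:
    """Count denied S3 calls per IAM user across one-record-per-line log events."""
    counts: Counter = Counter()
    for line in log_lines:
        record = json.loads(line)
        if matches_pattern(record):
            user = record.get("userIdentity", {}).get("userName", "<unknown>")
            counts[user] += 1
    return counts


def should_alarm(counts: Counter, threshold: int = 1) -> list:
    """Users whose denied-call count reached the alarm threshold in this period."""
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed, abbreviated records as CloudTrail delivers them to CloudWatch Logs
# (one JSON record per log event). Not real log output.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "errorCode": "AccessDenied",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "requestParameters": {"bucketName": "finance-reports"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "requestParameters": {"bucketName": "public-assets"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "errorCode": "AccessDenied",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
                "errorCode": "AccessDenied",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "requestParameters": {"bucketName": "finance-reports"}}),
]

if __name__ == "__main__":
    counts = denied_by_user(SAMPLE_LOG_LINES)
    print(dict(counts), should_alarm(counts, threshold=2))   # {'alice': 2} ['alice']
```

The EC2 denial and bob's successful GetObject are deliberately excluded: the pattern keys on both eventSource and errorCode, which is what keeps the alarm specific to unauthorized S3 access.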

139
MCQmedium

A company uses AWS CloudTrail to log all API activity. The security team needs to retain the logs for 7 years and ensure they are tamper-proof. Additionally, the team must be able to query the logs for investigations. Which solution meets these requirements?

A.Store logs in AWS CloudTrail Lake and use the built-in query feature.
B.Store logs in Amazon CloudWatch Logs with a retention policy of 7 years.
C.Store logs in an Amazon S3 bucket with standard settings and use Amazon S3 Select for querying.
D.Store logs in an Amazon S3 bucket with S3 Object Lock enabled and query using Amazon Athena.
AnswerD

Object Lock provides immutability; Athena enables querying.

Why this answer

Option D is correct because Amazon S3 Object Lock provides a write-once-read-many (WORM) model that prevents logs from being deleted or overwritten, ensuring tamper-proof retention for 7 years. Amazon Athena allows querying the logs directly in S3 using standard SQL, meeting the investigation requirement without needing to move data.

Exam trap

The trap here is that candidates often choose CloudTrail Lake (Option A) because it offers built-in querying, but they overlook the tamper-proof requirement, which only S3 Object Lock can guarantee for long-term retention.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail Lake is designed for short-term retention and analysis (up to 7 years but with limited query capabilities and higher cost), and it does not provide native tamper-proof controls like S3 Object Lock. Option B is wrong because Amazon CloudWatch Logs has a maximum retention period of 10 years, but it does not offer tamper-proof features; logs can be deleted or modified by authorized users, and querying is limited to CloudWatch Logs Insights, which is not as flexible as Athena for large-scale analysis. Option C is wrong because storing logs in an S3 bucket with standard settings does not prevent tampering—logs can be overwritten or deleted—and Amazon S3 Select is limited to simple filtering and cannot handle complex SQL queries needed for thorough investigations.

140
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled and logging to a central S3 bucket. They need to detect any account that disables or modifies its CloudTrail trail. Which approach meets these requirements with the least operational overhead?

A.Use AWS Config rules with an aggregator in the management account to evaluate CloudTrail configuration across all accounts.
B.Enable CloudTrail Insights in all accounts to detect unusual activity.
C.Enable IAM Access Analyzer in each account to monitor CloudTrail changes.
D.Create a Lambda function that periodically checks CloudTrail status in each account via the API.
AnswerA

AWS Config rules can continuously evaluate compliance and trigger notifications on changes.

Why this answer

AWS Config rules with an aggregator in the management account can evaluate CloudTrail configuration across all accounts in AWS Organizations without deploying per-account resources. The aggregator collects configuration snapshots and changes from member accounts, allowing a single managed rule (e.g., cloud-trail-enabled) to detect when a trail is disabled or modified. This approach minimizes operational overhead because it uses native AWS services with no custom code or cross-account IAM roles to manage.

Exam trap

The trap here is that candidates may think a custom Lambda function (Option D) is necessary for cross-account monitoring, overlooking that AWS Config with an aggregator natively supports multi-account evaluation with far less operational overhead.

How to eliminate wrong answers

Option B is wrong because CloudTrail Insights detects unusual API activity (e.g., write events with error rates), not configuration changes to the trail itself; it does not monitor whether a trail is enabled or modified. Option C is wrong because IAM Access Analyzer analyzes resource-based policies for external access, not CloudTrail trail configuration or status; it cannot detect trail disablement or modification. Option D is wrong because a Lambda function that periodically checks CloudTrail status via the API requires custom code, cross-account IAM roles, and scheduling infrastructure, resulting in higher operational overhead compared to a managed AWS Config rule with an aggregator.

141
MCQhard

Your organization uses AWS Organizations with 50 member accounts. You are the security administrator for the root account. You have enabled AWS CloudTrail in all accounts and centralized the logs in an S3 bucket in the root account. You also enabled Amazon GuardDuty in the root account and have delegated an administrator account. Recently, you received an alert from GuardDuty about a potential credential compromise in a member account. The finding indicates that an IAM user in that account made an API call from an unusual IP address. You need to quickly gather all CloudTrail events for that user from the last 30 days across all accounts. The logs are stored in a single S3 bucket with a prefix structure like 'AWSLogs/<account-id>/CloudTrail/<region>/<year>/<month>/<day>'. What is the MOST efficient way to query these logs?

A.Use Amazon Athena to query the CloudTrail logs by creating a table partitioned by account, region, and date.
B.Enable AWS CloudTrail Lake and create a new event data store that includes the historical logs.
C.Download all log files from the S3 bucket for the last 30 days and parse them locally.
D.Use Amazon CloudWatch Logs Insights to query the logs from the member account.
AnswerA

Athena allows efficient SQL querying of the log data.

Why this answer

Amazon Athena is the most efficient way to query CloudTrail logs stored in S3 because it allows you to run SQL queries directly on the data without moving or downloading it. By creating a table partitioned by account, region, and date, you can quickly filter for the specific IAM user's events across all 50 accounts for the last 30 days, leveraging partition pruning to scan only the relevant log files. This approach minimizes data scanned and cost, while providing near-instant results.

Exam trap

The trap here is that candidates may think CloudTrail Lake (Option B) is the only way to query CloudTrail logs efficiently, but Athena is actually the native, cost-effective solution for querying CloudTrail logs stored in S3 without additional ingestion steps.

How to eliminate wrong answers

Option B is wrong because CloudTrail Lake requires you to create a new event data store, which would need to ingest the historical logs from S3, incurring additional costs and time for data ingestion and indexing, making it less efficient than directly querying the existing S3 logs with Athena. Option C is wrong because downloading all log files for 30 days from a multi-account S3 bucket would be extremely time-consuming, bandwidth-intensive, and impractical for 50 accounts, and parsing them locally would require significant manual effort and storage. Option D is wrong because CloudWatch Logs Insights can only query logs that are sent to CloudWatch Logs, but the CloudTrail logs are stored in S3, not in CloudWatch Logs, and even if they were, CloudWatch Logs Insights cannot query logs across multiple accounts from a single query.

142
MCQmedium

Refer to the exhibit. A security engineer reviews an S3 bucket policy that is intended to allow the root user of account 123456789012 to get objects only from the 10.0.0.0/24 IP range. However, the policy is not working as expected. What is the MOST likely reason?

A.The principal is set to root, which cannot be used in bucket policies.
B.The resource ARN is incorrect because it should include the bucket name without /*.
C.The condition should use 'aws:VpcSourceIp' instead of 'aws:SourceIp' when requests come through a VPC endpoint.
D.The condition key 'aws:SourceIp' is not supported for S3 bucket policies.
AnswerC

If the request is made through a VPC endpoint, the source IP is the endpoint IP, and 'aws:VpcSourceIp' is needed.

Why this answer

Option C is correct because when requests to an S3 bucket originate from a VPC endpoint (such as a gateway VPC endpoint for S3), the source IP address is translated to the private IP of the VPC endpoint, and the `aws:SourceIp` condition key cannot be used to evaluate the original client IP. Instead, you must use the `aws:VpcSourceIp` condition key to restrict access based on the IP address of the VPC endpoint. The policy as written would fail to match any requests coming through the VPC endpoint, causing the intended restriction to not work.

Exam trap

The trap here is that candidates assume `aws:SourceIp` works universally for all S3 access scenarios, but they overlook the special behavior of VPC endpoints where the source IP is replaced, making `aws:VpcSourceIp` the correct key for IP-based restrictions in that context.

How to eliminate wrong answers

Option A is wrong because the root user of an AWS account can be specified as a principal in a bucket policy using the ARN `arn:aws:iam::123456789012:root`, and it is a valid principal for S3 bucket policies. Option B is wrong because the resource ARN `arn:aws:s3:::bucket-name/*` is correct for granting access to objects within the bucket; omitting `/*` would only grant access to the bucket itself, not its objects. Option D is wrong because `aws:SourceIp` is fully supported in S3 bucket policies for IP-based restrictions, but it does not work when the request traverses a VPC endpoint due to IP address translation.
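A small policy evaluator showing why the bucket policy above fails for requests that arrive through a VPC endpoint, as an added example that is not part of the question bank. It models only the IpAddress condition operator on the single Allow statement, the two request contexts are constructed, and it relies on the IAM rule that a condition whose key is absent from the request context is not satisfied.

```python
"""Added example (not the page's own code): evaluate the question's bucket
policy against a request made from a NAT'd public address and a request made
through a VPC endpoint, with the condition key set to aws:SourceIp and then to
aws:VpcSourceIp. Only the IpAddress operator is modelled.
"""
import ipaddress

ALLOWED_RANGE = "10.0.0.0/24"


def policy_with(condition_key: str) -> dict:
    """The bucket policy from the question, parameterised on the condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {"IpAddress": {condition_key: ALLOWED_RANGE}},
        }],
    }


def condition_met(condition: dict, context: dict) -> bool:
    """IAM semantics for IpAddress: every key must be present and inside the CIDR."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, cidr in pairs.items():
            if key not in context:          # missing key: condition is not satisfied
                return False
            if ipaddress.ip_address(context[key]) not in ipaddress.ip_network(cidr):
                return False
    return True


def evaluate(policy: dict, context: dict) -> str:
    """'Allow' if any Allow statement's condition applies, else the implicit 'Deny'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and condition_met(stmt.get("Condition", {}), context):
            return "Allow"
    return "Deny"


# Constructed request contexts (only the relevant global condition keys are shown).
# A request leaving the VPC via a NAT gateway carries the NAT's public address.
VIA_NAT = {"aws:SourceIp": "203.0.113.10"}
# A request through a gateway endpoint carries the requester's private address in
# aws:VpcSourceIp and has no aws:SourceIp at all. The endpoint id is a placeholder.
VIA_VPC_ENDPOINT = {"aws:VpcSourceIp": "10.0.0.25", "aws:SourceVpce": "vpce-PLACEHOLDER"}

if __name__ == "__main__":
    for key in ("aws:SourceIp", "aws:VpcSourceIp"):
        print(key, "NAT:", evaluate(policy_with(key), VIA_NAT),
              "VPC endpoint:", evaluate(policy_with(key), VIA_VPC_ENDPOINT))
```

With aws:SourceIp the endpoint request is denied because the key is simply absent, not because the address is out of range; switching the key to aws:VpcSourceIp is what makes the 10.0.0.0/24 restriction take effect.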

143
Multi-Selecteasy

Which TWO are best practices for securing an AWS account's root user? (Choose two.)

Select 2 answers
A.Share the root user credentials with the security team.
B.Delete the root user account.
C.Enable multi-factor authentication (MFA) on the root user.
D.Delete any access keys associated with the root user.
E.Use the root user for daily administrative tasks.
AnswersC, D

MFA adds a layer of security.

Why this answer

Option C is correct because enabling multi-factor authentication (MFA) on the root user adds a second layer of security beyond the password and is the single most effective control to prevent unauthorized access to the most privileged account in an AWS environment. AWS strongly recommends MFA for the root user as it mitigates the risk of credential theft or compromise, which could lead to full account takeover and irreversible damage.

Exam trap

The trap here is that candidates may think deleting the root user (Option B) is possible or that sharing credentials with a team (Option A) is a valid security practice, when in fact AWS prohibits deletion of the root user and sharing credentials violates security best practices.

144
MCQeasy

A company uses Amazon RDS for its database. The security team needs to detect when a database instance is started or stopped outside of maintenance windows. Which AWS service should the team use to monitor these API calls?

A.Amazon CloudWatch
B.Amazon GuardDuty
C.AWS CloudTrail
D.AWS Config
AnswerC

CloudTrail logs all RDS API calls, enabling monitoring and alerting.

Why this answer

AWS CloudTrail is the correct service because it records API activity in your AWS account, including StartDBInstance and StopDBInstance calls from the RDS service. By monitoring CloudTrail logs, the security team can detect when a database instance is started or stopped outside of maintenance windows, as each API call is logged with a timestamp and user identity. CloudTrail is specifically designed for auditing API calls, making it the appropriate tool for this use case.

Exam trap

The trap here is that candidates confuse CloudWatch's ability to create alarms on CloudTrail events with CloudWatch itself being the service that records API calls, but CloudWatch only processes logs delivered by CloudTrail and cannot natively capture API activity without CloudTrail as the source.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, but it does not natively capture or record API calls like StartDBInstance or StopDBInstance; it can only alert on CloudTrail-delivered events via a metric filter, not directly detect the API calls themselves. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail management events for malicious activity, but it is not designed for custom operational monitoring of specific API calls like database start/stop events; it focuses on security threats, not operational compliance. Option D is wrong because AWS Config is a configuration tracking and compliance service that evaluates resource configurations against rules, but it does not monitor real-time API calls; it can detect configuration changes (e.g., a DB instance being stopped) only after they occur via configuration changes, not the API call event itself.

145
MCQeasy

A security engineer needs to detect and respond to potential credential theft where an IAM user's access key is being used from an unusual geographic location. Which AWS service should be used to generate alerts based on this anomaly?

A.AWS IAM Access Analyzer
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerC

GuardDuty uses ML to detect suspicious API activity, including credential compromise.

Why this answer

Amazon GuardDuty is the correct choice because it is a threat detection service that uses machine learning and integrated threat intelligence to identify anomalous behavior, such as an IAM access key being used from an unusual geographic location. It specifically analyzes CloudTrail management and data events, VPC flow logs, and DNS logs to detect credential theft patterns like a new geolocation or an impossible travel scenario, and can trigger alerts via Amazon EventBridge or SNS for automated response.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, assuming that CloudTrail alone can generate alerts for geographic anomalies, when in reality it only provides raw logs that require additional analysis services like GuardDuty or custom solutions to detect and alert on such patterns.

How to eliminate wrong answers

Option A is wrong because AWS IAM Access Analyzer is designed to identify resources shared with external entities by analyzing resource-based policies, not to detect anomalous usage patterns like geographic anomalies in access key usage. Option B is wrong because AWS CloudTrail is a logging service that records API activity but does not perform real-time anomaly detection or generate alerts based on unusual geographic locations; it would require additional custom logic (e.g., Athena queries or Lambda functions) to analyze the logs for such patterns. Option D is wrong because AWS Config is a configuration management and compliance service that tracks resource configuration changes and evaluates rules, not a threat detection service capable of identifying credential theft or geographic anomalies in IAM user activity.

146
MCQeasy

A security engineer needs to ensure that any changes to an S3 bucket's public access settings are immediately detected and an alert is sent. Which combination of AWS services should be used?

A.Amazon GuardDuty and AWS Lambda
B.Amazon CloudWatch Logs and Amazon SNS
C.AWS CloudTrail and Amazon CloudWatch Logs
D.AWS Config and AWS Lambda
AnswerD

Config can evaluate S3 bucket public access settings and trigger a Lambda function for alerting.

Why this answer

AWS Config continuously monitors and records changes to AWS resource configurations, including S3 bucket public access settings. By creating a Config rule that triggers on changes to the `PublicAccessBlockConfiguration` or bucket ACLs, you can invoke an AWS Lambda function via an Amazon SNS topic to send an alert. This combination provides real-time detection and automated response to unauthorized public access changes.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs API calls) with AWS Config (which evaluates configuration compliance), leading them to choose Option C, but CloudTrail alone cannot trigger alerts without additional services like CloudWatch Logs and Lambda, and it lacks the continuous compliance evaluation that AWS Config provides.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity (e.g., unusual API calls or compromised credentials), not for configuration changes to S3 bucket public access settings. Option B is wrong because Amazon CloudWatch Logs can store log data but does not natively detect or alert on S3 configuration changes; it would require additional services like CloudTrail to capture the events, and the combination lacks the rule-based evaluation needed for immediate detection. Option C is wrong because AWS CloudTrail logs API calls (including changes to S3 bucket policies), but CloudTrail alone does not provide real-time alerting; while you can create a metric filter on CloudWatch Logs, this setup requires manual configuration and does not natively evaluate configuration compliance like AWS Config does, and it lacks the automated remediation capability of AWS Lambda.

147
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team uses AWS Security Hub to consolidate findings. They notice that a critical finding in the production account is not being aggregated in Security Hub. The finding is generated by Amazon GuardDuty. What is the MOST likely cause?

A.Amazon GuardDuty is not enabled in the production account.
B.The IAM role for Security Hub does not have permissions to read GuardDuty findings.
C.AWS Config is not enabled in the production account.
D.VPC Flow Logs are not enabled in the production account.
AnswerA

GuardDuty must be enabled in each account to generate findings that Security Hub aggregates.

Why this answer

AWS Security Hub aggregates findings from integrated services in every account where both the service and its Security Hub integration are enabled. GuardDuty findings therefore reach Security Hub only if a GuardDuty detector exists and is enabled in the Region of the production account where the activity occurred. With no detector there, no finding is generated, so there is nothing for Security Hub to aggregate; that is the most likely cause of the missing critical finding.

Exam trap

The trap is assuming that Security Hub enables or reaches into all security services across accounts by itself. It does not: each producing service, GuardDuty included, must be enabled in each account and Region before its findings can be aggregated.

How to eliminate wrong answers

Option B is wrong because no customer-managed IAM role is involved: GuardDuty pushes its findings into Security Hub through the built-in service integration (the BatchImportFindings API on the Security Hub side), and Security Hub itself runs under the service-linked role AWSServiceRoleForSecurityHub. Option C is wrong because AWS Config is needed for Security Hub's security standard checks, not for ingesting GuardDuty findings. Option D is wrong because VPC Flow Logs are one of GuardDuty's data sources, not a Security Hub finding source; GuardDuty reads them directly from the VPC without the customer enabling flow logs, so their absence cannot stop a finding from reaching Security Hub.

148
MCQmedium

An organization uses AWS Organizations and wants to centrally manage Amazon GuardDuty across multiple accounts. What is the correct architecture?

A.Enable GuardDuty only in the master account; it will automatically monitor all member accounts.
B.Use AWS CloudFormation StackSets to deploy GuardDuty in all accounts and regions.
C.Designate a delegated administrator account in Organizations and enable GuardDuty in that account.
D.Enable GuardDuty in each region separately and use cross-region aggregation.
AnswerC

Delegated admin can manage GuardDuty across member accounts.

Why this answer

Option C is correct because AWS Organizations lets you designate a member account as the delegated administrator for Amazon GuardDuty. From that account the security team can enable GuardDuty in every existing and newly added member account (auto-enable), manage protection plans and review all member findings centrally, without touching each account individually. The designation is made per Region, so it is repeated in each Region the organization uses.

Exam trap

The trap is assuming that enabling GuardDuty in the management (formerly master) account covers the member accounts (Option A). It does not: GuardDuty has no implicit organization-wide scope, so member coverage requires an administrator/member relationship, and within Organizations the supported way to create one is the delegated administrator.

How to eliminate wrong answers

Option A is wrong because a detector in the management account monitors only that account; member accounts need their own detectors, enabled either individually or through the delegated administrator. Option B is wrong because StackSets can create a detector in every account and Region, but that yields unrelated detectors with no administrator/member relationship and no central view of findings; Organizations delegation provides both natively. Option D is wrong because GuardDuty is Regional and has no built-in cross-Region aggregation of its own; enabling it Region by Region is necessary but does not address the multi-account management the question asks about, which the delegated administrator provides (a consolidated cross-Region view would come from Security Hub's cross-Region aggregation, not from GuardDuty).

149
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to centrally collect and analyze VPC Flow Logs from all accounts. The team has set up a central logging account with an S3 bucket that has a bucket policy allowing cross-account writes. However, VPC Flow Logs from member accounts are not appearing. What is the most likely cause?

A.AWS CloudTrail is not enabled in the member accounts.
B.The VPC Flow Logs must be delivered to CloudWatch Logs first, then exported to S3.
C.VPC Flow Logs cannot be published directly to an S3 bucket in a different account. The logs must be published to a bucket in the same account as the VPC, and then replicated to the central account.
D.The S3 bucket policy does not allow the s3:PutObject action for the member accounts.
AnswerD

Flow Logs are written by the log delivery service principal, not by the member accounts' own IAM principals.

Why this answer

VPC Flow Logs can be published directly to an S3 bucket in another account; no same-account staging bucket or replication is required. Delivery is performed by the log delivery service (delivery.logs.amazonaws.com), so the central bucket's policy must grant that service principal s3:PutObject on the log prefix, with the s3:x-amz-acl condition set to bucket-owner-full-control, and s3:GetBucketAcl on the bucket, ideally restricted by an aws:SourceAccount condition listing the member accounts. A policy that merely allows the member accounts' IAM principals to write objects, however broadly, does not cover the delivery service, so the flow logs are never written. The DeliverLogsErrorMessage field in describe-flow-logs output shows the resulting access error.

Exam trap

The trap is the phrase "bucket policy allowing cross-account writes": it sounds sufficient, but the principal doing the writing is the delivery service, not a member-account user or role. Candidates who do not know which principal performs the write either pick the replication workaround in Option C or assume the policy must already be fine.

How to eliminate wrong answers

Option A is wrong because CloudTrail records API calls and plays no part in flow log delivery. Option B is wrong because Flow Logs can be sent to CloudWatch Logs, S3 or Kinesis Data Firehose directly; an S3 destination needs no CloudWatch Logs hop. Option C is wrong because direct cross-account publishing to S3 is supported; a same-account bucket plus replication is an unnecessary, slower and costlier detour.
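A check that reproduces the failure described above, as an added example that is not code from the original page. The bucket name, account IDs and both policies are constructed: the first is the kind of "cross-account writes" policy the question describes, the second is the grant the delivery service actually needs. The diagnosis function walks a bucket policy and reports what is missing for delivery.logs.amazonaws.com.

```python
"""Why cross-account VPC Flow Log delivery to S3 fails: inspect the bucket policy.

Added example, not code from the original page. Bucket name, account IDs and
both policies are constructed. Flow Logs are written by the log delivery
service principal, so grants to the member accounts' own IAM principals do not
admit the writer.
"""
import json

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
BUCKET = "central-flow-logs"
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def diagnose_flow_log_policy(policy: dict, bucket: str, member_accounts: list) -> list:
    """Return the reasons delivery would fail; an empty list means the policy suffices."""
    problems, put_ok, acl_ok, sources = [], False, False, set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or DELIVERY_PRINCIPAL not in services:
            continue  # grants to IAM users or roles do not help the delivery service
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "s3:PutObject" in actions and any(r.startswith(f"arn:aws:s3:::{bucket}/") for r in resources):
            if equals.get("s3:x-amz-acl") == "bucket-owner-full-control":
                put_ok = True
            else:
                problems.append("PutObject grant must require s3:x-amz-acl=bucket-owner-full-control")
            sources.update(_as_list(equals.get("aws:SourceAccount")))
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
    if not put_ok:
        problems.append(f"no s3:PutObject grant to {DELIVERY_PRINCIPAL} on {bucket}/*")
    if not acl_ok:
        problems.append(f"no s3:GetBucketAcl grant to {DELIVERY_PRINCIPAL} on {bucket}")
    if put_ok and not sources:
        problems.append("no aws:SourceAccount condition: any AWS account could deliver logs here")
    problems += [f"aws:SourceAccount condition omits member account {a}"
                 for a in member_accounts if sources and a not in sources]
    return problems


# Constructed: the policy the question describes, granting the member accounts' principals.
MEMBER_PRINCIPALS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in MEMBER_ACCOUNTS]},
        "Action": ["s3:PutObject", "s3:GetBucketAcl"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Constructed: the grant the delivery service needs, scoped to the member accounts.
DELIVERY_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": MEMBER_ACCOUNTS,
            }},
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_PRINCIPAL},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringEquals": {"aws:SourceAccount": MEMBER_ACCOUNTS}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("member principals only", MEMBER_PRINCIPALS_ONLY),
                         ("delivery service", DELIVERY_SERVICE_POLICY)):
        print(name, "->", diagnose_flow_log_policy(policy, BUCKET, MEMBER_ACCOUNTS) or "OK")
    print(json.dumps(DELIVERY_SERVICE_POLICY, indent=2))
```

The aws:SourceAccount condition is what keeps the bucket from becoming a confused-deputy sink that any AWS account can fill with logs; an aws:SourceArn condition on the member accounts' log ARNs tightens it further.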

150
MCQmedium

Your company has a single AWS account with a production VPC that contains several EC2 instances running a web application. The security team has enabled Amazon GuardDuty and AWS CloudTrail. Recently, GuardDuty reported a finding 'UnauthorizedAccess:EC2/TorClient' for one of the instances. The finding indicates that the instance is making connections to Tor exit nodes. You need to investigate and contain the incident. The instance is critical to the application and cannot be terminated. You have a forensic analysis instance in a separate security group. What should you do FIRST?

A.Isolate the instance by modifying its security group to remove all inbound and outbound rules except for the forensic analysis instance.
B.Terminate the instance immediately and launch a replacement.
C.Take an EBS snapshot of the instance's root volume for analysis.
D.Use AWS Systems Manager Run Command to install a forensic agent on the instance.
AnswerA

Isolation stops exfiltration and allows safe investigation.

Why this answer

Option A is correct because, for a compromised instance that cannot be terminated, the first step is containment: cut its network access before anything else. Replacing its security group rules so that only the forensic analysis instance can reach it (and it can reach only the forensic instance) stops the outbound Tor connections and any exfiltration while still permitting controlled investigative access. The change is immediate, reversible and preserves the running system, which is the order of operations a responder wants: contain first, then collect evidence and eradicate.

Exam trap

The trap here is that candidates may rush to collect forensic evidence (snapshot or agent) before containing the threat, failing to recognize that the first priority in incident response is to stop the active malicious behavior (outbound Tor connections) to prevent data exfiltration or further compromise.

How to eliminate wrong answers

Option B is wrong because the instance is critical to the application and cannot be terminated, and immediate termination would destroy volatile data (e.g., running processes, memory contents) needed for forensic analysis. Option C is wrong because taking an EBS snapshot is a valid forensic step, but it should be performed after containment to prevent the compromised instance from continuing malicious outbound connections during the snapshot process. Option D is wrong because installing a forensic agent via Systems Manager Run Command requires network connectivity and could be blocked or tampered with by the malware, and it does not address the immediate need to stop the outbound Tor connections.
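The containment step from Option A as an added example, not code from the original page. The instance, VPC and security-group identifiers are constructed; isolation_rules() and verify_isolated() are pure functions over the ec2:DescribeSecurityGroups rule format, and apply_isolation() is the only part that calls AWS (through boto3), assuming a principal allowed to create security groups and modify instance attributes.

```python
"""Isolate a compromised EC2 instance behind a forensic-only security group.

Added example, not code from the original page. Instance, VPC and security
group identifiers are constructed. Only apply_isolation() talks to AWS.
"""
from datetime import datetime, timezone

# The egress rule every newly created security group starts with.
ALLOW_ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def isolation_rules(forensic_sg_id: str) -> dict:
    """Ingress from, and egress to, the forensic instance's security group only."""
    pair = [{"GroupId": forensic_sg_id, "Description": "IR forensic workstation"}]
    return {
        "ingress": [{"IpProtocol": "-1", "UserIdGroupPairs": pair}],
        "egress": [{"IpProtocol": "-1", "UserIdGroupPairs": pair}],
    }


def verify_isolated(ip_permissions: list, ip_permissions_egress: list, forensic_sg_id: str) -> list:
    """Return every rule term that admits a peer other than the forensic security group.

    Run this over describe_security_groups output before trusting a group;
    an empty list means the instance can talk to nothing but the forensic host.
    """
    violations = []
    for direction, perms in (("ingress", ip_permissions), ("egress", ip_permissions_egress)):
        for perm in perms:
            for r in perm.get("IpRanges", []):
                violations.append(f"{direction} {r['CidrIp']}")
            for r in perm.get("Ipv6Ranges", []):
                violations.append(f"{direction} {r['CidrIpv6']}")
            for r in perm.get("PrefixListIds", []):
                violations.append(f"{direction} {r['PrefixListId']}")
            for g in perm.get("UserIdGroupPairs", []):
                if g.get("GroupId") != forensic_sg_id:
                    violations.append(f"{direction} {g.get('GroupId')}")
    return violations


def apply_isolation(instance_id: str, vpc_id: str, forensic_sg_id: str, ec2=None) -> dict:
    """Swap the instance onto a fresh isolation group; never stop or terminate it."""
    import boto3  # imported here so the pure helpers stay usable offline

    ec2 = ec2 or boto3.client("ec2")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]  # evidence and rollback path
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    sg_id = ec2.create_security_group(
        GroupName=f"ir-isolation-{instance_id}-{stamp}",
        Description=f"IR isolation for {instance_id}; original SGs {','.join(original_sgs)}",
        VpcId=vpc_id,
    )["GroupId"]
    # Drop the default allow-all egress first, or the Tor traffic keeps flowing
    # through the "isolation" group.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[ALLOW_ALL_EGRESS])
    rules = isolation_rules(forensic_sg_id)
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=rules["ingress"])
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=rules["egress"])
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    leaks = verify_isolated(group["IpPermissions"], group["IpPermissionsEgress"], forensic_sg_id)
    if leaks:
        raise RuntimeError(f"isolation group {sg_id} still reaches: {leaks}")
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return {"instance": instance_id, "isolation_sg": sg_id, "original_sgs": original_sgs}


if __name__ == "__main__":
    # Offline demonstration on constructed rule sets: the default egress rule leaks.
    forensic = "sg-0forensic000000000"
    print(verify_isolated([], [ALLOW_ALL_EGRESS], forensic))
    built = isolation_rules(forensic)
    print(verify_isolated(built["ingress"], built["egress"], forensic))
```

Two caveats a responder should keep in mind: the original security group IDs are recorded because they are evidence and the only clean way back once the instance is cleared; and because security groups are stateful, an already-established Tor session may linger until it idles out, so confirm with VPC Flow Logs that the outbound flows have stopped and, if they persist, add a deny entry in the subnet's network ACL, which is stateless.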
