CCNA Threat Detection and Incident Response Questions

18 of 243 questions · Page 4/4 · Threat Detection and Incident Response

226 · MCQ · medium

A security engineer is analyzing a potential security incident involving an Amazon RDS for MySQL database. The engineer suspects that a SQL injection attack was successful. Which AWS service can the engineer use to review the actual SQL queries that were executed against the database?

A. VPC Flow Logs
B. Amazon GuardDuty
C. AWS CloudTrail
D. Amazon RDS Audit Logs

Answer: D

RDS Audit Logs can record SQL statements executed.

Why this answer

Amazon RDS for MySQL supports audit logs that capture detailed records of database activities, including the actual SQL queries executed. By enabling the `audit_log` plugin and configuring the `server_audit_events` parameter, the engineer can review the exact SQL statements that were run, which is essential for identifying a SQL injection attack. This is the only AWS service that provides query-level visibility into RDS database operations.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (which logs control-plane API calls) with database audit logs (which log data-plane SQL queries), leading them to incorrectly select CloudTrail for reviewing executed SQL statements.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture metadata about network traffic (IP addresses, ports, protocols) but do not log the content of SQL queries or database operations. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes AWS CloudTrail events, VPC Flow Logs, and DNS logs for suspicious activity, but it does not provide direct access to the SQL queries executed against an RDS database. Option C is wrong because AWS CloudTrail records API calls made to the RDS service (e.g., creating a DB instance) but does not log the data-plane SQL queries executed within the database itself.

227 · MCQ · easy

A company has a requirement to detect and alert on S3 objects that contain personally identifiable information (PII) being shared publicly. Which AWS service should be used?

A. Amazon CloudWatch
B. Amazon GuardDuty
C. Amazon Inspector
D. Amazon Macie

Answer: D

Macie is designed to discover and protect sensitive data in S3.

Why this answer

Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in S3. Option B (GuardDuty) detects threats, not data classification. Option C (Inspector) is for vulnerabilities. Option A (CloudWatch) is for monitoring.

228 · MCQ · easy

Refer to the exhibit. A security engineer is analyzing VPC Flow Logs and notices a pattern of outbound traffic from an EC2 instance to an external IP on port 22 (SSH). The engineer wants to identify which instances are initiating SSH connections to the internet. Which field in the flow log record indicates the source of the connection?

A. The first IP address in the log entry (srcaddr)
B. The second IP address (dstaddr)
C. The first port number (srcport)
D. The second port number (dstport)

Answer: A

The first IP is the source address; for outbound traffic, it is the internal IP of the instance.

Why this answer

In VPC Flow Logs, the `srcaddr` field records the source IP address of the traffic. Since the engineer is looking for which EC2 instances are initiating outbound SSH connections (port 22), the source IP in the flow log entry (srcaddr) directly identifies the instance that started the connection. The direction of the traffic is determined by the source and destination fields, not by the port numbers alone.

Exam trap

The trap here is that candidates confuse the source port (srcport) with the source address (srcaddr), mistakenly thinking the port number identifies the initiating instance, when in fact the source IP address is the correct field to determine which EC2 instance started the connection.

How to eliminate wrong answers

Option B is wrong because `dstaddr` is the destination IP address (the external server), not the source EC2 instance. Option C is wrong because `srcport` is the source port number (a random ephemeral port used by the client), not the IP address of the initiating instance. Option D is wrong because `dstport` is the destination port (22 for SSH), which identifies the service but not the source of the connection.

229 · Multi-Select · easy

A security engineer needs to detect and respond to malware on an EC2 instance. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A. Amazon Inspector
B. AWS Lambda
C. Amazon CloudWatch
D. AWS WAF
E. Amazon GuardDuty with Malware Protection

Answers: B, E

Can automate response to GuardDuty findings.

Why this answer

AWS Lambda is correct because it can be used as a serverless compute target to automate incident response actions when malware is detected. For example, a Lambda function can be triggered by a GuardDuty finding to isolate the compromised EC2 instance by modifying security group rules or detaching the instance from an Auto Scaling group, enabling rapid, automated remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse Amazon Inspector's vulnerability scanning with malware detection, or assume CloudWatch alone can perform automated incident response, when in fact GuardDuty's Malware Protection is the only AWS-native service that directly detects malware on EC2, and Lambda is required for automated remediation.

230 · MCQ · hard

During an incident, a security engineer needs to isolate a compromised Amazon EC2 instance without losing the ability to capture forensic data from its EBS volumes. What is the best course of action?

A. Terminate the instance immediately and take a snapshot after termination.
B. Take a snapshot of the EBS volumes, then detach the instance from the Auto Scaling group and modify the security group to deny all traffic.
C. Stop the instance, detach the volumes, and attach them to a forensic instance.
D. Change the security group to restrict traffic to only the forensic team's IP addresses.

Answer: B

Snapshot preserves data, then isolation by removing from ASG and blocking traffic.

Why this answer

Option B is correct because taking a snapshot of the EBS volumes preserves the forensic data before any changes occur, while detaching the instance from the Auto Scaling group prevents automatic replacement, and modifying the security group to deny all traffic isolates the instance without losing the running state or the ability to capture additional volatile data. This approach balances isolation with forensic preservation, ensuring the instance remains available for further analysis if needed.

Exam trap

The trap here is that candidates often confuse 'stopping' an instance with 'isolating' it, not realizing that stopping triggers OS shutdown processes that can destroy volatile evidence, whereas modifying the security group to deny all traffic achieves isolation without altering the instance state.

How to eliminate wrong answers

Option A is wrong because terminating the instance destroys the running state and any volatile data (e.g., memory, process list), and while a snapshot can be taken after termination, the EBS volumes may have been altered or deleted, losing critical forensic evidence. Option C is wrong because stopping the instance clears the instance store (if used) and may trigger OS-level shutdown scripts that could overwrite or delete forensic data; detaching volumes and attaching them to a forensic instance is a valid step but should be done after taking a snapshot to ensure a point-in-time copy, and stopping the instance is unnecessary and risky. Option D is wrong because restricting traffic to only the forensic team's IP addresses does not fully isolate the instance from lateral movement or external threats; the instance remains accessible and could still be compromised or used as a pivot point, and it does not prevent the instance from being terminated or altered by an attacker.

231 · Multi-Select · medium

Which TWO actions should a security engineer take to investigate a potential AWS API credential leak? (Choose two.)

Select 2 answers
A. Use AWS CloudTrail to review API calls made with the compromised keys.
B. Change the IAM user's password.
C. Disable all AWS services in the account.
D. Immediately rotate the compromised access keys.
E. Delete the IAM user and recreate it with the same permissions.

Answers: A, D

CloudTrail logs show what actions were performed.

Why this answer

AWS CloudTrail logs all API calls made within an AWS account, including those using compromised access keys. By reviewing these logs, a security engineer can identify the scope of the breach, such as which resources were accessed, from which IP addresses, and at what times. This is a critical first step in incident response to understand the impact and gather forensic evidence.

Exam trap

The trap here is that candidates often confuse 'rotating the keys' with 'changing the password' (Option B), not realizing that access keys and passwords are independent credentials, and that immediate rotation (Option D) is the correct containment action alongside forensic investigation (Option A).

232 · MCQ · medium

During a security incident, a security engineer needs to verify whether an EC2 instance's security group allowed inbound SSH from a specific IP address at the time of the incident. Which AWS service or feature should the engineer use to obtain this historical information?

A. Amazon CloudTrail event history.
B. AWS Systems Manager Inventory.
C. VPC Flow Logs.
D. AWS Config configuration history.

Answer: D

AWS Config records the configuration of security groups over time, allowing you to see the rules at the time of the incident.

Why this answer

AWS Config configuration history records changes to security group rules, including the addition or removal of inbound SSH allow rules. By querying the configuration history for the specific security group, the engineer can determine the exact state of the rules at the time of the incident, including whether a specific IP address was allowed. This is the only service that provides a historical record of security group rule configurations.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which show traffic) with security group configuration history, but Flow Logs only show whether traffic was permitted or denied based on the rules at that time, not the rules themselves.

How to eliminate wrong answers

Option A is wrong because CloudTrail event history logs API calls (e.g., AuthorizeSecurityGroupIngress) but does not capture the actual state of the security group rules at a point in time; it only shows when changes were made, not the current or historical configuration. Option B is wrong because AWS Systems Manager Inventory collects software and configuration data from managed instances, not security group rule history. Option C is wrong because VPC Flow Logs capture network traffic metadata (source/destination IP, port, protocol) but do not record security group rule configurations; they show traffic that was allowed or denied, not the rules themselves.

233 · MCQ · hard

A security engineer is designing an incident response plan for a containerized application running on Amazon ECS with Fargate. The engineer needs to ensure that if a container is compromised, the incident response team can capture a memory dump and disk snapshot for forensic analysis. The containers are stateless and use ephemeral storage. Which approach provides the necessary forensic data?

A. Configure the container to stream /dev/mem to CloudWatch Logs.
B. Enable ECS task memory dumps to CloudWatch Logs.
C. Use ECS Exec to access the container and capture a memory dump; snapshot the task's ephemeral storage.
D. Stop the task and create a new task from the same image.

Answer: C

ECS Exec provides interactive access; snapshots can capture disk state.

Why this answer

Option C is correct because ECS Exec allows interactive access to a running container without stopping it, enabling the capture of a memory dump (e.g., via `gcore` or `/proc/kcore`). Additionally, the task's ephemeral storage can be snapshotted while the container is still running, preserving disk state for forensic analysis. This approach aligns with incident response best practices for stateless containers on Fargate, where traditional host-level forensics are unavailable.

Exam trap

The trap here is that candidates assume stopping the task (Option D) is safe because containers are stateless, but they overlook that forensic data (memory and ephemeral disk) is lost upon task termination, making live capture via ECS Exec (Option C) the only viable method.

How to eliminate wrong answers

Option A is wrong because `/dev/mem` is not accessible in Fargate containers (no kernel-level access) and streaming it to CloudWatch Logs would not produce a usable memory dump; CloudWatch Logs is for log data, not binary forensic artifacts. Option B is wrong because ECS does not have a native feature to send task memory dumps to CloudWatch Logs; memory dumps require explicit capture via tools like `gcore` or `dd` from within the container. Option D is wrong because stopping the task destroys the ephemeral storage and the container's memory, losing all forensic evidence; creating a new task from the same image provides no snapshot of the compromised state.

234 · Multi-Select · hard

A security engineer is investigating a potential compromise. The engineer has captured a memory dump from an EC2 instance and needs to analyze it for malware. Which TWO actions should the engineer take to preserve the chain of custody? (Choose TWO.)

Select 2 answers
A. Create an EBS snapshot of the instance's root volume.
B. Analyze the memory dump on the same EC2 instance.
C. Record the date, time, and digital signature of the acquisition.
D. Generate a cryptographic hash of the memory dump file.
E. Upload the memory dump to a public S3 bucket for analysis.

Answers: C, D

Establishes chain of custody.

Why this answer

Option C is correct because recording the date, time, and digital signature of the acquisition establishes a clear audit trail, which is essential for proving that the evidence has not been tampered with. In forensic investigations, this metadata is part of the standard chain-of-custody documentation that demonstrates who collected the evidence, when, and that it remains unaltered. A digital signature (e.g., using a tool like gpg or a signed hash) provides non-repudiation and integrity verification beyond a simple hash.

Exam trap

The trap here is that candidates confuse preserving the chain of custody with preserving the data itself, leading them to choose Option A (EBS snapshot) as a backup method, when in fact chain of custody is about documentation and integrity verification, not data preservation.

235 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants a centralized view of all security alerts and findings from services like GuardDuty, Security Hub, and Inspector across all accounts. What is the MOST efficient way to achieve this?

A. Use AWS Systems Manager OpsCenter to centrally view all security findings.
B. Use individual service consoles (GuardDuty, Security Hub, Inspector) for each account.
C. Use Amazon CloudWatch Logs to collect logs from each account and create custom dashboards.
D. Use AWS Security Hub with cross-account aggregation in the management account.

Answer: D

Security Hub can aggregate findings from multiple accounts and services into a single dashboard.

Why this answer

AWS Security Hub is designed to aggregate findings from multiple security services (GuardDuty, Inspector, etc.) across accounts. By enabling cross-account aggregation in the management account of AWS Organizations, Security Hub provides a single, centralized dashboard for all security alerts and findings without needing to collect raw logs or build custom dashboards. This is the most efficient and native approach for a multi-account environment.

Exam trap

The trap here is that candidates may think CloudWatch Logs or OpsCenter are suitable for centralized security findings, but they lack the native cross-account aggregation and structured finding format that Security Hub provides, which is the most efficient and purpose-built solution.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager OpsCenter is primarily for operational issues and incident management, not for aggregating security findings from GuardDuty, Security Hub, or Inspector across accounts; it lacks native cross-account security finding aggregation. Option B is wrong because using individual service consoles for each account is inefficient and does not provide a centralized view; it requires manual logins and lacks cross-account aggregation. Option C is wrong because Amazon CloudWatch Logs can collect logs, but building custom dashboards for security findings is complex, requires additional parsing, and does not natively aggregate structured findings from GuardDuty, Security Hub, or Inspector as Security Hub does.

236 · MCQ · easy

A company uses AWS CloudFormation to deploy infrastructure. During a security incident, the security team needs to quickly capture a point-in-time snapshot of the entire environment for forensic analysis. The environment includes EC2 instances, RDS databases, and EBS volumes. What is the fastest way to preserve the state of the environment?

A. Create Amazon Machine Images (AMIs) of all EC2 instances.
B. Enable AWS CloudTrail and start logging.
C. Create EBS snapshots of all EC2 instances and RDS snapshots of all databases.
D. Export the CloudFormation stack template.

Answer: C

Snapshots are quick point-in-time captures.

Why this answer

Option C is correct because creating EBS snapshots of EC2 instances and RDS snapshots of databases captures point-in-time, crash-consistent copies of the underlying block storage, preserving the exact disk state for forensic analysis. This is the fastest method as snapshots are incremental and initiated asynchronously, allowing the environment to remain operational while the snapshot is being created.

Exam trap

The trap here is that candidates may confuse 'capturing state' with 'logging activity' (CloudTrail) or 'infrastructure definition' (CloudFormation template), overlooking that forensic analysis requires the actual disk data, not metadata or logs.

How to eliminate wrong answers

Option A is wrong because creating AMIs involves bundling an EBS snapshot with instance metadata and optionally rebooting the instance, which takes longer and may alter the instance state; snapshots alone are faster and sufficient for forensic preservation. Option B is wrong because enabling CloudTrail starts logging future API calls but does not capture the current state of EC2 instances, RDS databases, or EBS volumes, making it useless for point-in-time forensic snapshots. Option D is wrong because exporting the CloudFormation stack template only captures the infrastructure-as-code definition, not the runtime data or disk contents, so it cannot preserve the environment's state for forensic analysis.

237 · MCQ · hard

A company's security team is designing an incident response plan for AWS resources. They want to ensure that when a security incident is detected in a production account, a pre-defined runbook is executed automatically. The runbook includes steps to isolate the compromised resource and collect forensic evidence. Which combination of services should the team use to implement this automation?

A. Amazon EventBridge and AWS Lambda
B. AWS Config and Amazon EC2 Auto Scaling
C. AWS Step Functions and AWS Lambda
D. AWS Systems Manager Incident Manager and AWS Systems Manager Automation

Answer: D

Incident Manager manages incidents and can trigger Automation runbooks for response.

Why this answer

AWS Systems Manager Incident Manager provides the incident management lifecycle, including automated response plans that trigger runbooks when an incident is detected. AWS Systems Manager Automation runbooks contain predefined steps (e.g., isolating EC2 instances, capturing memory dumps, and collecting logs) that can be executed automatically. This combination directly meets the requirement for a pre-defined runbook that isolates the compromised resource and collects forensic evidence.

Exam trap

The trap here is that candidates often choose EventBridge and Lambda (Option A) because they are familiar with event-driven automation, but they overlook that Incident Manager provides the required incident lifecycle, response plans, and pre-built runbook templates specifically designed for security incident response.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge and AWS Lambda can trigger actions based on events, but they lack a built-in incident management lifecycle, runbook orchestration, and the ability to execute complex, multi-step forensic workflows without custom code. Option B is wrong because AWS Config evaluates resource compliance and EC2 Auto Scaling manages instance scaling; neither provides incident response automation or runbook execution for security incidents. Option C is wrong because AWS Step Functions orchestrates workflows and Lambda executes code, but this combination does not include incident detection, alerting, or the pre-defined, auditable runbook capabilities that Systems Manager Incident Manager and Automation provide.

238 · Multi-Select · hard

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

Select 3 answers
A. Amazon CloudWatch Logs with S3 access log analysis.
B. AWS CloudTrail with S3 data event logging.
C. Amazon GuardDuty with anomaly detection.
D. AWS Config with compliance rules.
E. VPC Flow Logs.

Answers: A, B, C

S3 server access logs can be sent to CloudWatch Logs for monitoring and alerting.

Why this answer

Amazon CloudWatch Logs can ingest and analyze S3 access logs, which record detailed information about requests made to an S3 bucket, including the source IP address, request type, and bytes transferred. By analyzing these logs with CloudWatch Logs Insights or metric filters, you can detect large data transfers to external IPs and trigger alerts via CloudWatch Alarms, making it a valid detection and alerting mechanism for data exfiltration.

Exam trap

The trap here is that candidates may think VPC Flow Logs (Option E) are sufficient for S3 data exfiltration detection, but they lack the application-layer context needed to identify S3-specific operations and external IPs in S3 access logs or CloudTrail events.

239 · MCQ · hard

During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?

A. Create an AMI of the instance.
B. Use AWS Systems Manager Inventory to collect memory and disk information.
C. Use AWS Backup to create a backup of the instance.
D. Create an EBS snapshot of the root volume.

Answer: B

SSM Inventory can collect system metadata, and by using custom inventory scripts, it can collect memory dumps and disk files without crashing the instance.

Why this answer

Option B is correct because AWS Systems Manager Inventory can collect both memory and disk forensics from a running EC2 Windows instance without causing it to crash. The SSM Agent, already installed, allows Inventory to gather metadata such as running processes (memory) and file system details (disk) via the AWS-CollectInventory document, which is designed for live data collection without rebooting or halting the instance.

Exam trap

The trap here is that candidates confuse AWS Systems Manager Inventory with a full forensic collection tool, but Inventory only gathers metadata and not raw memory or disk images, so it is safe for live instances but limited in forensic depth.

How to eliminate wrong answers

Option A is wrong because creating an AMI requires the instance to be stopped, or at least rebooted, to ensure consistency, which can crash a running instance or disrupt incident response. Option C is wrong because AWS Backup creates backups via snapshots or AMIs, which similarly require instance quiescence or reboot, and it does not collect live memory or disk forensics without interruption. Option D is wrong because an EBS snapshot of the root volume captures only disk data at a point in time, but it does not capture volatile memory (RAM) and typically requires the instance to be stopped or the volume to be frozen to ensure crash consistency, risking an instance crash.

240 · MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to detect and automatically respond to suspicious API calls across all accounts. Which solution is the MOST efficient and scalable?

A. Use AWS Config rules to detect API calls and trigger Lambda functions
B. Deploy Amazon GuardDuty and use its automated response feature
C. Create a CloudTrail trail in each account and aggregate logs via cross-account S3 bucket
D. Enable AWS CloudTrail organization trail and use Amazon EventBridge to invoke automated responses

Answer: D

Organization trail centralizes logging; EventBridge enables automated response to API calls.

Why this answer

Option D is correct because enabling an AWS CloudTrail organization trail centrally logs all API calls from every account in the AWS Organization into a single Amazon S3 bucket and CloudWatch Logs log group. Amazon EventBridge can then be used to create event rules that match specific suspicious API calls (e.g., IAM DeleteRolePolicy) and automatically invoke target actions like AWS Lambda functions or AWS Systems Manager Automation, providing a scalable, centralized, and efficient detection and response mechanism without per-account management overhead.

Exam trap

The trap here is that candidates often confuse AWS Config rules (which evaluate configuration drift) with CloudTrail (which records API activity), or assume that GuardDuty's threat detection includes built-in automated response capabilities, when in fact both require EventBridge for custom automation, making the centralized CloudTrail organization trail plus EventBridge the most efficient and scalable solution.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are designed to evaluate resource configurations and compliance, not to detect real-time API calls; they cannot directly capture or react to API events like CloudTrail does. Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs, VPC Flow Logs, and CloudTrail events for malicious activity, but it does not have a built-in 'automated response feature' for triggering custom remediation actions; any automated response would require integration with EventBridge or Lambda, making this option incomplete and less direct. Option C is wrong because creating a separate CloudTrail trail in each account and aggregating logs via a cross-account S3 bucket introduces significant operational overhead, duplication, and potential for inconsistent configuration, whereas an organization trail provides a single, automatically replicated trail across all accounts with no per-account setup.

241 · MCQ · hard

A company uses AWS CloudTrail to log all API calls. The security team wants to be alerted when an IAM user creates a new access key for another IAM user (an action that could indicate privilege escalation). What is the most effective way to detect this specific API call?

A. Query AWS CloudTrail logs using Amazon Athena on a schedule.
B. Use AWS Config to create a custom rule that checks for changes to IAM users.
C. Create an Amazon CloudWatch Events rule that matches the 'iam:CreateAccessKey' API call and sends a notification to an SNS topic.
D. Enable Amazon GuardDuty and look for the 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' finding.

Answer: C

This provides real-time alerting for the specific action.

Why this answer

Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can be configured with a rule that matches the specific 'iam:CreateAccessKey' API call as it occurs. When this API call is made, CloudTrail delivers the event in near real-time to CloudWatch Events, which can then trigger an SNS topic to send an alert. This provides immediate, event-driven detection without the latency of scheduled queries or the overhead of custom rules.

Exam trap

The trap here is that candidates confuse AWS Config (which evaluates resource state) with CloudTrail (which records API actions), leading them to choose Option B, but Config cannot detect the API call itself—only the resulting configuration change, which may be too late or ambiguous.

How to eliminate wrong answers

Option A is wrong because querying CloudTrail logs with Amazon Athena on a schedule introduces significant delay (minutes to hours) between the API call and detection, making it unsuitable for real-time alerting. Option B is wrong because AWS Config custom rules evaluate resource configuration changes, not API calls; they can detect that an access key exists but cannot detect the specific 'iam:CreateAccessKey' API action itself. Option D is wrong because GuardDuty's 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration' finding detects stolen credentials being used from an EC2 instance, not the creation of access keys for another user.

242 · Multi-Select · medium

A security engineer is configuring automated incident response for Amazon GuardDuty findings. The engineer wants to isolate a compromised EC2 instance by changing its security group and stopping the instance. Which THREE services should the engineer use together to achieve this? (Choose THREE.)

Select 3 answers
A. Amazon EC2
B. AWS Config
C. AWS Systems Manager
D. Amazon EventBridge
E. AWS Lambda

Answers: C, D, E

Systems Manager can run automation documents to isolate instances.

Why this answer

AWS Systems Manager (SSM) is correct because it provides the Automation runbook capability that can be used to stop an EC2 instance and modify its security groups as part of an incident response workflow. SSM Automation can be triggered by an EventBridge rule and can invoke Lambda functions or run commands directly on the instance to isolate it. This allows the security engineer to automate the isolation and stopping of the compromised instance without manual intervention.

Exam trap

The trap here is that candidates may think AWS Config can directly remediate findings (e.g., via AWS Config Rules with auto-remediation), but Config only triggers evaluations and cannot perform actions like stopping instances or modifying security groups without a separate automation service like SSM or Lambda.

243 · Multi-Select · easy

A company wants to detect anomalous behavior in their AWS environment. Which THREE AWS services can be used for threat detection? (Choose THREE.)

Select 3 answers
A. AWS Trusted Advisor
B. AWS Security Hub
C. AWS Config
D. Amazon GuardDuty
E. Amazon Inspector

Answers: B, D, E

Aggregates findings from multiple detection services.

Why this answer

AWS Security Hub is correct because it aggregates and prioritizes security findings from multiple AWS services (like GuardDuty, Inspector, and Macie) and third-party tools, providing a comprehensive view of security alerts and compliance status. It uses integrated findings to detect anomalous behavior across accounts and regions, making it a central threat detection service.

Exam trap

The trap here is that candidates often confuse AWS Trusted Advisor's security checks (like open port alerts) with threat detection, but Trusted Advisor is a best-practice advisor, not a real-time threat detection service—it lacks the ML-based anomaly detection and threat intelligence that GuardDuty and Security Hub provide.
