SCS-C02 · topic practice

Threat Detection and Incident Response practice questions

Practise AWS Certified Security Specialty SCS-C02 Threat Detection and Incident Response practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Threat Detection and Incident Response

What the exam tests

What to know about Threat Detection and Incident Response

Threat Detection and Incident Response questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Threat Detection and Incident Response exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Threat Detection and Incident Response questions

20 questions · select your answer, then reveal the explanation

A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?

Question 2 · medium · multi select

A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)

During an incident response, a security engineer needs to collect memory and disk forensics from a running EC2 Windows instance without causing the instance to crash. The engineer has AWS Systems Manager SSM Agent installed. Which method should the engineer use?

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

A security engineer is investigating a potential data exfiltration incident. The engineer notices large volumes of data being transferred from an Amazon S3 bucket to an external IP address. Which AWS services can be used to detect and alert on such behavior? (Choose THREE.)

A security engineer reviews the CloudTrail log entry in the exhibit. The engineer notices that an EC2 instance was launched using an AdminRole. Which additional information would help determine if this is a legitimate action or a potential compromise?

Exhibit

Refer to the exhibit.

CloudTrail log entry (simplified):

```
{
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:role/AdminRole",
    "accountId": "123456789012"
  },
  "requestParameters": {
    "instanceType": "m5.xlarge",
    "imageId": "ami-0abcdef1234567890",
    "securityGroupSet": [{"groupId": "sg-0123456789abcdef0"}]
  },
  "responseElements": {
    "instancesSet": {
      "items": [{"instanceId": "i-0a1b2c3d4e5f6g7h8"}]
    }
  },
  "sourceIPAddress": "203.0.113.50",
  "userAgent": "console.amazonaws.com",
  "eventTime": "2025-03-15T14:30:00Z"
}
```

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

Exhibit

Refer to the exhibit.

VPC Flow Logs entry (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status):

```
2 123456789010 eni-1234567890abcdef 10.0.1.5 203.0.113.50 3389 443 6 10 840 1625097600 1625097660 ACCEPT OK
```

A company has a security rule that all S3 buckets must have server access logging enabled. A security engineer uses AWS Config to evaluate compliance. The engineer configures a managed rule but notices that the rule does not evaluate all buckets. What is the most likely reason?

During a security incident, a security engineer needs to verify whether an EC2 instance's security group allowed inbound SSH from a specific IP address at the time of the incident. Which AWS service or feature should the engineer use to obtain this historical information?

Question 10 · medium · multiple choice

A security engineer is implementing automated incident response. The engineer wants to use AWS Lambda to automatically remediate GuardDuty findings. What is the recommended pattern to trigger the Lambda function?

Question 11 · easy · multi select

A company uses AWS Systems Manager Patch Manager to patch EC2 instances. During a security incident, the security team needs to quickly patch a critical vulnerability across all Windows instances in a specific AWS region. Which steps should the team take? (Choose TWO.)

A company runs a critical web application on a fleet of EC2 instances behind an Application Load Balancer (ALB). The application uses an Aurora MySQL database. The security team receives an alert from Amazon GuardDuty that a specific EC2 instance is exhibiting behavior consistent with a cryptocurrency mining attack, including outbound connections to known mining pools. The instance is part of an Auto Scaling group that uses a launch template with a security group that allows outbound HTTPS traffic to 0.0.0.0/0. The security engineer needs to contain the incident while minimizing downtime for the application. The engineer has already taken a forensic snapshot of the instance's EBS volume. Which course of action should the engineer take next?

A security engineer is investigating a potential credential compromise. An IAM user's access key was used to launch EC2 instances in a region where the user has never operated before. The engineer wants to quickly identify all API calls made by this user in the last 24 hours, including the source IP addresses. Which AWS service or feature should be used?

Question 14 · hard · multiple choice

A company uses AWS Organizations with multiple accounts and has enabled AWS Security Hub in the management account. The security team wants to automatically remediate a specific finding type that appears in Security Hub. Which combination of services should be used to achieve this?

A security engineer is configuring an automated incident response workflow for Amazon GuardDuty findings. Which TWO actions should the engineer take to ensure that the response is triggered for all current and future GuardDuty findings?

A security engineer is reviewing a CloudTrail log entry (exhibit). What is the most immediate security concern indicated by this event?

Exhibit

Refer to the exhibit.

```
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789012:user/JohnDoe",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE"
      },
      "eventTime": "2024-08-01T12:34:56Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "AuthorizeSecurityGroupIngress",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "203.0.113.5",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {
          "items": [
            {
              "ipProtocol": "tcp",
              "fromPort": 22,
              "toPort": 22,
              "ipRanges": [
                {
                  "cidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      }
    }
  ]
}
```

Question 17 · hard · multiple choice

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The security team uses Amazon GuardDuty and has enabled Amazon Detective. Recently, GuardDuty raised a 'Recon:EC2/PortProbeUnprotectedPort' finding for one of the instances. The security engineer verified that the ALB security group only allows inbound HTTP/HTTPS from the internet. However, the finding indicates that the instance is receiving probes on port 22 (SSH). Further investigation with Detective shows that the probes originate from multiple IP addresses and are reaching the instance's private IP address. The engineer suspects that the SSH port is exposed despite the security group configuration. What is the MOST likely cause of this exposure?

A security engineer is investigating a potential compromise. An EC2 instance running Amazon Linux 2 is sending outbound traffic to a known malicious IP address. The engineer needs to capture the network traffic for analysis without alerting the attacker. Which solution meets these requirements?

Drag and drop the steps to configure AWS WAF with rate-based rules in the correct order.


Drag and drop the steps to implement a secure CI/CD pipeline with AWS CodePipeline and IAM in the correct order.



Focused Threat Detection and Incident Response sessions

Start a Threat Detection and Incident Response only practice session

Every question in these sessions is drawn from the Threat Detection and Incident Response domain — nothing else.


Frequently asked questions

What does the SCS-C02 exam test about Threat Detection and Incident Response?

Threat Detection and Incident Response questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?

Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Threat Detection and Incident Response questions in a focused session?

Yes — the session launcher on this page draws every question from the Threat Detection and Incident Response domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other SCS-C02 topics?

Use the topic links above to move to related areas, or go back to the SCS-C02 question bank to see all topics.

Are these real exam questions or dumps?

These are original practice questions written to test the same concepts the SCS-C02 exam covers. They are not copied from any real exam or dump site.