CCNA Threat Detection Questions

75 of 243 questions · Page 3/4 · Threat Detection topic · Answers revealed

151
MCQeasy

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to designate a delegated administrator account to manage GuardDuty for all member accounts. Which AWS service must be used to enable GuardDuty for all accounts?

A.AWS CloudFormation StackSets
B.AWS Control Tower
C.AWS Config
D.AWS Organizations
AnswerD

GuardDuty integrates with AWS Organizations for multi-account management.

Why this answer

Option D is correct because AWS Organizations is the foundational service required to designate a delegated administrator for Amazon GuardDuty in a multi-account environment. GuardDuty integrates directly with Organizations to allow a management account to enable GuardDuty for all member accounts and delegate administration to a specified account, which then manages threat detection across the organization without needing additional services.

Exam trap

The trap here is that candidates may confuse AWS Organizations as merely an organizational tool and think they need a separate service like CloudFormation StackSets or Control Tower to enable GuardDuty across accounts, but GuardDuty natively integrates with Organizations for delegated administration and automatic enablement.

How to eliminate wrong answers

Option A is wrong because AWS CloudFormation StackSets is used to deploy infrastructure as code across multiple accounts and regions, but it is not required or used to enable GuardDuty or designate a delegated administrator; GuardDuty's multi-account setup is managed through the GuardDuty console or API using Organizations. Option B is wrong because AWS Control Tower provides a governance framework for landing zones and uses Account Factory and preventive/ detective guardrails, but it does not directly enable GuardDuty or designate a delegated administrator; GuardDuty integration is handled via Organizations, not Control Tower. Option C is wrong because AWS Config is a service for resource inventory, configuration history, and compliance rules, not for enabling GuardDuty or managing delegated administration; GuardDuty's multi-account enablement relies on Organizations APIs, not Config.

152
MCQmedium

A company has enabled Amazon GuardDuty in all accounts within AWS Organizations. The security team wants to view aggregated findings from all accounts in a single dashboard. Which service should the team use?

A.Amazon CloudWatch
B.Amazon Inspector
C.Amazon Macie
D.AWS Security Hub
AnswerD

Security Hub aggregates findings from multiple services across accounts.

Why this answer

AWS Security Hub is the correct service because it provides a single dashboard that aggregates and prioritizes security findings from multiple AWS services, including Amazon GuardDuty, across all accounts in an AWS Organization. It normalizes findings from GuardDuty, Inspector, Macie, and other sources into the AWS Security Finding Format (ASFF), enabling centralized viewing and automated response workflows.

Exam trap

The trap here is that candidates may confuse GuardDuty's own multi-account dashboard with Security Hub's cross-service aggregation, or mistakenly think CloudWatch can serve as a centralized security dashboard, but CloudWatch lacks the finding normalization and multi-account aggregation capabilities that Security Hub provides.

How to eliminate wrong answers

Option A is wrong because Amazon CloudWatch is a monitoring and observability service for metrics, logs, and alarms, not designed to aggregate security findings from GuardDuty across multiple accounts into a single dashboard. Option B is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure; it does not aggregate GuardDuty findings. Option C is wrong because Amazon Macie is a data security service that discovers and protects sensitive data in S3 using machine learning; it does not aggregate GuardDuty findings from other accounts.

153
MCQhard

A financial services company uses AWS Organizations with over 100 accounts. The security team uses AWS CloudTrail to log all API calls to a central S3 bucket in the security account. The bucket policy enables cross-account log delivery from all member accounts. The team notices that some API calls from a specific member account are not appearing in the central bucket. The CloudTrail trail in that member account is configured to deliver logs to the central bucket. The IAM role used by CloudTrail in the member account has permissions to write to the central bucket. The security team has verified that the bucket policy allows the member account to write. What is the MOST likely cause of the missing logs?

A.The S3 bucket policy in the central bucket exceeds the size limit, causing write failures for some accounts.
B.The CloudTrail trail in the member account is not a multi-region trail.
C.The member account has not enabled CloudTrail logging for the specific region.
D.A service control policy (SCP) is denying the CloudTrail service in the member account from writing to the central bucket.
AnswerA

Bucket policies have a 20 KB limit; exceeding it can cause intermittent failures.

Why this answer

The S3 bucket policy has a maximum size limit of 20,480 characters. When a bucket policy exceeds this limit, AWS may reject new or updated policy statements, causing write failures for some accounts. In this scenario, with over 100 accounts, the bucket policy likely grew too large, preventing CloudTrail from the specific member account from writing logs to the central bucket, even though the trail and IAM role are correctly configured.

Exam trap

The trap here is that candidates often overlook the S3 bucket policy size limit and instead focus on trail configuration or SCPs, assuming missing logs are due to misconfigured trails or permission denials, rather than a resource limit on the policy itself.

How to eliminate wrong answers

Option B is wrong because a multi-region trail is not required for cross-account log delivery; a single-region trail can still deliver logs to a central bucket if the trail is configured in the region where the API calls are made. Option C is wrong because the question states that the CloudTrail trail in the member account is configured to deliver logs to the central bucket, implying logging is enabled; missing logs from a specific account are not due to a region-specific setting if the trail is already delivering other logs. Option D is wrong because a service control policy (SCP) applies to all IAM principals in the member account, but CloudTrail uses an IAM role with permissions to write to the central bucket; if an SCP were denying the write, it would affect all accounts uniformly, not just one specific account, and the security team has already verified the bucket policy allows the member account to write.

154
MCQmedium

A company is using AWS Lambda functions to process sensitive data. The security team wants to detect when a Lambda function is invoked with an unexpected payload that may indicate an injection attack. Which AWS service should the team use to inspect the function's input for malicious patterns?

A.AWS WAF
B.None of the above; the team should implement custom validation within the Lambda function.
C.Amazon Inspector
D.AWS Shield
E.Amazon GuardDuty
AnswerB

Lambda does not have a built-in service to inspect payloads for injection attacks; validation must be custom.

Why this answer

Option B is correct because AWS Lambda functions process event payloads directly within the function code, and no AWS managed service can inspect the actual input data passed to a Lambda function at invocation time. AWS WAF operates at the HTTP/HTTPS layer for API Gateway or CloudFront, not for Lambda function payloads. Amazon Inspector scans for software vulnerabilities in EC2 instances and container images, not runtime payloads.

AWS Shield provides DDoS protection at the network and transport layers. Amazon GuardDuty analyzes VPC flow logs, DNS logs, and CloudTrail events for threats, but it does not inspect Lambda function invocation payloads. Therefore, the only way to detect malicious patterns in the function's input is to implement custom validation logic within the Lambda function code itself.

Exam trap

The trap here is that candidates often assume AWS WAF or GuardDuty can inspect all types of data flowing through AWS, but in reality, these services have specific scope limitations and cannot inspect Lambda invocation payloads directly.

How to eliminate wrong answers

Option A is wrong because AWS WAF is a web application firewall that inspects HTTP/HTTPS traffic at the application layer for resources like API Gateway, CloudFront, or ALB, but it cannot inspect the payload passed directly to a Lambda function via SDK, CLI, or other AWS services. Option C is wrong because Amazon Inspector is a vulnerability management service that assesses EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, not for inspecting runtime invocation payloads for injection attacks. Option D is wrong because AWS Shield is a managed DDoS protection service that operates at the network and transport layers (Layer 3/4) and does not inspect application-level payloads for malicious patterns.

Option E is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC flow logs, CloudTrail management events, DNS logs, and EKS audit logs, but it does not have visibility into the actual data payloads passed to Lambda functions during invocation.

155
MCQhard

A security analyst notices an IAM role 'AdminRole' is being assumed from an IP address outside the company's allowed network. The analyst wants to receive real-time alerts when this role is assumed from unauthorized locations. Which combination of services should be used?

A.AWS CloudTrail, Amazon S3, and Amazon Athena
B.AWS Config, Amazon SNS, and AWS Lambda
C.Amazon GuardDuty and AWS Lambda
D.AWS CloudTrail, Amazon CloudWatch Events, and Amazon SNS
AnswerD

CloudTrail logs the event, CloudWatch Events matches the pattern, SNS sends alert.

Why this answer

Option D is correct because AWS CloudTrail logs IAM role assumption events (sts:AssumeRole) as CloudTrail events, which can be sent to Amazon CloudWatch Events (now Amazon EventBridge) as a real-time event stream. CloudWatch Events rules can then match specific patterns (e.g., source IP outside allowed ranges) and trigger an Amazon SNS notification to alert the security analyst immediately. This combination provides the real-time alerting required without additional polling or storage.

Exam trap

The trap here is that candidates often confuse AWS Config (which evaluates configuration compliance) with CloudTrail (which records API activity), or they assume GuardDuty can be customized for specific role assumption alerts, when in fact GuardDuty does not support custom event pattern matching for individual IAM roles.

How to eliminate wrong answers

Option A is wrong because while CloudTrail logs to S3 and Athena can query those logs, this setup is for historical analysis and batch queries, not real-time alerting. Option B is wrong because AWS Config evaluates resource configuration changes (e.g., IAM policy changes) but does not monitor API call events like sts:AssumeRole from specific IP addresses; it is not designed for real-time event-driven alerting on API activity. Option C is wrong because Amazon GuardDuty detects threats based on DNS, VPC flow logs, and CloudTrail management events, but it does not provide custom real-time alerts for a specific IAM role being assumed from unauthorized IPs; it focuses on broader anomaly detection and requires additional services to trigger custom SNS alerts.

156
MCQmedium

A security engineer is configuring automated response to a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to isolate the compromised instance by modifying the security group to deny all inbound traffic. Which AWS service should be used to orchestrate this response?

A.AWS Lambda
B.AWS CloudFormation
C.AWS Config
D.AWS Systems Manager Automation
AnswerD

Correct: Systems Manager Automation provides runbooks to automate response actions like modifying security groups.

Why this answer

Option A is correct because AWS Systems Manager Automation can run a runbook to modify security group rules in response to a GuardDuty finding via EventBridge. Option B is wrong because Lambda can be used but is not the orchestration service; it is a compute service. Option C is wrong because Config is for compliance, not response.

Option D is wrong because CloudFormation is for infrastructure provisioning, not real-time response.

157
MCQhard

A company is using Amazon GuardDuty to detect threats. They notice that GuardDuty is generating a high volume of 'UnauthorizedAccess:EC2/SSHBruteForce' findings from an internal EC2 instance that is used for vulnerability scanning. The security team wants to reduce false positives without disabling GuardDuty entirely. What should they do?

A.Change the security group of the vulnerability scanner to block SSH traffic.
B.Disable GuardDuty for the subnet where the vulnerability scanner is located.
C.Disable the 'UnauthorizedAccess:EC2/SSHBruteForce' finding type in GuardDuty.
D.Create a suppression rule for findings originating from the vulnerability scanner's IP address.
AnswerD

Suppression rules allow you to automatically archive findings from trusted sources, reducing false positives.

Why this answer

Option D is correct because Amazon GuardDuty's suppression rules allow you to filter out findings based on criteria such as IP address, without disabling the detector or any finding types. By creating a suppression rule that matches the vulnerability scanner's IP address, you automatically archive and suppress future 'UnauthorizedAccess:EC2/SSHBruteForce' findings from that specific source, reducing false positives while maintaining full threat detection coverage for all other instances.

Exam trap

The trap here is that candidates often confuse suppression rules with disabling finding types or disabling GuardDuty entirely, not realizing that suppression rules provide a granular, IP-based mechanism to reduce noise without compromising overall security coverage.

How to eliminate wrong answers

Option A is wrong because changing the security group to block SSH traffic would break the vulnerability scanner's functionality, as it needs SSH access to perform its scanning tasks. Option B is wrong because disabling GuardDuty for the subnet would stop all threat detection for every instance in that subnet, not just the scanner, leaving other workloads unprotected. Option C is wrong because disabling the 'UnauthorizedAccess:EC2/SSHBruteForce' finding type globally would suppress all SSH brute force alerts across the entire AWS account, including legitimate threats, which defeats the purpose of targeted false positive reduction.

158
MCQeasy

A company uses AWS CloudTrail to log all API activity. The security team wants to be alerted when an IAM user creates a new access key. They have created a CloudWatch metric filter on the CloudTrail log group for the event name 'CreateAccessKey' and set up a CloudWatch alarm that sends an email via Amazon SNS. However, the alarm is not triggering even though the team knows that access keys have been created. The metric filter has been tested and shows data points in CloudWatch. What should the security team check next?

A.Ensure that the CloudTrail trail is delivering logs to the correct CloudWatch Logs log group.
B.Verify that the CloudTrail trail is logging data events.
C.Review the CloudWatch alarm configuration, including the period and threshold.
D.Check that the IAM user has permissions to create access keys.
AnswerC

The alarm may be misconfigured with a period that is too long or a threshold that is not crossed.

Why this answer

Option C is correct because the metric filter is producing data points, which means logs are being ingested and the filter is matching events. The most likely issue is that the CloudWatch alarm's period or threshold is misconfigured—for example, the evaluation period might be too long or the threshold too high, causing the alarm to not transition to ALARM state despite the metric having values. The security team should verify the alarm's settings, such as the period (e.g., 5 minutes) and the threshold (e.g., >= 1), to ensure they align with the expected frequency of access key creation events.

Exam trap

The trap here is that candidates assume the issue must be with log delivery or event type, but the metric filter already shows data points, so the problem lies in the alarm's evaluation configuration—specifically the period and threshold settings that control when the alarm triggers.

How to eliminate wrong answers

Option A is wrong because the metric filter is showing data points, which confirms that the CloudTrail trail is already delivering logs to the correct CloudWatch Logs log group; if it were not, no data points would appear. Option B is wrong because 'CreateAccessKey' is a management event, not a data event, and CloudTrail logs management events by default; data events are for S3 object-level or Lambda function invocations and are irrelevant here. Option D is wrong because the question states that access keys have been created, which means the IAM user already has the necessary permissions; the issue is with the alarm triggering, not with the creation of keys.

159
MCQmedium

A security team needs to analyze historical CloudTrail logs across multiple AWS accounts to detect patterns of suspicious activity. Which solution provides the MOST cost-effective and scalable analysis?

A.Aggregate logs into a central S3 bucket and query with Amazon Athena
B.Stream logs to Amazon Elasticsearch Service and use Kibana
C.Load logs into Amazon Redshift for analysis
D.Use Amazon CloudWatch Logs Insights across all accounts
AnswerA

Athena allows serverless SQL queries on S3 data, cost-effective for historical analysis.

Why this answer

Aggregating CloudTrail logs into a central S3 bucket and querying with Amazon Athena is the most cost-effective and scalable solution because Athena uses a serverless, pay-per-query model with no infrastructure to manage, and it can directly analyze large volumes of structured log data stored in S3 using standard SQL. This approach avoids the cost of provisioning and maintaining dedicated clusters (as with Redshift or Elasticsearch) and avoids the per-GB ingestion and storage fees of CloudWatch Logs Insights, making it ideal for historical analysis across multiple accounts.

Exam trap

The trap here is that candidates often choose CloudWatch Logs Insights (Option D) because it seems convenient for log analysis, but they overlook its high ingestion costs and limited retention for historical data, whereas Athena's serverless, pay-per-query model is far more cost-effective for large-scale, infrequent queries of archived logs.

How to eliminate wrong answers

Option B is wrong because streaming logs to Amazon Elasticsearch Service (now OpenSearch Service) incurs ongoing costs for cluster instances, storage, and data ingestion, and it is not as cost-effective for infrequent historical queries compared to Athena's pay-per-query model. Option C is wrong because loading logs into Amazon Redshift requires provisioning a cluster, paying for compute and storage even when idle, and involves ETL overhead, making it overkill and more expensive for ad-hoc analysis of CloudTrail logs. Option D is wrong because Amazon CloudWatch Logs Insights is designed for real-time log analysis and has a per-GB ingestion cost and a limited query history retention (typically 30 days), making it unsuitable and costly for analyzing long-term historical logs across multiple accounts.

160
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to centralize threat detection and automatically remediate high-severity GuardDuty findings across all accounts. What is the MOST efficient way to achieve this?

A.Enable GuardDuty in the management account and designate a delegated administrator to manage findings across all accounts
B.Create a Lambda function that enables GuardDuty in each account using cross-account IAM roles
C.Configure Amazon EventBridge to forward findings from each account to a central account
D.Use AWS Security Hub and enable GuardDuty in each account separately
AnswerA

GuardDuty organization-level management automates enablement and centralizes findings.

Why this answer

Option A is correct because GuardDuty can be enabled at the organization level, and findings are sent to a delegated administrator account. Option B is wrong because enabling manually in each account is inefficient. Option C is wrong because Security Hub aggregates findings but does not enable GuardDuty automatically.

Option D is wrong because EventBridge alone does not enable GuardDuty across accounts.

161
MCQhard

A company uses AWS Lambda functions to process sensitive data. The security team wants to ensure that if a Lambda function is compromised, the attacker cannot use the function's IAM role to access other AWS resources. The team has implemented the principle of least privilege by restricting the IAM role's permissions. However, they are concerned about a scenario where an attacker could use the Lambda function to execute AWS API calls that are not intended by the application. What additional measure should the team implement to reduce the risk of such lateral movement?

A.Use AWS IAM Access Analyzer to generate and refine the IAM policy based on actual usage.
B.Enable AWS CloudTrail data events for the Lambda function.
C.Attach a service control policy (SCP) that denies all actions except those explicitly allowed.
D.Place the Lambda function inside a VPC with no internet access.
AnswerA

Helps create least privilege policies by analyzing usage patterns.

Why this answer

Option A is correct because AWS IAM Access Analyzer can generate IAM policies based on the actual API calls made by the Lambda function over a specified period. By reviewing and refining the policy to include only those actions, the team can further tighten least privilege beyond manual estimation, reducing the risk that an attacker could abuse unintended API calls. This directly addresses the concern of lateral movement by ensuring the function's role cannot perform actions not observed in normal operation.

Exam trap

The trap here is that candidates may confuse service control policies (SCPs) with IAM permissions boundaries or think they can be applied to individual resources, when in fact SCPs only affect accounts in an organization and cannot be attached to a Lambda function.

How to eliminate wrong answers

Option B is wrong because enabling CloudTrail data events for the Lambda function only provides logging of invocations and does not restrict the function's IAM role permissions or prevent an attacker from making unintended API calls. Option C is wrong because service control policies (SCPs) apply at the AWS Organizations level to accounts or organizational units, not to individual Lambda functions or their IAM roles; they cannot be attached directly to a function to limit its permissions. Option D is wrong because placing the Lambda function inside a VPC with no internet access restricts network connectivity but does not prevent the function from using its IAM role to call AWS APIs via the AWS private network or VPC endpoints; the attacker could still make API calls to other AWS services.

162
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to automatically receive alerts when an IAM user attempts to access resources they do not have permissions for, across all accounts. Which combination of services should be used?

A.Amazon Inspector and AWS Lambda
B.AWS Config and Amazon SNS
C.AWS CloudTrail and Amazon CloudWatch Logs
D.Amazon GuardDuty and AWS Security Hub
AnswerD

GuardDuty detects threats; Security Hub aggregates findings and can send alerts via SNS.

Why this answer

Amazon GuardDuty continuously monitors for suspicious activity, including unauthorized API calls or failed access attempts, across all accounts in an AWS Organization. Security Hub aggregates these findings from GuardDuty and other services, enabling automated alerts via integrations like Amazon SNS or AWS Chatbot. Together, they provide a centralized, cross-account threat detection and alerting solution that meets the requirement of notifying the security team when IAM users attempt unauthorized resource access.

Exam trap

The trap here is that candidates often choose CloudTrail and CloudWatch Logs (Option C) because they know CloudTrail logs API calls, but they overlook that GuardDuty and Security Hub provide automated, cross-account threat detection and aggregation without requiring custom metric filters and manual setup for every account.

How to eliminate wrong answers

Option A is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and network exposure, not for monitoring IAM user access attempts or authorization failures. Option B is wrong because AWS Config evaluates resource configurations against rules and tracks configuration changes, but it does not monitor or detect unauthorized API calls or access attempts by IAM users. Option C is wrong because AWS CloudTrail logs API calls and CloudWatch Logs can store and alert on those logs, but this combination requires custom metric filters and alarms to detect unauthorized access attempts; it lacks the built-in, automated threat detection and cross-account aggregation that GuardDuty and Security Hub provide, making it less efficient and more error-prone for this specific use case.

163
MCQeasy

A company is using AWS WAF to protect a web application. The security team wants to receive alerts when a specific rule block is triggered. Which AWS service should they use to achieve this?

A.Amazon EventBridge
B.CloudWatch Alarms with SNS
C.Amazon S3
D.Amazon SNS
AnswerB

CloudWatch Alarms monitor WAF metrics and send notifications via SNS.

Why this answer

AWS WAF integrates with Amazon CloudWatch to provide metrics for each rule, including the 'BlockedRequests' count. By creating a CloudWatch Alarm on this metric, you can trigger an SNS notification when the threshold is exceeded, alerting the security team. This is the standard pattern for receiving alerts on WAF rule actions, as CloudWatch Alarms with SNS provide the necessary monitoring and notification pipeline.

Exam trap

The trap here is that candidates often confuse the notification mechanism (SNS) with the evaluation mechanism (CloudWatch Alarms), selecting SNS alone without recognizing that CloudWatch Alarms are required to evaluate the WAF metric and trigger the notification.

How to eliminate wrong answers

Option A is wrong because Amazon EventBridge is used for event-driven architectures to route events from various sources to targets, but it does not natively evaluate metric thresholds or generate alerts based on WAF rule triggers without additional custom logic. Option C is wrong because Amazon S3 is an object storage service and cannot evaluate metrics or send alerts; it can only store logs or data. Option D is wrong because Amazon SNS alone is a notification service that requires a publisher to send messages; without a CloudWatch Alarm to evaluate the WAF metric and publish to the SNS topic, no alert will be generated.

164
Multi-Selectmedium

A security engineer is configuring AWS CloudTrail to monitor data events for S3 objects. Which TWO of the following must be enabled to log object-level operations? (Select TWO.)

Select 2 answers
A.Enable data events in the CloudTrail trail.
B.Enable S3 server access logs on the bucket.
C.Enable management events in the CloudTrail trail.
D.Enable S3 Object Lambda.
E.Specify the S3 bucket ARN or prefix in the trail configuration.
AnswersA, E

Data events capture object-level operations.

Why this answer

Option A is correct because CloudTrail data events capture S3 object-level operations such as GetObject, PutObject, and DeleteObject. To enable this, you must explicitly select 'Data events' in the CloudTrail trail configuration, as management events only cover bucket-level operations like CreateBucket.

Exam trap

The trap here is that candidates often confuse management events (which log bucket-level actions) with data events (which log object-level actions), leading them to select Option C instead of recognizing that both data events and a specific bucket ARN or prefix are required.

165
MCQhard

A company uses AWS Systems Manager Patch Manager to apply patches to EC2 instances. The security team wants to ensure that instances are patched within 7 days of a patch release. Which service should be used to monitor and report compliance?

A.AWS Config
B.AWS Security Hub
C.Amazon Inspector
D.AWS Trusted Advisor
AnswerA

Config can use rules to evaluate whether instances are patched within a defined timeframe.

Why this answer

AWS Config is the correct service because it provides continuous monitoring and evaluation of your AWS resource configurations, including patch compliance status via Systems Manager Patch Manager. You can create an AWS Config rule (e.g., 'ec2-managedinstance-patch-compliance-status') that checks whether instances have the required patches installed within a specified time frame (e.g., 7 days). AWS Config then reports noncompliant resources, enabling the security team to track and remediate patching gaps.

Exam trap

The trap here is that candidates often confuse Amazon Inspector's vulnerability scanning with patch compliance monitoring, but Inspector does not track whether patches have been applied within a specific time window after release—it only identifies missing patches or vulnerabilities at a point in time.

How to eliminate wrong answers

Option B (AWS Security Hub) is wrong because it aggregates security findings from multiple AWS services (like AWS Config, GuardDuty, Inspector) but does not itself perform patch compliance monitoring; it relies on AWS Config rules to provide that data. Option C (Amazon Inspector) is wrong because it focuses on vulnerability assessments and network reachability analysis, not on tracking whether patches have been applied within a specific time window after release. Option D (AWS Trusted Advisor) is wrong because it provides best-practice checks for cost, performance, security, and fault tolerance, but it does not monitor patch compliance status or report on patch age relative to release dates.

166
MCQmedium

During an incident response, a security team needs to capture a memory dump of an Amazon EC2 instance running Linux. What is the recommended approach?

A.Use AWS Systems Manager Run Command to run a script that extracts memory using LiME.
B.Use Amazon Inspector to collect memory dumps.
C.Stop the instance and create an EBS snapshot for memory analysis.
D.Use the EC2 console to take a screenshot and capture memory from the hypervisor.
AnswerA

SSM Run Command can execute memory capture tools like LiME securely on the instance.

Why this answer

Option A is correct because AWS Systems Manager Run Command allows you to execute a script on a running EC2 instance without needing SSH access, and LiME (Linux Memory Extractor) is a trusted tool for capturing volatile memory. This approach preserves the memory state for forensic analysis while maintaining the instance's running state, which is critical for incident response.

Exam trap

The trap here is that candidates confuse memory capture with disk capture, assuming an EBS snapshot or Inspector can retrieve volatile data, when in fact only a tool like LiME executed on the running instance can capture RAM.

How to eliminate wrong answers

Option B is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and network exposures, not a tool for capturing memory dumps. Option C is wrong because stopping the instance and creating an EBS snapshot captures only disk data, not volatile memory (RAM), which is lost when the instance stops. Option D is wrong because the EC2 console screenshot captures only the display output, not the full memory contents, and the hypervisor does not expose a mechanism to capture a guest instance's RAM directly.

167
MCQeasy

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture memory and disk forensics without shutting down the instance. Which service should the engineer use?

A.AWS Config
B.AWS Systems Manager
C.EC2 Instance Connect
D.Amazon CloudWatch Logs
AnswerB

Systems Manager allows running forensic scripts and commands without SSH.

Why this answer

AWS Systems Manager (SSM) is the correct service because it provides the capability to perform forensic data collection on a running EC2 instance without shutting it down. Specifically, SSM Automation documents like AWS-RunShellScript or AWS-GatherEC2InstanceInfo can execute commands to capture memory (e.g., using LiME or fmem) and disk forensics (e.g., dd or volume snapshots) via the SSM Agent, which runs as a system service and does not require instance termination.

Exam trap

The trap here is that candidates may confuse AWS Systems Manager with EC2 Instance Connect, thinking that SSH access alone is sufficient for forensic collection, but Systems Manager provides the necessary automation and agent-based execution to capture memory and disk data without requiring the instance to be stopped or terminated.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for resource inventory, compliance auditing, and configuration change tracking, not for capturing memory or disk forensics on a running instance. Option C is wrong because EC2 Instance Connect only provides SSH access to the instance for interactive shell sessions; it does not have built-in capabilities to capture memory dumps or perform disk forensics without additional tools and manual intervention. Option D is wrong because Amazon CloudWatch Logs is a service for collecting, monitoring, and storing log files from EC2 instances and other sources; it cannot capture memory or disk forensics data directly.

168
MCQmedium

A security engineer receives an Amazon GuardDuty finding for 'UnauthorizedAccess:EC2/SSHBruteForce'. The engineer needs to automatically isolate the compromised EC2 instance and then perform forensic analysis. Which solution meets these requirements with the LEAST operational overhead?

A.Manually SSH into the instance, stop it, and create an AMI for analysis.
B.Create an Amazon EventBridge rule that triggers an AWS Lambda function to isolate the instance by modifying its security group and then take a forensic snapshot.
C.Use AWS Config rules to automatically stop the instance.
D.Configure an Auto Scaling lifecycle hook to terminate the instance and launch a new one.
AnswerB

Automated response with minimal operational overhead.

Why this answer

Option B is correct because it automates the isolation and forensic capture of the compromised EC2 instance with minimal operational overhead. An Amazon EventBridge rule listens for the specific GuardDuty finding and triggers an AWS Lambda function that modifies the instance's security group to deny all inbound/outbound traffic (isolation) and then creates an EBS snapshot for forensic analysis. This serverless, event-driven approach eliminates manual intervention and ensures consistent, rapid response.

Exam trap

The trap here is that candidates may assume manual SSH or AWS Config rules are sufficient for incident response, but they fail to recognize that GuardDuty findings require automated, event-driven isolation without human intervention, and that Config rules lack the ability to trigger real-time security group modifications or snapshots.

How to eliminate wrong answers

Option A is wrong because manually SSHing into a compromised instance is dangerous (the attacker may still have access), and manually stopping and creating an AMI introduces high operational overhead and delays, violating the 'least operational overhead' requirement. Option C is wrong because AWS Config rules are designed for compliance and resource configuration auditing, not for real-time incident response actions like stopping instances; they cannot directly trigger instance isolation based on GuardDuty findings. Option D is wrong because an Auto Scaling lifecycle hook terminates the instance and launches a new one, which destroys forensic evidence and does not allow for isolation or forensic analysis of the original compromised instance.

169
MCQmedium

A company uses AWS Lambda functions that process sensitive data. The security team wants to ensure that any unauthorized invocation of the functions is detected and alerted. The team has enabled AWS CloudTrail and is monitoring for Lambda Invoke API calls. However, they are concerned about missing events that occur within the Lambda service itself (e.g., internal retries). What should the team do to capture all relevant events?

A.Enable VPC Flow Logs for the Lambda function's VPC.
B.Configure CloudWatch Logs to capture all Lambda function logs.
C.Enable Amazon CloudWatch Lambda Insights.
D.Enable CloudTrail data events for Lambda functions.
AnswerC

Lambda Insights provides detailed monitoring of function invocations, including internal retries and performance metrics.

Why this answer

Option C is correct because Amazon CloudWatch Lambda Insights provides a monitoring and troubleshooting solution for serverless applications, capturing detailed metrics and logs for all Lambda invocations, including internal retries and invocations that occur within the Lambda service itself. Unlike CloudTrail data events, which only log API calls made to the Lambda Invoke API, Lambda Insights collects telemetry from the Lambda execution environment, ensuring visibility into events that happen after the initial invocation, such as retries triggered by the Lambda service due to throttling or errors.

Exam trap

The trap here is that candidates often assume CloudTrail data events capture all Lambda invocation activity, but they miss that internal retries and service-side invocations are not API calls and thus are invisible to CloudTrail, requiring a monitoring solution like Lambda Insights that operates within the execution environment.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) within a VPC, not Lambda invocation events or internal service retries; they are irrelevant for detecting unauthorized Lambda invocations. Option B is wrong because CloudWatch Logs capture logs generated by the Lambda function code (e.g., print statements, custom logs), not the invocation events or internal retries performed by the Lambda service; they do not provide visibility into the invocation lifecycle itself. Option D is wrong because CloudTrail data events for Lambda functions only log the Invoke API calls made by external entities (e.g., users, services) to the Lambda service, but they do not capture internal retries or invocations that occur within the Lambda service (e.g., asynchronous invocations retried by the service), which is the specific gap the security team is concerned about.

170
MCQhard

A security engineer is configuring an automated incident response workflow. When a GuardDuty finding of type 'UnauthorizedAccess:EC2/SSHBruteForce' is generated, the workflow should isolate the EC2 instance and snapshot its EBS volume. Which AWS service can coordinate these actions?

A.AWS Lambda functions invoked sequentially
B.AWS Step Functions
C.AWS CloudFormation
D.AWS Config rules with auto-remediation
AnswerB

Step Functions can coordinate multiple AWS services in a state machine.

Why this answer

AWS Step Functions can orchestrate multiple actions (isolation, snapshot) in a workflow triggered by EventBridge. Option A (Lambda) can do one action but chaining requires custom code. Option B (Config) is for rules.

Option D (CloudFormation) is for infrastructure.

171
Multi-Selectmedium

A company uses Amazon GuardDuty to monitor its AWS environment. The security team has received a GuardDuty finding of type 'Recon:EC2/PortProbeUnprotectedPort'. The finding indicates that an EC2 instance has an open SSH port that is being probed from the internet. The team wants to reduce the attack surface and prevent future probes. Which THREE actions should the team take? (Choose THREE.)

Select 3 answers
A.Suppress the GuardDuty finding to reduce noise.
B.Modify the security group to allow SSH only from specific IP addresses.
C.Terminate the EC2 instance and launch a new one.
D.Move the instance to a private subnet and use a NAT gateway for outbound internet access.
E.Use AWS Systems Manager Session Manager to access the instance instead of SSH.
AnswersB, D, E

Restricting SSH access reduces the attack surface.

Why this answer

Options A, C, and D are correct: changing the security group to restrict SSH access to known IPs, placing the instance in a private subnet with a NAT gateway, and using Systems Manager Session Manager instead of SSH. Option B is wrong because terminating the instance is not necessary if it can be secured. Option E is wrong because GuardDuty suppression is for false positives, not for fixing actual vulnerabilities.

172
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team wants to centrally aggregate and analyze VPC Flow Logs from all accounts. Which solution is MOST efficient and scalable?

A.Configure VPC Flow Logs to send to an S3 bucket in each account and use S3 Cross-Region Replication to a central bucket.
B.Launch Amazon EC2 instances in each account to run tcpdump and send logs to a central S3 bucket.
C.Configure VPC Flow Logs to send to CloudWatch Logs in each account and use cross-account CloudWatch dashboards.
D.Configure VPC Flow Logs to send to Amazon Kinesis Data Firehose in each account, which delivers to a central Amazon OpenSearch Service domain.
AnswerD

Scalable, real-time, and centralized.

Why this answer

Option D is correct because Amazon Kinesis Data Firehose can directly receive VPC Flow Logs from each account and deliver them to a centralized Amazon OpenSearch Service domain, enabling near-real-time aggregation and analysis without intermediate storage or replication overhead. This architecture is serverless, scales automatically, and avoids the complexity of managing cross-account S3 replication or EC2 instances, making it the most efficient and scalable solution for centralized log analysis.

Exam trap

The trap here is that candidates often default to S3-based solutions (Option A) because they are familiar with S3 for log storage, but they overlook that Kinesis Data Firehose provides a more direct, serverless pipeline for real-time analysis without the latency and complexity of S3 replication.

How to eliminate wrong answers

Option A is wrong because S3 Cross-Region Replication adds latency, requires managing replication rules and IAM permissions across accounts, and does not provide native querying or analysis capabilities—logs would need additional services like Athena or OpenSearch for analysis. Option B is wrong because launching EC2 instances to run tcpdump is inefficient, introduces management overhead, scales poorly across many accounts, and tcpdump captures raw packets rather than VPC Flow Logs, which are already a structured log format. Option C is wrong because cross-account CloudWatch dashboards only visualize logs stored in each account's CloudWatch Logs; they do not centrally aggregate the logs into a single store, and querying across accounts requires complex cross-account log group subscriptions or additional infrastructure.

173
MCQeasy

A startup uses a single AWS account for development. The security engineer wants to detect if any EC2 instances have been compromised and are performing reconnaissance by probing open ports on other internal instances. The engineer has enabled VPC Flow Logs for all subnets. What is the most cost-effective way to detect this behavior?

A.Enable Amazon GuardDuty and review the findings.
B.Install a third-party intrusion detection system on each EC2 instance.
C.Use Amazon CloudWatch Logs Insights to query VPC Flow Logs for rejected traffic patterns.
D.Use AWS Config rules to check for security group changes.
AnswerA

GuardDuty automatically detects reconnaissance activity.

Why this answer

Amazon GuardDuty is a managed threat detection service that uses machine learning and integrated threat intelligence to analyze VPC Flow Logs, DNS logs, and other data sources. It can automatically detect reconnaissance behavior such as port probing or port scanning from compromised EC2 instances without requiring any additional infrastructure or manual query setup. This makes it the most cost-effective solution because it operates on a pay-per-volume basis and eliminates the need for custom log analysis or per-instance agents.

Exam trap

The trap here is that candidates often assume querying VPC Flow Logs directly with CloudWatch Logs Insights is the most cost-effective approach, but they overlook the operational cost and lack of automation, while GuardDuty provides automated, managed detection with no manual query overhead.

How to eliminate wrong answers

Option B is wrong because installing a third-party intrusion detection system on each EC2 instance incurs significant overhead in terms of licensing, management, and compute resources, and it is not cost-effective compared to a managed service like GuardDuty. Option C is wrong because while CloudWatch Logs Insights can query VPC Flow Logs, it requires manual creation and tuning of queries to detect port scanning patterns, and it does not provide automated, continuous detection or threat intelligence integration, leading to higher operational cost and potential missed detections. Option D is wrong because AWS Config rules monitor changes to security group configurations, not network traffic patterns; they cannot detect active reconnaissance behavior such as port probing or scanning.

174
MCQeasy

A company has enabled AWS CloudTrail and wants to receive real-time notifications when specific API calls, such as DeleteTrail, are made. Which service should be used to trigger an alert based on CloudTrail log events?

A.AWS CloudTrail console notifications
B.Amazon CloudWatch Events / Amazon EventBridge
C.Amazon VPC Flow Logs
D.Amazon S3 event notifications
AnswerB

EventBridge can match CloudTrail events and trigger actions like SNS notifications.

Why this answer

Amazon CloudWatch Events (now part of Amazon EventBridge) is the correct service to trigger real-time alerts based on CloudTrail log events. You can create a rule that matches specific API calls, such as DeleteTrail, and route the event to a target like an SNS topic or Lambda function for immediate notification. CloudTrail delivers log events to CloudWatch Logs, and EventBridge can directly consume those events for pattern matching and alerting.

Exam trap

The trap here is that candidates often confuse S3 event notifications (which work on S3 objects) with CloudTrail log delivery to S3, mistakenly thinking S3 notifications can parse CloudTrail logs for specific API calls, but S3 notifications only react to bucket-level object events, not the content of log files.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail console notifications do not exist as a feature; CloudTrail does not provide built-in real-time alerting from its console. Option C is wrong because Amazon VPC Flow Logs capture IP traffic metadata (source/destination IPs, ports, protocols) and are not designed to monitor or alert on CloudTrail API call events. Option D is wrong because Amazon S3 event notifications are triggered by object-level operations (e.g., PutObject, DeleteObject) in an S3 bucket, not by CloudTrail log events or API calls like DeleteTrail.

175
MCQeasy

A company has an incident response (IR) process that includes isolating compromised EC2 instances. During a security incident, the IR team needs to block all traffic to and from a compromised instance while preserving the instance for forensic analysis. Which approach should the team take?

A.Detach the instance from the Auto Scaling group and stop it.
B.Modify the security group associated with the instance to remove all inbound and outbound rules.
C.Update the network ACL for the subnet to deny all traffic.
D.Terminate the instance immediately.
AnswerB

This blocks all traffic to/from the instance while keeping it running for forensics.

Why this answer

Modifying the security group to deny all traffic is the quickest way to isolate an instance while keeping it running. Detaching the instance stops it and may lose volatile data. Deleting the instance destroys evidence.

Changing network ACLs affects the entire subnet, not just the instance.

176
MCQmedium

The above condition is added to an S3 bucket policy to restrict access to a specific VPC endpoint. An EC2 instance in the same VPC is unable to access the bucket. What is the most likely reason?

A.The condition should use aws:SourceVpc instead of aws:SourceVpce
B.The EC2 instance does not have a public IP address
C.The VPC endpoint policy does not allow the s3:GetObject action
D.The resource ARN in the policy is for EC2, not for S3
AnswerD

An S3 bucket policy must have resource ARN for S3, such as arn:aws:s3:::bucket-name.

Why this answer

Option C is correct because the condition uses aws:SourceVpce, which checks the VPC endpoint ID. However, if the EC2 instance is accessing S3 through a gateway endpoint (not interface endpoint), the sourceVpce condition will not match because gateway endpoints do not provide a VPC endpoint ID in the request. Option A is wrong because the resource ARN is for EC2 instances, but the policy is for S3 bucket? Actually, the exhibit shows a condition, not a full policy.

The condition is likely part of an S3 bucket policy. The resource ARN for S3 would be different. The exhibit shows a resource ARN for EC2, which is suspicious.

Actually, the exhibit shows Resource: "arn:aws:ec2:..." which is incorrect for S3. That might be the problem. Option D: The resource ARN is for EC2, not S3.

So the policy is malformed. The most likely reason is that the resource ARN is incorrect. So option D.

Let's re-evaluate: The exhibit shows Resource: "arn:aws:ec2:..." but the condition is for S3? The stem says 'added to an S3 bucket policy'. So the resource ARN should be for S3. Therefore the policy is invalid.

So answer D.

177
Multi-Selectmedium

A security engineer is configuring Amazon GuardDuty to generate alerts for specific threat types. The engineer wants to ensure that alerts are sent to the security team's email distribution list and also trigger an automated Lambda function for immediate response. Which two actions should the engineer take? (Select TWO.)

Select 2 answers
A.Create an Amazon EventBridge rule that matches GuardDuty findings and triggers a Lambda function.
B.Configure Amazon CloudWatch Logs to send log events to an email distribution list.
C.Create an Amazon CloudWatch Events rule to route findings to a Lambda function.
D.Create an Amazon Simple Notification Service (SNS) topic and subscribe the email distribution list.
E.Create an Amazon Simple Queue Service (SQS) queue and have the Lambda function poll the queue.
AnswersA, D

EventBridge can directly invoke Lambda functions.

Why this answer

Option A is correct because Amazon EventBridge (formerly CloudWatch Events) can be configured with a rule that matches GuardDuty finding events. When a finding matches the rule pattern, EventBridge can directly invoke a Lambda function for automated incident response, such as isolating a compromised instance or updating security groups.

Exam trap

The trap here is that candidates may confuse CloudWatch Events (now EventBridge) with CloudWatch Logs or think that SQS alone can handle email notifications, overlooking the need for SNS to deliver messages to email distribution lists.

178
MCQhard

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to ensure that all security findings from GuardDuty, Security Hub, and Detective are centrally collected and correlated. Which architecture is the MOST scalable and cost-effective?

A.Deploy a central Lambda function that polls each account's GuardDuty, Security Hub, and Detective APIs and stores findings in DynamoDB.
B.Enable AWS Security Hub as the central aggregator, with GuardDuty and Detective integrated. Use Security Hub cross-account aggregation.
C.Configure each account to send findings to a central CloudWatch Logs log group and use CloudWatch Logs Insights to correlate.
D.Stream all findings from all services to a central Amazon S3 bucket and use Amazon Athena to query them.
AnswerB

Security Hub is designed for this.

Why this answer

Option B is correct because AWS Security Hub natively supports cross-account aggregation via a delegated administrator, allowing findings from GuardDuty, Security Hub, and Detective to be centrally collected without custom code. This architecture is both scalable (handles hundreds of accounts without polling or custom infrastructure) and cost-effective (no additional Lambda, DynamoDB, or S3 query costs), leveraging built-in integrations and consolidated findings views.

Exam trap

The trap here is that candidates may over-engineer a solution with Lambda, DynamoDB, or S3/Athena, overlooking that Security Hub's built-in cross-account aggregation is the simplest, most scalable, and most cost-effective approach for centralizing security findings.

How to eliminate wrong answers

Option A is wrong because polling each account's APIs with a central Lambda function introduces latency, single points of failure, and significant cost at scale (Lambda invocations, DynamoDB read/write capacity), and does not leverage native cross-account aggregation features. Option C is wrong because CloudWatch Logs is not designed to receive structured findings from GuardDuty, Security Hub, or Detective natively; it would require custom log shipping and parsing, and CloudWatch Logs Insights is not optimized for correlating security findings across hundreds of accounts. Option D is wrong because streaming all findings to a central S3 bucket and querying with Athena incurs high storage and query costs, adds latency for real-time correlation, and misses native deduplication and enrichment provided by Security Hub's consolidated findings view.

179
MCQhard

A security engineer is configuring automated incident response for an Amazon EC2 instance that has been compromised. The engineer needs to isolate the instance while preserving forensic data. Which solution meets these requirements?

A.Detach the EBS volumes and attach them to a new instance in a different VPC.
B.Terminate the instance immediately to prevent further damage.
C.Create an AMI of the instance, then remove the instance from the security group to isolate it.
D.Stop the instance and change the security group to deny all traffic.
AnswerC

The AMI preserves the volume data, and removing from security group blocks traffic while keeping instance running.

Why this answer

Option C is correct because creating an AMI preserves the EBS volumes and their forensic data, while removing the instance from the security group effectively isolates it by denying all network traffic. This approach allows the engineer to later launch a forensic instance from the AMI in a controlled environment for analysis, without losing the compromised instance's state.

Exam trap

The trap here is that candidates may think stopping the instance (Option D) is sufficient for isolation, but they overlook that stopping does not prevent an attacker from restarting the instance, and it can destroy volatile forensic data.

How to eliminate wrong answers

Option A is wrong because detaching EBS volumes and attaching them to a new instance in a different VPC does not isolate the original instance; the instance remains running and could still be accessed or cause further damage. Option B is wrong because terminating the instance immediately destroys the forensic data on the instance store and EBS volumes (unless snapshots were taken beforehand), violating the requirement to preserve forensic data. Option D is wrong because stopping the instance and changing the security group to deny all traffic does not prevent the instance from being started again by an attacker with access, and stopping an instance can cause loss of in-memory forensic data (e.g., running processes, network connections).

180
MCQhard

A security engineer creates an Amazon CloudWatch Events rule with this event pattern to trigger an AWS Lambda function for automated response to GuardDuty findings. However, the Lambda function is not triggered for new findings. What is the MOST likely cause?

A.The finding type is not specified in the pattern.
B.CloudTrail is not enabled in the account.
C.The event pattern does not match the actual structure of GuardDuty findings.
D.The Lambda function does not have permission to be invoked by CloudWatch Events.
AnswerC

The `resources` field is an array of objects with `arn` property.

Why this answer

Option C is correct because the event pattern provided in the CloudWatch Events rule must exactly match the JSON structure of a GuardDuty finding as it is published to the default event bus. GuardDuty findings are delivered with a specific schema that includes a `detail` object containing `type`, `severity`, and other fields. If the event pattern uses incorrect field names, nesting, or missing required elements (e.g., `source` must be `aws.guardduty`), CloudWatch Events will not match the incoming events, and the Lambda function will not be triggered.

Exam trap

The trap here is that candidates often assume the issue is a missing permission (Option D) or a missing finding type (Option A), but AWS specifically designs this question to test whether you understand that CloudWatch Events pattern matching is strict and case-sensitive, and that GuardDuty findings have a predefined event structure that must be replicated exactly.

How to eliminate wrong answers

Option A is wrong because the finding type does not need to be specified in the pattern; you can use an empty pattern or a pattern that matches all GuardDuty findings, and the function will still trigger. Option B is wrong because CloudTrail is not required for GuardDuty to publish findings to CloudWatch Events; GuardDuty sends findings directly to the default event bus via its own integration. Option D is wrong because if the Lambda function lacked permission to be invoked by CloudWatch Events, you would see an explicit error in the CloudWatch Events rule's monitoring or the Lambda function's CloudWatch Logs, and the rule would show a failed invocation count; the question states the function is not triggered at all, which points to a pattern mismatch, not a permissions issue.

181
Multi-Selecthard

A security engineer is investigating a potential incident where an EC2 instance was compromised. The engineer has access to the following logs: CloudTrail, VPC Flow Logs, and OS-level logs from the instance. Which TWO log sources would be MOST useful to determine the initial attack vector? (Choose TWO.)

Select 2 answers
A.Amazon CloudWatch Metrics for the instance
B.OS-level authentication and system logs
C.AWS CloudTrail logs
D.AWS Config configuration history
E.VPC Flow Logs
AnswersB, C

OS logs (e.g., /var/log/auth.log) show login attempts, sudo commands, and other activities that can pinpoint the attack vector.

Why this answer

Option A is correct because CloudTrail logs API calls, which can show who launched the instance and what security groups were used. Option D is correct because OS-level logs show login attempts, processes, and file changes. Option B is wrong because VPC Flow Logs show network traffic but not application-level details.

Option C is wrong because CloudWatch Metrics are aggregated and do not provide detailed logs. Option E is wrong because Config records configuration changes, not attack vectors.

182
MCQhard

A financial services company uses a multi-account AWS organization with a centralized security account. The security team has enabled Amazon GuardDuty in all accounts and configured it to send findings to the security account via AWS Organizations. The team also uses AWS Security Hub in the security account to aggregate findings. They have set up automated response using AWS Systems Manager Automation documents to isolate compromised EC2 instances by applying a security group that denies all traffic. However, during a recent incident, the automation failed because the Systems Automation document did not have permission to modify the security group in the member account. The security team needs to design a solution that allows the security account to automatically isolate instances in any member account. What should they do?

A.Create a Lambda function in each member account that is triggered by GuardDuty findings and modifies the security group.
B.Create a single IAM role in the security account that has permissions to modify security groups in all member accounts.
C.Use AWS CloudFormation StackSets to deploy an IAM role in each member account with permissions to modify security groups. Then, in the security account, configure the Systems Manager Automation document to assume that role when running the isolation step.
D.Modify the IAM role used by Systems Manager Automation in the security account to include permissions to modify security groups in all member accounts.
AnswerC

StackSets deploy the role across all accounts, and the automation assumes the role to perform cross-account actions.

Why this answer

Option A is correct because using a CloudFormation StackSet to deploy the necessary IAM roles in each member account with the appropriate permissions, and then having the automation in the security account assume that role via cross-account access, is a scalable and secure approach. Option B is wrong because modifying the IAM role in the security account does not grant permissions in member accounts. Option C is wrong because using a Lambda function in each member account is less scalable than using StackSet.

Option D is wrong because creating a single role in the security account does not grant access to member accounts.

183
MCQmedium

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. The policy is intended to allow read access to objects in the bucket only from the corporate network (203.0.113.0/24). However, users outside the network can still access the bucket. What is the most likely reason?

A.The bucket policy does not include an explicit Deny statement for IP addresses outside the allowed range.
B.The s3:GetObject action is misspelled; it should be s3:GetObjectVersion.
C.The condition key should be aws:SourceIp instead of aws:SourceIp.
D.The bucket policy must be attached to the bucket's ACL instead.
AnswerA

Without an explicit Deny, the Allow applies only to the specified IP, but other users might be denied by default if no other policies allow them. However, if users have IAM permissions, they could access from any IP. The policy should include a Deny to restrict.

Why this answer

The bucket policy alone is not sufficient; the bucket must also block public access. A bucket policy that grants access to a specific IP range still allows access to anyone who can satisfy the condition. However, if the bucket's block public access settings are not configured, anonymous users could bypass the policy? Actually, the policy allows access only from that IP, but if the bucket is not public, only authorized IAM users can access.

The issue could be that the policy doesn't deny access from other IPs. The correct answer is that the policy allows access but does not explicitly deny access from other IPs. A more correct policy would include a Deny statement.

The other options: Users are using pre-signed URLs would bypass IP restriction. The bucket policy has a typo? The resource is correct. The condition key is correct.

The most likely reason is that the policy allows access but does not deny access from other IPs. However, among the options, the best is that the policy does not include an explicit Deny for other IPs.

184
MCQmedium

A security engineer is analyzing VPC Flow Logs and sees the entry above. The source IP 203.0.113.5 is flagged as suspicious. What additional information would help determine if this is malicious?

A.The source port used by 203.0.113.5.
B.CloudTrail logs for any `ConsoleLogin` or `AssumeRole` events from 203.0.113.5.
C.Network ACL changes associated with the destination subnet.
D.Amazon GuardDuty findings for the destination 10.0.1.5.
AnswerB

Could indicate compromised credentials.

Why this answer

Option B is correct because VPC Flow Logs capture network traffic metadata (IPs, ports, protocols) but not the identity or authentication context of the source. CloudTrail logs record API calls, including ConsoleLogin and AssumeRole events, which can reveal whether 203.0.113.5 is associated with an authenticated user or role. If no such events exist, the traffic is likely from an unauthenticated external source, strengthening the case for malicious activity.

Exam trap

The trap here is that candidates focus on network-layer indicators (ports, ACLs, GuardDuty) instead of recognizing that VPC Flow Logs lack identity context, so CloudTrail is the only service that can tie an IP to an authenticated action.

How to eliminate wrong answers

Option A is wrong because the source port is ephemeral and dynamically assigned by the OS; it provides no meaningful security context for determining malicious intent. Option C is wrong because network ACL changes affect traffic filtering rules, not the identity or behavior of the source IP; they are irrelevant to assessing whether 203.0.113.5 is malicious. Option D is wrong because GuardDuty findings for the destination 10.0.1.5 would indicate threats targeting that host, but they do not directly confirm whether the source IP 203.0.113.5 is malicious—the source could be benign even if the destination is compromised.

185
Multi-Selectmedium

A security engineer is investigating a potential compromise of an EC2 instance. The engineer wants to capture volatile memory data and create a forensic image of the instance's EBS volumes. Which TWO actions should the engineer take? (Choose 2.)

Select 2 answers
A.Enable AWS CloudTrail for the instance.
B.Use AWS Systems Manager Run Command to execute a memory capture script.
C.Use AWS Backup to create a backup of the instance.
D.Create an Amazon EBS snapshot of the instance's root volume.
E.Use Amazon Inspector to scan the instance for vulnerabilities.
AnswersB, D

Run Command can execute memory capture tools.

Why this answer

Option B is correct because AWS Systems Manager Run Command allows you to remotely execute scripts on EC2 instances without needing SSH access, which is critical during incident response to capture volatile memory data before the instance is compromised further. Option D is correct because creating an EBS snapshot provides a point-in-time forensic image of the root volume that can be analyzed offline without altering the original evidence.

Exam trap

The trap here is that candidates confuse AWS Backup (a managed backup service) with EBS snapshots, not realizing that AWS Backup does not provide the immediate, point-in-time forensic snapshot needed for incident response and may introduce additional latency or metadata changes.

186
Multi-Selectmedium

A security team is setting up incident response automation. Which TWO steps should be taken to ensure that a compromised EC2 instance is isolated while preserving forensic data? (Choose TWO.)

Select 2 answers
A.Assign a new security group that denies all inbound and outbound traffic.
B.Shut down the instance from the OS.
C.Remove the instance from any Auto Scaling group or load balancer target group.
D.Create an EBS snapshot of the instance's root volume.
E.Terminate the instance.
AnswersC, D

Stops new traffic.

Why this answer

Option C is correct because removing the instance from Auto Scaling groups or load balancer target groups stops new traffic from being routed to it, effectively isolating it from application traffic without destroying the instance. Option D is correct because creating an EBS snapshot preserves the root volume's data for forensic analysis before any changes occur. Together, these steps ensure the instance is isolated for investigation while retaining evidence.

Exam trap

The trap here is that candidates often choose Option A (assigning a deny-all security group) thinking it isolates the instance, but they overlook that existing connections remain active and that Auto Scaling may immediately launch a replacement, losing the forensic opportunity.

187
MCQhard

A company has multiple AWS accounts in AWS Organizations. The security team wants to centralize threat detection and automate incident response. Which combination of services should they use?

A.GuardDuty + Security Hub + Step Functions
B.GuardDuty + Amazon EventBridge + AWS Lambda
C.Amazon Macie + AWS Config + SNS
D.CloudTrail + CloudWatch Logs + Lambda
AnswerB

GuardDuty detects threats, EventBridge routes findings, Lambda automates response.

Why this answer

Option B is correct because GuardDuty generates threat detection findings, which are sent to Amazon EventBridge as events. EventBridge then triggers an AWS Lambda function to automate incident response actions, such as isolating an EC2 instance or revoking IAM credentials. This combination provides a fully serverless, event-driven pipeline for centralized threat detection and automated remediation across multiple AWS accounts in Organizations.

Exam trap

The trap here is that candidates often confuse Security Hub with EventBridge, thinking Security Hub is required to aggregate findings before automation, but EventBridge can directly consume GuardDuty findings without Security Hub, and Security Hub is a separate service for multi-framework compliance and aggregation, not a prerequisite for automated incident response.

How to eliminate wrong answers

Option A is wrong because Step Functions is a workflow orchestration service, not a direct event trigger for GuardDuty findings; while it can be used for complex workflows, the standard pattern for automated incident response uses EventBridge to directly invoke Lambda, making Step Functions an unnecessary and less efficient intermediate layer for simple automation. Option C is wrong because Amazon Macie focuses on sensitive data discovery in S3, not threat detection, and AWS Config tracks resource configuration changes, not security threats; SNS alone cannot automate incident response actions. Option D is wrong because CloudTrail and CloudWatch Logs are logging and monitoring services, not dedicated threat detection services; while Lambda can be triggered from CloudWatch Logs, this setup lacks GuardDuty's intelligent threat detection and requires custom log analysis to identify threats, missing the centralized threat detection requirement.

188
Multi-Selecteasy

A company wants to ensure that all API calls made to AWS are logged for security analysis. Which TWO services can be used to achieve this? (Choose two.)

Select 2 answers
A.Amazon S3 server access logs
B.AWS CloudTrail
C.Amazon VPC Flow Logs
D.Amazon CloudWatch Logs
E.AWS Config
AnswersA, B

S3 server access logs record requests made to S3, which are a subset of API calls.

Why this answer

Amazon S3 server access logs capture detailed records of requests made to an S3 bucket, including the requester, bucket name, request time, and action. This enables security analysis of API calls specifically targeting S3 resources. AWS CloudTrail records all API calls made to the AWS Management Console, SDKs, and CLI across the entire AWS account, providing a comprehensive audit trail for security analysis.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which log network traffic) or CloudWatch Logs (a log storage service) with services that directly capture API calls, but only CloudTrail and S3 server access logs provide the specific API-level logging required for security analysis.

189
MCQhard

An organization uses AWS Organizations with hundreds of accounts. The security team wants to automatically respond to a specific GuardDuty finding by isolating the affected EC2 instance. What is the recommended architecture?

A.Use EventBridge to trigger a Lambda function in the delegated administrator account, which assumes an IAM role in the affected account to isolate the instance.
B.Configure GuardDuty to invoke a Lambda function in the affected account directly.
C.Use EventBridge to send the finding to a Step Functions workflow that isolates the instance.
D.Use AWS Systems Manager Automation to isolate the instance across accounts.
AnswerA

This is the recommended pattern for cross-account automated response.

Why this answer

Option A is correct because it follows the recommended architecture for cross-account automated response to GuardDuty findings. EventBridge in the delegated administrator account captures the finding and triggers a Lambda function, which then assumes an IAM role (using STS AssumeRole) in the affected member account to perform the isolation. This pattern centralizes management while respecting the security boundary between accounts.

Exam trap

The trap here is that candidates may assume GuardDuty can directly trigger a Lambda in any account, but in reality, GuardDuty findings are centralized in the delegated administrator account and cross-account actions require explicit role assumption via EventBridge and Lambda.

How to eliminate wrong answers

Option B is wrong because GuardDuty cannot directly invoke Lambda functions in member accounts; it can only send findings to EventBridge or to the delegated administrator account. Option C is wrong because while Step Functions can orchestrate workflows, the recommended architecture uses a Lambda function to assume a role in the affected account, not a direct Step Functions cross-account invocation (which would require additional complexity and is not the standard pattern). Option D is wrong because AWS Systems Manager Automation does not natively support cross-account isolation of EC2 instances without first assuming a role via Lambda or similar; the recommended approach uses EventBridge and Lambda, not Systems Manager Automation directly.

190
MCQhard

During a security incident, a security engineer needs to collect EBS snapshots of multiple EC2 instances across different accounts in AWS Organizations. The snapshots must be copied to a central forensics account. Which combination of steps is MOST efficient?

A.Use Amazon Data Lifecycle Manager (DLM) to create snapshots and copy them to the forensics account using S3 cross-region replication.
B.Use AWS CloudFormation StackSets to deploy a stack that creates snapshots and copies them manually.
C.Use AWS Systems Manager Automation to run scripts in each account that create snapshots and copy them to the forensics account via Lambda.
D.Use AWS Backup to create backup plans in each account and enable cross-account backup copy to the forensics account.
AnswerD

Automated, centralized, and supports cross-account.

Why this answer

AWS Backup is the most efficient solution because it natively supports cross-account backup copy, allowing you to create backup plans in each account and automatically copy EBS snapshots to a central forensics account without custom scripting or manual intervention. This integrates directly with AWS Organizations, enabling centralized management of backup policies across multiple accounts, which is ideal for incident response scenarios requiring rapid, consistent snapshot collection.

Exam trap

The trap here is that candidates may choose DLM (Option A) because it is commonly used for snapshot automation, but they overlook that DLM cannot copy snapshots across accounts, which is a critical requirement for cross-account forensics.

How to eliminate wrong answers

Option A is wrong because Amazon Data Lifecycle Manager (DLM) does not support cross-account snapshot copying; it can only copy snapshots within the same account or across regions, not to a different AWS account. Option B is wrong because CloudFormation StackSets can deploy stacks across accounts, but they cannot create snapshots or copy them automatically; manual copying is required, which is inefficient during an incident. Option C is wrong because Systems Manager Automation with Lambda introduces unnecessary complexity and latency; it requires custom scripts and cross-account IAM roles, whereas AWS Backup provides a managed, policy-driven solution that is more reliable and efficient.

191
MCQeasy

A company needs to ensure that all API calls in their AWS account are logged and monitored for suspicious activity. Which service should be enabled first?

A.Amazon GuardDuty
B.Amazon Inspector
C.AWS Config
D.AWS CloudTrail
AnswerD

CloudTrail logs all API calls.

Why this answer

AWS CloudTrail records all API calls in the account. GuardDuty uses CloudTrail logs for threat detection, but CloudTrail must be enabled first. AWS Config is for configuration compliance.

Amazon Inspector is for host vulnerabilities.

192
MCQeasy

A security engineer is reviewing CloudTrail logs and notices API calls from an unknown IP address. The engineer needs to immediately block the IP address and receive alerts for any future suspicious activity. Which combination of actions should the engineer take?

A.Create an AWS WAF IP set and associate it with the CloudFront distribution. Configure CloudFront to block the IP.
B.Add the IP address to a security group with a DENY rule and enable AWS Security Hub to send alerts.
C.Revoke IAM permissions for the user associated with the IP and enable GuardDuty for alerting.
D.Add the IP address to a VPC NACL with a DENY rule and update a CloudWatch metric filter to create an alarm on the IP address.
AnswerD

Immediate network blocking plus alerting.

Why this answer

Option D is correct because VPC Network ACLs (NACLs) are stateless and can explicitly deny traffic from a specific IP address at the subnet level, providing immediate blocking without affecting existing security group rules. A CloudWatch metric filter on CloudTrail logs can trigger an alarm for any future API calls from that IP, enabling proactive alerting. This combination addresses both the immediate blocking and ongoing monitoring requirements.

Exam trap

The trap here is that candidates often confuse security groups (which are stateful and allow-only) with NACLs (which are stateless and support explicit DENY rules), leading them to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because AWS WAF IP sets associated with CloudFront only block traffic at the edge, not API calls made directly to AWS services via the AWS API or console, and the unknown IP may not be hitting CloudFront. Option B is wrong because security groups do not support DENY rules; they are allow-only, so you cannot explicitly block an IP address with a security group. Option C is wrong because revoking IAM permissions for the user associated with the IP does not block the IP address itself—the attacker could use different credentials—and GuardDuty alerts on threats but does not block traffic.

193
MCQhard

Refer to the exhibit. A security engineer reviews this CloudFormation template. The bucket is intended to be private. What is the security issue in the configuration?

A.The PublicAccessBlock configuration is missing the BlockPublicPolicy setting.
B.The bucket does not have versioning enabled.
C.The bucket policy grants public read access to the bucket, which overrides the PublicAccessBlock configuration.
D.The bucket policy uses an incorrect resource ARN.
AnswerC

PublicAccessBlock blocks public policies but not if the policy is applied directly and explicitly allows public access.

Why this answer

Option C is correct because the bucket policy explicitly grants public read access (Effect: Allow, Principal: *, Action: s3:GetObject), which overrides the PublicAccessBlock configuration when the policy is applied. PublicAccessBlock settings block new public policies but do not retroactively block existing policies that grant public access; the bucket policy takes precedence and makes the bucket publicly readable despite the intended private configuration.

Exam trap

The trap here is that candidates assume PublicAccessBlock settings automatically prevent any public access, but they do not override an existing bucket policy that explicitly grants public access; the policy is evaluated first and takes effect.

How to eliminate wrong answers

Option A is wrong because the PublicAccessBlock configuration includes BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets; the template shows BlockPublicPolicy set to true, so it is not missing. Option B is wrong because versioning is a data protection and recovery feature, not a security control for preventing public access; its absence does not cause the bucket to be publicly readable. Option D is wrong because the resource ARN arn:aws:s3:::my-bucket/* correctly specifies all objects in the bucket, and the bucket name matches the logical ID; the ARN is valid for the policy statement.

194
MCQhard

Refer to the exhibit. A security engineer is analyzing a VPC Flow Logs entry for an EC2 instance with private IP 192.0.2.10. The log shows an accepted outbound connection from the instance to 203.0.113.50 on port 443. The instance is not expected to initiate outbound HTTPS connections. What should the engineer do next to investigate?

A.Log into the instance and check for unauthorized processes or malware.
B.Block the IP 203.0.113.50 in the security group immediately.
C.Check the security group rules to see if outbound HTTPS is allowed.
D.Check Amazon Route 53 DNS logs to see what domain was resolved.
AnswerA

The instance may be compromised; investigate the OS.

Why this answer

Option A is correct because the VPC Flow Logs show an accepted outbound connection from the EC2 instance to an external IP on port 443, which is unexpected behavior. The immediate next step is to log into the instance and investigate for unauthorized processes, malware, or compromised credentials that could be initiating this outbound HTTPS traffic. This aligns with incident response best practices: verify the host before making network-level changes.

Exam trap

The trap here is that candidates assume the first step is to modify network controls (security groups or DNS logs) rather than performing host-level investigation, which is the correct incident response priority when the instance itself is the source of unexpected traffic.

How to eliminate wrong answers

Option B is wrong because blocking the IP immediately without first confirming the instance is compromised could disrupt legitimate traffic or alert an attacker prematurely; security groups should be modified only after a thorough investigation. Option C is wrong because checking security group rules is unnecessary—the flow log already shows the connection was accepted, meaning outbound HTTPS is permitted; the question is why the instance is making the connection, not whether it can. Option D is wrong because Amazon Route 53 DNS logs would only show DNS queries made to Route 53, and the instance may be using an external DNS resolver or a hardcoded IP, so this step is not the immediate priority for investigating unexpected outbound traffic.

195
Drag & Dropmedium

Drag and drop the steps to configure AWS WAF with rate-based rules in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Rate-based rules require creating a web ACL first, then adding the rule, associating with a resource, testing, and monitoring.

196
MCQeasy

A security engineer is configuring an automated response to a GuardDuty finding that indicates a compromised EC2 instance. The engineer wants to isolate the instance by changing its security group to a 'quarantine' group. Which AWS service is BEST suited to automate this response?

A.AWS Step Functions
B.AWS Config
C.Amazon EventBridge
D.AWS Systems Manager Automation
AnswerC

EventBridge can trigger a Lambda function on GuardDuty findings.

Why this answer

Amazon EventBridge is the best choice because it can directly receive GuardDuty findings as events and trigger an automated response, such as invoking a Lambda function or Systems Manager Automation runbook to change the EC2 instance's security group to a quarantine group. EventBridge provides native integration with GuardDuty via its default event bus, enabling real-time, event-driven automation without additional orchestration overhead.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Automation as the primary automation service, forgetting that it requires an event source like EventBridge to trigger it, making EventBridge the correct answer for the 'best suited' service to automate the response directly from GuardDuty.

How to eliminate wrong answers

Option A is wrong because AWS Step Functions is a workflow orchestration service that requires an event source (like EventBridge) to trigger it; it is not the direct trigger for GuardDuty findings and adds unnecessary complexity for a simple one-step response. Option B is wrong because AWS Config is a configuration auditing and compliance service that can evaluate resource configurations and trigger remediation via Systems Manager Automation, but it cannot directly receive GuardDuty findings as events and is not designed for real-time threat response. Option D is wrong because AWS Systems Manager Automation is a runbook execution service that can perform remediation actions, but it requires an event trigger (such as EventBridge) to start; it is not the service that listens for GuardDuty findings directly.

197
MCQhard

A company uses AWS Organizations with multiple accounts. The security team needs a centralized solution to automatically initiate incident response runbooks across all accounts when a threat is detected. Which approach meets these requirements?

A.Use AWS Security Hub with cross-account aggregation and Amazon EventBridge to trigger AWS Systems Manager Automation runbooks.
B.Enable Amazon GuardDuty in all accounts and use its built-in remediation actions.
C.Configure AWS CloudFormation StackSets to deploy incident response stacks in all accounts.
D.Deploy an AWS Lambda function in each member account to respond to findings.
AnswerA

Security Hub aggregates findings centrally, and EventBridge can trigger runbooks in target accounts.

Why this answer

AWS Security Hub with cross-account aggregation collects findings from all accounts into a single administrator account. Amazon EventBridge can then be configured to match specific Security Hub findings (e.g., a GuardDuty threat detection) and trigger AWS Systems Manager Automation runbooks. This provides a centralized, automated incident response mechanism across all accounts without requiring per-account Lambda functions or manual remediation.

Exam trap

The trap here is that candidates often assume GuardDuty's built-in remediation actions are sufficient for centralized multi-account response, but those actions are per-account and lack the orchestration and customization of Security Hub + EventBridge + Systems Manager Automation.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty's built-in remediation actions are limited to predefined, account-specific responses (e.g., blocking IPs via network ACLs) and cannot be centrally orchestrated across all accounts or customized as runbooks. Option C is wrong because AWS CloudFormation StackSets deploy static infrastructure stacks, not dynamic incident response workflows triggered by real-time threats; they lack event-driven automation. Option D is wrong because deploying a Lambda function in each member account creates a decentralized, harder-to-manage solution that requires per-account IAM roles and lacks a single point of orchestration, contrary to the requirement for a centralized solution.

198
Multi-Selecthard

Which THREE services can be used to detect and alert on suspicious API activity across an AWS organization? (Choose three.)

Select 3 answers
A.Amazon Inspector
B.Amazon GuardDuty
C.AWS Config
D.AWS Security Hub
E.AWS CloudTrail
AnswersB, D, E

GuardDuty analyzes CloudTrail events for malicious activity.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including suspicious API activity. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze AWS CloudTrail management events, VPC Flow Logs, and DNS logs across an AWS organization, and can trigger alerts via Amazon EventBridge or Security Hub.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance monitoring (e.g., checking if CloudTrail is enabled) with actual threat detection, but Config does not analyze API calls for suspicious patterns—it only checks configuration state against rules.

199
MCQeasy

A security team wants to detect and alert on API calls that create or modify IAM roles in their AWS account. Which AWS service can be used to create a metric filter and alarm for these specific CloudTrail events?

A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.AWS Config
AnswerC

CloudWatch Logs can filter CloudTrail logs and create alarms.

Why this answer

Amazon CloudWatch Logs can create metric filters on CloudTrail log data to detect specific API calls, such as CreateRole or UpdateAssumeRolePolicy. These metric filters can then trigger CloudWatch alarms for real-time notification. CloudTrail delivers logs to CloudWatch Logs, but the metric filter and alarm capabilities reside in CloudWatch Logs, not in CloudTrail itself.

Exam trap

The trap here is that candidates often confuse CloudTrail's logging capability with CloudWatch Logs' metric and alarm features, assuming CloudTrail itself can create alarms, when in reality CloudTrail only delivers logs and CloudWatch Logs provides the filtering and alerting mechanism.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes CloudTrail events, VPC flow logs, and DNS logs for malicious activity, but it does not allow you to create custom metric filters or alarms for specific API calls. Option B is wrong because AWS CloudTrail records API calls and delivers log files to an S3 bucket or CloudWatch Logs, but it does not have native metric filter or alarm creation capabilities. Option D is wrong because AWS Config evaluates resource configurations against rules and tracks configuration changes, but it does not create metric filters or alarms on CloudTrail event patterns.

200
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to detect suspicious API activity across all accounts in real time. They have enabled AWS CloudTrail in all accounts and are sending logs to a centralized S3 bucket. However, they are receiving alerts only after a significant delay. What should the security team do to reduce the latency of threat detection?

A.Set up Amazon EventBridge rules in each account to send specific CloudTrail events to a centralized event bus for immediate processing.
B.Enable Amazon GuardDuty in each account and configure it to send findings to a centralized S3 bucket.
C.Configure CloudTrail to deliver logs to a single S3 bucket and use S3 Event Notifications to trigger a Lambda function.
D.Use Amazon CloudWatch Logs Insights to query CloudTrail logs across accounts in real time.
AnswerA

EventBridge can capture CloudTrail events in near real time and send them to a central bus for immediate analysis and alerting.

Why this answer

Option D is correct because Amazon EventBridge can consume CloudTrail events in near real time across accounts by using cross-account event buses, allowing immediate action. Option A is wrong because consolidating logs is already done; the issue is latency in analysis, not aggregation. Option B is wrong because GuardDuty can analyze CloudTrail logs but may still introduce delay; EventBridge is faster for real-time detection.

Option C is wrong because CloudWatch Logs Insights is for querying, not real-time alerting.

201
Multi-Selectmedium

Which THREE steps should a security engineer take to ensure that an incident response plan for an AWS environment is effective? (Choose three.)

Select 3 answers
A.Regularly test the incident response plan through tabletop exercises and simulations.
B.Document and maintain an up-to-date list of incident response team members and their contact information.
C.Use the AWS account root user for incident response actions to ensure full permissions.
D.Store all evidence in an S3 bucket with public read access for easy sharing.
E.Automate containment actions using AWS Lambda and AWS Systems Manager.
AnswersA, B, E

Testing validates the plan's effectiveness.

Why this answer

Options A, B, and C are correct. Testing the plan via simulations (A) validates its effectiveness. Automating containment actions (B) reduces response time.

Documenting procedures and contacts (C) ensures clarity. Option D is wrong because using the root user for incident response is a security risk. Option E is wrong because storing evidence in public S3 buckets is insecure.

202
MCQeasy

A company wants to automate the response to a specific GuardDuty finding. When GuardDuty detects a finding of type `UnauthorizedAccess:EC2/SSHBruteForce`, they want to automatically block the offending IP address using a network ACL. Which AWS service can they use to orchestrate this response?

A.AWS Lambda
B.AWS Systems Manager Automation
C.AWS Config
D.AWS CloudFormation
AnswerB

Systems Manager Automation can execute runbooks to modify network ACLs in response to GuardDuty findings.

Why this answer

AWS Systems Manager Automation can be used to run predefined runbooks that modify network ACLs. AWS Config is for compliance, not automation. AWS CloudFormation is for infrastructure as code.

AWS Lambda can be used but requires custom code; Systems Manager Automation provides a managed solution.

203
MCQmedium

A security engineer is investigating a potential compromise of an IAM user. The engineer sees that the user's access keys were used from an IP address outside the company's allowed geography. Which AWS service can provide the most immediate notification of such anomalous API calls?

A.AWS Trusted Advisor
B.Amazon GuardDuty
C.AWS CloudTrail
D.Amazon CloudWatch
AnswerB

GuardDuty detects anomalous API calls and generates findings.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior, including anomalous API calls from unusual geographies. It uses machine learning and integrated threat intelligence to analyze CloudTrail events, VPC flow logs, and DNS logs in near real-time, enabling immediate notification of suspicious activity such as access key usage from an unexpected IP address.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail's logging capability with active threat detection, forgetting that CloudTrail only records events and requires an additional service like GuardDuty or a custom CloudWatch alarm to provide immediate notification of anomalous activity.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice recommendations for cost, performance, security, and fault tolerance, but it does not monitor or alert on anomalous API calls in real-time; it is a reactive advisory tool, not a threat detection service. Option C is wrong because AWS CloudTrail is a logging service that records API activity, but it does not analyze or alert on anomalous behavior; it requires an additional service like GuardDuty or a custom CloudWatch rule to generate notifications. Option D is wrong because Amazon CloudWatch can monitor metrics and logs and trigger alarms, but it lacks built-in threat detection intelligence; to detect anomalous geolocation-based API calls, you would need to manually create custom metrics and alarms from CloudTrail logs, which is not immediate or automated compared to GuardDuty's out-of-the-box anomaly detection.

204
MCQmedium

A security engineer is investigating a potential compromise. An EC2 instance running Amazon Linux 2 is sending outbound traffic to a known malicious IP address. The engineer needs to capture the network traffic for analysis without alerting the attacker. Which solution meets these requirements?

A.Enable VPC Flow Logs on the ENI and stream to Amazon S3 for analysis.
B.Attach a security group to the instance that logs all traffic to CloudWatch Logs.
C.Use VPC Traffic Mirroring to mirror the EC2 instance's ENI traffic to a monitoring appliance in a separate VPC.
D.Enable AWS Network Firewall on the VPC and configure a rule to log all traffic to the malicious IP.
AnswerC

VPC Traffic Mirroring copies traffic at the ENI level without inline inspection, enabling passive capture for analysis without alerting the attacker.

Why this answer

Option C is correct because VPC Traffic Mirroring captures all network traffic at the packet level from the EC2 instance's Elastic Network Interface (ENI) and forwards it to a monitoring appliance without any inline processing or modification of the traffic. This allows the security engineer to perform deep packet analysis while remaining completely transparent to the attacker, as the mirrored traffic is a copy and does not affect the original flow. Unlike other options, Traffic Mirroring provides full packet capture (including headers and payloads) for forensic analysis, which is essential for investigating a compromise.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which only provide metadata) with full packet capture, or assume that security groups or Network Firewall can log traffic passively, when in fact they are active security controls that could interfere with the attacker's activities.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture only metadata (source/destination IP, ports, protocol, packet/byte counts) and not the actual packet payloads, so they cannot provide the deep packet analysis needed for investigating a compromise. Option B is wrong because security groups are stateful firewalls that filter traffic at the instance level and do not have a logging capability to CloudWatch Logs; they only allow or deny traffic based on rules, and any logging would require additional agent-based solutions. Option D is wrong because AWS Network Firewall is a managed firewall service that inspects and potentially modifies traffic inline, which could alert the attacker by dropping or altering packets, and it does not provide passive packet capture for analysis.

205
Multi-Selectmedium

A security team suspects that an attacker has compromised an EC2 instance and is using it to launch outbound DDoS attacks. The team needs to quickly isolate the instance while preserving forensic data. Which combination of actions should the team take? (Choose TWO.)

Select 2 answers
A.Apply a restrictive security group that blocks all outbound traffic.
B.Modify the network ACL for the subnet to deny all outbound traffic.
C.Create a snapshot of the EBS volumes attached to the EC2 instance.
D.Detach the instance from the Auto Scaling group.
E.Terminate the EC2 instance immediately.
AnswersA, C

This isolates the instance by preventing outbound connections while allowing forensic access via inbound rules if needed.

Why this answer

Option A is correct because applying a restrictive security group that blocks all outbound traffic immediately stops the EC2 instance from sending any network packets, including DDoS traffic, without terminating the instance. This preserves the running state and allows forensic data collection from the instance's memory and disk. Security groups act as a stateful virtual firewall at the instance level, so blocking outbound traffic effectively isolates the instance from the network.

Exam trap

The trap here is that candidates often confuse network ACLs with security groups, thinking a subnet-level NACL change is equivalent to instance-level isolation, but NACLs affect all instances in the subnet and are stateless, making them unsuitable for targeted incident response.

206
MCQeasy

A security engineer is analyzing the VPC Flow Logs entry in the exhibit. The log shows traffic from an internal IP to an external IP. Which potential security concern should the engineer investigate?

A.The instance is participating in a DDoS attack against the external IP.
B.An EC2 instance is attempting to connect to an external host on port 3389 (RDP).
C.An external host is scanning the internal network on port 443.
D.The security group allows inbound RDP from 0.0.0.0/0.
AnswerB

Outbound RDP traffic from an internal instance is suspicious and may indicate data exfiltration or a compromised machine.

Why this answer

The VPC Flow Logs entry shows outbound traffic from an internal IP to an external IP on destination port 3389, which is the default port for Remote Desktop Protocol (RDP). RDP outbound from an EC2 instance to an external host is a security concern because it could indicate an attacker using the instance as a pivot point to connect to an external command-and-control server or to exfiltrate data via an RDP tunnel. The log direction (src internal, dst external) and port 3389 specifically point to an outbound RDP attempt, not inbound scanning or DDoS.

Exam trap

The trap here is that candidates focus on the port number (3389) and assume it is about inbound RDP from the internet, but the flow direction (src internal, dst external) indicates outbound traffic, which is a different security concern related to egress filtering and potential command-and-control activity.

How to eliminate wrong answers

Option A is wrong because a single outbound RDP connection to an external IP does not indicate participation in a DDoS attack; DDoS attacks typically involve high-volume traffic (e.g., SYN floods, UDP floods) to many targets, not a single TCP connection on port 3389. Option C is wrong because the log shows traffic from an internal IP to an external IP (src internal, dst external), not an external host scanning the internal network; scanning would have the external IP as the source. Option D is wrong because the VPC Flow Logs entry does not contain any information about security group rules; it only shows the traffic flow, and the concern is the outbound RDP attempt, not inbound rules.

207
MCQhard

During a security incident, a security engineer needs to capture network traffic from an EC2 instance for forensic analysis. The instance is part of an Auto Scaling group and may be terminated. What is the MOST efficient way to capture the traffic without affecting the instance's performance?

A.Use VPC Traffic Mirroring to mirror the instance's network traffic.
B.Enable VPC Flow Logs for the subnet.
C.SSH into the instance and run tcpdump to capture packets.
D.Attach a Network Load Balancer in front of the instance.
AnswerA

Traffic Mirroring is agentless and does not affect the instance.

Why this answer

VPC Traffic Mirroring allows you to copy network traffic from an EC2 instance to a monitoring appliance without impacting the instance. Option A (tcpdump) is intrusive. Option B (VPC Flow Logs) captures metadata, not full packets.

Option D (Network Load Balancer) forwards traffic but is not designed for forensic capture.

208
MCQhard

During an incident investigation, a security analyst finds that an IAM user 'JohnDoe' has been using an access key that was last rotated over 2 years ago. The analyst needs to determine if this key has been compromised. Which approach provides the MOST definitive evidence?

A.Check the S3 access logs to see if the key was used to download sensitive data
B.Use AWS CloudTrail LookupEvents to find API calls made by the key, focusing on unusual IP addresses or times
C.Review the IAM password policy to see if the key was created before the current policy
D.Use AWS Config to see if the key's permissions have changed
AnswerB

CloudTrail logs provide detailed records of API calls, helping identify anomalous activity.

Why this answer

Option B is correct because AWS CloudTrail LookupEvents allows you to filter API calls by user identity (such as the access key ID) and examine attributes like source IP address, user agent, and timestamp. Unusual IP addresses or times of day are strong indicators of compromise, as they suggest the key is being used from locations or at hours inconsistent with the legitimate user's behavior. This provides the most definitive evidence because it directly correlates the key's usage with anomalous patterns, rather than relying on indirect indicators like data downloads or permission changes.

Exam trap

The trap here is that candidates assume S3 access logs (Option A) are the definitive source for detecting compromise, but they miss that CloudTrail provides a complete audit trail of all API calls, including those that don't involve S3 data access, making it the superior choice for identifying anomalous behavior.

How to eliminate wrong answers

Option A is wrong because S3 access logs only show object-level operations (e.g., GetObject, PutObject) and do not capture all API calls made by the key; a compromised key might be used for reconnaissance or other actions that don't involve downloading sensitive data, so absence of such logs does not rule out compromise. Option C is wrong because the IAM password policy governs user passwords, not access keys; access key rotation is managed independently via the IAM console or API, and the password policy has no bearing on whether a key is compromised. Option D is wrong because AWS Config tracks resource configuration changes over time, but a compromised key can be used without any permission changes—attackers often use existing permissions to exfiltrate data or perform actions, so unchanged permissions do not indicate the key is safe.

209
MCQmedium

A company uses AWS Lambda functions to process data from an S3 bucket. The security team wants to detect any unauthorized attempts to invoke the Lambda function from outside the company's VPC. The Lambda function is configured to be VPC-enabled and is attached to a VPC with a security group. The team has enabled CloudTrail and VPC Flow Logs. However, they are not seeing any logs for the Lambda invocations in CloudTrail. The team has checked that CloudTrail is logging management events and that the Lambda function is being invoked. What is the most likely reason for the missing CloudTrail logs?

A.CloudTrail is not logging Lambda Invoke API calls because they are data events, not management events.
B.The Lambda function is not configured to send logs to CloudTrail.
C.The CloudTrail trail is not configured to log data events for Lambda.
D.VPC Flow Logs are not enabled for the Lambda function's VPC.
AnswerA

Invoke calls are data events and require enabling data events in CloudTrail.

Why this answer

Option D is correct because CloudTrail management events do not include Lambda Invoke API calls unless data events are enabled. Option A is wrong because VPC Flow Logs capture network traffic, not Lambda invocations. Option B is wrong because the Lambda function's VPC configuration does not affect CloudTrail logging.

Option C is wrong because CloudTrail is not limited by VPC endpoints.

210
Matchingmedium

Match each AWS IAM policy type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Attached to a user, group, or role

Attached to a resource like S3 bucket

Maximum permissions for an identity

Used in AWS Organizations to restrict permissions

Why these pairings

Different types of policies control access in AWS.

211
Multi-Selecthard

A security engineer is investigating a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B!DNS'. Which TWO actions should the engineer take as part of the initial response? (Choose two.)

Select 2 answers
A.Enable Amazon GuardDuty in the account if not already enabled.
B.Isolate the EC2 instance by modifying its security group to deny all traffic.
C.Immediately terminate the EC2 instance to stop the activity.
D.Take a snapshot of the instance's EBS volume for forensic analysis.
E.Disable termination protection on the instance to allow future termination.
AnswersB, D

Isolation prevents further malicious activity.

Why this answer

Option B is correct because isolating the EC2 instance by modifying its security group to deny all traffic is a critical containment step in incident response. This immediately stops the C2 (command and control) communication detected by GuardDuty's 'Backdoor:EC2/C&CActivity.B!DNS' finding, preventing further data exfiltration or lateral movement while preserving the instance for forensic analysis.

Exam trap

The trap here is that candidates may confuse incident response containment with eradication, choosing immediate termination (Option C) instead of isolation and forensic preservation (Option B and D).

212
MCQmedium

A security engineer is investigating a potential data breach. AWS CloudTrail logs show that an IAM user 'svc-backup' created an S3 bucket in the us-east-1 region and then uploaded a large number of objects. The engineer suspects that the user's credentials were compromised. What is the MOST efficient way to quickly identify the source IP address and user agent of the API calls made by this user?

A.Query AWS CloudTrail logs in Amazon Athena for the user's API calls.
B.Analyze VPC Flow Logs for traffic to the S3 bucket.
C.Enable Amazon GuardDuty and review the generated findings.
D.Use AWS Config to review the configuration history of the S3 bucket.
AnswerA

CloudTrail logs include sourceIPAddress and userAgent for API calls, and Athena enables efficient querying of large log datasets.

Why this answer

Option B is correct because CloudTrail logs contain the sourceIPAddress and userAgent fields for each API call, which can be queried using CloudTrail Insights or Athena to identify the source. Option A is wrong because VPC Flow Logs capture network traffic but do not include IAM user information. Option C is wrong because GuardDuty detects threats but does not store historical API call details.

Option D is wrong because Config records resource configuration changes but not API call source details.

213
MCQeasy

A security engineer is configuring an AWS environment to detect and respond to potential security threats. Which AWS service can be used to automate the remediation of unwanted access to Amazon S3 buckets by invoking AWS Lambda functions?

A.AWS Config
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS WAF
AnswerB

GuardDuty uses threat intelligence and machine learning to detect threats, and findings can trigger automated remediation via EventBridge and Lambda.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across AWS accounts and workloads. It can integrate with AWS Lambda functions via CloudWatch Events to automate remediation actions, such as blocking unwanted access to S3 buckets by updating bucket policies or removing public access. This makes GuardDuty the correct choice for detecting and automatically responding to security threats against S3 resources.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to auto-remediate noncompliant resources (using AWS Config rules and Lambda) with GuardDuty's threat-specific detection and response, but AWS Config does not detect security threats like unauthorized access—it only enforces configuration rules.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration auditing and compliance service that evaluates resource configurations against rules, but it does not natively detect security threats or invoke Lambda functions for threat remediation; it can trigger Lambda for configuration drift, not for threat response. Option C is wrong because Amazon Inspector is a vulnerability assessment service that scans EC2 instances and container images for software vulnerabilities and network exposure, not for detecting or remediating unwanted access to S3 buckets. Option D is wrong because AWS WAF is a web application firewall that protects web applications from common exploits like SQL injection and cross-site scripting, and it does not monitor or remediate S3 bucket access patterns.

214
MCQmedium

A company uses Amazon S3 to store sensitive data. The security team wants to detect and alert on public read access to S3 buckets. Which combination of AWS services is MOST appropriate?

A.AWS CloudTrail and Amazon CloudWatch Logs with metric filters for `PutBucketPolicy` events.
B.Amazon Macie with automated discovery jobs and Amazon CloudWatch Events to send alerts.
C.Amazon GuardDuty and AWS Lambda.
D.AWS Config with managed rules like `s3-bucket-public-read-prohibited` and Amazon SNS.
AnswerB

Macie can evaluate bucket policies and alert on public access.

Why this answer

Amazon Macie is purpose-built for discovering and protecting sensitive data in S3, and its automated discovery jobs can detect public read access to buckets. By integrating with Amazon CloudWatch Events, Macie can trigger alerts in real-time when such access is identified, making it the most appropriate choice for this detection and alerting requirement.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which is periodic and reactive) with real-time detection and alerting, or they mistakenly believe CloudTrail captures all public access events, when in fact it only logs API calls that change permissions, not the resulting access state.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs `PutBucketPolicy` events, but this only captures policy changes, not the actual public read access state; a bucket could be publicly readable via ACLs or a pre-existing policy without triggering a new `PutBucketPolicy` event, leading to missed detections. Option C is wrong because GuardDuty focuses on threat detection (e.g., unusual API calls, credential compromise) and does not natively scan S3 bucket permissions for public read access; while Lambda could be used to write custom logic, it is not a direct or managed solution for this specific requirement. Option D is wrong because AWS Config managed rule `s3-bucket-public-read-prohibited` is a detective control that evaluates compliance but does not natively generate real-time alerts; while SNS can be configured, the rule only runs on periodic evaluations or configuration changes, not continuously, and it does not detect public read access via ACLs or bucket policies that are already in place.

215
Multi-Selecteasy

Which TWO AWS services can be used to detect unauthorized access to an S3 bucket? (Select TWO.)

Select 2 answers
A.AWS WAF
B.AWS CloudTrail
C.Amazon GuardDuty
D.Amazon Macie
E.AWS Config
AnswersC, D

GuardDuty includes S3 threat detection findings.

Why this answer

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across AWS accounts and workloads. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze S3 data events (e.g., GetObject, PutObject) logged via CloudTrail management and data events, identifying suspicious patterns such as unusual access from a known malicious IP address or an anonymous user gaining access to an S3 bucket.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (a logging service) with a detection service, forgetting that CloudTrail only records events and does not analyze or alert on unauthorized access without additional services like GuardDuty or Amazon Detective.

216
MCQmedium

A company uses AWS Organizations and has enabled GuardDuty in the management account. The security team wants to view GuardDuty findings for all member accounts from a single delegated administrator account. Which configuration step is required?

A.Enable GuardDuty in each member account and configure cross-account IAM roles to aggregate findings in the management account.
B.Enable GuardDuty only in the management account and share findings via CloudWatch Logs cross-account subscription.
C.Designate a delegated administrator account in Organizations, then enable GuardDuty in that account. GuardDuty will automatically aggregate findings from member accounts.
D.Enable GuardDuty in the management account and use CloudWatch cross-account dashboard to view findings from member accounts.
AnswerC

Correct design for centralized GuardDuty.

Why this answer

Option C is correct because AWS Organizations allows you to designate a delegated administrator account for GuardDuty, which can then manage and view findings from all member accounts without needing to enable GuardDuty individually in each account. Once the delegated administrator is set up, GuardDuty automatically aggregates findings from all member accounts in the organization, providing a single-pane-of-glass view for the security team.

Exam trap

The trap here is that candidates often assume GuardDuty must be enabled manually in each account or that CloudWatch cross-account features can aggregate GuardDuty findings, but the exam tests knowledge of the delegated administrator feature which is the native, automated solution for multi-account aggregation.

How to eliminate wrong answers

Option A is wrong because it describes a manual, cross-account IAM role approach that is unnecessary and less efficient; GuardDuty's delegated administrator feature eliminates the need for per-account enablement and custom aggregation. Option B is wrong because enabling GuardDuty only in the management account does not allow it to monitor member account activity; GuardDuty must be enabled in each account (or via the delegated administrator) to generate findings from those accounts, and CloudWatch Logs cross-account subscription is not the intended mechanism for aggregating GuardDuty findings. Option D is wrong because CloudWatch cross-account dashboards can visualize metrics but do not automatically aggregate GuardDuty findings from member accounts; GuardDuty findings are not natively pushed to CloudWatch as metrics without additional configuration, and the delegated administrator approach is the correct method.

217
MCQmedium

A security engineer needs to detect and alert on suspicious API calls made from a compromised EC2 instance. The instance is associated with an IAM role that has permissions to call various AWS APIs. Which AWS service should the engineer use to monitor API calls and trigger alerts?

A.Amazon GuardDuty
B.AWS CloudTrail combined with Amazon CloudWatch Events
C.AWS Config
D.VPC Flow Logs
AnswerB

CloudTrail logs API calls; CloudWatch Events can trigger alerts based on those logs.

Why this answer

AWS CloudTrail records all API calls made by or on behalf of the EC2 instance's IAM role. By sending these logs to Amazon CloudWatch Events (now Amazon EventBridge), you can create rules that match specific API actions (e.g., 'ec2:TerminateInstances') and trigger alerts via SNS, Lambda, or other targets. This combination provides real-time monitoring and alerting for suspicious API activity from a compromised instance.

Exam trap

The trap here is that candidates confuse GuardDuty's threat detection capabilities with the need for custom alerting on specific API calls, overlooking that CloudTrail combined with CloudWatch Events (EventBridge) is the correct service pair for granular, user-defined monitoring and alerting.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to identify malicious behavior, but it does not natively trigger custom alerts for specific API calls; it generates its own findings. Option C is wrong because AWS Config is a resource inventory and compliance service that evaluates configuration changes against rules, not a real-time API monitoring and alerting service. Option D is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log API calls or IAM role activity, so they cannot detect suspicious API calls.

218
MCQmedium

A security engineer needs to analyze large volumes of VPC Flow Logs stored in Amazon S3 to identify anomalous traffic patterns. Which approach is MOST cost-effective and scalable?

A.Use AWS Glue to catalog and query the logs.
B.Download the logs to an EC2 instance and use grep commands.
C.Use Amazon Athena with partitioned data in S3.
D.Use Amazon QuickSight to directly query the logs.
AnswerC

Athena is serverless and cost-effective for querying data in S3.

Why this answer

Amazon Athena is the most cost-effective and scalable solution for querying large volumes of VPC Flow Logs stored in S3 because it uses a serverless, pay-per-query model with no infrastructure to manage. By partitioning the data (e.g., by date or region), Athena minimizes the amount of data scanned per query, directly reducing costs while enabling complex SQL-based analysis for anomaly detection.

Exam trap

The trap here is that candidates may confuse AWS Glue's cataloging role with a query engine, or assume QuickSight can directly query S3 without an intermediate service, leading them to overlook Athena's serverless, pay-per-query model as the optimal choice for scalable log analysis.

How to eliminate wrong answers

Option A is wrong because AWS Glue is primarily a metadata catalog and ETL service, not optimized for direct ad-hoc querying of large datasets; using Glue for this purpose would incur unnecessary costs for crawlers and ETL jobs without providing the scalable, on-demand querying that Athena offers. Option B is wrong because downloading logs to an EC2 instance and using grep is not scalable for large volumes, introduces egress costs from S3, requires managing EC2 resources, and cannot efficiently handle complex analytical queries across terabytes of data. Option D is wrong because Amazon QuickSight is a business intelligence visualization tool that relies on a query engine like Athena or a database; directly querying S3 with QuickSight is not supported—it would need Athena as an intermediary, making the suggestion technically incorrect and inefficient.

219
Multi-Selectmedium

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all API calls in the organization are logged and retained for at least one year. Which AWS services or features should be used to meet these requirements? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty with threat detection enabled.
B.AWS Config with recording enabled for all resources.
C.Amazon S3 lifecycle policy to transition logs to S3 Glacier after one year.
D.VPC Flow Logs for all VPCs.
E.AWS CloudTrail with organization trail.
AnswersC, E

This ensures logs are retained and cost-effective.

Why this answer

Option C is correct because an Amazon S3 lifecycle policy can automatically transition CloudTrail log objects from S3 Standard to S3 Glacier after one year, meeting the retention requirement cost-effectively. Option E is correct because AWS CloudTrail with an organization trail logs all API calls across all accounts in the AWS Organization, ensuring comprehensive logging.

Exam trap

The trap here is that candidates often confuse AWS Config (which records resource configuration changes) with CloudTrail (which records API calls), leading them to select Config as a logging solution for API activity.

220
Multi-Selectmedium

A security engineer is designing an incident response plan for a compromised S3 bucket. Which TWO actions should be taken to contain the incident? (Choose TWO.)

Select 2 answers
A.Delete the bucket and recreate it.
B.Enable MFA Delete on the bucket.
C.Enable CloudTrail data events for the bucket to log all object-level operations.
D.Apply a bucket policy that denies all principals access to the bucket.
E.Enable default encryption for the bucket.
AnswersC, D

Provides visibility for investigation.

Why this answer

Enabling CloudTrail data events for the S3 bucket (Option C) is a critical detective control that logs all object-level operations (e.g., GetObject, PutObject, DeleteObject). This allows the security engineer to perform forensic analysis, identify the scope of the compromise, and understand the attacker's actions, which is essential for containment and remediation. While not a direct containment action, it is a necessary step to gather evidence before or during containment.

Exam trap

The trap here is confusing detective controls (logging) with containment actions, and thinking that enabling encryption or MFA Delete will stop an active compromise, when they only protect against future risks or specific deletion scenarios.

221
MCQeasy

Refer to the exhibit. A security engineer is reviewing this IAM policy attached to an IAM user. The user reports being unable to download objects from the S3 bucket when connecting from a VPN with IP address 10.0.1.45. What is the most likely reason for the failure?

A.The policy does not include an Allow effect for s3:GetObject.
B.The aws:SourceIp condition key is not supported for IAM user policies; it should be used with IAM role trust policies.
C.The source IP 10.0.1.45 is not within the allowed range 10.0.0.0/16.
D.The policy uses the wrong action name; it should be s3:GetObjectAcl.
AnswerB

Condition keys like aws:SourceIp work only in the context of IAM roles, not user policies.

Why this answer

Option D is correct because IAM policies do not support the aws:SourceIp condition key for IAM users; it only works for IAM roles. Options A, B, and C are incorrect because the policy syntax is valid for roles, the IP is in the range, and the action is allowed.

222
Multi-Selectmedium

A security engineer is configuring an automated incident response workflow for Amazon GuardDuty findings. Which TWO actions should the engineer take to ensure that the response is triggered for all current and future GuardDuty findings?

Select 2 answers
A.Enable GuardDuty to export findings to CloudWatch Logs and then create a metric filter.
B.Create an Amazon EventBridge rule with an event pattern that matches GuardDuty finding events.
C.Create an Amazon SNS topic and subscribe the Lambda function to it, then configure GuardDuty to publish to SNS.
D.Configure the rule to invoke an AWS Lambda function that executes the incident response playbook.
E.Set up a CloudWatch Logs subscription filter to forward GuardDuty logs to the Lambda function.
AnswersB, D

EventBridge allows matching GuardDuty finding events to trigger a response.

Why this answer

Option B is correct because Amazon EventBridge can capture all GuardDuty findings by using an event pattern that matches the 'GuardDuty Finding' event type. This ensures that both current and future findings automatically trigger the rule without requiring manual updates or additional configuration.

Exam trap

The trap here is that candidates often confuse GuardDuty's integration with CloudWatch Logs (which does not exist) or assume GuardDuty can directly publish to SNS, when in fact EventBridge is the required intermediary for automated workflows.

223
MCQmedium

During a security incident, a security engineer suspects that an EC2 instance has been compromised and is exfiltrating data to an external IP address. Which AWS service can provide real-time network traffic analysis and alert on unusual outbound traffic patterns?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture network traffic metadata for analysis.

Why this answer

Option B is correct because VPC Flow Logs capture IP traffic information and can be analyzed to detect abnormal outbound traffic. Option A is wrong because GuardDuty uses VPC Flow Logs and other sources but does not provide raw flow log analysis. Option C is wrong because CloudTrail logs API calls, not network traffic.

Option D is wrong because Inspector is for vulnerability assessment, not network traffic analysis.

224
MCQhard

A security engineer is investigating a potential compromise of an EC2 instance. The instance was launched from a custom AMI. The engineer needs to determine if the AMI itself contains malicious software. Which approach provides the most thorough analysis without risking the production environment?

A.Launch a test instance from the AMI in an isolated VPC and run Amazon Inspector.
B.Use AWS Systems Manager to run a compliance scan on the running instance.
C.Create an EBS snapshot from the AMI and scan the snapshot with Amazon Detective.
D.Launch a test instance from the AMI in an isolated VPC and analyze its behavior.
AnswerA

Isolated environment prevents impact; Inspector scans for vulnerabilities and CVEs.

Why this answer

Option A is correct because launching a test instance from the AMI in an isolated VPC allows you to run Amazon Inspector, which performs automated vulnerability assessments and network reachability checks against the instance. This approach provides a thorough analysis of the AMI's software and configuration without exposing the production environment to any potential malicious activity. Amazon Inspector uses a knowledge base of common vulnerabilities and exposures (CVEs) and CIS benchmarks to identify security issues, making it effective for detecting malicious software embedded in the AMI.

Exam trap

The trap here is that candidates may choose Option D (behavioral analysis) because it seems more hands-on and thorough, but they overlook that Amazon Inspector provides a more systematic, automated, and comprehensive scan for known vulnerabilities and misconfigurations, which is the most efficient way to identify malicious software in an AMI without risking the production environment.

How to eliminate wrong answers

Option B is wrong because AWS Systems Manager compliance scans are designed to assess the configuration of a running instance against defined policies (e.g., patch compliance), not to detect malicious software within the AMI itself; the scan runs on the potentially compromised production instance, risking the production environment. Option C is wrong because Amazon Detective analyzes VPC flow logs, CloudTrail logs, and GuardDuty findings to investigate security incidents, but it does not scan EBS snapshots for malware; creating a snapshot from the AMI and scanning it with Detective would not reveal malicious software in the snapshot. Option D is wrong because while launching a test instance in an isolated VPC and analyzing its behavior (e.g., network traffic, process activity) can provide insights, it lacks the automated, comprehensive vulnerability scanning capabilities of Amazon Inspector, making it less thorough for identifying known malicious software or CVEs.

225
MCQmedium

A company is designing an automated incident response workflow. When a high-severity GuardDuty finding is generated, the security team wants to automatically isolate the affected EC2 instance by modifying its security group to deny all traffic. Which service should orchestrate this response?

A.AWS Lambda
B.AWS Config
C.AWS Step Functions
D.AWS Systems Manager Automation
AnswerD

Automation provides predefined runbooks for incident response, including security group modification.

Why this answer

AWS Systems Manager Automation is the correct choice because it provides a pre-built runbook (AWS-DetachAndIsolateEC2Instance) that can be triggered by Amazon EventBridge when a GuardDuty finding is generated. This runbook automatically modifies the EC2 instance's security group to deny all traffic, effectively isolating the instance without requiring custom code. Systems Manager Automation is designed for such operational workflows, offering built-in error handling and approval steps.

Exam trap

The trap here is that candidates often choose AWS Lambda because they think they need custom code to modify security groups, overlooking that AWS Systems Manager Automation provides a purpose-built, no-code runbook for EC2 isolation that integrates directly with GuardDuty findings via EventBridge.

How to eliminate wrong answers

Option A is wrong because AWS Lambda is a serverless compute service for running code, but it would require you to write custom logic to modify security groups, handle API calls, and manage permissions, whereas Systems Manager Automation provides a ready-to-use runbook. Option B is wrong because AWS Config is a service for evaluating resource compliance against rules, not for orchestrating automated incident response actions like modifying security groups. Option C is wrong because AWS Step Functions is a workflow orchestration service that could coordinate multiple steps, but it lacks the pre-built runbook for EC2 isolation and would require you to build the entire workflow from scratch, including Lambda functions for each action.

← PreviousPage 3 of 4 · 243 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Threat Detection questions.