Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 173 discussion

The correct answer is: A. Review GuardDuty findings to find InstanceCredentialExfiltration events. Explanation: AWS GuardDuty provides threat detection and automatically detects suspicious activities, including InstanceCredentialExfiltration events. The InstanceCredentialExfiltration finding in GuardDuty indicates that credentials from the EC2 instance metadata were potentially stolen and used outside of AWS. Since the company already uses GuardDuty, it is the best tool for detecting this type of attack quickly. D. CloudWatch logs store logs, but they do not provide the intelligence to detect credential exfiltration like GuardDuty does.

The InstanceCredentialExfiltration finding is not guaranteed to be raised by GuardDuty. So A can be only used for alerts. For forensics, cloudtrail is the way to go, so C.

The best solution to determine if the credentials were used to access the company’s resources from an external account is Option A: A. Review GuardDuty findings to find InstanceCredentialExfiltration events. Amazon GuardDuty is designed to detect suspicious activity, including the use of EC2 instance credentials from an external account1. It generates findings such as InstanceCredentialExfiltration events, which specifically indicate that instance credentials have been used from an IP address associated with a different AWS account1. This approach leverages GuardDuty’s built-in threat detection capabilities, providing a streamlined and automated way to identify potential security breaches with minimal manual effort. Options B, C, and D involve more manual log analysis and do not directly leverage GuardDuty’s specialized detection capabilities for this type of event.

Use managed solution instead of custom solution

My answer is A.

My answer is A.

My answer is A. https://aws.amazon.com/blogs/aws/amazon-guardduty-enhances-detection-of-ec2-instance-credential-exfiltration/

A UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address. Default severity: High Data source: CloudTrail management events or S3 data events This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an EC2 instance in your AWS environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS.

My answer is C. By reviewing CloudTrail logs for GetSessionToken calls originating from external accounts, the security engineer can identify attempts to use the stolen credentials to assume temporary roles within the company's AWS environment. This would be a strong indicator of compromised credentials.

i think C

A https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws