
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 173 discussion

A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.

A security engineer must determine if the credentials were used to access the company's resources from an external account.

Which solution will provide this information?

  • A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
  • B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
  • C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
  • D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
Suggested Answer: A

Comments

IPLogic
1 day, 11 hours ago
Selected Answer: A
The best solution to determine if the credentials were used to access the company's resources from an external account is Option A: Review GuardDuty findings to find InstanceCredentialExfiltration events. Amazon GuardDuty is designed to detect suspicious activity, including the use of EC2 instance credentials from an external account. It generates findings such as InstanceCredentialExfiltration events, which specifically indicate that instance credentials have been used from an IP address associated with a different AWS account. This approach leverages GuardDuty's built-in threat detection capabilities, providing a streamlined and automated way to identify potential security breaches with minimal manual effort. Options B, C, and D involve more manual log analysis and do not directly leverage GuardDuty's specialized detection capabilities for this type of event.
upvoted 1 times
GirishArora22
4 months, 1 week ago
Selected Answer: A
Use managed solution instead of custom solution
upvoted 2 times
xekiva3329
5 months, 2 weeks ago
Selected Answer: A
My answer is A.
upvoted 2 times
PegasusForever
5 months, 3 weeks ago
My answer is A. https://aws.amazon.com/blogs/aws/amazon-guardduty-enhances-detection-of-ec2-instance-credential-exfiltration/
upvoted 3 times
grekh001
6 months ago
A

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address.
Default severity: High
Data source: CloudTrail management events or S3 data events

This finding informs you that a host outside of AWS has attempted to run AWS API operations using temporary AWS credentials that were created on an EC2 instance in your AWS environment. The listed EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS.
upvoted 3 times
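The finding type quoted above has a sibling, InstanceCredentialExfiltration.InsideAWS, which fires when the instance credentials are used from another AWS account rather than from outside AWS; that sibling is the one that answers the question's "external account" condition. The script below is an added example, not code from the original page or from AWS: it triages a list of findings shaped like what boto3's guardduty get_findings returns (PascalCase keys, an assumption about the response shape), separates "outside AWS", "external AWS account" and "own account" usage, and builds the FindingCriteria dict you would pass to list_findings to pull only these two finding types. The findings, account IDs, instance IDs, access key IDs and IP addresses are constructed for the example.

```python
"""Triage GuardDuty InstanceCredentialExfiltration findings (added example).

The sample findings are hand-written JSON shaped like boto3 guardduty
get_findings() output; every identifier in them is made up.
"""
import json

# The two GuardDuty finding types raised when EC2 instance-role credentials
# are used away from the instance they were issued to.
EXFIL_TYPES = {
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
}

# Assumed: the company's own AWS account IDs (constructed values).
OWN_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed sample findings: f1 from a non-AWS IP, f2 from a foreign AWS
# account, f3 an unrelated finding type, f4 from one of our own accounts.
SAMPLE_FINDINGS = json.loads(r"""
[
 {"Id": "f1", "AccountId": "111111111111", "Severity": 8.0,
  "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
  "Resource": {"ResourceType": "AccessKey",
               "AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE0000000001", "UserName": "app-role", "UserType": "AssumedRole"},
               "InstanceDetails": {"InstanceId": "i-0abc000000000001"}},
  "Service": {"Action": {"ActionType": "AWS_API_CALL",
    "AwsApiCallAction": {"Api": "ListBuckets", "ServiceName": "s3.amazonaws.com",
                         "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}}},
 {"Id": "f2", "AccountId": "111111111111", "Severity": 8.0,
  "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
  "Resource": {"ResourceType": "AccessKey",
               "AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE0000000001", "UserName": "app-role", "UserType": "AssumedRole"},
               "InstanceDetails": {"InstanceId": "i-0abc000000000001"}},
  "Service": {"Action": {"ActionType": "AWS_API_CALL",
    "AwsApiCallAction": {"Api": "GetCallerIdentity", "ServiceName": "sts.amazonaws.com",
                         "RemoteIpDetails": {"IpAddressV4": "203.0.113.77"},
                         "RemoteAccountDetails": {"AccountId": "999999999999", "Affiliated": false}}}}},
 {"Id": "f3", "AccountId": "111111111111", "Severity": 2.0,
  "Type": "Recon:EC2/PortProbeUnprotectedPort",
  "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0abc000000000002"}},
  "Service": {"Action": {"ActionType": "PORT_PROBE"}}},
 {"Id": "f4", "AccountId": "111111111111", "Severity": 8.0,
  "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
  "Resource": {"ResourceType": "AccessKey",
               "AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE0000000002", "UserName": "batch-role", "UserType": "AssumedRole"},
               "InstanceDetails": {"InstanceId": "i-0abc000000000003"}},
  "Service": {"Action": {"ActionType": "AWS_API_CALL",
    "AwsApiCallAction": {"Api": "GetObject", "ServiceName": "s3.amazonaws.com",
                         "RemoteIpDetails": {"IpAddressV4": "203.0.113.9"},
                         "RemoteAccountDetails": {"AccountId": "222222222222", "Affiliated": true}}}}}
]
""")


def build_finding_criteria():
    """FindingCriteria for guardduty.list_findings(): only the two exfiltration types."""
    return {"Criterion": {"type": {"Eq": sorted(EXFIL_TYPES)}}}


def triage(findings, own_accounts):
    """Keep only credential-exfiltration findings and say where the key was used from."""
    rows = []
    for f in findings:
        if f.get("Type") not in EXFIL_TYPES:
            continue
        action = f["Service"]["Action"]["AwsApiCallAction"]
        remote = action.get("RemoteAccountDetails", {})
        remote_account = remote.get("AccountId")
        if f["Type"].endswith(".OutsideAWS"):
            origin = "outside AWS"          # non-AWS IP; no account ID is available
        elif remote_account in own_accounts:
            origin = "own account"          # cross-account use inside our own estate
        else:
            origin = "external AWS account" # the case the question asks about
        rows.append({
            "finding_id": f["Id"],
            "type": f["Type"].rsplit(".", 1)[-1],
            "severity": f["Severity"],
            "instance_id": f["Resource"]["InstanceDetails"]["InstanceId"],
            "access_key_id": f["Resource"]["AccessKeyDetails"]["AccessKeyId"],
            "api": f"{action['ServiceName']}:{action['Api']}",
            "remote_ip": action["RemoteIpDetails"]["IpAddressV4"],
            "remote_account": remote_account,
            "affiliated": remote.get("Affiliated"),
            "origin": origin,
        })
    return rows


def external_account_usage(findings, own_accounts):
    """Findings where the instance credentials were used from an AWS account we do not own."""
    return [r for r in triage(findings, own_accounts) if r["origin"] == "external AWS account"]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, OWN_ACCOUNTS):
        print(row)
    print("use from external accounts:", [r["finding_id"] for r in external_account_usage(SAMPLE_FINDINGS, OWN_ACCOUNTS)])
```

Two practical points when running this against real findings: GuardDuty only raises these findings once the stolen key is actually used for an API call it sees through CloudTrail, so an exfiltrated but unused key produces nothing, and the AccessKeyId in the finding is the handle to pivot on in CloudTrail for the full list of calls made with it.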
aescudero51
6 months ago
Selected Answer: C
My answer is C. By reviewing CloudTrail logs for GetSessionToken calls originating from external accounts, the security engineer can identify attempts to use the stolen credentials to assume temporary roles within the company's AWS environment. This would be a strong indicator of compromised credentials.
upvoted 1 times
helloworldabc
2 months, 2 weeks ago
just A
upvoted 1 times
5409b91
6 months, 2 weeks ago
Selected Answer: C
i think C
upvoted 1 times
Zek
6 months, 3 weeks ago
A https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other