Why This Cheat Sheet Matters for SCS-C02
This cheat sheet covers the most important GuardDuty & Threat Detection concepts tested on the SCS-C02 (AWS Security Specialty) certification exam. It contains 4 sections with 18 key points that you should memorize before exam day. Study threat detection using VPC Flow Logs, DNS logs, CloudTrail events, S3 data events, EKS audit logs, and Lambda network activity for intelligent security monitoring. Use this as a quick-reference guide during your final review sessions.
Data Sources
- CloudTrail management events and S3 data events
- VPC Flow Logs (GuardDuty analyzes the flow data internally; you do not need to enable or store VPC Flow Logs yourself)
- DNS logs (Route 53 Resolver queries)
- EKS audit logs and runtime monitoring
- Lambda network activity monitoring
Finding Categories
- Recon: port scanning, API enumeration
- UnauthorizedAccess: compromised credentials, unusual API calls
- Trojan/Backdoor: malware communication, C2 connections
- CryptoCurrency: mining activity
- Impact: resource hijacking, data destruction
Severity & Response
- High (7.0–8.9): immediate action needed
- Medium (4.0–6.9): investigate and potentially remediate
- Low (1.0–3.9): informational, may indicate early-stage attacks
- Findings → EventBridge → Lambda/Step Functions for automation
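As an added example (not part of the cheat sheet), the automation path above worked in Python: an EventBridge event pattern that selects High findings, and a Lambda-style handler that maps a finding's severity to the tiers listed above. The sample event, finding id, account number and action names are constructed.

```python
import json

# Severity tiers as listed on this sheet (GuardDuty severity is a one-decimal float).
# Values above 8.9 are not covered by the sheet's tiers, so they fall through to manual review.
SEVERITY_TIERS = (
    (7.0, 8.9, "High", "page-oncall-and-isolate"),   # action names are constructed
    (4.0, 6.9, "Medium", "open-ticket"),
    (1.0, 3.9, "Low", "log-only"),
)

# EventBridge rule pattern forwarding only High findings (>= 7.0) to the automation target.
# Numeric matching on a detail field is a standard EventBridge pattern feature.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7.0]}]},
}

def classify_severity(severity):
    """Return (tier label, response action) for a GuardDuty severity value."""
    for low, high, label, action in SEVERITY_TIERS:
        if low <= severity <= high:
            return label, action
    return "Unclassified", "review-manually"

def triage_finding(event):
    """Read the GuardDuty finding out of its EventBridge envelope and decide the response."""
    detail = event["detail"]                 # the finding JSON lives under "detail"
    label, action = classify_severity(float(detail["severity"]))
    return {
        "finding_id": detail["id"],
        "type": detail["type"],
        "category": detail["type"].split(":")[0],   # ThreatPurpose prefix, e.g. UnauthorizedAccess
        "account": detail["accountId"],
        "tier": label,
        "action": action,
    }

def lambda_handler(event, context):
    result = triage_finding(event)
    print(json.dumps(result))                # lands in CloudWatch Logs for the Lambda
    return result

# Constructed sample event (not a real finding) in the shape GuardDuty emits to EventBridge.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id-0000",
        "accountId": "111122223333",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 7.5,
    },
}
```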
Multi-Account
- Administrator account: manages member accounts (designated as delegated administrator through AWS Organizations)
- Findings from all members visible in administrator account
- Auto-enable for new accounts in Organization
- Trusted IP lists: suppress findings from known IPs