🃏 Detection & Response Flashcards

Test your knowledge of GuardDuty, Security Hub, CloudTrail, incident response, and automated remediation.


All Detection & Response Flashcards

1

Q: What data sources does GuardDuty analyze?

A: Three foundational sources that GuardDuty reads on its own: CloudTrail management events, VPC Flow Logs, and DNS query logs (from the default VPC resolver). You do not have to create a trail, enable flow logs, or turn on query logging; GuardDuty consumes independent copies of these streams. Additional sources are protection plans you switch on inside GuardDuty: S3 data events (S3 Protection), EKS audit logs (EKS Protection), Lambda network activity (Lambda Protection), RDS login activity (RDS Protection), plus Malware Protection and Runtime Monitoring.

2

Q: What is ASFF (AWS Security Finding Format)?

A: The JSON schema Security Hub uses for every finding. Integrated AWS services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Config, Firewall Manager, etc.) and partner products normalize their findings into ASFF, and you can submit your own with BatchImportFindings. Key fields: SchemaVersion, Id, ProductArn, GeneratorId, AwsAccountId, Severity, Types, Resources, Workflow.

3

Q: How do you automate GuardDuty finding response?

A: GuardDuty publishes every finding to EventBridge (source aws.guardduty, detail-type "GuardDuty Finding"). An EventBridge rule filters on detail.type and/or detail.severity and targets Lambda or Step Functions for containment, with SNS for notification. Example: attach a quarantine security group to an EC2 instance on a high-severity finding. GuardDuty re-emits recurring findings (every 6 hours by default), so make the remediation idempotent.

4

Q: What is CloudTrail log file validation?

A: When enabled on a trail, CloudTrail delivers an hourly digest file listing every log file delivered in that hour with its SHA-256 hash. CloudTrail signs each digest with its private key, and every digest carries the hash and signature of the previous digest, so the digests form a chain. Re-hashing the stored log files and walking the chain tells you whether a log file was modified or deleted after delivery. Run aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>; it reads the bucket and fetches the CloudTrail public keys (ListPublicKeys) to verify the signatures.
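The hash-level part of what validate-logs does, as an added example (not from the flashcards or from AWS tooling): hash every log file a digest names, compare against the digest, and check the link to the previous digest. The digest document, log files, S3 keys and account id are constructed for the example; signature verification against the CloudTrail public key is omitted.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records):
    """Gzipped CloudTrail-style log file ({"Records": [...]}) for the sample store."""
    return gzip.compress(json.dumps({"Records": records}, separators=(",", ":")).encode())


def verify_digest(digest, log_store, previous_digest_bytes=None):
    """Hash-level checks validate-logs performs on one digest.

    digest: the parsed hourly digest document.
    log_store: {S3 key: gzipped log bytes}, standing in for the trail bucket.
    previous_digest_bytes: uncompressed content of the previous digest file.
    Returns a list of problems; an empty list means everything referenced is intact.
    """
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = log_store.get(key)
        if blob is None:
            problems.append(f"missing log file: {key}")
        # The digest records the SHA-256 of the uncompressed log content.
        elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
            problems.append(f"hash mismatch: {key}")
    # Digests chain: each one carries the hash of the previous digest, so
    # deleting or editing an earlier digest (or its hour of logs) breaks the link.
    if digest.get("previousDigestS3Object"):
        if previous_digest_bytes is None:
            problems.append(f"missing previous digest: {digest['previousDigestS3Object']}")
        elif sha256_hex(previous_digest_bytes) != digest["previousDigestHashValue"]:
            problems.append("previous digest hash mismatch")
    return problems


# ---- constructed sample data (not real trail output) ----------------------
LOG_PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
DIGEST_PREFIX = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/05/01/"
KEY_A, KEY_B = LOG_PREFIX + "log-a.json.gz", LOG_PREFIX + "log-b.json.gz"
LOG_STORE = {
    KEY_A: make_log_file([{"eventName": "ConsoleLogin", "eventTime": "2024-05-01T10:01:00Z"}]),
    KEY_B: make_log_file([{"eventName": "CreateUser", "eventTime": "2024-05-01T10:30:00Z"}]),
}
PREVIOUS_DIGEST = b'{"digestEndTime":"2024-05-01T10:00:00Z","logFiles":[]}'
DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2024-05-01T10:00:00Z",
    "digestEndTime": "2024-05-01T11:00:00Z",
    "previousDigestS3Object": DIGEST_PREFIX + "digest-1000.json.gz",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [
        {"s3Object": key, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(gzip.decompress(blob))}
        for key, blob in LOG_STORE.items()
    ],
}


def demo():
    """Intact store passes; a rewritten record and a deleted file are both caught."""
    intact = verify_digest(DIGEST, LOG_STORE, PREVIOUS_DIGEST)
    edited = dict(LOG_STORE)
    edited[KEY_B] = make_log_file([{"eventName": "DescribeInstances"}])  # attacker rewrote the log
    modified = verify_digest(DIGEST, edited, PREVIOUS_DIGEST)
    deleted = verify_digest(DIGEST, {KEY_A: LOG_STORE[KEY_A]}, PREVIOUS_DIGEST)
    return intact, modified, deleted


if __name__ == "__main__":
    print(demo())
```

The hashes only prove integrity if the digest itself is trusted, which is why CloudTrail signs it: an attacker with write access to the bucket could rewrite both the log and the digest, but not forge the RSA signature that validate-logs checks with CloudTrail's published public key.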

5

Q: What is the difference between GuardDuty and Detective?

A: GuardDuty detects threats and emits findings. Detective investigates them: it ingests CloudTrail, VPC Flow Logs, EKS audit logs and GuardDuty findings into a behavior graph so you can pivot across entities (IAM user, role, IP address, instance) and see who did what, when, and how it deviates from that entity's baseline. Detective requires GuardDuty to have been enabled for at least 48 hours before you can turn it on.

6

Q: How do you forensically investigate a compromised EC2?

A: 1. Tag the instance and enable termination protection so nobody removes it mid-investigation. 2. Take it out of service (deregister from load balancers, detach from Auto Scaling) and isolate it by replacing its security groups with a quarantine group that has no inbound rules; if you will capture memory through SSM, the quarantine group must still allow egress to the SSM endpoints (ideally VPC endpoints). 3. Snapshot every attached EBS volume. 4. Capture memory while the instance is still running (SSM Run Command with a memory acquisition tool); stopping it first loses volatile evidence. 5. Preserve metadata: describe-instances output, console output and screenshot, the role attached to the instance profile. 6. Keep the isolated instance for analysis, or terminate it once the snapshots and memory image are secured.
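The automation from card 3 and the first containment steps from card 6 in one piece of code, as an added example (not from the flashcards or any AWS sample): an EventBridge pattern for high-severity GuardDuty findings and a Lambda that tags, protects, isolates and snapshots the instance named in the finding. The pattern, the quarantine security group id, the sample finding and the FakeEC2 stand-in are constructed for this example; the instance-attribute, tag and snapshot calls are the real boto3 EC2 client methods.

```python
import datetime
import os

# EventBridge rule pattern: GuardDuty findings with severity >= 7 (GuardDuty "High").
# Constructed for this example; attach it to a rule whose target is the Lambda below.
GUARDDUTY_HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
SEVERITY_THRESHOLD = 7.0
# Quarantine security group with no inbound or outbound rules. Assumed id.
ISOLATION_SG_ID = os.environ.get("ISOLATION_SG_ID", "sg-0123456789abcdef0")


def extract_instance_id(event):
    """Instance id from a GuardDuty finding event, or None for non-EC2 findings."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def should_contain(event, threshold=SEVERITY_THRESHOLD):
    """Re-check severity in the function so a test event or a second rule cannot
    trigger containment of a low-severity finding."""
    severity = float(event.get("detail", {}).get("severity", 0))
    return severity >= threshold and extract_instance_id(event) is not None


def contain_instance(ec2, instance_id, finding_id, now=None):
    """Tag, protect, isolate and snapshot. `ec2` is a boto3 EC2 client or any
    object with the same method names, so the flow can be exercised offline."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    # 1. Tag: mark the instance so nobody cleans it up mid-investigation.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "Quarantined"},
        {"Key": "GuardDutyFindingId", "Value": finding_id},
        {"Key": "QuarantinedAt", "Value": stamp},
    ])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    # 2. Isolate: swap every security group for the quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG_ID])
    # 3. Snapshot every attached EBS volume before the disk changes further.
    snapshot_ids = []
    for reservation in ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]:
        for inst in reservation["Instances"]:
            for mapping in inst.get("BlockDeviceMappings", []):
                snap = ec2.create_snapshot(
                    VolumeId=mapping["Ebs"]["VolumeId"],
                    Description=f"forensic {instance_id} {finding_id} {stamp}",
                    TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                        {"Key": "GuardDutyFindingId", "Value": finding_id}]}],
                )
                snapshot_ids.append(snap["SnapshotId"])
    return {"instance_id": instance_id, "snapshots": snapshot_ids}


def lambda_handler(event, context=None, ec2=None):
    """Lambda entry point; boto3 is imported lazily so the module loads without it."""
    if not should_contain(event):
        return {"action": "ignored"}
    if ec2 is None:
        import boto3  # present in the Lambda runtime
        ec2 = boto3.client("ec2")
    result = contain_instance(ec2, extract_instance_id(event), event["detail"]["id"])
    result["action"] = "contained"
    return result


class FakeEC2:
    """Records calls instead of touching AWS; constructed for offline runs."""
    def __init__(self, volumes):
        self.volumes, self.calls, self.n = volumes, [], 0
    def create_tags(self, **kw): self.calls.append(("create_tags", kw))
    def modify_instance_attribute(self, **kw): self.calls.append(("modify_instance_attribute", kw))
    def describe_instances(self, **kw):
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings":
                [{"Ebs": {"VolumeId": v}} for v in self.volumes]}]}]}
    def create_snapshot(self, **kw):
        self.n += 1
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": f"snap-{self.n:017x}"}


# Constructed GuardDuty event in the shape EventBridge delivers.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-0001", "severity": 8,
               "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc123def4567890"}}},
}

if __name__ == "__main__":
    fake = FakeEC2(["vol-0aaa", "vol-0bbb"])
    print(lambda_handler(SAMPLE_EVENT, ec2=fake))
```

The Lambda's execution role needs only ec2:CreateTags, ec2:ModifyInstanceAttribute, ec2:DescribeInstances and ec2:CreateSnapshot; keep memory capture and ASG/ELB detachment as separate steps (or a Step Functions state machine) so a failure in one does not undo the isolation.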

7

Q: What is Security Hub cross-region aggregation?

A: You designate one aggregation Region that receives a copy of findings, finding updates, insights and control status from the linked Regions (aws securityhub create-finding-aggregator --region-linking-mode ALL_REGIONS, or a specified list). This gives a single-pane view of security posture across Regions; findings are still stored in the Region where they originated, and updates replicate in both directions.

8

Q: How do you detect credential compromise?

A: GuardDuty finding types such as UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS (EC2 instance-profile credentials used from an IP outside AWS) and .InsideAWS (used from another AWS account), plus the anomaly-based CredentialAccess:IAMUser/AnomalousBehavior and Discovery:IAMUser/AnomalousBehavior. In CloudTrail: API calls from a source IP, user agent or Region the principal has never used, bursts of read-only discovery calls (List*, Describe*, GetCallerIdentity), and credential use that does not fit the credential's owner; for instance-profile sessions the role session name is the instance ID, so a call from outside your own egress addresses stands out.
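The CloudTrail side of that card as detection logic over sample records, as an added example (not part of the flashcards): a baseline of Regions and source IPs per credential, a new-Region and new-IP rule for IAM user keys, and a rule that flags instance-profile sessions used from outside the account's known egress addresses, which is the signal behind InstanceCredentialExfiltration.OutsideAWS. The records, account id, role, access keys and egress ranges are constructed; only the CloudTrail fields the rules read are present.

```python
import ipaddress
from collections import defaultdict

# Assumed: the account's legitimate egress addresses (NAT gateway EIP, office range).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]


def principal_key(rec):
    """Identity to baseline on. Temporary keys change every session, so an
    assumed role is keyed by the issuing role; IAM users by their access key."""
    ident = rec["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("accessKeyId") or ident.get("arn")


def is_instance_role_session(rec):
    """EC2 instance-profile credentials appear as an assumed-role session whose
    session name is the instance id, e.g. .../assumed-role/AppRole/i-0abc..."""
    ident = rec["userIdentity"]
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return ident.get("type") == "AssumedRole" and session.startswith("i-")


def ip_is_known(ip_str):
    """True for the account's own egress addresses and for AWS service callers,
    which CloudTrail logs as a hostname rather than an IP."""
    if ip_str.endswith(".amazonaws.com"):
        return True
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_EGRESS)


def build_baseline(records):
    """Regions and source IPs per credential during a window believed clean."""
    base = defaultdict(lambda: {"regions": set(), "ips": set()})
    for rec in records:
        entry = base[principal_key(rec)]
        entry["regions"].add(rec["awsRegion"])
        entry["ips"].add(rec["sourceIPAddress"])
    return base


def detect(records, baseline):
    """Return (eventID, rule) for records that look like credential misuse."""
    alerts = []
    for rec in records:
        ip = rec["sourceIPAddress"]
        if is_instance_role_session(rec) and not ip_is_known(ip):
            # Instance credentials leaving the box: the signal behind
            # UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
            alerts.append((rec["eventID"], "instance-credential-used-outside-known-egress"))
            continue
        known = baseline.get(principal_key(rec))
        if known is None:
            alerts.append((rec["eventID"], "no-baseline-for-credential"))
        elif rec["awsRegion"] not in known["regions"]:
            alerts.append((rec["eventID"], "new-region"))
        elif ip not in known["ips"] and not ip_is_known(ip):
            alerts.append((rec["eventID"], "new-source-ip"))
    return alerts


# ---- constructed CloudTrail records (only the fields the rules read) ------
ROLE_ARN = "arn:aws:iam::111122223333:role/AppRole"


def user_rec(eid, key, region, ip, name="DescribeInstances"):
    return {"eventID": eid, "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": "arn:aws:iam::111122223333:user/alice"}}


def instance_rec(eid, region, ip, instance="i-0abc123def4567890"):
    return {"eventID": eid, "eventName": "ListBuckets", "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP",
                             "arn": f"arn:aws:sts::111122223333:assumed-role/AppRole/{instance}",
                             "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}}


BASELINE_RECORDS = [
    user_rec("b1", "AKIAEXAMPLE1", "us-east-1", "203.0.113.10"),
    user_rec("b2", "AKIAEXAMPLE1", "us-east-1", "203.0.113.11"),
    instance_rec("b3", "us-east-1", "198.51.100.7"),
]
NEW_RECORDS = [
    user_rec("e1", "AKIAEXAMPLE1", "us-east-1", "203.0.113.12"),   # new IP, but ours
    user_rec("e2", "AKIAEXAMPLE1", "eu-west-3", "203.0.113.12"),   # never-used Region
    user_rec("e3", "AKIAEXAMPLE1", "us-east-1", "192.0.2.44"),     # unknown external IP
    instance_rec("e4", "us-east-1", "192.0.2.44"),                  # instance creds off-box
    instance_rec("e5", "us-east-1", "198.51.100.7"),                # normal NAT egress
    user_rec("e6", "AKIAEXAMPLE9", "us-east-1", "203.0.113.10"),   # key with no history
]

if __name__ == "__main__":
    for alert in detect(NEW_RECORDS, build_baseline(BASELINE_RECORDS)):
        print(alert)
```

In production the baseline comes from Athena over the trail bucket or CloudTrail Lake, and the egress list from your NAT gateway EIPs; GuardDuty's own version of the instance-credential rule compares against all of AWS's IP space rather than your egress addresses, so the two detections complement each other.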

9

Q: What is Config auto-remediation?

A: A Config rule evaluates a resource; when the result is NON_COMPLIANT, the remediation action attached to the rule runs an SSM Automation document (an AWS-managed AWSConfigRemediation-* document or your own) that fixes the resource, e.g. enables encryption, adds tags, or removes an open security group rule. Remediation can be automatic (runs on each non-compliant evaluation, with configurable retries) or manual (you trigger it from the console or with StartRemediationExecution). The Automation runs under a role you specify, so scope that role to the fix.

10

Q: What is Amazon Inspector?

A: Continuous vulnerability scanning, agent-based (SSM Agent) or agentless: EC2 instances for CVEs in OS packages and application dependencies plus network reachability; ECR container images on push and again as new CVEs are published; Lambda functions for vulnerable package dependencies (standard scanning) and optionally for code-level flaws such as injection or hardcoded credentials (code scanning). Findings carry an Inspector risk score and are sent to Security Hub and EventBridge.

More SCS-C02 Flashcard Decks