🕵️ Amazon GuardDuty - SCS-C02 Practice Questions

Study threat detection using VPC Flow Logs, DNS logs, CloudTrail events, S3 data events, EKS audit logs, and Lambda network activity for intelligent security monitoring.

6Questions Available
2Exam Domains

Practice GuardDuty Questions Now

Start a timed practice session focusing on Amazon GuardDuty topics from the SCS-C02 question bank.

Start SCS-C02 Practice Quiz →

SCS-C02 GuardDuty Question Bank (6 Questions)

Browse all 6 practice questions covering Amazon GuardDuty for the SCS-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1Threat Detection and Incident Response

    A security analyst receives a GuardDuty finding that an EC2 instance is communicating with a cryptocurrency mining pool. As part of incident response, the analyst must preserve forensic evidence. Which FIRST step maintains evidence integrity?

    ATerminate the instance immediately
    BIsolate the instance by modifying its security group to block all traffic and take an EBS snapshot
    CCreate an AMI of the instance and terminate it
    DRestore the instance from the last known good backup

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz
  2. Question 2Threat Detection and Incident Response

    An AWS environment has been compromised. GuardDuty raises a finding of type 'UnauthorizedAccess:IAMUser/MaliciousIPCaller'. The IR team wants to immediately prevent the compromised IAM user from making further API calls without deleting the user. Which action should they take first?

    ADelete the IAM user's access keys
    BRotate the IAM user's password
    CAttach an explicit Deny policy to the IAM user to revoke all permissions
    DDisable the IAM user's MFA device

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz
  3. Question 3Threat Detection and Incident Response

    A company wants to centralize security findings from multiple AWS accounts and services (GuardDuty, Inspector, Macie, Config) into a single pane of glass. Which AWS service provides this centralized aggregation?

    AAWS CloudTrail
    BAmazon Detective
    CAWS Security Hub
    DAmazon CloudWatch

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz
  4. Question 4Threat Detection and Incident Response

    A company needs to set up automated remediation when GuardDuty detects a high-severity finding. Which approach is recommended?

    AGuardDuty auto-remediation feature
    BEventBridge rule triggering a Lambda function
    CCloudWatch Alarm with SNS
    DAWS Config auto-remediation

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz
  5. Question 5Threat Detection and Incident Response

    How should automated incident response be implemented for GuardDuty findings?

    AManual review only
    BEventBridge rules triggered by GuardDuty findings invoking Lambda functions for automated remediation (isolate instance, revoke keys)
    CEmail alerts only
    DDisable GuardDuty

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz
  6. Question 6Threat Detection and Incident Response

    What are Amazon GuardDuty finding types?

    AOnly one type
    BRecon (port scan, API enumeration), Backdoor (C&C, cryptocurrency), Trojan (DDoS, data exfiltration), Stealth (CloudTrail disabled, log tampering), and UnauthorizedAccess (brute force, credential theft)
    COnly network findings
    DOnly API findings

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SCS-C02 Quiz

Key GuardDuty Concepts for SCS-C02

guarddutythreat detectionfindingdetectormalwaredns exfiltrationcryptocurrency mining

SCS-C02 GuardDuty Exam Tips

Amazon GuardDuty questions in SCS-C02 are typically scenario-based. Focus on threat detection, preventive controls, encryption strategy, and security governance. Priority concepts: guardduty, threat detection, finding, detector, malware, dns exfiltration.

What SCS-C02 Expects

  • Anchor your answer in choose layered security controls with clear detection and response pathways.
  • GuardDuty scenarios for SCS-C02 are frequently mapped to Domain 4 (16%), Domain 5 (18%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where GuardDuty interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Specialty) and vendor best practices.

High-Value GuardDuty Concepts

  • Know the core GuardDuty building blocks cold: guardduty, threat detection, finding, detector.
  • Review the edge-case features and limits for malware, dns exfiltration; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how GuardDuty pairs with Security Hub, Detective, Incident Response in real deployment patterns.
  • For SCS-C02, explain why the chosen GuardDuty design meets reliability, security, and cost expectations better than the alternatives.

Common SCS-C02 Traps

  • Watch for relying on one control where defense-in-depth is expected.
  • Questions in Identity & Access Management often include distractors that look correct for GuardDuty but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two GuardDuty implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Identity & Access Management (16%) outcomes for SCS-C02?
  • Can you explain security and access boundaries for GuardDuty without relying on default-open assumptions?
  • Can you describe how GuardDuty integrates with Security Hub and Detective during failure, scaling, and monitoring events?

Exam Domains Covering GuardDuty

Domain 4Identity & Access Management16%Domain 5Data Protection18%

Related Resources

🎯 Free SCS-C02 Mock Exam Security Hub Questions Detective Questions Incident Response Questions

More SCS-C02 Study Resources

← SCS-C02 Study Hub30-Day Study PlanFull Practice Exam