Amazon Exam SCS-C02 Topic 1 Question 26 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 26
Topic #: 1

A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.

A security engineer must determine if the credentials were used to access the company's resources from an external account.

Which solution will provide this information?


Contribute your Thoughts:

Owen
3 months ago
I'm voting for option D, just to keep things interesting. What could go wrong with checking CloudWatch logs, right? *nervous laughter*
upvoted 0 times
Ligia
1 month ago
I'm going with option D. CloudWatch logs might provide the information we need. Let's see how it goes.
upvoted 0 times
...
Tamie
1 month ago
I agree with Tamie. CloudTrail logs are more reliable for this type of investigation.
upvoted 0 times
...
Nancey
2 months ago
I think option C is the best choice. We should review CloudTrail logs for GetSessionToken API calls.
upvoted 0 times
...
...
Howard
3 months ago
Ah, the classic 'which log should I check' dilemma. I'm going with C. Who needs fancy security tools when you've got good old-fashioned CloudTrail?
upvoted 0 times
...
Vivienne
3 months ago
Let's not overthink this. The CloudTrail logs are where it's at. If the credentials were used, the GetSessionToken calls will be right there.
upvoted 0 times
Hana
1 month ago
Let's check those logs then.
upvoted 0 times
...
Marsha
1 month ago
Exactly, no need to overthink it.
upvoted 0 times
...
Lenna
1 month ago
Got it, CloudTrail logs it is.
upvoted 0 times
...
Maile
2 months ago
C) Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
upvoted 0 times
...
...
Tamekia
3 months ago
Hmm, I'm not sure. GuardDuty might be a good place to start, but the Audit Manager reports could also have the info we need. I'd check both just to be thorough.
upvoted 0 times
Casie
2 months ago
Yeah, but we should also review the Audit Manager reports just to cover all bases.
upvoted 0 times
...
Fidelia
2 months ago
I think checking GuardDuty findings is a good idea.
upvoted 0 times
...
...
Zack
3 months ago
That's a good point, maybe both C and A could be the right answers.
upvoted 0 times
...
Rodney
3 months ago
But wouldn't reviewing GuardDuty findings also help in identifying the events?
upvoted 0 times
...
Felix
3 months ago
I agree with Zack, reviewing CloudTrail logs for GetSessionToken API calls makes sense.
upvoted 0 times
...
Zack
4 months ago
I think the answer is C.
upvoted 0 times
...
Almeta
4 months ago
I think option C is the way to go. Reviewing the CloudTrail logs for GetSessionToken API calls from outside accounts is the most direct way to find the evidence we need.
upvoted 0 times
Johnson
2 months ago
True, but I still think reviewing CloudTrail logs for external API calls is the most direct approach.
upvoted 0 times
...
Vicky
2 months ago
That's a good point, GuardDuty findings could also provide valuable information.
upvoted 0 times
...
Chaya
3 months ago
But what about checking GuardDuty findings for InstanceCredentialExfiltration events?
upvoted 0 times
...
Tyisha
3 months ago
I agree, reviewing CloudTrail logs for GetSessionToken API calls from external accounts is crucial.
upvoted 0 times
...
...
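
Added example (not part of any comment above, and not from the exam material): a triage of the GuardDuty InstanceCredentialExfiltration findings raised in the thread, showing how the remote account recorded in a finding separates use from an external account from use inside the company's own accounts. The findings are constructed in the shape of GuardDuty GetFindings output; the account IDs, role names, IP addresses and the helper names _finding and triage are assumptions made for illustration.

```python
# Added example: triage GuardDuty findings for instance-role credentials
# that were used away from the EC2 instance they were issued to.
PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration."

def _finding(kind, role, api, remote_account=None, affiliated=False,
             ip="198.51.100.7"):
    """Build a constructed finding holding only the fields triage() reads."""
    call = {"Api": api, "RemoteIpDetails": {"IpAddressV4": ip}}
    if remote_account:
        call["RemoteAccountDetails"] = {"AccountId": remote_account,
                                        "Affiliated": affiliated}
    return {"Type": kind, "AccountId": "111111111111",
            "Resource": {"AccessKeyDetails": {"UserName": role}},
            "Service": {"Action": {"AwsApiCallAction": call}}}

# Constructed sample data (placeholder account IDs and documentation IPs).
SAMPLE_FINDINGS = [
    _finding(PREFIX + "InsideAWS", "app-role", "ListBuckets", "999999999999"),
    _finding(PREFIX + "InsideAWS", "ci-role", "DescribeInstances",
             "222222222222", affiliated=True),
    _finding(PREFIX + "OutsideAWS", "app-role", "GetObject", ip="203.0.113.20"),
    _finding("Recon:EC2/PortProbeUnprotectedPort", "n/a", "n/a"),
]

def triage(findings, own_accounts):
    """Return one row per credential-exfiltration finding with its origin."""
    rows = []
    for f in findings:
        ftype = f.get("Type", "")
        if not ftype.startswith(PREFIX):
            continue  # unrelated finding type
        call = f.get("Service", {}).get("Action", {}).get("AwsApiCallAction", {})
        remote = call.get("RemoteAccountDetails") or {}
        acct = remote.get("AccountId")
        if acct is None:
            # No remote account recorded: the caller was not inside AWS.
            origin = "outside-aws" if ftype.endswith("OutsideAWS") else "unknown"
        elif acct in own_accounts or remote.get("Affiliated"):
            origin = "own-or-affiliated-account"
        else:
            origin = "external-account"
        rows.append({
            "role": f.get("Resource", {}).get("AccessKeyDetails", {}).get("UserName"),
            "api": call.get("Api"), "origin": origin, "remote_account": acct,
            "source_ip": call.get("RemoteIpDetails", {}).get("IpAddressV4")})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, {"111111111111", "222222222222"}):
        print(row)
```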
