Amazon SCS-C02 Exam - Topic 1 Question 26 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 26
Topic #: 1

A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.

A security engineer must determine if the credentials were used to access the company's resources from an external account.

Which solution will provide this information?


Contribute your Thoughts:

Karina
3 months ago
I disagree, CloudTrail is the way to go here.
upvoted 0 times
...
Thurman
3 months ago
Surprised they didn't mention checking CloudWatch logs too!
upvoted 0 times
...
Lindsey
3 months ago
Audit Manager reports won't show that info, so skip that option.
upvoted 0 times
...
Venita
4 months ago
I think GuardDuty findings are more reliable for this kind of event.
upvoted 0 times
...
Mickie
4 months ago
Definitely check CloudTrail logs for those GetSessionToken calls.
upvoted 0 times
...
Gilma
4 months ago
I feel like the Audit Manager reports might not be as useful for this specific incident, but I could be wrong. It’s hard to remember all the details!
upvoted 0 times
...
Maile
4 months ago
I’m a bit confused about whether CloudWatch logs would provide the same insights as CloudTrail. I think I need to double-check that.
upvoted 0 times
...
Gwenn
4 months ago
I remember practicing with CloudTrail logs for similar questions, and I feel like reviewing those for GetSessionToken calls could be the right approach here.
upvoted 0 times
...
Douglass
5 months ago
I think we might need to look at the GuardDuty findings, but I'm not entirely sure if that's the best option for tracking credential exfiltration.
upvoted 0 times
...
Glory
5 months ago
I've got a good feeling about this one. Reviewing the CloudWatch logs for those GetSessionToken API calls from outside the company seems like the most direct way to find the information we need.
upvoted 0 times
...
Maile
5 months ago
Okay, I see. The question is asking about determining if the credentials were used from an external account. I'll check the CloudTrail logs for any suspicious GetSessionToken API calls.
upvoted 0 times
...
Sharee
5 months ago
Hmm, I think the key is to focus on the InstanceCredentialExfiltration events mentioned in the question. I'll start by reviewing the GuardDuty findings.
upvoted 0 times
...
Margarett
5 months ago
This looks like a tricky one. I'll need to carefully review the different AWS services and logs to determine the best approach.
upvoted 0 times
...
Rory
5 months ago
I'm a bit confused by all the different AWS services involved here. I'll need to make sure I understand how they work together to identify the potential credential exfiltration.
upvoted 0 times
...
Brandee
5 months ago
I'm a bit unsure about this one. I'll need to review my notes on the different components that make up a Marketing Cloud Personalization web campaign.
upvoted 0 times
...
Owen
1 year ago
I'm voting for option D, just to keep things interesting. What could go wrong with checking CloudWatch logs, right? *nervous laughter*
upvoted 0 times
Ligia
1 year ago
I'm going with option D. CloudWatch logs might provide the information we need. Let's see how it goes.
upvoted 0 times
...
Tamie
1 year ago
I agree with Tamie. CloudTrail logs are more reliable for this type of investigation.
upvoted 0 times
...
Nancey
1 year ago
I think option C is the best choice. We should review CloudTrail logs for GetSessionToken API calls.
upvoted 0 times
...
...
Howard
1 year ago
Ah, the classic 'which log should I check' dilemma. I'm going with C. Who needs fancy security tools when you've got good old-fashioned CloudTrail?
upvoted 0 times
...
Vivienne
1 year ago
Let's not overthink this. The CloudTrail logs are where it's at. If the credentials were used, the GetSessionToken calls will be right there.
upvoted 0 times
Hana
1 year ago
Let's check those logs then.
upvoted 0 times
...
Marsha
1 year ago
Exactly, no need to overthink it.
upvoted 0 times
...
Lenna
1 year ago
Got it, CloudTrail logs it is.
upvoted 0 times
...
Maile
1 year ago
C) Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
upvoted 0 times
...
...
Tamekia
1 year ago
Hmm, I'm not sure. GuardDuty might be a good place to start, but the Audit Manager reports could also have the info we need. I'd check both just to be thorough.
upvoted 0 times
Casie
1 year ago
Yeah, but we should also review the Audit Manager reports just to cover all bases.
upvoted 0 times
...
Fidelia
1 year ago
I think checking GuardDuty findings is a good idea.
upvoted 0 times
...
...
Zack
1 year ago
That's a good point, maybe both C and A could be the right answers.
upvoted 0 times
...
Rodney
1 year ago
But wouldn't reviewing GuardDuty findings also help in identifying the events?
upvoted 0 times
...
Felix
1 year ago
I agree with Zack, reviewing CloudTrail logs for GetSessionToken API calls makes sense.
upvoted 0 times
...
Zack
2 years ago
I think the answer is C.
upvoted 0 times
...
Almeta
2 years ago
I think option C is the way to go. Reviewing the CloudTrail logs for GetSessionToken API calls from outside accounts is the most direct way to find the evidence we need.
upvoted 0 times
Johnson
1 year ago
True, but I still think reviewing CloudTrail logs for external API calls is the most direct approach.
upvoted 0 times
...
Vicky
1 year ago
That's a good point, GuardDuty findings could also provide valuable information.
upvoted 0 times
...
Chaya
1 year ago
But what about checking GuardDuty findings for InstanceCredentialExfiltration events?
upvoted 0 times
...
Tyisha
1 year ago
I agree, reviewing CloudTrail logs for GetSessionToken API calls from external accounts is crucial.
upvoted 0 times
...
...
