A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator. A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.
Which solution will meet these requirements?
A credential stuffing attack at the ALB is a Layer 7 problem and is best mitigated with AWS WAF. The attacker is distributed across many IPs, so blocking by IP in a security group (Option B) is ineffective and operationally heavy. A CloudWatch alarm (Option A) only alerts; it does not block or mitigate requests.
Because the malicious traffic uses a distinctive, known User-Agent string associated with a mobile device emulator, AWS WAF can quickly reduce the attack by inspecting the User-Agent header and blocking matching requests. This approach is targeted: it blocks the identified automated attack pattern while allowing legitimate users who do not present that emulator User-Agent to continue logging in. The WAF rule can be deployed immediately on the web ACL already associated with the ALB and can be further refined (for example, applied only to /login paths, combined with rate-based rules, or integrated with Bot Control) to minimize false positives.
Option D is risky because "allow only legitimate user agents" is brittle: user agents are diverse and change frequently, and a strict allow-list can accidentally block real users. Therefore, a WAF custom block rule for the known malicious User-Agent string is the correct solution.
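The following is an added example (not from the question bank or from AWS): it builds the wafv2 rule JSON for a custom block rule on the emulator User-Agent, scoped to the login path as suggested above, and includes a small offline evaluator that applies the same ByteMatch semantics to constructed sample requests so the rule can be sanity-checked before it is added to the web ACL. EMULATOR_UA_SUBSTRING and LOGIN_PATH are placeholders; substitute the exact emulator string seen in the ALB access logs and the application's real login route.

```python
"""AWS WAF (wafv2) rule that blocks the emulator User-Agent only on the login
path, plus an offline evaluator for the ByteMatch/And/Or/Not statement subset.

Added example, not from the page or AWS. EMULATOR_UA_SUBSTRING and LOGIN_PATH
are constructed placeholders.
"""
from typing import Dict

EMULATOR_UA_SUBSTRING = "EmulatorBot/1.0"   # constructed placeholder, not a real signature
LOGIN_PATH = "/login"                        # assumed login route


def build_block_rule(ua_substring: str = EMULATOR_UA_SUBSTRING, priority: int = 0) -> Dict:
    """One entry for the Rules[] list of wafv2 CreateWebACL / UpdateWebACL."""
    return {
        "Name": "BlockEmulatorUserAgentOnLogin",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"AndStatement": {"Statements": [
            {   # the known emulator User-Agent, compared case-insensitively
                "ByteMatchStatement": {
                    "SearchString": ua_substring.lower().encode(),
                    "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    "PositionalConstraint": "CONTAINS",
                }
            },
            {   # scoped to the login route so the rest of the site is unaffected
                "ByteMatchStatement": {
                    "SearchString": LOGIN_PATH.encode(),
                    "FieldToMatch": {"UriPath": {}},
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    "PositionalConstraint": "STARTS_WITH",
                }
            },
        ]}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,      # keep samples for false-positive review
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockEmulatorUserAgentOnLogin",
        },
    }


def _field_value(field: Dict, headers: Dict[str, str], path: str) -> str:
    """Resolve FieldToMatch against a request; header names are case-insensitive."""
    if "SingleHeader" in field:
        wanted = field["SingleHeader"]["Name"].lower()
        return next((v for k, v in headers.items() if k.lower() == wanted), "")
    if "UriPath" in field:
        return path
    raise ValueError(f"unsupported FieldToMatch: {field}")


def _transform(value: str, transformations) -> str:
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise ValueError(f"unsupported transformation: {t['Type']}")
    return value


def _byte_match(stmt: Dict, headers: Dict[str, str], path: str) -> bool:
    value = _transform(_field_value(stmt["FieldToMatch"], headers, path),
                       stmt["TextTransformations"]).encode()
    needle, constraint = stmt["SearchString"], stmt["PositionalConstraint"]
    checks = {
        "CONTAINS": lambda: needle in value,
        "STARTS_WITH": lambda: value.startswith(needle),
        "ENDS_WITH": lambda: value.endswith(needle),
        "EXACTLY": lambda: value == needle,
    }
    return checks[constraint]()


def statement_matches(stmt: Dict, headers: Dict[str, str], path: str) -> bool:
    """Evaluate the ByteMatch/And/Or/Not subset of the WAF statement language."""
    if "ByteMatchStatement" in stmt:
        return _byte_match(stmt["ByteMatchStatement"], headers, path)
    if "AndStatement" in stmt:
        return all(statement_matches(s, headers, path) for s in stmt["AndStatement"]["Statements"])
    if "OrStatement" in stmt:
        return any(statement_matches(s, headers, path) for s in stmt["OrStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not statement_matches(stmt["NotStatement"]["Statement"], headers, path)
    raise ValueError(f"unsupported statement: {list(stmt)}")


def rule_blocks(rule: Dict, headers: Dict[str, str], path: str) -> bool:
    """True if this Block rule would match the request."""
    return "Block" in rule["Action"] and statement_matches(rule["Statement"], headers, path)


if __name__ == "__main__":
    rule = build_block_rule()
    # constructed requests: emulator on /login, a real phone on /login, emulator elsewhere
    print(rule_blocks(rule, {"User-Agent": "Mozilla/5.0 EmulatorBot/1.0"}, "/login"))        # True
    print(rule_blocks(rule, {"User-Agent": "Mozilla/5.0 (iPhone) Safari/604.1"}, "/login"))  # False
    print(rule_blocks(rule, {"User-Agent": "EmulatorBot/1.0"}, "/catalog"))                 # False
```

Keeping SampledRequestsEnabled on matters for this rule: the sampled requests are how you confirm the block is hitting only the emulator string and not a legitimate mobile client before tightening the rule further.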
A company's data scientists use Amazon SageMaker with datasets stored in Amazon S3. Data older than 45 days must be removed according to policy.
Which action should enforce this policy?
Amazon S3 Lifecycle rules are the native and most efficient way to enforce data retention policies. AWS Certified Security -- Specialty documentation recommends lifecycle rules over custom automation to reduce operational complexity and failure risk.
Lifecycle rules automatically and reliably delete objects after a specified age, ensuring compliance without additional compute services. Lambda-based solutions increase cost and management overhead. Intelligent-Tiering manages storage cost, not data deletion.
Referenced AWS Specialty Documents:
AWS Certified Security -- Specialty Official Study Guide
Amazon S3 Lifecycle Management
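As an added example (not from the question bank or from AWS), the block below builds the S3 Lifecycle configuration that enforces the 45-day policy described above and adds an offline dry run over a constructed object listing, showing which keys the rule would expire. The prefix, the listing and the reference time are assumptions. The rule also expires noncurrent versions because, on a versioned bucket, Expiration alone only places a delete marker on the current version and the data would outlive the policy.

```python
"""S3 Lifecycle configuration for the 45-day retention policy, plus an offline
dry run listing the objects the Expiration action would remove.

Added example, not from the page or AWS. Prefix, sample listing and reference
time are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def build_lifecycle_configuration(days: int = 45, prefix: str = "datasets/") -> Dict:
    """Value for s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=...)."""
    return {"Rules": [{
        "ID": f"expire-{prefix.strip('/') or 'all-objects'}-after-{days}-days",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Expiration": {"Days": days},                             # current versions / unversioned objects
        "NoncurrentVersionExpiration": {"NoncurrentDays": days},  # older versions on a versioned bucket
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},  # stray upload parts also cost storage
    }]}


def objects_due_for_expiration(listing: List[Tuple[str, datetime]], config: Dict, now: datetime) -> List[str]:
    """Dry run of the Expiration action over a (key, LastModified) listing.

    S3 counts whole days from the object's creation and runs the action at
    00:00 UTC after the threshold, so 'age >= Days' marks an object as due even
    though the actual delete can lag by up to a day."""
    due: List[str] = []
    for key, last_modified in listing:
        for rule in config["Rules"]:
            if rule.get("Status") != "Enabled" or "Expiration" not in rule:
                continue
            if not key.startswith(rule.get("Filter", {}).get("Prefix", "")):
                continue
            if now - last_modified >= timedelta(days=rule["Expiration"]["Days"]):
                due.append(key)
                break
    return due


# Constructed listing; LastModified values are relative to a fixed reference time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    ("datasets/2024-03/train.parquet", NOW - timedelta(days=60)),   # past retention
    ("datasets/2024-05/train.parquet", NOW - timedelta(days=10)),   # still within policy
    ("datasets/2024-04/edge.parquet", NOW - timedelta(days=45)),    # exactly at the threshold
    ("models/old-model.tar", NOW - timedelta(days=90)),             # outside the rule's prefix
]

if __name__ == "__main__":
    config = build_lifecycle_configuration()
    print(objects_due_for_expiration(SAMPLE_LISTING, config, NOW))
    # ['datasets/2024-03/train.parquet', 'datasets/2024-04/edge.parquet']
```

Run the dry run against a real listing (for example the output of list_objects_v2) before applying the configuration; a prefix typo in the Filter silently leaves the data in place, and a rule left in Status Disabled expires nothing.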
A company runs several applications on Amazon Elastic Kubernetes Service (Amazon EKS). The company needs a solution to detect any Kubernetes security risks by monitoring Amazon EKS audit logs in addition to operating system, networking, and file events. The solution must send email alerts for any identified risks to a mailing list that is associated with a security team.
Which solution will meet these requirements?
Option C best meets the requirements because Amazon GuardDuty provides Kubernetes-focused threat detection for Amazon EKS by analyzing EKS control plane audit logs (EKS Protection) and combining that signal with runtime telemetry from the worker nodes (Runtime Monitoring). EKS audit logs capture Kubernetes API activity and authorization decisions, allowing GuardDuty to detect suspicious cluster actions such as unusual API calls, unexpected access patterns, or indicators of compromise within the cluster. Runtime Monitoring extends coverage to operating system/process activity, network connections, and file activity on the nodes, which directly aligns with the need to monitor OS, networking, and file events in addition to audit logs.
For notifications, GuardDuty generates findings that can be delivered through Amazon EventBridge rules. EventBridge can route relevant GuardDuty findings to an Amazon SNS topic, and SNS can send email alerts to the security team by subscribing the team's mailing list to the topic. This approach is fully managed, near real time, and avoids building custom log-parsing pipelines while still providing actionable alerts based on GuardDuty's curated EKS threat detections.
A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company's AWS account.
A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named Isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the Isolate security group.
Which additional step will meet this requirement?
Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security -- Specialty documentation, GuardDuty findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events).
Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.
Option A is incorrect because GuardDuty does not directly invoke Lambda functions. Options B and D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. Cryptocurrency findings are security detections, not configuration changes.
AWS documentation explicitly describes this pattern (GuardDuty finding -> EventBridge rule -> Lambda remediation action) as a best practice for automated threat response and containment.
Referenced AWS Specialty Documents:
AWS Certified Security -- Specialty Official Study Guide
Amazon GuardDuty User Guide -- Findings
Amazon EventBridge User Guide
AWS Incident Response Best Practices
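The two preceding questions both hinge on an EventBridge rule that selects GuardDuty findings: one routes findings to an SNS topic whose email subscribers are the security mailing list, the other routes only CryptoCurrency:EC2/* findings to the isolation Lambda. The block below is an added example (not from the question bank or from AWS) that builds both event patterns and the SNS target, and includes a small offline matcher implementing EventBridge's exact, prefix and numeric matching so each pattern can be checked against constructed sample findings. The topic ARN, the severity threshold and the sample findings are assumptions; the finding type strings are GuardDuty type names used for illustration.

```python
"""EventBridge patterns and target for routing GuardDuty findings, with an
offline matcher for the exact / prefix / numeric subset of pattern matching.

Added example, not from the page or AWS. Sample findings, topic ARN and the
severity threshold are constructed.
"""
import operator
from typing import Any, Dict, List, Optional

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">=": operator.ge, ">": operator.gt}


def guardduty_pattern(type_prefixes: Optional[List[str]] = None,
                      min_severity: Optional[float] = None) -> Dict[str, Any]:
    """EventPattern for events.put_rule(); GuardDuty publishes the finding in event['detail']."""
    detail: Dict[str, Any] = {}
    if type_prefixes:
        detail["type"] = [{"prefix": p} for p in type_prefixes]
    if min_severity is not None:
        detail["severity"] = [{"numeric": [">=", min_severity]}]
    pattern: Dict[str, Any] = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
    if detail:
        pattern["detail"] = detail
    return pattern


def sns_email_target(topic_arn: str, target_id: str = "security-mailing-list") -> Dict[str, Any]:
    """Target for events.put_targets(); the transformer turns the raw JSON finding into a readable line."""
    return {
        "Id": target_id,
        "Arn": topic_arn,
        "InputTransformer": {
            "InputPathsMap": {"sev": "$.detail.severity", "type": "$.detail.type",
                              "acct": "$.account", "region": "$.region", "title": "$.detail.title"},
            "InputTemplate": '"GuardDuty severity <sev> <type> in <acct>/<region>: <title>"',
        },
    }


def _numeric_ok(value: float, spec: List[Any]) -> bool:
    """spec alternates operator and bound, e.g. [">=", 4] or [">", 0, "<=", 5]."""
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _leaf_matches(actual: Any, rules: List[Any]) -> bool:
    """A leaf list is OR'ed: literal values, {"prefix": ...} or {"numeric": [...]}."""
    for rule in rules:
        if isinstance(rule, dict):
            if "prefix" in rule and isinstance(actual, str) and actual.startswith(rule["prefix"]):
                return True
            if "numeric" in rule and isinstance(actual, (int, float)) and _numeric_ok(actual, rule["numeric"]):
                return True
        elif actual == rule:
            return True
    return False


def event_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every key in the pattern must be present in the event and match (AND across keys)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif not _leaf_matches(event[key], expected):
            return False
    return True


# Constructed sample findings in the envelope EventBridge delivers.
SAMPLE_CRYPTO_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111111111111", "region": "us-east-1",
    "detail": {"id": "finding-constructed-1", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "severity": 8, "title": "constructed title",
               "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123"}}},
}
SAMPLE_EKS_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111111111111", "region": "us-east-1",
    "detail": {"id": "finding-constructed-2", "type": "Policy:Kubernetes/AnonymousAccessGranted",
               "severity": 5, "title": "constructed title",
               "resource": {"resourceType": "EKSCluster"}},
}

CRYPTO_TO_LAMBDA = guardduty_pattern(type_prefixes=["CryptoCurrency:EC2/"])
ALERTS_TO_SNS = guardduty_pattern(min_severity=4)   # threshold is an assumed policy choice

if __name__ == "__main__":
    for name, finding in [("crypto", SAMPLE_CRYPTO_FINDING), ("eks", SAMPLE_EKS_FINDING)]:
        print(name, "-> lambda:", event_matches(CRYPTO_TO_LAMBDA, finding),
              "| sns:", event_matches(ALERTS_TO_SNS, finding))
```

The prefix match on detail.type is what keeps the isolation rule narrow: a pattern that matched all GuardDuty findings would hand every finding, including ones with no EC2 instance in the resource block, to a Lambda that expects an instance ID.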
A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.
Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)
Before beginning an investigation, incident response best practice is to preserve evidence, prevent accidental loss of the asset, and clearly mark and control the potentially affected resource. Enabling termination protection (Option B) helps ensure the instance is not accidentally terminated during triage, which would destroy volatile evidence and complicate forensics and recovery.
Taking EBS snapshots of all attached data volumes (Option C) preserves a point-in-time copy of disk evidence for later forensic analysis, malware scanning, or offline investigation. Snapshots allow responders to create forensic volumes or AMIs in an isolated environment without repeatedly touching the potentially compromised instance.
Capturing instance metadata and tagging the instance as under quarantine (Option E) supports both investigation and operational control. Metadata capture (instance ID, IAM role, network interfaces, security groups, user data, tags, recent changes) provides context for responders. Quarantine tagging enables automated workflows (for example, incident runbooks that isolate the instance, restrict IAM, or move it to a quarantine security group) and signals to other teams and tools that the instance is under investigation.
Option A is the opposite of what you want. Option D destroys evidence. Option F is not an appropriate "before investigation" step; altering metadata risks losing evidence and is not the primary containment approach.
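The block below is an added example (not from the question bank or from AWS) that turns the EC2-side actions from the two preceding questions into code: the Lambda action that swaps an instance from ProdFleet into the Isolate security group, and the pre-investigation steps of enabling termination protection, snapshotting every attached EBS volume, capturing the instance metadata and tagging the instance as quarantined. The EC2 client is injected so the logic runs offline against the FakeEC2 stub included here; in Lambda you would pass boto3.client("ec2"). Security-group IDs, instance IDs, the tag scheme and the stub's responses are constructed.

```python
"""EC2 containment and evidence-preservation actions for a GuardDuty-driven
response. Added example, not the page's code; client is injected so the
functions can be exercised offline with the FakeEC2 stub below.
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

QUARANTINE_TAG = {"Key": "SecurityStatus", "Value": "quarantine"}   # assumed tag scheme


def isolate_instance(ec2, instance_id: str, prod_sg_id: str, isolate_sg_id: str) -> List[str]:
    """Replace ProdFleet with Isolate (no outbound rules) on the instance.

    Assumes a single primary ENI; instances with several network interfaces
    need modify_network_interface_attribute on each interface instead."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    groups = [g["GroupId"] for g in inst["SecurityGroups"] if g["GroupId"] != prod_sg_id]
    if isolate_sg_id not in groups:
        groups.append(isolate_sg_id)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=groups)
    return groups


def preserve_evidence(ec2, instance_id: str, case_id: str) -> Dict[str, Any]:
    """Steps to take before investigating: protect, snapshot, record, tag."""
    # 1. Termination protection so triage cannot accidentally destroy the host.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 2. Point-in-time copies of every attached EBS volume, tagged to the case.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshot_ids: List[str] = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"{case_id} forensic copy of {volume_id} from {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "CaseId", "Value": case_id}, QUARANTINE_TAG]}],
        )
        snapshot_ids.append(snap["SnapshotId"])
    # 3. Metadata capture: keep the raw describe_instances record verbatim, with a timestamp.
    metadata = {"captured_at": datetime.now(timezone.utc).isoformat(), "instance": inst}
    # 4. Mark the instance so people and automation know it is under investigation.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "CaseId", "Value": case_id}, QUARANTINE_TAG])
    return {"snapshot_ids": snapshot_ids, "metadata_json": json.dumps(metadata, default=str)}


def lambda_handler(event, context):
    """EventBridge target for CryptoCurrency:EC2/* findings; the finding is event['detail']."""
    import boto3  # imported here so the module still runs offline without boto3 installed
    finding = event["detail"]
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    ec2 = boto3.client("ec2")
    groups = isolate_instance(ec2, instance_id, "sg-PRODFLEET-PLACEHOLDER", "sg-ISOLATE-PLACEHOLDER")
    result = preserve_evidence(ec2, instance_id, case_id=finding["id"])
    return {"instance": instance_id, "groups": groups, "snapshots": result["snapshot_ids"]}


class FakeEC2:
    """Minimal offline stand-in for boto3's EC2 client (constructed for this example)."""
    def __init__(self):
        self.calls: List[tuple] = []
        self._snap = 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": "sg-prodfleet"}, {"GroupId": "sg-monitoring"}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                                    {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}}],
        }]}]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def create_snapshot(self, **kw):
        self._snap += 1
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": f"snap-{self._snap:04d}"}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


if __name__ == "__main__":
    ec2 = FakeEC2()
    print(isolate_instance(ec2, "i-0123", "sg-prodfleet", "sg-isolate"))   # ['sg-monitoring', 'sg-isolate']
    print(preserve_evidence(ec2, "i-0123", "CASE-0001")["snapshot_ids"])   # ['snap-0001', 'snap-0002']
```

The order inside preserve_evidence is deliberate: termination protection goes on first, and the snapshots are taken before anything else touches the instance, so the evidence exists even if a later step fails. Note that isolate_instance removes only ProdFleet and keeps any other groups, which matches the question's requirement of blocking outbound traffic without otherwise reconfiguring the host.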