SCS-C02 Question #405: Real Exam Question with Answer & Explanation
Question
An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later. The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future. Which controls should the company implement to achieve this? (Select TWO.)
Options
- A. Enable VPC Flow Logs in all VPCs. Create a scheduled AWS Lambda function that downloads
- B. Use AWS CloudTrail to make a trail, and apply it to all Regions. Specify an Amazon S3 bucket to
- C. Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering
- D. Create a Security Auditor role with permissions to access Amazon CloudWatch Logs in all
- E. Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch
Explanation
Options A and E are correct because they implement detective controls with alerting capabilities - exactly what the question asks for. VPC Flow Logs (A) capture network traffic metadata from all EC2 activity, and a scheduled Lambda function can analyze those logs to flag anomalous behavior like unexpected instance launches. GuardDuty (E) is AWS's purpose-built threat detection service that continuously analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to identify unauthorized API calls (such as EC2 launches from a compromised key), and pairing it with a CloudWatch alarm ensures the security team gets notified immediately when a finding is generated.
Distractors:
- B (CloudTrail trail to S3) provides audit logging but has no built-in alerting mechanism - it records what happened but won't proactively notify anyone.
- C (S3 bucket policy on CloudTrail bucket) is a log-integrity/tampering-prevention control, not a detection or alerting control.
- D (Security Auditor IAM role) grants humans the ability to review logs manually but does nothing to automate detection or generate alerts.
Memory tip: Ask yourself, "Does this control TELL me something is wrong right now?" - VPC Flow Logs + Lambda analysis and GuardDuty + CloudWatch both actively push alerts; the others are passive logging or access-management measures that require someone to go looking.
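To make option A concrete, here is an added example (not code from the exam page or from AWS) of the analysis a scheduled Lambda could run over VPC Flow Log records: it flags traffic from network interfaces that are not in a known baseline, since a new ENI usually means an instance nobody expected, and large accepted egress flows leaving the VPC. The ENI ids, the 10.0.0.0/8 VPC range and the sample records are constructed assumptions.

```python
# Added example, not code from the exam page: a minimal analyzer for VPC Flow
# Log records of the kind a scheduled Lambda (option A) would run. It flags
# records from network interfaces missing from a known baseline (a new ENI
# usually means an unexpected instance launch) and large accepted egress flows
# leaving the VPC. Field order follows the default VPC Flow Logs v2 format.
import ipaddress
from typing import Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed VPC address space

def parse_record(line: str) -> Optional[dict]:
    """Parse one space-separated record; drop NODATA/SKIPDATA placeholders."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def in_vpc(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_NETS)

def find_anomalies(lines, known_enis, egress_threshold=50_000_000):
    """Return (interface_id, reason) tuples for records worth alerting on."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        eni = rec["interface_id"]
        if eni not in known_enis:
            findings.append((eni, "unknown interface (possible unexpected launch)"))
        elif (rec["action"] == "ACCEPT" and in_vpc(rec["srcaddr"])
              and not in_vpc(rec["dstaddr"]) and int(rec["bytes"]) > egress_threshold):
            findings.append((eni, "large egress to an address outside the VPC"))
    return findings

# Constructed sample records: hypothetical ENI ids, RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "2 123456789012 eni-0aaa 10.0.1.10 10.0.2.20 443 49152 6 20 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0bbb 10.0.1.11 198.51.100.7 54321 443 6 10 800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa 10.0.1.10 203.0.113.9 40000 22 6 90000 60000000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa - - - - - - - 1700000000 1700000060 - NODATA",
]
KNOWN_ENIS = {"eni-0aaa"}
```

In a real deployment the findings list would be handed to an alerting target (for example an SNS topic) so the security team is paged, which is the property the question is testing for. Running `find_anomalies(SAMPLE_LOGS, KNOWN_ENIS)` on the constructed records yields two findings: the unknown `eni-0bbb` and the 60 MB egress from `eni-0aaa`.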