SCS-C03 Question #20: Real Exam Question with Answer & Explanation
The correct answer is B.
Question
A company has an AWS account that hosts a production application. The company receives an email notification that Amazon GuardDuty has detected an Impact:IAMUser/AnomalousBehavior finding in the account. A security engineer needs to run the investigation playbook for this security incident and must collect and analyze the information without affecting the application. Which solution will meet these requirements MOST quickly?
Options
- A. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding for
- B. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to
- C. Log in to the AWS account by using administrator credentials. Review the GuardDuty finding for
- D. Log in to the AWS account by using read-only credentials. Review the GuardDuty finding to
Explanation
Amazon GuardDuty findings provide high-level detection of suspicious activity but are not designed for deep investigation on their own. The AWS Certified Security - Specialty material explains that Amazon Detective is purpose-built for rapid investigations: it automatically collects, correlates, and visualizes data from GuardDuty, AWS CloudTrail, and VPC Flow Logs, so a security engineer can analyze API calls, user behavior, and resource interactions in context without changing the environment. Using read-only credentials ensures that the investigation itself cannot affect the production application.

From a GuardDuty finding, Detective lets the investigator pivot directly into a detailed activity graph that shows which IAM user made the anomalous calls, what resources were accessed, and how the behavior deviated from the baseline. This significantly accelerates incident investigation.

Options A and C apply DenyAll policies. Those are containment actions, not investigation steps, and they could affect application availability. Option D relies on manual analysis and setup and is slower than Detective, which is built for immediate investigative workflows. AWS incident response guidance recommends Detective for rapid, non-intrusive analysis after a GuardDuty finding.

Note that Detective must already be enabled in the account when the finding arrives: AWS requires GuardDuty to have been enabled for at least 48 hours before Detective can be turned on, and the behavior graph needs time to accumulate data before deviations from baseline are meaningful. If Detective is not available, the read-only fallback is the finding's own details plus the CloudTrail event history for the affected IAM user and access key.
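As an added example, not code from the original page or from AWS, the following Python script shows the read-only part of the workflow the explanation describes: take the GuardDuty finding, pull out the IAM user and access key it concerns, flag whether the reported API call is state-changing, and build the CloudTrail LookupEvents query for the activity window. The finding is a constructed sample in the shape returned by the guardduty GetFindings API, with placeholder account, detector, key and IP values; the function names and the padding interval are the example's own. The Detective pivot itself is a console action and is not reproduced here.

```python
"""Read-only triage of an Amazon GuardDuty IAMUser finding (added example).

Not code from the original page or from AWS. SAMPLE_FINDING is constructed
in the shape returned by guardduty:GetFindings; every identifier in it is a
placeholder. Nothing here performs a mutating API call.
"""
from datetime import datetime, timedelta

SAMPLE_FINDING = {  # constructed sample, placeholder values
    "SchemaVersion": "2.0",
    "AccountId": "111122223333",
    "Region": "us-east-1",
    "Id": "c0b1f5e2example0000000000000000",
    "Type": "Impact:IAMUser/AnomalousBehavior",
    "Severity": 8,
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "PrincipalId": "AIDAEXAMPLEPRINCIPAL",
            "UserName": "app-deployer",
            "UserType": "IAMUser",
        },
    },
    "Service": {
        "ServiceName": "guardduty",
        "DetectorId": "12abc34d567e8fa901bc2d34e56789f0",
        "Count": 3,
        "EventFirstSeen": "2024-03-02T10:15:00.000Z",
        "EventLastSeen": "2024-03-02T10:42:00.000Z",
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "DeleteBucket",
                "ServiceName": "s3.amazonaws.com",
                "CallerType": "Remote IP",
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"},
            },
        },
    },
}

# API verbs that change state. One of these inside an Impact finding means the
# actor has moved past reconnaissance, which raises the triage priority.
MUTATING_PREFIXES = ("Create", "Put", "Delete", "Update", "Modify",
                     "Terminate", "Attach", "Detach", "Run")


def parse_ts(value):
    """GuardDuty timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_principal(finding):
    """Who the finding is about: the IAM user and the access key it used."""
    details = finding["Resource"]["AccessKeyDetails"]
    return {k: details[k] for k in ("UserName", "AccessKeyId", "PrincipalId", "UserType")}


def investigation_window(finding, pad_minutes=60):
    """CloudTrail range to pull: the finding's activity plus padding on both
    sides so the actor's setup and cleanup calls are not missed."""
    svc = finding["Service"]
    pad = timedelta(minutes=pad_minutes)
    return parse_ts(svc["EventFirstSeen"]) - pad, parse_ts(svc["EventLastSeen"]) + pad


def is_mutating(api_name):
    return api_name.startswith(MUTATING_PREFIXES)


def cloudtrail_lookup_params(finding, pad_minutes=60):
    """Keyword arguments for cloudtrail.lookup_events(). Pivot on the access
    key rather than the user name so only the compromised credential's
    activity comes back (AccessKeyId is a supported LookupAttributes key)."""
    start, end = investigation_window(finding, pad_minutes)
    key_id = finding["Resource"]["AccessKeyDetails"]["AccessKeyId"]
    return {
        "LookupAttributes": [{"AttributeKey": "AccessKeyId", "AttributeValue": key_id}],
        "StartTime": start,
        "EndTime": end,
    }


def triage_summary(finding):
    """The facts an investigator wants before opening Detective."""
    action = finding["Service"]["Action"]["AwsApiCallAction"]
    start, end = investigation_window(finding)
    return {
        "type": finding["Type"],
        "severity": finding["Severity"],
        "principal": extract_principal(finding),
        "api": f'{action["ServiceName"]}:{action["Api"]}',
        "remote_ip": action["RemoteIpDetails"]["IpAddressV4"],
        "count": finding["Service"]["Count"],
        "mutating": is_mutating(action["Api"]),
        "window": (start.isoformat(), end.isoformat()),
    }


def fetch_cloudtrail_events(finding, region, pad_minutes=60):
    """Run the lookup with boto3 under the current (read-only) credentials.
    boto3 is imported lazily so the parsing above works without it installed;
    the only permission this needs is cloudtrail:LookupEvents."""
    import boto3
    client = boto3.client("cloudtrail", region_name=region)
    events = []
    for page in client.get_paginator("lookup_events").paginate(
            **cloudtrail_lookup_params(finding, pad_minutes)):
        events.extend(page["Events"])
    return events


if __name__ == "__main__":
    import json
    print(json.dumps(triage_summary(SAMPLE_FINDING), indent=2))
```

The credentials used to run this should carry only guardduty:GetFindings and cloudtrail:LookupEvents (plus the Detective read APIs if the console pivot is scripted); a role with iam:PutUserPolicy or similar write permissions is what turns an investigation step into a containment step, which is exactly what the question asks to avoid.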
Community Discussion
No community discussion yet for this question.