Amazon AWS Certified Security – Specialty SCS-C02 Exam Dumps and Practice Test Questions Set 10 Q181-200
Question 181
A company wants to create a dashboard that displays the total number of open cases per department and highlights overdue cases. Users should be able to filter by priority dynamically. Which tool is most appropriate?
A) Power BI
B) Canvas app
C) Desktop flow
D) Business process flow
Answer: A) Power BI
Explanation:
Power BI is a business intelligence tool designed for creating interactive dashboards and visualizations. In this scenario, it can aggregate case data to calculate the total number of open cases per department and highlight overdue cases using conditional formatting. Users can apply dynamic filters to view data by priority, department, or other fields. Power BI dashboards can refresh automatically to provide up-to-date insights and allow drill-down for more detailed analysis. Interactive visualizations, such as charts, tables, and cards, help managers understand metrics and make informed decisions.
Canvas apps allow building interactive applications but are not ideal for complex data aggregation or analytical dashboards. They can display data but lack advanced filtering and visualization features needed for analytical reporting.
Desktop flows automate repetitive desktop tasks but are not intended for data aggregation or reporting. They cannot create dashboards or interactive visualizations for business analysis.
Business process flows guide users through sequential steps in workflows to ensure process compliance but do not provide reporting or interactive visualization capabilities. They are operational tools rather than analytical solutions.
Power BI is correct because it allows aggregation, dynamic filtering, and visual highlighting of key metrics across departments, providing actionable insights in real time, which satisfies the requirement for a dashboard with interactive filtering and visual cues.
Question 182
A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, across multiple accounts and centralize alerts for the security team. Which AWS service combination is most appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty analyzes CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs (plus, when the optional protection plans are on, S3 data events and other sources) to detect suspicious API activity, including anomalous IAM and EC2 calls such as an access key used from an unfamiliar network or a principal that suddenly starts enumerating permissions. It combines threat intelligence feeds with per-account anomaly detection to produce findings that carry a severity, the affected resource, and the acting identity. Security Hub aggregates GuardDuty findings (alongside Config, Inspector, and Macie results) from every member account into the delegated administrator account, so the security team works one queue rather than logging in to each account. Both services should be enabled organization-wide through a delegated administrator in AWS Organizations, in every region in use, since findings are regional. EventBridge (formerly CloudWatch Events) rules matching GuardDuty or Security Hub findings can invoke Lambda, Step Functions, or SSM Automation to contain the affected resource automatically.
CloudTrail records API activity but does not, by itself, decide what is suspicious. CloudTrail Insights can flag unusual volumes of API calls, but it applies no threat intelligence and offers no cross-account view, so raw trails still need a separate analysis layer before they become alerts.
IAM policies define access permissions but cannot detect suspicious API activity. They are preventive controls, not monitoring or detection tools.
Security groups manage network traffic but cannot monitor API activity or detect anomalous behavior. They operate at the network layer and are not suitable for API anomaly detection.
Amazon GuardDuty with Security Hub is correct because it provides continuous anomaly detection, centralized alerting, actionable insights, and integration with automated response workflows across multiple accounts, enhancing the overall security posture.
Question 183
A company wants to ensure that all newly created RDS instances are encrypted and that automated backups and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable RDS encryption at the instance level using a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level using a KMS key
Explanation:
Enabling encryption when the instance is created encrypts the underlying storage with an AWS KMS key; the data, automated backups, manual snapshots, read replicas, and logs are then encrypted together, and nothing has to be done per backup. A customer-managed key lets administrators control who may use it through the key policy, rotate it, and audit every Decrypt and GenerateDataKey call in CloudTrail. Two caveats matter in practice. First, storage encryption is a creation-time choice: an existing unencrypted instance cannot be switched on in place; the path is to snapshot it, copy the snapshot with encryption enabled, and restore from the copy. Second, the instance setting does not by itself stop someone from creating an unencrypted instance next week, so pair it with a preventive condition (an IAM policy or SCP that denies rds:CreateDBInstance unless the rds:StorageEncrypted condition key is true) and the AWS Config managed rule rds-storage-encrypted for detection. Snapshots encrypted with the AWS-managed aws/rds key cannot be shared with other accounts, so choose a customer-managed key if cross-account sharing is planned, and note that a cross-region snapshot copy must be re-encrypted with a key in the destination region.
IAM policies can restrict who may create RDS instances, and a condition on rds:StorageEncrypted can refuse an unencrypted request, but a policy encrypts nothing itself; without the KMS-backed setting at creation there is nothing for backups and snapshots to inherit.
Security groups control network access but do not provide encryption for RDS instances or backups.
CloudTrail logs API calls and tracks actions for auditing but cannot enforce encryption. It is a reactive tool rather than a preventive mechanism.
Enabling RDS encryption at the instance level using a KMS key is correct because it ensures encryption for primary data, automated backups, and snapshots, integrates with auditing, and aligns with security best practices for database protection.
Question 184
A company wants to ensure that all EBS volumes are encrypted at creation and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable EBS encryption by default and specify a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable EBS encryption by default and specify a KMS key
Explanation:
EBS encryption by default is an account-level setting that is enabled per region (aws ec2 enable-ebs-encryption-by-default) with an optional default key (aws ec2 modify-ebs-default-kms-key-id). Once on, every new volume and every snapshot copy in that region is encrypted even if the caller omits the Encrypted flag, and instances launched from unencrypted AMIs receive encrypted volumes. Snapshots of an encrypted volume, and volumes restored from them, keep the same key, so backups and derivative volumes are protected without extra steps. A customer-managed KMS key adds key-policy access control, rotation, and CloudTrail visibility of every use. Caveats: the setting is not retroactive, so existing unencrypted volumes must be snapshotted, the snapshot copied with encryption, and a new volume attached in its place; it must be turned on in each region separately; and a few legacy instance types do not support encrypted volumes. AWS Config offers ec2-ebs-encryption-by-default to verify the setting and encrypted-volumes to find attached volumes that slipped through before it was enabled.
IAM policies control who may create volumes, and a deny on ec2:CreateVolume when the ec2:Encrypted condition key is false is a reasonable guardrail, but a policy sets no default and encrypts nothing; snapshot copies and AMI launches would each need their own condition, whereas the regional default covers all of them.
Security groups manage network traffic but cannot enforce encryption on EBS volumes or snapshots.
CloudTrail logs API activity but cannot enforce encryption or ensure snapshots inherit encryption.
Enabling EBS encryption by default with a KMS key is correct because it enforces encryption at creation, ensures inherited encryption for snapshots, supports auditing, and reduces operational and compliance risks.
Question 185
A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager stores API keys, database credentials, and tokens encrypted under a KMS key. A Lambda function retrieves them at runtime with GetSecretValue, authorized by its execution role (secretsmanager:GetSecretValue on the specific secret ARN, plus kms:Decrypt if a customer-managed key protects the secret), so no credential appears in code, configuration, or the deployment package. Secrets Manager can rotate supported database credentials on a schedule through a rotation Lambda, and every read is recorded in CloudTrail with the calling identity. Two practical details: fetch the secret outside the handler (or through the AWS Parameters and Secrets Lambda Extension) and cache it for the life of the execution environment, since one call per invocation adds latency and cost; and treat an authentication failure as a signal to re-read the secret, because a rotation may have completed while the cached copy was in use.
Plaintext environment variables are the opposite: Lambda encrypts them at rest, but anyone allowed lambda:GetFunctionConfiguration sees the decrypted values in the console and CLI, they end up in CloudFormation templates and Terraform state, and the secret cannot be rotated without redeploying the function.
Using S3 buckets for secrets requires additional encryption, access control, and runtime integration, making it less secure and operationally complex compared to Secrets Manager.
Security groups control network traffic but cannot enforce secure retrieval of secrets or prevent hardcoding of credentials.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, controlled access, automated rotation, auditability, and secure runtime integration, ensuring secrets are protected and compliant.
Question 186
A company wants to automatically disable IAM users who have not logged in for 90 days to reduce orphaned account risks. Which AWS service combination accomplishes this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM exposes when a user's credentials were last used: GetUser returns PasswordLastUsed, and the credential report (GenerateCredentialReport followed by GetCredentialReport) lists password_last_used and the last-used date of each access key for every user in one CSV. No event fires when a user goes quiet, so the pattern is a scheduled EventBridge rule (formerly CloudWatch Events), for example rate(1 day), that invokes a Lambda function; the function pulls the report, computes each user's most recent activity across password and keys, and acts on anyone idle for more than 90 days. IAM has no single "disable user" API, so disabling in practice means deleting the console login profile and setting access keys to Inactive (reversible, unlike deletion), optionally attaching an explicit deny policy, and notifying the owner. AWS Config's managed rule iam-user-unused-credentials-check, with maxCredentialUsageAge set to 90, can supply the detection half and trigger the same Lambda as a remediation action. Automating the lifecycle removes the dependency on someone remembering to review the report and closes the window in which forgotten credentials can be picked up by an attacker.
Security groups control network traffic but cannot detect inactive IAM users or disable accounts.
CloudTrail logs user activity but cannot automatically disable inactive accounts. It provides audit data only, requiring manual action.
S3 bucket policies manage object access but do not affect IAM user status or enforce inactivity policies.
IAM with CloudWatch Events and Lambda automation is correct because it combines proactive detection, automated remediation, centralized enforcement, and risk reduction for orphaned accounts, ensuring compliance and operational security.
Question 187
A company wants to monitor all configuration changes to IAM roles and policies to detect unauthorized modifications. Which AWS service provides this capability?
A) AWS Config
B) CloudTrail only
C) Security groups only
D) S3 bucket policies
Answer: A) AWS Config
Explanation:
AWS Config records a configuration item for IAM users, groups, roles, and managed policies each time one changes, so the full history of a role's trust policy or a policy document is available for review and for diffing against a known-good baseline. IAM is a global service, so recording of global resources must be enabled in one region of each account for these items to appear. Managed rules such as iam-policy-no-statements-with-admin-access and iam-policy-no-statements-with-full-access evaluate new policy versions automatically, and Config emits compliance-change events to EventBridge (formerly CloudWatch Events), which can alert the team or run an SSM Automation remediation. With an aggregator in the security account, the same history and compliance view spans every account in the organization.
CloudTrail records who made the change and when, and an EventBridge rule on IAM write events (PutRolePolicy, AttachRolePolicy, UpdateAssumeRolePolicy) is a valid real-time alert, but CloudTrail does not keep the resulting configuration or evaluate it against rules; it answers "what happened", while Config answers "what is the current state, and is it compliant".
Security groups control network traffic and cannot monitor IAM configuration changes.
S3 bucket policies govern access to objects and cannot track IAM role or policy changes.
AWS Config is correct because it enables continuous monitoring, historical tracking, compliance evaluation, alerting, and centralized governance, ensuring secure and compliant management of IAM resources.
Question 188
A company wants to enforce that all API requests to S3 buckets are encrypted in transit using HTTPS. Which configuration enforces this requirement?
A) Require SSL connections in S3 bucket policies
B) Enable S3 versioning only
C) Use IAM policies without encryption
D) Enable public access
Answer: A) Require SSL connections in S3 bucket policies
Explanation:
A bucket policy statement with Effect Deny, Principal "*", Action s3:*, and the condition Bool aws:SecureTransport = false rejects every request that arrives over plain HTTP, whatever identity or permission it carries, because an explicit deny overrides any allow. The statement must list both the bucket ARN and bucket/* so that bucket-level operations (ListBucket) and object operations are covered. The same mechanism can require a minimum protocol version with the s3:TlsVersion condition key (NumericLessThan 1.2). Because the check sits on the bucket, it applies to SDKs, the CLI, presigned URLs, and cross-account callers alike; the console already uses HTTPS. This is the control the AWS Foundational Security Best Practices standard checks as S3.5 and the CIS AWS Foundations Benchmark also requires, and paired with server-side encryption it covers the data both in transit and at rest.
Enabling S3 versioning addresses object durability and recovery but does not enforce encryption during data transfer.
IAM policies without an aws:SecureTransport condition control who may call S3 but say nothing about the transport; an identity-based policy carrying that condition would protect only the principals it is attached to, whereas the bucket policy covers every caller, including other accounts and anonymous reads.
Enabling public access exposes data without ensuring encryption, increasing security risks and violating compliance best practices.
Requiring SSL connections in S3 bucket policies is correct because it enforces encryption in transit, centralizes security control, and ensures secure communication for all S3 interactions.
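The policy described above, as an added example that is not part of the original page: a Python function that builds the deny-unless-TLS bucket policy, plus a small evaluator of the two IAM condition operators the policy uses, so its behaviour for plain HTTP, current TLS, and legacy TLS requests can be checked offline before the policy is applied. The bucket name and the sample request contexts are constructed for the illustration.

```python
"""S3 bucket policy that denies any request not made over TLS, plus an offline
check of how the policy's conditions evaluate for sample requests.

Added example, not from the original page. The bucket name and the request
contexts are constructed; the two condition operators implemented here cover
only what this policy uses.
"""
import json
from typing import List


def tls_only_bucket_policy(bucket: str, min_tls: float = 1.2) -> dict:
    """Explicit denies beat every allow, so this works regardless of what IAM
    policies or ACLs grant. Both ARNs are listed: the bucket ARN covers
    bucket-level calls such as ListBucket, bucket/* covers object calls."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # plain HTTP: S3 sets aws:SecureTransport to "false"
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # HTTPS but an old protocol version: s3:TlsVersion is numeric
                "Sid": "DenyOldTls",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": min_tls}},
            },
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """All operator/key pairs in one Condition block must hold (logical AND).
    A key missing from the request context does not match, which is IAM's
    rule for these operators: a plain-HTTP request carries no s3:TlsVersion."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def denying_statements(policy: dict, ctx: dict) -> List[str]:
    """Sids of Deny statements whose conditions match the request context."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny"
            and _condition_matches(s.get("Condition", {}), ctx)]


def policy_document(bucket: str) -> str:
    """JSON for: aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json"""
    return json.dumps(tls_only_bucket_policy(bucket), indent=2)
```

Merge the statements into any existing bucket policy rather than replacing it, apply with `aws s3api put-bucket-policy`, and verify from a client: the same authorized `aws s3 ls` call succeeds against the default HTTPS endpoint and is refused with AccessDenied when forced onto an `--endpoint-url http://...` endpoint. The evaluator deliberately implements only Bool and NumericLessThan; it is a reasoning aid for this policy, not a substitute for the IAM policy simulator.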
Question 189
A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty continuously analyzes VPC Flow Logs, DNS query logs, and CloudTrail events for signs that an EC2 instance is compromised: communication with IP addresses or domains on threat lists, port scanning or brute-force attempts launched from the instance, traffic volumes that deviate from the instance's own baseline, and DNS behavior associated with malware or data exfiltration. Findings include the instance ID, the remote endpoint, a severity, and the finding type, and a rule in EventBridge (formerly CloudWatch Events) can hand them to Lambda for containment and to Security Hub for tracking. GuardDuty consumes these logs on the service side, so nothing is installed on the instance; only the optional Runtime Monitoring feature, which adds process-level visibility, requires an agent.
AWS Config tracks configuration changes but does not analyze network traffic for anomalies. It focuses on compliance and resource configuration monitoring rather than threat detection.
IAM policies define access permissions but cannot detect anomalous traffic or compromised hosts. They are preventive controls.
CloudTrail logs API activity but cannot detect suspicious network traffic on its own. Analysis is reactive and requires additional tools.
Amazon GuardDuty is correct because it provides continuous, automated detection of network anomalies, actionable alerts, and integration with automated response workflows, enabling proactive security monitoring for EC2 instances.
Question 190
A company wants to ensure that all Lambda functions accessing secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive information such as API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, eliminating the need to hardcode credentials. Secrets Manager supports automatic rotation, fine-grained IAM-based access control, and audit logging through CloudTrail. This approach reduces the risk of credential exposure, ensures compliance, and enables secure serverless application deployment. Administrators can enforce least-privilege access, monitor usage, and integrate secrets seamlessly into Lambda functions.
Storing secrets in plaintext environment variables exposes the value to every principal with lambda:GetFunctionConfiguration and to anyone who can read the function's deployment template, and changing the secret then requires redeploying the function.
Using S3 buckets for secret storage requires additional encryption, access management, and runtime integration, which is operationally complex and less secure than Secrets Manager.
Security groups manage network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.
AWS Secrets Manager with IAM-based access is correct because it provides secure storage, automated rotation, centralized access control, auditing, and runtime integration, ensuring that sensitive secrets are protected and compliant.
Question 191
A company wants to automatically rotate IAM access keys for users and notify administrators before expiration. Which AWS configuration achieves this requirement?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM records the creation date and status of every access key (ListAccessKeys) and its last use (GetAccessKeyLastUsed, or the credential report). Key age is not something EventBridge can watch directly, so the usual design is a scheduled EventBridge rule (formerly CloudWatch Events) invoking a Lambda function that lists users and keys and acts by age: warn the owner through SNS as the key approaches the limit, create a replacement key (each user may hold at most two, so a slot must be free), hand the new secret to its consumer through Secrets Manager or Parameter Store rather than e-mail, set the old key to Inactive once the switch is confirmed, and delete it after a grace period. Deactivating before deleting keeps a broken switch-over reversible. AWS Config's managed rule access-keys-rotated (parameter maxAccessKeyAge) can flag keys past the threshold and trigger the same function as a remediation action. The larger win is to retire long-lived keys in favour of roles, but where keys must exist, automation keeps their age bounded and documented.
Security groups manage network traffic and cannot rotate IAM access keys or send proactive notifications.
CloudTrail logs API activity but cannot automate key rotation or notifications. It only provides audit data, requiring manual intervention for key rotation.
S3 bucket policies manage access to objects but do not control IAM keys or automate rotation.
IAM with CloudWatch Events and Lambda automation is correct because it combines proactive monitoring, automated remediation, and centralized enforcement, ensuring secure and efficient access key management and reducing operational and security risks.
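The staged rotation described above, as an added example that is not code from the original page: a planning function that maps each of a user's access keys to an action by age, and an executor that carries the plan out through the IAM client while keeping the new secret out of notifications and logs. The thresholds, the assumption that the new secret is delivered through a caller-supplied `store` callback (Secrets Manager in the handler) and that notifications go through a `notify` callback (SNS in the handler), and the topic and secret names are choices made for this illustration.

```python
"""Staged IAM access key rotation driven by key age.

Added example, not from the original page. Thresholds, the store/notify
callbacks, the SNS topic ARN and the secret naming convention are assumptions.
"""
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Union

WARN_AFTER = 80         # days: owner is told a replacement is coming
ROTATE_AFTER = 90       # days: replacement key is issued
DEACTIVATE_AFTER = 100  # days: old key stops working but still exists
DELETE_AFTER = 110      # days: an inactive key this old is removed


def _as_dt(value: Union[str, datetime]) -> datetime:
    """boto3 returns CreateDate as a datetime; ISO strings are accepted for tests."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def plan_actions(keys: List[dict], now: Union[str, datetime]) -> Dict[str, str]:
    """Decide per AccessKeyId: ok, warn, rotate, grace, deactivate, delete or escalate.

    `keys` is one user's AccessKeyMetadata list. A user may hold only two keys,
    so a replacement can be created only while a slot is free; when both slots
    hold stale keys nothing is touched automatically and a person is asked.
    """
    now = _as_dt(now)

    def age_of(k: dict) -> int:
        return (now - _as_dt(k["CreateDate"])).days

    plan = {}
    for key in keys:
        kid, age = key["AccessKeyId"], age_of(key)
        replacement = any(o is not key and o["Status"] == "Active"
                          and age_of(o) < ROTATE_AFTER for o in keys)
        if key["Status"] == "Inactive":
            plan[kid] = "delete" if age >= DELETE_AFTER else "ok"
        elif age < WARN_AFTER:
            plan[kid] = "ok"
        elif age < ROTATE_AFTER:
            plan[kid] = "warn"
        elif replacement:   # new key exists: give consumers time, then cut over
            plan[kid] = "deactivate" if age >= DEACTIVATE_AFTER else "grace"
        elif len(keys) < 2:  # single stale key, even a very old one: issue a new one first
            plan[kid] = "rotate"
        else:
            plan[kid] = "escalate"
    return plan


def apply_plan(iam, user: str, plan: Dict[str, str],
               notify: Callable[[str], None],
               store: Callable[[str, dict], None]) -> List[str]:
    """Carry out the plan. The new secret goes only to `store`; it is never put
    in a notification, a log line or the return value."""
    done = []
    for kid, action in plan.items():
        if action == "rotate":
            new_key = iam.create_access_key(UserName=user)["AccessKey"]
            store(user, new_key)
            notify(f"{user}: key {kid} is {ROTATE_AFTER}+ days old; replacement "
                   f"{new_key['AccessKeyId']} issued, old key deactivates at "
                   f"{DEACTIVATE_AFTER} days")
        elif action == "warn":
            notify(f"{user}: key {kid} reaches {ROTATE_AFTER} days soon")
        elif action == "deactivate":
            iam.update_access_key(UserName=user, AccessKeyId=kid, Status="Inactive")
        elif action == "delete":
            iam.delete_access_key(UserName=user, AccessKeyId=kid)
        elif action == "escalate":
            notify(f"{user}: two stale keys, manual rotation required")
        done.append(f"{kid}:{action}")
    return done


def lambda_handler(event, context):
    """Target of a scheduled EventBridge rule; runs the plan for every user."""
    import boto3  # lazy import so the module loads where boto3 is absent
    iam, sns = boto3.client("iam"), boto3.client("sns")
    secrets = boto3.client("secretsmanager")
    topic = "arn:aws:sns:us-east-1:123456789012:key-rotation"  # assumed topic

    def store(user: str, key: dict) -> None:  # assumed naming: iam/<user>/access-key
        secrets.put_secret_value(
            SecretId=f"iam/{user}/access-key",
            SecretString=json.dumps({"AccessKeyId": key["AccessKeyId"],
                                     "SecretAccessKey": key["SecretAccessKey"]}))

    now, result = datetime.now(timezone.utc), {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            result[name] = apply_plan(iam, name, plan_actions(keys, now),
                                      lambda m: sns.publish(TopicArn=topic, Message=m),
                                      store)
    return result
```

The execution role needs iam:ListUsers, iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey, iam:DeleteAccessKey, sns:Publish on the topic, and secretsmanager:PutSecretValue on the per-user secrets; scope the IAM actions with a condition or resource list so the rotation function cannot mint keys for administrators it should not touch.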
Question 192
A company wants to ensure that all newly created S3 buckets are encrypted by default and public access is blocked across multiple accounts. Which AWS service combination achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
AWS Organizations provides central guardrails across accounts through Service Control Policies. An SCP cannot configure a bucket, but it can deny the API calls that weaken the controls: for example, deny s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock so nobody can switch Block Public Access off, deny s3:DeleteBucketEncryption, and deny s3:PutObject when the s3:x-amz-server-side-encryption header is not aws:kms where SSE-KMS is mandated. Since January 2023 S3 encrypts every new object with SSE-S3 by default, and since April 2023 new buckets get Block Public Access enabled, so the SCP's job is mainly to keep those defaults from being undone and to require a customer-managed key where policy demands one. AWS Config, deployed organization-wide through an aggregator or a conformance pack, then verifies the actual state with managed rules such as s3-bucket-server-side-encryption-enabled, s3-bucket-level-public-access-prohibited, s3-bucket-public-read-prohibited, and s3-bucket-public-write-prohibited, and a remediation action backed by an SSM Automation runbook can re-apply encryption or the public access block on any bucket that drifts. Prevention in the SCP plus detection and repair in Config gives consistent enforcement without per-account manual work.
IAM policies applied account by account must be written and kept in sync in every account, and an administrator inside the account can edit them; an SCP applies from the organization root and cannot be overridden from within the member account.
Enabling S3 versioning only addresses object durability and does not enforce encryption or public access restrictions.
Security groups control network traffic but cannot enforce bucket-level encryption or block public access.
AWS Organizations SCPs with AWS Config rules are correct because they provide centralized enforcement of encryption and public access policies, continuous monitoring, automated remediation, and consistent governance across multiple accounts.
Question 193
A company wants to detect anomalous API activity, such as unusual IAM or EC2 calls, and centralize alerts for the security team. Which AWS service combination is most appropriate?
A) Amazon GuardDuty with Security Hub
B) CloudTrail logging only
C) IAM policies only
D) Security groups only
Answer: A) Amazon GuardDuty with Security Hub
Explanation:
Amazon GuardDuty evaluates CloudTrail management events, VPC Flow Logs, and DNS query logs against threat intelligence and per-account baselines to surface anomalous IAM and EC2 calls, for example an access key used from an unfamiliar network, an instance role's credentials used from outside EC2, or a principal that starts enumerating resources it never touched before. Findings carry a severity, the actor, and the affected resource. Security Hub, with a delegated administrator account, pulls those findings from every member account and region into one view, where they can be triaged alongside Config, Inspector, and Macie results, and EventBridge (formerly CloudWatch Events) rules on new findings can invoke Lambda or SSM Automation for containment.
CloudTrail logs API activity but does not judge it; CloudTrail Insights highlights unusual call volumes, yet it carries no threat intelligence and no cross-account view, so it remains a data source for GuardDuty rather than a detector in its own right.
IAM policies define access permissions but cannot detect suspicious API activity. They prevent unauthorized actions but do not monitor behavior.
Security groups manage network traffic but cannot monitor API activity or detect anomalous behavior.
Amazon GuardDuty with Security Hub is correct because it provides centralized anomaly detection, proactive alerting, actionable insights, and integration with automated response workflows, enhancing the overall security posture.
Question 194
A company wants to ensure that all RDS instances are encrypted by default and that automated backups and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable RDS encryption at the instance level using a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level using a KMS key
Explanation:
Choosing encryption when an RDS instance is created encrypts its storage with a KMS key, and the automated backups, manual snapshots, read replicas, and logs that derive from it are encrypted with the same key without further configuration. A customer-managed key adds key-policy control over who may use it, rotation, and a CloudTrail record of each use. The choice is made at creation only: an existing unencrypted instance is converted by snapshotting it, copying the snapshot with encryption enabled, and restoring from the copy. RDS has no account-wide "encrypt by default" switch, so to make the requirement hold for every new instance, combine the setting with a deny on rds:CreateDBInstance when the rds:StorageEncrypted condition key is false and with the Config rule rds-storage-encrypted for detection.
IAM policies can restrict who may create RDS instances, and a condition on rds:StorageEncrypted can refuse an unencrypted request, but a policy encrypts nothing itself; without the KMS-backed setting at creation there is nothing for backups and snapshots to inherit.
Security groups control network traffic but do not encrypt RDS instances or backups.
CloudTrail logs API calls for auditing but cannot enforce encryption or ensure snapshots inherit encryption.
Enabling RDS encryption at the instance level using a KMS key is correct because it ensures encryption for primary data, automated backups, and snapshots, integrates with auditing, and aligns with security best practices.
Question 195
A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty analyzes VPC Flow Logs, DNS query logs, and CloudTrail events to spot EC2 instances behaving like compromised hosts: outbound traffic to known command-and-control or Tor addresses, port scanning, unusually large transfers, cryptocurrency-mining domains, or DNS patterns consistent with exfiltration. Its findings combine threat intelligence with learned baselines and include the severity, the instance ID, and the remote endpoint. EventBridge (formerly CloudWatch Events) rules on those findings can invoke Lambda to isolate the instance, for example by swapping its security group for one with no rules and snapshotting its volumes for forensics. The foundational data sources need no agent on the instance; deeper process-level visibility (Runtime Monitoring) is the one feature that installs an agent.
AWS Config tracks resource configurations but does not monitor network traffic for anomalies. Its focus is on compliance and resource configuration.
IAM policies define access permissions but cannot detect anomalous traffic or compromised hosts. They are preventive measures, not monitoring tools.
CloudTrail logs API activity but cannot detect suspicious network traffic by itself. Analysis requires additional tools or services.
Amazon GuardDuty is correct because it provides continuous, automated detection of network anomalies, centralized monitoring, actionable alerts, and integration with automated remediation workflows, enabling proactive security management for EC2 instances.
Question 196
A company wants to ensure that all Lambda functions retrieving secrets do not hardcode credentials and retrieve them securely. Which AWS solution satisfies this requirement?
A) AWS Secrets Manager with IAM-based access
B) Store secrets in plaintext environment variables
C) Use S3 buckets for secret storage only
D) Security groups only
Answer: A) AWS Secrets Manager with IAM-based access
Explanation:
AWS Secrets Manager securely stores sensitive information, including API keys, database credentials, and tokens. Lambda functions can retrieve secrets at runtime using IAM roles, eliminating the need for hardcoded credentials. Secrets Manager supports automatic secret rotation, fine-grained IAM-based access control, and audit logging through CloudTrail. This approach reduces exposure risk, ensures compliance, and enables secure serverless application deployment. Administrators can enforce least-privilege access, monitor usage, and integrate secrets seamlessly into Lambda functions.
Storing secrets in plaintext environment variables puts the value where any reader of the function configuration, the deployment template, or a debug dump of os.environ can see it, and leaves no audit trail of who read it.
Using S3 buckets for secret storage requires additional encryption, access control, and runtime integration, making it less secure and operationally complex compared to Secrets Manager.
Security groups manage network traffic but cannot enforce secure secret retrieval or prevent hardcoding of credentials.
AWS Secrets Manager with IAM-based access is correct because it provides encrypted storage, automated rotation, centralized access control, auditing, and secure runtime integration, ensuring secrets are protected, compliant, and accessible only to authorized functions.
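The retrieval pattern that Questions 185, 190 and 196 describe, as an added example that is not code from the original page: a Lambda module that reads a database secret through its execution role, caches it across warm invocations of the same execution environment, and re-reads it once when the credentials are rejected, which is what happens when the secret was rotated after it was cached. The secret name, its JSON layout ({"username": ..., "password": ...}), and the use of PermissionError as a stand-in for a database driver's authentication error are assumptions; the fetch used in the test is a fake.

```python
"""Read a database secret from Secrets Manager inside Lambda, with caching.

Added example, not from the original page. The secret name, its JSON layout
and PermissionError as a stand-in for a driver's authentication error are
assumptions for this illustration.
"""
import json
import os
import time
from typing import Callable, Optional

# Only the secret's *name* lives in the environment; the value never does.
SECRET_ID = os.environ.get("DB_SECRET_ID", "prod/app/db")  # assumed name
CACHE_TTL_SECONDS = 300


class SecretCache:
    """Cache one secret across warm invocations and refresh after rotation.

    A module-level instance survives between invocations of the same execution
    environment, so Secrets Manager is called once per container rather than
    once per event, which keeps both latency and API cost down.
    """

    def __init__(self, fetch: Callable[[str], str], ttl: int = CACHE_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._value: Optional[dict] = None
        self._loaded_at = float("-inf")
        self.fetch_count = 0  # exposed so a test can prove the cache is used

    def get(self, secret_id: str, force_refresh: bool = False) -> dict:
        expired = self._clock() - self._loaded_at > self._ttl
        if self._value is None or expired or force_refresh:
            self._value = json.loads(self._fetch(secret_id))
            self._loaded_at = self._clock()
            self.fetch_count += 1
        return self._value


def secrets_manager_fetch(secret_id: str) -> str:
    """Real fetch: runs under the function's execution role, which needs
    secretsmanager:GetSecretValue on this secret (and kms:Decrypt on its key
    when a customer-managed key encrypts it)."""
    import boto3  # imported lazily so the module loads where boto3 is absent
    return boto3.client("secretsmanager").get_secret_value(
        SecretId=secret_id)["SecretString"]


def connect_with_retry(cache: SecretCache, secret_id: str,
                       connect: Callable[[dict], object]) -> object:
    """Open a connection; if the credentials are rejected, the secret may have
    been rotated since it was cached, so re-read it once and try again."""
    try:
        return connect(cache.get(secret_id))
    except PermissionError:
        return connect(cache.get(secret_id, force_refresh=True))


_cache = SecretCache(secrets_manager_fetch)  # created once per container


def lambda_handler(event, context):
    creds = _cache.get(SECRET_ID)
    # open the real database connection with creds["username"] / creds["password"]
    return {"statusCode": 200, "body": f"connected as {creds['username']}"}
```

The execution role's policy should name the secret ARN rather than `secretsmanager:*` on `*`, and the secret's own resource policy can additionally restrict readers to that role. Where many functions share secrets, the AWS Parameters and Secrets Lambda Extension provides the same local caching without code in each function.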
Question 197
A company wants to automatically disable IAM users who have not logged in for 60 days to reduce orphaned account risks. Which AWS service combination accomplishes this?
A) IAM with CloudWatch Events and Lambda automation
B) Security groups only
C) CloudTrail logging only
D) S3 bucket policies
Answer: A) IAM with CloudWatch Events and Lambda automation
Explanation:
IAM records the last console sign-in (PasswordLastUsed) and the last use of each access key, and the credential report presents both for every user as one CSV. Inactivity does not generate an event, so the automation is a scheduled EventBridge rule (formerly CloudWatch Events) that invokes a Lambda function daily; the function reads the report, takes each user's most recent activity across password and keys, and acts on anyone past 60 days. "Disable" maps onto deleting the login profile and setting keys to Inactive, which can be reversed if the user turns out to be on leave rather than gone. AWS Config's iam-user-unused-credentials-check rule (maxCredentialUsageAge = 60) provides the same detection as a compliance finding and can drive the Lambda as its remediation. Either way, stale credentials are removed on schedule rather than when someone happens to notice.
Security groups manage network traffic and cannot detect inactive IAM users or disable accounts.
CloudTrail logs user activity but cannot automatically disable inactive accounts. It only provides audit data, requiring manual intervention.
S3 bucket policies manage object access but do not affect IAM user account activity or enforce inactivity rules.
IAM with CloudWatch Events and Lambda automation is correct because it combines proactive detection, automated remediation, centralized enforcement, and risk reduction, ensuring that inactive accounts are promptly disabled and security posture is maintained.
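The automation that Questions 186 and 197 describe, as an added example that is not code from the original page: a Lambda module that parses the IAM credential report, computes each user's most recent activity across console password and both access keys, and locks anyone idle past the threshold by deleting the login profile and deactivating keys. The credential report embedded below is a constructed sample with only the columns the code uses; the handler's boto3 calls are real IAM operations, and the IAM client passed to `lock_user()` is a fake in the test.

```python
"""Lock IAM users whose credentials have been idle for more than N days.

Added example, not from the original page. The credential report below is a
constructed sample (only the columns used here); the IAM client passed to
lock_user() is whatever boto3 returns in Lambda, or a fake in tests.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Union

INACTIVE_DAYS = 90  # Question 186 uses 90 days, Question 197 uses 60; same logic

# Constructed sample of an IAM credential report (CSV from GetCredentialReport).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T12:00:00+00:00,true,2024-06-20T08:15:00+00:00,true,2024-06-21T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-10T12:00:00+00:00,true,2024-01-05T08:15:00+00:00,true,2024-02-01T10:00:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-06-25T12:00:00+00:00,true,no_information,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2020-06-01T12:00:00+00:00,false,N/A,true,N/A,false,N/A
"""

# Placeholders IAM writes into date columns when there is no date to report.
_NO_DATE = {"N/A", "no_information", "not_supported", ""}


def _parse(ts: Union[str, datetime]) -> Optional[datetime]:
    if isinstance(ts, datetime):
        return ts
    if ts in _NO_DATE:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def last_activity(row: dict) -> datetime:
    """Most recent of console sign-in and each access key's last use.

    A user with no recorded activity falls back to creation time, so a newly
    created user gets the full window before being treated as abandoned.
    """
    dates = [_parse(row[col]) for col in ("password_last_used",
                                          "access_key_1_last_used_date",
                                          "access_key_2_last_used_date")]
    dated = [d for d in dates if d is not None]
    return max(dated) if dated else _parse(row["user_creation_time"])


def inactive_users(report_csv: str, now: Union[str, datetime],
                   days: int = INACTIVE_DAYS) -> List[str]:
    """Names of users idle longer than `days`. The root account is skipped:
    it cannot be locked this way and any use of it deserves its own alarm."""
    cutoff = _parse(now) - timedelta(days=days)
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["user"] != "<root_account>" and last_activity(row) < cutoff]


def lock_user(iam, user: str) -> List[str]:
    """IAM has no 'disable user' call, so: drop the console password and set
    every access key to Inactive. Keys are deactivated rather than deleted so
    a false positive can be reversed."""
    done = []
    try:
        iam.delete_login_profile(UserName=user)
        done.append("login_profile_deleted")
    except iam.exceptions.NoSuchEntityException:
        pass  # user never had a console password
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            done.append(f"key_{key['AccessKeyId']}_deactivated")
    return done


def lambda_handler(event, context):
    """Target of a scheduled EventBridge rule such as rate(1 day). There is no
    'user went idle' event, so the function polls the report instead."""
    import boto3  # imported here so the module also loads where boto3 is absent
    iam = boto3.client("iam")
    iam.generate_credential_report()  # asynchronous; retry if the report is not ready
    report = iam.get_credential_report()["Content"].decode()
    idle = inactive_users(report, datetime.now(timezone.utc))
    return {"locked": {user: lock_user(iam, user) for user in idle}}
```

Run the function in report-only mode first (return `idle` without calling `lock_user`) and compare its output with the owners' expectations; service accounts that authenticate by role rather than by key will show no activity and must be excluded by tag or name before enforcement is switched on.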
Question 198
A company wants to ensure that all newly created S3 buckets are encrypted by default and public access is blocked across multiple accounts. Which AWS service combination achieves this?
A) AWS Organizations SCPs with AWS Config rules
B) IAM policies on each account separately
C) Enable S3 versioning only
D) Security groups
Answer: A) AWS Organizations SCPs with AWS Config rules
Explanation:
Service Control Policies in AWS Organizations set guardrails for every account in an organizational unit. They do not create or configure buckets; they deny the calls that would undo the protections, such as s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock (keeping Block Public Access on), s3:DeleteBucketEncryption, and s3:PutObject requests whose s3:x-amz-server-side-encryption header is not aws:kms where SSE-KMS is required. New buckets already receive default SSE-S3 encryption and Block Public Access from S3 itself, so the SCP protects those defaults and raises the bar where policy demands a customer-managed key. AWS Config managed rules (s3-bucket-server-side-encryption-enabled, s3-bucket-level-public-access-prohibited, s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited) evaluate each bucket continuously, an aggregator shows the results for all accounts, and remediation actions backed by SSM Automation re-apply the setting on drift.
Per-account IAM policies have to be replicated and maintained in every account and can be altered by anyone with IAM rights there, so they drift; SCPs are applied from above and cannot be changed from inside the member account.
Enabling S3 versioning only addresses object durability but does not enforce encryption or public access restrictions.
Security groups control network traffic but cannot enforce bucket-level encryption or prevent public access.
AWS Organizations SCPs with AWS Config rules are correct because they provide centralized enforcement, continuous monitoring, automated remediation, and consistent governance across multiple accounts, ensuring that S3 buckets are secure by default.
Question 199
A company wants to ensure that all RDS instances are encrypted by default and that automated backups and snapshots inherit encryption automatically. Which AWS configuration satisfies this requirement?
A) Enable RDS encryption at the instance level using a KMS key
B) IAM policies only
C) Security groups only
D) CloudTrail logging only
Answer: A) Enable RDS encryption at the instance level using a KMS key
Explanation:
RDS encrypts at the storage layer with the KMS key supplied when the instance is created, and everything derived from that storage (automated backups, snapshots, read replicas, logs) carries the same encryption. Customer-managed keys let administrators scope key use with a key policy, rotate the material, and trace each use in CloudTrail. Because the setting cannot be changed after creation, a legacy unencrypted instance is converted through an encrypted snapshot copy and restore, and a snapshot encrypted with the AWS-managed aws/rds key cannot be shared with another account, so pick a customer-managed key if sharing is planned. The instance setting does not on its own prevent a future unencrypted instance, so back it with a preventive IAM or SCP condition on rds:StorageEncrypted and the rds-storage-encrypted Config rule.
IAM policies can restrict who may create RDS instances and, with an rds:StorageEncrypted condition, refuse unencrypted requests, but they do not encrypt data or backups; RDS has no "default encryption" setting for them to fall back on, so the KMS-backed instance setting is what actually protects the data.
Security groups control network access but cannot encrypt RDS instances, backups, or snapshots.
CloudTrail logs API calls but cannot enforce encryption or ensure inherited encryption for snapshots.
Enabling RDS encryption at the instance level using a KMS key is correct because it ensures encryption for primary data, backups, and snapshots, integrates with auditing, and aligns with security best practices for database protection.
Question 200
A company wants to detect anomalous network traffic from EC2 instances that may indicate compromised hosts. Which AWS service provides this capability?
A) Amazon GuardDuty
B) AWS Config
C) IAM policies only
D) CloudTrail only
Answer: A) Amazon GuardDuty
Explanation:
Amazon GuardDuty watches VPC Flow Logs, DNS query logs, and CloudTrail events for indicators that an EC2 instance has been compromised, such as contact with known malicious IP addresses, brute-force attempts or scanning originating from the instance, traffic volumes out of line with the instance's history, or DNS queries typical of malware. Each finding names the instance, the remote address, and a severity, so responders can act on it directly. An EventBridge (formerly CloudWatch Events) rule can route findings to Lambda for automated isolation and to the security team's channel at the same time. Detection from the foundational sources is agentless for every account onboarded to the delegated administrator; visibility inside the instance at process level is a separate feature (Runtime Monitoring) that installs an agent.
AWS Config monitors resource configurations but does not analyze network traffic for anomalies. It focuses on compliance and configuration changes, not threat detection.
IAM policies define permissions but cannot detect anomalous traffic or compromised instances. They are preventive measures, not monitoring tools.
CloudTrail logs API activity but cannot detect anomalous network traffic on its own. It is reactive and requires additional analysis tools to detect potential threats.
Amazon GuardDuty is correct because it provides continuous, automated detection of network anomalies, actionable alerts, centralized monitoring, and integration with automated remediation workflows, enabling proactive security management for EC2 instances.