
AWS Incident Response Microcredential Sample Questions

Try 12 AWS Incident Response Microcredential planning questions on detection, triage, containment, evidence, CloudTrail, GuardDuty, IAM compromise, isolation, recovery, and post-incident review while formal public details are still being monitored.

Use this page if you are tracking AWS incident-response credential updates and want an early self-check around cloud security operations.

This is an update-watch page. It is not an official AWS exam guide. Until formal public details are available, treat the model below as practical preparation for AWS incident detection, triage, containment, evidence preservation, recovery, and review.


Start with the 12 sample questions on this page. Dedicated practice for AWS Incident Response Microcredential is not currently included as a full web-app practice page; enter your email to get updates when full practice becomes available or expands for this exam.

Need live practice now? See AWS SCS-C03 Security Specialty.

We only publish independently written practice questions, not real, leaked, copied, or recalled exam questions.

Candidate preparation model

Area and what to be ready to reason through:

  • Detection and triage: Interpret alerts, CloudTrail events, GuardDuty findings, logs, and suspicious behavior.
  • Containment: Restrict compromised identities, isolate resources, block exfiltration paths, and preserve service where possible.
  • Evidence: Preserve logs, snapshots, configuration state, timelines, and chain-of-custody notes.
  • Recovery: Rotate credentials, rebuild from trusted baselines, close root causes, and validate restored controls.
  • Improvement: Convert lessons into runbooks, detections, automation, and prevention controls.

Sample Exam Questions

Try these 12 original AWS Incident Response Microcredential planning questions. They are designed for self-assessment and are not official AWS exam questions.

Question 1

Topic: IAM credential compromise

GuardDuty reports unusual API calls from an access key used by a deployment role. What should happen first?

  • A. Publish the access key in the incident channel
  • B. Validate the finding, restrict or rotate the credential, preserve evidence, and review recent API activity
  • C. Delete CloudTrail logs to reduce noise
  • D. Ignore the finding because deployment roles are expected to call APIs

Best answer: B

Explanation: A suspected credential compromise requires fast containment and evidence preservation. Restricting or rotating the credential, then reviewing CloudTrail and related signals, is safer than assuming the role is behaving normally.


Question 2

Topic: evidence preservation

An EC2 instance may be compromised. The team needs forensic evidence before rebuilding. Which action is most appropriate?

  • A. Immediately terminate the instance and delete all attached volumes
  • B. Preserve relevant snapshots, logs, metadata, security-group state, and timeline details before destructive cleanup
  • C. Disable all monitoring
  • D. Share root credentials with the investigation team

Best answer: B

Explanation: Incident response should preserve evidence before irreversible changes. Snapshots, logs, configuration state, and timelines support analysis and defensible recovery decisions.


Question 3

Topic: containment

An instance is communicating with a known malicious IP address. The application is not business critical. What containment step is most defensible?

  • A. Ignore the traffic until the next patch window
  • B. Add more public IP addresses
  • C. Isolate the instance using network controls while preserving evidence for review
  • D. Disable the entire account

Best answer: C

Explanation: Isolation reduces ongoing risk while preserving the instance for investigation. The response should be proportional to business impact and evidence needs.


Question 4

Topic: CloudTrail analysis

An attacker may have changed security groups to allow inbound SSH from the internet. Which source best helps reconstruct the administrative action?

  • A. A marketing dashboard
  • B. User-agent strings from a web CDN only
  • C. An unrelated application log
  • D. CloudTrail management events for the security-group change

Best answer: D

Explanation: CloudTrail records many control-plane API actions, including security group changes. It helps identify who changed what, when, and from where.
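The two CloudTrail tasks these questions describe, reviewing the recent API activity of a suspect access key (Question 1) and reconstructing who changed a security group, when, and from where (Question 4), both come down to filtering management events. The script below is an added example, not part of the original page or any AWS tooling. It runs offline over constructed records that follow the CloudTrail record layout (eventTime, eventName, sourceIPAddress, userIdentity, requestParameters); the account ID, ARNs, access key IDs, security-group IDs, IP addresses, and timestamps are all made up.

```python
"""Triage helpers over CloudTrail management events.

Added example using constructed sample data in the CloudTrail record layout;
account ID, ARNs, key IDs, IPs, group IDs and timestamps are made up.
"""
from collections import Counter

SSH_PORT = 22
ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # "from anywhere" CIDRs for IPv4 and IPv6


def _record(event_time, event_name, source_ip, key_id, arn, params=None,
            event_source="ec2.amazonaws.com"):
    """Build one constructed CloudTrail record (same field names as real records)."""
    return {
        "eventTime": event_time,
        "eventSource": event_source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": "AssumedRole", "arn": arn, "accessKeyId": key_id},
        "requestParameters": params or {},
    }


def _sg_ingress(group_id, from_port, to_port, cidrs):
    """requestParameters for AuthorizeSecurityGroupIngress (constructed values)."""
    return {
        "groupId": group_id,
        "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": from_port, "toPort": to_port,
            "ipRanges": {"items": [{"cidrIp": c} for c in cidrs if ":" not in c]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in cidrs if ":" in c]},
        }]},
    }


DEPLOY_KEY = "ASIAEXAMPLEDEPLOY01"                                            # constructed
DEPLOY_ARN = "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-runner"  # constructed
OTHER_ARN = "arn:aws:sts::123456789012:assumed-role/netops-role/alice"        # constructed

# Constructed sample timeline, deliberately out of order as delivered logs often are.
SAMPLE_RECORDS = [
    _record("2026-05-20T02:14:07Z", "AuthorizeSecurityGroupIngress", "203.0.113.45",
            DEPLOY_KEY, DEPLOY_ARN, _sg_ingress("sg-0abc123example", 22, 22, ["0.0.0.0/0"])),
    _record("2026-05-20T02:10:31Z", "DescribeInstances", "198.51.100.7",
            DEPLOY_KEY, DEPLOY_ARN),
    _record("2026-05-20T02:12:55Z", "ListBuckets", "203.0.113.45",
            DEPLOY_KEY, DEPLOY_ARN, event_source="s3.amazonaws.com"),
    _record("2026-05-20T01:58:00Z", "AuthorizeSecurityGroupIngress", "198.51.100.9",
            "ASIAEXAMPLENETOPS02", OTHER_ARN,
            _sg_ingress("sg-0def456example", 443, 443, ["10.0.0.0/8"])),
]


def opens_ssh_to_internet(record):
    """True when the record authorises inbound TCP/22 from any IPv4 or IPv6 source."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        if perm.get("ipProtocol") not in ("tcp", "-1"):   # "-1" means all protocols
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if not lo <= SSH_PORT <= hi:
            continue
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        if any(r.get("cidrIp", r.get("cidrIpv6")) in ANY_SOURCE for r in ranges):
            return True
    return False


def reconstruct_sg_changes(records):
    """Who changed what, when, and from where, for SSH-from-anywhere changes (Question 4)."""
    hits = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if opens_ssh_to_internet(r):
            hits.append({
                "when": r["eventTime"],
                "who": r["userIdentity"]["arn"],
                "key": r["userIdentity"]["accessKeyId"],
                "what": f'{r["eventName"]} on {r["requestParameters"]["groupId"]}',
                "where": r["sourceIPAddress"],
            })
    return hits


def access_key_activity(records, key_id, known_source_ips=()):
    """Summarise one access key's recent API activity (Question 1): ordered timeline,
    per-API counts, and source IPs outside the set the key is expected to use."""
    mine = sorted((r for r in records if r["userIdentity"].get("accessKeyId") == key_id),
                  key=lambda r: r["eventTime"])
    return {
        "timeline": [(r["eventTime"], r["eventName"], r["sourceIPAddress"]) for r in mine],
        "api_counts": Counter(r["eventName"] for r in mine),
        "unexpected_ips": sorted({r["sourceIPAddress"] for r in mine} - set(known_source_ips)),
    }


if __name__ == "__main__":
    for hit in reconstruct_sg_changes(SAMPLE_RECORDS):
        print("SSH-from-anywhere change:", hit)
    summary = access_key_activity(SAMPLE_RECORDS, DEPLOY_KEY, known_source_ips=["198.51.100.7"])
    for entry in summary["timeline"]:
        print(*entry)
    print("unexpected source IPs:", summary["unexpected_ips"])
```

Against the constructed data, the deployment key's timeline shows benign activity from its usual CI address followed by S3 enumeration and the security-group change from an address the key has never used, which is the kind of pattern that justifies restricting or rotating the key before the review is finished. In a real investigation the records would come from CloudTrail Lake, an S3 trail, or CloudTrail event history rather than an inline list, and the known-source list would come from the role's documented runners.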


Question 5

Topic: S3 exposure

A public S3 bucket exposure is discovered. What is the safest response sequence?

  • A. Contain public access, preserve access evidence, assess exposure scope, rotate affected secrets if needed, and fix the policy
  • B. Announce that no data was exposed before checking logs
  • C. Delete all logs immediately
  • D. Move the same policy to another bucket

Best answer: A

Explanation: The team should stop exposure, preserve evidence, determine what may have been accessed, rotate secrets if necessary, and correct the policy or account-level public-access controls.


Question 6

Topic: automation

The same suspicious port is repeatedly opened by mistake across accounts. What improvement best reduces recurrence?

  • A. Ask teams to remember better
  • B. Remove all network logging
  • C. Add preventive policy controls, detection rules, and automated remediation with approval where appropriate
  • D. Disable all security groups

Best answer: C

Explanation: Repeated incidents should drive preventive and detective controls. Policy guardrails, alerts, and controlled automation reduce recurrence more reliably than reminders alone.


Question 7

Topic: ransomware response

An application volume shows signs of ransomware encryption. What is the best recovery principle?

  • A. Rebuild from trusted backups or golden images after containment and root-cause analysis
  • B. Continue using the affected volume without validation
  • C. Disable backup retention
  • D. Pay immediately without assessing scope

Best answer: A

Explanation: Recovery should use trusted sources after containment and analysis. Restoring without understanding root cause risks reinfection or incomplete remediation.


Question 8

Topic: alert triage

Security Hub shows multiple findings across IAM, S3, and EC2. What is the best triage approach?

  • A. Sort by visual preference
  • B. Close all low-severity findings automatically
  • C. Investigate every finding in alphabetical order
  • D. Prioritize by severity, asset criticality, exploitability, exposure, and evidence quality

Best answer: D

Explanation: Incident triage should combine technical severity with business and exposure context. Critical assets and externally exploitable paths usually deserve earlier attention.


Question 9

Topic: root account protection

CloudTrail shows use of the AWS account root user from an unfamiliar location. What should the team do?

  • A. Treat it as high severity, secure the root account, rotate credentials, review account activity, and verify MFA and contact settings
  • B. Ignore it because root usage is always safe
  • C. Delete the account email address
  • D. Add another root access key

Best answer: A

Explanation: Unfamiliar root usage is high risk. The response should secure the root identity, review activity, rotate or remove credentials, and confirm account recovery settings.


Question 10

Topic: post-incident review

After containment and recovery, what should the team do next?

  • A. Document the timeline, root cause, control gaps, response lessons, and follow-up actions
  • B. Delete the incident ticket to reduce audit burden
  • C. Disable lessons-learned meetings
  • D. Remove monitoring to avoid future alerts

Best answer: A

Explanation: Post-incident review turns an incident into better controls, runbooks, detections, and training. It should be blameless, specific, and action-oriented.


Question 11

Topic: communication

An incident may involve customer data, but the scope is not confirmed. What is the best communication posture?

  • A. Make unsupported public claims
  • B. Share all raw logs with everyone in the company
  • C. Use approved escalation paths, legal/compliance coordination, and fact-based updates while scope is assessed
  • D. Wait until all evidence is gone

Best answer: C

Explanation: Sensitive incidents need controlled, accurate communication. Legal, compliance, and leadership channels help avoid overstatement, understatement, and accidental disclosure.


Question 12

Topic: runbook readiness

Which runbook detail is most useful during a live AWS incident?

  • A. A clear decision path for detection, severity, containment, evidence, recovery, communications, and handoff owners
  • B. A generic statement that security is important
  • C. A list of unrelated marketing contacts
  • D. A policy to avoid documenting decisions

Best answer: A

Explanation: Runbooks should help responders make time-sensitive decisions. Owner assignments, severity criteria, containment actions, evidence steps, and communication paths reduce confusion.

What to open now

  • Need current AWS security practice? Open AWS SCS-C03.
  • Need operations and incident remediation first? Open AWS SOA-C03.
  • Want notifications for this possible microcredential route? Use the Notify me form above.
Revised on Monday, May 25, 2026