Try 10 focused AWS SCS-C03 questions on Incident Response, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | AWS SCS-C03 |
| Topic area | Incident Response |
| Blueprint weight | 14% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Incident Response for AWS SCS-C03. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Incident Response
An incident response team is investigating suspicious use of an IAM role. The team must reconstruct event timing and affected resources by correlating API activity, VPC network flows, DNS queries, and security findings across 30 AWS accounts and multiple Regions. Investigators need a central, queryable evidence source. Which approach best satisfies this requirement?
Options:
A. Send GuardDuty findings from all accounts to one SNS topic
B. Run CloudWatch Logs Insights queries in each application account
C. Create a CloudTrail Lake event data store in each account
D. Deploy Amazon Security Lake with organization-wide log collection
Best answer: D
Explanation: Amazon Security Lake is the best fit for cross-service forensic correlation across many accounts and Regions. It can centralize supported security log sources such as CloudTrail events, VPC Flow Logs, Route 53 Resolver query logs, and Security Hub findings into a security data lake using OCSF normalization. That gives investigators a common schema and central query location to reconstruct timelines and identify affected resources without separately searching each account. CloudTrail Lake is strong for CloudTrail event analysis, but it does not provide the same broad, normalized correlation layer for network, DNS, and finding data. The key takeaway is to choose the evidence store that matches the scope of the investigation, not only the first detection signal.
Topic: Incident Response
A security team isolated an Amazon EC2 instance after GuardDuty reported credential exfiltration and file encryption activity. The application was rebuilt from AWS Backup in an isolated recovery VPC. Which recovery action is best supported by the evidence?
Exhibit: Recovery validation note
Original instance: isolated; EBS snapshots preserved
Restored backup: 02:00 UTC recovery point
Inspector scan: no critical/high findings
EDR scan: no malware detected
Application checksum: matches approved release artifact
CloudTrail: compromised access key disabled before restore
Options:
A. Delete the original instance and snapshots
B. Promote the validated restore to production
C. Restore the latest backup directly to production
D. Declare the entire AWS account uncompromised
Best answer: B
Explanation: Recovery should use a known-good state only after containment and validation. The evidence shows that the compromised instance remains isolated, forensic snapshots are preserved, the restored recovery point was checked in a separate recovery VPC, and the restored application matches the approved artifact. Because the compromised access key was disabled before the restore is promoted, the evidence supports returning service from the validated backup. It does not prove every resource in the account is safe, and it does not justify destroying evidence needed for root cause analysis.
Topic: Incident Response
A security team is preparing to test an automated AWS incident-response runbook for GuardDuty findings that indicate possible EC2 credential exfiltration. The runbook can quarantine instances, detach instance profiles, and revoke active sessions. The workload processes regulated data, false positives are possible, and production disruption must be minimized while preserving forensic evidence. What is the BEST security decision before enabling remediation in production?
Options:
A. Run remediation automatically for every matching GuardDuty finding
B. Add approvals, rollback criteria, and evidence checks to the runbook
C. Grant the automation administrator access to simplify testing
D. Disable remediation and rely only on analyst notifications
Best answer: B
Explanation: Automated incident-response testing should prove that the runbook is safe, repeatable, and evidence-aware before production use. For a regulated workload with possible false positives, the test plan should include human approval points before high-impact actions, checks that forensic artifacts such as snapshots and logs are captured before containment or credential revocation, and rollback criteria for changes such as security group updates or instance profile detachment. This balances speed with evidence preservation and operational risk. Fully automatic remediation can be appropriate for low-risk actions, but disruptive actions in this scenario need controlled gates and recovery conditions.
Topic: Incident Response
A security team receives medium-severity findings from GuardDuty and AWS Config across several accounts. The team does not need to declare a major incident or page responders, but it must assign investigation tasks, link related AWS resources, record actions taken, and run approved Systems Manager Automation documents during remediation. Which control best satisfies these requirements?
Options:
A. Use AWS Systems Manager OpsCenter to manage OpsItems
B. Use AWS Systems Manager Incident Manager response plans
C. Use AWS Security Hub to archive the findings
D. Use Amazon EventBridge rules to invoke Lambda functions
Best answer: A
Explanation: AWS Systems Manager OpsCenter is the right fit when the team needs an operational work record rather than a full incident declaration. OpsCenter uses OpsItems to centralize issue context, affected resources, related findings, status, severity, ownership, and remediation history. It also integrates with Systems Manager Automation so responders can run approved runbooks from the same operational record. This supports coordinated response tasks and auditable operational tracking for lower- or medium-severity events. Incident Manager is better when the requirement includes incident declaration, escalation, responder engagement, and on-call coordination.
Topic: Incident Response
A company’s security team receives a high-severity GuardDuty finding for an EC2 instance in a production member account. CloudTrail and VPC Flow Logs are available, and the instance processes regulated customer data. During the response, the security team cannot determine who is authorized to approve isolation of the instance or how to escalate after business hours. Which incident response plan element is missing?
Options:
A. A new service control policy denying EC2 network changes
B. An automated Lambda function that terminates affected instances
C. An escalation matrix with response owners and approval authority
D. A centralized CloudTrail Lake event data store
Best answer: C
Explanation: Incident response plans must define roles, responsibilities, decision authority, and escalation paths before an incident occurs. In this scenario, the technical evidence exists, but responders do not know who can approve containment for a production instance that handles regulated data, especially after hours. That points to a missing ownership and escalation element, often documented as an escalation matrix, contact tree, or RACI model. The plan should identify incident commander responsibilities, application and platform owners, legal or compliance contacts when sensitive data is involved, and who can authorize potentially disruptive containment actions. More logging or preventive policy controls do not solve the immediate governance gap.
Topic: Incident Response
A company is writing incident response runbooks for EC2 workloads in private subnets across multiple AWS accounts. During a suspected compromise, responders must quickly isolate an instance, collect evidence, and run approved commands without opening inbound management ports. Which toolset should the company deploy before an incident?
Options:
A. CloudTrail Lake event data stores and saved queries
B. Security Hub custom insights and finding aggregation
C. AWS Config rules with automatic remediation
D. Systems Manager managed instances and Automation runbooks
Best answer: D
Explanation: For EC2 incident response preparation, AWS Systems Manager is the right operational control. Instances must be managed before the incident with SSM Agent, appropriate instance profiles, network reachability to Systems Manager endpoints, and least-privilege responder roles. Automation runbooks can encode approved steps such as isolating an instance by changing security groups, collecting command output, and creating snapshots while preserving auditability. This supports rapid, repeatable response without SSH/RDP exposure. CloudTrail Lake, Security Hub, and AWS Config can help with detection, investigation, or compliance, but they do not by themselves provide the private, command-execution and runbook automation path needed for immediate EC2 response actions.
Topic: Incident Response
A company runs a public web application behind Amazon CloudFront with an Application Load Balancer origin. The security team is updating the incident readiness plan for possible DDoS attacks. They want AWS to provide enhanced DDoS detection and mitigation support and to contact the on-call team when an attack threatens application availability.
Which control should the team implement?
Options:
A. Enable AWS Shield Advanced with protected resources and proactive engagement
B. Enable AWS WAF managed rules only on the CloudFront distribution
C. Create Amazon GuardDuty findings notifications for the CloudFront distribution
D. Deploy AWS Network Firewall in the VPC before the ALB
Best answer: A
Explanation: AWS Shield Advanced is designed for DDoS readiness and response for internet-facing resources such as CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, Elastic IP addresses, and load balancers. For this scenario, the team should subscribe to Shield Advanced, add the CloudFront distribution and relevant origin-facing resources as protected resources, and configure proactive engagement with health checks and emergency contacts. This gives the organization enhanced detection, mitigation visibility, and access to AWS DDoS response assistance when availability is at risk. AWS WAF is useful for application-layer filtering, but by itself it does not provide the same Shield Advanced incident response support.
Topic: Incident Response
An organization’s incident response plan requires analysts to use investigative notebooks during high-severity incidents. Evidence copies from CloudTrail, VPC Flow Logs, and GuardDuty are stored in a central S3 bucket and must not be modified by analysts. Which approach best supports this workflow?
Options:
A. Use a SageMaker AI notebook with a read-only evidence IAM role
B. Use CloudTrail Lake saved queries as the notebook platform
C. Use Amazon Detective only for all evidence analysis
D. Use AWS Systems Manager Session Manager on production instances
Best answer: A
Explanation: SageMaker AI notebooks can support incident response analysis workflows when a runbook requires investigative notebooks. Analysts can use a managed Jupyter-style environment to run Python or other analysis against copied evidence, while the notebook execution role is limited to read-only access to the evidence bucket. This keeps the analysis environment separate from production systems and helps preserve evidence integrity. Amazon Detective and CloudTrail Lake can help investigations, but they do not replace a notebook-based analysis requirement.
Topic: Incident Response
A company’s production web application was contained after credentials on an EC2 instance were abused to encrypt files on attached EBS volumes and modify application binaries. AWS Backup has recovery points from before and after the first suspicious CloudTrail activity. The incident commander must recover service without reintroducing malware and must preserve the compromised volumes. Which recovery action is best?
Options:
A. Restore the latest recovery point directly over the production volumes.
B. Reopen production after enabling GuardDuty Malware Protection for the account.
C. Restore a pre-incident recovery point into an isolated VPC, validate it, then cut over.
D. Detach and delete the compromised volumes, then rebuild from the current AMI.
Best answer: C
Explanation: Recovery should not simply put systems back online from an unvalidated state. After containment, use a recovery point from before the suspected compromise, restore it into an isolated environment, and verify that the data, binaries, configuration, and required security controls are clean and functional. Keep compromised volumes or snapshots preserved for investigation rather than overwriting or deleting them. Only after validation should traffic or production dependencies be shifted to the restored environment. The key distinction is recovery with evidence preservation and safety validation, not the fastest possible restore.
Topic: Incident Response
A company is updating its incident response runbook for 60 AWS accounts in AWS Organizations. Responders must be able to investigate within minutes, access must be attributable to individual users, containment permissions must not be available as broad standing privileges, and all role use must be visible in CloudTrail. Which access provisioning approach is the BEST security decision?
Options:
A. Create responder roles manually during each incident
B. Share workload account root credentials in a vault
C. Pre-provision scoped roles with time-bound STS access
D. Assign permanent AdministratorAccess to the response group
Best answer: C
Explanation: Incident response access should be ready before an incident, but not broadly available at all times. Pre-provision dedicated investigation and containment roles across accounts, scope each role to the runbook task, and allow responders to obtain time-bound AWS STS credentials through an identity-aware approval path such as IAM Identity Center integration. This supports rapid response, individual attribution, and CloudTrail visibility without giving responders permanent administrator privileges. Separate roles also reduce blast radius by keeping evidence-collection permissions distinct from disruptive containment actions. Permanent admin access is faster but violates least privilege; creating roles during an incident is safer on paper but can delay response or fail if account access is already impaired.
Use the AWS SCS-C03 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try AWS SCS-C03 on Web View AWS SCS-C03 Practice Test
Use the practice page above for mixed-topic practice, timed mocks, explanations, and app access.