AWS Certified Security – Specialty (SCS-C02) — Question 143
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts.
A security engineer must determine if the credentials were used to access the company's resources from an external account.
Which solution will provide this information?
Answer options
- A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
- B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
- C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
- D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
Correct answer: A
Explanation
The correct answer is A. GuardDuty is the only listed service that detects this threat directly: when the temporary credentials issued to an EC2 instance through its instance profile are used from somewhere other than that instance, GuardDuty raises an UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding. The InsideAWS variant means the credentials were used from another AWS account, and the finding's remote account details record that account ID and whether it is affiliated with the company; the OutsideAWS variant means they were used from an IP address outside AWS. The InsideAWS finding therefore answers exactly the question asked, and the finding also names the access key ID, the API called and the remote IP, which is what the engineer needs to scope the incident.
B is wrong because Audit Manager collects evidence for compliance assessments; it does not produce threat findings, so no InstanceCredentialExfiltration events appear in its reports. C and D are wrong for two reasons. First, GetSessionToken is not the call to look for: the stolen credentials are already a usable role session, and GetSessionToken must be called with an IAM user's long-term credentials, not with the temporary role credentials an instance profile provides. Second, when the stolen session is used, CloudTrail (and the copy of it delivered to CloudWatch Logs) records the event in the company's own account under the company's own account ID, because that is the account the role belongs to; filtering on an account ID from outside the company would therefore return nothing. The useful signal in those CloudTrail events is the source IP address, and correlating it is precisely what GuardDuty already does for you.
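As an added illustration (not part of the original question or its explanation, and not AWS code), the following Python triages findings of this type offline over constructed sample data, and checks constructed CloudTrail records for the same access key to show why the foreign-account-ID filter proposed in options C and D comes back empty. Field paths follow the GuardDuty finding format and the CloudTrail record format; every account ID, access key ID, IP address and role name is made up.

```python
"""Triage GuardDuty InstanceCredentialExfiltration findings and correlate them
with CloudTrail. Added example for this question, not the page's or AWS's own
code. It runs offline over constructed sample data: GuardDuty findings in the
JSON export / EventBridge shape (lowercase keys, paths as in the GuardDuty
finding format) and CloudTrail records. Account IDs, key IDs, IPs and names
are made up; in production the findings come from guardduty:GetFindings."""

EXFIL_PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"
COMPANY_ACCOUNT = "111111111111"   # constructed: the account that owns the role


def _finding(variant, key_id, api, service, remote_ip, remote_account=None):
    """Build a constructed GuardDuty finding of the given exfiltration variant."""
    call = {"api": api, "serviceName": service,
            "remoteIpDetails": {"ipAddressV4": remote_ip}}
    if remote_account:                      # only InsideAWS findings carry this
        call["remoteAccountDetails"] = {"accountId": remote_account, "affiliated": False}
    return {"accountId": COMPANY_ACCOUNT,
            "type": EXFIL_PREFIX + "." + variant,
            "resource": {"accessKeyDetails": {"accessKeyId": key_id,
                                              "userType": "AssumedRole",
                                              "userName": "app-server-role"}},
            "service": {"action": {"actionType": "AWS_API_CALL",
                                   "awsApiCallAction": call}}}


SAMPLE_FINDINGS = [
    # credentials reused from another AWS account -> InsideAWS variant
    _finding("InsideAWS", "ASIAEXAMPLEKEY00001", "ListBuckets",
             "s3.amazonaws.com", "203.0.113.10", remote_account="999999999999"),
    # credentials reused from an IP outside AWS -> OutsideAWS variant
    _finding("OutsideAWS", "ASIAEXAMPLEKEY00002", "GetCallerIdentity",
             "sts.amazonaws.com", "198.51.100.7"),
    # unrelated finding that must be ignored
    {"accountId": COMPANY_ACCOUNT, "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"resourceType": "Instance"},
     "service": {"action": {"actionType": "PORT_PROBE"}}},
]


def _trail(event, source, ip, key_id, user_type="AssumedRole"):
    """Build a constructed CloudTrail record. Every record carries the company's
    own account ID even when the call came from elsewhere, which is why
    filtering CloudTrail on a foreign account ID (options C and D) finds nothing."""
    return {"eventName": event, "eventSource": source, "sourceIPAddress": ip,
            "recipientAccountId": COMPANY_ACCOUNT,
            "userIdentity": {"type": user_type, "accountId": COMPANY_ACCOUNT,
                             "accessKeyId": key_id}}


SAMPLE_CLOUDTRAIL = [
    _trail("GetObject", "s3.amazonaws.com", "192.0.2.25", "ASIAEXAMPLEKEY00001"),       # from the instance
    _trail("ListBuckets", "s3.amazonaws.com", "203.0.113.10", "ASIAEXAMPLEKEY00001"),  # from the attacker
    _trail("DescribeInstances", "ec2.amazonaws.com", "192.0.2.25", "AKIAEXAMPLEUSERKEY1", "IAMUser"),
]


def exfiltration_findings(findings):
    """Select InstanceCredentialExfiltration findings and summarise what the
    analyst needs: which key, from where, and whether a foreign account used it."""
    summaries = []
    for finding in findings:
        ftype = finding.get("type", "")
        if not ftype.startswith(EXFIL_PREFIX):
            continue
        key = finding["resource"]["accessKeyDetails"]
        call = finding["service"]["action"].get("awsApiCallAction", {})
        remote_acct = call.get("remoteAccountDetails") or {}
        summaries.append({
            "variant": ftype.rsplit(".", 1)[-1],            # InsideAWS / OutsideAWS
            "accessKeyId": key["accessKeyId"],
            "role": key.get("userName"),
            "api": call.get("api"),
            "remoteIp": call.get("remoteIpDetails", {}).get("ipAddressV4"),
            "remoteAccountId": remote_acct.get("accountId"),
            # True only when GuardDuty saw another, non-affiliated AWS account
            "externalAccount": bool(remote_acct) and not remote_acct.get("affiliated", False),
        })
    return summaries


def cloudtrail_use_of_key(records, access_key_id):
    """Return (eventName, sourceIPAddress, accountId) for every CloudTrail record
    made with the given access key: the source IP, not the account ID, is what
    separates the attacker's calls from the instance's own."""
    return [(r["eventName"], r["sourceIPAddress"], r["userIdentity"]["accountId"])
            for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]


def foreign_account_records(records, company_account):
    """The filter options C and D propose: records whose calling account ID is
    not the company's. For exfiltrated instance credentials this is empty."""
    return [r for r in records
            if r.get("userIdentity", {}).get("accountId") != company_account]


if __name__ == "__main__":
    for summary in exfiltration_findings(SAMPLE_FINDINGS):
        print(summary, cloudtrail_use_of_key(SAMPLE_CLOUDTRAIL, summary["accessKeyId"]))
    print("foreign-account records:", foreign_account_records(SAMPLE_CLOUDTRAIL, COMPANY_ACCOUNT))
```

Run as-is, the InsideAWS summary shows remote account 999999999999 flagged as external, the CloudTrail lookup for that key shows two calls under the company's own account ID from two different source IPs, and the foreign-account filter returns an empty list.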