Incident Response — AWS Certified Security Specialty Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — Incident Response

1. A security engineer discovers that an IAM access key has been publicly exposed in a GitHub repository. What is the FIRST action to take to limit damage?

A.Immediately deactivate or delete the exposed IAM access key to stop any unauthorized use of those credentials.✓ Correct
B.Rotate the access key by generating a new one and updating all applications before deleting the old key.
C.Review CloudTrail logs to determine what actions were taken before taking any remediation steps.
D.Enable MFA on the root account to prevent further escalation of the compromised credentials.

Explanation

Deactivating/deleting the key immediately stops ongoing unauthorized use. Rotation (B) takes longer. Log review (C) is important but not the first step. MFA on root (D) doesn't address the exposed key.

2. After revoking a compromised IAM access key, which additional step BEST ensures the blast radius is fully understood and contained?

A.Attach a deny-all inline policy to the compromised IAM user or role to prevent any residual session from executing actions.✓ Correct
B.Delete the entire IAM user account immediately to ensure no further access is possible under any circumstances.
C.Disable AWS Organizations service control policies (SCPs) temporarily to allow faster incident investigation.
D.Enable AWS Shield Advanced on all resources to protect against any DDoS attacks launched using the stolen keys.

Explanation

A deny-all inline policy blocks active sessions that may still hold valid temporary tokens. Deleting the user (B) is too destructive and may lose audit data. SCPs (C) are unrelated. Shield (D) addresses DDoS, not key misuse.

3. A security team receives an AWS abuse notice indicating unauthorized API calls from an IAM role. Which CloudTrail feature allows them to quickly trace all actions taken by that specific role?

A.Filter CloudTrail Event History by the compromised role ARN using the 'User name' or 'Access key ID' filter to see all associated API calls.✓ Correct
B.Use AWS Config rules to query the configuration history of the IAM role and see all permission changes over time.
C.Enable VPC Flow Logs and filter by source IP to identify all network traffic generated by the compromised role.
D.Check AWS Trusted Advisor security recommendations to view a list of actions performed by high-risk IAM principals.

Explanation

CloudTrail Event History can be filtered by username or access key ID, directly surfacing every API call made by the compromised role. Config (B) tracks config changes, not API calls. VPC Flow Logs (C) show network traffic, not API actions. Trusted Advisor (D) doesn't log individual actions.

4. An investigator needs to determine whether a compromised access key was used to create new IAM users or escalate privileges. Which CloudTrail log field is MOST useful for identifying these specific actions?

A.The 'eventName' field, which records the specific API call made (e.g., CreateUser, AttachUserPolicy) and reveals privilege escalation attempts.✓ Correct
B.The 'sourceIPAddress' field, which shows the originating IP and helps geolocate the attacker but not the action taken.
C.The 'userAgent' field, which identifies the tool or SDK used by the attacker but not the specific resources modified.
D.The 'requestParameters' field alone, which contains the target resource details but omits the action type performed.

Explanation

The 'eventName' field directly names the API action (e.g., CreateUser, AttachUserPolicy), making it the primary indicator of privilege escalation. Source IP (B) and userAgent (C) are useful context but don't identify the action. requestParameters (D) without eventName is incomplete.

5. AWS sends an abuse notice to an account owner indicating that an EC2 instance is participating in a DDoS attack. What is the required response timeframe to avoid account suspension?

A.Respond to the AWS abuse notice within 24 hours by acknowledging the report and providing a remediation plan or evidence of corrective action.✓ Correct
B.Respond within 72 hours by submitting a formal security audit report to the AWS Trust & Safety team for review.
C.Respond within 7 business days by filing an official appeal through the AWS Support console with a signed attestation.
D.No response is required; AWS will automatically quarantine the offending instance and restore it after 48 hours.

Explanation

AWS expects a response within 24 hours to abuse notices to prevent account suspension. Delays beyond 24 hours risk suspension. AWS does not auto-restore instances (D), and 72-hour or 7-day windows (B, C) exceed the expected timeframe.

Practice all 54+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Security Specialty practice questions are there for Incident Response?↓

AnyCert has 54 AWS Certified Security Specialty practice questions specifically for the Incident Response domain, each with a detailed AI-tutored explanation.

Is Incident Response heavily tested on the AWS Certified Security Specialty exam?↓

Incident Response is one of the core domains in the AWS Certified Security Specialty exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the Incident Response domain for AWS Certified Security Specialty?↓

Practice all 54 Incident Response questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — Incident Response

1. A security engineer discovers that an IAM access key has been publicly exposed in a GitHub repository. What is the FIRST action to take to limit damage?

A.Immediately deactivate or delete the exposed IAM access key to stop any unauthorized use of those credentials.✓ Correct
B.Rotate the access key by generating a new one and updating all applications before deleting the old key.
C.Review CloudTrail logs to determine what actions were taken before taking any remediation steps.
D.Enable MFA on the root account to prevent further escalation of the compromised credentials.

Explanation

2. After revoking a compromised IAM access key, which additional step BEST ensures the blast radius is fully understood and contained?

A.Attach a deny-all inline policy to the compromised IAM user or role to prevent any residual session from executing actions.✓ Correct
B.Delete the entire IAM user account immediately to ensure no further access is possible under any circumstances.
C.Disable AWS Organizations service control policies (SCPs) temporarily to allow faster incident investigation.
D.Enable AWS Shield Advanced on all resources to protect against any DDoS attacks launched using the stolen keys.

Explanation

3. A security team receives an AWS abuse notice indicating unauthorized API calls from an IAM role. Which CloudTrail feature allows them to quickly trace all actions taken by that specific role?

A.Filter CloudTrail Event History by the compromised role ARN using the 'User name' or 'Access key ID' filter to see all associated API calls.✓ Correct
B.Use AWS Config rules to query the configuration history of the IAM role and see all permission changes over time.
C.Enable VPC Flow Logs and filter by source IP to identify all network traffic generated by the compromised role.
D.Check AWS Trusted Advisor security recommendations to view a list of actions performed by high-risk IAM principals.

Explanation

A.The 'eventName' field, which records the specific API call made (e.g., CreateUser, AttachUserPolicy) and reveals privilege escalation attempts.✓ Correct
B.The 'sourceIPAddress' field, which shows the originating IP and helps geolocate the attacker but not the action taken.
C.The 'userAgent' field, which identifies the tool or SDK used by the attacker but not the specific resources modified.
D.The 'requestParameters' field alone, which contains the target resource details but omits the action type performed.

Explanation

5. AWS sends an abuse notice to an account owner indicating that an EC2 instance is participating in a DDoS attack. What is the required response timeframe to avoid account suspension?

A.Respond to the AWS abuse notice within 24 hours by acknowledging the report and providing a remediation plan or evidence of corrective action.✓ Correct
B.Respond within 72 hours by submitting a formal security audit report to the AWS Trust & Safety team for review.
C.Respond within 7 business days by filing an official appeal through the AWS Support console with a signed attestation.
D.No response is required; AWS will automatically quarantine the offending instance and restore it after 48 hours.

Explanation

Practice all 54+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Security Specialty practice questions are there for Incident Response?↓

AnyCert has 54 AWS Certified Security Specialty practice questions specifically for the Incident Response domain, each with a detailed AI-tutored explanation.

Is Incident Response heavily tested on the AWS Certified Security Specialty exam?↓

How should I study the Incident Response domain for AWS Certified Security Specialty?↓