Q47 — AWS SCS-C02 Ch.1
A company suspects that an attacker has exploited an overly permissive role to export credentials from Amazon EC2 instance metadata. The company uses Amazon GuardDuty and AWS Audit Manager. The company has enabled AWS CloudTrail logging and Amazon CloudWatch logging for all of its AWS accounts. A security engineer must determine if the credentials were used to access the company's resources from an external account. Which solution will provide this information?
- A. Review GuardDuty findings to find InstanceCredentialExfiltration events. ✓
- B. Review assessment reports in the Audit Manager console to find InstanceCredentialExfiltration events.
- C. Review CloudTrail logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
- D. Review CloudWatch logs for GetSessionToken API calls to AWS Security Token Service (AWS STS) that come from an account ID from outside the company.
Correct Answer: A. Review GuardDuty findings to find InstanceCredentialExfiltration events.
Explanation
Amazon GuardDuty's InstanceCredentialExfiltration finding types (UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS and UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS) exist specifically to detect temporary credentials that were issued to an EC2 instance through its instance profile being used from somewhere other than that instance. The InsideAWS variant covers the scenario in the question: the credentials are used from another AWS account, and the finding records the remote account ID and whether that account is affiliated with the company's organization, which is exactly the information the security engineer needs. Option B is wrong because Audit Manager collects evidence for compliance assessments; it does not perform threat detection and does not emit GuardDuty finding types. Options C and D are wrong for two reasons: the exfiltrated credentials are already temporary credentials, so the attacker has no reason to call GetSessionToken, and CloudTrail records the identity of the credentials being used (the company's role session), not the AWS account ID of whoever is using them, so filtering CloudTrail or CloudWatch Logs by an external account ID would not surface the misuse. Option A is the only choice that maps directly to automated detection of this credential-exfiltration scenario.
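To make the "external account" determination concrete, the following is an added example (not code from the original page or from AWS) that triages a set of GuardDuty findings and pulls out the fields that answer the question: the finding type, the access key that was exfiltrated, the instance it belonged to, the remote IP, and, for InsideAWS findings, the remote AWS account and its affiliation flag. The finding dictionaries mirror the PascalCase shape returned by boto3's `guardduty.get_findings()` (Type, Resource.AccessKeyDetails, Service.Action.AwsApiCallAction.RemoteAccountDetails); the sample findings themselves are constructed, and every account ID, key ID, instance ID and IP address is a placeholder.

```python
"""Triage GuardDuty InstanceCredentialExfiltration findings.

Added example; the SAMPLE_FINDINGS list is constructed to look like
guardduty.get_findings()["Findings"] and contains placeholder identifiers.
"""
from __future__ import annotations

EXFIL_PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration."


def _exfil_finding(fid, variant, api, remote_ip, remote_account=None, affiliated=None):
    """Build one constructed finding in the get_findings() shape (sample data only)."""
    action = {
        "Api": api,
        "ServiceName": "s3.amazonaws.com",
        "RemoteIpDetails": {"IpAddressV4": remote_ip},
    }
    if remote_account is not None:  # only present for the InsideAWS variant
        action["RemoteAccountDetails"] = {"AccountId": remote_account, "Affiliated": affiliated}
    return {
        "Id": fid,
        "AccountId": "111111111111",          # placeholder victim account
        "Type": EXFIL_PREFIX + variant,
        "Severity": 8.0,
        "Resource": {
            "ResourceType": "AccessKey",
            "AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE" + fid[-1],
                                 "UserName": "app-role", "UserType": "AssumedRole"},
            "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"},  # placeholder
        },
        "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": action}},
    }


# Constructed sample: one non-affiliated account, one org-affiliated account,
# one use from outside AWS entirely, and one unrelated finding that must be ignored.
SAMPLE_FINDINGS = [
    _exfil_finding("f1", "InsideAWS", "ListBuckets", "198.51.100.10", "999999999999", False),
    _exfil_finding("f2", "InsideAWS", "GetObject", "198.51.100.11", "222222222222", True),
    _exfil_finding("f3", "OutsideAWS", "ListBuckets", "203.0.113.7"),
    {"Id": "f4", "AccountId": "111111111111", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "Resource": {"ResourceType": "Instance"}, "Service": {"Action": {}}},
]


def summarize_exfiltration(findings):
    """Return one summary dict per InstanceCredentialExfiltration finding."""
    rows = []
    for f in findings:
        ftype = f.get("Type", "")
        if not ftype.startswith(EXFIL_PREFIX):
            continue
        api = f.get("Service", {}).get("Action", {}).get("AwsApiCallAction", {})
        remote = api.get("RemoteAccountDetails") or {}
        key = f.get("Resource", {}).get("AccessKeyDetails", {})
        inst = f.get("Resource", {}).get("InstanceDetails", {})
        rows.append({
            "id": f.get("Id"),
            "variant": ftype[len(EXFIL_PREFIX):],          # InsideAWS / OutsideAWS
            "access_key": key.get("AccessKeyId"),
            "role": key.get("UserName"),
            "instance": inst.get("InstanceId"),
            "api": api.get("Api"),
            "remote_ip": api.get("RemoteIpDetails", {}).get("IpAddressV4"),
            "remote_account": remote.get("AccountId"),     # None unless InsideAWS
            "affiliated": remote.get("Affiliated"),        # None unless InsideAWS
        })
    return rows


def external_account_use(findings):
    """Findings showing the credentials used from an AWS account outside the company."""
    return [r for r in summarize_exfiltration(findings)
            if r["variant"] == "InsideAWS" and r["remote_account"] and not r["affiliated"]]


if __name__ == "__main__":
    for r in external_account_use(SAMPLE_FINDINGS):
        print(f"{r['id']}: key {r['access_key']} from instance {r['instance']} "
              f"used by account {r['remote_account']} ({r['api']} from {r['remote_ip']})")
```

Against a real detector the same filter is applied server-side with `aws guardduty list-findings --detector-id <id> --finding-criteria '{"Criterion":{"type":{"Eq":["UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS","UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"]}}}'` followed by `get-findings`; an InsideAWS finding whose RemoteAccountDetails.Affiliated is false is the direct answer to "was it used from an external account", while an OutsideAWS finding carries only the remote IP and no account ID.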