Log Analysis PBQs: AWS Certified Security - Specialty (SCS-C03)
Question 1 of 3 (difficulty: easy)
You are a cloud security engineer responding to an automated AWS GuardDuty alert indicating a possible data exposure event in your production AWS account. The alert triggered approximately 20 minutes ago. Your security operations team has asked you to review the recent CloudTrail events and GuardDuty findings in your SIEM dashboard to determine what happened, identify the scope of the exposure, and recommend an immediate response. Flag all log entries related to the suspicious activity and answer the incident questions.
Objectives
- Review the CloudTrail events and GuardDuty findings for suspicious activity in the last 30 minutes
- Flag all log entries related to the S3 bucket exposure incident
- Classify the type of security incident
- Identify the affected S3 bucket
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 14:00:00 | INFO | cloudtrail | ListBuckets called by user:data-engineer via console from 10.0.1.22 |
| 14:02:30 | INFO | cloudtrail | DescribeInstances called by role:prod-monitoring-role from 10.0.2.10 |
| 14:05:15 | WARN | cloudtrail | PutBucketPolicy called by user:dev-intern on bucket:customer-data-prod -- policy grants s3:GetObject to Principal: * |
| 14:05:18 | ALERT | cloudtrail | PutBucketAcl called by user:dev-intern on bucket:customer-data-prod -- ACL set to public-read |
| 14:06:00 | INFO | cloudtrail | GetBucketPolicy called by role:config-recorder-role on bucket:customer-data-prod |
| 14:07:45 | ALERT | guardduty | Policy:S3/BucketAnonymousAccessGranted -- bucket:customer-data-prod now allows anonymous access |
| 14:08:00 | INFO | cloudtrail | DescribeAlarms called by role:prod-monitoring-role from 10.0.2.10 |
| 14:10:30 | INFO | cloudtrail | GetObject called on bucket:app-config-prod/settings.json by role:app-server-role from 10.0.3.5 |
| 14:12:00 | WARN | guardduty | UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS -- credentials for user:dev-intern used from unusual IP 203.0.113.88 |
| 14:13:00 | INFO | cloudtrail | PutMetricAlarm called by role:prod-monitoring-role -- alarm:HighCPUUtilization updated |
| 14:15:00 | INFO | cloudtrail | ListObjects called on bucket:customer-data-prod by anonymous from 203.0.113.88 |
| 14:15:45 | WARN | cloudtrail | GetObject called on bucket:customer-data-prod/exports/customers-2026.csv by anonymous from 203.0.113.88 |
| 14:18:00 | INFO | cloudtrail | CreateLogGroup called by role:lambda-logging-role -- log group: /aws/lambda/data-processor |
13 total entries.
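The triage this question asks for can be expressed as detection logic run over the table. The script below is an added example written for this page, not part of the exam material and not an official answer key. It assumes a pipe-delimited transcription of the 13 rows (constructed inline), uses simple string and regex rules that fit this log's message format, and emits standard AWS CLI containment commands; the access key ID for dev-intern is not in the log, so that argument is a placeholder. The correlation happens in two passes: rows that are suspicious on their own (the public grant, the GuardDuty findings) yield the bucket, the principal and the external IP, and those indicators then pull in the anonymous ListObjects and GetObject calls, which is what ties the 14:15 reads back to the 14:05 policy change.

```python
import re
from dataclasses import dataclass, field

# Constructed transcription of the 13 rows in the table above as
# "time|severity|source|message" lines. Sample input for this example only,
# not a CloudTrail or GuardDuty export.
RAW_LOG = """\
14:00:00|INFO|cloudtrail|ListBuckets called by user:data-engineer via console from 10.0.1.22
14:02:30|INFO|cloudtrail|DescribeInstances called by role:prod-monitoring-role from 10.0.2.10
14:05:15|WARN|cloudtrail|PutBucketPolicy called by user:dev-intern on bucket:customer-data-prod -- policy grants s3:GetObject to Principal: *
14:05:18|ALERT|cloudtrail|PutBucketAcl called by user:dev-intern on bucket:customer-data-prod -- ACL set to public-read
14:06:00|INFO|cloudtrail|GetBucketPolicy called by role:config-recorder-role on bucket:customer-data-prod
14:07:45|ALERT|guardduty|Policy:S3/BucketAnonymousAccessGranted -- bucket:customer-data-prod now allows anonymous access
14:08:00|INFO|cloudtrail|DescribeAlarms called by role:prod-monitoring-role from 10.0.2.10
14:10:30|INFO|cloudtrail|GetObject called on bucket:app-config-prod/settings.json by role:app-server-role from 10.0.3.5
14:12:00|WARN|guardduty|UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS -- credentials for user:dev-intern used from unusual IP 203.0.113.88
14:13:00|INFO|cloudtrail|PutMetricAlarm called by role:prod-monitoring-role -- alarm:HighCPUUtilization updated
14:15:00|INFO|cloudtrail|ListObjects called on bucket:customer-data-prod by anonymous from 203.0.113.88
14:15:45|WARN|cloudtrail|GetObject called on bucket:customer-data-prod/exports/customers-2026.csv by anonymous from 203.0.113.88
14:18:00|INFO|cloudtrail|CreateLogGroup called by role:lambda-logging-role -- log group: /aws/lambda/data-processor
"""

# Indicator extractors; these match the message format used in this log.
BUCKET_RE = re.compile(r"bucket:([A-Za-z0-9.-]+)")
USER_RE = re.compile(r"user:([A-Za-z0-9._-]+)")
IP_RE = re.compile(r"(?:from|IP) (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Entry:
    time: str
    severity: str
    source: str
    message: str
    reasons: list = field(default_factory=list)  # why the row was flagged

    @property
    def flagged(self):
        return bool(self.reasons)


def parse_log(raw):
    """Split the pipe-delimited sample into Entry objects."""
    return [Entry(*line.split("|", 3)) for line in raw.strip().splitlines()]


def recommended_actions(buckets, principals):
    """Containment, closest to the data first: cut anonymous access, remove
    the grants, then disable the credential that made them. The key ID for
    the IAM user is not in the log, so it is left as a placeholder."""
    actions = []
    for b in sorted(buckets):
        actions += [
            f"aws s3api put-public-access-block --bucket {b} "
            "--public-access-block-configuration BlockPublicAcls=true,"
            "IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true",
            f"aws s3api delete-bucket-policy --bucket {b}",
            f"aws s3api put-bucket-acl --bucket {b} --acl private",
        ]
    for p in sorted(principals):
        actions.append(f"aws iam update-access-key --user-name {p} "
                       "--access-key-id <KEY_ID_FROM_IAM> --status Inactive")
    return actions


def triage(entries):
    """Flag rows tied to the S3 exposure and summarise the incident."""
    buckets, principals, ips = set(), set(), set()
    # Pass 1: rows that are suspicious on their own content.
    for e in entries:
        m = e.message
        if "PutBucketPolicy" in m and "Principal: *" in m:
            e.reasons.append("bucket policy grants access to Principal: *")
        if "PutBucketAcl" in m and "public-read" in m:
            e.reasons.append("bucket ACL set to public-read")
        if e.source == "guardduty":
            e.reasons.append("GuardDuty finding " + m.split(" -- ")[0])
        if e.flagged:  # harvest indicators for pass 2
            buckets.update(BUCKET_RE.findall(m))
            principals.update(USER_RE.findall(m))
            ips.update(IP_RE.findall(m))

    # Pass 2: follow-on access that only looks bad given those indicators.
    exposed_objects = []
    for e in entries:
        m = e.message
        ip = IP_RE.search(m)
        if " by anonymous " in m and any(b in m for b in buckets):
            e.reasons.append("unauthenticated access to the exposed bucket")
        elif ip and ip.group(1) in ips and not e.flagged:
            e.reasons.append("activity from the IP named in a GuardDuty finding")
        if e.flagged and m.startswith("GetObject "):  # an object actually read
            exposed_objects.append(m.split("bucket:", 1)[1].split(" ", 1)[0])

    flagged = [e for e in entries if e.flagged]
    return {
        "flagged_times": [e.time for e in flagged],
        "incident_type": ("public S3 bucket with confirmed anonymous data access"
                          if exposed_objects else "public S3 bucket, no access observed"),
        "affected_buckets": sorted(buckets),
        "compromised_principals": sorted(principals),
        "external_ips": sorted(ips),
        "exposed_objects": exposed_objects,
        "recommended_actions": recommended_actions(buckets, principals),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(RAW_LOG)).items():
        print(f"{key}: {value}")
```

Run against the sample, the script flags the six rows at 14:05:15, 14:05:18, 14:07:45, 14:12:00, 14:15:00 and 14:15:45, names customer-data-prod as the affected bucket, dev-intern as the principal whose credentials made it public and were later used from 203.0.113.88, and exports/customers-2026.csv as the object actually read. The GetBucketPolicy call by config-recorder-role at 14:06:00 is deliberately not flagged: it reads the policy rather than changing it and is what an AWS Config recorder does after a change. Putting S3 Block Public Access on the bucket comes first in the action list because RestrictPublicBuckets stops anonymous access immediately, even before the policy and ACL are cleaned up.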