Logging, Monitoring & Incident Response (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards
| Front | Back |
| --- | --- |
| Alert enrichment examples | Include resource tags (owner, environment), runbook links and recent related events, such as other findings for the same principal or source IP, in the alert |
| Automated alerting best practice | Tune thresholds to reduce false positives and enrich alerts with context so responders can triage faster |
| Automated containment methods | Isolate instances by moving them to a quarantine security group, tighten security groups or NACLs, revoke credentials (deny tokens issued before a cutoff time) or terminate compromised resources once evidence has been preserved |
| Automating recovery | Use automated runbooks (Systems Manager Automation), snapshots and infrastructure as code to redeploy a known-good state |
| AWS Config purpose | Continuously assess and record resource configuration and compliance state |
| AWS KMS and log encryption | Encrypt logs at rest with KMS keys (SSE-KMS), restrict kms:Decrypt in the key policy to the logging and investigation roles, and enable automatic key rotation |
| Centralized logging architecture best practice | Send logs to a dedicated logging account with restricted access and archival storage |
| CloudTrail aggregation strategy | Enable an organization trail to centralize events from every account, including accounts added later, into one log bucket |
| CloudTrail event types logged | Management events by default; data events (for example S3 object-level and Lambda Invoke) and Insights events must be enabled explicitly |
| CloudTrail log integrity | Enable log file validation (signed SHA-256 digest files) and S3 Object Lock on the log bucket to ensure integrity and immutability |
| CloudTrail main purpose | Records AWS API calls and delivers event history for auditing |
| CloudWatch Alarms action types | Send SNS notifications, run runbooks (directly via Systems Manager or through an EventBridge rule) or invoke Lambda for automated response |
| CloudWatch Contributor Insights | Identify top contributors to system behavior, such as the heaviest API callers or the sources of latency |
| CloudWatch Logs purpose | Collect, monitor and store logs from AWS resources and applications |
| CloudWatch metric filters | Extract metric data from log events using filter patterns |
| Config Aggregator | Collect configuration and compliance data from multiple accounts and regions |
| Config Rules | Evaluate resource configurations against desired settings using managed or custom rules |
| Containment vs eradication | Containment limits the spread of an incident; eradication removes the threat from the environment |
| Cross account log access control | Use IAM roles, resource policies (bucket and KMS key policies) and AWS Lake Formation permissions for secure access to a lake house style log store |
| Detective data sources | Ingests CloudTrail logs, VPC Flow Logs and GuardDuty findings to build behavior graphs |
| Detective purpose | Visualize and investigate security issues using behavior graphs and relationship analysis |
| Enabling GuardDuty across orgs | Designate a delegated administrator account in Organizations and turn on auto-enable so every member account, including new ones, is covered |
| Evidence chain hash algorithms | Use strong hashes such as SHA-256 for file integrity and verification; MD5 and SHA-1 are no longer collision resistant |
| Evidence collection order | Collect volatile data first (memory, network connections, running processes), then non-volatile data (disk), then logs and configuration snapshots |
| Forensics chain of custody basics | Document who collected each artifact, when, where it was stored and who has accessed it since, and preserve integrity with hashes |
| GuardDuty data sources | Analyzes VPC Flow Logs, CloudTrail management and S3 data events, and DNS logs |
| GuardDuty detection types | Threat detection for malicious activity and unauthorized behavior using ML, anomaly detection and threat intelligence feeds |
| Incident response runbook components | Detection indicators, containment steps, evidence collection and recovery procedures |
| Key incident metrics to track | Mean time to detect (MTTD), mean time to respond (MTTR) and time to containment |
| Legal hold for logs | Implement retention holds for logs required by investigations or regulatory requests |
| Log integrity verification workflow | Validate the signed digest files (aws cloudtrail validate-logs) and compare artifact checksums against a trusted, write-protected store |
| Log retention policy considerations | Balance operational needs, compliance requirements, storage cost and investigation timelines |
| Memory capture importance | Memory can contain credentials, running processes and in-memory malware that never touches disk |
| Network forensics data sources | Packet captures (VPC Traffic Mirroring), flow logs and proxy logs help reconstruct attacker activity |
| Playbook testing frequency | Regularly test playbooks with tabletop exercises and simulated incidents |
| Post incident activities | Root cause analysis, lessons learned, remediation, and updating detections and playbooks |
| Preserving evidence in cloud | Snapshot volumes, export logs and copy artifacts to immutable storage (S3 Object Lock) in a separate forensics account with strict access control |
| S3 object lifecycle for logs | Use lifecycle rules to transition logs to cheaper storage and to expire when no longer needed |
| Security Hub purpose | Aggregate, normalize and prioritize findings from AWS security services and third-party products, and run automated compliance checks against security standards |
| Security Hub standards | Provide automated checks such as CIS AWS Foundations and AWS Foundational Security Best Practices |
Covers centralized logging and detection: CloudTrail, CloudWatch, AWS Config, GuardDuty, Security Hub, Detective, log integrity/retention, automated alerting, IR playbooks, evidence collection, forensics basics, and automating containment and recovery.
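The CloudWatch metric filter, automated alerting and alert enrichment cards in working code, as an added example that is not from Crucial Exams or AWS. The three filter patterns quoted in the docstrings are the CIS AWS Foundations Benchmark patterns for unauthorized API calls, root account usage and console login failures; the Python functions reproduce their logic so the detection can be run offline. The CloudTrail records, account ID and IP addresses are constructed sample data.

```python
"""CIS-style CloudWatch metric filters evaluated over constructed CloudTrail events.

Each function mirrors one CloudWatch Logs filter pattern (quoted in its docstring).
In AWS the pattern string is what goes into `aws logs put-metric-filter`; the Python
here is an offline equivalent so the logic can be exercised without an account.
"""
from collections import Counter
from typing import Dict, Iterable, List


def unauthorized_api_call(ev: Dict) -> bool:
    """{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def root_account_usage(ev: Dict) -> bool:
    """{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }"""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident          # root credentials used by an AWS service do not count
            and ev.get("eventType") != "AwsServiceEvent")


def console_login_failure(ev: Dict) -> bool:
    """{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }"""
    return ev.get("eventName") == "ConsoleLogin" and ev.get("errorMessage") == "Failed authentication"


METRIC_FILTERS = {
    "UnauthorizedAPICalls": unauthorized_api_call,
    "RootAccountUsage": root_account_usage,
    "ConsoleLoginFailures": console_login_failure,
}


def apply_metric_filters(events: Iterable[Dict]) -> Counter:
    """Return the value each metric filter would publish for this batch of events."""
    counts = Counter({name: 0 for name in METRIC_FILTERS})
    for ev in events:
        for name, matches in METRIC_FILTERS.items():
            if matches(ev):
                counts[name] += 1
    return counts


def enrich(ev: Dict) -> Dict:
    """The context a responder wants in the alert, taken from the event itself."""
    ident = ev.get("userIdentity", {})
    return {
        "principal": ident.get("arn") or ident.get("type"),
        "account": ev.get("recipientAccountId"),
        "source_ip": ev.get("sourceIPAddress"),
        "event": ev.get("eventName"),
        "region": ev.get("awsRegion"),
        "error": ev.get("errorCode") or ev.get("errorMessage"),
    }


# Constructed sample events: shapes follow the CloudTrail record format, values are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111111111111", "awsRegion": "us-east-1"},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/ci/build"},
     "sourceIPAddress": "203.0.113.9", "recipientAccountId": "111111111111", "awsRegion": "us-east-1"},
    {"eventName": "GetObject", "eventType": "AwsApiCall", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "sourceIPAddress": "203.0.113.9", "recipientAccountId": "111111111111", "awsRegion": "eu-west-1"},
    {"eventName": "CreateUser", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "192.0.2.44", "recipientAccountId": "111111111111", "awsRegion": "us-east-1"},
    # Root identity invoked by a service: must NOT trip the root-usage filter.
    {"eventName": "CreateLogStream", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"},
     "recipientAccountId": "111111111111", "awsRegion": "us-east-1"},
]

if __name__ == "__main__":
    for name, value in apply_metric_filters(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
    for ev in SAMPLE_EVENTS:
        if any(f(ev) for f in METRIC_FILTERS.values()):
            print(enrich(ev))
```

The last sample event is the edge case that makes the `invokedBy NOT EXISTS` clause necessary: AWS services acting on your behalf appear with a Root identity, and without that clause the root-usage alarm fires on routine service activity and gets tuned out.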
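The automated containment and evidence preservation cards as one runbook step, added here and not part of the original page. It assumes boto3, an EC2 instance in a VPC, and a hypothetical case ID; the boto3 calls live only inside `contain_instance()` and need credentials, while the policy builder and tag helper run offline.

```python
"""Automated containment of a compromised EC2 instance: preserve, isolate, revoke.

Order matters: snapshots first so nothing is lost, then network isolation, then
credential revocation. Termination is deliberately left to a human once the
evidence is confirmed to be captured.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List


def revoke_sessions_policy(cutoff: datetime) -> Dict:
    """Inline policy denying every action for credentials issued before `cutoff`.

    This is the mechanism behind the IAM console's "Revoke active sessions" button:
    temporary credentials carry aws:TokenIssueTime, so tokens already stolen from
    the instance stop working while credentials issued afterwards still do.
    """
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def evidence_tags(case_id: str, instance_id: str) -> List[Dict]:
    """Tags that let the forensics account find and lock down the snapshots later."""
    return [{"Key": "CaseId", "Value": case_id},
            {"Key": "SourceInstance", "Value": instance_id},
            {"Key": "Evidence", "Value": "true"}]


# The implicit rule every new security group gets; it has to be revoked for real isolation.
DEFAULT_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def contain_instance(instance_id: str, case_id: str, region: str) -> Dict:
    import boto3  # imported here so the offline helpers above work without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    iam = boto3.client("iam")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    result = {"snapshots": [], "quarantine_sg": None, "role": None}

    # 1. Preserve: snapshot every attached EBS volume before anything on the box changes.
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{case_id}: {instance_id} {vol}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": evidence_tags(case_id, instance_id)}],
        )
        result["snapshots"].append(snap["SnapshotId"])

    # 2. Isolate: a fresh group with no ingress rules and the default all-egress rule removed.
    sg = ec2.create_security_group(
        GroupName=f"quarantine-{case_id}", Description=f"Quarantine for {case_id}", VpcId=inst["VpcId"])
    ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=DEFAULT_EGRESS)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg["GroupId"]])
    result["quarantine_sg"] = sg["GroupId"]

    # 3. Revoke: deny credentials issued before now on the instance role, if there is one.
    profile_arn = inst.get("IamInstanceProfile", {}).get("Arn")
    if profile_arn:
        profile_name = profile_arn.rsplit("/", 1)[-1]
        for role in iam.get_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]["Roles"]:
            iam.put_role_policy(
                RoleName=role["RoleName"],
                PolicyName=f"RevokeOlderSessions-{case_id}",
                PolicyDocument=json.dumps(revoke_sessions_policy(datetime.now(timezone.utc))),
            )
            result["role"] = role["RoleName"]
    return result


if __name__ == "__main__":
    print(json.dumps(revoke_sessions_policy(datetime.now(timezone.utc)), indent=2))
```

Two things to check after running it: confirm in VPC Flow Logs that the quarantined instance really has stopped talking, and remember that the deny policy only invalidates credentials issued before the cutoff. The instance itself will be handed fresh credentials by IMDS, which is why isolation happens before revocation; anything an attacker copied off the box earlier is what the policy kills.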
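The chain of custody, evidence hash algorithm and log integrity verification cards together, as an added example that is not the page's own material: a hash-chained evidence manifest and a verifier that re-hashes artifacts against it and walks the chain, so both an edited artifact and an edited manifest entry are detected. The artifact contents, the analyst address and the `s3://forensics-case-42/` location are constructed.

```python
"""Hash-chained chain-of-custody manifest for collected artifacts.

Each entry records who collected what, when, where it was stored, and the SHA-256
of the artifact. Entries are chained: every entry also carries the SHA-256 of the
previous entry, so editing or deleting an earlier entry breaks every later link.
"""
import copy
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # link value for the first entry


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry: Dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def record_evidence(manifest: List[Dict], path: str, collector: str,
                    location: str, when: Optional[str] = None) -> Dict:
    entry = {
        "artifact": os.path.basename(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": when or datetime.now(timezone.utc).isoformat(),
        "stored_at": location,
        "previous_entry_sha256": entry_hash(manifest[-1]) if manifest else GENESIS,
    }
    manifest.append(entry)
    return entry


def manifest_head(manifest: List[Dict]) -> str:
    """Hash of the last entry. Store this out of band (ticket, Object Lock bucket):
    the chain cannot detect edits to its final entry without an external anchor."""
    return entry_hash(manifest[-1]) if manifest else GENESIS


def verify_manifest(manifest: List[Dict], artifact_dir: str) -> List[str]:
    """Re-hash every artifact and re-walk the chain; return a list of problems (empty = clean)."""
    problems, expected_prev = [], GENESIS
    for i, entry in enumerate(manifest):
        if entry.get("previous_entry_sha256") != expected_prev:
            problems.append(f"entry {i} ({entry.get('artifact')}): chain link does not match previous entry")
        path = os.path.join(artifact_dir, entry["artifact"])
        if not os.path.exists(path):
            problems.append(f"entry {i}: artifact {entry['artifact']} missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"entry {i}: artifact {entry['artifact']} hash mismatch")
        expected_prev = entry_hash(entry)
    return problems


def demo() -> Dict[str, List[str]]:
    """Build a constructed evidence set in a temp dir, verify it, then tamper two ways."""
    work = tempfile.mkdtemp()
    try:
        artifacts = {  # constructed contents, not real captures
            "memory.lime": b"\x00LiME\x01" + b"A" * 4096,
            "auth.log": b"Jan 10 03:12:07 web01 sshd[812]: Accepted publickey for deploy from 203.0.113.9\n",
            "flow-logs.csv": b"2 111111111111 eni-0a1b 203.0.113.9 10.0.1.5 443 51822 6 12 5400 ACCEPT OK\n",
        }
        for name, data in artifacts.items():
            with open(os.path.join(work, name), "wb") as f:
                f.write(data)
        manifest: List[Dict] = []
        for name in artifacts:
            record_evidence(manifest, os.path.join(work, name), "analyst@example.com",
                            f"s3://forensics-case-42/{name}", when="2024-05-01T03:20:00+00:00")
        clean = verify_manifest(manifest, work)
        # Tamper 1: rewrite an early manifest entry; the next entry's link no longer matches.
        forged = copy.deepcopy(manifest)
        forged[0]["collected_by"] = "nobody"
        edited_manifest = verify_manifest(forged, work)
        # Tamper 2: append to an artifact after collection; its recorded hash no longer matches.
        with open(os.path.join(work, "auth.log"), "ab") as f:
            f.write(b"Jan 10 03:15:00 web01 sshd[900]: session closed\n")
        edited_artifact = verify_manifest(manifest, work)
        return {"clean": clean, "edited_manifest": edited_manifest, "edited_artifact": edited_artifact}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same structure is what CloudTrail's digest files give you for log files (each digest lists the hashes of the log files it covers and refers back to the previous digest); `manifest_head()` plays the role of the externally anchored value, which is why the card says to compare against a trusted store rather than against the manifest alone.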