Logging, Monitoring & Incident Response (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards

| Front | Back |
| --- | --- |
| Alert enrichment examples | Include resource tags, runbook links, and recent related events in alerts |
| Automated alerting best practice | Tune thresholds, reduce false positives, and enrich alerts with context for faster triage |
| Automated containment methods | Isolate instances, update security groups, revoke credentials, or terminate compromised resources |
| Automating recovery | Use automated runbooks, snapshots, and infrastructure as code to restore a known good state |
| AWS Config purpose | Continuously assess and record resource configuration and compliance state |
| AWS KMS and log encryption | Encrypt logs at rest using KMS keys with strict key policies and key rotation |
| Centralized logging architecture best practice | Send logs to a dedicated logging account with restricted access and archival storage |
| CloudTrail aggregation strategy | Enable organization trails to centralize events across accounts |
| CloudTrail event types logged | Logs management events and configurable data events, such as S3 and Lambda |
| CloudTrail log integrity | Use log file validation and S3 Object Lock to ensure integrity and immutability |
| CloudTrail main purpose | Records AWS API calls and delivers event history for auditing |
| CloudWatch Alarms action types | Send SNS notifications, execute runbooks, or trigger Lambda for automated response |
| CloudWatch Contributor Insights | Identify top contributors to system behavior, such as heavy callers or latency sources |
| CloudWatch Logs purpose | Collect, monitor, and store logs from AWS resources and applications |
| CloudWatch metric filters | Extract metric data from log events using filter patterns |
| Config Aggregator | Collect configuration and compliance data from multiple accounts and regions |
| Config Rules | Evaluate resource configurations against desired settings using managed or custom rules |
| Containment vs eradication | Containment limits spread; eradication removes the threat from the environment |
| Cross account log access control | Use IAM roles, resource policies, and AWS Lake Formation or Lake House controls for secure access |
| Detective data sources | Ingests CloudTrail, VPC flow logs, and GuardDuty findings to build graphs |
| Detective purpose | Visualize and investigate security issues using behavior graphs and relationship analysis |
| Enabling GuardDuty across orgs | Use an Organizations delegated admin and enable it in all accounts via the console or API |
| Evidence chain hash algorithms | Use strong hashes such as SHA-256 for file integrity and verification |
| Evidence collection order | Collect volatile data first, then non-volatile data, then logs and configuration snapshots |
| Forensics chain of custody basics | Document who collected the evidence, when, and where it was stored, and preserve its integrity |
| GuardDuty data sources | Analyzes VPC flow logs, CloudTrail events, and DNS logs |
| GuardDuty detection types | Threat detection for malicious activity and unauthorized behavior using ML and threat intel |
| Incident response runbook components | Detection indicators, containment steps, evidence collection, and recovery procedures |
| Key incident metrics to track | Mean time to detect (MTTD), mean time to respond (MTTR), and containment time |
| Legal hold for logs | Implement retention holds for logs required by investigations or regulatory requests |
| Log integrity verification workflow | Validate log file signatures and compare checksums against a trusted store |
| Log retention policy considerations | Balance operational needs, compliance requirements, storage cost, and investigation timelines |
| Memory capture importance | Memory can contain credentials, running processes, and in-memory malware not visible on disk |
| Network forensics data sources | Packet captures, flow logs, and proxy logs help reconstruct attacker activity |
| Playbook testing frequency | Regularly test playbooks with tabletop exercises and simulated incidents |
| Post incident activities | Root cause analysis, lessons learned, remediation, and updating detection and playbooks |
| Preserving evidence in cloud | Snapshot volumes, export logs, and copy artifacts to immutable storage with strict access control |
| S3 object lifecycle for logs | Use lifecycle rules to transition logs to cheaper storage and to expire them when no longer needed |
| Security Hub purpose | Aggregate findings from multiple security services and third-party products for compliance |
| Security Hub standards | Provide automated checks such as CIS AWS Foundations and AWS Foundational Security Best Practices |
About the Flashcards
Flashcards for the AWS Certified Security Specialty exam give you a rapid way to drill the AWS logging, monitoring, and security services most likely to appear on test day. Review CloudTrail event types, CloudWatch alarms, Config rules, and how GuardDuty, Security Hub, and Detective integrate to detect and investigate threats across an organization.
Cards focus on core terminology and best practices: building centralized logging architectures, validating log integrity, tuning automated alerts, and structuring incident response and forensic workflows. Practice remembering key metrics like MTTD, containment time, and MTTR so you can confidently answer scenario-based questions and demonstrate compliance knowledge.
Topics covered in this flashcard deck:
- AWS logging & monitoring
- Threat detection services
- Compliance & configuration
- Incident response workflows
- Forensics & evidence
- Log integrity & retention