
SCS-C03 Exam Cram: Responding to Security Events

Respond to security events


This guide covers Domain 2.2 of the AWS Certified Security - Specialty exam, focusing on the tactical response to security incidents, forensic preservation, and automated remediation.

Topic Weighting

  • Domain 2: Incident Response accounts for 20% of the total exam.
  • Task 2.2 (Respond to security events) is a core component, often appearing in scenario-based questions involving EC2 compromises, S3 data leaks, and IAM credential abuse.

Key Concepts Summary

1. The Incident Response Lifecycle

AWS recommends following the NIST SP 800-61 framework tailored for the cloud:

  1. Preparation: Writing runbooks (SSM Automation documents, surfaced through OpsCenter) and pre-creating the IAM roles, isolation security groups and forensic account the responders will need.
  2. Detection & Analysis: Using Amazon GuardDuty, Security Hub, and Amazon Detective.
  3. Containment: Isolating resources (e.g., Security Group "Isolation Rule").
  4. Eradication/Recovery: Cleaning infected resources or restoring from AWS Backup.
  5. Post-Incident: Root cause analysis via Amazon Detective.

2. Forensic Artifact Collection

  • EC2 Preservation: Do NOT stop the instance immediately if memory forensics are needed; stopping it discards RAM. Take an EBS Snapshot of every attached volume while the instance is still running, then create new volumes from those snapshots (ideally in a separate forensic account) and attach them to a Forensic Workstation. Leave the original volumes attached so the compromised instance's state is not disturbed. SSM Automation can drive the snapshot/copy/attach sequence.
  • Network Artifacts: Enable VPC Flow Logs and Route 53 Resolver Logs. Use Amazon Security Lake to aggregate logs for long-term storage.
  • Log Correlation: Use CloudWatch Logs Insights for quick queries across log groups or Amazon Athena for querying S3-resident logs using SQL.
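The network-artifact and log-correlation bullets above come down to one question during a C2 finding: which interfaces in the VPC talked to the indicator, and how much went out? The following is an added example, not from the page: it parses VPC Flow Log records in the default (version 2, 14-field) format and summarises traffic per ENI against an IOC address. The log lines are constructed, and 198.51.100.23 is a documentation address standing in for the C2 server from a finding. The same filter expressed in Athena would be a WHERE on srcaddr/dstaddr over the flow-log table; the Python form lets you run it over an exported log group or a Logs Insights result offline.

```python
"""Triage VPC Flow Log records against an indicator from a GuardDuty finding.

Added example, not from the page. Log lines are constructed; the field order
is the default VPC Flow Log format (version 2, space-separated, 14 fields).
"""
from collections import defaultdict
from ipaddress import ip_address

DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status").split()

# Constructed sample: eni-...0001 exchanged data with the IOC, eni-...0002 was
# blocked trying, eni-...0003 only talked to an unrelated host, and the last
# record is a NODATA placeholder with no addresses at all.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.15 198.51.100.23 49152 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.23 10.0.1.15 443 49152 6 12 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.16 198.51.100.23 51000 443 6 3 200 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.2.9 93.184.216.34 40000 443 6 8 1200 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000200 1700000260 - NODATA
"""


def parse_flow_log(text, fields=DEFAULT_FIELDS):
    """Parse space-separated flow log records into dicts; numeric fields become ints.

    Records whose log-status is not OK (NODATA / SKIPDATA) carry '-' in the
    address fields and are dropped: they say nothing about who talked to whom.
    Lines with the wrong field count (a custom format, or truncation) are
    skipped rather than mis-attributed to the wrong column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        if rec["log-status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def talkers_with(records, ioc):
    """Per-ENI summary of accepted bytes to/from the IOC and rejected attempts.

    Every ENI returned is a candidate for the containment list; bytes_to_ioc
    is the number to worry about for exfiltration, rejected > 0 with no
    accepted traffic means the NACL/SG already held."""
    ioc = str(ip_address(ioc))  # normalise the address; raises ValueError on junk
    summary = defaultdict(lambda: {"bytes_to_ioc": 0, "bytes_from_ioc": 0, "rejected": 0})
    for rec in records:
        if ioc not in (rec["srcaddr"], rec["dstaddr"]):
            continue
        entry = summary[rec["interface-id"]]
        if rec["action"] == "REJECT":
            entry["rejected"] += 1
        elif rec["dstaddr"] == ioc:
            entry["bytes_to_ioc"] += rec["bytes"]
        else:
            entry["bytes_from_ioc"] += rec["bytes"]
    return dict(summary)


if __name__ == "__main__":
    for eni, stats in sorted(talkers_with(parse_flow_log(SAMPLE_FLOW_LOG), "198.51.100.23").items()):
        print(eni, stats)
```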

3. Isolation & Containment Strategies

  • Network Layer: Replace the instance's security groups with an isolation group that has no inbound or outbound rules (security groups have no explicit deny; an empty rule set denies everything). Use NACL deny rules at the subnet level to block specific IP ranges, since security groups cannot express a deny.
  • Identity Layer: Attach an explicit Deny-All policy to the compromised user or role and deactivate its long-lived access keys (aws iam update-access-key --status Inactive). Temporary STS credentials already issued cannot be revoked directly; invalidate them with the console's "Revoke active sessions" action, which attaches an inline policy denying all actions whose aws:TokenIssueTime is earlier than now. (aws iam revoke-service-specific-credential only revokes CodeCommit/Keyspaces service-specific credentials; it does not end sessions.)
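The identity-layer containment above, as an added example that is not from the page or from AWS: it builds the same policy document the console's "Revoke active sessions" button attaches (a Deny on every action conditioned on aws:TokenIssueTime) and applies it to a role or a user, deactivating the user's access keys first. The IAM client is injected so the logic can be exercised offline; in Lambda or an SSM aws:executeScript step you would pass boto3.client("iam") instead of the constructed FakeIAM. Role names, user names and key IDs are made up.

```python
"""Identity-layer containment: revoke active sessions and deactivate keys.

Added example, not from the page. FakeIAM is a constructed stand-in for
boto3's IAM client so the demo runs with no AWS access."""
import json
from datetime import datetime, timezone

POLICY_NAME = "AWSRevokeOlderSessions"
FIXED_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # demo timestamp


def revoke_sessions_policy(issued_before):
    """Inline policy equivalent to the console's "Revoke active sessions" button.

    Every STS session carries the time it was issued; denying all actions whose
    aws:TokenIssueTime is earlier than `issued_before` kills every session that
    exists right now while sessions created after rotation still work. Long-term
    access keys carry no TokenIssueTime, so the condition never matches them;
    those are handled by deactivating the keys."""
    if issued_before.tzinfo is None:
        raise ValueError("issued_before must be timezone-aware (use UTC)")
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def contain_role(iam, role_name, now=None):
    """Attach the revocation policy to a role; returns the cut-off time used."""
    now = now or datetime.now(timezone.utc)
    iam.put_role_policy(RoleName=role_name, PolicyName=POLICY_NAME,
                        PolicyDocument=json.dumps(revoke_sessions_policy(now)))
    return now


def contain_user(iam, user_name, now=None):
    """Deactivate (not delete: reversible, and the key ID stays for the incident
    record) every active access key, then attach the same revocation policy so
    any temporary credentials the user minted die too. Returns the key IDs touched."""
    now = now or datetime.now(timezone.utc)
    touched = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:  # max 2 keys per user
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            touched.append(key["AccessKeyId"])
    iam.put_user_policy(UserName=user_name, PolicyName=POLICY_NAME,
                        PolicyDocument=json.dumps(revoke_sessions_policy(now)))
    return touched


class FakeIAM:
    """Constructed stand-in for boto3's IAM client: records calls, no network."""

    def __init__(self, keys):
        self.keys = keys          # list of (AccessKeyId, Status)
        self.calls = []           # (api_name, kwargs) in call order

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s} for k, s in self.keys]}

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))

    def put_user_policy(self, **kw):
        self.calls.append(("put_user_policy", kw))

    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw))


if __name__ == "__main__":
    fake = FakeIAM([("AKIAEXAMPLE1", "Active"), ("AKIAEXAMPLE2", "Inactive")])
    print("deactivated:", contain_user(fake, "svc-build", now=FIXED_NOW))
    contain_role(fake, "app-role", now=FIXED_NOW)
    for name, kw in fake.calls:
        print(name, kw)
```

The deny is an inline policy, so it survives detaching managed policies during cleanup and is easy to find and delete once the credentials have been rotated; it must be removed afterwards or the principal stays locked out of every session issued before the cut-off.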

Common Pitfalls

  • [!WARNING] Termination Protection: The disableApiTermination attribute blocks every terminate-instances call, so an automated eradication step that terminates the instance fails unless the runbook clears it first. The flip side is useful: enabling it on a compromised instance at containment time stops anyone (including the attacker, or an Auto Scaling group) from destroying the evidence.
  • NACLs vs. Security Groups: NACLs are stateless; if you block traffic at the NACL level you must write the rule for both directions, since return traffic is evaluated on its own. Security Groups are stateful, and NACL changes take effect immediately, but removing a security group rule does NOT immediately cut an established, tracked connection; only untracked flows drop at once. An isolation group with no rules can therefore leave a live C2 session running for minutes. To cut it immediately, first apply a group that allows all traffic in both directions (which makes the flows untracked), then swap to the empty isolation group, or block the flow at the NACL.
  • Overwriting Evidence: Logging into a compromised EC2 instance via SSH/RDP to investigate. Reality: this alters file timestamps and memory. Use SSM Session Manager if you must interact with the live instance, or better yet, analyze a volume created from a snapshot.
  • S3 Public Access: Assuming Block Public Access (BPA) is the whole fix. Reality: with all four settings enabled, S3 ignores existing public ACLs and restricts buckets with public policies to the bucket owner and AWS services, so public reads stop immediately. The offending policy and ACLs are still attached, though, and the exposure returns the moment BPA is disabled, so they must still be removed; and BPA does nothing about over-broad grants to specific principals (an external account in the bucket policy, or outstanding presigned URLs). Confirm the end state with aws s3api get-bucket-policy-status.

Mnemonics / Memory Triggers

  • C-E-R (Contain, Eradicate, Recover): The primary goal order during the "Action" phase.
  • "Detective Detects the Why": Use Amazon Detective to see the relationship between resources (who did what, when) rather than just the event log.
  • "Athena is the S3 SQL Queen": If the logs are in S3 and you need SQL, the answer is almost always Athena.

Formula / Equation Sheet

Tool                    | Primary IR Function
------------------------|------------------------------------------------------------------
SSM Automation          | Automated containment (e.g., swapping security groups) and forensics runbooks.
AWS Lambda              | Real-time remediation triggered by EventBridge.
Amazon Detective        | Visualizing root cause and VPC flow log patterns.
Step Functions          | Orchestrating complex, multi-step IR workflows.
CloudWatch Logs Insights| Fast ad-hoc queries (its own query language, with regex filters) across log groups; cross-account with CloudWatch cross-account observability.
AWS Backup              | The primary tool for the Recovery phase of data-heavy events.

Practice Set

  1. Scenario: A GuardDuty finding indicates an EC2 instance is communicating with a known C&C (Command & Control) server. What is the first containment step?
    • Answer: Apply a Security Group that restricts all inbound and outbound traffic to the instance.
  2. Scenario: You need to investigate the root cause of a multi-account credential compromise. Which service provides a unified graph-based view of the relationships?
    • Answer: Amazon Detective.
  3. Scenario: An S3 bucket is found to be public. You enable "Block Public Access" at the account level. Is that the end of the remediation?
    • Answer: No. With all four BPA settings on, S3 immediately ignores public ACLs and restricts buckets with public policies to the bucket owner and AWS services, but the offending bucket policy/ACLs are still attached and must be removed (exposure returns if BPA is ever disabled), and BPA does not touch non-public grants to specific external principals.

Worked Examples

Problem: Automating Forensic Isolation

Task: Create a workflow that automatically isolates an EC2 instance when GuardDuty detects a Backdoor:EC2/C&CActivity.B!DNS threat.

Solution Breakdown:

  1. Trigger: GuardDuty sends a finding to Amazon EventBridge.
  2. Rule: Create an EventBridge Rule that matches the specific GuardDuty finding type.
  3. Target: Set the target to an SSM Automation Document.
  4. Action: The SSM Document executes:
    • aws ec2 describe-instances to record metadata (ENIs, current security groups, volumes) before anything changes.
    • aws ec2 create-snapshots with --instance-specification InstanceId=... to snapshot every attached EBS volume for later analysis, while the instance is still running.
    • aws ec2 modify-instance-attribute (or modify-network-interface-attribute per ENI) to replace the security groups with an "Isolated" SG that has no ingress/egress rules.
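The workflow above as runnable code, added here and not taken from the page or from AWS: a Lambda-style handler that matches the finding, records the instance's current ENIs and security groups, snapshots the volumes, enables termination protection, and then isolates each ENI. One step beyond the page's list: because removing a security group rule does not cut tracked connections, the handler first applies a group that allows all traffic (making flows untracked) and only then the empty isolation group, so the C2 session drops immediately. ISOLATION_SG and ALLOW_ALL_SG are assumed to exist in the VPC (IDs made up), the EC2 client is injected, and FakeEC2 plus SAMPLE_EVENT are constructed so the demo runs offline.

```python
"""EventBridge -> EC2 isolation handler for a GuardDuty C2 finding.

Added example, not the page's or AWS's code. Security group IDs are made up
and assumed pre-created; FakeEC2 is a constructed stand-in for boto3."""

ISOLATION_SG = "sg-0isolated0000000"   # assumed: no inbound or outbound rules
ALLOW_ALL_SG = "sg-0allowall00000000"  # assumed: allow all in both directions (makes flows untracked)

# EventBridge rule pattern matching the finding type named in the task.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["Backdoor:EC2/C&CActivity.B!DNS"]},
}


def instance_from_finding(event):
    """Pull the instance ID and finding ID out of a GuardDuty finding event."""
    if event.get("source") not in EVENT_PATTERN["source"] or \
            event["detail"].get("type") not in EVENT_PATTERN["detail"]["type"]:
        raise ValueError("event does not match the isolation rule")
    resource = event["detail"]["resource"]
    if resource.get("resourceType") != "Instance":
        raise ValueError("finding is not about an EC2 instance")
    return resource["instanceDetails"]["instanceId"], event["detail"]["id"]


def isolate_instance(ec2, instance_id, finding_id,
                     isolation_sg=ISOLATION_SG, allow_all_sg=ALLOW_ALL_SG):
    # 1. Metadata first: record every ENI and its groups so the change can be unwound.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = {eni["NetworkInterfaceId"]: [g["GroupId"] for g in eni["Groups"]]
                for eni in inst["NetworkInterfaces"]}
    # 2. Evidence: multi-volume snapshot while the instance (and its memory) is still running.
    snaps = ec2.create_snapshots(
        InstanceSpecification={"InstanceId": instance_id},
        Description=f"forensic copy for GuardDuty finding {finding_id}",
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "FindingId", "Value": finding_id}]}])
    # 3. Keep the evidence alive: nobody terminates this instance until IR releases it.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 4. Isolate every ENI (not only the primary one): allow-all first to make
    #    established flows untracked, then the empty group so they drop at once.
    for eni_id in original:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[allow_all_sg])
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[isolation_sg])
    return {"instance": instance_id, "original_groups": original,
            "snapshots": [s["SnapshotId"] for s in snaps["Snapshots"]]}


def handler(event, context=None, ec2=None):
    """Lambda entry point; ec2 is injectable for tests."""
    if ec2 is None:
        import boto3  # only needed when running for real
        ec2 = boto3.client("ec2")
    instance_id, finding_id = instance_from_finding(event)
    return isolate_instance(ec2, instance_id, finding_id)


SAMPLE_EVENT = {  # constructed, trimmed to the fields the handler reads
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "e4b1c2d3example", "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: records calls, no network."""

    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-web"}]},
            {"NetworkInterfaceId": "eni-0bbb", "Groups": [{"GroupId": "sg-mgmt"}]}]}]}]}

    def create_snapshots(self, **kw):
        self.calls.append(("create_snapshots", kw))
        return {"Snapshots": [{"SnapshotId": "snap-0001"}, {"SnapshotId": "snap-0002"}]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_network_interface_attribute", kw))


if __name__ == "__main__":
    fake = FakeEC2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    for name, kw in fake.calls:
        print(name, kw)
```

The returned dict (original groups, snapshot IDs) is what the next step of the runbook or the incident ticket needs to unwind the isolation later; persisting it is the difference between containment and an outage you cannot explain.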

Visual Anchor: The Blast Radius

\begin{tikzpicture}
  % Core resource
  \draw[fill=red!20, thick] (0,0) circle (0.5cm);
  \node at (0,0) {\small Target};

  % Containment rings
  \draw[dashed] (0,0) circle (1.5cm);
  \node at (0,1.2) {\small SG Isolation};
  \draw[dashed] (0,0) circle (2.5cm);
  \node at (0,2.2) {\small NACL / Subnet};
  \draw[dashed] (0,0) circle (3.5cm);
  \node at (0,3.2) {\small VPC / Account};

  % Arrows indicating blast radius
  \draw[->, thick, red] (0.5,0) -- (3.5,0) node[right] {\small Uncontained};
  \draw[->, thick, blue] (0.5,0) -- (1.5,0) node[below left] {\small Contained};
\end{tikzpicture}

Fact Recall Blanks

  1. To search logs across multiple accounts and regions using SQL, use _______.
  2. The service used to visualize the interaction between AWS resources during an investigation is _______.
  3. _______ logs are essential for investigating DNS exfiltration.
  4. Before stopping an EC2 instance for forensics, you should capture _______ if the investigation requires it.
  5. _______ provides a central dashboard for security findings across an entire organization.

Answers
  1. Amazon Athena
  2. Amazon Detective
  3. Route 53 Resolver Logs
  4. Volatile Memory (RAM)
  5. AWS Security Hub
