# Domain 2 — Incident Response (14%)

Prepare for security incidents, investigate events, contain threats, automate remediation, and recover workloads securely.
## 1. Incident Preparation

Core services:

- AWS Systems Manager (Automation runbooks, OpsCenter, Incident Manager)
- AWS Shield Advanced
- AWS Organizations
- AWS Resilience Hub
- AWS Fault Injection Service

Know:

- Runbooks (pre-written, tested Automation documents rather than ad hoc console work)
- OpsCenter
- Blast radius reduction (separate accounts per workload/environment, isolated security and log-archive accounts)
- Delegated administration (a dedicated security account administers GuardDuty, Security Hub, Detective and Macie for the organization)
- Chaos testing
- IR readiness (pre-provisioned forensics account, quarantine security groups, break-glass roles, game days)
## 2. Detection → Investigation

Core services:

- Amazon GuardDuty
- AWS Security Hub
- Amazon Security Lake
- Amazon Detective
- AWS CloudTrail
- AWS CloudTrail Lake

Know:

- Findings validation (confirm a finding is real and still active before remediating; suppress known false positives with suppression rules, not by ignoring them)
- Timeline analysis
- Scope determination (which accounts, principals, access keys, instances and data were touched)
- Root cause analysis
- Event correlation (Detective joins CloudTrail, VPC Flow Logs and GuardDuty findings into a behaviour graph; CloudTrail Lake answers ad hoc SQL questions over API history)
## 3. Evidence Collection & Forensics

Core services:

- Automated Forensics Orchestrator for Amazon EC2 (an AWS Solutions Library implementation, not a managed service; it snapshots volumes, captures memory and isolates the instance)
- AWS Systems Manager
- Amazon S3
- AWS CloudTrail
- Amazon Security Lake

Know:

- Snapshot acquisition (EBS snapshots taken before the instance is changed, shared to a separate forensics account)
- Log preservation
- Chain of custody (who collected what, when, and the hash of each artifact)
- Immutable evidence (S3 Object Lock in compliance mode, CloudTrail log file validation)
- Artifact storage (a dedicated forensics account and bucket that production roles cannot write to or delete from)
## 4. Automated Remediation

Core services:

- AWS Lambda
- AWS Step Functions
- AWS Systems Manager
- Amazon Application Recovery Controller

Know:

- Event-driven response (an EventBridge rule on GuardDuty or Security Hub findings, or a Security Hub custom action, triggers Lambda, Step Functions or an SSM Automation runbook)
- Isolation workflows
- Auto remediation (act only on validated, high-severity finding types; keep a human approval step for destructive actions)
- Recovery orchestration
## 5. Containment & Recovery

Core services:

- AWS Backup
- AWS WAF
- AWS Network Firewall
- Security Groups
- AWS Site-to-Site VPN

Know:

- Quarantine (swap the instance's security groups for a group with no inbound or outbound rules; do not terminate, which destroys the volumes)
- Block malicious traffic
- Restore workloads
- Rollback
- Network isolation
## Incident Response Lifecycle

Preparation → Detection → Investigation → Containment → Eradication → Recovery → Lessons Learned

Eradication in AWS normally means rebuilding from a known-good AMI or backup rather than cleaning the compromised host; lessons learned feed back into runbooks and detection rules.
## Most Important Comparisons

| If the question says | Service |
|---|---|
| Threat detected | GuardDuty |
| Aggregate findings | Security Hub |
| Investigate root cause | Detective |
| Collect evidence | Automated Forensics Orchestrator for Amazon EC2 |
| Automate remediation | Step Functions (orchestrating Lambda and SSM Automation steps) |
| Execute operational actions | Systems Manager |
| Restore workloads | Backup |
| Test response plans | Fault Injection Service |
| Validate resilience | Resilience Hub |
## Exam Scenarios

### EC2 Compromise

GuardDuty → Security Hub → Detective → Snapshot EBS volumes → Enable termination protection → Swap to quarantine security group → Lambda / SSM Automation → Rebuild or restore from Backup

Take the snapshot before isolating or changing anything on the host, and never terminate or stop the instance before evidence is captured.
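The isolation workflow and event-driven response described above, as an added example (not code from the original page or from any AWS solution). It assumes a Lambda handler behind an EventBridge rule for GuardDuty findings; the quarantine security group ID, the finding-type list and the FakeEc2 client are assumptions constructed for the example, while the method names and keyword arguments match the real boto3 EC2 client so `boto3.client("ec2")` can be passed in instead.

```python
"""Event-driven EC2 isolation (added example, not code from the original page).

Runs as a Lambda handler behind an EventBridge rule for GuardDuty findings
(source "aws.guardduty", detail-type "GuardDuty Finding").  The EC2 client is
injected so the flow can run offline with the constructed FakeEc2 below; in
Lambda pass boto3.client("ec2").  QUARANTINE_SG and ISOLATE_TYPES are
assumptions for the example.
"""

QUARANTINE_SG = "sg-0123456789abcdef0"   # assumed pre-created SG with no inbound or outbound rules
MIN_SEVERITY = 7.0                        # GuardDuty: 7.0-8.9 High, 9.0-10.0 Critical
ISOLATE_TYPES = ("Backdoor:EC2/", "CryptoCurrency:EC2/", "Trojan:EC2/", "UnauthorizedAccess:EC2/")


def should_isolate(finding):
    """Findings validation: only act on high-severity EC2 findings of known families."""
    if finding.get("resource", {}).get("resourceType") != "Instance":
        return False
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return False
    return finding.get("type", "").startswith(ISOLATE_TYPES)


def isolate_instance(ec2, instance_id, incident_id):
    """Order matters: preserve evidence, protect from deletion, then cut the network.
    Returns a log of what was done so a Step Functions state or ticket can record it."""
    tags = [{"Key": "IncidentId", "Value": incident_id}, {"Key": "Status", "Value": "quarantined"}]
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    log = []
    # 1. Snapshot every attached EBS volume before anything changes on the host.
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{incident_id} evidence from {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}],
        )
        log.append(("create_snapshot", vol, snap["SnapshotId"]))
    # 2. Stop anyone (or an Auto Scaling policy) from terminating the instance.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    log.append(("disable_termination", instance_id))
    # 3. Replace all security groups with the quarantine group (no ingress, no egress).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    log.append(("isolate", instance_id, QUARANTINE_SG))
    # 4. Tag the instance so later automation and humans see it is under investigation.
    ec2.create_tags(Resources=[instance_id], Tags=tags)
    log.append(("tag", instance_id))
    return log


def handler(event, context=None, ec2=None):
    """EventBridge entry point; event["detail"] is the GuardDuty finding."""
    finding = event["detail"]
    if not should_isolate(finding):
        return {"action": "skipped", "type": finding.get("type")}
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    incident_id = f"INC-{finding['id'][:8]}"
    return {"action": "isolated", "instance": instance_id,
            "steps": isolate_instance(ec2, instance_id, incident_id)}


class FakeEc2:
    """Constructed stand-in for boto3.client("ec2"); records every call it receives."""
    def __init__(self, volumes):
        self.volumes, self.calls = volumes, []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "a1b2c3d4e5f6a7b8c9d0",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc1234def567890"}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=FakeEc2(volumes=["vol-0aaa", "vol-0bbb"])))
```

The Lambda role only needs `ec2:DescribeInstances`, `ec2:CreateSnapshot`, `ec2:ModifyInstanceAttribute` and `ec2:CreateTags`; it deliberately has no `ec2:TerminateInstances`, so a bug or a poisoned finding cannot destroy evidence.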
### DDoS Attack

Shield Advanced (Shield Response Team, cost protection) → WAF (rate-based rules, managed rule groups) → CloudFront (absorb and filter at the edge, origin kept private) → Security Hub (findings and visibility)
### Credential Exposure

CloudTrail (what the key did, from where) → Detective (scope across accounts and resources) → Disable IAM access (deactivate the user's access key; for a role, attach a deny policy conditioned on `aws:TokenIssueTime` to revoke existing sessions) → Rotate secrets → Check for persistence the attacker may have created (new users, keys, roles, trust-policy changes)
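The credential-exposure chain above, scoping from CloudTrail and disabling access, as an added example (not code from the original page). It assumes an injected IAM client with the real boto3 method names and keyword arguments; `FakeIam`, `TRUSTED_CIDRS`, `CUTOFF` and the CloudTrail records are constructed for the example. It handles the two cases an exam question usually mixes up: an IAM user's long-term key can simply be set Inactive, but leaked temporary credentials from an assumed role cannot be deleted and are cut off with an inline deny policy on `aws:TokenIssueTime`.

```python
"""Credential-exposure containment (added example, not code from the original page).

Scopes the incident from CloudTrail records, then disables the credential the
way IAM actually allows: an IAM user's access key is set to Inactive, while a
role's leaked temporary credentials are cut off with an inline deny keyed on
aws:TokenIssueTime (the policy the IAM console's "Revoke active sessions"
writes).  The IAM client is injected; FakeIam, TRUSTED_CIDRS, CUTOFF and the
CloudTrail records below are constructed for the example.
"""
import ipaddress
import json
from datetime import datetime, timezone

TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress range
CUTOFF = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # assumed time containment ran


def scope_from_cloudtrail(records):
    """Map each access key that called from outside the trusted ranges to its
    principal, the API actions it took and the source IPs (scope determination)."""
    scope = {}
    for r in records:
        ip = r.get("sourceIPAddress", "")
        try:
            if any(ipaddress.ip_address(ip) in net for net in TRUSTED_CIDRS):
                continue
        except ValueError:      # AWS service principals appear as e.g. "ec2.amazonaws.com"
            continue
        ident = r["userIdentity"]
        entry = scope.setdefault(ident["accessKeyId"], {
            "type": ident["type"], "arn": ident["arn"], "events": set(), "ips": set()})
        entry["events"].add(r["eventName"])
        entry["ips"].add(ip)
    return scope


def revoke_sessions_policy(issued_before):
    """Deny everything to sessions issued before the cutoff; sessions assumed
    afterwards by legitimate workloads keep working."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {
            "aws:TokenIssueTime": issued_before.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}


def contain(scope, iam, now):
    """Disable each exposed principal and return a log of what was done."""
    actions = []
    for key, info in scope.items():
        if info["type"] == "IAMUser":
            user = info["arn"].rsplit("/", 1)[-1]
            iam.update_access_key(UserName=user, AccessKeyId=key, Status="Inactive")
            actions.append(("deactivate_key", user, key))
        elif info["type"] == "AssumedRole":
            # arn:aws:sts::111122223333:assumed-role/RoleName/SessionName
            role = info["arn"].split(":assumed-role/")[1].split("/")[0]
            iam.put_role_policy(RoleName=role, PolicyName="AWSRevokeOlderSessions",
                                PolicyDocument=json.dumps(revoke_sessions_policy(now)))
            actions.append(("revoke_sessions", role))
    return actions


class FakeIam:
    """Constructed stand-in for boto3.client("iam"); same method names and kwargs."""
    def __init__(self):
        self.calls = []

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))
        return {}

    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw))
        return {}


RECORDS = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventName": "RunInstances", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP0001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc1234"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]


def run_example():
    """Scope and contain the constructed records; returns (scope, actions, iam calls)."""
    iam = FakeIam()
    scope = scope_from_cloudtrail(RECORDS)
    return scope, contain(scope, iam, CUTOFF), iam.calls


if __name__ == "__main__":
    print(run_example()[1])
```

Deactivating rather than deleting the user key keeps its ID visible in CloudTrail for the investigation; rotation of any secrets the key could read (`secretsmanager:RotateSecret`) and the persistence check come after containment, once the scope is known.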
## Exam Weight

14%