Episode 46: Domain 2 Audio Quiz: Scenario Walkthroughs

In this quiz session, we shift from short practice questions to full scenario walkthroughs. The goal is to apply the concepts from Domain 2 to realistic situations that could appear on the exam or in day-to-day cloud operations. Each walkthrough will describe a situation, highlight the risks, and identify the most direct AWS tool or best practice that applies. For beginners, this style of learning is especially helpful because it shows not just the right answer, but also the thought process behind choosing it. Think of it as learning how to solve puzzles step by step, rather than just memorizing the finished picture.
Imagine the first scenario: an unexpected root account sign-in occurs. Root usage should be rare and tightly controlled. The correct response is to detect it using CloudTrail events and set up alerts through EventBridge or CloudWatch. Next, containment steps include reviewing whether the sign-in was authorized, rotating credentials if necessary, and investigating activity. Finally, document the event for compliance. For learners, remember that root events are always high-risk, and detection plus follow-up is the proper flow.
Now picture an exposed S3 bucket discovered in your environment. The right fix is to apply Block Public Access at both the account and bucket level, which overrides any permissive ACLs or bucket policies. Additionally, enforce Object Ownership so the bucket owner maintains control, regardless of who uploads files. Beginners should see this scenario as closing a gate that was mistakenly left wide open. On the exam, when S3 exposure comes up, the safe and preventive control is Block Public Access.
Consider an IAM policy that is far too broad, perhaps granting *:* permissions to a role. The remediation is to tighten it according to least-privilege principles. Use groups, permission boundaries, or attribute-based access control tags to limit what the identity can do. The risk here is accidental or malicious misuse of excessive permissions. For learners, it’s like someone having master keys to every door when they only need access to the supply closet. Least privilege is the standard fix for over-permissive IAM.
Next, think about administrators without multi-factor authentication enabled. This is a major compliance failure. The enforcement is to require MFA at the IAM level, track which users are missing it, and prove enforcement with IAM credential reports. Beginners should remember that MFA is one of the simplest but most powerful controls. On the exam, when missing MFA is described, the correct answer will involve enabling MFA, enforcing policies, and producing evidence of compliance.
Sometimes the confusion is between KMS key policies and IAM allow statements. If a user has IAM permissions but is still blocked from using a key, the issue is almost always the key policy. A KMS key policy is the key's resource policy, and an IAM identity policy only takes effect if that key policy either names the principal directly or delegates to IAM by allowing the account's root principal. The default key policy includes exactly that delegation statement; a custom key policy that leaves it out silently cuts IAM out of the decision. The solution is to update the key policy or, for narrowly scoped or temporary access, issue a grant. Beginners should keep this simple rule in mind: IAM permissions allow you to request, but the key policy decides whether the key honors the request. Without the right key policy, IAM alone isn’t enough.
Another scenario: a public-facing EC2 instance is discovered due to a misconfigured security group. The immediate action is to lock down the security group, limiting it to specific IPs or ranges. To prevent recurrence, enforce a Config rule that checks for overly permissive security groups. Beginners should think of this as closing a window that was left wide open, then installing a rule that prevents anyone from opening it again. Prevention and continuous detection work together here.
GuardDuty findings are another common exam scenario. If GuardDuty detects anomalous activity, the correct response is to triage the finding, route it through EventBridge or Security Hub, and document the response. GuardDuty itself does not fix issues — it alerts you. The next step is to follow an incident response playbook, whether quarantining an instance or rotating keys. Beginners should remember that GuardDuty is about raising the alarm; your job is to interpret and act.
When Amazon Inspector surfaces critical Common Vulnerabilities and Exposures, or CVEs, the priority is to address the most severe issues first. This means patching affected systems on a defined cadence, starting with those that are exploitable or internet-facing. Inspector findings guide where the most urgent work lies. For learners, it’s like a medical triage ward: treat life-threatening injuries first, then move to minor wounds. The exam expects you to prioritize based on severity, exposure, and exploitability.
A dangerous scenario occurs if CloudTrail is disabled in an account. The fix is to establish an organization-wide trail through AWS Organizations, ensuring logs are collected centrally into an S3 bucket with encryption and retention policies. Tamper protections must also be enforced: restrict who can delete or modify the logs or the trail itself, and enable CloudTrail log file validation so that signed digest files reveal any log file that was altered or deleted after delivery. Beginners should picture this as security cameras being turned off: the only remedy is to turn them back on everywhere and protect the recordings.
At the edge, a question might ask whether to use WAF or Shield. If the threat is application-specific, like SQL injection or cross-site scripting, the answer is WAF. If the threat is a large-scale denial-of-service flood, the answer is Shield, with Shield Advanced providing extra guarantees and support. Beginners should view this as choosing between different guards: one inspects bags at the door, the other defends against a stampeding crowd. Matching the threat type to the right tool is the key exam skill.
Secrets in code repositories are another common issue. If a developer commits API keys into version control, the correct response is to treat those keys as compromised and rotate them immediately; deleting the commit does not help, because the value stays in the repository history and may already have been cloned or mirrored. Then move the new secrets into AWS Secrets Manager (or Systems Manager Parameter Store), where they are encrypted at rest with KMS, and have applications fetch them at runtime instead of hardcoding them. Beginners should imagine this as someone accidentally publishing the keys to the vault online: the only fix is to change the locks and store the new keys properly. Secrets Manager backed by KMS is the long-term solution.
Cross-account access scenarios often appear in exam questions. The safe design is to use IAM roles for assumption rather than long-lived keys, combined with SCP guardrails in Organizations to enforce boundaries. This allows one account to use resources in another without weakening security. Beginners should picture this as a guest pass rather than a permanent copy of the house key. Role assumption ensures temporary, auditable access, while SCPs prevent misuse across the organization.
Finally, imagine an auditor requesting proof that AWS infrastructure meets specific standards. The correct service to provide this is Artifact. Download the relevant SOC, ISO, or PCI report and present it as evidence. Security Hub or GuardDuty findings are not substitutes here. For learners, Artifact is the official library of AWS's own third-party audit reports, covering the AWS side of the shared responsibility model; evidence about your own configuration comes from other services. When the exam asks for proof of AWS compliance during an audit, Artifact is the answer.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
The most effective way to approach scenarios is to use a structured method: identify the symptoms, analyze the risks, and then apply the most direct AWS control. Symptoms are the surface details in the question — such as “an unexpected root login” or “an S3 bucket accessible to the public.” Risks are what could happen if left unresolved — like account compromise or data leakage. The correct AWS control is the service or feature that addresses the risk in the most preventive, reliable way. Beginners should think of this as medical diagnosis: start with symptoms, consider possible illnesses, and apply the right treatment.
Let’s revisit the root sign-in case. The symptom is an alert showing a root login. The risk is that someone with unlimited permissions may misuse or destroy resources. The correct control flow is to use CloudTrail to detect the event, EventBridge or CloudWatch alarms to notify immediately, and incident response recordkeeping to document every action. Containment may include rotating root credentials and validating MFA settings. For learners, the lesson is that root account activity always demands investigation, and monitoring plus documentation are key.
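The detection half of that flow, as an added example that is not part of the episode: CloudTrail delivers sign-in and API events to EventBridge under fixed detail-types, so a rule pattern on userIdentity.type equal to Root is enough to catch both root console logins and root API calls. The code below carries those two patterns, a simplified matcher that applies them the way EventBridge would, and a flagging routine; the events are constructed in the EventBridge envelope shape and are not real CloudTrail output.

```python
"""Root-activity detection over CloudTrail events plus the EventBridge
patterns that would route such events to an alarm. Added example; the
events below are constructed, not real CloudTrail output."""

# EventBridge patterns (documented detail-types for CloudTrail-delivered events).
ROOT_PATTERNS = [
    {   # console sign-in by root, delivered as a sign-in event
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}, "eventName": ["ConsoleLogin"]},
    },
    {   # any API call made with root credentials
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
]

def matches_pattern(event, pattern):
    """Simplified EventBridge matching: every pattern key must be present in the
    event; a list matches if the event value is one of its members; nested dicts
    recurse. (Real EventBridge also supports prefix, anything-but, numeric, etc.)"""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches_pattern(got, want):
                return False
        elif got not in want:
            return False
    return True

def flag_root_events(envelopes):
    """Return one alert per event that matches any root pattern."""
    alerts = []
    for env in envelopes:
        if any(matches_pattern(env, p) for p in ROOT_PATTERNS):
            d = env["detail"]
            alerts.append({
                "eventName": d["eventName"],
                "eventTime": d.get("eventTime"),
                "sourceIP": d.get("sourceIPAddress"),
                "mfaUsed": d.get("additionalEventData", {}).get("MFAUsed", "n/a"),
                # a console login is the highest-signal event; API calls still need review
                "severity": "HIGH" if d["eventName"] == "ConsoleLogin" else "MEDIUM",
            })
    return alerts

# Constructed events in the EventBridge envelope shape (only the fields used here).
SAMPLE_EVENTS = [
    {"detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T08:00:00Z",
                "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "additionalEventData": {"MFAUsed": "Yes"}}},
    {"detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T02:13:00Z",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "No"}}},
    {"detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateAccessKey", "eventTime": "2024-05-01T02:15:00Z",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "Root"}}},
]

if __name__ == "__main__":
    for alert in flag_root_events(SAMPLE_EVENTS):
        print(alert)
```

The second pattern is the one people forget: a root session that never touches the console still shows up as API calls, and a CreateAccessKey by root minutes after an MFA-less login is exactly the sequence the containment step should be looking for.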
In the S3 exposure scenario, the symptom is a bucket found to be public. The risk is accidental or malicious data exfiltration. The control flow is to enforce Block Public Access, validate policies with IAM Access Analyzer, and optionally confirm sensitive data with Macie. This combines prevention, analysis, and validation. Beginners should picture this as closing a gate, checking the locks, and then scanning the house to make sure valuables are still safe. Multiple controls layer together to restore confidence.
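To make the "overrides any permissive policy" claim concrete, here is an added example (not from the episode) that evaluates a bucket the way S3 does at a high level: account-level and bucket-level Block Public Access settings combine, the most restrictive value wins, and RestrictPublicBuckets neutralizes a policy that grants to everyone even if that policy is still attached. The policy and settings are constructed; the check is a simplification, and the comments say what it ignores.

```python
"""Evaluate whether an S3 bucket is actually reachable by the public given
its policy and the account- and bucket-level Block Public Access settings.
Added example with constructed inputs; it is a simplification of the real
S3 evaluation (see the comments for what it ignores)."""

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# What the walkthrough recommends: every setting on, at both levels, plus
# Object Ownership set to BucketOwnerEnforced so ACLs are disabled entirely.
HARDENED_BPA = dict.fromkeys(BPA_KEYS, True)
HARDENED_OBJECT_OWNERSHIP = "BucketOwnerEnforced"

def effective_bpa(account_bpa, bucket_bpa):
    """Account and bucket settings combine; the most restrictive value wins."""
    return {k: bool(account_bpa.get(k)) or bool(bucket_bpa.get(k)) for k in BPA_KEYS}

def is_anonymous_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def public_statements(policy):
    """Allow statements that grant to everyone. Simplification: any Condition is
    treated as making the statement non-public; real S3 still counts statements
    as public when their conditions are broad (e.g. a wide aws:SourceIp range)."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and is_anonymous_principal(s.get("Principal"))
            and not s.get("Condition")]

def assess_bucket(name, account_bpa, bucket_bpa, policy):
    eff = effective_bpa(account_bpa, bucket_bpa)
    pub = public_statements(policy)
    if not pub:
        status = "OK: no public policy statements"
    elif eff["RestrictPublicBuckets"]:
        # RestrictPublicBuckets neutralizes an existing public policy: only the
        # account's authorized principals and AWS services can use the bucket.
        status = "OK: public statements present but neutralized by RestrictPublicBuckets"
    else:
        status = "PUBLIC: anonymous access granted and nothing blocks it"
    return {"bucket": name, "effective_bpa": eff,
            "public_statements": len(pub), "status": status}

# Constructed inputs: a bucket whose policy was accidentally opened to the world.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "App", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/*"},
]}
NO_BPA = dict.fromkeys(BPA_KEYS, False)

if __name__ == "__main__":
    print(assess_bucket("example-reports", NO_BPA, NO_BPA, LEAKY_POLICY)["status"])
    print(assess_bucket("example-reports", HARDENED_BPA, NO_BPA, LEAKY_POLICY)["status"])
```

Turning Block Public Access on is the containment step; the "Oops" statement should still be removed afterwards, and IAM Access Analyzer is the service that will keep reporting it until it is.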
IAM repairs often revolve around overbroad policies. The symptom is a *:* permission or a policy granting far too much power. The risk is privilege misuse. The correct remediation flow is to check IAM last accessed information (Access Advisor) to see which services and actions are actually used, use the policy simulator to test narrower policies, and replace broad allows with least-privilege rules. Beginners should recognize that IAM fixes involve evidence-driven trimming: know what’s used, test alternatives, and then enforce the smaller scope.
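The evidence-driven trimming described above, as an added example that is not from the episode: one function flags wildcard statements, another derives a narrowed policy from last-accessed data by keeping only the actions seen inside a lookback window. The records are constructed in the shape of IAM's GetServiceLastAccessedDetails output (ServiceNamespace, LastAuthenticated, TrackedActionsLastAccessed); the simplification is that action-level data is assumed for every service, whereas IAM only reports it for some.

```python
"""Find wildcard IAM statements and derive a narrower policy from last-accessed
data. Added example; the broad policy and the last-accessed records below are
constructed and mimic (but simplify) IAM's last accessed information."""
from datetime import datetime, timedelta, timezone

def _as_list(v):
    return v if isinstance(v, list) else [v]

def wildcard_statements(policy):
    """Sids of Allow statements with Action '*' (or 'service:*') on Resource '*'."""
    found = []
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        actions = _as_list(s.get("Action", []))
        resources = _as_list(s.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            found.append(s.get("Sid", "<no Sid>"))
    return found

def build_least_privilege(last_accessed, now, window_days=90):
    """Keep only actions actually used inside the window; everything else is
    dropped. Resource stays '*' here and should be narrowed as a second step."""
    cutoff = now - timedelta(days=window_days)
    keep = set()
    for svc in last_accessed:
        last = svc.get("LastAuthenticated")
        if last is None or datetime.fromisoformat(last) < cutoff:
            continue  # whole service unused in the window
        for act in svc.get("TrackedActionsLastAccessed", []):
            a_last = act.get("LastAccessedTime")
            if a_last is not None and datetime.fromisoformat(a_last) >= cutoff:
                keep.add(f'{svc["ServiceNamespace"]}:{act["ActionName"]}')
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LeastPrivilege", "Effect": "Allow",
         "Action": sorted(keep), "Resource": "*"}]}

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
LAST_ACCESSED = [  # constructed
    {"ServiceNamespace": "s3", "LastAuthenticated": "2024-04-29T10:00:00+00:00",
     "TrackedActionsLastAccessed": [
         {"ActionName": "GetObject", "LastAccessedTime": "2024-04-29T10:00:00+00:00"},
         {"ActionName": "ListBucket", "LastAccessedTime": "2024-04-28T09:00:00+00:00"},
         {"ActionName": "DeleteBucket", "LastAccessedTime": "2023-01-15T09:00:00+00:00"}]},
    {"ServiceNamespace": "ec2", "LastAuthenticated": "2023-10-01T00:00:00+00:00",
     "TrackedActionsLastAccessed": [
         {"ActionName": "RunInstances", "LastAccessedTime": "2023-10-01T00:00:00+00:00"}]},
    {"ServiceNamespace": "iam", "LastAuthenticated": None, "TrackedActionsLastAccessed": []},
]

if __name__ == "__main__":
    print("wildcard statements:", wildcard_statements(BROAD_POLICY))
    print("narrowed actions:", build_least_privilege(LAST_ACCESSED, NOW)["Statement"][0]["Action"])
```

The narrowed policy is a proposal, not a deployment: run it through the policy simulator against the workload's real calls first, and expect to narrow Resource next, since "s3:GetObject on *" is still wider than the one bucket the role reads.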
MFA rollout scenarios begin with the symptom of administrators without MFA. The risk is that a stolen password grants full access. The flow is to register MFA devices for every admin, enforce MFA in IAM policies, and track exceptions for temporary cases. IAM credential reports verify compliance. Beginners should view this as putting deadbolts on every critical door. Not everyone may get one on day one, but enforcement ensures no admin remains unprotected.
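The "track who is missing it" and "enforce it in policy" steps, as an added example that is not part of the episode: the first function parses a credential report and lists console users without an MFA device, and the second applies the standard deny-unless-MFA statement to a request. The report is constructed using a subset of the real report's column names; the policy is the well-known pattern built on the aws:MultiFactorAuthPresent condition key.

```python
"""Find console users without MFA from an IAM credential report and model the
deny-unless-MFA policy that enforces it. Added example; the report below is
constructed in the real report's CSV layout (subset of columns)."""
import csv
import io

# Constructed credential report. The real one has more columns; these are the
# ones that matter here. Root shows password_enabled=not_supported.
CREDENTIAL_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-04-30T02:13:00+00:00,true,false
alice,arn:aws:iam::111122223333:user/alice,true,2024-04-30T08:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,true,2024-04-29T08:00:00+00:00,false,false
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,false,N/A,false,true
"""

def users_missing_mfa(report_csv):
    """Console users (password enabled) with no MFA device. API-only users are
    skipped: they need access-key rotation, not a virtual MFA device."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] == "false")

# The standard enforcement policy: deny everything except what a user needs to
# enrol a device, unless the session was authenticated with MFA. BoolIfExists
# also denies requests with no MFA context at all, such as plain access-key calls.
DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllExceptMfaSetupUnlessMfaPresent",
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                  "iam:ResyncMFADevice", "iam:GetUser", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}]}

def request_denied_by_mfa_policy(action, mfa_present, policy=DENY_WITHOUT_MFA):
    """Apply the deny statement: True if the policy blocks this request."""
    for s in policy["Statement"]:
        cond = s.get("Condition", {}).get("BoolIfExists", {})
        if s["Effect"] == "Deny" and cond.get("aws:MultiFactorAuthPresent") == "false":
            if not mfa_present and action not in s["NotAction"]:
                return True
    return False

if __name__ == "__main__":
    print("missing MFA:", users_missing_mfa(CREDENTIAL_REPORT))
    print("s3:ListAllMyBuckets without MFA denied:",
          request_denied_by_mfa_policy("s3:ListAllMyBuckets", False))
```

Note what the report does for the evidence step: the same CSV that found bob is what you hand the auditor after he enrols, with mfa_active flipped to true.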
Key policy conflicts in KMS come up when IAM permissions allow use but the key policy does not. The symptom is an “access denied” error on a KMS call such as kms:Decrypt. The risk is confusion leading to insecure workarounds, such as widening the key policy to everyone. The correct control flow is to update the key policy so it either grants the principal or delegates to IAM through the account root principal, or to issue a grant for temporary or programmatic access. Beginners should remember: IAM policies open the front gate, but key policies are the lock on the vault. Without alignment, the vault remains closed.
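Here is an added example (not from the episode) that models the decision: a principal can use a key if the key policy grants it directly, if a grant covers the operation, or if the key policy delegates to IAM via the account root principal and an IAM policy then allows the action. It reproduces the failure in the scenario, an IAM allow with a key policy that was written for the admin role only, and the two fixes. Policies are constructed; Deny statements, conditions and cross-account access are left out of this simplification.

```python
"""Model how KMS decides whether a principal can use a key: the key policy must
either grant the principal directly, delegate to IAM by allowing the account's
root principal, or a grant must cover the operation. Added example with
constructed policies; it ignores Deny statements, conditions and cross-account
cases, which the real evaluation also handles."""

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(stmt, action):
    return any(a in ("*", "kms:*", action) for a in _as_list(stmt.get("Action", [])))

def _principals(stmt):
    p = stmt.get("Principal", {})
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)

def key_policy_grants(key_policy, principal_arn, action):
    return any(s.get("Effect") == "Allow" and principal_arn in _principals(s)
               and _action_matches(s, action) for s in key_policy["Statement"])

def key_policy_delegates_to_iam(key_policy, account_id, action):
    """The default key policy contains exactly this statement: allow the account
    root principal kms:*, which lets IAM policies in that account take effect."""
    return key_policy_grants(key_policy, f"arn:aws:iam::{account_id}:root", action)

def iam_allows(iam_policy, action):
    return any(s.get("Effect") == "Allow" and _action_matches(s, action)
               for s in iam_policy["Statement"])

def grant_covers(grants, principal_arn, operation):
    return any(g["GranteePrincipal"] == principal_arn and operation in g["Operations"]
               for g in grants)

def can_use_key(key_policy, iam_policy, grants, principal_arn, account_id, action):
    """Return (allowed, reason)."""
    if key_policy_grants(key_policy, principal_arn, action):
        return True, "key policy grants the principal directly"
    if grant_covers(grants, principal_arn, action.split(":", 1)[1]):
        return True, "a grant covers the operation"
    if iam_allows(iam_policy, action):
        if key_policy_delegates_to_iam(key_policy, account_id, action):
            return True, "key policy delegates to IAM and the IAM policy allows"
        return False, "IAM allows, but the key policy neither grants nor delegates"
    return False, "no IAM permission"

ACCOUNT = "111122223333"
USER = f"arn:aws:iam::{ACCOUNT}:user/alice"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"

# Constructed: an IAM policy that allows Decrypt, and a key policy that was
# written for the admin role only, with the root/IAM delegation left out.
IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}
ADMIN_ONLY_KEY_POLICY = {"Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow", "Principal": {"AWS": ADMIN},
     "Action": "kms:*", "Resource": "*"}]}
DELEGATING_KEY_POLICY = {"Statement": ADMIN_ONLY_KEY_POLICY["Statement"] + [
    {"Sid": "EnableIAMPolicies", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}]}
DECRYPT_GRANT = [{"GranteePrincipal": USER, "Operations": ["Decrypt"]}]

if __name__ == "__main__":
    for kp, grants in ((ADMIN_ONLY_KEY_POLICY, []), (DELEGATING_KEY_POLICY, []),
                       (ADMIN_ONLY_KEY_POLICY, DECRYPT_GRANT)):
        print(can_use_key(kp, IAM_POLICY, grants, USER, ACCOUNT, "kms:Decrypt"))
```

The first call is the scenario's "access denied"; the second is the key-policy fix; the third is the grant. Which fix to pick is a design choice: the root delegation re-enables IAM for every principal in the account, while a grant is scoped to one principal and one set of operations and can be retired when the job is done.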
For misconfigured security groups, the symptom is an EC2 instance exposed to the public internet. The risk is intrusion or exploitation. The control flow is to lock down the security group, limit sources to trusted IPs, and verify connectivity with VPC Reachability Analyzer. Config rules then ensure noncompliant groups are flagged automatically in the future. Beginners should see this as not just closing the window today but also installing a sensor to alert if it’s ever reopened.
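The lockdown step in code, as an added example that is not from the episode: the scanner walks a security group in the shape of describe-security-groups output, reports every rule that admits 0.0.0.0/0 or ::/0 on anything other than the assumed web ports, and builds the restricted replacement rule. The group and the trusted range are constructed; the "web ports may be public" allowance is an assumption stated in the code.

```python
"""Flag security-group rules open to the whole internet and produce the
restricted replacement. Added example; the group below is constructed in the
shape of describe-security-groups output (IpPermissions only)."""

ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: only web ports may be world-open
WORLD = {"0.0.0.0/0", "::/0"}

def _ports(rule):
    if rule.get("IpProtocol") == "-1":       # all traffic, all ports
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)

def world_open_rules(sg):
    """Rules that admit any source on something other than a single allowed web port.
    AWS Config managed rules such as restricted-ssh catch the same class of rule
    continuously; this is the one-off audit version."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        lo, hi = _ports(rule)
        if rule.get("IpProtocol") == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_PORTS:
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for src in sources:
            if src in WORLD:
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": rule.get("IpProtocol"),
                                 "FromPort": lo, "ToPort": hi, "Source": src})
    return findings

def restrict_rule(finding, trusted_cidrs):
    """Replacement ingress rule: same ports, trusted sources only. Operationally
    you revoke the offending rule and authorize this one in its place."""
    proto = finding["IpProtocol"]
    rule = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c, "Description": "trusted admin range"}
                         for c in trusted_cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c, "Description": "trusted admin range"}
                           for c in trusted_cidrs if ":" in c]}
    if proto != "-1":
        rule["FromPort"], rule["ToPort"] = finding["FromPort"], finding["ToPort"]
    return rule

SAMPLE_SG = {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [  # constructed
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
]}

if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_SG):
        print(f, "->", restrict_rule(f, ["203.0.113.0/24"]))
```

The IPv6 rule is the one that most often survives a manual review: people search for 0.0.0.0/0 and never look at ::/0, so the scanner checks both.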
GuardDuty findings require a structured response. The symptom is a suspicious activity alert, such as connections to a known malicious IP. The risk is compromised credentials or infrastructure. The control flow involves enriching the finding with context, routing it into ticketing systems, and applying suppression rules if noise is excessive. Documenting the response ensures accountability. Beginners should note that GuardDuty alone does not fix — it informs, and your workflows provide the action.
When Inspector identifies critical CVEs, the symptom is a long list of vulnerabilities. The risk is that attackers exploit them before patches are applied. The control flow is to assess based on business impact, patch the most severe and exploitable first, and automate remediation where possible using Systems Manager Patch Manager and Automation runbooks. Beginners should imagine a hospital triage ward: the sickest patients are treated first. Inspector findings must be filtered for priority, not addressed all at once.
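The triage rule stated in both Inspector passages (severity, then exploitability, then exposure), as an added example that is not from the episode: findings are bucketed into tiers, sorted within a tier by score, and given a patch deadline per tier. The findings are constructed and use a flattened subset of Inspector's fields (severity, inspectorScore, exploitAvailable); the internet-facing flag and the SLA table are assumptions, since exposure comes from your inventory and deadlines from your policy.

```python
"""Rank vulnerability findings by severity, exploit availability and exposure,
and attach a patch deadline to each tier. Added example; the findings are
constructed and use a flattened subset of Inspector's fields plus an assumed
internet-facing flag. The SLA table is a policy assumption, not a vendor figure."""
from datetime import datetime, timedelta

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
SLA_DAYS = {"P1": 1, "P2": 7, "P3": 30, "P4": 90}   # assumed patch windows

def tier(f):
    """P1: critical/high, exploit available, internet-facing.
    P2: critical/high with one of the two aggravators.
    P3: other critical/high. P4: everything else."""
    severe = SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK["HIGH"]
    aggravators = int(f["exploitAvailable"] == "YES") + int(f["internetFacing"])
    if severe and aggravators == 2:
        return "P1"
    if severe and aggravators == 1:
        return "P2"
    if severe:
        return "P3"
    return "P4"

def prioritize(findings, now):
    """Sort by tier, then inspectorScore; return (findingArn, tier, due date)."""
    ranked = sorted(findings, key=lambda f: (tier(f), -f["inspectorScore"]))
    return [(f["findingArn"], tier(f),
             (now + timedelta(days=SLA_DAYS[tier(f)])).date().isoformat())
            for f in ranked]

NOW = datetime(2024, 5, 1)
FINDINGS = [  # constructed
    {"findingArn": "f-001", "severity": "HIGH", "inspectorScore": 8.1,
     "exploitAvailable": "NO", "internetFacing": False},
    {"findingArn": "f-002", "severity": "CRITICAL", "inspectorScore": 9.8,
     "exploitAvailable": "YES", "internetFacing": True},
    {"findingArn": "f-003", "severity": "MEDIUM", "inspectorScore": 5.3,
     "exploitAvailable": "YES", "internetFacing": True},
    {"findingArn": "f-004", "severity": "CRITICAL", "inspectorScore": 9.1,
     "exploitAvailable": "NO", "internetFacing": True},
    {"findingArn": "f-005", "severity": "HIGH", "inspectorScore": 7.5,
     "exploitAvailable": "YES", "internetFacing": True},
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS, NOW):
        print(row)
```

Note that f-005 (HIGH, exploitable, exposed) outranks f-004 (CRITICAL, no known exploit): that is the point of the passage. Severity alone would have ordered them the other way.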
A disabled CloudTrail is another urgent case. The symptom is missing or stopped logs. The risk is a blind spot in auditing and investigations. The correct flow is to enable an organization-wide trail, encrypt logs with KMS, turn on log file validation so that altered or deleted log files can be detected, and set lifecycle policies for retention. Access controls must prevent deletion or modification of both the logs and the trail configuration. Beginners should view this as restoring security cameras across the entire property, with locks on the footage room to prevent tampering. Visibility and integrity matter as much as coverage.
Choosing between WAF and Shield comes down to symptoms. If the threat involves SQL injection, cross-site scripting, or bot traffic, WAF is the right choice. If it’s a distributed denial-of-service flood aiming to overwhelm capacity, Shield or Shield Advanced is correct. The risk is misidentifying the layer of attack. Beginners should think of this as deciding whether to call in door guards for suspicious individuals or reinforcements against an invading army. Different symptoms point to different defenders.
Secrets found in a code repository require immediate action. The symptom is exposed credentials. The risk is unauthorized access to accounts and resources. The flow is to rotate those secrets immediately (the committed value is compromised even after the commit is rewritten, because history and clones keep it), migrate them into AWS Secrets Manager, which encrypts them with KMS, and enable automated rotation going forward. A secret-scanning check in the CI/CD pipeline or a pre-commit hook then blocks future leaks before they reach the repository. Beginners should imagine this as changing the locks once a spare key has been lost, then storing new keys in a guarded vault so they can’t be misplaced again.
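The pipeline check that serves both secrets passages, as an added example that is not from the episode: a scanner that a pre-commit hook or CI job runs over the files in a change and fails the build if it finds an AWS access key ID or a secret-key assignment. The file contents are constructed, and the key pair in them is the example pair AWS publishes in its documentation, not a live credential.

```python
"""Scan files for committed AWS credentials, the check a pre-commit hook or CI
job would run before a secret reaches version control. Added example; the file
contents below are constructed and use AWS's documented example key pair,
which is not a live credential."""
import re

PATTERNS = {
    # access key IDs: long-term (AKIA) and temporary (ASIA)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # secret key assigned in config/env/code: the 40-character value
    "aws_secret_access_key": re.compile(
        r"(?i)aws(?:_|-)?secret(?:_|-)?access(?:_|-)?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
}

def scan_text(path, text):
    """Return one finding per matching line: (path, line number, pattern name)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, name))
    return findings

def scan_files(files):
    """files: {path: content}. Returns all findings; non-empty means block the commit."""
    out = []
    for path, content in files.items():
        out.extend(scan_text(path, content))
    return out

SAMPLE_FILES = {  # constructed
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "app/storage.py": (
        "import boto3\n"
        "# credentials come from the role or Secrets Manager, never from code\n"
        "s3 = boto3.client('s3')\n"
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, lineno, name in found:
        print(f"{path}:{lineno}: {name}")
    raise SystemExit(1 if found else 0)   # non-zero exit fails the hook or job
```

Two things a practitioner should add on top: run it over the whole history once (the hook only sees new commits), and treat every hit as a rotation, not just a cleanup, for the reason given in the passage above.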
Cross-account access scenarios begin with the symptom of accounts needing shared access. The risk is long-lived keys and uncontrolled sharing. The correct control is to use IAM roles with temporary session tokens and guardrails enforced by SCPs. This ensures access is short-lived and centrally governed. Beginners should see this as issuing visitor badges that expire, rather than handing out permanent keys. It balances security with necessary collaboration.
Auditor requests are a final common scenario. The symptom is a request for proof that AWS infrastructure meets standards. The risk is failing to provide evidence or presenting outdated reports. The correct control is to use AWS Artifact, confirm report currency, and store them securely with tags for retention. Beginners should note that audits always require evidence, not opinion. Artifact is AWS’s official library of such documents, and presenting them correctly is the mark of good compliance hygiene.
In summary, the pattern across these scenarios is clear: start with preventive guardrails where possible, back them with detective controls, and finish with responsive processes. Root activity is detected with CloudTrail, S3 is secured with Block Public Access, IAM is remediated with least privilege, and compliance is proven with Artifact. For learners, the guiding principle is to always think: what is the most direct AWS service or feature that prevents or corrects the risk? By mastering this pattern, both the exam and real-world practice become far more manageable.
