Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SCS-C02 (free, no signup)

Security Logging and Monitoring

Practice SCS-C02 Security Logging and Monitoring questions with full explanations on every answer.

323 questions

SCS-C02 domains: Threat Detection and Incident Response; Security Logging and Monitoring; Identity and Access Management; Management and Security Governance; Infrastructure Security; Data Protection.


SCS-C02 Security Logging and Monitoring questions (showing 300 of 323)


1

A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

2

A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?

3

A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?

4

A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?

5

A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?

6

A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?

7

A security engineer needs to centrally collect and analyze AWS CloudTrail logs from multiple accounts. Which service is designed for this purpose?

8

A company uses AWS CloudTrail and wants to ensure that any modification to the trail itself is detected immediately. What should be done?

9

A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)

10

A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)

11

Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)

12

A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)

13

Refer to the exhibit. A security engineer reviews a CloudTrail log entry. What is the MOST concerning security issue?

14

Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?

15

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to implement centralized logging for all AWS CloudTrail events across all accounts. They create a new trail in the management account with the following configuration: trail name 'central-trail', apply to all accounts in the organization, enable data events for all S3 buckets, and store logs in a centralized S3 bucket. After one week, they notice that some accounts are not delivering CloudTrail logs to the central bucket. The security engineer verifies that the trail is still configured to apply to all accounts and that the S3 bucket policy allows cross-account access. What is the MOST likely reason for the missing logs?

16

A security engineer wants to receive real-time notifications when an AWS API call is made to delete an S3 bucket. Which service should be used to capture and forward these events to an Amazon SNS topic?

17

A company is using AWS Organizations with multiple accounts. The security team needs to centrally monitor all root user API activity across all accounts and receive alerts within minutes. What is the MOST efficient solution?

18

A company uses AWS CloudTrail to log all API calls. The security team notices that some expected log entries are missing for actions performed by an IAM role assumed by an EC2 instance. The instance has the required permissions. What is the MOST likely cause of the missing log entries?

19

A security engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must provide a centralized view of all API activities and send alerts for suspicious events. Which TWO services together can achieve this? (Choose TWO.)

20

A company runs a critical application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The security team enabled VPC Flow Logs, CloudTrail, and CloudWatch Logs for the application tier. Recently, they noticed that some EC2 instances are being terminated unexpectedly by an unknown IAM user. The CloudTrail logs show the TerminateInstances API call, but the source IP address is from within the VPC CIDR range. The security team suspects the action is coming from an EC2 instance that has been compromised. They need to identify the specific compromised instance and the IAM role it used. Which combination of steps will provide the necessary information? (Choose TWO.)

21

A security engineer needs to ensure that all API calls made in an AWS account are captured and retained for auditing purposes. The engineer must be able to query the logs for specific user activity over the past 90 days. Which AWS service should the engineer use to meet these requirements?

22

A company is using AWS CloudTrail to monitor API activity in its AWS account. The security team needs to be alerted when unauthorized API calls are made to delete Amazon S3 buckets. Which TWO steps should the security team take to meet this requirement? (Choose TWO.)

23

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?

24

Drag and drop the steps to set up AWS Shield Advanced with automatic application layer DDoS mitigation in the correct order.

25

Drag and drop the steps to respond to a suspected AWS IAM credential compromise in the correct order.

26

Match each AWS CloudTrail log type to its description.

27

Match each AWS security tool to its purpose.

28

A security engineer needs to monitor for suspicious API calls in near real-time and trigger an automated response. Which AWS service should be used to capture and analyze these API calls?

29

A company uses AWS Organizations with multiple accounts. The security team wants to centralize security logs (CloudTrail, VPC Flow Logs, AWS Config) from all accounts into a single S3 bucket for analysis. What is the MOST secure way to set up this centralized logging?

30

A company is using Amazon CloudWatch Logs to store application logs. The security team needs to retain logs for 7 years to comply with regulatory requirements. The logs are accessed infrequently after the first 90 days. What is the MOST cost-effective way to meet these retention and access requirements?

31

A security engineer is troubleshooting an issue where Amazon GuardDuty is not generating findings for a specific EC2 instance that is known to be compromised. The instance is in a VPC with VPC Flow Logs enabled. What could be the reason for the lack of findings?

32

A company wants to monitor failed SSH login attempts to its EC2 instances. Which AWS service should be used to collect and analyze these logs?

33

A company uses Amazon S3 to store sensitive data. The security team needs to be alerted when an S3 bucket policy is changed to allow public access. Which combination of services should be used to meet this requirement?

34

A security engineer is investigating a potential security incident involving an EC2 instance that was used to launch an outbound DDoS attack. The engineer needs to determine the source of the attack and the commands executed on the instance. Which logs should be analyzed?

35

A company wants to detect and alert on suspicious IAM user behavior, such as accessing services that are not typically used. Which AWS service provides prebuilt anomaly detection for IAM users?

36

A company has enabled AWS CloudTrail in all regions and is delivering logs to a central S3 bucket. The security team needs to ensure that any attempt to delete or modify CloudTrail logs is detected and alerted. What should be done?

37

A company is using Amazon CloudWatch Logs to collect application logs. The security team wants to detect patterns that indicate security threats, such as multiple failed login attempts. Which TWO services can be used together to perform real-time log analysis and alerting?

38

A company uses AWS Organizations and wants to enforce that all member accounts enable VPC Flow Logs for all VPCs. Which THREE services or features should be used to enforce this policy automatically?

39

A security engineer is setting up monitoring for AWS API calls. Which TWO AWS services can be used to capture and analyze API activity?

40

A security engineer is troubleshooting why CloudTrail logs are not being delivered to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured to log management events. However, no log files appear in the bucket. What is the MOST likely cause?

41

A company uses AWS Config to track resource changes. They notice that a weekly compliance report shows an S3 bucket as non-compliant with a rule that checks for server-side encryption. However, the bucket has default encryption enabled. What is the MOST likely reason for this discrepancy?

42

A company wants to centrally collect VPC Flow Logs from multiple accounts into a single S3 bucket in the security account. Which solution is the MOST operationally efficient?

43

A security team needs to be alerted when an IAM user generates a console login failure. Which combination of AWS services should be used to meet this requirement?

44

A company has a CloudTrail trail that logs management events for all regions in the management account. They want to also log data events for all S3 buckets in the organization. Which configuration change will meet this requirement with the LEAST operational overhead?

45

A security engineer needs to ensure that all S3 buckets in an AWS account have server access logging enabled. Which AWS service should be used to continuously monitor for compliance?

46

A company is using Amazon Route 53 and wants to log DNS queries for investigative purposes. The logs must be stored in a centralized S3 bucket in the security account. What is the MOST efficient way to achieve this?

47

A company uses AWS CloudTrail to log all API calls. The security team notices that some PutObject API calls are not appearing in the CloudTrail logs. The S3 bucket in question has server access logging enabled. What is the MOST likely reason for the missing CloudTrail events?

48

A security engineer needs to detect when an EC2 instance is terminated in an AWS account. The solution must provide near-real-time notification. Which combination of services should be used?

49

A company is designing a centralized logging solution for VPC Flow Logs across multiple AWS accounts. The solution must meet the following requirements:
- Centralized storage in an S3 bucket in the security account.
- Real-time analysis of flow logs.
- Minimal operational overhead.
Which TWO actions should the company take? (Choose two.)

50

A security engineer is investigating a potential security incident. The engineer has enabled CloudTrail and VPC Flow Logs. Which THREE pieces of information can the engineer obtain from CloudTrail logs that are NOT available in VPC Flow Logs? (Choose three.)

51

A company is using Amazon GuardDuty to detect threats. The security team wants to receive alerts for specific findings. Which TWO AWS services can be used to forward GuardDuty findings to a custom application for analysis? (Choose two.)

52

A company wants to monitor for unauthorized API calls in real-time. The solution must meet the following requirements:
- Detect calls that fail authentication (AccessDenied).
- Detect calls that use a revoked IAM role.
- Provide a centralized view across multiple accounts.
Which THREE services should be used together to implement this solution? (Choose three.)

53

A security engineer needs to detect unauthorized API calls in an AWS account. Which AWS service should be used to record and monitor API activity for auditing?

54

A company needs to centralize security logs from multiple AWS accounts and on-premises servers. The logs must be encrypted at rest and stored in a cost-effective manner. Which solution meets these requirements?

55

A Security Engineer is troubleshooting why AWS CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail access. What is a likely cause of the issue?

56

A company wants to monitor failed SSH login attempts to EC2 instances. Which approach should be used?

57

A company uses AWS WAF to protect a web application. The security team needs to analyze blocked requests to identify attack patterns. Which service should be used to query and visualize WAF logs?

58

A company has a CloudTrail trail that logs management events for all regions. The security team notices that some S3 data events are not being logged. How should the team enable logging for all S3 data events?

59

A company needs to be alerted when root account credentials are used in their AWS account. Which service should be used to create a metric filter and alarm for this event?

60

A company uses AWS Organizations to manage multiple accounts. The security team wants to enable CloudTrail for all accounts and centrally store logs. What is the most efficient way to achieve this?

61

A security engineer needs to analyze VPC Flow Logs to identify traffic to a known malicious IP address. The logs are stored in Amazon S3. Which approach is the most cost-effective for querying the logs?

62

A company wants to receive notifications when AWS CloudTrail logs are delivered to an S3 bucket. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

63

A security engineer needs to monitor DNS query logs for malicious domain names. Which THREE services can be used together to collect, analyze, and alert on DNS logs? (Choose THREE.)

64

A company wants to ensure that all API calls in their AWS account are logged and immutable. Which TWO actions should be taken? (Choose TWO.)

65

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs. However, log delivery is failing. What is the most likely cause?

66

Refer to the exhibit. The security team is investigating a security incident in the us-west-2 region. They notice that management events from us-west-2 are not appearing in the CloudTrail logs. Based on the exhibit, what is the most likely reason?

67

Refer to the exhibit. A security engineer creates this CloudWatch Logs metric filter on a CloudTrail log group to detect root account usage. However, no metrics are generated. What is the most likely issue?

68

A company uses AWS CloudTrail to log all API calls in their AWS account. They need to ensure that log files are not tampered with after they are delivered to the S3 bucket. Which feature should be enabled to provide integrity validation?

69

A security engineer is designing a monitoring solution for an AWS Lambda function that processes sensitive data. The function occasionally fails due to timeouts. The engineer needs to be alerted immediately when the function fails and also wants to analyze the error logs. Which combination of services should the engineer use?

70

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. The bucket policy allows cross-account access. However, logs from member accounts are not being delivered. What is the most likely cause?

71

A company uses Amazon RDS for MySQL and wants to monitor database activity for security analysis. Which AWS service should be used to capture detailed database activity logs such as login attempts and query execution?

72

A security engineer is configuring VPC Flow Logs for a VPC that hosts a web application. The engineer wants to capture all traffic to and from the internet. Which of the following is the most appropriate configuration?

73

A security team wants to collect and analyze logs from multiple AWS services including CloudTrail, VPC Flow Logs, and AWS WAF. They need a centralized solution that can filter, transform, and route logs to multiple destinations in near real-time. Which AWS service should they use?

74

A company wants to detect and alert on unauthorized API calls in their AWS account. Which AWS service can provide real-time notifications when specific API calls are made?

75

A company uses AWS CloudTrail and wants to ensure that logs are encrypted at rest using a customer-managed KMS key. The CloudTrail trail is configured to deliver logs to an S3 bucket. After enabling SSE-KMS on the S3 bucket, the logs are not being delivered. What is the most likely cause?

76

A security engineer is investigating a potential security incident. They suspect that an IAM user's credentials were compromised and used to launch EC2 instances in a region where the user normally does not operate. Which AWS service can help the engineer identify the source IP address and user agent of the API calls that launched the instances?

77

Which TWO actions should a security engineer take to ensure that Amazon GuardDuty can effectively monitor for suspicious activity in a VPC? (Choose two.)

78

Which THREE are best practices for securing AWS CloudTrail log files? (Choose three.)

79

Which TWO AWS services can be used to monitor and detect unauthorized changes to Amazon S3 bucket policies? (Choose two.)

80

A company uses AWS CloudTrail to log all API calls. The security team needs to be alerted when an IAM user creates a new access key. Which approach is most efficient?

81

A security engineer needs to centralize logs from multiple AWS accounts into a single S3 bucket. Which solution is most secure?

82

A company is using Amazon GuardDuty to detect threats. The security team notices that GuardDuty findings are not triggering the intended automated response via a CloudWatch Events rule. What is the most likely reason?

83

A company wants to monitor for unauthorized changes to its Amazon S3 bucket policies. Which AWS service should be used to detect such changes?

84

A security analyst needs to review all failed SSH login attempts to an EC2 instance. Which combination will provide this information?

85

A company has enabled AWS CloudTrail in all accounts and regions, with log file validation enabled. The security team needs to verify that a specific log file has not been modified since it was delivered. Which action should be taken?

86

A company wants to receive real-time notifications for every root user login to the AWS Management Console. Which service should be used?

87

A security engineer notices that an S3 bucket containing sensitive logs is publicly accessible. Which service should be used to automatically remediate this by applying a bucket policy?

88

A company is using Amazon Macie to discover sensitive data in S3. The security team wants to be notified when Macie finds a high-severity alert. Which integration should be used?

89

A security team needs to monitor for unauthorized API calls in their AWS account. Which TWO services can provide real-time alerts for such events?

90

A company wants to ensure that all S3 buckets are encrypted at rest. Which THREE services can be used to detect and alert on unencrypted buckets?

91

A security engineer needs to collect and analyze operating system logs from EC2 instances. Which TWO services are required?

92

Which THREE actions can be performed using AWS CloudTrail to enhance security monitoring?

93

A security engineer needs to capture all DNS queries made by EC2 instances in a VPC and send them to a security analytics tool. Which AWS service should be used to capture this traffic?

94

An organization wants to detect and alert on any IAM user that creates a new access key without using multi-factor authentication (MFA). What is the MOST efficient way to achieve this?

95

A company uses AWS Organizations and wants to centralize security logs from all member accounts into a single S3 bucket in the management account. The bucket policy allows only the management account's root user to write objects. However, logs are not being delivered from member accounts. What is the MOST likely cause?

96

A security engineer needs to monitor for failed SSH login attempts to EC2 instances and send alerts. Which combination of AWS services should be used?

97

A company uses AWS CloudTrail to log all API activity. A security analyst notices that some delete operations on S3 buckets are missing from the CloudTrail logs. What is the MOST likely reason?

98

An organization has a requirement to retain all security logs for at least 7 years for compliance. The logs are stored in Amazon S3 and are rarely accessed. Which storage class is the MOST cost-effective for this retention period?

99

A security team wants to receive real-time notifications when an IAM user makes a change to a security group. Which AWS service should be used to trigger the notification?

100

A company has multiple AWS accounts and wants to centrally aggregate VPC Flow Logs from all accounts into a single S3 bucket in the logging account. What is the MOST secure way to configure cross-account delivery?

101

A security engineer needs to ensure that all objects uploaded to an S3 bucket are automatically scanned for malware before being made accessible to users. Which solution is MOST appropriate?

102

Which TWO actions are valid ways to send application logs from an EC2 instance to Amazon CloudWatch Logs? (Select TWO.)

103

Which THREE are features of Amazon GuardDuty that help with threat detection? (Select THREE.)

104

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Select TWO.)

105

Refer to the exhibit. A security engineer configured this S3 bucket policy to allow CloudTrail to deliver logs. However, logs are not being delivered. What is the MOST likely reason?

106

Refer to the exhibit. This is a line from a VPC Flow Log. A security analyst notices that the log shows an ACCEPT record for a connection from 10.0.1.5 to 10.0.2.10 on port 443. However, the analyst expected the connection to be denied. Which field in the flow log record indicates that the connection was accepted?

107

Refer to the exhibit. A security engineer ran this AWS CLI command to find when a specific CreateKeyPair API call was made. The command returns no results, even though the engineer knows the call was made. What is the MOST likely reason?

108

A security engineer notices that S3 server access logs are not being delivered to the specified destination bucket. The source bucket has a bucket policy that grants s3:PutObject permission to the Log Delivery group. The destination bucket is in the same AWS account but a different region. What is the most likely cause of the failure?

109

A company wants to centrally collect CloudTrail logs from multiple AWS accounts and enable real-time analysis. Which combination of services should be used?

110

A DevOps engineer is configuring VPC Flow Logs for a subnet that contains a public-facing Application Load Balancer (ALB). The engineer wants to capture only accepted traffic for security analysis. What should the engineer do?

111

A company is using AWS CloudTrail to monitor API activity. The security team wants to be alerted when an IAM user creates a new access key. Which CloudTrail event should be used to create a CloudWatch Events rule?

112

A security analyst wants to monitor unsuccessful login attempts to the AWS Management Console. Which AWS service and log combination should be used?

113

A company is using AWS Config to track resource changes. They want to receive notifications when a security group is modified to allow inbound traffic from 0.0.0.0/0. What is the most efficient way to achieve this?

114

A company has a requirement to retain CloudTrail logs for 7 years to meet regulatory compliance. They want to minimize storage costs while ensuring logs are immutable and cannot be deleted by anyone, including the root user. What should they do?

115

A security engineer is investigating a potential security incident and needs to determine if an EC2 instance was launched with a specific AMI ID. Which AWS log should be examined?

116

A company uses Amazon GuardDuty and wants to automatically isolate a compromised EC2 instance by removing it from the security group. Which approach should be used?

117

A company is designing a centralized logging solution for multiple AWS accounts. The logs must be encrypted at rest and in transit, and access must be audited. Which TWO actions should be taken? (Choose TWO.)

118

A security engineer is investigating a possible data exfiltration from an S3 bucket. Which THREE AWS services can be used to detect and alert on suspicious activity? (Choose THREE.)

119

A company needs to ensure that all API calls made to AWS are logged and that the logs are immutable. Which TWO steps should be taken? (Choose TWO.)

120

Refer to the exhibit. A security engineer configured the above bucket policy for CloudTrail log delivery. However, logs are not being delivered. What is the most likely cause?

121

Refer to the exhibit. A security analyst is reviewing a VPC Flow Log entry. The analyst wants to determine if this flow represents a potentially malicious RDP connection. Based on the log, which conclusion is most accurate?

122

Refer to the exhibit. A security engineer finds this S3 bucket policy on a bucket that should be private. What is the most effective way to detect if this bucket was accessed by unauthorized users?

123

A security engineer needs to capture all API calls made to AWS services for forensic analysis. Which AWS service should be used to store these logs durably and cost-effectively for long-term retention?

124

A company is using AWS CloudTrail to log API calls and wants to ensure that log files are not tampered with after delivery to S3. Which feature should be enabled to validate the integrity of CloudTrail log files?

125

A security team notices that an S3 bucket containing sensitive data has been repeatedly accessed from an IP address outside the company's network. They need to set up a real-time alert when such access occurs. Which combination of services should they use?

126

A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to set up this metric alarm?

127

A security engineer is reviewing AWS CloudTrail logs and finds that an IAM user 'developer1' deleted an S3 bucket. The engineer needs to determine the source IP address of the delete operation. Which field in the CloudTrail log record contains this information?

128

A company uses AWS Organizations with multiple accounts. They want to centralize logging of all API calls across all accounts and store them in a single S3 bucket. Which configuration should be used?

129

A security team needs to detect unauthorized attempts to access an S3 bucket that contains sensitive data. Which AWS service can automatically analyze S3 access logs and generate findings for suspicious activity?

130

A company is using Amazon RDS for MySQL and needs to monitor database login attempts for security analysis. Which feature should be enabled to capture authentication events?

131

A company uses AWS CloudTrail and wants to ensure that log files are encrypted at rest and that access to the logs is logged. Which combination of S3 features should be enabled on the destination bucket?

132

A security engineer is implementing centralized logging across multiple AWS accounts. Which TWO actions should the engineer take to ensure logs are securely stored and immutable? (Choose TWO.)

133

A company wants to monitor for suspicious IAM activity, such as a user creating access keys without authorization. Which THREE AWS services can be used together to detect and alert on this activity in real-time? (Choose THREE.)

134

A security engineer needs to capture network traffic between EC2 instances in a VPC for analysis. Which TWO services can provide this capability? (Choose TWO.)

135

A company is using AWS CloudTrail and wants to detect when an IAM user performs a specific action, such as stopping an EC2 instance. The security engineer needs to set up a real-time notification. Which THREE steps should the engineer take? (Choose THREE.)

136

Refer to the exhibit. An IAM policy is attached to an IAM user. The user reports that they can upload objects to the S3 bucket but cannot list the contents of the bucket. Which statement explains this behavior?

137

Refer to the exhibit. A security engineer runs the above AWS CLI command to search for CreateKeyPair events in CloudTrail. The command returns no results, but the engineer knows that a key pair was created during that time. What is the most likely reason for the missing events?

138

A company has a multi-account AWS environment using AWS Organizations. The security team has enabled AWS CloudTrail with an organization trail that delivers logs to a centralized S3 bucket in the management account. They have also enabled Amazon GuardDuty in all accounts. Recently, they noticed that some EC2 instances in a member account are exhibiting unusual network behavior, such as outbound traffic to known malicious IP addresses. The security engineer needs to quickly determine the source of the traffic and identify which EC2 instances are affected. The engineer has access to the management account and the member account. Which course of action should the engineer take to most efficiently investigate this incident?

139

A company uses AWS Organizations with multiple accounts. The security team needs to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which configuration ensures that only the management account can delete the log files?

140

A security engineer is investigating a potential data exfiltration from an EC2 instance. CloudTrail logs show that an IAM user created a new access key for an existing IAM role and used it to call S3 GetObject from an unfamiliar IP address. What is the MOST likely reason the CloudTrail logs captured this activity?

141

A company is required to retain CloudTrail logs for 7 years for compliance. Which solution meets this requirement with the LEAST operational overhead?

142

A company has enabled AWS Config to record resource changes. The security team needs to be notified when a security group is modified to allow inbound SSH from 0.0.0.0/0. Which AWS service should be used to evaluate the Config rules and trigger notifications?

143

A security engineer notices that an S3 bucket containing sensitive data has been accessed from an IP address outside the allowed range. CloudTrail logs show the access was made using temporary credentials from an assumed role. What additional logging is needed to trace the access back to the original IAM user who assumed the role?

144

A company uses Amazon GuardDuty for threat detection. The security team wants to automatically isolate an EC2 instance that is communicating with a known malicious IP address. Which combination of services should be used?

145

A company is required to audit all changes to IAM policies. Which AWS service should be used to record these changes?

146

A security engineer needs to monitor AWS API calls for potential unauthorized access. The engineer wants to be alerted when a specific IAM user performs a high-risk action like deleting a CloudTrail trail. What is the MOST efficient way to achieve this?

147

A company wants to detect and alert on SSH brute force attacks on EC2 instances. Which AWS service should be used?

148

A security engineer is designing a centralized logging solution for multiple AWS accounts. Which TWO services should be used to aggregate logs from all accounts into a single account? (Choose TWO.)

149

A company is using AWS Organizations and wants to enable a central security team to view API activity across all member accounts. Which THREE steps are required? (Choose THREE.)

150

A security engineer is investigating a potential security incident. Which TWO AWS services can be used to analyze historical network traffic patterns? (Choose TWO.)

151

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload objects to the S3 bucket 'example-bucket' using the AWS CLI from a remote location. What is the MOST likely cause?

152

A company has a multi-account AWS environment with 50 accounts. The security team uses AWS CloudTrail to log management events in each account and delivers logs to a centralized S3 bucket in the security account. Recently, the team noticed that some CloudTrail logs are missing from the central bucket for a few accounts. The logs appear to be delivered intermittently. The security engineer checks the CloudTrail configuration in one of the affected accounts and sees that the trail is configured to deliver to the central bucket. The bucket policy in the security account allows CloudTrail to write from all accounts. The engineer also checks the CloudTrail console and sees that the trail status is 'Logging'. What is the MOST likely cause of the intermittent log delivery?

153

A company uses Amazon GuardDuty in a single AWS account to detect threats. The security team receives an alert that a specific EC2 instance is communicating with a known command and control (C2) server. The security engineer needs to immediately isolate the instance while preserving the root cause evidence. The engineer has access to the AWS Management Console. Which action should the engineer take FIRST?

154

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security team notices that an object was accessed from an IP address outside the allowed VPC. CloudTrail logs show that the access was made using temporary credentials from an assumed role. The role was assumed by an EC2 instance in the allowed VPC. What is the MOST likely reason the access was allowed despite the bucket policy restriction?

155

A security engineer is investigating a potential data exfiltration incident. The engineer needs to determine whether an IAM user in account A accessed an S3 bucket in account B. The engineer has access to both accounts. Which combination of steps should the engineer take to identify the cross-account access?

156

A security engineer is configuring an Amazon S3 bucket to store CloudTrail logs. The engineer must ensure that the logs are encrypted at rest using an AWS KMS customer managed key (CMK) and that only the CloudTrail service has permission to decrypt the logs. Which bucket policy statement should the engineer add?

157

A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. The engineer wants to receive real-time notifications when a security group rule is added, modified, or removed. Which AWS service should the engineer use to capture these API calls?

158

A company uses AWS Organizations with multiple accounts. The security team needs to centrally monitor all API calls made in the member accounts. The team wants to ensure that all CloudTrail logs are delivered to a centralized S3 bucket in the management account. Which configuration should the security team implement?

159

A security engineer is investigating a potential compromise. The engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address on port 443. The engineer needs to determine if the instance is communicating with a known command and control (C2) server. Which AWS service can the engineer use to check the reputation of the destination IP address?

160

A security engineer is designing a logging solution for an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The engineer needs to capture and store the following logs for analysis: (1) HTTP request logs from the ALB, (2) operating system logs from the EC2 instances, and (3) network traffic logs for the VPC. Which combination of AWS services should the engineer use? (Choose three.)

161

A company has a requirement to detect and alert on anomalous IAM user behavior, such as a user logging in from an unusual geographic location. The company uses AWS Organizations and has multiple accounts. Which services should the company use to meet this requirement? (Choose two.)

162

A security engineer needs to ensure that all changes to IAM policies in an AWS account are logged and that the logs are immutable and cannot be deleted by any user, including the root user. Which actions should the engineer take? (Choose two.)

163

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team has implemented a centralized logging solution using Amazon S3 for ALB access logs and AWS CloudTrail logs. Recently, the team noticed that some ALB access logs are missing for certain time periods. The ALB is configured to deliver logs every 5 minutes to an S3 bucket with a bucket policy that grants the ALB service principal write access. The CloudTrail logs show no errors related to the ALB or S3. The S3 bucket is in the same region as the ALB. What is the most likely cause of the missing logs?

164

A financial services company uses AWS CloudTrail to log all API calls in their account. They store the logs in an S3 bucket with server-side encryption using AWS KMS (SSE-KMS). The security team needs to ensure that only authorized users can decrypt and read the logs. They have created a KMS key with a key policy that grants decrypt permissions to the security team's IAM roles. However, when a security engineer tries to download a log file from the S3 bucket using the AWS CLI, they receive an 'AccessDenied' error. The engineer has s3:GetObject permission on the bucket. What is the most likely cause?

165

A company uses Amazon GuardDuty to monitor for malicious activity in their AWS account. The security team receives a GuardDuty finding that indicates an EC2 instance is communicating with a known cryptocurrency mining pool. The team needs to investigate the finding and determine which security group rules allowed the outbound traffic. The EC2 instance is in a VPC with a single security group attached. Which AWS service should the security team use to review the outbound traffic details?

166

A company has a requirement to retain CloudTrail logs for 7 years for compliance. They currently store logs in an S3 bucket with standard storage. The security team wants to minimize storage costs while meeting the retention requirement. The logs must be available for retrieval within 24 hours of a request. Which storage class should the team use for the logs after the first 30 days?

167

A security engineer is troubleshooting an issue where CloudTrail logs for a single AWS account are not being delivered to the centralized S3 bucket in the logging account. The engineer has verified that the CloudTrail trail is enabled, the S3 bucket policy allows CloudTrail to write, and the bucket exists. However, no log files have been delivered for the past 6 hours. The engineer checks the CloudTrail console and sees that the trail status shows 'Logging' but the latest log file time is from 8 hours ago. The engineer suspects a permission issue but cannot find any explicit deny in the bucket policy. What is the MOST likely cause of this issue?

168

A company is using Amazon GuardDuty to detect threats in its AWS environment. The security team notices that GuardDuty is generating a high number of 'UnauthorizedAccess:IAMUser/MaliciousIPCaller' findings for an IAM user that is used by a legacy application. The security team has verified that the IP addresses flagged are not malicious but are legitimate IPs used by the application's third-party service. The company wants to suppress these findings without disabling GuardDuty entirely. Which solution is the MOST effective and secure?

169

A security engineer is responsible for monitoring AWS account activity. The engineer needs to receive real-time notifications when specific API calls are made, such as 'DeleteTrail' or 'UpdateTrail'. The engineer wants to use AWS services to achieve this with minimal latency. Which combination of services should the engineer use?

170

A company has a multi-account AWS environment managed by AWS Organizations. The security team wants to enable a centralized logging solution where all VPC flow logs, CloudTrail logs, and AWS Config configuration items are sent to a single S3 bucket in the security account. The team has already created the S3 bucket with appropriate bucket policies to allow cross-account writes. However, logs are not appearing from all accounts. What is the MOST likely reason for this issue?

171

A security engineer is configuring CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are delivered to an S3 bucket owned by a separate AWS account for centralized auditing. Which additional configuration is required to allow the S3 bucket in the other account to receive these logs?

172

A company uses AWS Organizations with multiple accounts. The security team wants to centralize VPC Flow Logs from all accounts into a single S3 bucket in the security account. The flow logs are created in the member accounts and sent to the centralized bucket. However, the security team notices that flow logs from some member accounts are not being delivered. What is the most likely cause?

173

A company's security team is investigating a potential security incident. They have enabled CloudTrail and CloudWatch Logs. They want to receive real-time alerts when an IAM user creates a new access key. Which combination of services should be used to achieve this?

174

A company is using Amazon GuardDuty to monitor for malicious activity. The security team wants to automatically isolate an EC2 instance that is flagged for outbound communication with a known malicious IP address. Which approach is the most efficient and scalable?

175

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that any modification to CloudTrail configuration is logged and that the logs are tamper-proof. Which feature should be enabled?

176

A security engineer is setting up centralized logging for an AWS organization. The engineer wants to collect CloudTrail logs, VPC Flow Logs, and AWS Config configuration items from all member accounts into a single S3 bucket in the management account. The engineer creates a new S3 bucket with a bucket policy that grants the required permissions. However, logs from member accounts are not being delivered. What is the most likely reason?

177

A company is using Amazon CloudWatch Logs to centralize application logs from EC2 instances. The security team wants to encrypt the log data at rest using a customer-managed KMS key. After enabling encryption on the log group, they notice that new log events are being encrypted, but existing log events are not encrypted. What should the team do to encrypt the existing log events?

178

A security engineer is configuring Amazon GuardDuty for the first time. The engineer wants to receive alerts when GuardDuty generates a finding of severity HIGH or higher. What is the simplest way to achieve this?

179

A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted within minutes. Which solution should they implement?

180

A security engineer is troubleshooting an issue where CloudTrail is not delivering logs to an S3 bucket. The bucket policy appears correct. Which TWO additional steps should the engineer take to diagnose the issue? (Choose TWO.)

181

A company has enabled Amazon GuardDuty in multiple AWS accounts. The security team wants to centralize GuardDuty findings into a single account for analysis. Which THREE steps are required to achieve this? (Choose THREE.)

182

A security engineer is configuring VPC Flow Logs to capture network traffic metadata. Which TWO attributes can be captured in VPC Flow Logs? (Choose TWO.)

183

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs from account 123456789012 to the bucket my-trail-bucket. However, CloudTrail logs are not being delivered. What is the most likely reason?

184

Refer to the exhibit. A security engineer is analyzing a VPC Flow Log entry from an EC2 instance with private IP 10.0.1.5. The log shows an outbound connection to IP 203.0.113.5 on port 443 from source port 22. The connection was accepted. What is the most likely scenario?

185

Refer to the exhibit. A security engineer is reviewing a CloudTrail event. What security concern does this event raise?

186

A security team needs to detect unauthorized API calls made from a compromised IAM user. Which AWS service should be used to monitor and alert on specific API activities?

187

A company has enabled CloudTrail in all regions and is logging to a single S3 bucket. The security team needs to ensure that any attempted deletion of CloudTrail logs generates an immediate alert. Which solution meets this requirement?

188

A security engineer is investigating a potential data exfiltration incident. The engineer has enabled VPC Flow Logs for the VPC and CloudTrail for the account. Which combination of actions would provide the most comprehensive visibility into network traffic and API calls?

189

A company wants to centrally collect and analyze logs from multiple AWS accounts. Which AWS service should be used to aggregate logs from various sources for monitoring and alerting?

190

A security team needs to monitor for failed login attempts to an EC2 instance running Linux. The team wants to send a real-time alert when more than 10 failed SSH attempts occur within 5 minutes. Which solution is the most efficient?

191

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. Which solution meets these requirements?

192

A security analyst needs to receive an alert when an IAM user attempts to perform an action they are not authorized to perform. Which AWS service can be used to monitor and alert on such authorization failures?

193

A company has a requirement to retain CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The security team needs to ensure that logs are not deleted before the retention period ends, even by users with full S3 permissions. Which action should be taken?

194

A security engineer is configuring a centralized logging solution for multiple AWS accounts. The engineer needs to ensure that log files are encrypted at rest and that access to the logs is audited. Which combination of services and features should be used?

195

A security team wants to detect and alert on potential security threats such as compromised instances or malicious activity within their AWS environment. Which TWO AWS services should be used together to provide comprehensive threat detection?

196

A security engineer is designing a logging strategy for a multi-account environment. The engineer needs to ensure that all API activity across accounts is logged and that logs are immutable and centrally accessible. Which THREE actions should the engineer take?

197

A company wants to monitor for unauthorized changes to security group rules in their VPC. Which TWO AWS services can be used together to detect and alert on such changes?

198

Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most significant security concern indicated by this event?

199

Refer to the exhibit. A security engineer has attached this IAM policy to a user. What is the effect of this policy?

200

Refer to the exhibit. A security engineer runs this CloudWatch Logs Insights query on a log group. What is the purpose of this query?

201

A security engineer is configuring AWS CloudTrail to log management events for all AWS regions. The engineer needs to ensure that log files are encrypted at rest and that access to the log files is logged. Which solution meets these requirements?

202

A DevOps engineer needs to monitor failed SSH login attempts to Amazon EC2 instances. Which AWS service should the engineer use to collect and analyze the login events?

203

A security team has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The team has also enabled S3 server access logging for the CloudTrail bucket. The team needs to detect any unauthorized access to the CloudTrail logs. Which combination of services should the team use to achieve near-real-time detection?

204

A company wants to centralize logging from multiple AWS accounts into a single logging account. The logs include AWS CloudTrail, AWS Config, and VPC Flow Logs. Which solution should the company implement to meet these requirements with minimal operational overhead?

205

A company uses Amazon Route 53 for DNS and wants to log all DNS queries made from its VPC. The logs must be stored in Amazon S3 for compliance purposes. Which solution meets these requirements?

206

A security engineer needs to monitor AWS account activity for suspicious API calls and receive alerts. Which AWS service should the engineer use to meet this requirement?

207

A company has a requirement to retain AWS CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The company wants to reduce storage costs by automatically moving older logs to a cheaper storage class. Which solution should the company implement?

208

A company is using Amazon CloudWatch Logs to collect logs from its EC2 instances. The security team wants to ensure that logs are encrypted at rest and that access to the logs is controlled. Which solution should the team implement?

209

A security engineer needs to identify which IAM users have been inactive for the past 90 days. Which AWS service should the engineer use?

210

A company is implementing a security monitoring solution for its AWS environment. Which TWO services can be used to detect and alert on suspicious API activity? (Choose TWO.)

211

A security team wants to implement a centralized logging solution for multiple AWS accounts. The team needs to collect VPC Flow Logs, CloudTrail logs, and DNS query logs from all accounts. Which THREE services should the team use to aggregate these logs? (Choose THREE.)

212

A company wants to monitor AWS account activity and receive real-time notifications for specific API calls. Which TWO services should the company use together? (Choose TWO.)

213

A security engineer needs to ensure that all API calls made to AWS are logged and retained for at least 7 years for compliance. Which AWS service should be enabled to meet this requirement?

214

A company is experiencing unauthorized access attempts to an S3 bucket. Which AWS service can be used to detect and alert on such events in real time?

215

A security team wants to centrally collect and analyze VPC Flow Logs from multiple AWS accounts for security monitoring. Which solution is MOST scalable and cost-effective?

216

A company needs to monitor for root account usage and receive immediate notifications. Which combination of AWS services should be used?

217

A security engineer is troubleshooting an issue where CloudTrail logs are not being delivered to the specified S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

218

A company uses AWS CloudTrail to log all management events and data events for S3. The security team wants to detect any PutObject API calls that upload objects with server-side encryption disabled. Which solution is MOST efficient?

219

A company wants to receive an alert when an IAM user creates a new access key. Which AWS service should be used to trigger the alert?

220

A security engineer needs to monitor for unusual outbound network traffic from an EC2 instance. Which AWS service provides this capability?

221

A company is using AWS CloudTrail to log all management events and has enabled log file validation. What additional security benefit does log file validation provide?

222

A company needs to monitor for unauthorized changes to security group rules. Which TWO AWS services can be used together to achieve this?

223

A security engineer is designing a centralized logging solution for 10 AWS accounts. Which THREE AWS services should be used to aggregate, store, and analyze logs?

224

Which TWO AWS services can be used to detect and alert on suspicious activity in near real-time?

225

A security engineer configured the S3 bucket policy shown above for CloudTrail log delivery, but CloudTrail is not delivering logs. What is the MOST likely reason?

226

A security engineer runs the CLI command above to investigate a console login event. The output shows: {"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root"}. What does this indicate?

227

The IAM policy above is attached to a role used by an EC2 instance to send logs to CloudWatch Logs. The instance is unable to send logs. What is the MOST likely issue?

228

A security engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address. The engineer needs to capture and analyze the network traffic to determine what data is being exfiltrated. Which AWS service should be used to capture the traffic for analysis?

229

A company uses AWS Organizations with multiple accounts. The security team wants to centrally monitor and analyze all CloudTrail logs from all accounts. The logs must be stored in a centralized S3 bucket with encryption and access logging enabled. Additionally, the team needs to detect anomalous API activity across accounts using machine learning. Which combination of services meets these requirements?

230

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as IAM user creation or S3 bucket policy changes. Which AWS service should be used to trigger notifications based on these API events?

231

A company uses AWS CloudTrail to log all API activity and delivers logs to an S3 bucket with server-side encryption (SSE-S3). The security team needs to ensure that only authorized personnel can access the logs and that any unauthorized access attempts are logged and alerted. Additionally, the team wants to prevent the logs from being deleted for at least one year. Which combination of actions should be taken?

232

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to analyze web request logs to identify potential SQL injection attacks. Which AWS service should be used to collect and analyze the ALB access logs?

233

A security engineer needs to monitor for unauthorized changes to IAM roles and policies in an AWS account. The engineer wants to receive an email notification whenever an IAM policy is attached to a role. Which AWS services should be combined to achieve this?

234

A company has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted. Which approach should be used?

235

A company uses Amazon RDS for MySQL and needs to monitor database activity for suspicious queries, such as unauthorized access attempts or SQL injection. The security team wants to centralize the logs from multiple RDS instances and analyze them in near real-time. Which solution should be implemented?

236

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to determine if any unauthorized SSH keys were added to the instance's authorized_keys file. Which AWS service should be used to detect this change?

237

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet the following requirements: 1) Logs from all accounts must be stored in a centralized S3 bucket. 2) The logs must be encrypted at rest using AWS KMS. 3) Access to the logs must be logged and monitored. Which TWO services should be used to meet the requirements? (Choose TWO.)

238

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer needs to ensure that all findings from member accounts are visible in the administrator account. Additionally, the engineer wants to receive real-time notifications for high-severity findings. Which TWO actions should the engineer take? (Choose TWO.)

239

A company needs to monitor its AWS environment for compliance with the CIS AWS Foundations Benchmark. The security team wants to automatically check for non-compliant resources and receive reports. Which THREE services should be used together to meet these requirements? (Choose THREE.)

240

A company uses AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that any S3 bucket created with public read access is detected within minutes. Which solution is MOST efficient?

241

A security engineer is investigating a potential compromise. They notice that an IAM user 'svc-backup' has been making unusual API calls from an IP address outside the company's VPC. The engineer wants to ensure all future API calls from this user are logged with full event details. However, the current CloudTrail trail is set to log only management events. What should the engineer do to capture the required details?

242

A company wants to centralize security logs from multiple AWS accounts into a single S3 bucket. The logging accounts (e.g., security, production) each have their own CloudTrail trails. Which configuration is required to allow cross-account log delivery?

243

A security engineer is troubleshooting why Amazon GuardDuty is not generating findings for suspicious S3 API calls made by an IAM role. The engineer has verified that GuardDuty is enabled in the account and region. What is a likely reason for the missing findings?

244

A company uses AWS Organizations and wants to enable Amazon GuardDuty across all member accounts. The security team wants to centrally manage findings and automate responses. What is the MOST efficient way to achieve this?

245

A company is using Amazon CloudWatch Logs to store application logs. The security team needs to ensure that logs are encrypted at rest using a customer-managed KMS key (CMK). What configuration is required?

246

A company has a CloudTrail trail that logs management events and delivers them to an S3 bucket. The security team notices that some expected API calls are missing from the logs. They suspect that the calls were made by a service that is not tracked by CloudTrail. Which AWS service is NOT tracked by CloudTrail?

247

A security engineer is configuring Amazon Inspector to assess EC2 instances for software vulnerabilities. The engineer has installed the SSM Agent on all instances and ensured that the instances have internet access. However, Amazon Inspector shows the instances as 'Unmanaged'. What is the MOST likely cause?

248

A company uses AWS CloudTrail to log management events. The security team wants to be alerted when an IAM user creates a new access key. Which solution would meet this requirement with the least operational overhead?

249

A security engineer needs to ensure that all API calls in an AWS account are logged for auditing purposes. Which TWO services should the engineer enable? (Select TWO.)

250

A company wants to detect and respond to potential security threats in near real-time. Which THREE AWS services should the company use together? (Select THREE.)

251

A security engineer is investigating a potential data breach. The engineer wants to analyze historical API calls made by a specific IAM user. Which TWO AWS services can be used together to achieve this? (Select TWO.)

252

A security engineer has attached the above IAM policy to a role used by an application to write logs to an S3 bucket. However, the application is unable to write logs. What is the MOST likely reason?

253

A security engineer needs to ensure that all S3 object-level API calls (e.g., GetObject, PutObject) on the bucket 'my-bucket' are logged. The current CloudTrail configuration is as shown in the exhibit. What change should the engineer make?

254

A security engineer is configuring a multi-account CloudTrail setup. The above bucket policy is attached to the central logging bucket. Despite the policy, CloudTrail in the member account (123456789012) cannot deliver logs. What is the MOST likely issue?

255

A security engineer notices that an Amazon S3 bucket has been accessed from an IP address outside the company's allowed range. The engineer needs to identify the IAM user who made the request. Which AWS service should be used to find this information?

256

A company uses AWS Organizations with multiple accounts. The security team wants to centralize the collection of VPC Flow Logs and AWS CloudTrail logs from all accounts into a single Amazon S3 bucket in the management account. The S3 bucket policy must allow cross-account log delivery. Which condition in the bucket policy should be used to restrict log delivery to only the organization's accounts?

257

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to ensure that all member accounts send findings to the delegated administrator account. However, some member accounts are not sending findings. What is the most likely cause?

258

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as creating a new IAM user. Which AWS service should be used to trigger a notification based on CloudTrail events?

259

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to capture network traffic to and from the instance for analysis. Which method should be used to capture this traffic without installing any software on the instance?

260

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that logs are immutable after they are delivered to Amazon S3. Which combination of actions should be taken to meet this requirement? (Choose the best single answer that includes all necessary steps.)

261

A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. Which AWS service can evaluate security group rules against a desired configuration and alert on changes?

262

A company uses AWS CloudTrail and wants to ensure that all log files are encrypted at rest using a customer-managed AWS KMS key. The CloudTrail trail is configured to use a KMS key, but some log files appear to be encrypted with the default Amazon S3 managed key (SSE-S3). What is the most likely cause?

263

An organization wants to detect and alert on the use of root user credentials in their AWS accounts. They have multiple accounts managed via AWS Organizations. What is the most efficient way to centralize this monitoring?

264

A security engineer is configuring logging for an application running on Amazon EC2 instances. The engineer needs to capture both operating system-level logs and application logs. Which TWO services can be used together to achieve this? (Choose two.)

265

A security team wants to detect and alert on suspicious network traffic patterns within their VPC. They need to capture traffic to and from an EC2 instance for analysis. Which THREE services should be used together to achieve this? (Choose three.)

266

A company needs to monitor for unauthorized changes to its Amazon S3 bucket policies. Which TWO services can be used together to achieve this? (Choose two.)

267

Refer to the exhibit. A security engineer has created an S3 bucket policy to allow AWS CloudTrail and VPC Flow Logs to deliver logs to the bucket. However, CloudTrail logs are not being delivered, but VPC Flow Logs are delivered successfully. What is the most likely cause?

268

Refer to the exhibit. A security engineer is configuring the Amazon CloudWatch agent to collect logs from an Amazon ECS task. The configuration shown is used. However, the logs are not appearing in CloudWatch Logs. What is the most likely cause?

269

Refer to the exhibit. A security engineer uses the AWS CLI command shown to investigate a console login event. What type of user performed the login?

270

A security engineer is troubleshooting why CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured with the correct bucket name. However, no log files appear. What is the most likely cause?

271

A company uses Amazon GuardDuty to monitor for threats. The security team receives a high-severity finding: 'UnauthorizedAccess:EC2/SSHBruteForce'. The finding indicates a single EC2 instance with a public IP is receiving SSH connection attempts from multiple external IPs. The instance is part of an Auto Scaling group and is fronted by an Application Load Balancer (ALB). The security team wants to block the attacking IPs without disrupting legitimate traffic. What is the MOST effective approach?

272

A company wants to detect and alert on changes to IAM roles and policies in their AWS account. Which combination of AWS services should they use?

273

A DevOps engineer notices that an EC2 instance's CloudWatch agent is not sending custom metrics to CloudWatch. The agent is installed and the configuration file is valid. The instance has an IAM role attached. What is the most likely reason for the failure?

274

A security team uses Amazon Macie to discover sensitive data in S3. They have configured Macie to run automated sensitive data discovery jobs. After reviewing the findings, they notice that some S3 objects containing personally identifiable information (PII) are not being flagged. What is the most likely cause?

275

A company wants to centralize logs from multiple AWS accounts into a single S3 bucket for analysis. The accounts are part of an AWS Organizations organization. Which set of steps will accomplish this?

276

A security engineer is investigating a potential data exfiltration incident. They see that an EC2 instance with an IAM role is making API calls to S3 to download objects. The S3 bucket policy allows access from that role. However, CloudTrail logs show that the calls are being made from an IP address outside the company's network. What is the most likely explanation?

277

A company uses AWS CloudTrail to log all API activity. They want to ensure that log files are tamper-proof and can be validated for forensic purposes. Which of the following should they enable?

278

A security analyst wants to receive a notification whenever a new security group is created in their AWS account. Which AWS service should they use to trigger an SNS notification based on the CloudTrail event?

279

A security team is designing a logging solution for a multi-account AWS environment using AWS Organizations. They need to collect CloudTrail logs, VPC Flow Logs, and DNS logs from all accounts. Which TWO services can be used to centralize this logging?

280

A security engineer is configuring Amazon GuardDuty in a multi-account environment. The engineer wants to enable GuardDuty in the management account and automatically enable it for all member accounts. Which THREE steps are required?

281

A company wants to monitor unauthorized API calls in their AWS account. Which TWO AWS services can provide real-time alerting on such events?

282

A financial services company has a multi-account AWS environment with over 200 accounts managed through AWS Organizations. The security team is responsible for monitoring all accounts for security incidents. They have enabled AWS CloudTrail in all accounts with trails that deliver logs to a centralized S3 bucket in the security account. Additionally, they have enabled Amazon GuardDuty in all accounts with the security account as the administrator. The team uses Amazon EventBridge to trigger automated responses to GuardDuty findings. Recently, they noticed that some GuardDuty findings from member accounts are not appearing in the security account. The security team verified that the findings are generated in the member accounts (they can see them in the member account GuardDuty console) but are not being sent to the administrator account. The CloudTrail logs are being delivered correctly. What is the MOST likely cause of this issue?

283

A security engineer notices that an IAM user in the company's AWS account is making API calls from an IP address outside the allowed corporate network. The engineer needs to be alerted immediately when such activity occurs. Which solution meets these requirements with the least operational overhead?

284

A company wants to centralize CloudTrail logs from multiple AWS accounts into a single S3 bucket for security analysis. The logs must be encrypted at rest and access must be logged. What is the MOST secure way to grant cross-account access to the central S3 bucket?

285

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a central S3 bucket. A new member account is created and the security engineer wants to enforce this configuration automatically. Which approach meets these requirements with the least operational overhead?

286

A security engineer is investigating a potential security incident. CloudTrail logs show that an IAM user 'admin' deleted an S3 bucket at 2023-01-15T10:30:00Z. The engineer needs to find the source IP address and user agent of the request. Which CloudTrail log field contains this information?

287

A company uses Amazon GuardDuty to detect threats. The security team wants to receive real-time notifications for all GuardDuty findings with a severity of HIGH or CRITICAL. What is the MOST efficient way to achieve this?

288

A company has a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all API activity across all accounts is logged and immutable. CloudTrail is enabled in all accounts, but the logs are stored in individual account buckets. The team wants to centralize logs and prevent any account from disabling logging. What should they do?

289

A company uses Amazon RDS for MySQL and wants to monitor database activity for suspicious queries. The security team needs to capture all SQL statements executed against the database, including SELECT queries. Which AWS service should they use?

290

A security engineer is reviewing CloudTrail logs and notices an event with the key 'eventType' set to 'AwsServiceEvent'. What does this indicate?

291

A company uses Amazon S3 to store sensitive data. The security team wants to detect when objects are made publicly accessible. Which combination of services provides the MOST comprehensive detection with minimal false positives?

292

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Choose two.)

293

Which TWO actions should a security engineer take to ensure that CloudTrail logs are protected from unauthorized deletion? (Choose two.)

294

Which THREE AWS services can be used to detect and alert on suspicious network traffic patterns? (Choose three.)

295

A financial services company has a production AWS account with hundreds of EC2 instances running a mix of Linux and Windows workloads. The security team is responsible for detecting and responding to security incidents. They have enabled CloudTrail, VPC Flow Logs, and GuardDuty. Recently, GuardDuty generated a finding indicating that an EC2 instance is communicating with a known malicious IP address. The security engineer needs to investigate the incident. The engineer examines the GuardDuty finding and sees the affected resource is an EC2 instance ID. The engineer wants to identify which user or role launched the instance and what security groups were associated with it at launch time. Which approach should the engineer take to gather this information?

296

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an RDS MySQL database. The security team wants to monitor for SQL injection attempts. They have enabled AWS WAF on the ALB and are logging all requests. The security engineer needs to analyze the WAF logs to identify if any SQL injection attacks have been attempted. The logs are stored in an S3 bucket. The engineer needs to query the logs for patterns like 'SELECT * FROM' or 'DROP TABLE' in the URI. Which service should the engineer use to perform this analysis?

297

A company uses AWS Organizations to manage multiple accounts. The security team needs to implement a centralized logging solution where all VPC Flow Logs from all accounts are sent to a central S3 bucket in the security account. The flow logs must be encrypted with a customer-managed KMS key (CMK) that is owned by the security account. The security engineer has enabled VPC Flow Logs in each account and configured the destination to be the central S3 bucket. However, the flow logs are not being delivered. The engineer checks the S3 bucket policy and confirms that it grants the required permissions to the Flow Logs service principal. What is the MOST likely cause of the failure?

298

A security engineer notices that CloudTrail logs for a production account are not being delivered to the S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

299

A company wants to monitor AWS API calls for suspicious activity and automatically remediate by revoking IAM roles in real time. Which combination of services should be used?

300

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used?


Frequently asked questions

What does the Security Logging and Monitoring domain cover on the SCS-C02 exam?

The Security Logging and Monitoring domain covers the key concepts tested in this area of the SCS-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SCS-C02 domains — no account required.

How many Security Logging and Monitoring questions are in the SCS-C02 question bank?

The Courseiva SCS-C02 question bank contains 300 questions in the Security Logging and Monitoring domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Logging and Monitoring for SCS-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Logging and Monitoring questions for SCS-C02?

Yes — the session launcher on this page draws questions exclusively from the Security Logging and Monitoring domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
