Practice SCS-C02 Security Logging and Monitoring questions with full explanations on every answer.
Start practicing
Security Logging and Monitoring — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?
2A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?
3A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?
4A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?
5A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?
6A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?
7A security engineer needs to centrally collect and analyze AWS CloudTrail logs from multiple accounts. Which service is designed for this purpose?
8A company uses AWS CloudTrail and wants to ensure that any modification to the trail itself is detected immediately. What should be done?
9A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)
10A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)
11Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)
12A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)
13Refer to the exhibit. A security engineer reviews a CloudTrail log entry. What is the MOST concerning security issue?
14Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?
15A company runs a multi-account AWS environment using AWS Organizations. The security team needs to implement centralized logging for all AWS CloudTrail events across all accounts. They create a new trail in the management account with the following configuration: trail name 'central-trail', apply to all accounts in the organization, enable data events for all S3 buckets, and store logs in a centralized S3 bucket. After one week, they notice that some accounts are not delivering CloudTrail logs to the central bucket. The security engineer verifies that the trail is still configured to apply to all accounts and that the S3 bucket policy allows cross-account access. What is the MOST likely reason for the missing logs?
16A security engineer wants to receive real-time notifications when an AWS API call is made to delete an S3 bucket. Which service should be used to capture and forward these events to an Amazon SNS topic?
17A company is using AWS Organizations with multiple accounts. The security team needs to centrally monitor all root user API activity across all accounts and receive alerts within minutes. What is the MOST efficient solution?
18A company uses AWS CloudTrail to log all API calls. The security team notices that some expected log entries are missing for actions performed by an IAM role assumed by an EC2 instance. The instance has the required permissions. What is the MOST likely cause of the missing log entries?
19A security engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must provide a centralized view of all API activities and send alerts for suspicious events. Which TWO services together can achieve this? (Choose TWO.)
20A company runs a critical application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The security team enabled VPC Flow Logs, CloudTrail, and CloudWatch Logs for the application tier. Recently, they noticed that some EC2 instances are being terminated unexpectedly by an unknown IAM user. The CloudTrail logs show the TerminateInstances API call, but the source IP address is from within the VPC CIDR range. The security team suspects the action is coming from an EC2 instance that has been compromised. They need to identify the specific compromised instance and the IAM role it used. Which combination of steps will provide the necessary information? (Choose TWO.)
21A security engineer needs to ensure that all API calls made in an AWS account are captured and retained for auditing purposes. The engineer must be able to query the logs for specific user activity over the past 90 days. Which AWS service should the engineer use to meet these requirements?
22A company is using AWS CloudTrail to monitor API activity in its AWS account. The security team needs to be alerted when unauthorized API calls are made to delete Amazon S3 buckets. Which TWO steps should the security team take to meet this requirement? (Choose TWO.)
23Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?
24Drag and drop the steps to set up AWS Shield Advanced with automatic application layer DDoS mitigation in the correct order.
25Drag and drop the steps to respond to a suspected AWS IAM credential compromise in the correct order.
26Match each AWS CloudTrail log type to its description.
27Match each AWS security tool to its purpose.
28A security engineer needs to monitor for suspicious API calls in near real-time and trigger an automated response. Which AWS service should be used to capture and analyze these API calls?
29A company uses AWS Organizations with multiple accounts. The security team wants to centralize security logs (CloudTrail, VPC Flow Logs, AWS Config) from all accounts into a single S3 bucket for analysis. What is the MOST secure way to set up this centralized logging?
30A company is using Amazon CloudWatch Logs to store application logs. The security team needs to retain logs for 7 years to comply with regulatory requirements. The logs are accessed infrequently after the first 90 days. What is the MOST cost-effective way to meet these retention and access requirements?
31A security engineer is troubleshooting an issue where Amazon GuardDuty is not generating findings for a specific EC2 instance that is known to be compromised. The instance is in a VPC with VPC Flow Logs enabled. What could be the reason for the lack of findings?
32A company wants to monitor failed SSH login attempts to its EC2 instances. Which AWS service should be used to collect and analyze these logs?
33A company uses Amazon S3 to store sensitive data. The security team needs to be alerted when an S3 bucket policy is changed to allow public access. Which combination of services should be used to meet this requirement?
34A security engineer is investigating a potential security incident involving an EC2 instance that was used to launch an outbound DDoS attack. The engineer needs to determine the source of the attack and the commands executed on the instance. Which logs should be analyzed?
35A company wants to detect and alert on suspicious IAM user behavior, such as accessing services that are not typically used. Which AWS service provides prebuilt anomaly detection for IAM users?
36A company has enabled AWS CloudTrail in all regions and is delivering logs to a central S3 bucket. The security team needs to ensure that any attempt to delete or modify CloudTrail logs is detected and alerted. What should be done?
37A company is using Amazon CloudWatch Logs to collect application logs. The security team wants to detect patterns that indicate security threats, such as multiple failed login attempts. Which TWO services can be used together to perform real-time log analysis and alerting?
38A company uses AWS Organizations and wants to enforce that all member accounts enable VPC Flow Logs for all VPCs. Which THREE services or features should be used to enforce this policy automatically?
39A security engineer is setting up monitoring for AWS API calls. Which TWO AWS services can be used to capture and analyze API activity?
40A security engineer is troubleshooting why CloudTrail logs are not being delivered to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured to log management events. However, no log files appear in the bucket. What is the MOST likely cause?
41A company uses AWS Config to track resource changes. They notice that a weekly compliance report shows an S3 bucket as non-compliant with a rule that checks for server-side encryption. However, the bucket has default encryption enabled. What is the MOST likely reason for this discrepancy?
42A company wants to centrally collect VPC Flow Logs from multiple accounts into a single S3 bucket in the security account. Which solution is the MOST operationally efficient?
43A security team needs to be alerted when an IAM user generates a console login failure. Which combination of AWS services should be used to meet this requirement?
44A company has a CloudTrail trail that logs management events for all regions in the management account. They want to also log data events for all S3 buckets in the organization. Which configuration change will meet this requirement with the LEAST operational overhead?
45A security engineer needs to ensure that all S3 buckets in an AWS account have server access logging enabled. Which AWS service should be used to continuously monitor for compliance?
46A company is using Amazon Route 53 and wants to log DNS queries for investigative purposes. The logs must be stored in a centralized S3 bucket in the security account. What is the MOST efficient way to achieve this?
47A company uses AWS CloudTrail to log all API calls. The security team notices that some PutObject API calls are not appearing in the CloudTrail logs. The S3 bucket in question has server access logging enabled. What is the MOST likely reason for the missing CloudTrail events?
48A security engineer needs to detect when an EC2 instance is terminated in an AWS account. The solution must provide near-real-time notification. Which combination of services should be used?
49A company is designing a centralized logging solution for VPC Flow Logs across multiple AWS accounts. The solution must meet the following requirements: - Centralized storage in an S3 bucket in the security account. - Real-time analysis of flow logs. - Minimal operational overhead. Which TWO actions should the company take? (Choose two.)
50A security engineer is investigating a potential security incident. The engineer has enabled CloudTrail and VPC Flow Logs. Which THREE pieces of information can the engineer obtain from CloudTrail logs that are NOT available in VPC Flow Logs? (Choose three.)
51A company is using Amazon GuardDuty to detect threats. The security team wants to receive alerts for specific findings. Which TWO AWS services can be used to forward GuardDuty findings to a custom application for analysis? (Choose two.)
52A company wants to monitor for unauthorized API calls in real-time. The solution must meet the following requirements: - Detect calls that fail authentication (AccessDenied). - Detect calls that use a revoked IAM role. - Provide a centralized view across multiple accounts. Which THREE services should be used together to implement this solution? (Choose three.)
53A security engineer needs to detect unauthorized API calls in an AWS account. Which AWS service should be used to record and monitor API activity for auditing?
54A company needs to centralize security logs from multiple AWS accounts and on-premises servers. The logs must be encrypted at rest and stored in a cost-effective manner. Which solution meets these requirements?
55A Security Engineer is troubleshooting why AWS CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail access. What is a likely cause of the issue?
56A company wants to monitor failed SSH login attempts to EC2 instances. Which approach should be used?
57A company uses AWS WAF to protect a web application. The security team needs to analyze blocked requests to identify attack patterns. Which service should be used to query and visualize WAF logs?
58A company has a CloudTrail trail that logs management events for all regions. The security team notices that some S3 data events are not being logged. How should the team enable logging for all S3 data events?
59A company needs to be alerted when root account credentials are used in their AWS account. Which service should be used to create a metric filter and alarm for this event?
60A company uses AWS Organizations to manage multiple accounts. The security team wants to enable CloudTrail for all accounts and centrally store logs. What is the most efficient way to achieve this?
61A security engineer needs to analyze VPC Flow Logs to identify traffic to a known malicious IP address. The logs are stored in Amazon S3. Which approach is the most cost-effective for querying the logs?
62A company wants to receive notifications when AWS CloudTrail logs are delivered to an S3 bucket. Which TWO AWS services can be used together to achieve this? (Choose TWO.)
63A security engineer needs to monitor DNS query logs for malicious domain names. Which THREE services can be used together to collect, analyze, and alert on DNS logs? (Choose THREE.)
64A company wants to ensure that all API calls in their AWS account are logged and immutable. Which TWO actions should be taken? (Choose TWO.)
65Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs. However, log delivery is failing. What is the most likely cause?
66Refer to the exhibit. The security team is investigating a security incident in us-west-2 region. They notice that management events from us-west-2 are not appearing in the CloudTrail logs. Based on the exhibit, what is the most likely reason?
67Refer to the exhibit. A security engineer creates this CloudWatch Logs metric filter on a CloudTrail log group to detect root account usage. However, no metrics are generated. What is the most likely issue?
68A company uses AWS CloudTrail to log all API calls in their AWS account. They need to ensure that log files are not tampered with after they are delivered to the S3 bucket. Which feature should be enabled to provide integrity validation?
69A security engineer is designing a monitoring solution for an AWS Lambda function that processes sensitive data. The function occasionally fails due to timeouts. The engineer needs to be alerted immediately when the function fails and also wants to analyze the error logs. Which combination of services should the engineer use?
70A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. The bucket policy allows cross-account access. However, logs from member accounts are not being delivered. What is the most likely cause?
71A company uses Amazon RDS for MySQL and wants to monitor database activity for security analysis. Which AWS service should be used to capture detailed database activity logs such as login attempts and query execution?
72A security engineer is configuring VPC Flow Logs for a VPC that hosts a web application. The engineer wants to capture all traffic to and from the internet. Which of the following is the most appropriate configuration?
73A security team wants to collect and analyze logs from multiple AWS services including CloudTrail, VPC Flow Logs, and AWS WAF. They need a centralized solution that can filter, transform, and route logs to multiple destinations in near real-time. Which AWS service should they use?
74A company wants to detect and alert on unauthorized API calls in their AWS account. Which AWS service can provide real-time notifications when specific API calls are made?
75A company uses AWS CloudTrail and wants to ensure that logs are encrypted at rest using a customer-managed KMS key. The CloudTrail trail is configured to deliver logs to an S3 bucket. After enabling SSE-KMS on the S3 bucket, the logs are not being delivered. What is the most likely cause?
76A security engineer is investigating a potential security incident. They suspect that an IAM user's credentials were compromised and used to launch EC2 instances in a region where the user normally does not operate. Which AWS service can help the engineer identify the source IP address and user agent of the API calls that launched the instances?
77Which TWO actions should a security engineer take to ensure that Amazon GuardDuty can effectively monitor for suspicious activity in a VPC? (Choose two.)
78Which THREE are best practices for securing AWS CloudTrail log files? (Choose three.)
79Which TWO AWS services can be used to monitor and detect unauthorized changes to Amazon S3 bucket policies? (Choose two.)
80A company uses AWS CloudTrail to log all API calls. The security team needs to be alerted when an IAM user creates a new access key. Which approach is most efficient?
81A security engineer needs to centralize logs from multiple AWS accounts into a single S3 bucket. Which solution is most secure?
82A company is using Amazon GuardDuty to detect threats. The security team notices that GuardDuty findings are not triggering the intended automated response via a CloudWatch Events rule. What is the most likely reason?
83A company wants to monitor for unauthorized changes to its Amazon S3 bucket policies. Which AWS service should be used to detect such changes?
84A security analyst needs to review all failed SSH login attempts to an EC2 instance. Which combination will provide this information?
85A company has enabled AWS CloudTrail in all accounts and regions, with log file validation enabled. The security team needs to verify that a specific log file has not been modified since it was delivered. Which action should be taken?
86A company wants to receive real-time notifications for every root user login to the AWS Management Console. Which service should be used?
87A security engineer notices that an S3 bucket containing sensitive logs is publicly accessible. Which service should be used to automatically remediate this by applying a bucket policy?
88A company is using Amazon Macie to discover sensitive data in S3. The security team wants to be notified when Macie finds a high-severity alert. Which integration should be used?
89A security team needs to monitor for unauthorized API calls in their AWS account. Which TWO services can provide real-time alerts for such events?
90A company wants to ensure that all S3 buckets are encrypted at rest. Which THREE services can be used to detect and alert on unencrypted buckets?
91A security engineer needs to collect and analyze operating system logs from EC2 instances. Which TWO services are required?
92Which THREE actions can be performed using AWS CloudTrail to enhance security monitoring?
93A security engineer needs to capture all DNS queries made by EC2 instances in a VPC and send them to a security analytics tool. Which AWS service should be used to capture this traffic?
94An organization wants to detect and alert on any IAM user that creates a new access key without using multi-factor authentication (MFA). What is the MOST efficient way to achieve this?
95A company uses AWS Organizations and wants to centralize security logs from all member accounts into a single S3 bucket in the management account. The bucket policy allows only the management account's root user to write objects. However, logs are not being delivered from member accounts. What is the MOST likely cause?
96A security engineer needs to monitor for failed SSH login attempts to EC2 instances and send alerts. Which combination of AWS services should be used?
97A company uses AWS CloudTrail to log all API activity. A security analyst notices that some delete operations on S3 buckets are missing from the CloudTrail logs. What is the MOST likely reason?
98An organization has a requirement to retain all security logs for at least 7 years for compliance. The logs are stored in Amazon S3 and are rarely accessed. Which storage class is the MOST cost-effective for this retention period?
99A security team wants to receive real-time notifications when an IAM user makes a change to a security group. Which AWS service should be used to trigger the notification?
100A company has multiple AWS accounts and wants to centrally aggregate VPC Flow Logs from all accounts into a single S3 bucket in the logging account. What is the MOST secure way to configure cross-account delivery?
101A security engineer needs to ensure that all objects uploaded to an S3 bucket are automatically scanned for malware before being made accessible to users. Which solution is MOST appropriate?
102Which TWO actions are valid ways to send application logs from an EC2 instance to Amazon CloudWatch Logs? (Select TWO.)
103Which THREE are features of Amazon GuardDuty that help with threat detection? (Select THREE.)
104Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Select TWO.)
105Refer to the exhibit. A security engineer configured this S3 bucket policy to allow CloudTrail to deliver logs. However, logs are not being delivered. What is the MOST likely reason?
106Refer to the exhibit. This is a line from a VPC Flow Log. A security analyst notices that the log shows an ACCEPT record for a connection from 10.0.1.5 to 10.0.2.10 on port 443. However, the analyst expected the connection to be denied. Which field in the flow log record indicates that the connection was accepted?
107Refer to the exhibit. A security engineer ran this AWS CLI command to find when a specific CreateKeyPair API call was made. The command returns no results, even though the engineer knows the call was made. What is the MOST likely reason?
108A security engineer notices that S3 server access logs are not being delivered to the specified destination bucket. The source bucket has a bucket policy that grants s3:PutObject permission to the Log Delivery group. The destination bucket is in the same AWS account but a different region. What is the most likely cause of the failure?
109A company wants to centrally collect CloudTrail logs from multiple AWS accounts and enable real-time analysis. Which combination of services should be used?
110A DevOps engineer is configuring VPC Flow Logs for a subnet that contains a public-facing Application Load Balancer (ALB). The engineer wants to capture only accepted traffic for security analysis. What should the engineer do?
111A company is using AWS CloudTrail to monitor API activity. The security team wants to be alerted when an IAM user creates a new access key. Which CloudTrail event should be used to create a CloudWatch Events rule?
112A security analyst wants to monitor unsuccessful login attempts to the AWS Management Console. Which AWS service and log combination should be used?
113A company is using AWS Config to track resource changes. They want to receive notifications when a security group is modified to allow inbound traffic from 0.0.0.0/0. What is the most efficient way to achieve this?
114A company has a requirement to retain CloudTrail logs for 7 years to meet regulatory compliance. They want to minimize storage costs while ensuring logs are immutable and cannot be deleted by anyone, including the root user. What should they do?
115A security engineer is investigating a potential security incident and needs to determine if an EC2 instance was launched with a specific AMI ID. Which AWS log should be examined?
116A company uses Amazon GuardDuty and wants to automatically isolate a compromised EC2 instance by removing it from the security group. Which approach should be used?
117A company is designing a centralized logging solution for multiple AWS accounts. The logs must be encrypted at rest and in transit, and access must be audited. Which TWO actions should be taken? (Choose TWO.)
118A security engineer is investigating a possible data exfiltration from an S3 bucket. Which THREE AWS services can be used to detect and alert on suspicious activity? (Choose THREE.)
119A company needs to ensure that all API calls made to AWS are logged and that the logs are immutable. Which TWO steps should be taken? (Choose TWO.)
120Refer to the exhibit. A security engineer configured the above bucket policy for CloudTrail log delivery. However, logs are not being delivered. What is the most likely cause?
121Refer to the exhibit. A security analyst is reviewing a VPC Flow Log entry. The analyst wants to determine if this flow represents a potentially malicious RDP connection. Based on the log, which conclusion is most accurate?
122Refer to the exhibit. A security engineer finds this S3 bucket policy on a bucket that should be private. What is the most effective way to detect if this bucket was accessed by unauthorized users?
123A security engineer needs to capture all API calls made to AWS services for forensic analysis. Which AWS service should be used to store these logs durably and cost-effectively for long-term retention?
124A company is using AWS CloudTrail to log API calls and wants to ensure that log files are not tampered with after delivery to S3. Which feature should be enabled to validate the integrity of CloudTrail log files?
125A security team notices that an S3 bucket containing sensitive data has been repeatedly accessed from an IP address outside the company's network. They need to set up a real-time alert when such access occurs. Which combination of services should they use?
126A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to set up this metric alarm?
127A security engineer is reviewing AWS CloudTrail logs and finds that an IAM user 'developer1' deleted an S3 bucket. The engineer needs to determine the source IP address of the delete operation. Which field in the CloudTrail log record contains this information?
128A company uses AWS Organizations with multiple accounts. They want to centralize logging of all API calls across all accounts and store them in a single S3 bucket. Which configuration should be used?
129A security team needs to detect unauthorized attempts to access an S3 bucket that contains sensitive data. Which AWS service can automatically analyze S3 access logs and generate findings for suspicious activity?
130A company is using Amazon RDS for MySQL and needs to monitor database login attempts for security analysis. Which feature should be enabled to capture authentication events?
131A company uses AWS CloudTrail and wants to ensure that log files are encrypted at rest and that access to the logs is logged. Which combination of S3 features should be enabled on the destination bucket?
132A security engineer is implementing centralized logging across multiple AWS accounts. Which TWO actions should the engineer take to ensure logs are securely stored and immutable? (Choose TWO.)
133A company wants to monitor for suspicious IAM activity, such as a user creating access keys without authorization. Which THREE AWS services can be used together to detect and alert on this activity in real-time? (Choose THREE.)
134A security engineer needs to capture network traffic between EC2 instances in a VPC for analysis. Which TWO services can provide this capability? (Choose TWO.)
135A company is using AWS CloudTrail and wants to detect when an IAM user performs a specific action, such as stopping an EC2 instance. The security engineer needs to set up a real-time notification. Which THREE steps should the engineer take? (Choose THREE.)
136Refer to the exhibit. An IAM policy is attached to an IAM user. The user reports that they can upload objects to the S3 bucket but cannot list the contents of the bucket. Which statement explains this behavior?
137Refer to the exhibit. A security engineer runs the above AWS CLI command to search for CreateKeyPair events in CloudTrail. The command returns no results, but the engineer knows that a key pair was created during that time. What is the most likely reason for the missing events?
138A company has a multi-account AWS environment using AWS Organizations. The security team has enabled AWS CloudTrail with an organization trail that delivers logs to a centralized S3 bucket in the management account. They have also enabled Amazon GuardDuty in all accounts. Recently, they noticed that some EC2 instances in a member account are exhibiting unusual network behavior, such as outbound traffic to known malicious IP addresses. The security engineer needs to quickly determine the source of the traffic and identify which EC2 instances are affected. The engineer has access to the management account and the member account. Which course of action should the engineer take to most efficiently investigate this incident?
139A company uses AWS Organizations with multiple accounts. The security team needs to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which configuration ensures that only the management account can delete the log files?
140A security engineer is investigating a potential data exfiltration from an EC2 instance. CloudTrail logs show that an IAM user created a new access key for an existing IAM role and used it to call S3 GetObject from an unfamiliar IP address. What is the MOST likely reason the CloudTrail logs captured this activity?
141A company is required to retain CloudTrail logs for 7 years for compliance. Which solution meets this requirement with the LEAST operational overhead?
142A company has enabled AWS Config to record resource changes. The security team needs to be notified when a security group is modified to allow inbound SSH from 0.0.0.0/0. Which AWS service should be used to evaluate the Config rules and trigger notifications?
143A security engineer notices that an S3 bucket containing sensitive data has been accessed from an IP address outside the allowed range. CloudTrail logs show the access was made using temporary credentials from an assumed role. What additional logging is needed to trace the access back to the original IAM user who assumed the role?
144A company uses Amazon GuardDuty for threat detection. The security team wants to automatically isolate an EC2 instance that is communicating with a known malicious IP address. Which combination of services should be used?
145A company is required to audit all changes to IAM policies. Which AWS service should be used to record these changes?
146A security engineer needs to monitor AWS API calls for potential unauthorized access. The engineer wants to be alerted when a specific IAM user performs a high-risk action like deleting a CloudTrail trail. What is the MOST efficient way to achieve this?
147A company wants to detect and alert on SSH brute force attacks on EC2 instances. Which AWS service should be used?
148A security engineer is designing a centralized logging solution for multiple AWS accounts. Which TWO services should be used to aggregate logs from all accounts into a single account? (Choose TWO.)
149A company is using AWS Organizations and wants to enable a central security team to view API activity across all member accounts. Which THREE steps are required? (Choose THREE.)
150A security engineer is investigating a potential security incident. Which TWO AWS services can be used to analyze historical network traffic patterns? (Choose TWO.)
151Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload objects to the S3 bucket 'example-bucket' using the AWS CLI from a remote location. What is the MOST likely cause?
152A company has a multi-account AWS environment with 50 accounts. The security team uses AWS CloudTrail to log management events in each account and delivers logs to a centralized S3 bucket in the security account. Recently, the team noticed that some CloudTrail logs are missing from the central bucket for a few accounts. The logs appear to be delivered intermittently. The security engineer checks the CloudTrail configuration in one of the affected accounts and sees that the trail is configured to deliver to the central bucket. The bucket policy in the security account allows CloudTrail to write from all accounts. The engineer also checks the CloudTrail console and sees that the trail status is 'Logging'. What is the MOST likely cause of the intermittent log delivery?
153A company uses Amazon GuardDuty in a single AWS account to detect threats. The security team receives an alert that a specific EC2 instance is communicating with a known command and control (C2) server. The security engineer needs to immediately isolate the instance while preserving the root cause evidence. The engineer has access to the AWS Management Console. Which action should the engineer take FIRST?
154A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security team notices that an object was accessed from an IP address outside the allowed VPC. CloudTrail logs show that the access was made using temporary credentials from an assumed role. The role was assumed by an EC2 instance in the allowed VPC. What is the MOST likely reason the access was allowed despite the bucket policy restriction?
155A security engineer is investigating a potential data exfiltration incident. The engineer needs to determine whether an IAM user in account A accessed an S3 bucket in account B. The engineer has access to both accounts. Which combination of steps should the engineer take to identify the cross-account access?
156A security engineer is configuring an Amazon S3 bucket to store CloudTrail logs. The engineer must ensure that the logs are encrypted at rest using an AWS KMS customer managed key (CMK) and that only the CloudTrail service has permission to decrypt the logs. Which bucket policy statement should the engineer add?
157A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. The engineer wants to receive real-time notifications when a security group rule is added, modified, or removed. Which AWS service should the engineer use to capture these API calls?
158A company uses AWS Organizations with multiple accounts. The security team needs to centrally monitor all API calls made in the member accounts. The team wants to ensure that all CloudTrail logs are delivered to a centralized S3 bucket in the management account. Which configuration should the security team implement?
159A security engineer is investigating a potential compromise. The engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address on port 443. The engineer needs to determine if the instance is communicating with a known command and control (C2) server. Which AWS service can the engineer use to check the reputation of the destination IP address?
160A security engineer is designing a logging solution for an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The engineer needs to capture and store the following logs for analysis: (1) HTTP request logs from the ALB, (2) operating system logs from the EC2 instances, and (3) network traffic logs for the VPC. Which combination of AWS services should the engineer use? (Choose three.)
161A company has a requirement to detect and alert on anomalous IAM user behavior, such as a user logging in from an unusual geographic location. The company uses AWS Organizations and has multiple accounts. Which services should the company use to meet this requirement? (Choose two.)
162A security engineer needs to ensure that all changes to IAM policies in an AWS account are logged and that the logs are immutable and cannot be deleted by any user, including the root user. Which actions should the engineer take? (Choose two.)
163A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team has implemented a centralized logging solution using Amazon S3 for ALB access logs and AWS CloudTrail logs. Recently, the team noticed that some ALB access logs are missing for certain time periods. The ALB is configured to deliver logs every 5 minutes to an S3 bucket with a bucket policy that grants the ALB service principal write access. The CloudTrail logs show no errors related to the ALB or S3. The S3 bucket is in the same region as the ALB. What is the most likely cause of the missing logs?
164A financial services company uses AWS CloudTrail to log all API calls in their account. They store the logs in an S3 bucket with server-side encryption using AWS KMS (SSE-KMS). The security team needs to ensure that only authorized users can decrypt and read the logs. They have created a KMS key with a key policy that grants decrypt permissions to the security team's IAM roles. However, when a security engineer tries to download a log file from the S3 bucket using the AWS CLI, they receive an 'AccessDenied' error. The engineer has s3:GetObject permission on the bucket. What is the most likely cause?
165A company uses Amazon GuardDuty to monitor for malicious activity in their AWS account. The security team receives a GuardDuty finding that indicates an EC2 instance is communicating with a known cryptocurrency mining pool. The team needs to investigate the finding and determine which security group rules allowed the outbound traffic. The EC2 instance is in a VPC with a single security group attached. Which AWS service should the security team use to review the outbound traffic details?
166A company has a requirement to retain CloudTrail logs for 7 years for compliance. They currently store logs in an S3 bucket with standard storage. The security team wants to minimize storage costs while meeting the retention requirement. The logs must be available for retrieval within 24 hours of a request. Which storage class should the team use for the logs after the first 30 days?
167A security engineer is troubleshooting an issue where CloudTrail logs for a single AWS account are not being delivered to the centralized S3 bucket in the logging account. The engineer has verified that the CloudTrail trail is enabled, the S3 bucket policy allows CloudTrail to write, and the bucket exists. However, no log files have been delivered for the past 6 hours. The engineer checks the CloudTrail console and sees that the trail status shows 'Logging' but the latest log file time is from 8 hours ago. The engineer suspects a permission issue but cannot find any explicit deny in the bucket policy. What is the MOST likely cause of this issue?
168A company is using Amazon GuardDuty to detect threats in its AWS environment. The security team notices that GuardDuty is generating a high number of 'UnauthorizedAccess:IAMUser/MaliciousIPCaller' findings for an IAM user that is used by a legacy application. The security team has verified that the IP addresses flagged are not malicious but are legitimate IPs used by the application's third-party service. The company wants to suppress these findings without disabling GuardDuty entirely. Which solution is the MOST effective and secure?
169A security engineer is responsible for monitoring AWS account activity. The engineer needs to receive real-time notifications when specific API calls are made, such as 'DeleteTrail' or 'UpdateTrail'. The engineer wants to use AWS services to achieve this with minimal latency. Which combination of services should the engineer use?
170A company has a multi-account AWS environment managed by AWS Organizations. The security team wants to enable a centralized logging solution where all VPC flow logs, CloudTrail logs, and AWS Config configuration items are sent to a single S3 bucket in the security account. The team has already created the S3 bucket with appropriate bucket policies to allow cross-account writes. However, logs are not appearing from all accounts. What is the MOST likely reason for this issue?
171A security engineer is configuring CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are delivered to an S3 bucket owned by a separate AWS account for centralized auditing. Which additional configuration is required to allow the S3 bucket in the other account to receive these logs?
172A company uses AWS Organizations with multiple accounts. The security team wants to centralize VPC Flow Logs from all accounts into a single S3 bucket in the security account. The flow logs are created in the member accounts and sent to the centralized bucket. However, the security team notices that flow logs from some member accounts are not being delivered. What is the most likely cause?
173A company's security team is investigating a potential security incident. They have enabled CloudTrail and CloudWatch Logs. They want to receive real-time alerts when an IAM user creates a new access key. Which combination of services should be used to achieve this?
174A company is using Amazon GuardDuty to monitor for malicious activity. The security team wants to automatically isolate an EC2 instance that is flagged for outbound communication with a known malicious IP address. Which approach is the most efficient and scalable?
175A company uses AWS CloudTrail to log API activity. The security team wants to ensure that any modification to CloudTrail configuration is logged and that the logs are tamper-proof. Which feature should be enabled?
176A security engineer is setting up centralized logging for an AWS organization. The engineer wants to collect CloudTrail logs, VPC Flow Logs, and AWS Config configuration items from all member accounts into a single S3 bucket in the management account. The engineer creates a new S3 bucket with a bucket policy that grants the required permissions. However, logs from member accounts are not being delivered. What is the most likely reason?
177A company is using Amazon CloudWatch Logs to centralize application logs from EC2 instances. The security team wants to encrypt the log data at rest using a customer-managed KMS key. After enabling encryption on the log group, they notice that new log events are being encrypted, but existing log events are not encrypted. What should the team do to encrypt the existing log events?
178A security engineer is configuring Amazon GuardDuty for the first time. The engineer wants to receive alerts when GuardDuty generates a finding of severity HIGH or higher. What is the simplest way to achieve this?
179A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted within minutes. Which solution should they implement?
180A security engineer is troubleshooting an issue where CloudTrail is not delivering logs to an S3 bucket. The bucket policy appears correct. Which TWO additional steps should the engineer take to diagnose the issue? (Choose TWO.)
181A company has enabled Amazon GuardDuty in multiple AWS accounts. The security team wants to centralize GuardDuty findings into a single account for analysis. Which THREE steps are required to achieve this? (Choose THREE.)
182A security engineer is configuring VPC Flow Logs to capture network traffic metadata. Which TWO attributes can be captured in VPC Flow Logs? (Choose TWO.)
183Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs from account 123456789012 to the bucket my-trail-bucket. However, CloudTrail logs are not being delivered. What is the most likely reason?
184Refer to the exhibit. A security engineer is analyzing a VPC Flow Log entry from an EC2 instance with private IP 10.0.1.5. The log shows an outbound connection to IP 203.0.113.5 on port 443 from source port 22. The connection was accepted. What is the most likely scenario?
185Refer to the exhibit. A security engineer is reviewing a CloudTrail event. What security concern does this event raise?
186A security team needs to detect unauthorized API calls made from a compromised IAM user. Which AWS service should be used to monitor and alert on specific API activities?
187A company has enabled CloudTrail in all regions and is logging to a single S3 bucket. The security team needs to ensure that any attempted deletion of CloudTrail logs generates an immediate alert. Which solution meets this requirement?
188A security engineer is investigating a potential data exfiltration incident. The engineer has enabled VPC Flow Logs for the VPC and CloudTrail for the account. Which combination of actions would provide the most comprehensive visibility into network traffic and API calls?
189A company wants to centrally collect and analyze logs from multiple AWS accounts. Which AWS service should be used to aggregate logs from various sources for monitoring and alerting?
190A security team needs to monitor for failed login attempts to an EC2 instance running Linux. The team wants to send a real-time alert when more than 10 failed SSH attempts occur within 5 minutes. Which solution is the most efficient?
191A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. Which solution meets these requirements?
192A security analyst needs to receive an alert when an IAM user attempts to perform an action they are not authorized to perform. Which AWS service can be used to monitor and alert on such authorization failures?
193A company has a requirement to retain CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The security team needs to ensure that logs are not deleted before the retention period ends, even by users with full S3 permissions. Which action should be taken?
194A security engineer is configuring a centralized logging solution for multiple AWS accounts. The engineer needs to ensure that log files are encrypted at rest and that access to the logs is audited. Which combination of services and features should be used?
195A security team wants to detect and alert on potential security threats such as compromised instances or malicious activity within their AWS environment. Which TWO AWS services should be used together to provide comprehensive threat detection?
196A security engineer is designing a logging strategy for a multi-account environment. The engineer needs to ensure that all API activity across accounts is logged and that logs are immutable and centrally accessible. Which THREE actions should the engineer take?
197A company wants to monitor for unauthorized changes to security group rules in their VPC. Which TWO AWS services can be used together to detect and alert on such changes?
198Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most significant security concern indicated by this event?
199Refer to the exhibit. A security engineer has attached this IAM policy to a user. What is the effect of this policy?
200Refer to the exhibit. A security engineer runs this CloudWatch Logs Insights query on a log group. What is the purpose of this query?
201A security engineer is configuring AWS CloudTrail to log management events for all AWS regions. The engineer needs to ensure that log files are encrypted at rest and that access to the log files is logged. Which solution meets these requirements?
202A DevOps engineer needs to monitor failed SSH login attempts to Amazon EC2 instances. Which AWS service should the engineer use to collect and analyze the login events?
203A security team has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The team has also enabled S3 server access logging for the CloudTrail bucket. The team needs to detect any unauthorized access to the CloudTrail logs. Which combination of services should the team use to achieve near-real-time detection?
204A company wants to centralize logging from multiple AWS accounts into a single logging account. The logs include AWS CloudTrail, AWS Config, and VPC Flow Logs. Which solution should the company implement to meet these requirements with minimal operational overhead?
205A company uses Amazon Route 53 for DNS and wants to log all DNS queries made from its VPC. The logs must be stored in Amazon S3 for compliance purposes. Which solution meets these requirements?
206A security engineer needs to monitor AWS account activity for suspicious API calls and receive alerts. Which AWS service should the engineer use to meet this requirement?
207A company has a requirement to retain AWS CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The company wants to reduce storage costs by automatically moving older logs to a cheaper storage class. Which solution should the company implement?
208A company is using Amazon CloudWatch Logs to collect logs from its EC2 instances. The security team wants to ensure that logs are encrypted at rest and that access to the logs is controlled. Which solution should the team implement?
209A security engineer needs to identify which IAM users have been inactive for the past 90 days. Which AWS service should the engineer use?
210A company is implementing a security monitoring solution for its AWS environment. Which TWO services can be used to detect and alert on suspicious API activity? (Choose TWO.)
211A security team wants to implement a centralized logging solution for multiple AWS accounts. The team needs to collect VPC Flow Logs, CloudTrail logs, and DNS query logs from all accounts. Which THREE services should the team use to aggregate these logs? (Choose THREE.)
212A company wants to monitor AWS account activity and receive real-time notifications for specific API calls. Which TWO services should the company use together? (Choose TWO.)
213A security engineer needs to ensure that all API calls made to AWS are logged and retained for at least 7 years for compliance. Which AWS service should be enabled to meet this requirement?
214A company is experiencing unauthorized access attempts to an S3 bucket. Which AWS service can be used to detect and alert on such events in real time?
215A security team wants to centrally collect and analyze VPC Flow Logs from multiple AWS accounts for security monitoring. Which solution is MOST scalable and cost-effective?
216A company needs to monitor for root account usage and receive immediate notifications. Which combination of AWS services should be used?
217A security engineer is troubleshooting an issue where CloudTrail logs are not being delivered to the specified S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?
218A company uses AWS CloudTrail to log all management events and data events for S3. The security team wants to detect any PutObject API calls that upload objects with server-side encryption disabled. Which solution is MOST efficient?
219A company wants to receive an alert when an IAM user creates a new access key. Which AWS service should be used to trigger the alert?
220A security engineer needs to monitor for unusual outbound network traffic from an EC2 instance. Which AWS service provides this capability?
221A company is using AWS CloudTrail to log all management events and has enabled log file validation. What additional security benefit does log file validation provide?
222A company needs to monitor for unauthorized changes to security group rules. Which TWO AWS services can be used together to achieve this?
223A security engineer is designing a centralized logging solution for 10 AWS accounts. Which THREE AWS services should be used to aggregate, store, and analyze logs?
224Which TWO AWS services can be used to detect and alert on suspicious activity in near real-time?
225A security engineer configured the S3 bucket policy shown above for CloudTrail log delivery, but CloudTrail is not delivering logs. What is the MOST likely reason?
226A security engineer runs the CLI command above to investigate a console login event. The output shows: {"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root"}. What does this indicate?
227The IAM policy above is attached to a role used by an EC2 instance to send logs to CloudWatch Logs. The instance is unable to send logs. What is the MOST likely issue?
228A security engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address. The engineer needs to capture and analyze the network traffic to determine what data is being exfiltrated. Which AWS service should be used to capture the traffic for analysis?
229A company uses AWS Organizations with multiple accounts. The security team wants to centrally monitor and analyze all CloudTrail logs from all accounts. The logs must be stored in a centralized S3 bucket with encryption and access logging enabled. Additionally, the team needs to detect anomalous API activity across accounts using machine learning. Which combination of services meets these requirements?
230A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as IAM user creation or S3 bucket policy changes. Which AWS service should be used to trigger notifications based on these API events?
231A company uses AWS CloudTrail to log all API activity and delivers logs to an S3 bucket with server-side encryption (SSE-S3). The security team needs to ensure that only authorized personnel can access the logs and that any unauthorized access attempts are logged and alerted. Additionally, the team wants to prevent the logs from being deleted for at least one year. Which combination of actions should be taken?
232A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to analyze web request logs to identify potential SQL injection attacks. Which AWS service should be used to collect and analyze the ALB access logs?
233A security engineer needs to monitor for unauthorized changes to IAM roles and policies in an AWS account. The engineer wants to receive an email notification whenever an IAM policy is attached to a role. Which AWS services should be combined to achieve this?
234A company has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted. Which approach should be used?
235A company uses Amazon RDS for MySQL and needs to monitor database activity for suspicious queries, such as unauthorized access attempts or SQL injection. The security team wants to centralize the logs from multiple RDS instances and analyze them in near real-time. Which solution should be implemented?
236A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to determine if any unauthorized SSH keys were added to the instance's authorized_keys file. Which AWS service should be used to detect this change?
237A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet the following requirements: 1) Logs from all accounts must be stored in a centralized S3 bucket. 2) The logs must be encrypted at rest using AWS KMS. 3) Access to the logs must be logged and monitored. Which TWO services should be used to meet the requirements? (Choose TWO.)
238A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer needs to ensure that all findings from member accounts are visible in the administrator account. Additionally, the engineer wants to receive real-time notifications for high-severity findings. Which TWO actions should the engineer take? (Choose TWO.)
239A company needs to monitor its AWS environment for compliance with the CIS AWS Foundations Benchmark. The security team wants to automatically check for non-compliant resources and receive reports. Which THREE services should be used together to meet these requirements? (Choose THREE.)
240A company uses AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that any S3 bucket created with public read access is detected within minutes. Which solution is MOST efficient?
241A security engineer is investigating a potential compromise. They notice that an IAM user 'svc-backup' has been making unusual API calls from an IP address outside the company's VPC. The engineer wants to ensure all future API calls from this user are logged with full event details. However, the current CloudTrail trail is set to log only management events. What should the engineer do to capture the required details?
242A company wants to centralize security logs from multiple AWS accounts into a single S3 bucket. The logging accounts (e.g., security, production) each have their own CloudTrail trails. Which configuration is required to allow cross-account log delivery?
243A security engineer is troubleshooting why Amazon GuardDuty is not generating findings for suspicious S3 API calls made by an IAM role. The engineer has verified that GuardDuty is enabled in the account and region. What is a likely reason for the missing findings?
244A company uses AWS Organizations and wants to enable Amazon GuardDuty across all member accounts. The security team wants to centrally manage findings and automate responses. What is the MOST efficient way to achieve this?
245A company is using Amazon CloudWatch Logs to store application logs. The security team needs to ensure that logs are encrypted at rest using a customer-managed KMS key (CMK). What configuration is required?
246A company has a CloudTrail trail that logs management events and delivers them to an S3 bucket. The security team notices that some expected API calls are missing from the logs. They suspect that the calls were made by a service that is not tracked by CloudTrail. Which AWS service is NOT tracked by CloudTrail?
247A security engineer is configuring Amazon Inspector to assess EC2 instances for software vulnerabilities. The engineer has installed the SSM Agent on all instances and ensured that the instances have internet access. However, Amazon Inspector shows the instances as 'Unmanaged'. What is the MOST likely cause?
248A company uses AWS CloudTrail to log management events. The security team wants to be alerted when an IAM user creates a new access key. Which solution would meet this requirement with the least operational overhead?
249A security engineer needs to ensure that all API calls in an AWS account are logged for auditing purposes. Which TWO services should the engineer enable? (Select TWO.)
250A company wants to detect and respond to potential security threats in near real-time. Which THREE AWS services should the company use together? (Select THREE.)
251A security engineer is investigating a potential data breach. The engineer wants to analyze historical API calls made by a specific IAM user. Which TWO AWS services can be used together to achieve this? (Select TWO.)
252A security engineer has attached the above IAM policy to a role used by an application to write logs to an S3 bucket. However, the application is unable to write logs. What is the MOST likely reason?
253A security engineer needs to ensure that all S3 object-level API calls (e.g., GetObject, PutObject) on the bucket 'my-bucket' are logged. The current CloudTrail configuration is as shown in the exhibit. What change should the engineer make?
254A security engineer is configuring a multi-account CloudTrail setup. The above bucket policy is attached to the central logging bucket. Despite the policy, CloudTrail in the member account (123456789012) cannot deliver logs. What is the MOST likely issue?
255A security engineer notices that an Amazon S3 bucket has been accessed from an IP address outside the company's allowed range. The engineer needs to identify the IAM user who made the request. Which AWS service should be used to find this information?
256A company uses AWS Organizations with multiple accounts. The security team wants to centralize the collection of VPC Flow Logs and AWS CloudTrail logs from all accounts into a single Amazon S3 bucket in the management account. The S3 bucket policy must allow cross-account log delivery. Which condition in the bucket policy should be used to restrict log delivery to only the organization's accounts?
257A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to ensure that all member accounts send findings to the delegated administrator account. However, some member accounts are not sending findings. What is the most likely cause?
258A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as creating a new IAM user. Which AWS service should be used to trigger a notification based on CloudTrail events?
259A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to capture network traffic to and from the instance for analysis. Which method should be used to capture this traffic without installing any software on the instance?
260A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that logs are immutable after they are delivered to Amazon S3. Which combination of actions should be taken to meet this requirement? (Choose the best single answer that includes all necessary steps.)
261A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. Which AWS service can evaluate security group rules against a desired configuration and alert on changes?
262A company uses AWS CloudTrail and wants to ensure that all log files are encrypted at rest using a customer-managed AWS KMS key. The CloudTrail trail is configured to use a KMS key, but some log files appear to be encrypted with the default Amazon S3 managed key (SSE-S3). What is the most likely cause?
263An organization wants to detect and alert on the use of root user credentials in their AWS accounts. They have multiple accounts managed via AWS Organizations. What is the most efficient way to centralize this monitoring?
264A security engineer is configuring logging for an application running on Amazon EC2 instances. The engineer needs to capture both operating system-level logs and application logs. Which TWO services can be used together to achieve this? (Choose two.)
265A security team wants to detect and alert on suspicious network traffic patterns within their VPC. They need to capture traffic to and from an EC2 instance for analysis. Which THREE services should be used together to achieve this? (Choose three.)
266A company needs to monitor for unauthorized changes to its Amazon S3 bucket policies. Which TWO services can be used together to achieve this? (Choose two.)
267Refer to the exhibit. A security engineer has created an S3 bucket policy to allow AWS CloudTrail and VPC Flow Logs to deliver logs to the bucket. However, CloudTrail logs are not being delivered, but VPC Flow Logs are delivered successfully. What is the most likely cause?
268Refer to the exhibit. A security engineer is configuring the Amazon CloudWatch agent to collect logs from an Amazon ECS task. The configuration shown is used. However, the logs are not appearing in CloudWatch Logs. What is the most likely cause?
269Refer to the exhibit. A security engineer uses the AWS CLI command shown to investigate a console login event. What type of user performed the login?
270A security engineer is troubleshooting why CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured with the correct bucket name. However, no log files appear. What is the most likely cause?
271A company uses Amazon GuardDuty to monitor for threats. The security team receives a high-severity finding: 'UnauthorizedAccess:EC2/SSHBruteForce'. The finding indicates a single EC2 instance with a public IP is receiving SSH connection attempts from multiple external IPs. The instance is part of an Auto Scaling group and is fronted by an Application Load Balancer (ALB). The security team wants to block the attacking IPs without disrupting legitimate traffic. What is the MOST effective approach?
272A company wants to detect and alert on changes to IAM roles and policies in their AWS account. Which combination of AWS services should they use?
273A DevOps engineer notices that an EC2 instance's CloudWatch agent is not sending custom metrics to CloudWatch. The agent is installed and the configuration file is valid. The instance has an IAM role attached. What is the most likely reason for the failure?
274A security team uses Amazon Macie to discover sensitive data in S3. They have configured Macie to run automated sensitive data discovery jobs. After reviewing the findings, they notice that some S3 objects containing personally identifiable information (PII) are not being flagged. What is the most likely cause?
275A company wants to centralize logs from multiple AWS accounts into a single S3 bucket for analysis. The accounts are part of an AWS Organizations organization. Which set of steps will accomplish this?
276A security engineer is investigating a potential data exfiltration incident. They see that an EC2 instance with an IAM role is making API calls to S3 to download objects. The IAM role has an S3 bucket policy that allows access from that role. However, CloudTrail logs show that the calls are being made from an IP address outside the company's network. What is the most likely explanation?
277A company uses AWS CloudTrail to log all API activity. They want to ensure that log files are tamper-proof and can be validated for forensic purposes. Which of the following should they enable?
278A security analyst wants to receive a notification whenever a new security group is created in their AWS account. Which AWS service should they use to trigger an SNS notification based on the CloudTrail event?
279A security team is designing a logging solution for a multi-account AWS environment using AWS Organizations. They need to collect CloudTrail logs, VPC Flow Logs, and DNS logs from all accounts. Which TWO services can be used to centralize this logging?
280A security engineer is configuring Amazon GuardDuty in a multi-account environment. The engineer wants to enable GuardDuty in the management account and automatically enable it for all member accounts. Which THREE steps are required?
281A company wants to monitor unauthorized API calls in their AWS account. Which TWO AWS services can provide real-time alerting on such events?
282A financial services company has a multi-account AWS environment with over 200 accounts managed through AWS Organizations. The security team is responsible for monitoring all accounts for security incidents. They have enabled AWS CloudTrail in all accounts with trails that deliver logs to a centralized S3 bucket in the security account. Additionally, they have enabled Amazon GuardDuty in all accounts with the security account as the administrator. The team uses Amazon EventBridge to trigger automated responses to GuardDuty findings. Recently, they noticed that some GuardDuty findings from member accounts are not appearing in the security account. The security team verified that the findings are generated in the member accounts (they can see them in the member account GuardDuty console) but are not being sent to the administrator account. The CloudTrail logs are being delivered correctly. What is the MOST likely cause of this issue?
283A security engineer notices that an IAM user in the company's AWS account is making API calls from an IP address outside the allowed corporate network. The engineer needs to be alerted immediately when such activity occurs. Which solution meets these requirements with the least operational overhead?
284A company wants to centralize CloudTrail logs from multiple AWS accounts into a single S3 bucket for security analysis. The logs must be encrypted at rest and access must be logged. What is the MOST secure way to grant cross-account access to the central S3 bucket?
285A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a central S3 bucket. A new member account is created and the security engineer wants to enforce this configuration automatically. Which approach meets these requirements with the least operational overhead?
286A security engineer is investigating a potential security incident. CloudTrail logs show that an IAM user 'admin' deleted an S3 bucket at 2023-01-15T10:30:00Z. The engineer needs to find the source IP address and user agent of the request. Which CloudTrail log field contains this information?
287A company uses Amazon GuardDuty to detect threats. The security team wants to receive real-time notifications for all GuardDuty findings with a severity of HIGH or CRITICAL. What is the MOST efficient way to achieve this?
288A company has a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all API activity across all accounts is logged and immutable. CloudTrail is enabled in all accounts, but the logs are stored in individual account buckets. The team wants to centralize logs and prevent any account from disabling logging. What should they do?
289A company uses Amazon RDS for MySQL and wants to monitor database activity for suspicious queries. The security team needs to capture all SQL statements executed against the database, including SELECT queries. Which AWS service should they use?
290A security engineer is reviewing CloudTrail logs and notices an event with the key 'eventType' set to 'AwsServiceEvent'. What does this indicate?
291A company uses Amazon S3 to store sensitive data. The security team wants to detect when objects are made publicly accessible. Which combination of services provides the MOST comprehensive detection with minimal false positives?
292Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Choose two.)
293Which TWO actions should a security engineer take to ensure that CloudTrail logs are protected from unauthorized deletion? (Choose two.)
294Which THREE AWS services can be used to detect and alert on suspicious network traffic patterns? (Choose three.)
295A financial services company has a production AWS account with hundreds of EC2 instances running a mix of Linux and Windows workloads. The security team is responsible for detecting and responding to security incidents. They have enabled CloudTrail, VPC Flow Logs, and GuardDuty. Recently, GuardDuty generated a finding indicating that an EC2 instance is communicating with a known malicious IP address. The security engineer needs to investigate the incident. The engineer examines the GuardDuty finding and sees the affected resource is an EC2 instance ID. The engineer wants to identify which user or role launched the instance and what security groups were associated with it at launch time. Which approach should the engineer take to gather this information?
296A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an RDS MySQL database. The security team wants to monitor for SQL injection attempts. They have enabled AWS WAF on the ALB and are logging all requests. The security engineer needs to analyze the WAF logs to identify if any SQL injection attacks have been attempted. The logs are stored in an S3 bucket. The engineer needs to query the logs for patterns like 'SELECT * FROM' or 'DROP TABLE' in the URI. Which service should the engineer use to perform this analysis?
297A company uses AWS Organizations to manage multiple accounts. The security team needs to implement a centralized logging solution where all VPC Flow Logs from all accounts are sent to a central S3 bucket in the security account. The flow logs must be encrypted with a customer-managed KMS key (CMK) that is owned by the security account. The security engineer has enabled VPC Flow Logs in each account and configured the destination to be the central S3 bucket. However, the flow logs are not being delivered. The engineer checks the S3 bucket policy and confirms that it grants the required permissions to the Flow Logs service principal. What is the MOST likely cause of the failure?
298A security engineer notices that CloudTrail logs for a production account are not being delivered to the S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?
299A company wants to monitor AWS API calls for suspicious activity and automatically remediate by revoking IAM roles in real time. Which combination of services should be used?
300A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used?
The Security Logging and Monitoring domain covers the key concepts tested in this area of the SCS-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SCS-C02 domains — no account required.
The Courseiva SCS-C02 question bank contains 300 questions in the Security Logging and Monitoring domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Logging and Monitoring domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included