Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SCS-C02 Security Logging and Monitoring • Complete Question Bank

SCS-C02 Security Logging and Monitoring — All Questions With Answers

Complete SCS-C02 Security Logging and Monitoring question bank — all 0 questions with answers and detailed explanations.

323 questions · Free · No signup
Question 1 (easy, multiple choice)

A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

Question 2 (medium, multiple choice)

A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?

Question 3 (hard, multiple choice)

A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?

Question 4 (easy, multiple choice)

A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?

Question 5 (medium, multiple choice)

A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?

Question 6 (hard, multiple choice)

A company stores sensitive data in Amazon S3 and wants to detect and alert on any public read access to objects. Which combination of services provides the most comprehensive solution?

Question 7 (easy, multiple choice)

A security engineer needs to centrally collect and analyze AWS CloudTrail logs from multiple accounts. Which service is designed for this purpose?

Question 8 (medium, multiple choice)

A company uses AWS CloudTrail and wants to ensure that any modification to the trail itself is detected immediately. What should be done?

Question 9 (medium, multi-select)

A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)

Question 10 (hard, multi-select)

A company wants to use AWS CloudTrail to monitor data events for all S3 buckets. Which THREE steps are necessary? (Choose THREE.)

Question 11 (easy, multi-select)

Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)

Question 12 (hard, multi-select)

A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)

Question 13 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews a CloudTrail log entry. What is the MOST concerning security issue?

Exhibit:

```
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "Root",
        "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012"
      },
      "eventTime": "2023-09-01T12:34:56Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "AuthorizeSecurityGroupIngress",
      "sourceIPAddress": "203.0.113.5",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "groupId": "sg-12345678",
        "ipPermissions": {
          "items": [
            {
              "ipProtocol": "tcp",
              "fromPort": 22,
              "toPort": 22,
              "ipRanges": [
                {
                  "cidrIp": "0.0.0.0/0"
                }
              ]
            }
          ]
        }
      },
      "responseElements": null
    }
  ]
}
```

Question 14 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?

Exhibit:

```
{
  "configuration": {
    "name": "my-trail",
    "s3BucketName": "my-cloudtrail-logs",
    "includeGlobalServiceEvents": true,
    "isMultiRegionTrail": true,
    "enableLogFileValidation": true,
    "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:aws-cloudtrail-logs:*",
    "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
    "kmsKeyId": null
  }
}
```

Question 15 (hard, multiple choice)

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to implement centralized logging for all AWS CloudTrail events across all accounts. They create a new trail in the management account with the following configuration: trail name 'central-trail', apply to all accounts in the organization, enable data events for all S3 buckets, and store logs in a centralized S3 bucket. After one week, they notice that some accounts are not delivering CloudTrail logs to the central bucket. The security engineer verifies that the trail is still configured to apply to all accounts and that the S3 bucket policy allows cross-account access. What is the MOST likely reason for the missing logs?

Question 16 (easy, multiple choice)

A security engineer wants to receive real-time notifications when an AWS API call is made to delete an S3 bucket. Which service should be used to capture and forward these events to an Amazon SNS topic?

Question 17 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The security team needs to centrally monitor all root user API activity across all accounts and receive alerts within minutes. What is the MOST efficient solution?

Question 18 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls. The security team notices that some expected log entries are missing for actions performed by an IAM role assumed by an EC2 instance. The instance has the required permissions. What is the MOST likely cause of the missing log entries?

Question 19 (easy, multi-select)

A security engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must provide a centralized view of all API activities and send alerts for suspicious events. Which TWO services together can achieve this? (Choose TWO.)

Question 20 (hard, multi-select)

A company runs a critical application on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The security team enabled VPC Flow Logs, CloudTrail, and CloudWatch Logs for the application tier. Recently, they noticed that some EC2 instances are being terminated unexpectedly by an unknown IAM user. The CloudTrail logs show the TerminateInstances API call, but the source IP address is from within the VPC CIDR range. The security team suspects the action is coming from an EC2 instance that has been compromised. They need to identify the specific compromised instance and the IAM role it used. Which combination of steps will provide the necessary information? (Choose TWO.)

Question 21 (easy, multiple choice)

A security engineer needs to ensure that all API calls made in an AWS account are captured and retained for auditing purposes. The engineer must be able to query the logs for specific user activity over the past 90 days. Which AWS service should the engineer use to meet these requirements?

Question 22 (medium, multi-select)

A company is using AWS CloudTrail to monitor API activity in its AWS account. The security team needs to be alerted when unauthorized API calls are made to delete Amazon S3 buckets. Which TWO steps should the security team take to meet this requirement? (Choose TWO.)

Question 23 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 24 (medium, drag-and-drop ordering)

Drag and drop the steps to set up AWS Shield Advanced with automatic application layer DDoS mitigation in the correct order.

Question 25 (medium, drag-and-drop ordering)

Drag and drop the steps to respond to a suspected AWS IAM credential compromise in the correct order.

Question 26 (medium, matching)

Match each AWS CloudTrail log type to its description.

Descriptions to match (one per CloudTrail log type):

- Control plane operations
- Resource operations like S3 object access
- Unusual activity detection
- Invocation of Lambda function URLs


Question 27 (medium, matching)

Match each AWS security tool to its purpose.

Descriptions to match (one per AWS security tool):

- Automated vulnerability assessment
- Threat detection service
- Centralized security findings aggregation
- Investigation and analysis of security issues
- Resource configuration monitoring and compliance


Question 28 (easy, multiple choice)

A security engineer needs to monitor for suspicious API calls in near real-time and trigger an automated response. Which AWS service should be used to capture and analyze these API calls?

Question 29 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to centralize security logs (CloudTrail, VPC Flow Logs, AWS Config) from all accounts into a single S3 bucket for analysis. What is the MOST secure way to set up this centralized logging?

Question 30 (hard, multiple choice)

A company is using Amazon CloudWatch Logs to store application logs. The security team needs to retain logs for 7 years to comply with regulatory requirements. The logs are accessed infrequently after the first 90 days. What is the MOST cost-effective way to meet these retention and access requirements?

Question 31 (medium, multiple choice)

A security engineer is troubleshooting an issue where Amazon GuardDuty is not generating findings for a specific EC2 instance that is known to be compromised. The instance is in a VPC with VPC Flow Logs enabled. What could be the reason for the lack of findings?

Question 32 (easy, multiple choice)

A company wants to monitor failed SSH login attempts to its EC2 instances. Which AWS service should be used to collect and analyze these logs?

Question 33 (hard, multiple choice)

A company uses Amazon S3 to store sensitive data. The security team needs to be alerted when an S3 bucket policy is changed to allow public access. Which combination of services should be used to meet this requirement?

Question 34 (medium, multiple choice)

A security engineer is investigating a potential security incident involving an EC2 instance that was used to launch an outbound DDoS attack. The engineer needs to determine the source of the attack and the commands executed on the instance. Which logs should be analyzed?

Question 35 (easy, multiple choice)

A company wants to detect and alert on suspicious IAM user behavior, such as accessing services that are not typically used. Which AWS service provides prebuilt anomaly detection for IAM users?

Question 36 (medium, multiple choice)

A company has enabled AWS CloudTrail in all regions and is delivering logs to a central S3 bucket. The security team needs to ensure that any attempt to delete or modify CloudTrail logs is detected and alerted. What should be done?

Question 37 (medium, multi-select)

A company is using Amazon CloudWatch Logs to collect application logs. The security team wants to detect patterns that indicate security threats, such as multiple failed login attempts. Which TWO services can be used together to perform real-time log analysis and alerting?

Question 38 (hard, multi-select)

A company uses AWS Organizations and wants to enforce that all member accounts enable VPC Flow Logs for all VPCs. Which THREE services or features should be used to enforce this policy automatically?

Question 39 (easy, multi-select)

A security engineer is setting up monitoring for AWS API calls. Which TWO AWS services can be used to capture and analyze API activity?

Question 40 (medium, multiple choice)

A security engineer is troubleshooting why CloudTrail logs are not being delivered to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured to log management events. However, no log files appear in the bucket. What is the MOST likely cause?

Question 41 (hard, multiple choice)

A company uses AWS Config to track resource changes. They notice that a weekly compliance report shows an S3 bucket as non-compliant with a rule that checks for server-side encryption. However, the bucket has default encryption enabled. What is the MOST likely reason for this discrepancy?

Question 42 (easy, multiple choice)

A company wants to centrally collect VPC Flow Logs from multiple accounts into a single S3 bucket in the security account. Which solution is the MOST operationally efficient?

Question 43 (medium, multiple choice)

A security team needs to be alerted when an IAM user generates a console login failure. Which combination of AWS services should be used to meet this requirement?

Question 44 (hard, multiple choice)

A company has a CloudTrail trail that logs management events for all regions in the management account. They want to also log data events for all S3 buckets in the organization. Which configuration change will meet this requirement with the LEAST operational overhead?

Question 45 (easy, multiple choice)

A security engineer needs to ensure that all S3 buckets in an AWS account have server access logging enabled. Which AWS service should be used to continuously monitor for compliance?

Question 46 (medium, multiple choice)

A company is using Amazon Route 53 and wants to log DNS queries for investigative purposes. The logs must be stored in a centralized S3 bucket in the security account. What is the MOST efficient way to achieve this?

Question 47 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls. The security team notices that some PutObject API calls are not appearing in the CloudTrail logs. The S3 bucket in question has server access logging enabled. What is the MOST likely reason for the missing CloudTrail events?

Question 48 (medium, multiple choice)

A security engineer needs to detect when an EC2 instance is terminated in an AWS account. The solution must provide near-real-time notification. Which combination of services should be used?

Question 49 (medium, multi-select)

A company is designing a centralized logging solution for VPC Flow Logs across multiple AWS accounts. The solution must meet the following requirements:

- Centralized storage in an S3 bucket in the security account.
- Real-time analysis of flow logs.
- Minimal operational overhead.

Which TWO actions should the company take? (Choose two.)

Question 50 (hard, multi-select)

A security engineer is investigating a potential security incident. The engineer has enabled CloudTrail and VPC Flow Logs. Which THREE pieces of information can the engineer obtain from CloudTrail logs that are NOT available in VPC Flow Logs? (Choose three.)

Question 51 (medium, multi-select)

A company is using Amazon GuardDuty to detect threats. The security team wants to receive alerts for specific findings. Which TWO AWS services can be used to forward GuardDuty findings to a custom application for analysis? (Choose two.)

Question 52 (hard, multi-select)

A company wants to monitor for unauthorized API calls in real-time. The solution must meet the following requirements:

- Detect calls that fail authentication (AccessDenied).
- Detect calls that use a revoked IAM role.
- Provide a centralized view across multiple accounts.

Which THREE services should be used together to implement this solution? (Choose three.)

Question 53 (easy, multiple choice)

A security engineer needs to detect unauthorized API calls in an AWS account. Which AWS service should be used to record and monitor API activity for auditing?

Question 54 (medium, multiple choice)

A company needs to centralize security logs from multiple AWS accounts and on-premises servers. The logs must be encrypted at rest and stored in a cost-effective manner. Which solution meets these requirements?

Question 55 (hard, multiple choice)

A Security Engineer is troubleshooting why AWS CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail access. What is a likely cause of the issue?

Question 56 (easy, multiple choice)

A company wants to monitor failed SSH login attempts to EC2 instances. Which approach should be used?

Question 57 (medium, multiple choice)

A company uses AWS WAF to protect a web application. The security team needs to analyze blocked requests to identify attack patterns. Which service should be used to query and visualize WAF logs?

Question 58 (hard, multiple choice)

A company has a CloudTrail trail that logs management events for all regions. The security team notices that some S3 data events are not being logged. How should the team enable logging for all S3 data events?

Question 59 (easy, multiple choice)

A company needs to be alerted when root account credentials are used in their AWS account. Which service should be used to create a metric filter and alarm for this event?

Question 60 (medium, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to enable CloudTrail for all accounts and centrally store logs. What is the most efficient way to achieve this?

Question 61 (hard, multiple choice)

A security engineer needs to analyze VPC Flow Logs to identify traffic to a known malicious IP address. The logs are stored in Amazon S3. Which approach is the most cost-effective for querying the logs?

Question 62 (easy, multi-select)

A company wants to receive notifications when AWS CloudTrail logs are delivered to an S3 bucket. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Question 63 (medium, multi-select)

A security engineer needs to monitor DNS query logs for malicious domain names. Which THREE services can be used together to collect, analyze, and alert on DNS logs? (Choose THREE.)

Question 64 (hard, multi-select)

A company wants to ensure that all API calls in their AWS account are logged and immutable. Which TWO actions should be taken? (Choose TWO.)

Question 65 (medium, multiple choice)

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs. However, log delivery is failing. What is the most likely cause?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*"
    }
  ]
}
```

Question 66 (hard, multiple choice)

Refer to the exhibit. The security team is investigating a security incident in us-west-2 region. They notice that management events from us-west-2 are not appearing in the CloudTrail logs. Based on the exhibit, what is the most likely reason?

Exhibit:

```
$ aws cloudtrail describe-trails --trail-name-list my-trail
{
  "trailList": [
    {
      "Name": "my-trail",
      "S3BucketName": "my-bucket",
      "IncludeGlobalServiceEvents": true,
      "IsMultiRegionTrail": false,
      "HomeRegion": "us-east-1",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail",
      "LogFileValidationEnabled": true,
      "HasCustomEventSelectors": false,
      "HasInsightSelectors": false
    }
  ]
}
```

Question 67 (easy, multiple choice)

Refer to the exhibit. A security engineer creates this CloudWatch Logs metric filter on a CloudTrail log group to detect root account usage. However, no metrics are generated. What is the most likely issue?

Exhibit:

```
{
  "MetricFilter": {
    "filterName": "RootAccountUsage",
    "filterPattern": "{ $.userIdentity.type = \"Root\" }"
  }
}
```

Question 68 (easy, multiple choice)

A company uses AWS CloudTrail to log all API calls in their AWS account. They need to ensure that log files are not tampered with after they are delivered to the S3 bucket. Which feature should be enabled to provide integrity validation?

Question 69 (medium, multiple choice)

A security engineer is designing a monitoring solution for an AWS Lambda function that processes sensitive data. The function occasionally fails due to timeouts. The engineer needs to be alerted immediately when the function fails and also wants to analyze the error logs. Which combination of services should the engineer use?

Question 70 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. The bucket policy allows cross-account access. However, logs from member accounts are not being delivered. What is the most likely cause?

Question 71 (easy, multiple choice)

A company uses Amazon RDS for MySQL and wants to monitor database activity for security analysis. Which AWS service should be used to capture detailed database activity logs such as login attempts and query execution?

Question 72 (medium, multiple choice)

A security engineer is configuring VPC Flow Logs for a VPC that hosts a web application. The engineer wants to capture all traffic to and from the internet. Which of the following is the most appropriate configuration?

Question 73 (hard, multiple choice)

A security team wants to collect and analyze logs from multiple AWS services including CloudTrail, VPC Flow Logs, and AWS WAF. They need a centralized solution that can filter, transform, and route logs to multiple destinations in near real-time. Which AWS service should they use?

Question 74 (easy, multiple choice)

A company wants to detect and alert on unauthorized API calls in their AWS account. Which AWS service can provide real-time notifications when specific API calls are made?

Question 75 (medium, multiple choice)

A company uses AWS CloudTrail and wants to ensure that logs are encrypted at rest using a customer-managed KMS key. The CloudTrail trail is configured to deliver logs to an S3 bucket. After enabling SSE-KMS on the S3 bucket, the logs are not being delivered. What is the most likely cause?

Question 76 (hard, multiple choice)

A security engineer is investigating a potential security incident. They suspect that an IAM user's credentials were compromised and used to launch EC2 instances in a region where the user normally does not operate. Which AWS service can help the engineer identify the source IP address and user agent of the API calls that launched the instances?

Question 77 (medium, multi-select)

Which TWO actions should a security engineer take to ensure that Amazon GuardDuty can effectively monitor for suspicious activity in a VPC? (Choose two.)

Question 78 (hard, multi-select)

Which THREE are best practices for securing AWS CloudTrail log files? (Choose three.)

Question 79 (easy, multi-select)

Which TWO AWS services can be used to monitor and detect unauthorized changes to Amazon S3 bucket policies? (Choose two.)

Question 80 (medium, multiple choice)

A company uses AWS CloudTrail to log all API calls. The security team needs to be alerted when an IAM user creates a new access key. Which approach is most efficient?

Question 81 (easy, multiple choice)

A security engineer needs to centralize logs from multiple AWS accounts into a single S3 bucket. Which solution is most secure?

Question 82 (hard, multiple choice)

A company is using Amazon GuardDuty to detect threats. The security team notices that GuardDuty findings are not triggering the intended automated response via a CloudWatch Events rule. What is the most likely reason?

Question 83 (easy, multiple choice)

A company wants to monitor for unauthorized changes to its Amazon S3 bucket policies. Which AWS service should be used to detect such changes?

Question 84 (medium, multiple choice)

A security analyst needs to review all failed SSH login attempts to an EC2 instance. Which combination will provide this information?

Question 85 (hard, multiple choice)

A company has enabled AWS CloudTrail in all accounts and regions, with log file validation enabled. The security team needs to verify that a specific log file has not been modified since it was delivered. Which action should be taken?

Question 86 (easy, multiple choice)

A company wants to receive real-time notifications for every root user login to the AWS Management Console. Which service should be used?

Question 87 (medium, multiple choice)

A security engineer notices that an S3 bucket containing sensitive logs is publicly accessible. Which service should be used to automatically remediate this by applying a bucket policy?

Question 88 (hard, multiple choice)

A company is using Amazon Macie to discover sensitive data in S3. The security team wants to be notified when Macie finds a high-severity alert. Which integration should be used?

Question 89 (medium, multi-select)

A security team needs to monitor for unauthorized API calls in their AWS account. Which TWO services can provide real-time alerts for such events?

Question 90 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A company wants to ensure that all S3 buckets are encrypted at rest. Which THREE services can be used to detect and alert on unencrypted buckets?

Question 91 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to collect and analyze operating system logs from EC2 instances. Which TWO services are required?

Question 92 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

Which THREE actions can be performed using AWS CloudTrail to enhance security monitoring?

Question 93 (easy, multiple choice)
Read the full DNS explanation →

A security engineer needs to capture all DNS queries made by EC2 instances in a VPC and send them to a security analytics tool. Which AWS service should be used to capture this traffic?

Question 94 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

An organization wants to detect and alert on any IAM user that creates a new access key without using multi-factor authentication (MFA). What is the MOST efficient way to achieve this?

Question 95 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations and wants to centralize security logs from all member accounts into a single S3 bucket in the management account. The bucket policy allows only the management account's root user to write objects. However, logs are not being delivered from member accounts. What is the MOST likely cause?

Question 96 (easy, multiple choice)

A security engineer needs to monitor for failed SSH login attempts to EC2 instances and send alerts. Which combination of AWS services should be used?
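Questions 84 and 96 both come down to the same pipeline: the CloudWatch agent ships the sshd log (`/var/log/secure` or `/var/log/auth.log`) to CloudWatch Logs, a metric filter counts matching lines, and an alarm on that metric notifies through SNS. The script below is an added example, not part of the question bank or any AWS tooling; it reproduces what that metric filter and alarm evaluate, over log lines constructed here in syslog format. The 10-failures-in-5-minutes threshold is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only "Failed password" lines are counted so that one attempt is one failure;
# sshd writes a separate "Invalid user" line for unknown accounts, and counting
# both terms in a metric filter would double-count those attempts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, source ip, user name) for each failed-password line.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def brute_force_sources(lines, threshold=10, window=timedelta(minutes=5)):
    """Source IPs that produced >= `threshold` failures inside any sliding
    `window`, the condition a metric filter plus an alarm with a 5-minute
    period approximates. Returns {ip: peak failures seen in one window}."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(lines):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


# Constructed sample: 12 failures in just over a minute from one external IP
# (alternating root and an unknown user), one typo by an admin, and two lines
# the filter must ignore. Host name, IPs and PIDs are placeholders.
SAMPLE_LINES = (
    [f"May  1 12:0{i // 10}:{(i % 10) * 6:02d} ip-10-0-1-5 sshd[41{i}]: Failed password for "
     f"{'invalid user admin' if i % 2 else 'root'} from 198.51.100.7 port {40000 + i} ssh2"
     for i in range(12)]
    + [
        "May  1 12:00:30 ip-10-0-1-5 sshd[4201]: Invalid user admin from 198.51.100.7 port 40001",
        "May  1 12:10:00 ip-10-0-1-5 sshd[4300]: Failed password for ec2-user from 10.0.0.5 port 51000 ssh2",
        "May  1 12:10:20 ip-10-0-1-5 sshd[4301]: Accepted publickey for ec2-user from 10.0.0.5 port 51002 ssh2",
    ]
)

if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LINES).items():
        print(f"ALARM: {count} failed SSH logins from {ip} within 5 minutes")
```

In AWS terms the equivalent is a metric filter with pattern `"Failed password"` on the agent's log group, a metric such as `SSHFailedLogins`, and an alarm on its 5-minute Sum that publishes to an SNS topic. The managed alternative for question 147 is GuardDuty's `UnauthorizedAccess:EC2/SSHBruteForce` finding, which works from VPC flow data and needs no agent on the instance, but it cannot tell you which user names were tried.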

Question 97 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS CloudTrail to log all API activity. A security analyst notices that some delete operations on S3 buckets are missing from the CloudTrail logs. What is the MOST likely reason?

Question 98 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

An organization has a requirement to retain all security logs for at least 7 years for compliance. The logs are stored in Amazon S3 and are rarely accessed. Which storage class is the MOST cost-effective for this retention period?

Question 99 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security team wants to receive real-time notifications when an IAM user makes a change to a security group. Which AWS service should be used to trigger the notification?

Question 100 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has multiple AWS accounts and wants to centrally aggregate VPC Flow Logs from all accounts into a single S3 bucket in the logging account. What is the MOST secure way to configure cross-account delivery?

Question 101 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to ensure that all objects uploaded to an S3 bucket are automatically scanned for malware before being made accessible to users. Which solution is MOST appropriate?

Question 102 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

Which TWO actions are valid ways to send application logs from an EC2 instance to Amazon CloudWatch Logs? (Select TWO.)

Question 103 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

Which THREE are features of Amazon GuardDuty that help with threat detection? (Select THREE.)

Question 104 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Select TWO.)

Question 105 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer configured this S3 bucket policy to allow CloudTrail to deliver logs. However, logs are not being delivered. What is the MOST likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/*"
    }
  ]
}
Question 106 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. This is a line from a VPC Flow Log. A security analyst notices that the log shows an ACCEPT record for a connection from 10.0.1.5 to 10.0.2.10 on port 443. However, the analyst expected the connection to be denied. Which field in the flow log record indicates that the connection was accepted?

Exhibit

2024-05-01T12:00:00Z us-east-1 eni-12345 10.0.1.5 10.0.2.10 443 12345 6 10 5000 1620144781 1620144782 ACCEPT OK
Question 107 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer ran this AWS CLI command to find when a specific CreateKeyPair API call was made. The command returns no results, even though the engineer knows the call was made. What is the MOST likely reason?

Exhibit

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z
Question 108 (hard, multiple choice)

A security engineer notices that S3 server access logs are not being delivered to the specified destination bucket. The source bucket has a bucket policy that grants s3:PutObject permission to the Log Delivery group. The destination bucket is in the same AWS account but a different region. What is the most likely cause of the failure?

Question 109 (easy, multiple choice)

A company wants to centrally collect CloudTrail logs from multiple AWS accounts and enable real-time analysis. Which combination of services should be used?

Question 110 (medium, multiple choice)

A DevOps engineer is configuring VPC Flow Logs for a subnet that contains a public-facing Application Load Balancer (ALB). The engineer wants to capture only accepted traffic for security analysis. What should the engineer do?

Question 111 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using AWS CloudTrail to monitor API activity. The security team wants to be alerted when an IAM user creates a new access key. Which CloudTrail event should be used to create a CloudWatch Events rule?
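Questions 86, 94 and 111 all hinge on an EventBridge (formerly CloudWatch Events) rule whose event pattern selects one CloudTrail-sourced event: a root `ConsoleLogin`, or a `CreateAccessKey` call, optionally restricted to sessions without MFA. The matcher below is an added example, not code from the question bank or from AWS; it reproduces the exact-value subset of EventBridge pattern semantics and runs two such patterns over events constructed here with placeholder account and user values.

```python
import json


def pattern_matches(pattern, event):
    """EventBridge matching, exact-value subset: every key in the pattern must
    exist in the event, a list of leaf values is an OR of exact matches, and
    nested objects recurse. Prefix, numeric, anything-but and exists matchers
    are not implemented here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"leaf pattern value for {key!r} must be a list")
    return True


# Question 94 / 111: CreateAccessKey made from a session that was not MFA-authenticated.
CREATE_KEY_NO_MFA = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateAccessKey"],
        "userIdentity": {"sessionContext": {"attributes": {"mfaAuthenticated": ["false"]}}},
    },
}

# Question 86: any root-user console login (sign-in events carry their own detail-type).
ROOT_CONSOLE_LOGIN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}

RULES = {"create-key-without-mfa": CREATE_KEY_NO_MFA, "root-console-login": ROOT_CONSOLE_LOGIN}

# Constructed, trimmed events in the shape EventBridge delivers them.
SAMPLE_EVENTS = [
    {
        "source": "aws.iam",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateAccessKey",
            "userIdentity": {
                "type": "IAMUser",
                "userName": "developer1",
                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
            },
        },
    },
    {
        "source": "aws.signin",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        },
    },
    {  # legitimate: key created from an MFA-authenticated session, must not fire
        "source": "aws.iam",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateAccessKey",
            "userIdentity": {
                "type": "IAMUser",
                "userName": "admin",
                "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
            },
        },
    },
]


def evaluate(events, rules):
    """Map each rule name to the indexes of the events it would fire on."""
    return {name: [i for i, e in enumerate(events) if pattern_matches(pattern, e)]
            for name, pattern in rules.items()}


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS, RULES), indent=2))
```

Two caveats worth carrying into the real rule. A `CreateAccessKey` made with long-term access keys has no `sessionContext` at all, so the MFA pattern above silently ignores exactly the case it should catch; a safer design matches on `eventName` alone and lets the target (a Lambda function) treat a missing `mfaAuthenticated` as "no MFA". And IAM, STS and console sign-in events are global-service events that CloudTrail delivers to us-east-1, so the rule must live in that region.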

Question 112 (easy, multiple choice)

A security analyst wants to monitor unsuccessful login attempts to the AWS Management Console. Which AWS service and log combination should be used?

Question 113 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using AWS Config to track resource changes. They want to receive notifications when a security group is modified to allow inbound traffic from 0.0.0.0/0. What is the most efficient way to achieve this?

Question 114 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a requirement to retain CloudTrail logs for 7 years to meet regulatory compliance. They want to minimize storage costs while ensuring logs are immutable and cannot be deleted by anyone, including the root user. What should they do?

Question 115 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is investigating a potential security incident and needs to determine if an EC2 instance was launched with a specific AMI ID. Which AWS log should be examined?

Question 116 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses Amazon GuardDuty and wants to automatically isolate a compromised EC2 instance by removing it from the security group. Which approach should be used?

Question 117 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A company is designing a centralized logging solution for multiple AWS accounts. The logs must be encrypted at rest and in transit, and access must be audited. Which TWO actions should be taken? (Choose TWO.)

Question 118 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is investigating a possible data exfiltration from an S3 bucket. Which THREE AWS services can be used to detect and alert on suspicious activity? (Choose THREE.)

Question 119 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A company needs to ensure that all API calls made to AWS are logged and that the logs are immutable. Which TWO steps should be taken? (Choose TWO.)

Question 120 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer configured the above bucket policy for CloudTrail log delivery. However, logs are not being delivered. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
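Questions 105 and 120 both show a CloudTrail delivery bucket policy and ask why delivery fails. CloudTrail needs two grants to the `cloudtrail.amazonaws.com` service principal: `s3:GetBucketAcl` on the bucket ARN itself (CloudTrail verifies the bucket ACL), and `s3:PutObject` on `AWSLogs/<account-id>/*` for every account (or `AWSLogs/<org-id>/*` for an organization trail), with the `s3:x-amz-acl` = `bucket-owner-full-control` condition in the documented policy. The checker below is an added example, not AWS code; it applies those checks to the two exhibit policies (copied here) and to a corrected policy. The bucket names and the account IDs are placeholders.

```python
import json
import re

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_glob(pattern):
    """IAM-style wildcard ('*' and '?') to an anchored regex."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def _allows_cloudtrail(stmt, action, resource):
    """True if `stmt` is an Allow for the CloudTrail service principal whose
    Action and Resource patterns cover `action` on `resource`."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if CLOUDTRAIL not in services:
        return False
    return (any(_iam_glob(a).match(action) for a in _as_list(stmt.get("Action", [])))
            and any(_iam_glob(r).match(resource) for r in _as_list(stmt.get("Resource", []))))


def _requires_owner_full_control(stmt):
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return cond.get("s3:x-amz-acl") == "bucket-owner-full-control"


def check_cloudtrail_bucket_policy(policy, bucket, account_id):
    """Return (severity, message) findings; an empty list means the policy has
    what CloudTrail delivery for `account_id`'s trail needs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = f"{bucket_arn}/AWSLogs/{account_id}/"
    # a representative key CloudTrail would write under that prefix
    sample_key = prefix + "CloudTrail/us-east-1/2024/05/01/sample.json.gz"
    stmts = _as_list(policy.get("Statement", []))
    findings = []
    if not any(_allows_cloudtrail(s, "s3:GetBucketAcl", bucket_arn) for s in stmts):
        findings.append(("error", f"no Allow of s3:GetBucketAcl for {CLOUDTRAIL} on {bucket_arn}; "
                                  "CloudTrail must be able to read the bucket ACL"))
    writers = [s for s in stmts if _allows_cloudtrail(s, "s3:PutObject", sample_key)]
    if not writers:
        findings.append(("error", f"no Allow of s3:PutObject for {CLOUDTRAIL} covering {prefix}*"))
    elif not any(_requires_owner_full_control(s) for s in writers):
        findings.append(("warning", "PutObject statement lacks the StringEquals "
                                    "s3:x-amz-acl = bucket-owner-full-control condition"))
    return findings


# The two exhibit policies, copied from questions 105 and 120.
POLICY_Q105 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/*"}]}

POLICY_Q120 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/123456789012/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

# The documented two-statement shape that passes every check.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::my-log-bucket"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/123456789012/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

if __name__ == "__main__":
    for name, policy, bucket, acct in [("Q105", POLICY_Q105, "my-trail-bucket", "123456789012"),
                                       ("Q120", POLICY_Q120, "my-log-bucket", "123456789012"),
                                       ("Q120 for another account", POLICY_Q120, "my-log-bucket", "999999999999"),
                                       ("fixed", FIXED_POLICY, "my-log-bucket", "123456789012")]:
        print(name, json.dumps(check_cloudtrail_bucket_policy(policy, bucket, acct), indent=2))
```

Running the Q120 policy against a second account ID is the multi-account case behind questions 95, 152 and 171: a resource scoped to one account's `AWSLogs/<id>/*` prefix silently rejects every other account's trail. Adding an `aws:SourceArn` condition naming the trail is the recommended tightening once the two grants are in place.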
Question 121 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security analyst is reviewing a VPC Flow Log entry. The analyst wants to determine if this flow represents a potentially malicious RDP connection. Based on the log, which conclusion is most accurate?

Exhibit

vpc-12345678 | eni-98765432 | 203.0.113.5 | 10.0.0.1 | 443 | 3389 | 6 | 25 | 300 | 1420 | ACCEPT | OK
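Questions 106 and 121 each present a VPC Flow Log record in a custom field order and ask the analyst to read it. The parser below is an added example, not part of the question bank or of AWS; it maps a record onto a caller-supplied field list (the way a custom `--log-format` does), then flags accepted inbound flows from outside the VPC to administrative ports. The field lists for the two exhibit lines are assumptions, since neither exhibit states its format, and the VPC CIDR is a placeholder.

```python
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm"}
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line, fields, sep=None):
    """Split one record on `sep` (None = whitespace) and map it onto `fields`,
    casting the numeric columns. Raises ValueError on a field-count mismatch,
    which is the usual symptom of parsing with the wrong format."""
    parts = [p.strip() for p in line.split(sep)]
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(fields, parts))
    for name in NUMERIC:
        if name in rec and rec[name] != "-":
            rec[name] = int(rec[name])
    return rec


def inbound_admin_verdict(rec, vpc_cidr):
    """A one-line verdict for an accepted flow from outside `vpc_cidr` to an
    administrative TCP port on an address inside it; None otherwise."""
    # `action` is the field that records ACCEPT/REJECT; `log-status` says whether
    # the record is usable at all (NODATA / SKIPDATA records carry no decision).
    if rec.get("action") != "ACCEPT" or rec.get("log-status") != "OK":
        return None
    net = ipaddress.ip_network(vpc_cidr)
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    if src in net or dst not in net:
        return None  # internal-to-internal or outbound: not this rule's concern
    service = ADMIN_PORTS.get(rec["dstport"])
    if service is None or rec["protocol"] != 6:
        return None  # SSH, RDP and WinRM are TCP (protocol 6)
    return (f"{service.upper()} accepted from external {src}:{rec['srcport']} to "
            f"{dst}:{rec['dstport']} on {rec['interface-id']} "
            f"({rec['packets']} packets, {rec['bytes']} bytes)")


def scan(lines, fields, sep, vpc_cidr):
    """Verdicts for every flagged record in `lines`."""
    return [v for v in (inbound_admin_verdict(parse_record(l, fields, sep), vpc_cidr)
                        for l in lines) if v]


# Question 106 exhibit. The leading column is not a standard flow-log field;
# it is named `timestamp` here as an assumption.
Q106_FIELDS = ["timestamp", "region", "interface-id", "srcaddr", "dstaddr", "srcport",
               "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status"]
Q106_LINE = ("2024-05-01T12:00:00Z us-east-1 eni-12345 10.0.1.5 10.0.2.10 443 12345 6 10 5000 "
             "1620144781 1620144782 ACCEPT OK")

# Question 121 exhibit, pipe-delimited. The single column after `bytes` is assumed to be `start`.
Q121_FIELDS = ["vpc-id", "interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
               "protocol", "packets", "bytes", "start", "action", "log-status"]
Q121_LINE = "vpc-12345678 | eni-98765432 | 203.0.113.5 | 10.0.0.1 | 443 | 3389 | 6 | 25 | 300 | 1420 | ACCEPT | OK"

if __name__ == "__main__":
    print("Q106 action field:", parse_record(Q106_LINE, Q106_FIELDS)["action"])
    for verdict in scan([Q121_LINE], Q121_FIELDS, "|", "10.0.0.0/16"):
        print("Q121:", verdict)
```

Two limits of what a flow record can prove. ACCEPT means the packets passed both the network ACL and the security group, but the record does not say which rule allowed them; that still has to be read from the security group (question 165). And without the optional `tcp-flags` field there is no direction: a record from source port 443 to destination port 3389 is most simply an inbound RDP connection from a public address using an unusual source port, but it could also be one half of a flow that 10.0.0.1 initiated, so add `tcp-flags` to the custom format (a SYN without ACK marks the initiator) before drawing a firm conclusion.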
Question 122 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer finds this S3 bucket policy on a bucket that should be private. What is the most effective way to detect if this bucket was accessed by unauthorized users?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-bucket/*"
    }
  ]
}
Question 123 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to capture all API calls made to AWS services for forensic analysis. Which AWS service should be used to store these logs durably and cost-effectively for long-term retention?

Question 124 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using AWS CloudTrail to log API calls and wants to ensure that log files are not tampered with after delivery to S3. Which feature should be enabled to validate the integrity of CloudTrail log files?
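Questions 85 and 124 are about CloudTrail log file validation. With the feature enabled, CloudTrail writes an hourly digest file listing each delivered log file with its SHA-256 hash, chaining to the previous digest by hash, and signing the digest with an RSA key whose public half is available from `aws cloudtrail list-public-keys`; `aws cloudtrail validate-logs` replays those checks. The code below is an added example, not AWS's implementation: it re-implements the hash and chain checks and builds the string the signature covers, over a log file and digest document constructed in line (placeholder bucket, account and key names). Only `verify_signature` needs the `cryptography` package, and it is not exercised by the constructed sample. The treatment of a first digest's absent previous signature as an empty field is an assumption.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_log_files(digest: dict, fetched: dict) -> dict:
    """For each log file the digest lists, compare the SHA-256 of the bytes
    fetched from S3 (keyed by object key; the hash covers the .json.gz bytes as
    delivered) with the hash recorded at delivery time.
    Returns {s3Object: 'ok' | 'MODIFIED' | 'MISSING'}."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        data = fetched.get(key)
        if data is None:
            results[key] = "MISSING"
        elif entry["hashAlgorithm"] != "SHA-256" or sha256_hex(data) != entry["hashValue"]:
            results[key] = "MODIFIED"
        else:
            results[key] = "ok"
    return results


def verify_chain(digest: dict, previous_digest_bytes: bytes) -> bool:
    """Each digest records the hash of its predecessor; a deleted or rewritten
    earlier digest breaks this link even if its own log files still hash correctly."""
    return sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]


def signing_string(digest: dict, digest_bytes: bytes) -> bytes:
    """Data CloudTrail signed for this digest: end time, bucket/key, SHA-256 of
    the digest file bytes, and the previous digest's signature (hex)."""
    prev_sig = digest.get("previousDigestSignature") or ""  # assumption: empty for the first digest
    return "\n".join([digest["digestEndTime"],
                      f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
                      sha256_hex(digest_bytes), prev_sig]).encode()


def verify_signature(public_key_der: bytes, signature_hex: str, data: bytes) -> bool:
    """RSA / SHA-256 / PKCS#1 v1.5 check of a digest signature. `signature_hex`
    is the digest object's x-amz-meta-signature metadata; the DER key is the one
    from list-public-keys whose fingerprint matches digestPublicKeyFingerprint."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_der_public_key(public_key_der)
    try:
        key.verify(bytes.fromhex(signature_hex), data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


# Constructed sample: two delivered log files, one altered after delivery.
def _gz(obj) -> bytes:
    return gzip.compress(json.dumps(obj).encode(), mtime=0)


LOG_A_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/a.json.gz"
LOG_B_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/b.json.gz"
LOG_A = _gz({"Records": [{"eventName": "CreateKeyPair"}]})
LOG_B = _gz({"Records": [{"eventName": "DeleteTrail"}]})
PREVIOUS_DIGEST_BYTES = b'{"digestEndTime": "2024-05-01T11:00:00Z"}'

DIGEST = {
    "digestEndTime": "2024-05-01T12:00:00Z",
    "digestS3Bucket": "my-trail-bucket",
    "digestS3Object": "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/05/01/digest.json.gz",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BYTES),
    "previousDigestSignature": "00" * 4,  # placeholder hex
    "logFiles": [
        {"s3Object": LOG_A_KEY, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_A)},
        {"s3Object": LOG_B_KEY, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_B)},
    ],
}

# What an investigator pulled from S3: file B had its only record removed.
FETCHED = {LOG_A_KEY: LOG_A, LOG_B_KEY: _gz({"Records": []})}

if __name__ == "__main__":
    print(verify_log_files(DIGEST, FETCHED))
    print("chain intact:", verify_chain(DIGEST, PREVIOUS_DIGEST_BYTES))
```

The hash comparison answers question 85 for a single file; the chain and signature checks are what make a digest trustworthy, since an attacker who can rewrite log files can also rewrite an unsigned digest. Deleting a log file is detectable (MISSING) only because the digest names it, so keep digests under the same Object Lock or MFA-delete protection as the logs.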

Question 125 (hard, multiple choice)

A security team notices that an S3 bucket containing sensitive data has been repeatedly accessed from an IP address outside the company's network. They need to set up a real-time alert when such access occurs. Which combination of services should they use?

Question 126 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to set up this metric alarm?

Question 127 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is reviewing AWS CloudTrail logs and finds that an IAM user 'developer1' deleted an S3 bucket. The engineer needs to determine the source IP address of the delete operation. Which field in the CloudTrail log record contains this information?

Question 128 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations with multiple accounts. They want to centralize logging of all API calls across all accounts and store them in a single S3 bucket. Which configuration should be used?

Question 129 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security team needs to detect unauthorized attempts to access an S3 bucket that contains sensitive data. Which AWS service can automatically analyze S3 access logs and generate findings for suspicious activity?

Question 130 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using Amazon RDS for MySQL and needs to monitor database login attempts for security analysis. Which feature should be enabled to capture authentication events?

Question 131 (hard, multiple choice)

A company uses AWS CloudTrail and wants to ensure that log files are encrypted at rest and that access to the logs is logged. Which combination of S3 features should be enabled on the destination bucket?

Question 132 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is implementing centralized logging across multiple AWS accounts. Which TWO actions should the engineer take to ensure logs are securely stored and immutable? (Choose TWO.)

Question 133 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A company wants to monitor for suspicious IAM activity, such as a user creating access keys without authorization. Which THREE AWS services can be used together to detect and alert on this activity in real-time? (Choose THREE.)

Question 134 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to capture network traffic between EC2 instances in a VPC for analysis. Which TWO services can provide this capability? (Choose TWO.)

Question 135 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A company is using AWS CloudTrail and wants to detect when an IAM user performs a specific action, such as stopping an EC2 instance. The security engineer needs to set up a real-time notification. Which THREE steps should the engineer take? (Choose THREE.)

Question 136 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. An IAM policy is attached to an IAM user. The user reports that they can upload objects to the S3 bucket but cannot list the contents of the bucket. Which statement explains this behavior?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
Question 137 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer runs the above AWS CLI command to search for CreateKeyPair events in CloudTrail. The command returns no results, but the engineer knows that a key pair was created during that time. What is the most likely reason for the missing events?

Exhibit

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-06-01T00:00:00Z --end-time 2023-06-30T23:59:59Z
Question 138 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a multi-account AWS environment using AWS Organizations. The security team has enabled AWS CloudTrail with an organization trail that delivers logs to a centralized S3 bucket in the management account. They have also enabled Amazon GuardDuty in all accounts. Recently, they noticed that some EC2 instances in a member account are exhibiting unusual network behavior, such as outbound traffic to known malicious IP addresses. The security engineer needs to quickly determine the source of the traffic and identify which EC2 instances are affected. The engineer has access to the management account and the member account. Which course of action should the engineer take to most efficiently investigate this incident?

Question 139 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations with multiple accounts. The security team needs to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which configuration ensures that only the management account can delete the log files?

Question 140 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is investigating a potential data exfiltration from an EC2 instance. CloudTrail logs show that an IAM user created a new access key for an existing IAM role and used it to call S3 GetObject from an unfamiliar IP address. What is the MOST likely reason the CloudTrail logs captured this activity?

Question 141 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is required to retain CloudTrail logs for 7 years for compliance. Which solution meets this requirement with the LEAST operational overhead?

Question 142 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has enabled AWS Config to record resource changes. The security team needs to be notified when a security group is modified to allow inbound SSH from 0.0.0.0/0. Which AWS service should be used to evaluate the Config rules and trigger notifications?

Question 143 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer notices that an S3 bucket containing sensitive data has been accessed from an IP address outside the allowed range. CloudTrail logs show the access was made using temporary credentials from an assumed role. What additional logging is needed to trace the access back to the original IAM user who assumed the role?
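Questions 127 and 143 both ask the investigator to read specific fields out of a CloudTrail record: `sourceIPAddress` for where a call came from, and, for a call made with an assumed role, the `userIdentity.sessionContext.sessionIssuer` block that names the role but not the human or workload that assumed it. The origin is in a separate `AssumeRole` event, joined on the session ARN that STS returned. The code below is an added example, not from the question bank or from AWS; the three records are constructed, trimmed CloudTrail events with placeholder account, role, user and IP values.

```python
def who_what_where(rec):
    """The first fields an investigator pulls from any CloudTrail record."""
    ident = rec["userIdentity"]
    return {"principal": ident.get("arn"), "type": ident.get("type"),
            "event": rec["eventName"], "source_ip": rec["sourceIPAddress"],
            "user_agent": rec.get("userAgent")}


def trace_assumed_role(rec, records):
    """For an event made under an assumed role, find the AssumeRole call that
    minted the session and return who made it and from where. The join key is
    the session ARN STS returned in responseElements.assumedRoleUser.arn."""
    ident = rec["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None
    session_arn = ident["arn"]
    role_arn = ident["sessionContext"]["sessionIssuer"]["arn"]
    candidates = [
        r for r in records
        if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole"
        and r.get("responseElements", {}).get("assumedRoleUser", {}).get("arn") == session_arn
        and r["eventTime"] <= rec["eventTime"]
    ]
    if not candidates:
        return {"role": role_arn, "assumed_by": None,
                "note": "no AssumeRole in this trail: check the caller's account, or the "
                        "sessionContext.sourceIdentity field if sts:SourceIdentity is enforced"}
    origin = max(candidates, key=lambda r: r["eventTime"])  # latest session with that ARN
    return {"role": role_arn, "assumed_by": origin["userIdentity"]["arn"],
            "assume_role_ip": origin["sourceIPAddress"],
            "source_identity": ident["sessionContext"].get("sourceIdentity")}


def credential_drift(records):
    """Events made with role credentials from an IP other than the one that
    called AssumeRole: the usual signature of temporary credentials copied off
    the host that obtained them."""
    out = []
    for rec in records:
        origin = trace_assumed_role(rec, records)
        if origin and origin["assumed_by"] and origin["assume_role_ip"] != rec["sourceIPAddress"]:
            out.append({"event": rec["eventName"], "used_from": rec["sourceIPAddress"],
                        "assumed_by": origin["assumed_by"], "assumed_from": origin["assume_role_ip"]})
    return out


# Constructed, trimmed CloudTrail records.
RECORDS = [
    {   # question 127: an IAM user deleting a bucket
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/developer1",
                         "userName": "developer1"},
        "requestParameters": {"bucketName": "example-bucket"},
    },
    {   # the STS call that minted the session used in the next record
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:05:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DataReader",
                              "roleSessionName": "alice-session"},
        "responseElements": {"assumedRoleUser": {
            "arn": "arn:aws:sts::123456789012:assumed-role/DataReader/alice-session"}},
    },
    {   # question 143: a data event made with the role's credentials from a different IP
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:30:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
        "userAgent": "python-requests/2.31",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DataReader/alice-session",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": "arn:aws:iam::123456789012:role/DataReader",
                "userName": "DataReader"}}},
        "requestParameters": {"bucketName": "example-bucket", "key": "customers.csv"},
    },
]

if __name__ == "__main__":
    print(who_what_where(RECORDS[0]))
    print(trace_assumed_role(RECORDS[2], RECORDS))
    print(credential_drift(RECORDS))
```

Two things the join depends on. `GetObject` is an S3 data event, so it only exists if data event logging is on for the bucket (questions 97 and 122 turn on that same gap). And `AssumeRole` is recorded in the caller's account as well as the role's account, so a cross-account trace (question 155) needs both trails; when the session was started by an EC2 instance profile the session name is the instance ID and the trail leads to a host, not a person, which is where the `sts:SourceIdentity` condition and `sessionContext.sourceIdentity` field become worth enforcing.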

Question 144 (medium, multiple choice)

A company uses Amazon GuardDuty for threat detection. The security team wants to automatically isolate an EC2 instance that is communicating with a known malicious IP address. Which combination of services should be used?

Question 145 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is required to audit all changes to IAM policies. Which AWS service should be used to record these changes?

Question 146 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to monitor AWS API calls for potential unauthorized access. The engineer wants to be alerted when a specific IAM user performs a high-risk action like deleting a CloudTrail trail. What is the MOST efficient way to achieve this?

Question 147 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to detect and alert on SSH brute force attacks on EC2 instances. Which AWS service should be used?

Question 148 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is designing a centralized logging solution for multiple AWS accounts. Which TWO services should be used to aggregate logs from all accounts into a single account? (Choose TWO.)

Question 149 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A company is using AWS Organizations and wants to enable a central security team to view API activity across all member accounts. Which THREE steps are required? (Choose THREE.)

Question 150 (medium, multi select)

A security engineer is investigating a potential security incident. Which TWO AWS services can be used to analyze historical network traffic patterns? (Choose TWO.)

Question 151 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload objects to the S3 bucket 'example-bucket' using the AWS CLI from a remote location. What is the MOST likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Question 152 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a multi-account AWS environment with 50 accounts. The security team uses AWS CloudTrail to log management events in each account and delivers logs to a centralized S3 bucket in the security account. Recently, the team noticed that some CloudTrail logs are missing from the central bucket for a few accounts. The logs appear to be delivered intermittently. The security engineer checks the CloudTrail configuration in one of the affected accounts and sees that the trail is configured to deliver to the central bucket. The bucket policy in the security account allows CloudTrail to write from all accounts. The engineer also checks the CloudTrail console and sees that the trail status is 'Logging'. What is the MOST likely cause of the intermittent log delivery?

Question 153 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses Amazon GuardDuty in a single AWS account to detect threats. The security team receives an alert that a specific EC2 instance is communicating with a known command and control (C2) server. The security engineer needs to immediately isolate the instance while preserving the root cause evidence. The engineer has access to the AWS Management Console. Which action should the engineer take FIRST?

Question 154 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security team notices that an object was accessed from an IP address outside the allowed VPC. CloudTrail logs show that the access was made using temporary credentials from an assumed role. The role was assumed by an EC2 instance in the allowed VPC. What is the MOST likely reason the access was allowed despite the bucket policy restriction?

Question 155 (medium, multiple choice)

A security engineer is investigating a potential data exfiltration incident. The engineer needs to determine whether an IAM user in account A accessed an S3 bucket in account B. The engineer has access to both accounts. Which combination of steps should the engineer take to identify the cross-account access?

Question 156 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring an Amazon S3 bucket to store CloudTrail logs. The engineer must ensure that the logs are encrypted at rest using an AWS KMS customer managed key (CMK) and that only the CloudTrail service has permission to decrypt the logs. Which bucket policy statement should the engineer add?

Question 157 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. The engineer wants to receive real-time notifications when a security group rule is added, modified, or removed. Which AWS service should the engineer use to capture these API calls?

Question 158 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations with multiple accounts. The security team needs to centrally monitor all API calls made in the member accounts. The team wants to ensure that all CloudTrail logs are delivered to a centralized S3 bucket in the management account. Which configuration should the security team implement?

Question 159 (hard, multiple choice)

A security engineer is investigating a potential compromise. The engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address on port 443. The engineer needs to determine if the instance is communicating with a known command and control (C2) server. Which AWS service can the engineer use to check the reputation of the destination IP address?

Question 160 (medium, multi select)

A security engineer is designing a logging solution for an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The engineer needs to capture and store the following logs for analysis: (1) HTTP request logs from the ALB, (2) operating system logs from the EC2 instances, and (3) network traffic logs for the VPC. Which combination of AWS services should the engineer use? (Choose three.)

Question 161 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A company has a requirement to detect and alert on anomalous IAM user behavior, such as a user logging in from an unusual geographic location. The company uses AWS Organizations and has multiple accounts. Which services should the company use to meet this requirement? (Choose two.)

Question 162 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to ensure that all changes to IAM policies in an AWS account are logged and that the logs are immutable and cannot be deleted by any user, including the root user. Which actions should the engineer take? (Choose two.)

Question 163 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team has implemented a centralized logging solution using Amazon S3 for ALB access logs and AWS CloudTrail logs. Recently, the team noticed that some ALB access logs are missing for certain time periods. The ALB is configured to deliver logs every 5 minutes to an S3 bucket with a bucket policy that grants the ALB service principal write access. The CloudTrail logs show no errors related to the ALB or S3. The S3 bucket is in the same region as the ALB. What is the most likely cause of the missing logs?

Question 164 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A financial services company uses AWS CloudTrail to log all API calls in their account. They store the logs in an S3 bucket with server-side encryption using AWS KMS (SSE-KMS). The security team needs to ensure that only authorized users can decrypt and read the logs. They have created a KMS key with a key policy that grants decrypt permissions to the security team's IAM roles. However, when a security engineer tries to download a log file from the S3 bucket using the AWS CLI, they receive an 'AccessDenied' error. The engineer has s3:GetObject permission on the bucket. What is the most likely cause?

Question 165 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses Amazon GuardDuty to monitor for malicious activity in their AWS account. The security team receives a GuardDuty finding that indicates an EC2 instance is communicating with a known cryptocurrency mining pool. The team needs to investigate the finding and determine which security group rules allowed the outbound traffic. The EC2 instance is in a VPC with a single security group attached. Which AWS service should the security team use to review the outbound traffic details?

Question 166 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a requirement to retain CloudTrail logs for 7 years for compliance. They currently store logs in an S3 bucket with standard storage. The security team wants to minimize storage costs while meeting the retention requirement. The logs must be available for retrieval within 24 hours of a request. Which storage class should the team use for the logs after the first 30 days?

Question 167 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is troubleshooting an issue where CloudTrail logs for a single AWS account are not being delivered to the centralized S3 bucket in the logging account. The engineer has verified that the CloudTrail trail is enabled, the S3 bucket policy allows CloudTrail to write, and the bucket exists. However, no log files have been delivered for the past 6 hours. The engineer checks the CloudTrail console and sees that the trail status shows 'Logging' but the latest log file time is from 8 hours ago. The engineer suspects a permission issue but cannot find any explicit deny in the bucket policy. What is the MOST likely cause of this issue?

Question 168 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using Amazon GuardDuty to detect threats in its AWS environment. The security team notices that GuardDuty is generating a high number of 'UnauthorizedAccess:IAMUser/MaliciousIPCaller' findings for an IAM user that is used by a legacy application. The security team has verified that the IP addresses flagged are not malicious but are legitimate IPs used by the application's third-party service. The company wants to suppress these findings without disabling GuardDuty entirely. Which solution is the MOST effective and secure?

Question 169 (easy, multiple choice)

A security engineer is responsible for monitoring AWS account activity. The engineer needs to receive real-time notifications when specific API calls are made, such as 'DeleteTrail' or 'UpdateTrail'. The engineer wants to use AWS services to achieve this with minimal latency. Which combination of services should the engineer use?

Question 170 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a multi-account AWS environment managed by AWS Organizations. The security team wants to enable a centralized logging solution where all VPC flow logs, CloudTrail logs, and AWS Config configuration items are sent to a single S3 bucket in the security account. The team has already created the S3 bucket with appropriate bucket policies to allow cross-account writes. However, logs are not appearing from all accounts. What is the MOST likely reason for this issue?

Question 171 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are delivered to an S3 bucket owned by a separate AWS account for centralized auditing. Which additional configuration is required to allow the S3 bucket in the other account to receive these logs?

Question 172 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to centralize VPC Flow Logs from all accounts into a single S3 bucket in the security account. The flow logs are created in the member accounts and sent to the centralized bucket. However, the security team notices that flow logs from some member accounts are not being delivered. What is the most likely cause?

Question 173 (hard, multiple choice)

A company's security team is investigating a potential security incident. They have enabled CloudTrail and CloudWatch Logs. They want to receive real-time alerts when an IAM user creates a new access key. Which combination of services should be used to achieve this?

Question 174 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using Amazon GuardDuty to monitor for malicious activity. The security team wants to automatically isolate an EC2 instance that is flagged for outbound communication with a known malicious IP address. Which approach is the most efficient and scalable?

Question 175 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that any modification to CloudTrail configuration is logged and that the logs are tamper-proof. Which feature should be enabled?

Question 176 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is setting up centralized logging for an AWS organization. The engineer wants to collect CloudTrail logs, VPC Flow Logs, and AWS Config configuration items from all member accounts into a single S3 bucket in the management account. The engineer creates a new S3 bucket with a bucket policy that grants the required permissions. However, logs from member accounts are not being delivered. What is the most likely reason?

Question 177 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using Amazon CloudWatch Logs to centralize application logs from EC2 instances. The security team wants to encrypt the log data at rest using a customer-managed KMS key. After enabling encryption on the log group, they notice that new log events are being encrypted, but existing log events are not encrypted. What should the team do to encrypt the existing log events?

Question 178 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring Amazon GuardDuty for the first time. The engineer wants to receive alerts when GuardDuty generates a finding of severity HIGH or higher. What is the simplest way to achieve this?

Question 179 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS CloudTrail to log all API calls. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted within minutes. Which solution should they implement?

Question 180 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is troubleshooting an issue where CloudTrail is not delivering logs to an S3 bucket. The bucket policy appears correct. Which TWO additional steps should the engineer take to diagnose the issue? (Choose TWO.)

Question 181 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A company has enabled Amazon GuardDuty in multiple AWS accounts. The security team wants to centralize GuardDuty findings into a single account for analysis. Which THREE steps are required to achieve this? (Choose THREE.)

Question 182 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring VPC Flow Logs to capture network traffic metadata. Which TWO attributes can be captured in VPC Flow Logs? (Choose TWO.)

Question 183 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs from account 123456789012 to the bucket my-trail-bucket. However, CloudTrail logs are not being delivered. What is the most likely reason?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/123456789012/*"
    }
  ]
}

Question 184 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer is analyzing a VPC Flow Log entry from an EC2 instance with private IP 10.0.1.5. The log shows an outbound connection to IP 203.0.113.5 on port 443 from source port 22. The connection was accepted. What is the most likely scenario?

Exhibit

Refer to the exhibit.
[2023-01-15 12:34:56] 10.0.1.5 203.0.113.5 22 443 6 10 1000 1234567890 1234567891 ACCEPT OK

Question 185 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer is reviewing a CloudTrail event. What security concern does this event raise?

Exhibit

Refer to the exhibit.
{
  "trail": "management-events-trail",
  "eventVersion": "1.08",
  "eventTime": "2023-06-01T10:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/svc-account-admin"
  },
  "requestParameters": {
    "groupId": "sg-12345",
    "ipPermissions": {
      "items": [
        {
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "ipRanges": {
            "items": [
              {"cidrIp": "0.0.0.0/0"}
            ]
          }
        }
      ]
    }
  },
  "responseElements": {
    "requestId": "r-abc123"
  }
}

Question 186 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security team needs to detect unauthorized API calls made from a compromised IAM user. Which AWS service should be used to monitor and alert on specific API activities?

Question 187 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has enabled CloudTrail in all regions and is logging to a single S3 bucket. The security team needs to ensure that any attempted deletion of CloudTrail logs generates an immediate alert. Which solution meets this requirement?

Question 188 (hard, multiple choice)
Read the full NAT/PAT explanation →

A security engineer is investigating a potential data exfiltration incident. The engineer has enabled VPC Flow Logs for the VPC and CloudTrail for the account. Which combination of actions would provide the most comprehensive visibility into network traffic and API calls?

Question 189 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to centrally collect and analyze logs from multiple AWS accounts. Which AWS service should be used to aggregate logs from various sources for monitoring and alerting?

Question 190 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security team needs to monitor for failed login attempts to an EC2 instance running Linux. The team wants to send a real-time alert when more than 10 failed SSH attempts occur within 5 minutes. Which solution is the most efficient?

Question 191 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. Which solution meets these requirements?

Question 192 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security analyst needs to receive an alert when an IAM user attempts to perform an action they are not authorized to perform. Which AWS service can be used to monitor and alert on such authorization failures?

Question 193 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a requirement to retain CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The security team needs to ensure that logs are not deleted before the retention period ends, even by users with full S3 permissions. Which action should be taken?

Question 194 (hard, multiple choice)
Read the full NAT/PAT explanation →

A security engineer is configuring a centralized logging solution for multiple AWS accounts. The engineer needs to ensure that log files are encrypted at rest and that access to the logs is audited. Which combination of services and features should be used?

Question 195 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A security team wants to detect and alert on potential security threats such as compromised instances or malicious activity within their AWS environment. Which TWO AWS services should be used together to provide comprehensive threat detection?

Question 196 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is designing a logging strategy for a multi-account environment. The engineer needs to ensure that all API activity across accounts is logged and that logs are immutable and centrally accessible. Which THREE actions should the engineer take?

Question 197 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A company wants to monitor for unauthorized changes to security group rules in their VPC. Which TWO AWS services can be used together to detect and alert on such changes?

Question 198 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most significant security concern indicated by this event?

Exhibit

Refer to the exhibit.

CloudTrail log event (JSON):
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/User1",
    "accountId": "123456789012",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "arn": "arn:aws:iam::123456789012:role/AdminRole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2024-01-15T10:00:00Z"
      }
    }
  },
  "eventTime": "2024-01-15T10:05:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": {
      "items": [
        {
          "ipProtocol": "tcp",
          "fromPort": 22,
          "toPort": 22,
          "ipRanges": {
            "items": [
              {"cidrIp": "0.0.0.0/0"}
            ]
          }
        }
      ]
    }
  },
  "responseElements": {
    "requestId": "r-12345678",
    "_return": true
  }
}

Question 199 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer has attached this IAM policy to a user. What is the effect of this policy?

Exhibit

Refer to the exhibit.

IAM Policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

Question 200 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

Refer to the exhibit. A security engineer runs this CloudWatch Logs Insights query on a log group. What is the purpose of this query?

Exhibit

Refer to the exhibit.

CloudWatch Logs Insights query:
fields @timestamp, @message
| filter @message like /ERROR|WARN/
| sort @timestamp desc
| limit 20

Question 201 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring AWS CloudTrail to log management events for all AWS regions. The engineer needs to ensure that log files are encrypted at rest and that access to the log files is logged. Which solution meets these requirements?

Question 202 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A DevOps engineer needs to monitor failed SSH login attempts to Amazon EC2 instances. Which AWS service should the engineer use to collect and analyze the login events?

Question 203 (hard, multiple choice)
Read the full NAT/PAT explanation →

A security team has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The team has also enabled S3 server access logging for the CloudTrail bucket. The team needs to detect any unauthorized access to the CloudTrail logs. Which combination of services should the team use to achieve near-real-time detection?

Question 204 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to centralize logging from multiple AWS accounts into a single logging account. The logs include AWS CloudTrail, AWS Config, and VPC Flow Logs. Which solution should the company implement to meet these requirements with minimal operational overhead?

Question 205 (hard, multiple choice)
Read the full DNS explanation →

A company uses Amazon Route 53 for DNS and wants to log all DNS queries made from its VPC. The logs must be stored in Amazon S3 for compliance purposes. Which solution meets these requirements?

Question 206 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to monitor AWS account activity for suspicious API calls and receive alerts. Which AWS service should the engineer use to meet this requirement?

Question 207 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a requirement to retain AWS CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The company wants to reduce storage costs by automatically moving older logs to a cheaper storage class. Which solution should the company implement?

Question 208 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using Amazon CloudWatch Logs to collect logs from its EC2 instances. The security team wants to ensure that logs are encrypted at rest and that access to the logs is controlled. Which solution should the team implement?

Question 209 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to identify which IAM users have been inactive for the past 90 days. Which AWS service should the engineer use?

Question 210 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A company is implementing a security monitoring solution for its AWS environment. Which TWO services can be used to detect and alert on suspicious API activity? (Choose TWO.)

Question 211 (hard, multi select)
Read the full DNS explanation →

A security team wants to implement a centralized logging solution for multiple AWS accounts. The team needs to collect VPC Flow Logs, CloudTrail logs, and DNS query logs from all accounts. Which THREE services should the team use to aggregate these logs? (Choose THREE.)

Question 212 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A company wants to monitor AWS account activity and receive real-time notifications for specific API calls. Which TWO services should the company use together? (Choose TWO.)

Question 213 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to ensure that all API calls made to AWS are logged and retained for at least 7 years for compliance. Which AWS service should be enabled to meet this requirement?

Question 214 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is experiencing unauthorized access attempts to an S3 bucket. Which AWS service can be used to detect and alert on such events in real time?

Question 215 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security team wants to centrally collect and analyze VPC Flow Logs from multiple AWS accounts for security monitoring. Which solution is MOST scalable and cost-effective?

Question 216 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company needs to monitor for root account usage and receive immediate notifications. Which combination of AWS services should be used?

Question 217 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is troubleshooting an issue where CloudTrail logs are not being delivered to the specified S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

Question 218 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS CloudTrail to log all management events and data events for S3. The security team wants to detect any PutObject API calls that upload objects with server-side encryption disabled. Which solution is MOST efficient?

Question 219 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to receive an alert when an IAM user creates a new access key. Which AWS service should be used to trigger the alert?

Question 220 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to monitor for unusual outbound network traffic from an EC2 instance. Which AWS service provides this capability?

Question 221 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using AWS CloudTrail to log all management events and has enabled log file validation. What additional security benefit does log file validation provide?

Question 222 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A company needs to monitor for unauthorized changes to security group rules. Which TWO AWS services can be used together to achieve this?

Question 223 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is designing a centralized logging solution for 10 AWS accounts. Which THREE AWS services should be used to aggregate, store, and analyze logs?

Question 224 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

Which TWO AWS services can be used to detect and alert on suspicious activity in near real-time?

Question 225 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer configured the S3 bucket policy shown above for CloudTrail log delivery, but CloudTrail is not delivering logs. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/*"
    }
  ]
}

Question 226 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer runs the CLI command above to investigate a console login event. The output shows: {"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root"}. What does this indicate?

Exhibit

Refer to the exhibit.
$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --query 'Events[*].CloudTrailEvent' --output text

Question 227 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

The IAM policy above is attached to a role used by an EC2 instance to send logs to CloudWatch Logs. The instance is unable to send logs. What is the MOST likely issue?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.amazonaws.com"
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:*"
    }
  ]
}

Question 228 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address. The engineer needs to capture and analyze the network traffic to determine what data is being exfiltrated. Which AWS service should be used to capture the traffic for analysis?

Question 229 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to centrally monitor and analyze all CloudTrail logs from all accounts. The logs must be stored in a centralized S3 bucket with encryption and access logging enabled. Additionally, the team needs to detect anomalous API activity across accounts using machine learning. Which combination of services meets these requirements?

Question 230 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as IAM user creation or S3 bucket policy changes. Which AWS service should be used to trigger notifications based on these API events?

Question 231 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company uses AWS CloudTrail to log all API activity and delivers logs to an S3 bucket with server-side encryption (SSE-S3). The security team needs to ensure that only authorized personnel can access the logs and that any unauthorized access attempts are logged and alerted. Additionally, the team wants to prevent the logs from being deleted for at least one year. Which combination of actions should be taken?

Question 232 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to analyze web request logs to identify potential SQL injection attacks. Which AWS service should be used to collect and analyze the ALB access logs?

Question 233 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to monitor for unauthorized changes to IAM roles and policies in an AWS account. The engineer wants to receive an email notification whenever an IAM policy is attached to a role. Which AWS services should be combined to achieve this?

Question 234 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The security team wants to ensure that any attempt to disable CloudTrail logging is detected and alerted. Which approach should be used?

Question 235 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses Amazon RDS for MySQL and needs to monitor database activity for suspicious queries, such as unauthorized access attempts or SQL injection. The security team wants to centralize the logs from multiple RDS instances and analyze them in near real-time. Which solution should be implemented?

Question 236 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to determine if any unauthorized SSH keys were added to the instance's authorized_keys file. Which AWS service should be used to detect this change?

Question 237 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet the following requirements: 1) Logs from all accounts must be stored in a centralized S3 bucket. 2) The logs must be encrypted at rest using AWS KMS. 3) Access to the logs must be logged and monitored. Which TWO services should be used to meet the requirements? (Choose TWO.)

Question 238 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer needs to ensure that all findings from member accounts are visible in the administrator account. Additionally, the engineer wants to receive real-time notifications for high-severity findings. Which TWO actions should the engineer take? (Choose TWO.)

Question 239 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A company needs to monitor its AWS environment for compliance with the CIS AWS Foundations Benchmark. The security team wants to automatically check for non-compliant resources and receive reports. Which THREE services should be used together to meet these requirements? (Choose THREE.)

Question 240 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that any S3 bucket created with public read access is detected within minutes. Which solution is MOST efficient?

Question 241 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is investigating a potential compromise. They notice that an IAM user 'svc-backup' has been making unusual API calls from an IP address outside the company's VPC. The engineer wants to ensure all future API calls from this user are logged with full event details. However, the current CloudTrail trail is set to log only management events. What should the engineer do to capture the required details?

Question 242 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company wants to centralize security logs from multiple AWS accounts into a single S3 bucket. The logging accounts (e.g., security, production) each have their own CloudTrail trails. Which configuration is required to allow cross-account log delivery?

Question 243 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is troubleshooting why Amazon GuardDuty is not generating findings for suspicious S3 API calls made by an IAM role. The engineer has verified that GuardDuty is enabled in the account and region. What is a likely reason for the missing findings?

Question 244 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations and wants to enable Amazon GuardDuty across all member accounts. The security team wants to centrally manage findings and automate responses. What is the MOST efficient way to achieve this?

Question 245 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company is using Amazon CloudWatch Logs to store application logs. The security team needs to ensure that logs are encrypted at rest using a customer-managed KMS key (CMK). What configuration is required?

Question 246 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company has a CloudTrail trail that logs management events and delivers them to an S3 bucket. The security team notices that some expected API calls are missing from the logs. They suspect that the calls were made by a service that is not tracked by CloudTrail. Which AWS service is NOT tracked by CloudTrail?

Question 247 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring Amazon Inspector to assess EC2 instances for software vulnerabilities. The engineer has installed the SSM Agent on all instances and ensured that the instances have internet access. However, Amazon Inspector shows the instances as 'Unmanaged'. What is the MOST likely cause?

Question 248 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS CloudTrail to log management events. The security team wants to be alerted when an IAM user creates a new access key. Which solution would meet this requirement with the least operational overhead?

Question 249 (easy, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to ensure that all API calls in an AWS account are logged for auditing purposes. Which TWO services should the engineer enable? (Select TWO.)

Question 250 (medium, multi select)
Read the full Security Logging and Monitoring explanation →

A company wants to detect and respond to potential security threats in near real-time. Which THREE AWS services should the company use together? (Select THREE.)

Question 251 (hard, multi select)
Read the full Security Logging and Monitoring explanation →

A security engineer is investigating a potential data breach. The engineer wants to analyze historical API calls made by a specific IAM user. Which TWO AWS services can be used together to achieve this? (Select TWO.)

Question 252 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer has attached the above IAM policy to a role used by an application to write logs to an S3 bucket. However, the application is unable to write logs. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Question 253 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer needs to ensure that all S3 object-level API calls (e.g., GetObject, PutObject) on the bucket 'my-bucket' are logged. The current CloudTrail configuration is as shown in the exhibit. What change should the engineer make?

Exhibit

Refer to the exhibit.
$ aws cloudtrail get-event-selectors --trail-name my-trail
{
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": ["arn:aws:s3:::my-bucket/logs/"]
        }
      ],
      "ExcludeManagementEventSources": []
    }
  ],
  "AdvancedEventSelectors": []
}

Question 254 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring a multi-account CloudTrail setup. The above bucket policy is attached to the central logging bucket. Despite the policy, CloudTrail in the member account (123456789012) cannot deliver logs. What is the MOST likely issue?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Question 255 (easy, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer notices that an Amazon S3 bucket has been accessed from an IP address outside the company's allowed range. The engineer needs to identify the IAM user who made the request. Which AWS service should be used to find this information?

Question 256 (medium, multiple choice)
Read the full Security Logging and Monitoring explanation →

A company uses AWS Organizations with multiple accounts. The security team wants to centralize the collection of VPC Flow Logs and AWS CloudTrail logs from all accounts into a single Amazon S3 bucket in the management account. The S3 bucket policy must allow cross-account log delivery. Which condition in the bucket policy should be used to restrict log delivery to only the organization's accounts?

Question 257 (hard, multiple choice)
Read the full Security Logging and Monitoring explanation →

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to ensure that all member accounts send findings to the delegated administrator account. However, some member accounts are not sending findings. What is the most likely cause?

Question 258 (easy, multiple choice)

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as creating a new IAM user. Which AWS service should be used to trigger a notification based on CloudTrail events?

Question 259 (medium, multiple choice)

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to capture network traffic to and from the instance for analysis. Which method should be used to capture this traffic without installing any software on the instance?

Question 260 (hard, multiple choice)

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that logs are immutable after they are delivered to Amazon S3. Which combination of actions should be taken to meet this requirement? (Choose the best single answer that includes all necessary steps.)

Question 261 (easy, multiple choice)

A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. Which AWS service can evaluate security group rules against a desired configuration and alert on changes?

Question 262 (medium, multiple choice)

A company uses AWS CloudTrail and wants to ensure that all log files are encrypted at rest using a customer-managed AWS KMS key. The CloudTrail trail is configured to use a KMS key, but some log files appear to be encrypted with the default Amazon S3 managed key (SSE-S3). What is the most likely cause?

Question 263 (hard, multiple choice)

An organization wants to detect and alert on the use of root user credentials in their AWS accounts. They have multiple accounts managed via AWS Organizations. What is the most efficient way to centralize this monitoring?

Question 264 (medium, multi select)

A security engineer is configuring logging for an application running on Amazon EC2 instances. The engineer needs to capture both operating system-level logs and application logs. Which TWO services can be used together to achieve this? (Choose two.)

Question 265 (hard, multi select)

A security team wants to detect and alert on suspicious network traffic patterns within their VPC. They need to capture traffic to and from an EC2 instance for analysis. Which THREE services should be used together to achieve this? (Choose three.)

Question 266 (easy, multi select)

A company needs to monitor for unauthorized changes to its Amazon S3 bucket policies. Which TWO services can be used together to achieve this? (Choose two.)

Question 267 (medium, multiple choice)

Refer to the exhibit. A security engineer has created an S3 bucket policy to allow AWS CloudTrail and VPC Flow Logs to deliver logs to the bucket. However, CloudTrail logs are not being delivered, but VPC Flow Logs are delivered successfully. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Question 268 (hard, multiple choice)

Refer to the exhibit. A security engineer is configuring the Amazon CloudWatch agent to collect logs from an Amazon ECS task. The configuration shown is used. However, the logs are not appearing in CloudWatch Logs. What is the most likely cause?

Exhibit

Refer to the exhibit.

[container]
  [service: my-app]
    [log: access-log]
      [log_group_name: /ecs/my-app]
      [log_stream_prefix: access]
      [datetime_format: %Y-%m-%dT%H:%M:%S]
      [multi_line_start_pattern: {__START_PATTERN__}]
Question 269 (easy, multiple choice)

Refer to the exhibit. A security engineer uses the AWS CLI command shown to investigate a console login event. What type of user performed the login?

Exhibit

Refer to the exhibit.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --max-results 1
{
  "Events": [
    {
      "EventId": "example-event-id",
      "EventName": "ConsoleLogin",
      "ReadOnly": "False",
      "Username": "example-user",
      "EventTime": "2024-01-15T12:00:00Z",
      "CloudTrailEvent": "{\"userIdentity\":{\"type\":\"IAMUser\",\"arn\":\"arn:aws:iam::123456789012:user/example-user\"}}"
    }
  ]
}
Question 270 (medium, multiple choice)

A security engineer is troubleshooting why CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured with the correct bucket name. However, no log files appear. What is the most likely cause?

Question 271 (hard, multiple choice)

A company uses Amazon GuardDuty to monitor for threats. The security team receives a high-severity finding: 'UnauthorizedAccess:EC2/SSHBruteForce'. The finding indicates a single EC2 instance with a public IP is receiving SSH connection attempts from multiple external IPs. The instance is part of an Auto Scaling group and is fronted by an Application Load Balancer (ALB). The security team wants to block the attacking IPs without disrupting legitimate traffic. What is the MOST effective approach?

Question 272 (easy, multiple choice)

A company wants to detect and alert on changes to IAM roles and policies in their AWS account. Which combination of AWS services should they use?

Question 273 (medium, multiple choice)

A DevOps engineer notices that an EC2 instance's CloudWatch agent is not sending custom metrics to CloudWatch. The agent is installed and the configuration file is valid. The instance has an IAM role attached. What is the most likely reason for the failure?

Question 274 (hard, multiple choice)

A security team uses Amazon Macie to discover sensitive data in S3. They have configured Macie to run automated sensitive data discovery jobs. After reviewing the findings, they notice that some S3 objects containing personally identifiable information (PII) are not being flagged. What is the most likely cause?

Question 275 (easy, multiple choice)

A company wants to centralize logs from multiple AWS accounts into a single S3 bucket for analysis. The accounts are part of an AWS Organizations organization. Which set of steps will accomplish this?

Question 276 (medium, multiple choice)

A security engineer is investigating a potential data exfiltration incident. They see that an EC2 instance with an IAM role is making API calls to S3 to download objects. The IAM role has an S3 bucket policy that allows access from that role. However, CloudTrail logs show that the calls are being made from an IP address outside the company's network. What is the most likely explanation?

Question 277 (hard, multiple choice)

A company uses AWS CloudTrail to log all API activity. They want to ensure that log files are tamper-proof and can be validated for forensic purposes. Which of the following should they enable?

Question 278 (easy, multiple choice)

A security analyst wants to receive a notification whenever a new security group is created in their AWS account. Which AWS service should they use to trigger an SNS notification based on the CloudTrail event?

Question 279 (medium, multi select)

A security team is designing a logging solution for a multi-account AWS environment using AWS Organizations. They need to collect CloudTrail logs, VPC Flow Logs, and DNS logs from all accounts. Which TWO services can be used to centralize this logging?

Question 280 (hard, multi select)

A security engineer is configuring Amazon GuardDuty in a multi-account environment. The engineer wants to enable GuardDuty in the management account and automatically enable it for all member accounts. Which THREE steps are required?

Question 281 (easy, multi select)

A company wants to monitor unauthorized API calls in their AWS account. Which TWO AWS services can provide real-time alerting on such events?

Question 282 (hard, multiple choice)

A financial services company has a multi-account AWS environment with over 200 accounts managed through AWS Organizations. The security team is responsible for monitoring all accounts for security incidents. They have enabled AWS CloudTrail in all accounts with trails that deliver logs to a centralized S3 bucket in the security account. Additionally, they have enabled Amazon GuardDuty in all accounts with the security account as the administrator. The team uses Amazon EventBridge to trigger automated responses to GuardDuty findings. Recently, they noticed that some GuardDuty findings from member accounts are not appearing in the security account. The security team verified that the findings are generated in the member accounts (they can see them in the member account GuardDuty console) but are not being sent to the administrator account. The CloudTrail logs are being delivered correctly. What is the MOST likely cause of this issue?

Question 283 (medium, multiple choice)

A security engineer notices that an IAM user in the company's AWS account is making API calls from an IP address outside the allowed corporate network. The engineer needs to be alerted immediately when such activity occurs. Which solution meets these requirements with the least operational overhead?

Question 284 (easy, multiple choice)

A company wants to centralize CloudTrail logs from multiple AWS accounts into a single S3 bucket for security analysis. The logs must be encrypted at rest and access must be logged. What is the MOST secure way to grant cross-account access to the central S3 bucket?

Question 285 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a central S3 bucket. A new member account is created and the security engineer wants to enforce this configuration automatically. Which approach meets these requirements with the least operational overhead?

Question 286 (medium, multiple choice)

A security engineer is investigating a potential security incident. CloudTrail logs show that an IAM user 'admin' deleted an S3 bucket at 2023-01-15T10:30:00Z. The engineer needs to find the source IP address and user agent of the request. Which CloudTrail log field contains this information?

Question 287 (easy, multiple choice)

A company uses Amazon GuardDuty to detect threats. The security team wants to receive real-time notifications for all GuardDuty findings with a severity of HIGH or CRITICAL. What is the MOST efficient way to achieve this?

Question 288 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all API activity across all accounts is logged and immutable. CloudTrail is enabled in all accounts, but the logs are stored in individual account buckets. The team wants to centralize logs and prevent any account from disabling logging. What should they do?

Question 289 (medium, multiple choice)

A company uses Amazon RDS for MySQL and wants to monitor database activity for suspicious queries. The security team needs to capture all SQL statements executed against the database, including SELECT queries. Which AWS service should they use?

Question 290 (easy, multiple choice)

A security engineer is reviewing CloudTrail logs and notices an event with the key 'eventType' set to 'AwsServiceEvent'. What does this indicate?

Question 291 (hard, multiple choice)

A company uses Amazon S3 to store sensitive data. The security team wants to detect when objects are made publicly accessible. Which combination of services provides the MOST comprehensive detection with minimal false positives?

Question 292 (medium, multi select)

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Choose two.)

Question 293 (medium, multi select)

Which TWO actions should a security engineer take to ensure that CloudTrail logs are protected from unauthorized deletion? (Choose two.)

Question 294 (hard, multi select)

Which THREE AWS services can be used to detect and alert on suspicious network traffic patterns? (Choose three.)

Question 295 (hard, multiple choice)

A financial services company has a production AWS account with hundreds of EC2 instances running a mix of Linux and Windows workloads. The security team is responsible for detecting and responding to security incidents. They have enabled CloudTrail, VPC Flow Logs, and GuardDuty. Recently, GuardDuty generated a finding indicating that an EC2 instance is communicating with a known malicious IP address. The security engineer needs to investigate the incident. The engineer examines the GuardDuty finding and sees the affected resource is an EC2 instance ID. The engineer wants to identify which user or role launched the instance and what security groups were associated with it at launch time. Which approach should the engineer take to gather this information?

Question 296 (medium, multiple choice)

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an RDS MySQL database. The security team wants to monitor for SQL injection attempts. They have enabled AWS WAF on the ALB and are logging all requests. The security engineer needs to analyze the WAF logs to identify if any SQL injection attacks have been attempted. The logs are stored in an S3 bucket. The engineer needs to query the logs for patterns like 'SELECT * FROM' or 'DROP TABLE' in the URI. Which service should the engineer use to perform this analysis?

Question 297 (hard, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team needs to implement a centralized logging solution where all VPC Flow Logs from all accounts are sent to a central S3 bucket in the security account. The flow logs must be encrypted with a customer-managed KMS key (CMK) that is owned by the security account. The security engineer has enabled VPC Flow Logs in each account and configured the destination to be the central S3 bucket. However, the flow logs are not being delivered. The engineer checks the S3 bucket policy and confirms that it grants the required permissions to the Flow Logs service principal. What is the MOST likely cause of the failure?

Question 298 (medium, multiple choice)

A security engineer notices that CloudTrail logs for a production account are not being delivered to the S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

Question 299 (hard, multiple choice)

A company wants to monitor AWS API calls for suspicious activity and automatically remediate by revoking IAM roles in real time. Which combination of services should be used?

Question 300 (easy, multiple choice)

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used?

Question 301 (hard, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled in all accounts and log to a central S3 bucket. What is the MOST efficient way to enforce this?

Question 302 (easy, multiple choice)

A company needs to monitor for unauthorized S3 bucket deletions. Which CloudWatch Logs metric filter should be used on CloudTrail logs?

Question 303 (medium, multi select)

Which TWO of the following are valid sources for Amazon CloudWatch Logs? (Select TWO.)

Question 304 (hard, multi select)

A security engineer wants to detect and alert on AWS account root user activity. Which THREE services can be used together to achieve this? (Select THREE.)

Question 305 (easy, multi select)

Which TWO AWS services can be used to monitor network traffic for malicious activity? (Select TWO.)

Question 306 (medium, multiple choice)

Refer to the exhibit. A security engineer configured this S3 bucket policy for CloudTrail, but CloudTrail logs are not being delivered. What is the MOST likely missing permission?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-trail-bucket"
    }
  ]
}
Question 307 (hard, multiple choice)

A company has a multi-account AWS Organization with 50 accounts. The security team wants to monitor for unauthorized IAM role assumption across all accounts. They have enabled AWS CloudTrail in all accounts and are delivering logs to a central S3 bucket in the security account. They also have Amazon GuardDuty enabled in all accounts. The security team wants a centralized dashboard to visualize cross-account role assumption events. They have limited budget and want to use existing services. What should they do?

Question 308 (hard, multiple choice)

A security engineer is investigating a potential data exfiltration incident. They suspect that an EC2 instance was compromised and used to transfer large amounts of data from an S3 bucket to an external IP address. The engineer has enabled VPC Flow Logs for the subnet where the EC2 instance resides, but the logs are not capturing traffic to the external IP. What is the most likely reason?

Question 309 (easy, multiple choice)

A company wants to ensure that all API calls made to their AWS account are logged and immutable. They have enabled AWS CloudTrail and are delivering logs to an S3 bucket. The security team requires that logs cannot be deleted or modified by anyone, including the root user. What should they do?

Question 310 (medium, multiple choice)

A company uses Amazon CloudWatch Logs to collect application logs from EC2 instances. The security team wants to create an alarm that triggers when a specific error pattern appears in the logs. They have set up a metric filter and an alarm. However, the alarm is not triggering even though the error pattern exists in the logs. What is the most likely cause?

Question 311 (medium, multiple choice)

A security engineer needs to monitor for AWS account root user login events and automatically send a notification to the security team. The engineer has enabled CloudTrail and is sending logs to CloudWatch Logs. What is the least effort way to achieve this?

Question 312 (hard, multiple choice)

A company stores sensitive data in an S3 bucket with SSE-KMS encryption. The security team wants to log all access attempts to the bucket, including successful and denied requests. They have enabled S3 server access logs and are delivering them to a different bucket. However, they notice that some access attempts are not logged. What is the most likely reason?

Question 313 (medium, multiple choice)

A security team wants to detect and alert when an EC2 instance is terminated. They have enabled CloudTrail and are sending logs to CloudWatch Logs. Which combination of services should they use to achieve this with minimal latency?

Question 314 (hard, multiple choice)

A company uses AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team notices that management events are being logged, but data events for Amazon S3 are not appearing in the CloudTrail logs for any account. The team needs to enable data event logging for S3 across all accounts. Currently, the organization trail is configured in the management account, and all member accounts have default CloudTrail configurations. What is the MOST efficient way to enable S3 data event logging for all current and future accounts in the organization?

Question 315 (hard, multiple choice)

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group. The security team needs to monitor for unauthorized changes to security groups. They have enabled AWS Config with the security-group-change detection rule. However, they notice that changes are being detected but not all changes trigger a notification. The team wants to ensure that every security group modification (create, delete, or rule change) sends an alert to the security operations center via Amazon SNS. The current setup: AWS Config rules evaluate resources periodically, and SNS notifications are sent only when the rule compliance status changes. What should the team do to achieve real-time alerts for all security group changes?

Question 316 (hard, multiple choice)

A company is migrating its on-premises log aggregation system to AWS. They have multiple applications running on EC2 instances that generate logs in JSON format. The security team needs a centralized logging solution that can ingest logs from all instances, store them durably, and allow real-time searching and alerting. The team also needs to retain logs for at least one year for compliance. The current plan is to use Amazon CloudWatch Logs for ingestion and search, but the team is concerned about the cost of long-term storage and the need for ad-hoc querying. Which solution meets the requirements with the LEAST operational overhead?

Question 317 (hard, multiple choice)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. They have enabled CloudTrail in the management account with an organization trail that delivers logs to an S3 bucket. However, logs from member accounts are not appearing. The S3 bucket policy includes permissions for CloudTrail to write logs, but it does not explicitly grant access to member accounts. What should the team do to ensure that member account CloudTrail logs are delivered to the central S3 bucket?

Question 318 (hard, multiple choice)

A company uses Amazon GuardDuty to monitor for malicious activity in its AWS environment. The security team receives a high number of findings, many of which are false positives. They want to reduce noise by suppressing findings for known benign activities, such as internal vulnerability scans performed by the security team. GuardDuty has a feature to create suppression rules based on finding criteria. However, the team also wants to ensure that if a new type of threat is detected, it is immediately escalated. What is the MOST effective way to manage GuardDuty findings?

Question 319 (hard, multiple choice)

Refer to the exhibit. A security engineer investigates a potential unauthorized deletion of an AWS CloudTrail trail. The engineer runs the command and receives the output shown. Which additional step should the engineer take to determine if the trail deletion was unauthorized?

Exhibit

Refer to the exhibit.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2023-01-01T00:00:00Z --end-time 2023-01-02T00:00:00Z --region us-east-1
{
  "Events": [
    {
      "EventId": "example1",
      "EventName": "DeleteTrail",
      "ReadOnly": "false",
      "Username": "admin",
      "EventTime": "2023-01-01T12:00:00Z",
      "CloudTrailEvent": "{\"userIdentity\":{\"type\":\"IAMUser\",\"arn\":\"arn:aws:iam::123456789012:user/admin\"},\"sourceIPAddress\":\"203.0.113.50\",\"requestParameters\":{\"name\":\"MyTrail\"},\"responseElements\":null,\"additionalEventData\":{\"x-amz-id-2\":\"example\"}}"
    }
  ]
}
Question 320 (medium, multiple choice)

Refer to the exhibit. A security engineer applies this S3 bucket policy to enforce server-side encryption. However, users report that they can still upload objects without encryption. What is the most likely reason the policy is not working as intended?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
Question 321 (hard, multiple choice)

Refer to the exhibit. A security engineer wants to monitor a Lambda function for errors and create a CloudWatch alarm when errors exceed a threshold. The engineer notices the log group exists but has no metric filters. What should the engineer do to set up the alarm?

Exhibit

Refer to the exhibit.

aws logs describe-log-groups --log-group-name-prefix /aws/lambda/my-function
{
  "logGroups": [
    {
      "logGroupName": "/aws/lambda/my-function",
      "creationTime": 1672531200000,
      "metricFilterCount": 0,
      "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-function:*",
      "storedBytes": 0,
      "retentionInDays": 7
    }
  ]
}

aws logs describe-metric-filters --log-group-name /aws/lambda/my-function
{
  "metricFilters": []
}
Question 322 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews IAM permissions for the 'admin' user. The user is a member of the 'Administrators' group, which has the 'AdministratorAccess' managed policy attached. Additionally, the user has an inline policy named 'AllowSSH'. The engineer wants to ensure that the user can only start SSM sessions on instances with the tag 'SSH: enabled'. However, the user can still start sessions on any instance. What is the most likely reason?

Exhibit

User: admin
  Groups: Administrators
  Policies:
    - AdministratorAccess (attached via group)
    - AllowSSH (inline policy)

Inline policy document for AllowSSH:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/SSH": "enabled"
        }
      }
    }
  ]
}
Question 323 (medium, multiple choice)

Refer to the exhibit. An AWS Config rule 's3-bucket-ssl-requests-only' evaluates whether S3 buckets deny HTTP requests. The exhibit shows the evaluation result and the bucket policy. Why is the bucket marked as NON_COMPLIANT despite having a Deny policy for HTTP requests?

Exhibit

Refer to the exhibit.

aws configservice get-compliance-details-by-config-rule --config-rule-name s3-bucket-ssl-requests-only --compliance-types NON_COMPLIANT
{
  "EvaluationResults": [
    {
      "ComplianceResourceType": "AWS::S3::Bucket",
      "ComplianceResourceId": "my-bucket",
      "ComplianceType": "NON_COMPLIANT"
    }
  ]
}

Bucket policy for my-bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
