SCS-C02 Security Logging and Monitoring • Complete Question Bank
Complete SCS-C02 Security Logging and Monitoring question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```
{
"Records": [
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Root",
"arn": "arn:aws:iam::123456789012:root",
"accountId": "123456789012"
},
"eventTime": "2023-09-01T12:34:56Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"sourceIPAddress": "203.0.113.5",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"groupId": "sg-12345678",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"ipRanges": [
{
"cidrIp": "0.0.0.0/0"
}
]
}
]
}
},
"responseElements": null
}
]
}
```Refer to the exhibit.
```
{
"configuration": {
"name": "my-trail",
"s3BucketName": "my-cloudtrail-logs",
"includeGlobalServiceEvents": true,
"isMultiRegionTrail": true,
"enableLogFileValidation": true,
"cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:aws-cloudtrail-logs:*",
"cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
"kmsKeyId": null
}
}
```Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag a concept onto its matching description — or click a concept then click the description.
Control plane operations
Resource operations like S3 object access
Unusual activity detection
Invocation of Lambda function URLs
Drag a concept onto its matching description — or click a concept then click the description.
Automated vulnerability assessment
Threat detection service
Centralized security findings aggregation
Investigation and analysis of security issues
Resource configuration monitoring and compliance
Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*"
}
]
}Refer to the exhibit.
{
"MetricFilter": {
"filterName": "RootAccountUsage",
"filterPattern": "{ $.userIdentity.type = \"Root\" }"
}
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/*"
}
]
}2024-05-01T12:00:00Z us-east-1 eni-12345 10.0.1.5 10.0.2.10 443 12345 6 10 5000 1620144781 1620144782 ACCEPT OK
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}vpc-12345678 | eni-98765432 | 203.0.113.5 | 10.0.0.1 | 443 | 3389 | 6 | 25 | 300 | 1420 | ACCEPT | OK
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-public-bucket/*"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:PutObject", "s3:GetObject"],
"Resource": "arn:aws:s3:::example-bucket/*"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::example-bucket/*"
},
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::example-bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/123456789012/*"
}
]
}Refer to the exhibit. [2023-01-15 12:34:56] 10.0.1.5 203.0.113.5 22 443 6 10 1000 1234567890 1234567891 ACCEPT OK
Refer to the exhibit.
{
"trail": "management-events-trail",
"eventVersion": "1.08",
"eventTime": "2023-06-01T10:00:00Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"userIdentity": {
"type": "IAMUser",
"arn": "arn:aws:iam::123456789012:user/svc-account-admin"
},
"requestParameters": {
"groupId": "sg-12345",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"ipRanges": {
"items": [
{"cidrIp": "0.0.0.0/0"}
]
}
}
]
}
},
"responseElements": {
"requestId": "r-abc123"
}
}Refer to the exhibit.
CloudTrail log event (JSON):
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/User1",
"accountId": "123456789012",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"arn": "arn:aws:iam::123456789012:role/AdminRole"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2024-01-15T10:00:00Z"
}
}
},
"eventTime": "2024-01-15T10:05:00Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.5",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"groupId": "sg-0123456789abcdef0",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"ipRanges": {
"items": [
{"cidrIp": "0.0.0.0/0"}
]
}
}
]
}
},
"responseElements": {
"requestId": "r-12345678",
"_return": true
}
}Refer to the exhibit.
IAM Policy JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}Refer to the exhibit. CloudWatch Logs Insights query: fields @timestamp, @message | filter @message like /ERROR|WARN/ | sort @timestamp desc | limit 20
Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/*"
}
]
}Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "logs.amazonaws.com"
},
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:*"
}
]
}Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}Refer to the exhibit.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}Refer to the exhibit.
[container]
[service: my-app]
[log: access-log]
[log_group_name: /ecs/my-app]
[log_stream_prefix: access]
[datetime_format: %Y-%m-%dT%H:%M:%S]
[multi_line_start_pattern: {__START_PATTERN__}]{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::my-trail-bucket"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}User: admin
Groups: Administrators
Policies:
- AdministratorAccess (attached via group)
- AllowSSH (inline policy)
Inline policy document for AllowSSH:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeSecurityGroups",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/SSH": "enabled"
}
}
}
]
}