20+ practice questions focused on Security Logging and Monitoring — one of the most tested topics on the AWS Certified Security Specialty SCS-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?
Explanation: Route 53 Resolver DNS Firewall with query logging is the correct choice because it is specifically designed to log all DNS queries made by EC2 instances that use the Route 53 Resolver. This service captures the domain names being queried, the source IP, and the response, enabling detection of DNS-based data exfiltration (e.g., DNS tunneling). It integrates directly with the VPC's DNS resolver, ensuring all outbound DNS traffic from EC2 instances is logged without additional agents.
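To show what the logged DNS data buys a defender, here is an added example (not part of the original page) that runs simple tunneling heuristics over constructed records in the shape of Route 53 Resolver query logs: long or high-entropy leading labels, and many distinct names under one zone from a single instance. The field names in the sample records and the thresholds are this example's assumptions.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample in the shape of Route 53 Resolver query logs (one JSON record
# per line); field names are this example's assumption, values are invented.
SAMPLE_LOG = """\
{"query_timestamp":"2024-05-01T10:00:01Z","srcaddr":"10.0.1.25","srcids":{"instance":"i-0aaa"},"query_name":"updates.example.com.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2024-05-01T10:00:02Z","srcaddr":"10.0.1.77","srcids":{"instance":"i-0bbb"},"query_name":"kq3v8zx2mlf7pd9a1tgh5cwy6bnr0euj.c2.example.net.","query_type":"TXT","rcode":"NOERROR"}
{"query_timestamp":"2024-05-01T10:00:03Z","srcaddr":"10.0.1.77","srcids":{"instance":"i-0bbb"},"query_name":"h7e2wq9ztx4lmb8cp0kvg3nydf1s6rju.c2.example.net.","query_type":"TXT","rcode":"NOERROR"}
{"query_timestamp":"2024-05-01T10:00:04Z","srcaddr":"10.0.1.25","srcids":{"instance":"i-0aaa"},"query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","rcode":"NOERROR"}
"""

MAX_LABEL_LEN = 30           # hostname labels longer than this are unusual
MIN_ENTROPY = 3.5            # bits per character; encoded payloads score high
MIN_DISTINCT_SUBDOMAINS = 2  # many unique names under one zone from one host

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def zone_of(query_name):
    """Crude registered-zone guess: the last two labels (no public-suffix list)."""
    return ".".join(query_name.rstrip(".").split(".")[-2:])

def find_suspicious(log_text):
    """Return [(instance, query_name, reasons)] for records that look like DNS
    tunneling; records with no triggered heuristic are omitted."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    names_per_host_zone = defaultdict(set)
    for r in records:
        names_per_host_zone[(r["srcids"]["instance"], zone_of(r["query_name"]))].add(r["query_name"])
    flagged = []
    for r in records:
        instance, name = r["srcids"]["instance"], r["query_name"].rstrip(".")
        first = name.split(".")[0]          # leading label carries tunneled data
        reasons = []
        if len(first) > MAX_LABEL_LEN:
            reasons.append("long_label")
        if len(first) >= 16 and shannon_entropy(first) >= MIN_ENTROPY:
            reasons.append("high_entropy_label")
        if len(names_per_host_zone[(instance, zone_of(name))]) >= MIN_DISTINCT_SUBDOMAINS:
            reasons.append("many_subdomains")
        if reasons:
            flagged.append((instance, name, tuple(reasons)))
    return flagged
```

Calling `find_suspicious(SAMPLE_LOG)` flags only the two TXT queries from `i-0bbb`; in practice the thresholds need tuning per environment, since CDN and cloud hostnames can also carry long labels.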
A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?
Explanation: Option D is correct because CloudTrail event history only retains the last 90 days of events. If the API calls were made more than 90 days ago, they would no longer appear in the event history, even though the trail itself may still be delivering log files to an S3 bucket for longer-term storage. The security team is likely looking at the event history rather than querying the S3 bucket or using Athena for older events.
A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?
Explanation: Option B is correct because it provides the lowest-latency path for real-time analysis: CloudTrail logs are delivered to CloudWatch Logs in near real-time, and a subscription filter streams them to Kinesis Data Firehose, which buffers and delivers directly to Amazon OpenSearch Service for immediate indexing and search. This architecture avoids batch processing, minimizes data movement overhead, and uses managed services that scale automatically, keeping both latency and cost low.
A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?
Explanation: Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can directly capture the PutBucketPolicy API call as a real-time event and trigger an SNS notification without any additional compute or polling. This is the most efficient method as it requires no log parsing, no custom code, and no additional infrastructure, providing immediate alerting with minimal overhead.
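As an added illustration (not code from the original page), this example shows the EventBridge event pattern such a rule would use and evaluates it against constructed events in the shape EventBridge delivers for CloudTrail API calls. The pattern is extended beyond the question to also cover DeleteBucketPolicy, since removing a bucket policy is an equally relevant change; the matcher is a deliberately minimal re-implementation of EventBridge's list-and-nesting semantics and is this example's own code.

```python
# EventBridge event pattern for the CloudTrail management events that change an
# S3 bucket policy. This is an added example; the SNS target is attached to the
# rule in EventBridge and is not modelled here.
BUCKET_POLICY_RULE = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"],
    },
}

def matches(pattern, event):
    """Minimal EventBridge-style matcher: every pattern key must exist in the
    event; a list means 'event value is one of these', a dict recurses.
    Content filters (prefix, anything-but, numeric) are not implemented."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True

def make_event(event_name, event_source="s3.amazonaws.com", source="aws.s3"):
    """Constructed event in the shape EventBridge delivers for CloudTrail calls;
    the identity and bucket values are invented placeholders."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "userName": "example-user"},
            "requestParameters": {"bucketName": "example-bucket"},
        },
    }

def events_to_notify(events, rule=BUCKET_POLICY_RULE):
    """Return the eventNames of the events the rule would route to its target."""
    return [e["detail"]["eventName"] for e in events if matches(rule, e)]

if __name__ == "__main__":
    sample = [make_event("PutBucketPolicy"), make_event("GetBucketPolicy"),
              make_event("DeleteBucketPolicy"), make_event("ListBuckets")]
    print(events_to_notify(sample))   # only the two policy-changing calls
```

EventBridge only receives "AWS API Call via CloudTrail" events when a CloudTrail trail is logging management events in that region, so a rule like this silently matches nothing if the trail is missing.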
A company uses Amazon GuardDuty and wants to suppress low-severity findings that are known false positives. What is the recommended approach?
Explanation: GuardDuty filters allow you to automatically suppress low-severity findings that are known false positives by setting the filter action to 'ARCHIVE'. This prevents the findings from appearing in the active findings list without disabling detection or deleting data. Filters are the recommended approach because they are purpose-built for this use case and preserve the audit trail.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Security Logging and Monitoring. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Security Logging and Monitoring questions on the SCS-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Security Logging and Monitoring is tested as part of the AWS Certified Security Specialty SCS-C02 blueprint. Practicing with targeted Security Logging and Monitoring questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free SCS-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Security Logging and Monitoring is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.