CCNA Security Logging and Monitoring Questions

75 of 323 questions · Page 4/5 · Security Logging and Monitoring · Answers revealed

226
Multi-Select · hard

A security team wants to detect and alert on suspicious network traffic patterns within their VPC. They need to capture traffic to and from an EC2 instance for analysis. Which THREE services should be used together to achieve this? (Choose three.)

Select 3 answers
A.AWS Network Firewall
B.Network Load Balancer
C.Amazon Detective
D.AWS WAF
E.VPC Traffic Mirroring
AnswersB, C, E

Distributes mirrored traffic to security appliances for analysis.

Why this answer

VPC Traffic Mirroring (E) copies packets from the instance's elastic network interface; a Network Load Balancer (B) is the supported mirror target for fanning that traffic out to a fleet of security appliances; Amazon Detective (C) then supplies the investigation context for the instance and its peers. Options B, C and E are correct. Option A is wrong because AWS Network Firewall inspects and filters traffic in line but is not a capture mechanism. Option D is wrong because AWS WAF filters HTTP(S) requests in front of CloudFront, ALB or API Gateway and never sees the instance's raw traffic.

Practitioner caveat: Amazon Detective builds its behaviour graph from VPC Flow Logs, CloudTrail and GuardDuty findings, not from mirrored packets, so payload-level analysis of a mirror session is done by the IDS or packet-capture appliance behind the NLB; Detective adds the surrounding context rather than reading the capture.

227
MCQ · hard

A company has a CloudTrail trail that logs management events for all regions in the management account. They want to also log data events for all S3 buckets in the organization. Which configuration change will meet this requirement with the LEAST operational overhead?

A.Use Amazon EventBridge to capture S3 events and forward them to CloudTrail.
B.Enable S3 server access logs for all buckets and aggregate them using Athena.
C.Create a new trail in each member account to log S3 data events and deliver to a central S3 bucket.
D.Modify the existing trail to add an event selector for S3 data events with a scope of all buckets.
AnswerD

Organization trails can log data events for all S3 buckets across the organization with a single configuration.

Why this answer

Option D is correct because one trail can carry an event selector whose S3 data-event scope is all buckets, and when that trail is an organization trail the selector applies in every member account, so a single change covers the organization. Option C is wrong because a trail in each member account multiplies the configuration and the cost. Option B is wrong because S3 server access logs are a separate, best-effort log format, not CloudTrail data events, and aggregating them with Athena is extra work. Option A is wrong because EventBridge cannot feed events into CloudTrail.

Caveat: the scenario's existing trail covers "the management account"; a data-event selector on a trail that is not an organization trail only reaches buckets in that one account, so confirm the trail has IsOrganizationTrail set before relying on organization-wide coverage. Watch the volume as well: logging GetObject for every bucket is billed per event and can dwarf the management-event stream.

228
MCQ · medium

A company uses Amazon GuardDuty in a single AWS account to detect threats. The security team receives an alert that a specific EC2 instance is communicating with a known command and control (C2) server. The security engineer needs to immediately isolate the instance while preserving the root cause evidence. The engineer has access to the AWS Management Console. Which action should the engineer take FIRST?

A.Terminate the instance immediately to stop the communication.
B.Take a snapshot of the EBS volume and then isolate the instance by modifying the security group.
C.Modify the security group to block all outbound traffic.
D.Install the CloudWatch Logs agent on the instance to capture logs.
AnswerB

Snapshot preserves evidence, then isolation stops communication.

Why this answer

Option B is correct: snapshot the EBS volume(s) first so the disk state is preserved, then move the instance into an isolation security group that has no inbound or outbound rules. Option A is wrong because terminating the instance destroys the root volume (when DeleteOnTermination is set), any instance-store data and memory.

Option C is wrong because changing the security group alone stops the C2 traffic but preserves nothing. Option D is wrong because installing an agent after the fact alters the host and cannot recover history that was never logged. Practitioner caveats: do not stop or reboot the instance as part of isolation, since that loses memory and instance-store contents; enable termination protection and tag the instance; and confirm with VPC Flow Logs that the C2 connection has actually stopped after the security group change rather than assuming it.

229
MCQ · easy

Refer to the exhibit. A security engineer finds this S3 bucket policy on a bucket that should be private. What is the most effective way to detect if this bucket was accessed by unauthorized users?

A.Enable S3 server access logs on the bucket.
B.Query AWS CloudTrail for GetObject API calls.
C.Use CloudWatch Logs to search for GetObject events.
D.Analyze VPC Flow Logs for traffic to the bucket.
AnswerB

CloudTrail logs all S3 API calls, including GetObject, and can be queried.

Why this answer

CloudTrail records S3 object-level API calls such as GetObject as data events, and each record carries the caller's identity and source IP, so it answers who accessed the bucket. Option A is wrong because server access logs are off by default, are delivered best-effort, and only help once enabled. Option D is wrong because VPC Flow Logs show IP-level traffic metadata and cannot attribute an S3 request to a principal.

Option C is wrong because CloudWatch Logs only holds S3 API calls if a trail has been configured to deliver them there; it is not a source on its own. Caveat: GetObject is a data event, so a trail that logs only management events will show no object reads; S3 data events (or CloudTrail Lake) must have been enabled for the bucket before the access in question.

230
Multi-Select · hard

Which THREE AWS services can be used to detect and alert on suspicious network traffic patterns? (Choose three.)

Select 3 answers
A.AWS Network Firewall
B.Amazon VPC Flow Logs
C.AWS Systems Manager
D.AWS CloudTrail
E.Amazon GuardDuty
AnswersA, B, E

Network Firewall provides intrusion detection and prevention.

Why this answer

AWS Network Firewall (A) is correct because it is a managed firewall that inspects traffic at the VPC level with stateless rules and stateful, Suricata-compatible rules; it can detect patterns such as port scans, traffic to known-bad addresses or protocol anomalies and surface them as alert logs (to CloudWatch Logs, S3 or Kinesis Data Firehose) and CloudWatch metrics for near-real-time notification. Amazon VPC Flow Logs (B) record accepted and rejected flows per network interface; with CloudWatch Logs metric filters, Athena queries or GuardDuty on top they expose scans, bursts of rejects and connections to suspicious destinations. Amazon GuardDuty (E) consumes VPC Flow Logs, DNS logs and CloudTrail and raises findings such as port probes and command-and-control callbacks without any rule writing.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (API logging) with network traffic monitoring, or assume AWS Systems Manager has security detection capabilities, when in fact neither service inspects network packet flows or traffic patterns.

231
Multi-Select · medium

A security engineer is implementing centralized logging across multiple AWS accounts. Which TWO actions should the engineer take to ensure logs are securely stored and immutable? (Choose TWO.)

Select 2 answers
A.Enable S3 Transfer Acceleration on the bucket
B.Use AWS KMS with a customer managed key for encryption
C.Enable S3 Object Lock on the destination bucket
D.Enable CloudTrail log file validation
E.Enable MFA Delete on the bucket
AnswersB, C

KMS provides encryption and access control.

Why this answer

Option C is correct because S3 Object Lock (WORM) prevents locked object versions from being deleted or overwritten for the retention period. Option B is correct because a customer managed KMS key adds a second authorization layer: the key policy decides who can read the logs, independent of the bucket policy. Option D is wrong because CloudTrail log file validation lets you prove whether a file was altered after delivery, but it does not stop deletion.

Option A is wrong because S3 Transfer Acceleration is a performance feature. Option E is wrong because MFA Delete adds a second factor to deletes and versioning changes but is a control on who may delete, not immutability; Object Lock is the right tool. Caveat: Object Lock requires versioning and cannot be turned off once enabled, and for logs that must survive a compromised administrator use compliance mode, since governance mode can be bypassed by any principal holding s3:BypassGovernanceRetention.

232
Multi-Select · medium

A security engineer is configuring logging for an application running on Amazon EC2 instances. The engineer needs to capture both operating system-level logs and application logs. Which TWO services can be used together to achieve this? (Choose two.)

Select 2 answers
A.AWS CloudTrail
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Amazon CloudWatch agent
E.Amazon Inspector
AnswersC, D

Stores log data collected by the CloudWatch agent.

Why this answer

The CloudWatch agent (D) runs on the instance and collects OS logs (syslog, auth logs, Windows Event Log) and application log files, shipping them to CloudWatch Logs (C) for storage, search and metric filters. Options C and D are correct. Option B is wrong because VPC Flow Logs capture network traffic metadata.

Option A is wrong because AWS CloudTrail captures API calls, not host logs. Option E is wrong because Amazon Inspector assesses vulnerabilities and does not collect logs. Practitioner note: distribute the agent configuration through Systems Manager Parameter Store so every instance collects the same files, and give the instance role only the permissions in CloudWatchAgentServerPolicy.

233
MCQ · hard

A security team notices that an S3 bucket containing sensitive data has been repeatedly accessed from an IP address outside the company's network. They need to set up a real-time alert when such access occurs. Which combination of services should they use?

A.VPC Flow Logs and Amazon QuickSight
B.AWS Config and Amazon SNS
C.CloudWatch Logs Insights and Amazon SES
D.Amazon GuardDuty and Amazon EventBridge
AnswerD

GuardDuty detects anomalies in S3 access and sends findings to EventBridge for alerting.

Why this answer

Option D is correct because Amazon GuardDuty analyzes CloudTrail management events and, with S3 Protection enabled, S3 data events to detect anomalous access such as reads from an unusual location, and it publishes findings to Amazon EventBridge, where a rule can forward them to SNS or a ticketing system. Option B is wrong because AWS Config evaluates resource configuration, not access patterns. Option A is wrong because VPC Flow Logs do not see S3 requests that originate outside the VPC, and QuickSight is a reporting tool.

Option C is wrong because CloudWatch Logs Insights is an interactive query tool, not an alerting path on its own. Caveat: if the requirement is a deterministic alert on any access from outside a known IP range rather than GuardDuty's anomaly model, deliver S3 data events to CloudWatch Logs and build a metric filter on sourceIPAddress.

234
MCQ · medium

A security engineer is setting up centralized logging for an AWS organization. The engineer wants to collect CloudTrail logs, VPC Flow Logs, and AWS Config configuration items from all member accounts into a single S3 bucket in the management account. The engineer creates a new S3 bucket with a bucket policy that grants the required permissions. However, logs from member accounts are not being delivered. What is the most likely reason?

A.VPC Flow Logs cannot be delivered to an S3 bucket in a different account.
B.CloudTrail must be enabled in each member account individually.
C.The S3 bucket policy does not grant write permissions to the member accounts' service principals.
D.AWS Config must be enabled in the management account and configured to aggregate data from member accounts.
AnswerC

Bucket policy must allow cross-account writes.

Why this answer

Option C is correct because each service writes to the bucket as its own service principal, so the bucket policy must allow cloudtrail.amazonaws.com, delivery.logs.amazonaws.com (the principal that delivers VPC Flow Logs to S3) and config.amazonaws.com to call s3:PutObject on the member accounts' prefixes, plus s3:GetBucketAcl on the bucket itself. Option D is wrong because delivering configuration items to a bucket does not require an aggregator. Option B is wrong because an organization trail is configured once in the management account and covers every member.

Option A is wrong because VPC Flow Logs can be delivered to a bucket in another account. Checks when debugging: the PutObject statements for CloudTrail and Config need the condition s3:x-amz-acl equal to bucket-owner-full-control, and if the bucket uses SSE-KMS the key policy must also grant those service principals kms:GenerateDataKey.

235
MCQ · hard

A security engineer runs the CLI command above to investigate a console login event. The output shows: {"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root"}. What does this indicate?

A.A federated user performed the console login.
B.An AWS service performed the console login.
C.An IAM user in the account performed the console login.
D.The AWS account root user performed the console login.
AnswerD

The userIdentity indicates root user.

Why this answer

Option D is correct because the userIdentity type is Root, the principalId is the bare account ID, and the ARN is arn:aws:iam::123456789012:root, which is how CloudTrail records the account root user. Option C is wrong because an IAM user appears with type IAMUser and an ARN of the form arn:aws:iam::account:user/name. Option A is wrong because a federated identity appears as FederatedUser or as AssumedRole with a sessionContext.

Option B is wrong because a service call appears as type AWSService with an invokedBy field. Practitioner note: alert on every successful ConsoleLogin whose userIdentity.type is Root and read additionalEventData.MFAUsed from the same record; root logins should be rare enough that each one is investigated.
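
Worked example, added here and not part of the original question set: a small Python classifier that reads CloudTrail records and labels the caller from userIdentity, applying the root-user check from this question (type Root, principalId equal to the account ID, ARN ending in :root) and pulling out successful root console logins with their MFA status. The records, account ID, IPs and names are constructed sample data, not real logs.

```python
import json

ACCOUNT = "123456789012"  # constructed example account ID

# Constructed sample log in CloudTrail's JSON layout, trimmed to the fields
# the classifier reads; none of these records are real.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "principalId": ACCOUNT,
                      "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                      "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:i-0abc",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/WebRole/i-0abc",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/WebRole"}}}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "FederatedUser", "principalId": f"{ACCOUNT}:bob",
                      "arn": f"arn:aws:sts::{ACCOUNT}:federated-user/bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"}},
]})


def load_records(log_text):
    """CloudTrail log files are a JSON object with a Records array."""
    return json.loads(log_text)["Records"]


def describe_caller(record):
    """Return a short label for who made the call, keyed on userIdentity.type."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root:" + ident.get("accountId", "unknown")
    if kind == "IAMUser":
        return "iam-user:" + ident.get("userName", ident.get("arn", "unknown"))
    if kind == "AssumedRole":
        # The role itself lives in sessionContext.sessionIssuer; the top-level
        # ARN is the session (role name plus session name).
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return "role:" + issuer.get("arn", ident.get("arn", "unknown"))
    if kind == "FederatedUser":
        return "federated:" + ident.get("arn", "unknown")
    if kind == "AWSService":
        return "service:" + ident.get("invokedBy", "unknown")
    return "other:" + str(kind)


def is_root_identity(ident):
    """Root user: type Root, principalId equal to the account ID, ARN ending in ':root'.
    All three must agree; a record that claims Root with a foreign ARN is rejected."""
    acct = ident.get("accountId") or ident.get("principalId")
    return (ident.get("type") == "Root"
            and ident.get("principalId") == acct
            and ident.get("arn", "").endswith(f":{acct}:root"))


def root_console_logins(log_text):
    """Return (sourceIPAddress, MFAUsed) for each successful root ConsoleLogin."""
    hits = []
    for rec in load_records(log_text):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if not is_root_identity(rec.get("userIdentity", {})):
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "unknown")
        hits.append((rec.get("sourceIPAddress"), mfa))
    return hits


if __name__ == "__main__":
    for rec in load_records(SAMPLE_LOG):
        print(rec["eventName"], "by", describe_caller(rec))
    print("root console logins:", root_console_logins(SAMPLE_LOG))
```

The same classification is what an EventBridge rule does declaratively with a pattern on detail.userIdentity.type equal to Root; the script is useful for working through a downloaded log bundle after the fact.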

236
MCQ · easy

A security team needs to detect unauthorized API calls made from a compromised IAM user. Which AWS service should be used to monitor and alert on specific API activities?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.VPC Flow Logs
AnswerA

CloudTrail logs all API calls for auditing and monitoring.

Why this answer

CloudTrail records every API call with the calling identity, and its events can be streamed to CloudWatch Logs, where metric filters and alarms raise alerts on specific actions. Option A is correct because CloudTrail is the record of API activity. Option B is wrong because Config tracks resource configuration changes, not API calls.

Option C is wrong because GuardDuty flags anomalous or known-bad behaviour but does not alert on an arbitrary API call you name; its IAM-credential findings complement CloudTrail-based rules rather than replace them. Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

237
Multi-Select · easy

A security engineer needs to ensure that all changes to IAM policies in an AWS account are logged and that the logs are immutable and cannot be deleted by any user, including the root user. Which actions should the engineer take? (Choose two.)

Select 2 answers
A.Enable default encryption with AWS KMS on the bucket.
B.Enable AWS CloudTrail to log IAM events.
C.Enable S3 Versioning on the bucket.
D.Enable multi-factor authentication (MFA) delete on the S3 bucket.
E.Enable S3 Object Lock in compliance mode on the bucket.
AnswersB, E

CloudTrail records all IAM API calls.

Why this answer

Correct options: B (CloudTrail) and E (S3 Object Lock in compliance mode). CloudTrail records IAM policy changes (CreatePolicyVersion, PutUserPolicy, AttachRolePolicy and the like); Object Lock in compliance mode stops any principal, including the account root user, from deleting a locked log object or shortening its retention until the retention period ends.

Option D is wrong because MFA Delete only adds a second factor; a holder of the root credentials and the MFA device can still delete. Option C is wrong because versioning alone lets a delete marker hide the object and lets the versions themselves be removed. Option A is wrong because KMS encryption protects confidentiality, not existence. Caveat: compliance mode protects log files already delivered; the trail itself can still be stopped or deleted, so also alert on StopLogging, DeleteTrail and UpdateTrail events.

238
MCQ · hard

A company uses AWS Organizations and wants to centralize security logs from all member accounts into a single S3 bucket in the management account. The bucket policy allows only the management account's root user to write objects. However, logs are not being delivered from member accounts. What is the MOST likely cause?

A.S3 Transfer Acceleration is not enabled.
B.VPC endpoints are not configured for the logging service.
C.The S3 bucket uses an AWS KMS key, and the key policy does not grant decrypt permissions to the logging service.
D.The bucket policy denies write access to all principals except the management account's root user, preventing cross-account writes.
AnswerD

The bucket policy must allow the logging service principal (e.g., cloudtrail.amazonaws.com) to write objects, or allow the member account.

Why this answer

Option D is correct because a bucket policy that allows only the management account's root user denies the member-account writers, which are the service principals (cloudtrail.amazonaws.com, config.amazonaws.com, and delivery.logs.amazonaws.com for VPC Flow Logs) acting on behalf of each member account. The policy must allow those service principals, ideally scoped with aws:SourceAccount or aws:SourceArn, or allow the member accounts themselves. Option A is wrong because S3 Transfer Acceleration is not required.

Option C is wrong because a KMS key policy can indeed block delivery (the services need kms:GenerateDataKey on the key), but the question states that the bucket policy is the restriction. Option B is wrong because VPC endpoints are not required for log delivery.

239
MCQ · easy

A security engineer needs to ensure that all S3 buckets in an AWS account have server access logging enabled. Which AWS service should be used to continuously monitor for compliance?

A.AWS Config
B.Amazon GuardDuty
C.AWS IAM Access Analyzer
D.AWS CloudTrail
AnswerA

AWS Config has managed rules like 's3-bucket-logging-enabled' to check for server access logging.

Why this answer

AWS Config is the correct service because it continuously evaluates your AWS resource configurations against desired policies. The managed rule 's3-bucket-logging-enabled' checks every S3 bucket in the account and marks any bucket without server access logging as NONCOMPLIANT (optionally checking that logs go to a named target bucket and prefix), giving ongoing, automated compliance auditing without manual intervention. Pair the rule with a remediation action or an EventBridge rule on compliance-change events if noncompliant buckets should be fixed or escalated automatically.

Exam trap

The trap here is that candidates often confuse AWS Config with AWS CloudTrail, mistakenly thinking that CloudTrail's logging of API calls can be used to continuously monitor compliance, but CloudTrail only records events and does not evaluate the current state of resources against a desired configuration.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because GuardDuty is a threat detection service that analyzes VPC flow logs, DNS logs, and CloudTrail events to identify malicious activity; it does not evaluate resource configurations for compliance with logging requirements. Option C (AWS IAM Access Analyzer) is wrong because it focuses on identifying resources shared with external entities by analyzing resource-based policies (e.g., S3 bucket policies), not on verifying whether server access logging is enabled. Option D (AWS CloudTrail) is wrong because CloudTrail records API calls made in your account for auditing and governance, but it does not continuously monitor the configuration state of S3 buckets to enforce compliance with logging settings.

240
MCQ · medium

Refer to the exhibit. An AWS Config rule 's3-bucket-ssl-requests-only' evaluates whether S3 buckets deny HTTP requests. The exhibit shows the evaluation result and the bucket policy. Why is the bucket marked as NON_COMPLIANT despite having a Deny policy for HTTP requests?

A.The bucket policy is missing the 'aws:SecureTransport': 'false' condition for the bucket resource (without /*).
B.The policy uses 'Deny' but the rule expects an 'Allow' statement for HTTPS only.
C.The bucket policy only denies HTTP requests to objects, not to the bucket itself.
D.The annotation says 'Bucket does not have a policy that denies HTTP requests.' but the policy does have one, so this is a false positive.
AnswerA

The rule checks that the policy denies non-TLS requests to the bucket itself as well as to its objects. The exhibit's policy only covers objects. Adding the bucket ARN (for example arn:aws:s3:::my-bucket, a placeholder name) to the Deny statement's Resource list fixes the finding.

Why this answer

The Config rule evaluates the bucket policy as a whole: it expects a Deny with the condition aws:SecureTransport equal to false that applies to both the bucket resource (arn:aws:s3:::bucket, which covers ListBucket and other bucket-level calls) and its objects (arn:aws:s3:::bucket/*). The current policy only denies HTTP requests for /*, so bucket-level operations over plain HTTP remain allowed and the bucket is NON_COMPLIANT. Option C describes the symptom but not what is missing from the policy; Option D is wrong because the annotation is accurate for bucket-level requests; Option B is wrong because the rule looks for a Deny, not an Allow.
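
Worked example, added here and not from the original page or from the AWS Config rule's own implementation: a local Python check that reproduces what this rule is looking for. It evaluates a constructed objects-only policy (the exhibit's shape) beside the corrected one and reports which of the two resources, bucket or objects, still lacks an HTTP deny. The bucket name is a placeholder, and the matching is a simplification: it recognises a Deny on all principals and all S3 actions with a Bool aws:SecureTransport false condition, and does not model NotResource, NotAction or other condition operators.

```python
import json

BUCKET_ARN = "arn:aws:s3:::my-bucket"  # placeholder bucket, as in the explanation above

# Constructed policy in the exhibit's shape: the Deny names only the objects.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureObjectAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Constructed fix: the same Deny with both the bucket and its objects as Resource.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_plain_http(stmt):
    """True for a Deny on every principal and every S3 action when
    aws:SecureTransport is false (condition key names are case-insensitive in IAM)."""
    if stmt.get("Effect") != "Deny":
        return False
    principal = stmt.get("Principal")
    if principal != "*" and principal != {"AWS": "*"}:
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & {"s3:*", "*"}:
        return False
    conditions = {k.lower(): v for k, v in stmt.get("Condition", {}).items()}
    bool_cond = {k.lower(): v for k, v in conditions.get("bool", {}).items()}
    return str(bool_cond.get("aws:securetransport", "")).lower() == "false"


def insecure_transport_gaps(policy, bucket_arn):
    """Return which of ('bucket', 'objects') still lack an HTTP Deny; empty means compliant."""
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if not _denies_plain_http(stmt):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res in ("*", "arn:aws:s3:::*"):
                covered |= {"bucket", "objects"}
            elif res == bucket_arn:
                covered.add("bucket")
            elif res == bucket_arn + "/*":
                covered.add("objects")
    return sorted({"bucket", "objects"} - covered)


def evaluate(policy, bucket_arn):
    """Mimic the rule's verdict and annotation for one bucket policy."""
    gaps = insecure_transport_gaps(policy, bucket_arn)
    if not gaps:
        return "COMPLIANT", "Bucket policy denies HTTP requests."
    return "NON_COMPLIANT", "No Deny for aws:SecureTransport=false covering: " + ", ".join(gaps)


if __name__ == "__main__":
    for name, policy in (("objects-only", OBJECTS_ONLY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, evaluate(policy, BUCKET_ARN))
        print("  Resource:", json.dumps(policy["Statement"][0]["Resource"]))
```

Run against a policy pulled with `aws s3api get-bucket-policy` (the Policy field is a JSON string; load it first) to confirm a fix before waiting for the next Config evaluation.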

241
MCQ · hard

A security team wants to centrally collect and analyze VPC Flow Logs from multiple AWS accounts for security monitoring. Which solution is MOST scalable and cost-effective?

A.Aggregate logs in an EC2 instance running an ELK stack.
B.Use Amazon Kinesis Data Firehose to stream logs to an S3 bucket and process with AWS Lambda.
C.Configure VPC Flow Logs to send to a centralized CloudWatch Logs account using cross-account subscriptions.
D.Use AWS Organizations to centralize logging by delivering VPC Flow Logs to a centralized S3 bucket and query with Amazon Athena.
AnswerD

This approach is scalable, cost-effective, and uses managed services.

Why this answer

Option D is correct because each account's flow logs can be delivered straight to one S3 bucket in the logging account (the bucket policy allows delivery.logs.amazonaws.com, scoped with aws:SourceAccount), and Amazon Athena queries them in place with no data movement and no cluster to run. Option C is wrong because cross-account CloudWatch Logs subscriptions need a destination and a subscription filter per account, and CloudWatch Logs ingestion is the most expensive path for high-volume flow data. Option B is wrong because Kinesis Data Firehose plus Lambda adds components to operate for no gain over direct S3 delivery.

Option A is wrong because a self-managed ELK stack on EC2 is neither scalable nor cheap to operate. Note: AWS Organizations itself does not deliver flow logs; the delivery target is set per VPC, and Organizations helps through consistent account setup and SCPs that stop members from deleting the flow log. Write the logs in Parquet with Hive-style partitions so Athena scans only the partitions a query needs.

242
MCQ · medium

A company has enabled AWS CloudTrail in all regions and is delivering logs to a central S3 bucket. The security team needs to ensure that any attempt to delete or modify CloudTrail logs is detected and alerted. What should be done?

A.Enable S3 server access logging on the bucket and monitor for DELETE requests.
B.Enable S3 Object Lock in governance mode on the bucket.
C.Enable MFA Delete on the S3 bucket.
D.Use a bucket policy that denies s3:DeleteObject for all principals.
AnswerB

Object Lock prevents objects from being deleted or overwritten for a specified retention period.

Why this answer

Option B is correct because S3 Object Lock holds each delivered log object as write-once-read-many for its retention period, so delete and overwrite attempts fail. Option C is wrong because MFA Delete only adds a second factor; an authorized user with the device can still delete. Option A is wrong because server access logs record deletions after the fact and are delivered best-effort.

Option D is wrong because a bucket policy can be rewritten by anyone with s3:PutBucketPolicy, including the bucket owner. Caveats: governance mode, as named in the option, can be bypassed by principals holding s3:BypassGovernanceRetention, so use compliance mode for logs that must survive a privileged attacker; and since the question asks for detection as well, pair the lock with an EventBridge rule on DeleteObject and DeleteObjectVersion data events and on PutBucketPolicy and PutObjectRetention management events, so that attempts are alerted on even when the lock makes them fail.

243
MCQ · easy

A security engineer needs to capture all API calls made to AWS services for forensic analysis. Which AWS service should be used to store these logs durably and cost-effectively for long-term retention?

A.VPC Flow Logs
B.Amazon GuardDuty
C.AWS Config
D.AWS CloudTrail
AnswerD

AWS CloudTrail logs all API calls and can deliver logs to S3.

Why this answer

Option D is correct because AWS CloudTrail records API calls and delivers them to an S3 bucket, where lifecycle rules can move older logs to the Glacier storage classes for cheap long-term retention. Option A is wrong because VPC Flow Logs capture network traffic, not API calls. Option C is wrong because AWS Config records resource configuration changes, not API calls.

Option B is wrong because Amazon GuardDuty is a threat detection service, not a log store; it reads CloudTrail but retains only its findings.

244
Multi-Select · medium

Which TWO actions should a security engineer take to ensure that CloudTrail logs are protected from unauthorized deletion? (Choose two.)

Select 2 answers
A.Attach an S3 bucket policy that denies s3:DeleteObject to all principals except the CloudTrail service principal.
B.Enable S3 versioning on the log bucket.
C.Enable S3 default encryption with SSE-S3.
D.Configure CloudTrail to send logs to CloudWatch Logs.
E.Enable S3 MFA Delete on the log bucket.
AnswersA, E

This restricts deletion to only CloudTrail.

Why this answer

Option E is correct because MFA Delete requires the bucket owner's MFA code to delete an object version or change the bucket's versioning state. Option A is correct because an explicit Deny on s3:DeleteObject for every principal other than the CloudTrail service principal stops ordinary users and roles from deleting, and CloudTrail itself never deletes log objects. Option C is wrong because SSE-S3 protects data at rest, not against deletion.

Option D is wrong because copying logs to CloudWatch Logs does not stop deletion from the bucket. Option B is wrong because versioning alone does not prevent deletion; a delete marker hides the object and the versions can still be removed. Caveats: MFA Delete requires versioning and can only be enabled by the root user through the CLI or API, and the Deny in option A can be removed by anyone with s3:PutBucketPolicy, so add S3 Object Lock where true immutability is required.

245
MCQ · hard

A company has enabled AWS CloudTrail in all accounts and regions, with log file validation enabled. The security team needs to verify that a specific log file has not been modified since it was delivered. Which action should be taken?

A.Query the log files using Amazon CloudWatch Logs Insights.
B.Enable S3 server-side encryption with AWS KMS (SSE-KMS) on the CloudTrail bucket.
C.Enable S3 Object Lock on the bucket to prevent modifications.
D.Use the AWS CLI `validate-logs` command with the digest file from the S3 bucket.
AnswerD

The `validate-logs` command uses the digest file to verify the integrity of log files.

Why this answer

Option D is correct because, with log file validation enabled, CloudTrail delivers an hourly digest file that lists each log file with its SHA-256 hash, chains to the previous digest, and is signed with a CloudTrail RSA key; `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` re-hashes the log files and walks the digest chain, reporting any file that is missing or whose hash no longer matches. Option B is incorrect because server-side encryption provides confidentiality, not an integrity proof. Option A is incorrect because CloudWatch Logs Insights queries log content and knows nothing about digests.

Option C is incorrect because S3 Object Lock prevents locked object versions from being deleted or overwritten, but it does not prove that a particular file matches what CloudTrail delivered; only the digest does that. Caveat: validation only covers the period since log file validation was enabled, and it needs the digest files to still be present, so protect the CloudTrail-Digest prefix as carefully as the logs themselves.
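
Worked example, added here and not from the original page or from the AWS CLI's own implementation: a Python re-creation of the hash part of the digest walk that `validate-logs` performs. It builds two gzipped log objects and two chained digest objects in memory (constructed data, in the key layout and field names CloudTrail uses), then re-hashes every referenced object from the newest digest backwards and reports anything missing or changed. It assumes each hashValue and previousDigestHashValue is the SHA-256 of the object bytes as stored in S3 (the compressed file). Verification of the RSA signature carried in each digest object's metadata, which needs the public key from `aws cloudtrail list-public-keys`, is deliberately left out.

```python
import gzip
import hashlib
import json

ACCOUNT = "123456789012"          # constructed account ID
BUCKET = "example-trail-logs"     # constructed bucket name
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/05/01/"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def log_object(records):
    """A CloudTrail log file as stored in S3: gzipped JSON with a Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def digest_object(key, log_keys, previous_key, store):
    """A digest file in the shape CloudTrail delivers: per-file hashes plus a
    link (bucket, key, hash) to the previous digest. Stored gzipped like the logs."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(store[previous_key]) if previous_key else None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(store[k])}
            for k in log_keys
        ],
    }
    return gzip.compress(json.dumps(digest).encode())


def build_store():
    """Constructed S3 contents: two log objects and two chained digests.
    Returns (objects keyed by S3 key, key of the newest digest)."""
    store = {}
    log1 = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T0000Z_aaaa.json.gz"
    log2 = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T0100Z_bbbb.json.gz"
    dig1 = DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T010000Z.json.gz"
    dig2 = DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T020000Z.json.gz"
    store[log1] = log_object([{"eventName": "ConsoleLogin", "eventTime": "2024-05-01T00:10:00Z"}])
    store[log2] = log_object([{"eventName": "CreateAccessKey", "eventTime": "2024-05-01T01:05:00Z"}])
    store[dig1] = digest_object(dig1, [log1], None, store)
    store[dig2] = digest_object(dig2, [log2], dig1, store)
    return store, dig2


def verify_chain(store, latest_digest_key):
    """Walk the digest chain newest to oldest, re-hashing every referenced object.
    Returns a list of problems; an empty list means the log set is intact."""
    problems = []
    key = latest_digest_key
    while key:
        data = store.get(key)
        if data is None:
            problems.append("digest missing: " + key)
            break
        digest = json.loads(gzip.decompress(data))
        for entry in digest["logFiles"]:
            body = store.get(entry["s3Object"])
            if body is None:
                problems.append("log file missing: " + entry["s3Object"])
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append("log file modified: " + entry["s3Object"])
        prev = digest.get("previousDigestS3Object")
        # A rewritten earlier digest no longer matches the hash the next one recorded.
        if prev and prev in store and sha256_hex(store[prev]) != digest["previousDigestHashValue"]:
            problems.append("digest modified: " + prev)
        key = prev
    return problems


def tamper_log(store, key):
    """Return a copy of the store in which one log object has an event appended."""
    altered = dict(store)
    records = json.loads(gzip.decompress(store[key]))["Records"]
    altered[key] = log_object(records + [{"eventName": "DeleteTrail"}])
    return altered


if __name__ == "__main__":
    store, latest = build_store()
    print("intact:", verify_chain(store, latest))
    first_log = min(k for k in store if "/CloudTrail/" in k)
    print("tampered:", verify_chain(tamper_log(store, first_log), latest))
```

Because each digest records the hash of the previous digest, an attacker who edits a log file must also rewrite every later digest, and without CloudTrail's private key the rewritten digests will fail the signature check that the real command performs on top of this walk.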

246
MCQ · medium

A security engineer needs to detect when an EC2 instance is terminated in an AWS account. The solution must provide near-real-time notification. Which combination of services should be used?

A.VPC Flow Logs and Amazon CloudWatch Logs
B.AWS CloudTrail and Amazon EventBridge
C.AWS Config and Amazon SNS
D.Amazon CloudWatch Alarms and Amazon SNS
AnswerB

CloudTrail logs the TerminateInstances event, and EventBridge can trigger an SNS notification.

Why this answer

Option B is correct because CloudTrail records the TerminateInstances call and delivers it to EventBridge as an "AWS API Call via CloudTrail" event; a rule matching eventSource ec2.amazonaws.com and eventName TerminateInstances can target an SNS topic within seconds of the call. Option C is wrong because AWS Config records the resulting state change but is not near-real-time for the API call. Option A is wrong because VPC Flow Logs do not capture instance termination.

Option D is wrong because CloudWatch Alarms evaluate metrics, not API calls. Note: EventBridge also emits a native "EC2 Instance State-change Notification" event with state terminated, which fires however the instance was terminated; the CloudTrail pattern is the one that tells you which principal made the call.

247
MCQ · hard

An organization wants to detect and alert on the use of root user credentials in their AWS accounts. They have multiple accounts managed via AWS Organizations. What is the most efficient way to centralize this monitoring?

A.Create an AWS CloudTrail trail in each account and aggregate logs to a central S3 bucket.
B.Use IAM Access Analyzer to find resources shared with external entities.
C.Use AWS Config rules to detect root user usage in each account.
D.Enable Amazon GuardDuty in the management account and use the delegated administrator feature.
AnswerD

GuardDuty centrally detects root user activity across accounts.

Why this answer

Amazon GuardDuty has a built-in finding type for root credential use (Policy:IAMUser/RootCredentialUsage). Enabling GuardDuty for the organization with a delegated administrator account turns it on in every member account and collects all findings in one place. Option D is correct.

Option A is wrong because it proposes a trail in every account, which is more work than an organization trail and still leaves the alerting to be built. Option C is wrong because AWS Config rules evaluate resource configuration per account and would need custom logic to inspect API activity. Option B is wrong because IAM Access Analyzer looks for resources shared outside the account, not root activity. Practitioner note: make the delegated administrator a dedicated security account rather than the management account, and turn on auto-enable so new member accounts are covered as they join.

248
Multi-Select · hard

A company wants to monitor for unauthorized API calls in real-time. The solution must meet the following requirements: - Detect calls that fail authentication (AccessDenied). - Detect calls that use a revoked IAM role. - Provide a centralized view across multiple accounts. Which THREE services should be used together to implement this solution? (Choose three.)

Select 3 answers
A.AWS Organizations
B.AWS CloudTrail
C.AWS IAM Access Analyzer
D.Amazon CloudWatch Logs
E.AWS Config
AnswersA, B, D

Organizations allows you to centrally manage trails across member accounts using a single organization trail.

Why this answer

Options A, B and D are correct: CloudTrail records every call with its errorCode (AccessDenied for IAM-backed services, Client.UnauthorizedOperation for EC2) and caller identity; CloudWatch Logs metric filters on those fields produce metrics and alarms in near real time; and AWS Organizations allows one organization trail that delivers every account's events to a single bucket and, from the management account, to one CloudWatch Logs log group. Option E is wrong because AWS Config evaluates configuration, not API calls. Option C is wrong because IAM Access Analyzer analyzes resource policies, not API calls. On the revoked-role requirement: revoking a role's active sessions attaches an inline Deny keyed on aws:TokenIssueTime, so further calls with the old credentials fail with AccessDenied and are caught by the same filter.

249
MCQ · hard

A company wants to monitor AWS API calls for suspicious activity and automatically remediate by revoking IAM roles in real time. Which combination of services should be used?

A.AWS CloudTrail and Amazon Inspector
B.AWS CloudTrail and AWS Config
C.Amazon GuardDuty and AWS Config
D.Amazon CloudWatch Events and AWS Lambda
AnswerD

CloudWatch Events can match API calls and trigger Lambda to revoke IAM roles.

Why this answer

Option D is correct because CloudWatch Events (now Amazon EventBridge) receives CloudTrail API events and GuardDuty findings as they occur, and a rule can invoke a Lambda function that revokes the role's active sessions (by attaching an inline Deny keyed on aws:TokenIssueTime) or detaches its policies. Option C is wrong because GuardDuty raises findings but does not remediate on its own. Option B is wrong because Config records resource changes and is not a real-time API feed.

Option A is wrong because CloudTrail alone cannot act, and Amazon Inspector assesses vulnerabilities. Note that EventBridge only sees API calls because CloudTrail records them, so the working chain in practice is CloudTrail to EventBridge to Lambda, with the Lambda role limited to the IAM actions it needs.

250
MCQ · medium

A company wants to centralize logging from multiple AWS accounts into a single logging account. The logs include AWS CloudTrail, AWS Config, and VPC Flow Logs. Which solution should the company implement to meet these requirements with minimal operational overhead?

A.Use Amazon Kinesis Data Firehose in each account to send logs to a central Amazon S3 bucket.
B.Configure each account to deliver logs to its own S3 bucket and use S3 cross-region replication to copy logs to the central bucket.
C.Use AWS Organizations to create a CloudTrail trail that applies to all accounts and delivers logs to a central S3 bucket.
D.Use AWS Lambda functions in each account to copy log files to a central S3 bucket.
AnswerC

With Organizations, you can create an organization trail that logs all accounts' management events to a single S3 bucket.

Why this answer

Option C is correct because an organization trail is created once in the management account (or a delegated administrator) and records every member account's events to the central bucket, with new accounts picked up automatically. Option B is wrong because S3 cross-region replication copies objects between two buckets; it needs per-account setup and does not centralize anything by itself. Option A is wrong because Kinesis Data Firehose would need a delivery stream in every account.

Option D is wrong because Lambda would require custom code per account. Caveat: the organization trail covers CloudTrail only. AWS Config configuration items are centralized with an aggregator, with each account's delivery channel pointed at the shared bucket, and VPC Flow Logs are pointed at the central bucket per VPC; both rely on the bucket policy allowing config.amazonaws.com and delivery.logs.amazonaws.com to write.

251
MCQ · hard

A company is using Amazon Macie to discover sensitive data in S3. The security team wants to be notified when Macie finds a high-severity alert. Which integration should be used?

A.Configure Macie to store findings in an S3 bucket and enable S3 event notifications.
B.Integrate Macie with AWS Security Hub and create a custom action to send to SNS.
C.Create an Amazon EventBridge rule that matches Macie findings and targets an SNS topic.
D.Configure Macie to send findings to CloudWatch Logs and create a metric filter.
AnswerC

EventBridge is the native event bus for Macie findings, allowing real-time routing to SNS.

Why this answer

Option C is correct because Macie publishes every finding to Amazon EventBridge (formerly CloudWatch Events) automatically; a rule with a pattern on source aws.macie and the finding's severity can target an SNS topic in near real time. Option D is incorrect because Macie does not write findings to CloudWatch Logs. Option A is incorrect because Macie's export of findings to an S3 bucket exists for retention, not alerting; polling a bucket adds delay and plumbing.

Option B is incorrect because, although Macie does send findings to Security Hub, a Security Hub custom action is triggered by a person selecting findings in the console, so it is not an automatic alert; the EventBridge rule is the direct path. Practitioner note: filter in the rule on the finding's severity description (for example only High) so the on-call team sees only what needs action.

252
Drag & Drop · medium

Drag and drop the steps to set up AWS Shield Advanced with automatic application layer DDoS mitigation in the correct order.



Why this order

Shield Advanced requires the subscription first, then adding the resource (for example the ALB or CloudFront distribution) as a protected resource, associating an AWS WAF web ACL with it, enabling automatic application layer DDoS mitigation (which places Shield's rate-based mitigation rule in that web ACL, in count or block mode), and finally associating a Route 53 health check with the protection for health-based detection.

253
MCQ · medium

A security engineer notices that CloudTrail logs for a production account are not being delivered to the S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

A.The S3 bucket does not have versioning enabled.
B.The S3 bucket uses SSE-KMS encryption.
C.The bucket policy does not grant s3:GetBucketAcl to CloudTrail.
D.The S3 bucket contains existing objects before CloudTrail delivery started.
AnswerC

CloudTrail needs GetBucketAcl to verify bucket ownership.

Why this answer

Option C is correct because CloudTrail's required bucket policy has two statements: an Allow for s3:GetBucketAcl on the bucket, which CloudTrail uses to confirm the bucket owner before delivering, and an Allow for s3:PutObject on the AWSLogs/<account>/* prefix with the condition that the object is written with the bucket-owner-full-control ACL. Without the ACL check, delivery fails even though writes are allowed. Option B is wrong because SSE-KMS is supported as long as the key policy lets cloudtrail.amazonaws.com generate data keys. Option A is wrong because S3 versioning is not required.

Option D is wrong because existing objects do not affect delivery. Check first: `aws cloudtrail get-trail-status` reports LatestDeliveryError, which names the permission that failed.
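
Worked example, added here and not from the original page or from CloudTrail's own code, covering the delivery failures in this question and in questions 234 and 238: a Python check that asks whether a bucket policy grants the CloudTrail service principal the two permissions delivery needs, s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account>/. It is run against three constructed policies: the write-only policy from this scenario, a policy that allows only the management account's root user (the question 238 scenario), and the documented two-statement shape. The bucket and account IDs are placeholders, and the matcher is a simplification: it only reads Allow statements with Service principals and ignores Deny statements, aws:SourceArn conditions and SCPs.

```python
import fnmatch

BUCKET = "central-security-logs"  # constructed bucket name
MEMBER_ACCOUNT = "111122223333"   # constructed member account ID
SERVICE = "cloudtrail.amazonaws.com"

# Constructed policy 1: mirrors this scenario, writes allowed but no GetBucketAcl.
WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{MEMBER_ACCOUNT}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

# Constructed policy 2: only the management account's root user may write.
ROOT_ONLY_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Constructed policy 3: the documented two-statement shape CloudTrail needs.
COMPLETE_POLICY = {
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": SERVICE},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": SERVICE},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{MEMBER_ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(stmt, service, action, resource):
    """Allow statement whose Principal.Service, Action and Resource cover the request.
    Actions match case-insensitively; ARNs match IAM-style with * and ? wildcards."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if principal != "*" and service not in services:
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action"))):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))


def delivery_gaps(policy, bucket, account, service=SERVICE):
    """Return the grants CloudTrail still lacks for delivering `account`'s logs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # A representative object key under the account's prefix, in CloudTrail's layout.
    sample_object = (f"{bucket_arn}/AWSLogs/{account}/CloudTrail/us-east-1/2024/05/01/"
                     f"{account}_CloudTrail_us-east-1_20240501T0000Z_aaaa.json.gz")
    required = [("s3:GetBucketAcl", bucket_arn), ("s3:PutObject", sample_object)]
    statements = _as_list(policy.get("Statement"))
    return [f"{action} on {res}" for action, res in required
            if not any(_allows(s, service, action, res) for s in statements)]


if __name__ == "__main__":
    for name, policy in (("write-only", WRITE_ONLY_POLICY),
                         ("root-only", ROOT_ONLY_POLICY),
                         ("complete", COMPLETE_POLICY)):
        print(name, "->", delivery_gaps(policy, BUCKET, MEMBER_ACCOUNT) or "ok")
```

For Config or VPC Flow Logs delivery run the same check with config.amazonaws.com or delivery.logs.amazonaws.com as the service, since each writes under its own service principal.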

254
Multi-Select · hard

A security engineer is designing a logging strategy for a multi-account environment. The engineer needs to ensure that all API activity across accounts is logged and that logs are immutable and centrally accessible. Which THREE actions should the engineer take?

Select 3 answers
A.Stream logs to CloudWatch Logs for real-time monitoring.
B.Create an AWS CloudTrail organization trail that logs to a central S3 bucket.
C.Enable S3 Object Lock in Compliance mode on the central bucket.
D.Enable VPC Flow Logs in all accounts and send to the central bucket.
E.Grant the central bucket policy to allow only the CloudTrail service to write logs.
AnswersB, C, E

Organization trails log all accounts in the organization.

Why this answer

To log all API activity across accounts, use an organization trail with CloudTrail. To make logs immutable, enable S3 Object Lock in Compliance mode. To centralize access, store logs in a central S3 bucket.

Options B, C and E are correct. Option A is wrong because CloudWatch Logs is a mutable, searchable store, not an immutable archive. Option D is wrong because VPC Flow Logs capture network traffic, not API calls. Caveat on E: "only CloudTrail" means only CloudTrail may write; the bucket policy should allow the CloudTrail service principal scoped with aws:SourceArn to the organization trail, while read access for analysts is granted separately.

255
MCQ · hard

A security engineer needs to analyze VPC Flow Logs to identify traffic to a known malicious IP address. The logs are stored in Amazon S3. Which approach is the most cost-effective for querying the logs?

A.Use Amazon Athena to query the logs in S3
B.Load the logs into an Amazon Redshift cluster
C.Use Amazon EMR to run Spark jobs
D.Use Amazon QuickSight to connect to S3
AnswerA

Athena is cost-effective for ad-hoc queries on S3 data.

Why this answer

Amazon Athena queries the flow logs where they sit in S3 and charges per byte scanned, so a filter on dstaddr for the known bad IP over a partitioned table costs very little. QuickSight is for visualization and still needs a query engine underneath. Redshift requires loading the data and paying for a cluster.

EMR is overkill for a single ad-hoc lookup. Keep Athena cheap: partition the table by account, region and date, store the logs as Parquet, and restrict the WHERE clause to the partitions of interest.

256
MCQ · medium

A security engineer notices that an EC2 instance is sending outbound traffic to an unknown IP address. The engineer needs to capture and analyze the network traffic to determine what data is being exfiltrated. Which AWS service should be used to capture the traffic for analysis?

A.Amazon Inspector
B.Amazon GuardDuty
C.VPC Flow Logs
D.AWS CloudTrail
AnswerC

VPC Flow Logs capture IP traffic metadata for analysis.

Why this answer

Option C is correct because VPC Flow Logs capture IP traffic metadata for network interfaces (source and destination addresses, ports, protocol, packet and byte counts, and the ACCEPT or REJECT action), which is enough to see where the instance is sending data and how much. Option D is wrong because AWS CloudTrail records API calls, not network traffic. Option B is wrong because Amazon GuardDuty detects threats but does not capture raw traffic.

Option A is wrong because Amazon Inspector assesses vulnerabilities, not network traffic. Caveat: flow logs contain no payload; to determine what data is being exfiltrated you need packet capture, which in a VPC means a Traffic Mirroring session to an analysis appliance, with flow logs used to scope when the transfer happened and how much left.

257
MCQhard

A company's security team is investigating a potential security incident. They have enabled CloudTrail and CloudWatch Logs. They want to receive real-time alerts when an IAM user creates a new access key. Which combination of services should be used to achieve this?

A.AWS Config rules with an SNS topic
B.Amazon GuardDuty with an SNS topic
C.CloudTrail with CloudWatch Logs, metric filter, alarm, and SNS topic
D.CloudTrail with Lambda function invocation
AnswerC

Correct end-to-end solution.

Why this answer

Option C is correct. CloudTrail logs the CreateAccessKey API call to CloudWatch Logs. A CloudWatch Logs metric filter can match that event and trigger a CloudWatch alarm, which publishes to an SNS topic to send notifications.

Option A is wrong because Config is not real-time and does not evaluate API calls. Option B is wrong because GuardDuty detects threats but does not monitor specific API calls. Option D is wrong because Lambda cannot directly read CloudTrail logs without a subscription.

258
MCQmedium

A security engineer is investigating a potential data exfiltration incident. They see that an EC2 instance with an IAM role is making API calls to S3 to download objects. The IAM role has an S3 bucket policy that allows access from that role. However, CloudTrail logs show that the calls are being made from an IP address outside the company's network. What is the most likely explanation?

A.The IAM role credentials were stolen and are being used from an external machine.
B.The EC2 instance has a public IP and the calls are originating from the instance itself.
C.CloudTrail is logging the IP address of the AWS service endpoint, not the client.
D.The S3 bucket policy allows public access.
AnswerA

Stolen credentials can be used from anywhere; the source IP in CloudTrail reflects the actual client IP.

Why this answer

The correct answer is A because the CloudTrail logs show the API calls originating from an IP address outside the company's network, which indicates that the IAM role credentials (temporary security credentials from the instance metadata) have been compromised and are being used from an external machine. The S3 bucket policy allows access from the IAM role, but the source IP in the logs is external, confirming the credentials are being used outside the EC2 instance.

Exam trap

The trap here is that candidates may assume the external IP is due to a NAT gateway or AWS service endpoint, but CloudTrail always logs the actual client IP, not the service endpoint IP.

How to eliminate wrong answers

Option B is wrong because if the EC2 instance has a public IP and the calls originate from the instance itself, the source IP in CloudTrail would be the instance's public IP or the NAT gateway IP, not an IP outside the company's network. Option C is wrong because CloudTrail logs the source IP address of the client making the API call, not the AWS service endpoint IP; this is a fundamental behavior of CloudTrail logging. Option D is wrong because the S3 bucket policy allows access from the IAM role, not public access; a public access policy would allow anonymous requests, but the logs show the calls are made with the IAM role's credentials, not anonymously.

259
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to ensure that all CloudTrail trails are enabled in all accounts and log to a central S3 bucket. What is the MOST efficient way to enforce this?

A.Use AWS Lambda to check each account and enable CloudTrail if missing.
B.Use AWS Config aggregator to verify compliance and send alerts.
C.Create a service control policy (SCP) that requires CloudTrail.
D.Use AWS CloudFormation StackSets to deploy a CloudTrail template to all accounts.
AnswerD

StackSets can deploy and manage resources across accounts.

Why this answer

Option D is correct because AWS CloudFormation StackSets can deploy CloudTrail across all accounts in an organization. Option B is wrong because a Config aggregator does not deploy resources. Option C is wrong because service control policies (SCPs) can deny disabling CloudTrail but cannot enable it.

Option A is wrong because Lambda functions need to be triggered and are less efficient.

260
MCQhard

A company uses AWS Organizations with multiple accounts. They want to centralize logging of all API calls across all accounts and store them in a single S3 bucket. Which configuration should be used?

A.Use AWS Config to record API calls across all accounts
B.Create a separate CloudTrail trail in each account and aggregate logs using Amazon Athena
C.Create an organization trail in the management account
D.Enable VPC Flow Logs in each account and send to a central S3 bucket
AnswerC

Organization trails log events for all accounts and deliver to a single bucket.

Why this answer

Option C is correct because CloudTrail supports organization trails that log events for all accounts in the organization and deliver them to a single S3 bucket. Option B is wrong because individual trails per account would require manual aggregation. Option A is wrong because AWS Config does not log API calls.

Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

261
Multi-Selectmedium

A security engineer is designing a logging solution for an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The engineer needs to capture and store the following logs for analysis: (1) HTTP request logs from the ALB, (2) operating system logs from the EC2 instances, and (3) network traffic logs for the VPC. Which combination of AWS services should the engineer use? (Choose three.)

Select 3 answers
A.Enable access logging on the ALB and store logs in an S3 bucket.
B.Enable VPC Flow Logs to capture network traffic metadata.
C.Enable S3 server access logging for the application's S3 buckets.
D.Enable AWS CloudTrail to capture API calls.
E.Install the CloudWatch Logs agent on EC2 instances to send OS logs to CloudWatch Logs.
AnswersA, B, E

ALB access logs capture HTTP request details.

Why this answer

Correct options: A (ALB access logs), B (VPC Flow Logs), E (CloudWatch Logs agent for OS logs). Option D is wrong because CloudTrail does not capture OS logs. Option C is wrong because S3 server access logs are for S3 buckets, not network traffic.

262
MCQmedium

A company has an S3 bucket that stores sensitive data. The bucket policy allows access only from a specific VPC endpoint. The security team notices that an object was accessed from an IP address outside the allowed VPC. CloudTrail logs show that the access was made using temporary credentials from an assumed role. The role was assumed by an EC2 instance in the allowed VPC. What is the MOST likely reason the access was allowed despite the bucket policy restriction?

A.The bucket policy does not require encryption in transit.
B.The bucket policy allows access from the VPC endpoint, and the request was made through that endpoint.
C.The bucket policy has a syntax error that makes it ineffective.
D.The IAM role used by the EC2 instance has permissions that override the bucket policy.
AnswerB

The VPC endpoint condition allows access from any IP if the request goes through the endpoint.

Why this answer

Option B is correct. If the bucket policy only checks the VPC endpoint condition and the request came through the VPC endpoint, the request is allowed even if the source IP is outside the VPC, because the VPC endpoint condition overrides IP-based restrictions. Option D is wrong because the role is already allowed by the bucket policy.

Option A is wrong because there is no encryption requirement. Option C is wrong because the bucket policy is not malformed.

263
MCQmedium

A security engineer needs to monitor for unauthorized changes to IAM roles and policies in an AWS account. The engineer wants to receive an email notification whenever an IAM policy is attached to a role. Which AWS services should be combined to achieve this?

A.Amazon GuardDuty and Amazon Simple Email Service (SES)
B.AWS CloudTrail and Amazon CloudWatch Events (Amazon EventBridge)
C.AWS Config and Amazon Simple Notification Service (SNS)
D.Amazon Inspector and Amazon CloudWatch Logs
AnswerB

CloudTrail logs the API call; EventBridge triggers SNS notification.

Why this answer

Option B is correct: CloudTrail records the AttachRolePolicy API call, and CloudWatch Events (EventBridge) can trigger an SNS notification when that event occurs. Option C is wrong because AWS Config can detect configuration changes but does not directly send email; it can integrate with SNS, but CloudTrail is more straightforward for API-specific events. Option D is wrong because Amazon Inspector does not monitor IAM changes.

Option A is wrong because Amazon GuardDuty detects threats, not specific API calls.

264
MCQmedium

A company runs a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group, and an RDS MySQL database. The security team wants to monitor for SQL injection attempts. They have enabled AWS WAF on the ALB and are logging all requests. The security engineer needs to analyze the WAF logs to identify if any SQL injection attacks have been attempted. The logs are stored in an S3 bucket. The engineer needs to query the logs for patterns like 'SELECT * FROM' or 'DROP TABLE' in the URI. Which service should the engineer use to perform this analysis?

A.Amazon Kinesis Data Analytics
B.Amazon QuickSight
C.CloudWatch Logs Insights
D.Amazon Athena
AnswerD

Athena can query WAF logs in S3 directly.

Why this answer

Option D is correct because Amazon Athena can query WAF logs stored in S3 using SQL. Option C is wrong because CloudWatch Logs Insights works with CloudWatch Logs, not S3. Option B is wrong because QuickSight is for visualization, not direct querying.

Option A is wrong because Kinesis Data Analytics is for real-time streaming, not static S3 logs.

265
Multi-Selectmedium

A security team is designing a logging solution for a multi-account AWS environment using AWS Organizations. They need to collect CloudTrail logs, VPC Flow Logs, and DNS logs from all accounts. Which TWO services can be used to centralize this logging?

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail (Organization Trail)
C.AWS Config
D.Amazon GuardDuty
E.Amazon S3
AnswersB, E

Organization Trail collects CloudTrail logs from all accounts into a single S3 bucket.

Why this answer

CloudTrail Organization Trail centralizes CloudTrail logs. Amazon S3 is the standard destination for VPC Flow Logs and DNS logs (via Route 53 Resolver query logs). AWS Config is configuration management, not log collection.

CloudWatch Logs can be used but is not the primary centralization service for cross-account logs; S3 is more cost-effective for long-term storage.

266
MCQmedium

A company uses AWS Organizations with multiple accounts. The security team needs to centrally monitor all API calls made in the member accounts. The team wants to ensure that all CloudTrail logs are delivered to a centralized S3 bucket in the management account. Which configuration should the security team implement?

A.Configure CloudWatch cross-account subscription to send logs from member accounts to the management account.
B.Enable CloudTrail in each member account and configure each trail to deliver logs to the same S3 bucket.
C.Create an organization trail in the management account with the S3 bucket in the management account.
D.Use Amazon S3 replication to copy logs from member account buckets to the management account bucket.
AnswerC

An organization trail automatically applies to all accounts and delivers logs to a central bucket.

Why this answer

Option C is correct because an organization trail can be created in the management account that automatically applies to all member accounts. Option B is wrong because enabling CloudTrail in each account is not centralized. Option D is wrong because S3 replication does not guarantee all logs are captured.

Option A is wrong because CloudWatch cross-account subscription is not the standard method for centralizing logs.

267
Multi-Selecteasy

A security engineer needs to collect and analyze operating system logs from EC2 instances. Which TWO services are required?

Select 2 answers
A.Amazon VPC Flow Logs
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon CloudWatch Agent
E.AWS CloudTrail
AnswersC, D

CloudWatch Logs stores and analyzes log data from the CloudWatch agent.

Why this answer

Options C and D are correct. The CloudWatch agent must be installed on the EC2 instance to collect OS logs and send them to CloudWatch Logs. Option E is incorrect because CloudTrail logs API calls, not OS logs.

Option A is incorrect because VPC Flow Logs capture network traffic, not OS logs. Option B is incorrect because AWS Config does not collect OS logs.

268
MCQhard

A company is using Amazon CloudWatch Logs to centralize application logs from EC2 instances. The security team wants to encrypt the log data at rest using a customer-managed KMS key. After enabling encryption on the log group, they notice that new log events are being encrypted, but existing log events are not encrypted. What should the team do to encrypt the existing log events?

A.Use the AWS CLI to update the log group's encryption configuration to re-encrypt existing data.
B.Export the existing logs to S3, encrypt them with the KMS key, and re-import them into a new log group.
C.Enable KMS automatic key rotation on the customer-managed key to encrypt existing logs.
D.Change the KMS key to an AWS managed key to automatically encrypt existing logs.
AnswerB

Only way to encrypt existing logs.

Why this answer

Option B is correct because CloudWatch Logs does not support encrypting existing log events retroactively. The only way to encrypt them is to export them, re-encrypt, and re-import. Option A is wrong because there is no built-in re-encryption.

Option D is wrong because you cannot change the KMS key on an existing log group. Option C is wrong because key rotation does not re-encrypt existing data; re-encryption is not supported.

269
Multi-Selectmedium

Which THREE actions can be performed using AWS CloudTrail to enhance security monitoring?

Select 3 answers
A.Monitor SSH login attempts to EC2 instances.
B.Detect unauthorized API calls by analyzing CloudTrail logs.
C.Monitor changes to S3 bucket policies.
D.Capture all network traffic to and from EC2 instances.
E.Track changes to IAM user permissions.
AnswersB, C, E

CloudTrail logs all API calls, enabling detection of unauthorized access.

Why this answer

Options B, C, and E are correct. CloudTrail logs can be used to detect unauthorized API activity, track changes to IAM user permissions, and monitor S3 bucket policy changes. Option A is incorrect because CloudTrail does not capture operating system logs such as SSH login attempts.

Option D is incorrect because CloudTrail does not capture network traffic.

270
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The security team wants to analyze web request logs to identify potential SQL injection attacks. Which AWS service should be used to collect and analyze the ALB access logs?

A.VPC Flow Logs
B.AWS WAF
C.Amazon CloudWatch Logs Insights
D.Amazon Athena
AnswerD

Athena can query ALB access logs in S3 with SQL to detect SQL injection patterns.

Why this answer

Option D is correct because Amazon Athena can query ALB access logs stored in S3 using standard SQL, allowing analysis for SQL injection patterns. Option C is wrong because Amazon CloudWatch Logs Insights can query CloudWatch Logs, but ALB access logs are typically stored in S3, not CloudWatch Logs. Option A is wrong because VPC Flow Logs capture network traffic metadata, not HTTP request details.

Option B is wrong because AWS WAF provides web application firewall capabilities but does not analyze stored logs; it can generate logs, but analysis would require another service such as Athena.

271
MCQeasy

A company is required to retain CloudTrail logs for 7 years for compliance. Which solution meets this requirement with the LEAST operational overhead?

A.Store logs in CloudWatch Logs with a retention period of 7 years.
B.Configure CloudTrail to automatically delete logs older than 7 years.
C.Use an AWS Lambda function to delete logs older than 7 years.
D.Configure an S3 Lifecycle policy to transition logs to S3 Glacier Deep Archive after 90 days and expire after 7 years.
E.Export logs to AWS Snowball for offline archival.
AnswerD

Lifecycle policies automate retention and minimize costs.

Why this answer

Option D is correct because it uses an S3 Lifecycle policy to automatically transition CloudTrail logs to S3 Glacier Deep Archive after 90 days (reducing storage costs) and then expire (delete) the objects after 7 years, meeting the retention requirement with zero ongoing operational effort. This is the least operational overhead solution as it is fully automated within S3, requiring no custom code, manual intervention, or additional services.

Exam trap

The trap here is that candidates may think CloudTrail itself manages log retention (Option B) or that CloudWatch Logs is the simplest option (Option A), but AWS explicitly requires you to manage retention at the destination, and S3 Lifecycle policies are the native, automated, and lowest-overhead solution for long-term archival and deletion.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs has a maximum retention period of 10 years, but storing 7 years of CloudTrail logs in CloudWatch Logs incurs high ingestion and storage costs compared to S3, and requires manual or automated export for long-term archival, increasing operational overhead. Option B is wrong because CloudTrail does not have a built-in feature to automatically delete logs older than a specified period; log retention and deletion must be managed at the destination (e.g., S3 Lifecycle policies). Option C is wrong because using a Lambda function to delete logs older than 7 years introduces custom code, potential execution failures, and ongoing maintenance, which is higher operational overhead than a native S3 Lifecycle policy.

Option E is wrong because exporting logs to AWS Snowball for offline archival is designed for large-scale data transfer and physical shipping, not for routine 7-year retention, and it adds significant operational overhead and latency.

272
MCQhard

A company uses AWS CloudTrail to log all API calls. The security team notices that some PutObject API calls are not appearing in the CloudTrail logs. The S3 bucket in question has server access logging enabled. What is the MOST likely reason for the missing CloudTrail events?

A.CloudTrail was not configured to log data events for S3.
B.Server access logs are interfering with CloudTrail.
C.The PutObject calls were made via the AWS Management Console.
D.The S3 bucket policy denies CloudTrail from logging.
AnswerA

Data events (like PutObject) are not logged by default; they require explicit configuration in the trail.

Why this answer

Option A is correct because CloudTrail data events for S3 must be explicitly enabled; by default, only management events are logged. Option B is wrong because server access logs are separate from CloudTrail. Option C is wrong because S3 events are logged regardless of whether the request is from the console or CLI.

Option D is wrong because the bucket policy does not affect CloudTrail logging; CloudTrail logs all API calls that it is configured to log.

273
MCQmedium

A security analyst needs to review all failed SSH login attempts to an EC2 instance. Which combination will provide this information?

A.Use AWS Config to record EC2 instance configuration and check for security group changes.
B.Install the CloudWatch agent on the EC2 instance to collect /var/log/secure and stream to CloudWatch Logs.
C.Enable AWS CloudTrail and search for EC2-related events.
D.Enable VPC Flow Logs for the subnet and query the logs in CloudWatch Logs Insights for rejected traffic on port 22.
AnswerD

VPC Flow Logs capture metadata of network traffic, including rejected connections; SSH login failures typically show as rejected TCP connections on port 22.

Why this answer

Option D is correct because VPC Flow Logs capture network traffic metadata, including destination port and action (accept/reject), and CloudWatch Logs Insights can query for SSH traffic (port 22) that was rejected. Option C is incorrect because CloudTrail logs API calls, not OS-level login attempts. Option B is incorrect because the CloudWatch agent can collect OS logs but is not the simplest way; VPC Flow Logs are more straightforward.

Option A is incorrect because Config does not monitor OS logs.

274
MCQmedium

A security engineer needs to monitor for AWS account root user login events and automatically send a notification to the security team. The engineer has enabled CloudTrail and is sending logs to CloudWatch Logs. What is the least effort way to achieve this?

A.Enable Amazon GuardDuty and use its finding for root user activity.
B.Create a metric filter on the CloudWatch Logs group and a CloudWatch alarm.
C.Create a CloudWatch Events rule that matches the event and triggers an SNS topic.
D.Use AWS Config managed rule to detect root user activity.
AnswerC

EventBridge can directly match events and send to SNS.

Why this answer

Option C is correct because CloudWatch Events (EventBridge) can filter for root user login events (userIdentity.type = Root) and trigger an SNS topic for notification. Option B is wrong because a metric filter and alarm would require additional steps. Option D is wrong because Config is for resource configuration, not API call monitoring.

Option A is wrong because GuardDuty does not alert on root user login by default.

275
MCQmedium

A company needs to centralize security logs from multiple AWS accounts and on-premises servers. The logs must be encrypted at rest and stored in a cost-effective manner. Which solution meets these requirements?

A.Use Amazon S3 Glacier with Vault Lock
B.Use Amazon S3 with server-side encryption (SSE-S3)
C.Use Amazon Kinesis Data Firehose to deliver logs to Amazon Redshift
D.Use Amazon CloudWatch Logs with KMS encryption
AnswerB

S3 provides cost-effective encrypted storage.

Why this answer

Amazon S3 with SSE-S3 provides cost-effective encrypted storage. CloudWatch Logs is more expensive. Kinesis Firehose can deliver to S3 but adds cost.

Glacier is for archival, not active logging.

276
MCQeasy

A security engineer wants to capture all DNS queries made by EC2 instances to detect potential data exfiltration. Which AWS service should be used to log the DNS requests?

A.Use Route 53 Resolver DNS Firewall with query logging
B.Use Amazon GuardDuty
C.Enable VPC Flow Logs
D.Enable AWS CloudTrail
AnswerA

DNS Firewall can log DNS queries for VPCs.

Why this answer

Route 53 Resolver DNS Firewall with query logging is the correct choice because it is specifically designed to log all DNS queries made by EC2 instances that use the Route 53 Resolver. This service captures the domain names being queried, the source IP, and the response, enabling detection of DNS-based data exfiltration (e.g., DNS tunneling). It integrates directly with the VPC's DNS resolver, ensuring all outbound DNS traffic from EC2 instances is logged without additional agents.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (which show IP-level metadata) with DNS query logs, not realizing that DNS exfiltration requires the actual domain names being queried, which only DNS-specific logging provides.

How to eliminate wrong answers

Option B is wrong because Amazon GuardDuty is a threat detection service that analyzes DNS logs from Route 53 Resolver DNS Firewall or other sources, but it does not itself capture or log raw DNS queries; it relies on existing logs. Option C is wrong because VPC Flow Logs capture metadata about IP traffic (source/destination IP, ports, protocol) but do not log the actual DNS query names or payloads, making them insufficient for detecting DNS exfiltration. Option D is wrong because AWS CloudTrail logs API calls to AWS services (e.g., Route 53 API calls) but does not capture the DNS queries made by EC2 instances to external domains.

277
MCQmedium

Refer to the exhibit. A security engineer applies this S3 bucket policy to enforce server-side encryption. However, users report that they can still upload objects without encryption. What is the most likely reason the policy is not working as intended?

A.The bucket policy does not apply to objects uploaded by the bucket owner when using the AWS Management Console.
B.The bucket policy uses 'Deny' instead of 'Allow', which is incorrect for enforcing encryption.
C.The policy does not include 's3:PutObjectAcl' action, so users can bypass encryption via ACLs.
D.The 's3:x-amz-server-side-encryption' condition key is misspelled; it should be 's3:x-amz-server-side-encryption-customer-algorithm'.
AnswerA

Bucket policies do not apply to the bucket owner's AWS account root user or when using the console if the user has full S3 permissions; the policy is overridden by IAM permissions.

Why this answer

S3 bucket policies are not evaluated for requests made by the AWS account root user or by IAM users with full S3 access when using the console; they rely on IAM permissions. To enforce encryption, use an IAM policy or S3 default encryption.

278
MCQeasy

A security engineer is responsible for monitoring AWS account activity. The engineer needs to receive real-time notifications when specific API calls are made, such as 'DeleteTrail' or 'UpdateTrail'. The engineer wants to use AWS services to achieve this with minimal latency. Which combination of services should the engineer use?

A.CloudTrail -> Amazon EventBridge -> Amazon SNS
B.CloudTrail -> Amazon S3 -> S3 event notification -> AWS Lambda -> Amazon SNS
C.CloudTrail -> CloudWatch Logs -> CloudWatch Logs subscription filter -> AWS Lambda -> Amazon SNS
D.CloudTrail -> CloudWatch Logs -> CloudWatch metric filter -> CloudWatch alarm -> Amazon SNS
AnswerD

This architecture provides near real-time alerting based on API calls.

Why this answer

CloudTrail delivers events to CloudWatch Logs in near real-time. You can then create a CloudWatch Logs metric filter to match specific API calls and set up a CloudWatch alarm that triggers an SNS notification. This provides real-time alerts.

Option D is correct. Option A is wrong because, although EventBridge can receive CloudTrail events, CloudTrail logs are not automatically sent to EventBridge; you need to set up a rule. Option C is wrong because CloudWatch Logs subscription filters are for streaming to other services, not for real-time alarms.

Option B is wrong because S3 event notifications are not real-time and are for object-level events.

279
MCQhard

A company is migrating its on-premises log aggregation system to AWS. They have multiple applications running on EC2 instances that generate logs in JSON format. The security team needs a centralized logging solution that can ingest logs from all instances, store them durably, and allow real-time searching and alerting. The team also needs to retain logs for at least one year for compliance. The current plan is to use Amazon CloudWatch Logs for ingestion and search, but the team is concerned about the cost of long-term storage and the need for ad-hoc querying. Which solution meets the requirements with the LEAST operational overhead?

A.Send all logs to CloudWatch Logs and set a retention policy of one year.
B.Send logs directly to an S3 bucket and use Amazon Athena to query logs in real time.
C.Use the CloudWatch agent to send logs to CloudWatch Logs for real-time monitoring, then export logs to Amazon S3 daily, and use S3 lifecycle policies to expire logs after one year.
D.Send logs to Amazon OpenSearch Service (formerly Elasticsearch) with a one-year retention policy.
AnswerC

This provides real-time monitoring via CloudWatch Logs and cost-effective long-term storage in S3.

Why this answer

The correct answer is C. Sending logs to CloudWatch Logs for real-time monitoring and then exporting them to S3 for long-term, low-cost storage is a common pattern. S3 lifecycle policies can manage retention.

Option A is incorrect because CloudWatch Logs alone for one year would be expensive. Option B is incorrect because S3 alone does not provide real-time search capabilities. Option D is incorrect because Amazon ES (OpenSearch) could work but adds operational overhead for cluster management, and the requirement is least overhead.

280
Multi-Selecteasy

A company wants to monitor unauthorized API calls in their AWS account. Which TWO AWS services can provide real-time alerting on such events?

Select 2 answers
A.AWS Config
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Trusted Advisor
E.Amazon Inspector
AnswersB, C

CloudTrail logs all API calls, including those that return AccessDenied errors.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to the AWS environment, including unauthorized ones (e.g., AccessDenied errors). By configuring CloudTrail to deliver logs to Amazon CloudWatch Logs and setting up a metric filter with an alarm, you can receive real-time alerts when unauthorized API calls occur. This directly meets the requirement for monitoring and alerting on such events.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance alerts (which are not real-time and focus on resource drift) with CloudTrail's API-level event monitoring, or they mistakenly think GuardDuty is the only service for security alerts, but GuardDuty uses anomaly detection and threat intelligence rather than direct API call logging.

281
Multi-Selectmedium

A security team needs to monitor for unauthorized API calls in their AWS account. Which TWO services can provide real-time alerts for such events?

Select 2 answers
A.Amazon CloudWatch Logs Insights
B.AWS CloudTrail with Amazon CloudWatch Events
C.Amazon VPC Flow Logs
D.AWS Config
E.Amazon GuardDuty
AnswersB, E

CloudTrail logs API calls, and CloudWatch Events can trigger alerts in real-time.

Why this answer

Options B and E are correct. CloudTrail logs API calls and, when combined with CloudWatch Events, can trigger real-time alerts. GuardDuty also detects suspicious API activity and can generate findings in real time.

Option D is incorrect because AWS Config evaluates resource configurations, not API calls. Option C is incorrect because VPC Flow Logs capture network traffic, not API calls. Option A is incorrect because CloudWatch Logs Insights is a query tool, not a real-time alerting service.

282
MCQhard

A company uses AWS CloudTrail and wants to ensure that log files are encrypted at rest and that access to the logs is logged. Which combination of S3 features should be enabled on the destination bucket?

A.S3 Transfer Acceleration and default encryption
B.MFA Delete and versioning
C.Default encryption and server access logging
D.S3 Object Lock and versioning
AnswerC

Default encryption provides encryption at rest; server access logs log access requests.

Why this answer

Option C is correct because enabling default encryption (SSE-S3 or SSE-KMS) encrypts logs at rest, and enabling server access logging on the bucket logs access to the bucket. Option B is wrong because MFA Delete is for deletion protection, not encryption. Option D is wrong because S3 Object Lock prevents deletion but does not encrypt.

Option A is wrong because S3 Transfer Acceleration is for faster uploads, not security.

283
MCQmedium

A security engineer is troubleshooting why CloudTrail is not delivering logs to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured with the correct bucket name. However, no log files appear. What is the most likely cause?

A.The S3 bucket has an S3 Object Lock configuration that prevents writes.
B.The S3 bucket is in a different AWS Region from the trail.
C.CloudTrail is not enabled in the AWS Region where the S3 bucket resides.
D.The S3 bucket uses AWS KMS server-side encryption (SSE-KMS) and the KMS key policy does not grant CloudTrail permission to use the key.
AnswerD

CloudTrail must have kms:GenerateDataKey and kms:Decrypt permissions on the KMS key to encrypt/decrypt log files.

Why this answer

CloudTrail requires specific permissions to write to S3, including s3:PutObject and s3:GetBucketAcl; in this scenario the bucket policy already grants them. When the bucket uses SSE-KMS, CloudTrail must additionally be allowed to use the KMS key, and if the key policy does not grant that, log delivery fails silently.

284
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to centrally monitor and analyze all CloudTrail logs from all accounts. The logs must be stored in a centralized S3 bucket with encryption and access logging enabled. Additionally, the team needs to detect anomalous API activity across accounts using machine learning. Which combination of services meets these requirements?

A.AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption; AWS Config to monitor API activity; S3 server access logs enabled.
B.AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption; Amazon Macie to detect anomalous API activity; S3 server access logs enabled.
C.AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption; Amazon Detective to analyze API activity; S3 server access logs enabled.
D.AWS CloudTrail to deliver logs to a centralized S3 bucket with default encryption and S3 server access logs; Amazon GuardDuty enabled in all accounts.
AnswerD

CloudTrail logs to S3, GuardDuty provides ML-based anomaly detection across accounts, and S3 server access logs provide request logging.

Why this answer

Option D is correct: CloudTrail delivers logs to a centralized S3 bucket, Amazon GuardDuty uses ML to detect anomalous API activity across accounts, and S3 server access logs record requests to the bucket. Option B is wrong because Amazon Macie uses ML to discover sensitive data in S3, not to detect anomalous API activity. Option A is wrong because AWS Config tracks resource configuration changes, not API activity.

Option C is wrong because Amazon Detective analyzes security data but does not provide ML-based anomaly detection for API activity like GuardDuty.

285
MCQhard

Refer to the exhibit. A security engineer is reviewing a CloudTrail event. What security concern does this event raise?

A.The user is revoking a security group rule.
B.The event is not being logged by CloudTrail.
C.The user is using the AWS root account.
D.The user is opening SSH access to the world.
AnswerD

0.0.0.0/0 is public access.

Why this answer

Option D is correct. The event shows an IAM user adding an inbound rule to security group sg-12345 that allows SSH (port 22) from any IP (0.0.0.0/0). This violates security best practice because it exposes the instance to the internet.

Option C is wrong because the user is an IAM user, not root. Option B is wrong because the event is logged, which is good. Option A is wrong because the API is AuthorizeSecurityGroupIngress, not Revoke.

286
MCQeasy

A security engineer is configuring a multi-account CloudTrail setup. The above bucket policy is attached to the central logging bucket. Despite the policy, CloudTrail in the member account (123456789012) cannot deliver logs. What is the MOST likely issue?

A.The Principal should be the CloudTrail service principal of the member account.
B.The condition s3:x-amz-acl is not required; CloudTrail does not set that ACL.
C.The Action should be s3:PutObjectAcl instead of s3:PutObject.
D.The resource ARN must include the source account ID in the path.
AnswerB

CloudTrail uses a different ACL; removing the condition solves the issue.

Why this answer

Option B is correct because the resource path includes the account ID, but the condition requires the ACL to be set to bucket-owner-full-control, which CloudTrail does not set by default. Option A is wrong because the principal is correct. Option D is wrong because the bucket policy does not need to specify the source account explicitly; the path includes it.

Option C is wrong because the action is correct.

287
MCQeasy

Refer to the exhibit. A security engineer uses the AWS CLI command shown to investigate a console login event. What type of user performed the login?

A.AWS service
B.Assumed role
C.Root user
D.IAM user
AnswerD

The userIdentity type is 'IAMUser'.

Why this answer

The `userIdentity` in the CloudTrail event shows `type: IAMUser`, indicating an IAM user logged in. Option D is correct. Option C is wrong because the type is IAMUser, not Root.

Option B is wrong because the type is not AssumedRole. Option A is wrong because it is not an AWS service.

288
MCQhard

A company uses AWS CloudTrail to log all API calls. The security team notices that some expected log entries are missing for actions performed by an IAM role assumed by an EC2 instance. The instance has the required permissions. What is the MOST likely cause of the missing log entries?

A.The EC2 instance is in a VPC that has a VPC endpoint for CloudTrail, but the endpoint policy denies logging.
B.CloudTrail is not logging read-only API calls by default; the trail must be configured to log read events.
C.CloudTrail trail is not configured to log data events for EC2.
D.The IAM role used by the EC2 instance has a permissions boundary that excludes cloudtrail:PutLogEvents.
AnswerD

If a permissions boundary denies cloudtrail:PutLogEvents, CloudTrail cannot deliver log files for that role's actions, resulting in missing entries.

Why this answer

Option D is correct because CloudTrail logs are delivered to an S3 bucket, and the IAM role must have permissions to write logs via `cloudtrail:PutLogEvents`. If a permissions boundary on the role explicitly denies this action, the role cannot deliver log entries to CloudTrail, even if the role has other required permissions. This explains why expected log entries are missing despite the instance having the necessary permissions to perform the API calls.

Exam trap

The trap here is that candidates assume missing log entries are due to CloudTrail configuration (e.g., data events or read-only settings) rather than recognizing that the IAM role itself may lack the specific permission to deliver logs to CloudTrail, which is a subtle but critical requirement.

How to eliminate wrong answers

Option A is wrong because a VPC endpoint for CloudTrail is used to send log data from CloudTrail to S3, not to log API calls; the endpoint policy would affect delivery, not the logging of actions performed by the EC2 instance. Option B is wrong because CloudTrail logs all API calls (both read and write) by default when management events are enabled; read-only events are not excluded unless the trail is explicitly configured to log only write events. Option C is wrong because the missing log entries are for management API calls (e.g., EC2 actions), not data events (e.g., S3 object-level operations); data events are an additional configuration and are not required for logging standard EC2 API actions.

289
MCQhard

A security engineer needs to monitor AWS API calls for potential unauthorized access. The engineer wants to be alerted when a specific IAM user performs a high-risk action like deleting a CloudTrail trail. What is the MOST efficient way to achieve this?

A.Configure CloudTrail to send logs to CloudWatch Logs and create a metric filter with an alarm.
B.Enable VPC Flow Logs and analyze with Elasticsearch.
C.Use Amazon Athena to query CloudTrail logs daily for the action.
D.Enable Amazon GuardDuty with a custom threat list.
E.Create a CloudWatch Events rule that matches the API call and sends an SNS notification.
AnswerE

CloudWatch Events can filter CloudTrail events in real-time.

Why this answer

Option E is correct because CloudWatch Events can filter for specific API calls and trigger an SNS notification. Option A is wrong because CloudTrail does not have built-in alerting. Option C is wrong because Athena is for querying logs, not real-time alerting.

Option D is wrong because GuardDuty does not monitor for specific API calls by a user. Option B is wrong because VPC Flow Logs are for network traffic.

290
Multi-Selecteasy

A security engineer needs to ensure that all API calls in an AWS account are logged for auditing purposes. Which TWO services should the engineer enable? (Select TWO.)

Select 2 answers
A.VPC Flow Logs
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.Amazon GuardDuty
E.AWS Config
AnswersB, E

CloudTrail logs API calls for governance and auditing.

Why this answer

Options B and E are correct. CloudTrail logs API activity, and AWS Config records resource configuration changes for auditing. Option A is wrong because VPC Flow Logs capture network traffic, not API calls.

Option C is wrong because CloudWatch Logs stores log data but does not log API calls by itself. Option D is wrong because GuardDuty is a threat detection service, not a logging service.

291
MCQhard

A company has a CloudTrail trail that logs management events for all regions. The security team notices that some S3 data events are not being logged. How should the team enable logging for all S3 data events?

A.Update the existing CloudTrail trail to include data events for S3
B.Create a new CloudTrail trail that logs only data events
C.Use Amazon GuardDuty to monitor S3 access
D.Enable S3 server access logging on each bucket
AnswerA

Existing trails can be updated to include data events.

Why this answer

CloudTrail data events must be explicitly enabled. The existing trail can be updated to include data events. Creating a new trail with management events only would not capture data events. S3 server access logs are a separate feature.

292
MCQhard

A company uses Amazon GuardDuty to monitor for threats. The security team receives a high-severity finding: 'UnauthorizedAccess:EC2/SSHBruteForce'. The finding indicates a single EC2 instance with a public IP is receiving SSH connection attempts from multiple external IPs. The instance is part of an Auto Scaling group and is fronted by an Application Load Balancer (ALB). The security team wants to block the attacking IPs without disrupting legitimate traffic. What is the MOST effective approach?

A.Stop the EC2 instance and launch a new one in a different subnet.
B.Modify the security group of the EC2 instance to deny inbound SSH from the attacking IPs.
C.Create a network ACL rule on the subnet to deny inbound traffic from the attacking IPs.
D.Configure AWS WAF on the ALB to block the attacking IPs using an IP set rule.
AnswerD

AWS WAF can filter incoming requests to the ALB, blocking malicious IPs while allowing legitimate traffic. This can be automated via GuardDuty findings triggering a Lambda function.

Why this answer

GuardDuty can automatically update AWS WAF web ACLs via CloudWatch Events and Lambda. Since the ALB is the entry point, blocking at the WAF level prevents attacks before they reach the instance.

293
MCQhard

An organization has a requirement to retain all security logs for at least 7 years for compliance. The logs are stored in Amazon S3 and are rarely accessed. Which storage class is the MOST cost-effective for this retention period?

A.S3 Glacier Deep Archive
B.S3 Standard
C.S3 One Zone-IA
D.S3 Intelligent-Tiering
AnswerA

Lowest cost for long-term archival with retrieval time of 12 hours.

Why this answer

Option A is correct because S3 Glacier Deep Archive is designed for long-term retention of data that is accessed rarely, with a retrieval time of 12 hours, and is the lowest-cost storage class. Option B is wrong because S3 Standard is for frequently accessed data and is expensive. Option D is wrong because S3 Intelligent-Tiering is for data with unknown access patterns and is still not the cheapest option for a 7-year retention.

Option C is wrong because S3 One Zone-IA is for infrequent access but not designed for long-term archival.

294
MCQmedium

A company is using Amazon GuardDuty to monitor for malicious activity. The security team wants to automatically isolate an EC2 instance that is flagged for outbound communication with a known malicious IP address. Which approach is the most efficient and scalable?

A.Use a CloudWatch Alarm to directly invoke a Lambda function to isolate the instance.
B.Use AWS Config to automatically terminate the instance when a GuardDuty finding is reported.
C.Use Amazon EventBridge to invoke an AWS Lambda function that modifies the instance's security group.
D.Create a CloudWatch alarm on GuardDuty findings and modify the subnet's network ACL to block the traffic.
AnswerC

Scalable and targeted.

Why this answer

Option C is correct because GuardDuty can send findings to EventBridge, which can trigger a Lambda function to modify the instance's security group to isolate it. Option D is wrong because modifying the NACL would affect the entire subnet, not just the instance. Option B is wrong because terminating the instance is too drastic and may cause data loss.

Option A is wrong because CloudWatch Alarms cannot directly trigger Lambda for GuardDuty findings.

295
MCQhard

Refer to the exhibit. A security engineer reviews IAM permissions for the 'admin' user. The user is a member of the 'Administrators' group, which has the 'AdministratorAccess' managed policy attached. Additionally, the user has an inline policy named 'AllowSSH'. The engineer wants to ensure that the user can only start SSM sessions on instances with the tag 'SSH: enabled'. However, the user can still start sessions on any instance. What is the most likely reason?

A.The inline policy does not include 'ec2:DescribeInstances' for the SSM session, so it cannot start sessions.
B.The condition 'aws:ResourceTag/SSH' should be 'aws:RequestTag/SSH' to check the request tag.
C.The inline policy uses 'Allow' instead of 'Deny' for instances without the tag, so it does not restrict access.
D.The inline policy 'AllowSSH' is not effective because it is overridden by the group policy 'AdministratorAccess'.
AnswerC

The inline policy allows SSM StartSession only on tagged instances, but since the group policy allows all actions, the effective permission is still 'Allow' on all instances. To restrict, a 'Deny' statement is needed for instances without the tag.

Why this answer

The group policy 'AdministratorAccess' grants full access, including ssm:StartSession on all resources. The inline policy's Allow with condition is not restrictive; it only adds an additional Allow path. To restrict, a Deny statement must be used to explicitly block instances without the tag.

296
Multi-Selecteasy

Which TWO AWS services can be used to monitor network traffic for malicious activity? (Select TWO.)

Select 2 answers
A.AWS Network Firewall
B.Amazon GuardDuty
C.AWS Shield
D.AWS WAF
E.Amazon Inspector
AnswersA, B

Network Firewall provides stateful inspection and threat detection.

Why this answer

Options A and B are correct. Amazon GuardDuty analyzes VPC Flow Logs, DNS logs, and CloudTrail for threats. AWS Network Firewall provides stateful inspection to detect malicious traffic.

Option D is wrong because AWS WAF is a web application firewall. Option C is wrong because AWS Shield is for DDoS protection. Option E is wrong because Amazon Inspector is for vulnerability assessment.

297
MCQhard

Refer to the exhibit. A security engineer wants to monitor a Lambda function for errors and create a CloudWatch alarm when errors exceed a threshold. The engineer notices the log group exists but has no metric filters. What should the engineer do to set up the alarm?

A.Enable CloudWatch Contributor Insights for the Lambda function to automatically detect errors.
B.Create a metric filter on the log group to count occurrences of 'ERROR' in log streams, then create an alarm based on that metric.
C.Configure the Lambda function to publish custom metrics for errors instead of relying on logs.
D.Use CloudWatch Logs Insights to query logs for errors and create an alarm directly from the query results.
AnswerB

This is the standard approach: define a metric filter to extract error counts from logs, then create an alarm.

Why this answer

The exhibit shows no metric filters exist. To alarm on errors, the engineer must create a metric filter that parses logs for error patterns and emits a metric, then create an alarm on that metric.

298
MCQhard

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. Which solution meets these requirements?

A.Write a script that runs in each account using AWS Lambda to enable CloudTrail and point to the central bucket.
B.Use AWS Config rules in each account to check CloudTrail status and remediate via Lambda.
C.Use AWS CloudTrail with Organizations to create an organization trail that logs all accounts to the central bucket.
D.Create an IAM role that each account assumes to enable CloudTrail and log to the central bucket.
AnswerC

Organization trails automatically apply to all accounts in the organization.

Why this answer

Using CloudTrail with AWS Organizations, you can create a trail that applies to all accounts in the organization, logging to a single S3 bucket. Option C is correct. Option D is wrong because manual per-account setup is not scalable.

Option B is wrong because Config does not enable CloudTrail. Option A is wrong because Lambda functions would be complex and not native.

299
MCQmedium

A company is using AWS CloudTrail to log API calls and wants to ensure that log files are not tampered with after delivery to S3. Which feature should be enabled to validate the integrity of CloudTrail log files?

A.Enable CloudTrail log file validation
B.Enable MFA Delete on the S3 bucket
C.Enable S3 Versioning on the bucket
D.Enable S3 bucket default encryption
AnswerA

Log file validation uses hash-based validation to detect tampering.

Why this answer

Option A is correct because CloudTrail log file validation creates a hash for each log file, allowing you to verify that the log files have not been modified. Option C is wrong because S3 Versioning helps recover from accidental deletion or overwriting, but does not validate integrity. Option D is wrong because S3 server-side encryption encrypts data at rest, but does not provide integrity validation.

Option B is wrong because MFA Delete adds an extra layer of protection for deletion, but does not validate integrity.

300
MCQeasy

A company wants to centralize CloudTrail logs from multiple AWS accounts into a single S3 bucket for security analysis. The logs must be encrypted at rest and access must be logged. What is the MOST secure way to grant cross-account access to the central S3 bucket?

A.Create an S3 bucket policy that grants s3:PutObject to everyone, and rely on CloudTrail to restrict access.
B.Create an IAM role in the central account that each member account can assume to write logs.
C.Create an S3 bucket policy that grants CloudTrail service principal permission to write objects, with a condition checking the source account ID.
D.Use an S3 bucket with default encryption enabled and share the KMS key with the other accounts.
AnswerC

This restricts cross-account writes to only those accounts specified.

Why this answer

Option C is correct because using a bucket policy with a condition for the CloudTrail service principal and source account ensures only CloudTrail from allowed accounts can write. Option D is wrong because KMS encryption does not control write access. Option B is wrong because IAM roles are not used by CloudTrail for cross-account delivery.

Option A is wrong because a bucket policy without account restriction would allow any CloudTrail to write.
