CCNA Security Logging Questions

75 of 323 questions · Page 1/5 · Security Logging topic · Answers revealed

1
MCQ · hard

A security engineer notices that an S3 bucket containing sensitive data has been accessed from an IP address outside the allowed range. CloudTrail logs show the access was made using temporary credentials from an assumed role. What additional logging is needed to trace the access back to the original IAM user who assumed the role?

A. Enable CloudTrail to log data events for the S3 bucket.
B. Enable VPC Flow Logs for the VPC where the request originated.
C. Configure CloudWatch Logs to capture the EC2 instance's system logs.
D. Enable S3 server access logging for the bucket.
E. Enable AWS Config to record S3 bucket policies.
Answer: E

AWS Config does not record API calls; CloudTrail already records the session issuer in management events.

Why this answer

Option A is correct because CloudTrail logs include the 'sessionIssuer' field for assumed roles, which identifies the user who assumed the role. Option B is wrong because VPC Flow Logs do not contain IAM user information. Option C is wrong because CloudWatch Logs is a destination, not a source of identity info.

Option D is wrong because S3 server access logs do not include session issuer details. Option E is wrong because AWS Config does not record API calls.

2
Multi-Select · hard

A security engineer wants to detect and alert on AWS account root user activity. Which THREE services can be used together to achieve this? (Select THREE.)

Select 3 answers
A. AWS Config
B. Amazon CloudWatch Events (EventBridge)
C. AWS CloudTrail
D. Amazon CloudWatch Logs
E. Amazon GuardDuty
Answers: B, C, D

CloudWatch Events can filter and alert on root user events.

Why this answer

Amazon CloudWatch Events (EventBridge) is correct because it can be used to create a rule that matches specific API calls recorded by AWS CloudTrail. When the root user performs an action, CloudTrail logs the event, and EventBridge can trigger a notification (e.g., via SNS or Lambda) based on that event. This combination allows real-time detection and alerting of root user activity.

Exam trap

The trap here is that candidates may think Amazon GuardDuty is the correct choice because it detects threats, but it does not provide a native, customizable alerting mechanism for root user activity; instead, the combination of CloudTrail, EventBridge, and CloudWatch Logs is the standard AWS-recommended approach.

3
MCQ · hard

A financial services company has a multi-account AWS environment with over 200 accounts managed through AWS Organizations. The security team is responsible for monitoring all accounts for security incidents. They have enabled AWS CloudTrail in all accounts with trails that deliver logs to a centralized S3 bucket in the security account. Additionally, they have enabled Amazon GuardDuty in all accounts with the security account as the administrator. The team uses Amazon EventBridge to trigger automated responses to GuardDuty findings. Recently, they noticed that some GuardDuty findings from member accounts are not appearing in the security account. The security team verified that the findings are generated in the member accounts (they can see them in the member account GuardDuty console) but are not being sent to the administrator account. The CloudTrail logs are being delivered correctly. What is the MOST likely cause of this issue?

A. The member accounts have not accepted the invitation from the GuardDuty administrator account.
B. The S3 bucket policy in the centralized logging bucket is blocking GuardDuty findings from being written.
C. The EventBridge rules in the security account are not configured to receive events from member accounts.
D. The GuardDuty service-linked role in the member accounts does not have permissions to publish findings to the administrator account.
Answer: A

Each member account must explicitly accept the invitation to share findings. Without acceptance, findings remain local.

Why this answer

In GuardDuty multi-account setup, each member account must accept the invitation from the administrator account to enable sharing of findings. If a member account has not accepted the invitation, findings will not be sent to the administrator. This is a common misconfiguration.

4
MCQ · easy

A security engineer notices that an Amazon S3 bucket has been accessed from an IP address outside the company's allowed range. The engineer needs to identify the IAM user who made the request. Which AWS service should be used to find this information?

A. S3 server access logs
B. AWS CloudTrail
C. VPC Flow Logs
D. Amazon CloudWatch Logs
Answer: B

CloudTrail records API calls and includes the identity of the caller.

Why this answer

AWS CloudTrail records API calls made to AWS services, including the identity of the caller. Option B is correct. Option A is wrong because VPC Flow Logs capture network traffic metadata but do not include IAM user details.

Option C is wrong because CloudWatch Logs can store logs but do not directly capture API caller identity. Option D is wrong because S3 server access logs contain requester information but are not as comprehensive as CloudTrail for IAM user identification.

5
MCQ · hard

A security engineer is troubleshooting why Amazon GuardDuty is not generating findings for suspicious S3 API calls made by an IAM role. The engineer has verified that GuardDuty is enabled in the account and region. What is a likely reason for the missing findings?

A. CloudTrail management events are not being logged for the IAM role.
B. VPC Flow Logs are not enabled for the VPC where the role is used.
C. The account is not a Delegated Admin for GuardDuty.
D. S3 data events are not enabled in CloudTrail.
Answer: A

GuardDuty relies on CloudTrail management events; if the trail excludes those events, findings may be missed.

Why this answer

Option C is correct because GuardDuty requires CloudTrail management events to be logged; if the trail is not logging management events for the role's API calls, GuardDuty cannot analyze them. Option A is wrong because GuardDuty can analyze S3 data events if enabled. Option B is wrong because Delegated Admin is for multi-account management, not single account.

Option D is wrong because VPC Flow Logs are not used for S3 API calls.

6
Multi-Select · hard

A company uses AWS Organizations and wants to enforce that all member accounts enable VPC Flow Logs for all VPCs. Which THREE services or features should be used to enforce this policy automatically?

Select 3 answers
A. AWS Service Catalog
B. AWS CloudTrail
C. AWS Organizations Service Control Policies (SCPs)
D. AWS CloudFormation StackSets
E. AWS Config Conformance Packs
Answers: C, D, E

SCPs can deny the creation of VPCs without VPC Flow Logs.

Why this answer

Options A, B, and D are correct because AWS Organizations can use SCPs to restrict actions, AWS Config Rules can evaluate compliance, and AWS CloudFormation StackSets can deploy VPC Flow Logs across accounts. Option C is wrong because AWS CloudTrail records API calls, not resource configurations. Option E is wrong because AWS Service Catalog is for creating and managing IT services, not for enforcing logging.

7
MCQ · easy

A security engineer needs to identify which IAM users have been inactive for the past 90 days. Which AWS service should the engineer use?

A. AWS IAM Credential Report
B. Amazon CloudWatch Logs
C. AWS Config
D. AWS CloudTrail
Answer: A

The IAM credential report provides a CSV file with user activity, including password last used and access key last used dates.

Why this answer

Option B is correct because IAM provides credential reports that show last activity dates. Option A is wrong because CloudTrail logs API calls but requires analysis to determine inactivity. Option C is wrong because AWS Config tracks resource configuration.

Option D is wrong because CloudWatch Logs stores log data, not user activity summaries.

8
Multi-Select · medium

A security engineer is troubleshooting an issue where CloudTrail is not delivering logs to an S3 bucket. The bucket policy appears correct. Which TWO additional steps should the engineer take to diagnose the issue? (Choose TWO.)

Select 2 answers
A. Verify that the S3 bucket exists and is in the correct region.
B. Check CloudWatch Logs for CloudTrail errors.
C. Create an IAM role for CloudTrail with S3 write permissions.
D. Enable S3 server access logging on the bucket.
E. Review the CloudTrail configuration in the AWS Management Console for error messages.
Answers: A, E

Basic check.

Why this answer

Options A and D are correct. Verifying that the bucket exists and checking the CloudTrail error messages in the CloudTrail console are standard troubleshooting steps. Option B is wrong because CloudWatch Logs is not required for S3 delivery.

Option C is wrong because S3 server access logs are separate. Option E is wrong because CloudTrail does not use IAM roles for S3 delivery.

9
MCQ · hard

A company uses AWS CloudTrail to log all API activity. They want to ensure that log files are tamper-proof and can be validated for forensic purposes. Which of the following should they enable?

A. AWS KMS server-side encryption on the S3 bucket
B. CloudTrail log file integrity validation
C. S3 bucket versioning
D. S3 Object Lock with governance mode
Answer: B

This feature creates a hash of each log file and signs it with a private key, enabling verification of file integrity.

Why this answer

CloudTrail log file integrity validation uses digital signatures (SHA-256) to verify that log files have not been modified after delivery. It also provides a digest file for validation.

10
Multi-Select · easy

A company wants to monitor AWS account activity and receive real-time notifications for specific API calls. Which TWO services should the company use together? (Choose TWO.)

Select 2 answers
A. Amazon CloudWatch Logs
B. Amazon CloudWatch Events (Amazon EventBridge)
C. AWS Config
D. Amazon Simple Notification Service (SNS)
E. AWS CloudTrail
Answers: B, E

CloudWatch Events can match patterns from CloudTrail and trigger actions like SNS notifications.

Why this answer

Options B and E are correct. CloudTrail logs API calls, and CloudWatch Events (now Amazon EventBridge) can trigger notifications based on patterns. Option A is wrong because CloudWatch Logs is for log storage, not event-driven notifications.

Option C is wrong because AWS Config is for resource tracking. Option D is wrong because SNS is a notification service but needs a source of events.

11
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team needs to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which configuration ensures that only the management account can delete the log files?

A. Enable S3 Object Lock on the bucket with governance mode.
B. Use an S3 bucket policy that denies s3:DeleteObject for all principals.
C. Enable MFA Delete on the S3 bucket.
D. Configure CloudTrail to automatically delete logs older than 90 days.
E. Use an S3 bucket policy that denies s3:DeleteObject unless the principal is the management account.
Answer: E

This policy ensures only the management account can delete objects.

Why this answer

Option D is correct because using a bucket policy with a condition that denies s3:DeleteObject unless the principal is the management account ensures that only the management account can delete objects. Option A is wrong because CloudTrail does not automatically delete logs. Option B is wrong because S3 bucket policies can be set to restrict deletion.

Option C is wrong because S3 Object Lock can prevent deletion but is not specific to the management account.

12
Multi-Select · easy

A security engineer needs to capture network traffic between EC2 instances in a VPC for analysis. Which TWO services can provide this capability? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. Amazon CloudWatch Logs
C. VPC Flow Logs
D. AWS Config
E. Amazon GuardDuty
Answers: B, C

CloudWatch Logs can ingest and analyze VPC Flow Logs.

Why this answer

Amazon CloudWatch Logs can capture network traffic by using a unified CloudWatch agent or the EC2 instance's operating system to collect and forward log data, such as syslog or custom application logs that include network packet details. VPC Flow Logs capture metadata about IP traffic going to and from network interfaces in a VPC, including source/destination IPs, ports, protocols, and packet counts, but not the full packet payload. Together, these two services enable both detailed OS-level traffic logging (CloudWatch Logs) and network-level flow metadata (VPC Flow Logs) for comprehensive analysis.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs with capturing full packet contents, but they only capture metadata (Layer 3-4 headers), not the payload, while CloudWatch Logs can ingest actual packet data from the OS, making the pair complementary for traffic analysis.

13
Multi-Select · hard

A company is using AWS CloudTrail and wants to detect when an IAM user performs a specific action, such as stopping an EC2 instance. The security engineer needs to set up a real-time notification. Which THREE steps should the engineer take? (Choose THREE.)

Select 3 answers
A. Create a metric filter in CloudWatch Logs to match the StopInstances event
B. Create a CloudTrail trail that delivers logs to CloudWatch Logs
C. Use Amazon QuickSight to visualize CloudTrail logs
D. Create a CloudWatch alarm on the metric and configure it to send an SNS notification
E. Use Amazon Athena to query CloudTrail logs in S3
Answers: A, B, D

Metric filter extracts metrics from logs.

Why this answer

Options A, B, and C are correct. Create a CloudTrail trail to log events, create a CloudWatch Logs metric filter to detect the specific API call (StopInstances), and create a CloudWatch alarm that triggers an SNS notification. Option D is wrong because Amazon Athena is used for querying data in S3, not for real-time alerting.

Option E is wrong because Amazon QuickSight is for visualization, not alerting.

14
Multi-Select · hard

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer needs to ensure that all findings from member accounts are visible in the administrator account. Additionally, the engineer wants to receive real-time notifications for high-severity findings. Which TWO actions should the engineer take? (Choose TWO.)

Select 2 answers
A. Enable Amazon Detective to analyze GuardDuty findings.
B. Designate an administrator account in GuardDuty to manage the multi-account environment.
C. Create an Amazon EventBridge rule that triggers an SNS notification for high-severity GuardDuty findings.
D. Enable AWS CloudTrail in all member accounts to log GuardDuty API calls.
E. Use AWS Config to monitor GuardDuty configuration.
Answers: B, C

The administrator account can view findings from all member accounts.

Why this answer

Option A is correct because designating an administrator account in GuardDuty allows centralized viewing of findings. Option C is correct because creating an EventBridge rule that matches GuardDuty findings and sends to SNS enables real-time notifications. Option B is wrong because enabling CloudTrail does not aggregate GuardDuty findings.

Option D is wrong because Amazon Detective is for deeper investigation, not real-time notifications. Option E is wrong because AWS Config does not provide real-time notifications for GuardDuty findings.

15
Multi-Select · medium

A company is using AWS CloudTrail to monitor API activity in its AWS account. The security team needs to be alerted when unauthorized API calls are made to delete Amazon S3 buckets. Which TWO steps should the security team take to meet this requirement? (Choose TWO.)

Select 2 answers
A. Enable Amazon VPC Flow Logs to capture API calls and use Amazon Athena to query for DeleteBucket events.
B. Create an AWS CloudTrail trail that monitors Amazon CloudWatch Logs for DeleteBucket API calls.
C. Create an AWS Config rule to detect DeleteBucket API calls and send an SNS notification.
D. Configure CloudTrail to deliver logs to Amazon CloudWatch Logs and create a metric filter for the DeleteBucket API call.
E. Create an Amazon CloudWatch Events rule that matches the DeleteBucket API call and triggers an Amazon SNS notification.
Answers: D, E

CloudTrail can deliver to CloudWatch Logs, and a metric filter can trigger an alarm.

Why this answer

Option D is correct because CloudTrail can be configured to deliver logs to Amazon CloudWatch Logs, and a metric filter can be created to match the `DeleteBucket` API call. This metric can then trigger an alarm that sends an SNS notification, alerting the security team to unauthorized API calls. Option E is correct because Amazon CloudWatch Events (now Amazon EventBridge) can directly match the `DeleteBucket` API call from CloudTrail and trigger an SNS notification without needing a metric filter or alarm.

Exam trap

The trap here is that candidates may confuse AWS Config (which evaluates resource configurations) with CloudTrail (which records API activity), or think VPC Flow Logs can capture API-level events instead of network flows.

16
MCQ · easy

A security engineer needs to detect unauthorized API calls in an AWS account. Which AWS service should be used to record and monitor API activity for auditing?

A. AWS CloudTrail
B. Amazon CloudWatch Logs
C. AWS Config
D. Amazon GuardDuty
Answer: A

CloudTrail records API activity for auditing.

Why this answer

AWS CloudTrail is the correct service because it is specifically designed to record API activity across AWS services, capturing details such as the identity of the caller, the time of the call, the source IP address, and the request parameters. This audit log is essential for detecting unauthorized API calls, as it provides a complete history of all management and data plane operations for security analysis and compliance.

Exam trap

The trap here is that candidates often confuse CloudWatch Logs (which stores logs) with CloudTrail (which records API activity), or they assume GuardDuty's threat detection capability includes native API logging, when in fact GuardDuty consumes CloudTrail logs rather than generating them.

How to eliminate wrong answers

Option B (Amazon CloudWatch Logs) is wrong because it is a service for monitoring, storing, and accessing log files from various sources (e.g., applications, EC2 instances), but it does not natively record AWS API calls; it can only ingest CloudTrail logs if configured as a destination. Option C (AWS Config) is wrong because it evaluates and records resource configuration changes and compliance rules, not API activity; it focuses on the state of resources rather than the actions that modify them. Option D (Amazon GuardDuty) is wrong because it is a threat detection service that analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for malicious activity, but it does not itself record or store API call history for auditing purposes.

17
MCQ · hard

A financial services company has a production AWS account with hundreds of EC2 instances running a mix of Linux and Windows workloads. The security team is responsible for detecting and responding to security incidents. They have enabled CloudTrail, VPC Flow Logs, and GuardDuty. Recently, GuardDuty generated a finding indicating that an EC2 instance is communicating with a known malicious IP address. The security engineer needs to investigate the incident. The engineer examines the GuardDuty finding and sees the affected resource is an EC2 instance ID. The engineer wants to identify which user or role launched the instance and what security groups were associated with it at launch time. Which approach should the engineer take to gather this information?

A. Log in to the EC2 console and view the instance details under the 'Security' tab.
B. Use AWS Systems Manager Inventory to collect metadata about the instance.
C. Search CloudTrail logs for the RunInstances event that created the instance, using the instance ID to filter.
D. Use AWS Config to view the configuration history of the EC2 instance and check the security group changes.
Answer: C

CloudTrail captures the API call with user identity and parameters.

Why this answer

Option A is correct because CloudTrail logs the RunInstances API call which includes the user identity, instance ID, and security group IDs. Option B is wrong because AWS Config records the configuration but not the user who launched it. Option C is wrong because EC2 console does not provide historical launch details.

Option D is wrong because Systems Manager Inventory does not track launch user or initial security groups.

18
MCQ · hard

A security team has enabled AWS CloudTrail in all regions and is delivering logs to an S3 bucket. The team has also enabled S3 server access logging for the CloudTrail bucket. The team needs to detect any unauthorized access to the CloudTrail logs. Which combination of services should the team use to achieve near-real-time detection?

A. AWS CloudTrail Insights and Amazon CloudWatch
B. Amazon GuardDuty and Amazon CloudWatch Events
C. Amazon Athena and Amazon QuickSight
D. AWS Config and Amazon SNS
Answer: B

GuardDuty can monitor S3 access logs for malicious activity and generate findings that can trigger CloudWatch Events for notification.

Why this answer

Option D is correct because Amazon GuardDuty can monitor S3 access logs for suspicious activity, and CloudWatch Events can trigger a notification. Option A is wrong because AWS Config does not analyze S3 access logs in real time. Option B is wrong because Athena is for querying, not real-time detection.

Option C is wrong because CloudTrail Insights focuses on API activity, not S3 data events.

19
MCQ · medium

A company uses AWS CloudTrail and wants to ensure that logs are encrypted at rest using a customer-managed KMS key. The CloudTrail trail is configured to deliver logs to an S3 bucket. After enabling SSE-KMS on the S3 bucket, the logs are not being delivered. What is the most likely cause?

A. CloudTrail does not support SSE-KMS.
B. The KMS key is in a different AWS account.
C. The S3 bucket policy does not allow CloudTrail to write logs.
D. The KMS key policy does not grant CloudTrail permission to use the key.
Answer: D

CloudTrail must have kms:GenerateDataKey and kms:Decrypt permissions.

Why this answer

Option A is correct because CloudTrail needs explicit permissions to use the KMS key for encrypting log files. Option B is incorrect because CloudTrail can use KMS keys from other accounts. Option C is incorrect because CloudTrail supports SSE-KMS.

Option D is incorrect because bucket policies for CloudTrail must allow `s3:PutObject`.

20
MCQ · easy

A company wants to receive an alert when an IAM user creates a new access key. Which AWS service should be used to trigger the alert?

A. Amazon CloudWatch Logs
B. Amazon GuardDuty
C. AWS CloudTrail and Amazon CloudWatch Events
D. AWS Config
Answer: C

CloudTrail logs the event, CloudWatch Events can trigger an alert.

Why this answer

Option C is correct because CloudTrail logs IAM CreateAccessKey events. A CloudWatch Events rule can match this event and trigger an SNS notification. Option A is wrong because Config evaluates resource compliance, not API events.

Option B is wrong because CloudWatch Logs requires logs to be sent, but CloudTrail is the source. Option D is wrong because GuardDuty detects threats, not specific API calls.

21
MCQ · hard

A company has a requirement to retain CloudTrail logs for 7 years to meet regulatory compliance. They want to minimize storage costs while ensuring logs are immutable and cannot be deleted by anyone, including the root user. What should they do?

A. Configure the S3 bucket with MFA Delete enabled.
B. Use CloudTrail log file validation and enable AWS CloudTrail Insights.
C. Store the logs in Amazon S3 Glacier Deep Archive with a vault lock policy.
D. Enable S3 Object Lock in Compliance mode on the destination bucket.
Answer: D

Compliance mode prevents any user from deleting objects until the retention period expires.

Why this answer

S3 Object Lock with Compliance mode ensures that objects cannot be deleted or overwritten by any user, including the root user, for the specified retention period. Governance mode allows some users to override. Option A is wrong because MFA Delete does not prevent deletion by root.

Option C is wrong because S3 Glacier Deep Archive is a storage class, not immutability. Option D is wrong because CloudTrail does not provide immutability.

22
MCQ · hard

A company runs a multi-account AWS environment using AWS Organizations. The security team needs to implement centralized logging for all AWS CloudTrail events across all accounts. They create a new trail in the management account with the following configuration: trail name 'central-trail', apply to all accounts in the organization, enable data events for all S3 buckets, and store logs in a centralized S3 bucket. After one week, they notice that some accounts are not delivering CloudTrail logs to the central bucket. The security engineer verifies that the trail is still configured to apply to all accounts and that the S3 bucket policy allows cross-account access. What is the MOST likely reason for the missing logs?

A. The member accounts have not enabled CloudTrail Insights
B. The S3 bucket policy does not grant the correct permissions to the member accounts
C. The trail is not configured as a multi-region trail
D. Some accounts were added to the organization after the trail was created, and the trail was not updated to include them
Answer: D

When new accounts join, the trail must be updated or they need to enable the trail manually.

Why this answer

When a trail is created in the management account with 'apply to all accounts in the organization', it automatically includes all current member accounts. However, if new accounts are added to the AWS Organization after the trail is created, the trail does not automatically extend to those new accounts. The trail must be updated (e.g., via the CloudTrail console or API) to include the newly added accounts, or the organization trail feature must be re-enabled.

This is why logs from accounts added after trail creation are missing.

Exam trap

The trap here is that candidates assume 'apply to all accounts' means the trail dynamically includes any account added later, but in reality, the trail only applies to accounts that were members at the time of creation and must be manually updated for new accounts.

How to eliminate wrong answers

Option A is wrong because CloudTrail Insights is an optional feature that analyzes management events for unusual activity; it is not required for log delivery and its absence does not prevent logs from being delivered. Option B is wrong because the security engineer already verified that the S3 bucket policy allows cross-account access, so the policy is not the issue. Option C is wrong because the question does not mention any requirement for multi-region logging; the missing logs are from specific accounts, not from specific regions, and a single-region trail would still deliver logs from the home region of each account.

23
MCQ · easy

A company wants to receive real-time notifications for every root user login to the AWS Management Console. Which service should be used?

A. Amazon GuardDuty
B. AWS CloudTrail
C. Amazon CloudWatch Events
D. AWS Config
Answer: C

CloudWatch Events can create a rule that matches the root login event from CloudTrail and sends to SNS.

Why this answer

Option B is correct because CloudWatch Events can match the RootLogin event from CloudTrail and trigger an SNS notification. Option A is incorrect because CloudTrail itself does not send notifications. Option C is incorrect because GuardDuty may detect unusual root activity but is not designed for real-time notifications of all root logins.

Option D is incorrect because AWS Config does not monitor root logins.

24
Multi-Select · easy

Which TWO AWS services can be used to detect and alert on suspicious activity in near real-time?

Select 2 answers
A. Amazon CloudWatch Events
B. Amazon Inspector
C. Amazon GuardDuty
D. AWS CloudTrail
E. AWS Config
Answers: A, C

CloudWatch Events can trigger on suspicious patterns.

Why this answer

Options A and D are correct. Amazon GuardDuty provides near real-time threat detection, and Amazon CloudWatch Events can trigger alerts based on patterns. Option B (Config) is for compliance, not threat detection.

Option C (CloudTrail) is for logging, not real-time alerting. Option E (Inspector) is for vulnerability scanning.

25
MCQ · hard

Refer to the exhibit. A security engineer configured the above bucket policy for CloudTrail log delivery. However, logs are not being delivered. What is the most likely cause?

A. The Action should be 's3:PutObjectAcl' instead of 's3:PutObject'.
B. The Principal is incorrect; it should be the CloudTrail service principal for the region.
C. The condition requires 'bucket-owner-full-control' ACL, but CloudTrail does not set this ACL when delivering to the same account.
D. The Resource ARN is missing the account ID in the path.
Answer: C

CloudTrail sets the ACL only for cross-account delivery; for same account, the ACL is not set, causing the condition to fail.

Why this answer

The bucket policy requires the 'bucket-owner-full-control' canned ACL, but CloudTrail by default uses 'bucket-owner-full-control' only when delivering to a different account. For same-account delivery, the ACL is not set, causing a mismatch. Option A is wrong because the principal is correct.

Option B is wrong because the resource ARN is correct. Option D is wrong because the action is correct.

26
MCQ · hard

A security engineer is configuring an Amazon S3 bucket to store CloudTrail logs. The engineer must ensure that the logs are encrypted at rest using an AWS KMS customer managed key (CMK) and that only the CloudTrail service has permission to decrypt the logs. Which bucket policy statement should the engineer add?

A. {"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"kms:Encrypt","Resource":"*"}
B. {"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"kms:Decrypt","Resource":"*"}
C. {"Effect":"Allow","Principal":"*","Action":"kms:Decrypt","Resource":"*"}
D. {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"kms:Decrypt","Resource":"*"}
Answer: B

This grants the CloudTrail service principal permission to decrypt using the CMK.

Why this answer

Option A is correct because it grants the CloudTrail service principal the necessary decrypt permission. Option B is wrong because the root user is not the CloudTrail service. Option C is wrong because it grants decrypt to all principals, which is too permissive.

Option D is wrong because the CMK key policy, not bucket policy, controls KMS permissions.

27
Multi-Select · medium

A company is using Amazon CloudWatch Logs to collect application logs. The security team wants to detect patterns that indicate security threats, such as multiple failed login attempts. Which TWO services can be used together to perform real-time log analysis and alerting?

Select 2 answers
A. Amazon Kinesis Data Analytics
B. Amazon OpenSearch Service
C. AWS Lambda
D. AWS Glue
E. Amazon Athena
Answers: B, C

CloudWatch Logs can stream logs to OpenSearch Service for analysis and visualization.

Why this answer

Options B and C are correct because CloudWatch Logs can stream logs to Amazon OpenSearch Service for analysis, and CloudWatch Logs subscription filters can invoke a Lambda function for real-time processing. Option E is wrong because Amazon Athena queries data in S3 and is not a real-time streaming service. Option A is wrong because Kinesis Data Analytics processes streaming data but requires a Kinesis stream; it is not directly integrated with CloudWatch Logs as a destination.

Option D is wrong because AWS Glue is a batch ETL service, not a real-time one.

28
MCQhard

Refer to the exhibit. A security engineer runs the above AWS CLI command to search for CreateKeyPair events in CloudTrail. The command returns no results, but the engineer knows that a key pair was created during that time. What is the most likely reason for the missing events?

A.CreateKeyPair is a data event and not recorded by CloudTrail.
B.The command was run in a different region than where the key pair was created.
C.CloudTrail events are only available after 24 hours.
D.CloudTrail is not enabled for management events.
AnswerB

CloudTrail events are regional; if the command runs in a different region, it won't see events from another region.

Why this answer

Option B is correct because CloudTrail events are regional: a lookup run in a different region than the one where the key pair was created returns no results. This is the most common reason for missing events (a trail that is not logging management events would also miss them, but that is not the default). Option A is wrong because key pair creation is a management event.

Option C is wrong because CloudTrail events are delivered within about 15 minutes of the API call, and the command looks for events in the past, so delivery time is not an issue. Option D is wrong because CloudTrail logs management events by default.

29
Multi-Selecthard

A company has a requirement to detect and alert on anomalous IAM user behavior, such as a user logging in from an unusual geographic location. The company uses AWS Organizations and has multiple accounts. Which services should the company use to meet this requirement? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS Config
C.Amazon GuardDuty
D.IAM Access Analyzer
E.AWS CloudTrail
AnswersC, D

GuardDuty can detect unusual IAM user behavior, such as anomalous login locations.

Why this answer

Correct options: C (GuardDuty) and D (IAM Access Analyzer). GuardDuty can detect unusual login locations. IAM Access Analyzer helps identify external access.

Option E is wrong because CloudTrail is a logging service, not a detection service. Option B is wrong because Config tracks resource configuration. Option A is wrong because CloudWatch Logs alone does not detect anomalies.

30
Multi-Selecthard

A company wants to ensure that all API calls in their AWS account are logged and immutable. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A.Enable MFA delete on the S3 bucket
B.Use AWS Config rules to monitor CloudTrail configuration
C.Enable S3 Object Lock on the CloudTrail S3 bucket
D.Encrypt the S3 bucket with AWS KMS
E.Enable AWS CloudTrail for all regions
AnswersC, E

Object Lock prevents log deletion or modification.

Why this answer

CloudTrail logs API calls. To ensure immutability, S3 Object Lock prevents deletion or overwriting. MFA delete adds protection.

Config does not prevent log tampering. KMS encrypts but does not prevent deletion.

31
Multi-Selectmedium

A company is designing a centralized logging solution for VPC Flow Logs across multiple AWS accounts. The solution must meet the following requirements:
- Centralized storage in an S3 bucket in the security account.
- Real-time analysis of flow logs.
- Minimal operational overhead.
Which TWO actions should the company take? (Choose two.)

Select 2 answers
A.Use AWS Organizations to enable VPC Flow Logs in all accounts and deliver to a central S3 bucket.
B.Create a single VPC Flow Log subscription in the security account that captures logs from all VPCs.
C.Use Amazon Kinesis Data Firehose to deliver flow logs to the central S3 bucket.
D.Create a CloudWatch Logs subscription filter in each account to stream logs to the security account.
E.Configure S3 replication from each account's bucket to the central bucket.
AnswersA, C

Organizations allows you to deploy flow log configurations across accounts using StackSets.

Why this answer

Option A is correct because AWS Organizations allows you to centrally manage flow log subscriptions. Option C is correct because Amazon Kinesis Data Firehose can stream flow logs to S3 and enable real-time analysis via Kinesis Analytics. Option D is wrong because a CloudWatch Logs subscription filter in each account is not the most efficient approach for real-time analysis.

Option E is wrong because S3 replication adds complexity and is not real-time. Option B is wrong because cross-account flow logs cannot be delivered via a single subscription from the security account; each account must create its own flow log.

32
MCQeasy

A company is experiencing unauthorized access attempts to an S3 bucket. Which AWS service can be used to detect and alert on such events in real time?

A.Amazon Macie
B.AWS Config
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerD

GuardDuty provides real-time threat detection for S3 access.

Why this answer

Option D is correct because Amazon GuardDuty uses threat intelligence to detect suspicious activity, including unauthorized S3 access attempts. Option C is wrong because AWS CloudTrail is for logging, not real-time detection. Option A is wrong because Amazon Macie is for data classification.

Option B is wrong because AWS Config is for compliance.

33
MCQhard

A security team wants to collect and analyze logs from multiple AWS services including CloudTrail, VPC Flow Logs, and AWS WAF. They need a centralized solution that can filter, transform, and route logs to multiple destinations in near real-time. Which AWS service should they use?

A.Amazon CloudWatch Logs Insights
B.Amazon CloudWatch Logs subscription filters with AWS Lambda
C.Amazon Kinesis Data Streams combined with Amazon Kinesis Data Firehose
D.Amazon S3 with S3 Event Notifications
AnswerC

Kinesis Data Streams ingests real-time data, and Firehose can deliver to multiple destinations.

Why this answer

Option C is correct because Amazon Kinesis Data Streams can ingest logs, after which Kinesis Data Analytics can transform them and Kinesis Data Firehose can route them to multiple destinations. Option B is wrong because a CloudWatch Logs subscription filter can send logs to Lambda for transformation but cannot easily route them to multiple destinations. Option D is wrong because S3 is a storage destination, not a processing and routing service.

Option A is wrong because CloudWatch Logs Insights is for querying, not real-time routing.

34
MCQmedium

A company uses Amazon CloudWatch Logs to collect application logs from EC2 instances. The security team wants to create an alarm that triggers when a specific error pattern appears in the logs. They have set up a metric filter and an alarm. However, the alarm is not triggering even though the error pattern exists in the logs. What is the most likely cause?

A.The log group retention period is set to 1 day.
B.The metric filter uses a custom namespace that is not allowed.
C.The metric filter was created before the log group.
D.The metric filter is only applied to log events that occur after the filter is created.
AnswerD

Metric filters do not backfill; they only apply to new log events.

Why this answer

Option D is correct because metric filters are evaluated on incoming log events, not on historical data. If the error pattern existed before the filter was created, it will not be counted. Option C is wrong because the filter can be created after logs are ingested.

Option B is wrong because the metric namespace does not affect filtering. Option A is wrong because the log group retention period does not affect metric evaluation.

35
MCQmedium

A company is using Amazon RDS for MySQL and needs to monitor database login attempts for security analysis. Which feature should be enabled to capture authentication events?

A.Enable VPC Flow Logs for the RDS subnet
B.Enable RDS MySQL audit logs
C.Enable AWS CloudTrail data events for RDS
D.Enable the '--log_queries_not_using_indexes' parameter
AnswerB

Audit logs capture database login attempts and other events.

Why this answer

Option B is correct because RDS MySQL supports general logs and audit logs that can capture login attempts. Option D is wrong because the '--log_queries_not_using_indexes' parameter logs queries that do not use indexes, not login attempts. Option A is wrong because VPC Flow Logs capture network traffic, not authentication events.

Option C is wrong because CloudTrail does not log database-level events.

36
MCQmedium

Refer to the exhibit. A security engineer is analyzing a VPC Flow Log entry from an EC2 instance with private IP 10.0.1.5. The log shows an outbound connection to IP 203.0.113.5 on port 443 from source port 22. The connection was accepted. What is the most likely scenario?

A.The instance is responding to an inbound SSH connection from the remote IP.
B.The instance is connecting to a remote server on the internal network.
C.The instance is receiving an SSH connection from the remote IP.
D.The instance is making an HTTPS request to a web server.
AnswerA

Flow logs capture both directions; source port 22 indicates reply.

Why this answer

Option A is correct. VPC Flow Logs record connections from the perspective of the network interface, so the source IP and port are normally the instance's private IP and an ephemeral port.

Here, the source port is 22 (SSH), which is unusual for an outbound connection. Because flow logs capture both directions, this entry is most likely the reply half of an inbound SSH connection: the instance is responding to an SSH session initiated from the remote IP.

Option D is wrong because port 22 is SSH, not HTTPS. Option C is wrong because the instance is the source in the log, not the destination. Option B is wrong because the remote IP is not a private address.

37
MCQhard

A company uses AWS CloudTrail to log all API activity. The security team wants to ensure that logs are immutable after they are delivered to Amazon S3. Which combination of actions should be taken to meet this requirement? (Choose the best single answer that includes all necessary steps.)

A.Enable S3 Object Lock in governance mode on the bucket.
B.Enable MFA Delete on the bucket.
C.Enable versioning on the bucket.
D.Create a bucket policy that denies s3:DeleteObject actions.
AnswerA

Prevents objects from being deleted or overwritten for a specified retention period.

Why this answer

Option A is correct because enabling S3 Object Lock in governance mode makes delivered logs immutable against deletion or overwrite. Option B is wrong because MFA Delete alone does not prevent overwrites.

Option D is wrong because bucket policies do not prevent deletion by authorized users. Option C is wrong because enabling versioning alone does not prevent deletion of all versions.

38
MCQeasy

A company needs to monitor for root account usage and receive immediate notifications. Which combination of AWS services should be used?

A.AWS Config and AWS Lambda
B.Amazon GuardDuty and AWS Lambda
C.S3 server access logs and Amazon Inspector
D.AWS CloudTrail, Amazon CloudWatch Logs, and Amazon SNS
AnswerD

CloudTrail logs root activity, CloudWatch monitors, SNS alerts.

Why this answer

Option D is correct because CloudTrail can be configured to send events to CloudWatch Logs, where a metric filter can detect root account activity and trigger an SNS notification. Option B is wrong because GuardDuty does not specifically monitor root account usage. Option A is wrong because Config records resource changes, not API calls.

Option C is wrong because S3 server access logs record S3 access, not root usage.

39
MCQeasy

A company wants to detect and alert on SSH brute force attacks on EC2 instances. Which AWS service should be used?

A.AWS Config
B.Amazon GuardDuty
C.Amazon Inspector
D.AWS CloudTrail
E.AWS Shield
AnswerB

GuardDuty uses threat intelligence to detect brute force attacks.

Why this answer

Option B is correct because GuardDuty analyzes VPC Flow Logs and DNS logs to detect brute force attempts. Option D is wrong because CloudTrail does not monitor network traffic. Option C is wrong because Inspector is for vulnerability scanning.

Option A is wrong because Config is for configuration compliance. Option E is wrong because Shield is for DDoS protection.

40
MCQmedium

A financial services company uses AWS CloudTrail to log all API calls in their account. They store the logs in an S3 bucket with server-side encryption using AWS KMS (SSE-KMS). The security team needs to ensure that only authorized users can decrypt and read the logs. They have created a KMS key with a key policy that grants decrypt permissions to the security team's IAM roles. However, when a security engineer tries to download a log file from the S3 bucket using the AWS CLI, they receive an 'AccessDenied' error. The engineer has s3:GetObject permission on the bucket. What is the most likely cause?

A.The CloudTrail trail is not configured to use SSE-KMS.
B.The S3 bucket has a bucket policy that denies access to the engineer's IAM role.
C.The S3 bucket policy does not allow the engineer to read objects.
D.The KMS key policy does not grant the engineer's role permission to decrypt.
AnswerD

The engineer needs kms:Decrypt permission on the KMS key to read encrypted objects.

Why this answer

Option D is correct because the KMS key policy must grant the engineer's role kms:Decrypt permission. Option C is wrong because the error is not about S3 permissions; the engineer already has s3:GetObject. Option B is wrong because the S3 bucket policy does not control KMS permissions.

Option A is wrong because CloudTrail itself does not need decrypt permission for the engineer to read the logs.

41
MCQmedium

A company uses Amazon GuardDuty and wants to automatically isolate a compromised EC2 instance by removing it from the security group. Which approach should be used?

A.Set up an AWS Config rule to detect the finding and remediate.
B.Configure GuardDuty to directly modify the security group.
C.Create an Amazon EventBridge rule that triggers an AWS Lambda function to remove the instance from the security group.
D.Use AWS Systems Manager Automation to automatically modify the security group based on GuardDuty findings.
AnswerC

EventBridge can capture GuardDuty findings and invoke Lambda for automated remediation.

Why this answer

Option C is correct because GuardDuty can send findings to EventBridge, which triggers a Lambda function to modify the security group. Option B is wrong because GuardDuty does not have native remediation actions. Option D is wrong because Systems Manager Automation is possible but requires a runbook.

Option A is wrong because AWS Config does not react to GuardDuty findings.

42
MCQmedium

A security engineer is troubleshooting why CloudTrail logs are not being delivered to an S3 bucket. The bucket policy allows CloudTrail to write objects, and the trail is configured to log management events. However, no log files appear in the bucket. What is the MOST likely cause?

A.The trail is not logging data events.
B.The S3 bucket uses SSE-KMS encryption and the trail does not have permission to use the KMS key.
C.The S3 bucket is in a different AWS account.
D.The bucket policy is missing a Deny statement.
AnswerB

CloudTrail requires kms:Decrypt and kms:GenerateDataKey permissions on the KMS key to deliver logs to an encrypted bucket.

Why this answer

Option B is correct because if the S3 bucket uses SSE-KMS encryption, CloudTrail requires explicit permissions to use the KMS key. Option C is wrong because CloudTrail can deliver logs to buckets in different accounts with proper cross-account permissions. Option A is wrong because management events are logged by default, so data event logging is not required for delivery.

Option D is wrong because the bucket policy already allows CloudTrail to write; a Deny statement is not needed for delivery.

43
MCQmedium

A company uses AWS CloudTrail to log all API calls. The security team needs to be alerted when an IAM user creates a new access key. Which approach is most efficient?

A.Enable AWS Config managed rule to detect access key creation and trigger an SNS notification.
B.Create a CloudWatch Events rule that matches the CreateAccessKey event and targets an SNS topic.
C.Use CloudWatch Logs Insights to run a query every minute on CloudTrail logs and send results to SNS.
D.Configure CloudTrail to send logs to an S3 bucket and enable S3 event notifications to an SNS topic.
AnswerB

CloudWatch Events can filter specific API calls in real-time and trigger actions like SNS notifications.

Why this answer

Option B is correct because CloudWatch Events can filter specific API calls in real time and trigger a target such as an SNS topic to send notifications. Option D is incorrect because CloudTrail does not natively send alerts; it delivers logs to S3. Option C is incorrect because CloudWatch Logs Insights requires running queries manually and is not a real-time alerting mechanism.

Option A is incorrect because Config records resource changes and is not optimized for API call alerts.

44
MCQeasy

A security engineer needs to capture all DNS queries made by EC2 instances in a VPC and send them to a security analytics tool. Which AWS service should be used to capture this traffic?

A.AWS Network Firewall
B.VPC Flow Logs
C.AWS CloudTrail
D.Amazon GuardDuty
AnswerA

AWS Network Firewall can capture DNS logs by enabling DNS inspection.

Why this answer

Option A is correct because AWS Network Firewall can capture DNS logs. Option B is wrong because VPC Flow Logs capture IP traffic metadata but do not include DNS query details. Option C is wrong because CloudTrail records API calls, not DNS queries.

Option D is wrong because GuardDuty is a threat detection service that consumes DNS logs from other sources rather than capturing them.

45
Multi-Selecthard

A security engineer needs to monitor cross-account access to resources. Which THREE AWS services can be used to log or detect such access? (Choose THREE.)

Select 3 answers
A.AWS CloudTrail
B.Amazon VPC Flow Logs
C.Amazon GuardDuty
D.AWS Config
E.Amazon Inspector
AnswersA, C, D

Logs API calls including cross-account access.

Why this answer

AWS CloudTrail is correct because it logs all API calls made to the AWS environment, including cross-account access events such as AssumeRole, GetFederationToken, or any action performed by an IAM role from another account. These logs capture the source identity, target resource, and request parameters, enabling security engineers to detect and audit cross-account activity.

Exam trap

The trap here is that candidates often confuse network-level logging (VPC Flow Logs) with API-level logging (CloudTrail) or assume vulnerability scanners (Inspector) can detect access events, but only CloudTrail, GuardDuty, and Config provide the necessary identity and resource-level visibility for cross-account access monitoring.

46
MCQmedium

A company is using AWS Config to track resource changes. They want to receive notifications when a security group is modified to allow inbound traffic from 0.0.0.0/0. What is the most efficient way to achieve this?

A.Use IAM Access Analyzer to detect publicly accessible security groups.
B.Enable Amazon GuardDuty and use its findings for security group changes.
C.Create a custom AWS Config rule with an AWS Lambda function that checks for public inbound traffic.
D.Create a CloudTrail trail and filter on AuthorizeSecurityGroupIngress events.
AnswerC

AWS Config can continuously evaluate security group rules and trigger actions.

Why this answer

Option C is correct because AWS Config rules evaluate resources against desired configurations; a custom rule backed by a Lambda function can check security group rules and trigger notifications via SNS. Option D is wrong because CloudTrail logs API calls but requires parsing.

Option A is wrong because IAM Access Analyzer focuses on resource policies. Option B is wrong because GuardDuty is for threat detection.

47
MCQhard

Refer to the exhibit. A security engineer investigates a potential unauthorized deletion of an AWS CloudTrail trail. The engineer runs the command and receives the output shown. Which additional step should the engineer take to determine if the trail deletion was unauthorized?

A.Enable AWS Config rules to monitor CloudTrail configuration changes and cross-reference the event time with an approved change window.
B.Check the source IP address 203.0.113.50 against a list of approved corporate IP ranges.
C.Review the IAM user 'admin' permissions to see if they have the cloudtrail:DeleteTrail permission.
D.Use CloudTrail Insights to detect unusual API activity for the DeleteTrail event.
AnswerA

Cross-referencing with an approved change window helps determine if the deletion was planned and authorized, addressing the authorization aspect directly.

Why this answer

The engineer needs to determine if the deletion was unauthorized. Checking the source IP or permissions may not be sufficient. The best approach is to verify if the deletion occurred within an approved change window, which can be tracked via AWS Config or change management processes.

48
Multi-Selecthard

A security engineer is configuring Amazon GuardDuty in a multi-account environment. The engineer wants to enable GuardDuty in the management account and automatically enable it for all member accounts. Which THREE steps are required?

Select 3 answers
A.Have each member account manually enable GuardDuty.
B.Create an S3 bucket for GuardDuty findings in each member account.
C.Configure GuardDuty to automatically enable for all accounts in the organization via the Organizations integration.
D.Accept the invitation from the administrator account in each member account.
E.Enable GuardDuty in the management account.
AnswersC, D, E

This allows automatic enablement for new accounts.

Why this answer

GuardDuty must be enabled in the management account first. Then, using Organizations, GuardDuty can be automatically enabled for all existing and new accounts. Member accounts must also accept the invitation to join the GuardDuty administrator account.

49
MCQeasy

A security analyst needs to receive an alert when an IAM user attempts to perform an action they are not authorized to perform. Which AWS service can be used to monitor and alert on such authorization failures?

A.AWS Organizations SCPs
B.AWS CloudTrail with CloudWatch metric filter and alarm
C.AWS IAM Access Analyzer
D.AWS Config
AnswerB

CloudTrail logs API errors, and CloudWatch can alert on them.

Why this answer

Option B is correct because CloudTrail logs all API calls, including those that fail with AccessDenied errors, and a CloudWatch metric filter on CloudTrail logs can trigger an alarm.

Option C is wrong because IAM Access Analyzer is for external access analysis. Option A is wrong because Service Control Policies are for AWS Organizations permission control, not monitoring. Option D is wrong because Config does not monitor API calls.

50
Multi-Selecteasy

Which TWO AWS services provide native integration with Amazon CloudWatch Logs for real-time monitoring of application logs? (Choose TWO.)

Select 2 answers
A.Amazon S3
B.Amazon Route 53
C.Amazon EC2
D.AWS Lambda
E.AWS CloudTrail
AnswersC, D

EC2 can use the CloudWatch agent to send logs.

Why this answer

Amazon EC2 is correct because it can be configured to send application logs to CloudWatch Logs via the CloudWatch Logs agent or unified CloudWatch agent, enabling real-time monitoring, search, and alerting on log data. AWS Lambda is correct because it natively integrates with CloudWatch Logs: every Lambda function execution automatically streams its logs to a CloudWatch Logs group, providing real-time visibility into function output and errors.

Exam trap

Cisco often tests the distinction between services that natively produce or stream application logs to CloudWatch Logs versus services that can only send logs via additional configuration or are limited to audit/API logs, leading candidates to mistakenly select CloudTrail or S3 as native integrations.

51
MCQmedium

Refer to the exhibit. A security engineer reviews the CloudTrail trail configuration. What is a security concern?

A.The trail is not multi-region
B.The logs are not encrypted with a customer-managed KMS key
C.Log file validation is not enabled
D.CloudWatch Logs integration is missing
AnswerB

kmsKeyId is null, so SSE-S3 is used, which is less secure.

Why this answer

The security concern is that the CloudTrail logs are not encrypted with a customer-managed KMS key. By default, CloudTrail encrypts log files using SSE-S3 (S3-managed keys), which does not provide the customer with control over key rotation, access policies, or the ability to audit key usage. Using a customer-managed KMS key ensures that only authorized principals can decrypt the logs, and it enables fine-grained access control and audit trails via CloudTrail and CloudWatch Logs, which is critical for compliance and security monitoring.

Exam trap

Cisco often tests the misconception that default encryption (SSE-S3) is sufficient for compliance, but the exam expects you to recognize that customer-managed KMS keys provide additional control and auditability, making the lack of SSE-KMS a security concern.

How to eliminate wrong answers

Option A is wrong because a multi-region trail is not a mandatory security requirement; it is a configuration choice for aggregating logs from all regions, but the absence of multi-region does not directly expose logs to unauthorized access or tampering. Option C is wrong because log file validation provides integrity verification via hash digests, but it does not address encryption at rest; the lack of validation is a concern for integrity, not confidentiality, and the question specifically asks about a security concern related to the trail configuration shown. Option D is wrong because CloudWatch Logs integration is an optional feature for real-time monitoring and alerting, but its absence does not represent a direct security vulnerability; the primary concern is that logs are not encrypted with a customer-managed KMS key, which is a fundamental control for protecting sensitive audit data.

52
MCQeasy

A security engineer is configuring Amazon GuardDuty for the first time. The engineer wants to receive alerts when GuardDuty generates a finding of severity HIGH or higher. What is the simplest way to achieve this?

A.Create an Amazon EventBridge rule that matches GuardDuty findings and triggers an SNS topic.
B.Configure CloudWatch Logs to monitor GuardDuty logs and create a metric filter for high-severity findings.
C.Set up an S3 event notification on the GuardDuty findings bucket.
D.Configure GuardDuty to send email notifications for all findings.
AnswerA

Simple and effective.

Why this answer

Option A is correct because GuardDuty can send findings directly to CloudWatch Events (EventBridge), which can then invoke a Lambda function or publish to an SNS topic. Option D is wrong because GuardDuty does not have native email alerts. Option B is wrong because GuardDuty does not write to CloudWatch Logs directly.

Option C is wrong because GuardDuty findings are not stored in S3 by default.

53
MCQeasy

A company wants to monitor failed SSH login attempts to EC2 instances. Which approach should be used?

A.Use the CloudWatch Logs agent to send /var/log/auth.log to CloudWatch Logs
B.Enable AWS CloudTrail for EC2 instances
C.Enable VPC Flow Logs
D.Use AWS Config to detect SSH access
AnswerA

The agent collects OS logs and sends them to CloudWatch Logs.

Why this answer

Publish OS-level logs to CloudWatch Logs using the CloudWatch agent. CloudTrail does not capture OS login attempts. VPC Flow Logs capture network traffic, not OS events.

Config is for resource compliance.

54
Multi-Selecthard

A security team wants to implement a centralized logging solution for multiple AWS accounts. The team needs to collect VPC Flow Logs, CloudTrail logs, and DNS query logs from all accounts. Which THREE services should the team use to aggregate these logs? (Choose THREE.)

Select 3 answers
A.AWS CloudHSM
B.AWS Config
C.Amazon Route 53 Resolver query logging
D.AWS CloudTrail
E.VPC Flow Logs
AnswersC, D, E

Resolver query logs can be published to a central S3 bucket for DNS query logs.

Why this answer

Options C, D, and E are correct. CloudTrail can be set up with an organization trail to aggregate management events. Route 53 Resolver query logging can publish to a central S3 bucket.

VPC Flow Logs can be published to a central S3 bucket or CloudWatch Logs. Option B is wrong because AWS Config does not aggregate logs. Option A is wrong because CloudHSM is a hardware security module, not a log aggregation service.

55
Multi-Selecteasy

A security engineer is configuring VPC Flow Logs to capture network traffic metadata. Which TWO attributes can be captured in VPC Flow Logs? (Choose TWO.)

Select 2 answers
A.Packet payload
B.Source IP address
C.IAM user ID
D.Destination port
E.DNS query name
AnswersB, D

Captured.

Why this answer

VPC Flow Logs capture metadata about network traffic, including the source IP address (option B) and destination port (option D). The source IP address identifies the origin of the traffic, while the destination port indicates the application or service being targeted. These are standard fields in the flow log record format, as defined by AWS for capturing IP traffic metadata.

Exam trap

The trap here is that candidates often confuse network metadata with application-layer data, mistakenly thinking VPC Flow Logs can capture packet payloads or DNS query names, which are not part of the flow log record format.

56
Multi-Selectmedium

A company needs to monitor for unauthorized changes to security group rules. Which TWO AWS services can be used together to achieve this?

Select 2 answers
A.Amazon GuardDuty
B.AWS Config
C.Amazon Inspector
D.AWS CloudTrail
E.Amazon CloudWatch Events
AnswersB, E

Config tracks resource configuration changes.

Why this answer

Options B and E are correct. AWS Config can track changes to security group rules, and Amazon CloudWatch Events can trigger a notification when a configuration change is detected. Option A (GuardDuty) is for threat detection.

Option D (CloudTrail) logs API calls but is not the best choice for rule-level changes. Option C (Inspector) is for vulnerability scanning.

57
MCQhard

A security team uses Amazon Macie to discover sensitive data in S3. They have configured Macie to run automated sensitive data discovery jobs. After reviewing the findings, they notice that some S3 objects containing personally identifiable information (PII) are not being flagged. What is the most likely cause?

A.The Macie service-linked role does not have permissions to read the objects.
B.The S3 bucket is in a different AWS Region than the Macie job.
C.The S3 objects are encrypted with SSE-S3.
D.The PII is in a format that Macie's managed data identifiers do not recognize, and no custom data identifier is configured.
AnswerD

Managed identifiers cover common patterns; custom identifiers are needed for proprietary or less common formats.

Why this answer

Macie uses managed data identifiers for common PII types. If the PII is in a format not covered (e.g., custom formats), it may not be detected. Macie also supports custom data identifiers that must be configured.

58
Multi-Selecthard

A company wants to ensure that all S3 buckets are encrypted at rest. Which THREE services can be used to detect and alert on unencrypted buckets?

Select 3 answers
A.AWS Config
B.Amazon CloudWatch Logs Insights
C.Amazon VPC Flow Logs
D.AWS Security Hub
E.AWS CloudTrail with Amazon CloudWatch Events
AnswersA, D, E

Config has a managed rule to check if S3 buckets have encryption enabled.

Why this answer

Options A, D, and E are correct. AWS Config has a managed rule, 's3-bucket-server-side-encryption-enabled', that detects unencrypted buckets. CloudTrail logs PutBucketEncryption API calls, and CloudWatch Events can alert when encryption is not enabled.

Security Hub aggregates findings from multiple services, including Config and GuardDuty, and can generate alerts. Option C is incorrect because VPC Flow Logs do not relate to S3 encryption. Option B is incorrect because CloudWatch Logs Insights is a query tool, not a detection service.

59
Multi-Selectmedium

A company is using Amazon GuardDuty to detect threats. The security team wants to receive alerts for specific findings. Which TWO AWS services can be used to forward GuardDuty findings to a custom application for analysis? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Events (Amazon EventBridge)
B.Amazon Kinesis Data Streams
C.Amazon Simple Queue Service (SQS)
D.AWS Lambda
E.Amazon S3
AnswersA, E

GuardDuty publishes findings to EventBridge, which can then route to various targets.

Why this answer

Options A and E are correct. GuardDuty publishes findings to EventBridge as events from source aws.guardduty, and it can export findings directly to an S3 bucket (encrypted with a KMS key you specify) without EventBridge; a custom application can consume either feed. Option B is wrong because GuardDuty does not write to Kinesis Data Streams directly; a stream can only be an EventBridge target. Option C is wrong for the same reason: SQS is reached only as an EventBridge target.

Option D is wrong because Lambda is an EventBridge target, not a GuardDuty destination.

60
Multi-Selectmedium

A security engineer is designing a centralized logging solution for multiple AWS accounts. Which TWO services should be used to aggregate logs from all accounts into a single account? (Choose TWO.)

Select 2 answers
A.AWS Config
B.VPC Flow Logs
C.Amazon CloudWatch Logs
D.Amazon S3
E.AWS CloudTrail
AnswersC, E

CloudWatch Logs can use cross-account subscription filters.

Why this answer

Options C and E are correct. CloudTrail delivers logs from every account to one central S3 bucket, either through an organization trail or by pointing each account's trail at a bucket whose policy permits cross-account delivery. CloudWatch Logs uses subscription filters with a cross-account destination (such as a Kinesis stream in the central account) to forward log events. Option A is wrong because AWS Config aggregators collect configuration and compliance data, not logs.

Option B is wrong because VPC Flow Logs are a log source; they still need CloudWatch Logs or S3 as the delivery path. Option D is wrong because S3 is storage for the delivered logs, not the service that aggregates them.

61
MCQeasy

A company uses Amazon GuardDuty to detect threats. The security team wants to receive real-time notifications for all GuardDuty findings with a severity of HIGH or CRITICAL. What is the MOST efficient way to achieve this?

A.Create a CloudWatch Events rule that matches GuardDuty findings with severity HIGH or CRITICAL and targets an SNS topic.
B.Use the GuardDuty console to set up email alerts for high-severity findings.
C.Configure GuardDuty to export findings to an S3 bucket and use S3 event notifications to trigger an SNS topic.
D.Stream GuardDuty findings to CloudWatch Logs and create a metric filter to trigger an alarm.
AnswerA

CloudWatch Events provides real-time event filtering and notification.

Why this answer

Option A is correct. GuardDuty publishes every finding to EventBridge within minutes, and a rule can match on the numeric detail.severity field (7.0 and above covers High and Critical) with an SNS topic as the target. Option B is wrong because the GuardDuty console has no built-in notification feature. Option C is wrong because the S3 export is a batched, delayed path (new findings are exported a few minutes after creation and updates at the configured frequency, six hours by default), so S3 event notifications are not real time.

Option D is wrong because GuardDuty does not stream findings to CloudWatch Logs natively; EventBridge would be needed in front of it anyway, and a metric filter over the raw JSON is more work than matching severity in the rule.

62
MCQhard

A company uses Amazon GuardDuty to monitor for malicious activity in its AWS environment. The security team receives a high number of findings, many of which are false positives. They want to reduce noise by suppressing findings for known benign activities, such as internal vulnerability scans performed by the security team. GuardDuty has a feature to create suppression rules based on finding criteria. However, the team also wants to ensure that if a new type of threat is detected, it is immediately escalated. What is the MOST effective way to manage GuardDuty findings?

A.Set GuardDuty to only generate findings for medium and high severity, ignoring low severity findings.
B.Create a suppression rule that blocks all findings from the internal IP range used by the security team.
C.Disable the specific GuardDuty finding types that generate false positives.
D.Create suppression rules that automatically archive findings matching the known benign activity criteria, and periodically review the suppressed findings.
AnswerD

Suppression rules target specific criteria and allow for periodic review to ensure no missed threats.

Why this answer

The correct answer is D. A suppression rule is a filter on finding attributes (for example finding type plus the scanner's instance ID or source IP); matching findings are archived automatically and are not sent to Security Hub, S3 or EventBridge, so they stop generating alerts. Anything that does not match is still published, so a new finding type or an unexpected attribute combination is escalated as normal. Periodically reviewing the archived findings catches rules that have become too broad.

Option A is incorrect because GuardDuty has no severity threshold setting, and low-severity findings (such as reconnaissance) are often the first sign of an intrusion. Option B is incorrect because suppressing everything from the scanner's IP range also hides attacker activity from a compromised host in that range. Option C is incorrect because GuardDuty does not let you disable individual finding types, and doing so would miss real instances of those threats.

63
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to enable CloudTrail for all accounts and centrally store logs. What is the most efficient way to achieve this?

A.Use an S3 bucket policy to allow cross-account log delivery
B.Create a CloudTrail trail in the management account and apply it to all accounts in the organization
C.Use AWS Lambda to create trails in each account
D.Ask each account admin to create their own CloudTrail trail and deliver to a central S3 bucket
AnswerB

Organization trails log all accounts centrally.

Why this answer

Option B is correct. With trusted access for CloudTrail enabled in AWS Organizations, a trail created in the management account (or a delegated administrator account) as an organization trail logs events from all member accounts, including accounts added later, into a single S3 bucket. Member accounts can see the trail but cannot modify or stop it.

Option A is wrong because a bucket policy grants delivery permission but creates no trails. Options C and D are wrong because per-account trails, whether created by Lambda or by each administrator, must be repeated for every new account and can be disabled locally.

64
MCQhard

A company uses Amazon RDS for MySQL and needs to monitor database activity for suspicious queries, such as unauthorized access attempts or SQL injection. The security team wants to centralize the logs from multiple RDS instances and analyze them in near real-time. Which solution should be implemented?

A.Enable RDS Enhanced Monitoring and stream the metrics to Amazon CloudWatch.
B.Enable VPC Flow Logs for the RDS instances and analyze the logs using Amazon Athena.
C.Enable AWS CloudTrail for RDS API calls and use Amazon GuardDuty to analyze the logs.
D.Enable database audit logs on each RDS instance, stream them to Amazon CloudWatch Logs, and use CloudWatch Logs Insights to query the logs.
AnswerD

Audit logs capture SQL queries; CloudWatch Logs provides centralized storage and analysis.

Why this answer

Option D is correct. RDS for MySQL produces database audit logs through the MariaDB Audit Plugin (the MARIADB_AUDIT_PLUGIN option in the instance's option group, with SERVER_AUDIT_EVENTS set to include CONNECT and QUERY), and the audit log type can be published to CloudWatch Logs from each instance. With all instances publishing to log groups in one account, CloudWatch Logs Insights queries, metric filters and subscription filters give near-real-time analysis. Option A is wrong because Enhanced Monitoring provides OS-level metrics (CPU, memory, processes), not SQL statements. Option B is wrong because VPC Flow Logs capture network flow metadata, not query text.

Option C is wrong because CloudTrail records control-plane API calls such as ModifyDBInstance, not the queries executed inside the database.
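What the analysis step in option D looks like once the audit log is in CloudWatch Logs, as an added example (not part of the original question set): a detection pass over RDS for MySQL audit-log lines in the MariaDB Audit Plugin CSV format, flagging a burst of failed connections and injection-shaped queries. The sample lines are constructed; the threshold and regexes are assumptions to tune against real traffic.

```python
"""Added example: scan RDS for MySQL audit-log lines (MariaDB Audit Plugin format)
for failed-login bursts and injection-shaped queries.

SAMPLE_LOG is constructed for this example. The column layout follows the
plugin's CSV format: timestamp, serverhost, username, host, connectionid,
queryid, operation, database, object, retcode, where object is single-quoted
and inner quotes are backslash-escaped."""
import re
from collections import Counter
from dataclasses import dataclass

FAILED_LOGIN_THRESHOLD = 3  # assumption: alert on the 3rd failed connect per (user, host)

# Heuristic injection signatures; kept narrow so ordinary application SQL does not match.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\b\s*('\w*'|\d+)\s*=\s*('\w*'|\d+)", re.I)),  # ' OR '1'='1
    ("union_select", re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("trailing_comment", re.compile(r"(--|#|/\*)\s*$")),
]

SAMPLE_LOG = r"""
20240318 14:11:05,ip-10-0-0-5,app_user,10.0.0.7,12,305,QUERY,appdb,'SELECT id, email FROM users WHERE id = 42',0
20240318 14:11:06,ip-10-0-0-5,app_user,10.0.0.7,12,306,QUERY,appdb,'SELECT id, email FROM users WHERE name = \'x\' OR \'1\'=\'1\'',0
20240318 14:11:09,ip-10-0-0-5,admin,203.0.113.9,13,0,FAILED_CONNECT,,,1045
20240318 14:11:10,ip-10-0-0-5,admin,203.0.113.9,14,0,FAILED_CONNECT,,,1045
20240318 14:11:11,ip-10-0-0-5,admin,203.0.113.9,15,0,FAILED_CONNECT,,,1045
20240318 14:11:20,ip-10-0-0-5,app_user,10.0.0.7,12,307,QUERY,appdb,'SELECT 1 UNION SELECT table_name FROM information_schema.tables',0
"""


@dataclass
class AuditEvent:
    timestamp: str
    serverhost: str
    username: str
    host: str
    connectionid: str
    queryid: str
    operation: str
    database: str
    obj: str
    retcode: int


def parse_line(line: str) -> AuditEvent:
    """Split one audit line. The object column may itself contain commas, so take the
    first eight fields from the left and the return code from the right."""
    head, retcode = line.rsplit(",", 1)
    fields = head.split(",", 8)
    fields += [""] * (9 - len(fields))          # FAILED_CONNECT lines carry an empty object
    obj = fields[8]
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")     # strip quoting, unescape embedded quotes
    return AuditEvent(*fields[:8], obj, int(retcode))


def detect(lines):
    """Return alerts in log order: one brute_force alert when failed connects from a
    (user, host) pair reach the threshold, and one sqli alert per query matching a signature."""
    alerts, failed = [], Counter()
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.operation == "FAILED_CONNECT":
            failed[(ev.username, ev.host)] += 1
            if failed[(ev.username, ev.host)] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"type": "brute_force", "user": ev.username, "host": ev.host,
                               "retcode": ev.retcode, "at": ev.timestamp})
        elif ev.operation == "QUERY":
            for name, pat in SQLI_PATTERNS:
                if pat.search(ev.obj):
                    alerts.append({"type": "sqli", "signature": name, "user": ev.username,
                                   "database": ev.database, "query": ev.obj, "at": ev.timestamp})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same split-from-both-ends parsing is what a Logs Insights parse statement over the raw line has to do, because the quoted query text can contain commas; the return code 1045 on FAILED_CONNECT is MySQL's access-denied error, which is the field to count for brute-force alerts.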

65
MCQmedium

A company uses AWS CloudTrail to log API activity across multiple accounts. The security team wants to ensure that any S3 bucket created with public read access is detected within minutes. Which solution is MOST efficient?

A.Create an Amazon EventBridge rule that matches CloudTrail CreateBucket API calls and triggers a Lambda function that inspects the bucket's public access settings and alerts if public.
B.Use AWS Config rules to check S3 bucket public access settings and trigger an AWS Lambda function to send alerts.
C.Use S3 server access logs and run a daily script to parse the logs for PutBucketAcl actions.
D.Enable CloudTrail log file validation and use Athena to query logs hourly for CreateBucket events with public ACLs.
AnswerA

EventBridge events are near-real-time, and the Lambda can immediately check and alert.

Why this answer

Option A is correct. CloudTrail delivers management events to EventBridge within minutes, so a rule on the S3 CreateBucket event (and, in practice, also PutBucketAcl, PutBucketPolicy and PutPublicAccessBlock, since a bucket usually becomes public after creation) can invoke a Lambda function that calls GetBucketAcl, GetBucketPolicyStatus and GetPublicAccessBlock and raises an alert if the bucket is public. Option B is wrong because Config evaluations run when the configuration item is recorded, which lags the API call; rules such as s3-bucket-public-read-prohibited are a good complement for drift, not the fastest detector. Option C is wrong because a daily script misses the minutes requirement, and S3 server access logs are delivered on a best-effort basis.

Option D is wrong because log file validation protects log integrity and has nothing to do with detection, and hourly Athena polling is too slow. Buckets created since April 2023 have Block Public Access enabled by default, so an alert on a public ACL usually means that protection was also disabled.
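The Lambda-side logic for option A (and the DeleteBucketEncryption case from question 58), as an added example that is not part of the original page: it evaluates CloudTrail S3 records as EventBridge delivers them and returns findings. The events are constructed, the actor ARN and bucket names are made up, and the publish callback stands in for an SNS call so the code runs offline; a production handler would follow up with GetBucketAcl / GetBucketPolicyStatus / GetBucketEncryption because the event shows the request, not the resulting state.

```python
"""Added example: evaluate CloudTrail S3 management events, as delivered to an
EventBridge-triggered Lambda function, for public exposure and encryption changes.
SAMPLE_EVENTS are constructed; field names follow the CloudTrail record format for
S3, where requestParameters carries the request's headers and body."""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(value):
    """CloudTrail renders repeated S3 headers and grants as lists, single ones as scalars."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_grants(params):
    acl = params.get("AccessControlPolicy") or {}
    grants = _as_list((acl.get("AccessControlList") or {}).get("Grant"))
    return [g for g in grants if (g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES]


def _public_statements(policy):
    if isinstance(policy, str):             # the policy body may arrive as a JSON string
        policy = json.loads(policy)
    return [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and s.get("Principal") in ("*", {"AWS": "*"})
        and "Condition" not in s            # Principal * behind a condition (e.g. aws:SourceVpce) is not public
    ]


def evaluate_record(record):
    """Return (severity, message) findings for one CloudTrail record."""
    findings = []
    if record.get("eventSource") != "s3.amazonaws.com":
        return findings
    params = record.get("requestParameters") or {}
    bucket = params.get("bucketName", "<unknown>")
    name = record.get("eventName")
    actor = (record.get("userIdentity") or {}).get("arn", "<unknown>")

    if name in ("CreateBucket", "PutBucketAcl"):
        canned = set(_as_list(params.get("x-amz-acl"))) & PUBLIC_CANNED_ACLS
        if canned:
            findings.append(("HIGH", f"{name} on {bucket} by {actor} set canned ACL {sorted(canned)}"))
        if _public_grants(params):
            findings.append(("HIGH", f"{name} on {bucket} by {actor} granted an all-users group"))
    elif name == "PutBucketPolicy" and _public_statements(params.get("bucketPolicy") or {}):
        findings.append(("HIGH", f"PutBucketPolicy on {bucket} by {actor} allows Principal * unconditionally"))
    elif name == "DeleteBucketEncryption":
        findings.append(("MEDIUM", f"DeleteBucketEncryption on {bucket} by {actor}"))
    elif name == "PutPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        disabled = sorted(k for k, v in cfg.items() if str(v).lower() == "false")
        if disabled:
            findings.append(("MEDIUM", f"PutPublicAccessBlock on {bucket} by {actor} disabled {disabled}"))
    return findings


def lambda_handler(event, context=None, publish=print):
    """EventBridge target entry point; the CloudTrail record sits under event['detail'].
    `publish` stands in for an SNS publish call so the logic runs offline."""
    findings = evaluate_record(event.get("detail") or {})
    for severity, message in findings:
        publish(f"[{severity}] {message}")
    return findings


def _ct(event_name, params, actor="arn:aws:iam::123456789012:user/dev1"):
    """Build a constructed EventBridge event wrapping a CloudTrail S3 record."""
    return {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "s3.amazonaws.com", "eventName": event_name,
                       "userIdentity": {"type": "IAMUser", "arn": actor},
                       "requestParameters": params}}


SAMPLE_EVENTS = [
    _ct("CreateBucket", {"bucketName": "reports-export", "x-amz-acl": ["public-read"]}),
    _ct("PutBucketAcl", {"bucketName": "reports-export", "AccessControlPolicy": {"AccessControlList": {
        "Grant": {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}}}}),
    _ct("PutBucketPolicy", {"bucketName": "reports-export", "bucketPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-export/*"}]}}),
    _ct("DeleteBucketEncryption", {"bucketName": "reports-export"}),
    _ct("CreateBucket", {"bucketName": "reports-private"}),   # no ACL header: nothing to report
    _ct("PutBucketPolicy", {"bucketName": "reports-private", "bucketPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-private/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}}),  # conditioned: not public
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        lambda_handler(event)
```

The EventBridge rule feeding this handler matches source aws.s3 and detail-type "AWS API Call via CloudTrail" with the event names listed above; the handler then only has to classify, which keeps it cheap enough to run on every bucket-level change.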

66
MCQmedium

A security engineer is troubleshooting an issue where CloudTrail logs are not being delivered to the specified S3 bucket. The bucket policy allows CloudTrail to write objects. What is the MOST likely cause?

A.The S3 bucket uses server-side encryption with customer-provided keys (SSE-C).
B.The S3 bucket has a bucket policy that denies access to the CloudTrail service principal.
C.The S3 bucket does not have versioning enabled.
D.The S3 bucket is in a different AWS account.
AnswerB

An explicit deny in the bucket policy would override the allow.

Why this answer

Option B is correct. A Deny statement in the bucket policy (for example one restricting the bucket to a VPC endpoint or to a list of principals) overrides any Allow for the cloudtrail.amazonaws.com service principal, and CloudTrail silently stops delivering. Option A is wrong because SSE-C is a per-request option supplied by the client, not a bucket setting; CloudTrail writes to buckets using SSE-S3 or SSE-KMS (the KMS key policy must then allow CloudTrail). Option C is wrong because versioning is not required for log delivery.

Option D is wrong because CloudTrail delivers to a bucket in another account as long as the bucket policy grants s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix with the bucket-owner-full-control ACL condition.

67
MCQhard

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs from account 123456789012 to the bucket my-trail-bucket. However, CloudTrail logs are not being delivered. What is the most likely reason?

A.The Principal should be the CloudTrail service principal for the specific region.
B.The Action should be s3:PutObjectAcl instead of s3:PutObject.
C.The resource ARN does not include the bucket name.
D.The policy is missing s3:GetBucketAcl permission.
AnswerD

CloudTrail calls GetBucketAcl on the bucket before delivering; without that permission the trail fails.

Why this answer

Option D is correct. Before delivering a log file, CloudTrail calls GetBucketAcl on the target bucket to confirm the bucket owner has full control, so the bucket policy needs a statement granting s3:GetBucketAcl on the bucket ARN in addition to s3:PutObject on the AWSLogs/123456789012/* prefix. Without it, log delivery fails.

Option A is wrong because the CloudTrail service principal is the global cloudtrail.amazonaws.com, not a regional one. Option B is wrong because s3:PutObject is the correct action; the policy should additionally require the s3:x-amz-acl value bucket-owner-full-control as a condition. Option C is wrong because the resource ARN in the exhibit is correct.

68
MCQeasy

A security engineer is investigating a potential security incident and needs to determine if an EC2 instance was launched with a specific AMI ID. Which AWS log should be examined?

A.AWS Config timeline
B.VPC Flow Logs
C.AWS CloudTrail
D.Amazon CloudWatch Logs (EC2 agent logs)
AnswerC

CloudTrail logs the RunInstances API call with AMI ID.

Why this answer

Option C is correct. CloudTrail records the RunInstances API call, and its requestParameters and responseElements include the imageId, along with who made the call, from where, and when. Option A is a partial alternative: the AWS Config configuration item for the instance also carries imageId, but it shows the resulting state, not the launch call itself. Option B is wrong because VPC Flow Logs contain only network flow metadata.

Option D is wrong because the CloudWatch agent ships OS and application logs from inside the instance, which do not record how the instance was launched.

69
MCQmedium

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to determine if any unauthorized SSH keys were added to the instance's authorized_keys file. Which AWS service should be used to detect this change?

A.Amazon Inspector
B.AWS CloudTrail
C.Amazon GuardDuty
D.AWS Config
AnswerD

AWS Config is the closest fit, extended with Systems Manager data or a custom rule; no listed service reads guest-OS files natively.

Why this answer

Option D is the intended answer, with a caveat: none of the listed services inspects guest-OS file contents natively. AWS Config tracks the configuration of AWS resources (security groups, IAM, instance attributes) and can be extended with custom rules and with Systems Manager data from managed instances; a change to ~/.ssh/authorized_keys on the host is only visible if something on the instance collects it, such as a file-integrity monitoring agent or a Systems Manager Run Command or State Manager check that reports the file's hash.

Option A is wrong because Amazon Inspector assesses software vulnerabilities and network reachability, not file integrity. Option B is wrong because CloudTrail records AWS API calls, not changes inside the instance. Option C is wrong because GuardDuty detects threats from CloudTrail, VPC Flow Logs, DNS logs and (with Runtime Monitoring) process activity, but it does not track authorized_keys edits as such.
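The host-side check that the Config or Systems Manager integration would have to run, as an added example that is not part of the original page: a minimal file-integrity comparison of authorized_keys that keys on SSH fingerprints rather than raw lines, so a swapped key behind an unchanged comment is still caught. The baseline and current file contents are constructed, and the key blobs are synthetic bytes laid out like OpenSSH ed25519 public keys, not anyone's real keys; where the baseline is stored off-host is left to the deployment.

```python
"""Added example: a minimal file-integrity check for ~/.ssh/authorized_keys that
compares key fingerprints, not raw lines or comments. BASELINE and CURRENT are
constructed; the key blobs are synthetic bytes encoded the way OpenSSH encodes
public keys, so the fingerprints belong to no real key."""
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return {fingerprint: (key_type, options, comment)} for each key line.
    Lines may start with an options field (from=..., command=..., no-pty); the key type
    token is located by prefix so that field can be skipped. Options that contain spaces
    inside quotes are not handled here."""
    keys = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue                                  # malformed line: no type/blob pair
        options = " ".join(parts[:idx])
        comment = " ".join(parts[idx + 2:])
        keys[fingerprint(parts[idx + 1])] = (parts[idx], options, comment)
    return keys


def diff_authorized_keys(baseline_text: str, current_text: str):
    """Report keys added to or removed from the file relative to the baseline."""
    base, cur = parse_authorized_keys(baseline_text), parse_authorized_keys(current_text)
    return {
        "added": {fp: cur[fp] for fp in sorted(cur.keys() - base.keys())},
        "removed": {fp: base[fp] for fp in sorted(base.keys() - cur.keys())},
    }


def _synthetic_blob(seed: int) -> str:
    """Constructed ssh-ed25519 wire format: length-prefixed type string, length-prefixed 32-byte key."""
    key = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    wire = len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519" + len(key).to_bytes(4, "big") + key
    return base64.b64encode(wire).decode()


BASELINE = f"""# managed by configuration management
ssh-ed25519 {_synthetic_blob(1)} alice@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {_synthetic_blob(2)} deploy@ci
"""

# Constructed tampering: alice's key material was swapped but her comment kept, and a key was appended.
CURRENT = f"""# managed by configuration management
ssh-ed25519 {_synthetic_blob(99)} alice@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {_synthetic_blob(2)} deploy@ci
ssh-ed25519 {_synthetic_blob(100)} backup
"""

if __name__ == "__main__":
    for change, keys in diff_authorized_keys(BASELINE, CURRENT).items():
        for fp, (key_type, options, comment) in keys.items():
            print(f"{change}: {key_type} {fp} {comment!r} options={options!r}")
```

Comparing by fingerprint also makes the report match what `ssh-keygen -lf` and sshd's own logs print, so an alert can be correlated with the accepted-publickey line for a later login.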

70
MCQhard

Refer to the exhibit. An IAM policy is attached to a user. The user reports that they cannot upload objects to the S3 bucket 'example-bucket' using the AWS CLI from a remote location. What is the MOST likely cause?

A.The CLI is using HTTP instead of HTTPS.
B.The bucket policy denies access.
C.The bucket requires server-side encryption.
D.The user is not authorized to upload to the bucket.
E.The user does not have s3:PutObject permission.
AnswerA

The Deny statement blocks non-HTTPS requests.

Why this answer

Option A is correct. The policy in the exhibit contains a Deny statement conditioned on aws:SecureTransport being false, which rejects any request that does not use TLS. The AWS CLI uses HTTPS by default, so in practice this condition only bites when the CLI has been configured with an http:// --endpoint-url or routed through a plaintext proxy.

Options D and E are wrong because the Allow statement grants s3:PutObject on the bucket. Option C is wrong because the policy carries no encryption condition (such as s3:x-amz-server-side-encryption). Option B is wrong because the exhibit is the user's IAM policy and nothing indicates a bucket policy deny; the Deny that matters is in the identity policy itself.

71
MCQmedium

A security engineer configured the S3 bucket policy shown above for CloudTrail log delivery, but CloudTrail is not delivering logs. What is the MOST likely reason?

A.The policy does not include s3:GetBucketAcl permission.
B.The bucket is in the wrong region.
C.The resource ARN is incorrect.
D.The bucket does not have default encryption enabled.
AnswerA

CloudTrail needs GetBucketAcl to verify bucket ACL.

Why this answer

Option A is correct. CloudTrail calls s3:GetBucketAcl on the bucket before writing, so the policy must grant that action on the bucket ARN as well as s3:PutObject on the log prefix. Option B is wrong because a trail can deliver to a bucket in any region; the bucket's region is not part of the policy. Option C is wrong because the resource ARN in the exhibit is correct for CloudTrail log objects.

Option D is wrong because default encryption is not required for delivery; CloudTrail writes with SSE-S3 unless the trail is configured with a KMS key.
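The complete delivery policy for questions 67 and 71, as an added example (the exhibit those questions refer to is not reproduced here). It uses the bucket my-trail-bucket and account 123456789012 from question 67; the region us-east-1 and the trail name my-trail in the aws:SourceArn condition are assumed. The first statement is the one the exhibit is missing; the second is the write grant with the ACL condition CloudTrail requires.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-trail-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail"
        }
      }
    }
  ]
}
```

The aws:SourceArn condition is the confused-deputy guard: it stops a trail in some other account from writing into this bucket just because the service principal is allowed. For an organization trail, add a second PutObject resource for the AWSLogs/<organization-id>/* prefix with the same conditions.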

72
MCQeasy

A company needs to be alerted when root account credentials are used in their AWS account. Which service should be used to create a metric filter and alarm for this event?

A.Amazon GuardDuty
B.AWS Config
C.AWS CloudTrail
D.Amazon CloudWatch Logs
AnswerD

CloudWatch Logs can create metric filters and alarms on CloudTrail logs.

Why this answer

Option D is correct. With the trail configured to send events to a CloudWatch Logs log group, a metric filter matching records where userIdentity.type is Root (excluding service-invoked events) produces a custom metric, and a CloudWatch alarm on that metric notifies an SNS topic. Option C is wrong because CloudTrail is the log source but has no metric filter or alarm facility of its own. Option A is wrong because GuardDuty's root credential finding (Policy:IAMUser/RootCredentialUsage) is useful, but the requirement is a custom metric filter and alarm.

Option B is wrong because AWS Config evaluates resource configurations, not log events.
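The filter pattern behind option D, together with two companion patterns that are usually deployed alongside it (console sign-in without MFA, unauthorized API calls), as an added example that is not part of the original page. The pattern strings are what goes into the metric filter; the Python predicates mirror their logic so they can be tested against sample records before an alarm ever fires. The CloudTrail records are constructed, with made-up event IDs and ARNs.

```python
"""Added example: three CloudWatch Logs metric filter patterns for a CloudTrail log
group (root usage, console sign-in without MFA, unauthorized API calls) with offline
Python equivalents evaluated over constructed CloudTrail records."""
import json

FILTERS = {
    # Root usage, excluding AWS-service-driven events that run as root on your behalf.
    "root_usage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                  '&& $.eventType != "AwsServiceEvent" }',
    # Console sign-ins where MFA was not used (federated/SSO logins report "No" too; scope accordingly).
    "console_no_mfa": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    # Authorization failures, which often precede privilege-escalation attempts.
    "unauthorized_call": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
}


def is_root_usage(r):
    identity = r.get("userIdentity") or {}
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and r.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(r):
    return (r.get("eventName") == "ConsoleLogin"
            and (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes")


def is_unauthorized_call(r):
    code = r.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


PREDICATES = {
    "root_usage": is_root_usage,
    "console_no_mfa": is_console_login_without_mfa,
    "unauthorized_call": is_unauthorized_call,
}


def evaluate_log_file(log_file_json: str):
    """Apply every predicate to each record of one CloudTrail log file ({"Records": [...]}).
    Returns {filter_name: [eventID, ...]}, i.e. what each metric filter would count."""
    records = json.loads(log_file_json)["Records"]
    return {name: [r["eventID"] for r in records if pred(r)] for name, pred in PREDICATES.items()}


# Constructed log file: one genuine root sign-in, one service event running as root,
# an IAM user signing in without MFA, two authorization failures, and a clean call.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventType": "AwsServiceEvent", "eventName": "CreateServiceLinkedRole",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventID": "e3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "errorCode": "AccessDenied"},
    {"eventID": "e6", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

if __name__ == "__main__":
    print(json.dumps(evaluate_log_file(SAMPLE_LOG_FILE), indent=2))
```

Each pattern is deployed with put-metric-filter on the trail's log group, emitting metric value 1 per match, and the alarm is set to trigger on a sum of 1 or more over one period so a single root sign-in is enough to notify. Record e2 is why the root pattern carries the two exclusions: AWS itself performs some actions as root on the account's behalf, and counting those produces constant noise.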

73
Multi-Selecthard

Which THREE are best practices for securing AWS CloudTrail log files? (Choose three.)

Select 3 answers
A.Restrict access to the S3 bucket using a bucket policy that requires MFA and encryption.
B.Enable CloudTrail log file integrity validation.
C.Enable server-side encryption (SSE) for the S3 bucket.
D.Deliver logs to an S3 bucket in the same region as the trail.
E.Set a lifecycle policy to delete logs after 30 days.
AnswersA, B, C

Access restriction, integrity validation and encryption at rest protect the log files themselves.

Why this answer

Option A is correct because restricting access to the log bucket with a bucket policy (for example requiring MFA via aws:MultiFactorAuthPresent and denying unencrypted uploads) ensures only authorized principals can read or alter logs. Option B is correct because log file integrity validation writes SHA-256 digest files signed by CloudTrail, so tampering with or deletion of delivered logs can be proven. Option C is correct because server-side encryption (SSE-S3 or SSE-KMS) protects log confidentiality at rest.

Option D is incorrect because the bucket's region is not a security control; a multi-region trail delivers logs from every region to a single bucket. Option E is incorrect because deleting logs after 30 days defeats investigations and most retention requirements; use lifecycle rules to move logs to cheaper storage classes instead, with a retention period set by policy.

74
MCQhard

A company uses AWS CloudTrail to log all API calls across multiple accounts in AWS Organizations. The security team notices that management events are being logged, but data events for Amazon S3 are not appearing in the CloudTrail logs for any account. The team needs to enable data event logging for S3 across all accounts. Currently, the organization trail is configured in the management account, and all member accounts have default CloudTrail configurations. What is the MOST efficient way to enable S3 data event logging for all current and future accounts in the organization?

A.Ask each member account to create a new trail in their own account with S3 data events enabled.
B.Update the existing organization trail's event selectors in the management account to include S3 data events for all accounts.
C.Enable S3 server access logging on all S3 buckets across the organization and aggregate logs in a central S3 bucket.
D.Create a new organization trail in the management account with S3 data events enabled, and share it with member accounts.
AnswerB

Updating the organization trail applies changes to all current and future accounts automatically.

Why this answer

The correct answer is B. Editing the organization trail's event selectors (or advanced event selectors, with eventCategory equal to Data and resources.type equal to AWS::S3::Object) in the management account turns on S3 data events for every member account, and new accounts inherit the setting automatically. Data events are billed per event, so scope the selectors to the buckets that matter. Option A is incorrect because per-account trails are inefficient, do not cover future accounts, and member accounts cannot modify the organization trail anyway.

Option C is incorrect because S3 server access logs are a separate, best-effort feature delivered to S3, not CloudTrail data events. Option D is incorrect because a second organization trail duplicates the existing one when the existing trail can simply be updated.

75
MCQeasy

A company wants to monitor CPU utilization of their EC2 instances and receive an alert when utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to set up this metric alarm?

A.Amazon CloudWatch Alarms
B.Amazon Inspector
C.AWS Config
D.AWS CloudTrail
AnswerA

CloudWatch Alarms monitor metrics and trigger actions based on thresholds.

Why this answer

Option A is correct. A CloudWatch alarm on the EC2 CPUUtilization metric with a threshold of 80 percent over five consecutive one-minute periods (detailed monitoring is needed for one-minute data points; basic monitoring reports every five minutes) triggers an SNS notification or an Auto Scaling action. Option B is wrong because Amazon Inspector is a vulnerability assessment service. Option C is wrong because AWS Config records configuration changes.

Option D is wrong because AWS CloudTrail logs API calls, not performance metrics.
