CCNA Security Logging Questions

75 of 323 questions · Page 2/5 · Security Logging topic · Answers revealed

76
MCQ · medium

A security engineer is configuring AWS CloudTrail to log management events for all AWS regions. The engineer needs to ensure that log files are encrypted at rest and that access to the log files is logged. Which solution meets these requirements?

A.Enable CloudTrail with SSE-C encryption and enable AWS CloudTrail Insights to log access.
B.Enable CloudTrail with SSE-S3 encryption and enable S3 server access logging on the destination bucket.
C.Enable CloudTrail with default encryption and enable AWS Config to log access.
D.Enable CloudTrail with SSE-KMS encryption and enable S3 server access logging on the destination bucket.
Answer: D

CloudTrail supports SSE-KMS for encryption at rest, and S3 server access logs capture requests to the bucket.

Why this answer

Option D is correct because CloudTrail can be configured to use SSE-KMS for encryption, and S3 server access logs record access to the log files. Option B is wrong because SSE-S3 does not provide access logging. Option A is wrong because SSE-C is not supported by CloudTrail.

Option C is wrong because CloudWatch Logs does not encrypt log files at rest by default.

77
MCQ · hard

A company uses Amazon Route 53 for DNS and wants to log all DNS queries made from its VPC. The logs must be stored in Amazon S3 for compliance purposes. Which solution meets these requirements?

A.Enable Route 53 Resolver query logging and publish to an S3 bucket.
B.Install a CloudWatch Logs agent on each EC2 instance and configure it to send DNS logs to CloudWatch Logs.
C.Enable AWS CloudTrail for DNS API calls and deliver to an S3 bucket.
D.Enable VPC Flow Logs and publish to an S3 bucket.
Answer: A

Route 53 Resolver query logging captures DNS queries made by resources in your VPC and can deliver logs to S3.

Why this answer

Option A is correct because Route 53 Resolver query logs record DNS queries made by resources within a VPC and can be delivered to S3. Option D is wrong because VPC Flow Logs capture IP traffic, not DNS queries. Option B is wrong because the CloudWatch Logs agent can capture logs but not directly from Route 53 Resolver without additional configuration.

Option C is wrong because AWS CloudTrail does not log DNS query content.

78
MCQ · medium

A security engineer is designing a monitoring solution for an AWS Lambda function that processes sensitive data. The function occasionally fails due to timeouts. The engineer needs to be alerted immediately when the function fails and also wants to analyze the error logs. Which combination of services should the engineer use?

A.Amazon CloudWatch Logs and Amazon Kinesis Data Firehose
B.Amazon CloudWatch Logs and CloudWatch Alarms with Amazon SNS
C.AWS CloudTrail and Amazon SNS
D.AWS Config and Amazon SNS
Answer: B

CloudWatch Logs stores logs, and CloudWatch Alarms trigger SNS notifications on errors.

Why this answer

Option B is correct because CloudWatch Logs captures Lambda execution logs, and CloudWatch Alarms can trigger SNS notifications based on metrics such as errors. Option C is incorrect because CloudTrail records API calls, not function execution logs. Option D is incorrect because Config tracks resource configuration changes, not runtime errors.

Option A is incorrect because Kinesis Data Firehose is for data streaming, not real-time alerting.

79
MCQ · medium

Refer to the exhibit. A security engineer finds this CloudTrail log entry. What is the most significant security concern indicated by this event?

A.The security group rule allows SSH access from any IP address (0.0.0.0/0).
B.The event is a normal administrative action and poses no security concern.
C.The user did not have MFA enabled when assuming the AdminRole.
D.The source IP address (203.0.113.5) is from an unusual location.
Answer: A

This exposes the instance to the internet on port 22.

Why this answer

The event shows a security group rule allowing SSH (port 22) from 0.0.0.0/0, which is a serious security risk. Additionally, the user did not use MFA despite having AdminRole privileges. Option A is correct because the open SSH access is the primary concern.

Option C is wrong because, while the absence of MFA is a concern, the open port is more critical. Option B is wrong because there is no indication of a compromised account. Option D is wrong because the event itself is not unusual, but the configuration it creates is.

80
MCQ · hard

A security engineer is configuring a centralized logging solution for multiple AWS accounts. The engineer needs to ensure that log files are encrypted at rest and that access to the logs is audited. Which combination of services and features should be used?

A.Use S3 SSE-S3 and enable S3 access logs.
B.Use AWS KMS to encrypt the logs before uploading to S3.
C.Use S3 SSE-C and enable CloudTrail for S3 data events.
D.Use S3 SSE-KMS and enable CloudTrail for S3 data events.
Answer: D

SSE-KMS provides encryption and key management; CloudTrail audits access.

Why this answer

S3 SSE-KMS provides encryption at rest with key management, and CloudTrail data events log all access to the S3 bucket. Option D is correct. Option A is wrong because SSE-S3 does not provide key management or an access audit.

Option C is wrong because SSE-C requires customer-managed keys but does not provide an audit. Option B is wrong because KMS alone, without CloudTrail, does not audit access.

81
MCQ · medium

A company uses AWS CloudTrail to log management events. The security team wants to be alerted when an IAM user creates a new access key. Which solution would meet this requirement with the least operational overhead?

A.Create a CloudWatch Logs metric filter on the CloudTrail log group for CreateAccessKey events and set an alarm.
B.Create an Amazon EventBridge rule that matches the CreateAccessKey event and triggers an Amazon SNS notification.
C.Write a Python script that uses the CloudTrail LookupEvents API and run it on a scheduled basis using Amazon EventBridge Scheduler.
D.Develop a custom AWS Lambda function that queries CloudTrail logs in S3 every hour.
Answer: B

EventBridge provides near-real-time event matching with minimal overhead.

Why this answer

Option B is correct because EventBridge rules can directly match CloudTrail events without CloudWatch Logs, so a rule that matches the CreateAccessKey event and targets an SNS topic needs no metric filter, alarm or custom code. Option A is wrong because sending CloudTrail events to CloudWatch Logs and maintaining a metric filter with an alarm is more overhead than a single EventBridge rule. Option C is wrong because it requires custom code and a schedule, which is more overhead.

Option D is wrong because a Lambda function polling S3 is more overhead than a simple EventBridge rule.

82
MCQ · hard

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team has implemented a centralized logging solution using Amazon S3 for ALB access logs and AWS CloudTrail logs. Recently, the team noticed that some ALB access logs are missing for certain time periods. The ALB is configured to deliver logs every 5 minutes to an S3 bucket with a bucket policy that grants the ALB service principal write access. The CloudTrail logs show no errors related to the ALB or S3. The S3 bucket is in the same region as the ALB. What is the most likely cause of the missing logs?

A.The S3 bucket has versioning enabled, which causes log delivery failures.
B.The bucket policy does not allow the ALB to write logs.
C.The ALB is not configured to send logs to the S3 bucket.
D.The S3 bucket is in a different AWS region than the ALB.
Answer: D

ALB can only deliver access logs to an S3 bucket in the same region.

Why this answer

Option D is correct because if the S3 bucket is in a different region, the ALB cannot deliver logs cross-region. Option C is wrong because CloudTrail logs are not related to ALB log delivery. Option B is wrong because the bucket policy is correct.

Option A is wrong because enabling versioning does not affect log delivery.

83
MCQ · hard

Refer to the exhibit. A security engineer has attached this IAM policy to a user. What is the effect of this policy?

A.Allows uploads with KMS encryption or without encryption.
B.Allows uploads only when encryption is not specified.
C.Denies uploads when encryption is not provided.
D.Allows uploads only when using KMS encryption.
Answer: A

Both conditions are covered by the two statements.

Why this answer

The policy allows s3:PutObject only if encryption is set to aws:kms OR if no encryption header is provided (Null condition). Option A is correct because the two statements together allow both encrypted and unencrypted uploads. Option D is wrong because the first statement allows only KMS encryption, but the second allows unencrypted uploads.

Option C is wrong because the policy does not explicitly deny unencrypted uploads. Option B is wrong because the second statement allows a missing encryption header rather than requiring it.

84
MCQ · medium

A company has a CloudTrail trail that logs management events and delivers them to an S3 bucket. The security team notices that some expected API calls are missing from the logs. They suspect that the calls were made by a service that is not tracked by CloudTrail. Which AWS service is NOT tracked by CloudTrail?

A.AWS Lambda
B.Amazon CloudFront
C.Amazon S3
D.Amazon EC2
Answer: B

CloudFront does not support CloudTrail logging; it provides its own access logs.

Why this answer

Option B is correct because Amazon CloudFront does not log management events via CloudTrail; it uses its own access logs. Options A, C, and D are all tracked by CloudTrail.

85
MCQ · easy

A security team needs to audit all changes to IAM policies in their AWS account. Which AWS service should be used?

A.AWS Config
B.Amazon CloudWatch
C.IAM Access Analyzer
D.AWS CloudTrail
Answer: D

CloudTrail logs all API calls for auditing.

Why this answer

Option D is correct because AWS CloudTrail records all API calls, including IAM policy changes. Option A is wrong because AWS Config records resource state but not API calls. Option B is wrong because CloudWatch is for metrics and alarms.

Option C is wrong because IAM Access Analyzer finds external access, not change history.

86
Multi-Select · medium

A security team wants to detect and alert on potential security threats such as compromised instances or malicious activity within their AWS environment. Which TWO AWS services should be used together to provide comprehensive threat detection?

Select 2 answers
A.AWS Security Hub
B.AWS CloudTrail
C.Amazon Inspector
D.AWS Config
E.Amazon GuardDuty
Answers: A, E

Aggregates and prioritizes security findings.

Why this answer

Amazon GuardDuty provides intelligent threat detection, and AWS Security Hub aggregates findings from multiple services, including GuardDuty. Options A and E are correct. Option B is wrong because CloudTrail is for logging, not threat detection.

Option C is wrong because Inspector is for vulnerability assessments. Option D is wrong because Config is for configuration compliance.

87
Multi-Select · hard

Which THREE are features of Amazon GuardDuty that help with threat detection? (Select THREE.)

Select 3 answers
A.Analyzes AWS Config configuration history.
B.Analyzes S3 object content for malware.
C.Analyzes VPC Flow Logs.
D.Analyzes DNS query logs.
E.Analyzes AWS CloudTrail management events.
Answers: C, D, E

GuardDuty uses VPC Flow Logs for network analysis.

Why this answer

Options C, D, and E are correct. GuardDuty uses machine learning and threat intelligence to detect threats. It analyzes CloudTrail management events, VPC Flow Logs, and DNS logs.

Option A is wrong because GuardDuty does not analyze Config configuration history; that is AWS Config. Option B is wrong because GuardDuty does not inspect S3 object content; it analyzes S3 data events.

88
MCQ · medium

A company has a multi-account AWS environment managed by AWS Organizations. The security team wants to enable a centralized logging solution where all VPC flow logs, CloudTrail logs, and AWS Config configuration items are sent to a single S3 bucket in the security account. The team has already created the S3 bucket with appropriate bucket policies to allow cross-account writes. However, logs are not appearing from all accounts. What is the MOST likely reason for this issue?

A.The security account is not the master account of the AWS Organization.
B.The S3 bucket policy does not grant write access to the root user of each member account.
C.The member accounts do not have the required IAM roles to allow the logging services to write to the central bucket.
D.The S3 bucket is encrypted with SSE-KMS and the KMS key policy does not allow cross-account access.
Answer: C

Each member account needs a service-linked role (e.g., AWSServiceRoleForCloudTrail) to enable cross-account logging.

Why this answer

When using AWS Organizations, you can enable trusted access for CloudTrail, Config, and VPC Flow Logs to centrally manage logging. However, the service-linked roles must be created in each member account to allow the logging service to write to the central bucket. Option C is correct because the member accounts need the appropriate IAM roles.

Option A is wrong because the security account does not need to be the master account for logging; a designated account can serve as the central logging account. Option B is wrong because the bucket policy should allow the logging service principal, not the account root user. Option D is wrong because KMS encryption is not required for cross-account logging.

89
MCQ · medium

A company is using Amazon Route 53 and wants to log DNS queries for investigative purposes. The logs must be stored in a centralized S3 bucket in the security account. What is the MOST efficient way to achieve this?

A.Enable VPC Flow Logs and analyze DNS traffic.
B.Enable CloudWatch Logs for Route 53 and stream to a Lambda function that writes to S3.
C.Configure Route 53 Resolver query logging to deliver to the central S3 bucket.
D.Use a custom Lambda function to poll Route 53 logs and write to S3.
Answer: C

Route 53 Resolver query logging supports direct delivery to S3, and you can use cross-account bucket policies.

Why this answer

Option C is correct because Route 53 Resolver query logs can be sent directly to S3, and by using AWS Organizations you can centralize logging. Option B is wrong because CloudWatch Logs adds an extra step. Option A is wrong because VPC Flow Logs are for network traffic, not DNS queries.

Option D is wrong because Route 53 does not have a built-in Lambda integration for this purpose.

90
MCQ · hard

A company requires real-time analysis of AWS CloudTrail logs to detect unauthorized API calls. The logs are stored in Amazon S3. Which architecture minimizes latency and cost?

A.Use AWS Glue to crawl S3 and load into Amazon Redshift for analysis
B.Send CloudTrail logs to Amazon CloudWatch Logs, then use a subscription filter to Amazon Kinesis Data Firehose delivering to Amazon OpenSearch Service
C.Query CloudTrail logs directly using Amazon Athena
D.Configure S3 event notifications to invoke an AWS Lambda function that writes to Amazon OpenSearch Service
Answer: B

Enables near real-time streaming.

Why this answer

Option B is correct because it provides the lowest-latency path for real-time analysis: CloudTrail logs are delivered to CloudWatch Logs in near real-time, and a subscription filter streams them to Kinesis Data Firehose, which buffers and delivers directly to Amazon OpenSearch Service for immediate indexing and search. This architecture avoids batch processing, minimizes data movement overhead, and uses managed services that scale automatically, keeping both latency and cost low.

Exam trap

The trap here is that candidates often assume S3 event notifications (Option D) are the fastest path for real-time processing, but they overlook the inherent delivery delay of CloudTrail to S3 (up to 15 minutes) and the risk of Lambda concurrency limits causing dropped events under high log volume.

How to eliminate wrong answers

Option A is wrong because AWS Glue crawling S3 and loading into Amazon Redshift introduces significant batch processing latency (minutes to hours) and incurs high costs for Redshift compute and storage, making it unsuitable for real-time analysis. Option C is wrong because querying CloudTrail logs directly with Amazon Athena requires scanning the entire S3 object set per query, which adds seconds to minutes of latency and incurs per-scan costs that become prohibitive for continuous real-time detection. Option D is wrong because S3 event notifications for CloudTrail logs are typically delivered with a delay (up to 15 minutes) and invoking a Lambda function per object to write to OpenSearch Service creates a tight coupling that can lead to throttling, data loss under high volume, and higher operational overhead compared to the managed streaming pipeline in B.

91
Matching · medium

Match each AWS security tool to its purpose.


Automated vulnerability assessment

Threat detection service

Centralized security findings aggregation

Investigation and analysis of security issues

Resource configuration monitoring and compliance

Why these pairings

These tools cover different aspects of security monitoring.

92
MCQ · hard

Refer to the exhibit. A security engineer is configuring the Amazon CloudWatch agent to collect logs from an Amazon ECS task. The configuration shown is used. However, the logs are not appearing in CloudWatch Logs. What is the most likely cause?

A.The multi_line_start_pattern is missing a closing delimiter.
B.The datetime_format is incorrect for the logs.
C.The configuration file is missing the 'logs' section at the top level.
D.The CloudWatch agent is not installed in the ECS task.
Answer: C

The CloudWatch agent configuration requires a 'logs' section containing the log definitions.

Why this answer

The exhibit places `log_group_name` and the other log-file settings at the top level of the configuration file. The CloudWatch agent only reads log definitions that are nested under the top-level `logs` section, so a configuration without that section collects nothing and no log events reach CloudWatch Logs. The `log_group_name` key itself is correct and is the same for the standalone agent and for an agent running in an ECS task, so the key is not the problem; the most typical mistake is that the log definitions are not properly nested under `logs`.

Option C is correct. Option D is wrong because the CloudWatch agent can run inside an ECS task. Option B is wrong because the `datetime_format` shown is standard.

Option A is wrong because `multi_line_start_pattern` is optional.

93
MCQ · easy

A company uses AWS CloudTrail to log API activity. The security team wants to ensure that any modification to CloudTrail configuration is logged and that the logs are tamper-proof. Which feature should be enabled?

A.S3 MFA Delete on the CloudTrail S3 bucket
B.S3 Versioning on the CloudTrail S3 bucket
C.CloudTrail Log File Integrity Validation
D.CloudWatch Logs log stream encryption
Answer: C

Provides tamper-proofing.

Why this answer

Option C is correct because CloudTrail Log File Integrity Validation uses SHA-256 hashing and digital signatures to detect tampering. Option B is wrong because S3 Versioning does not prevent tampering with logs. Option A is wrong because MFA Delete protects against deletion, not modification.

Option D is wrong because CloudWatch Logs does not provide integrity validation.

94
MCQ · hard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all API activity across all accounts is logged and immutable. CloudTrail is enabled in all accounts, but the logs are stored in individual account buckets. The team wants to centralize logs and prevent any account from disabling logging. What should they do?

A.Create a new CloudTrail trail for each account and configure S3 bucket policies to allow cross-account access.
B.Enable S3 MFA Delete on each account's log bucket and require MFA for IAM users.
C.Use CloudWatch Logs to aggregate logs and set a retention policy of 10 years.
D.Apply an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail, and create an organization trail that delivers logs to a central S3 bucket with a bucket policy that prevents deletion.
Answer: D

SCPs prevent disabling, and organization trail centralizes logs.

Why this answer

Option D is correct because using an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail prevents disabling, and creating an organization trail ensures logs are delivered to a central bucket. Option A is wrong because an organization trail already covers all accounts. Option B is wrong because S3 MFA Delete alone doesn't prevent CloudTrail disabling.

Option C is wrong because CloudWatch Logs doesn't provide immutable storage.

95
MCQ · hard

A company is using Amazon GuardDuty to detect threats in its AWS environment. The security team notices that GuardDuty is generating a high number of 'UnauthorizedAccess:IAMUser/MaliciousIPCaller' findings for an IAM user that is used by a legacy application. The security team has verified that the IP addresses flagged are not malicious but are legitimate IPs used by the application's third-party service. The company wants to suppress these findings without disabling GuardDuty entirely. Which solution is the MOST effective and secure?

A.Disable the specific finding type in GuardDuty settings.
B.Create a GuardDuty suppression rule that automatically archives findings for that IAM user.
C.Create a VPC flow log filter to exclude traffic from those IP addresses.
D.Modify the IAM user's permissions to restrict the IP addresses it can use.
Answer: B

Suppression rules allow you to filter out known false positives based on specific criteria.

Why this answer

GuardDuty supports suppression rules that automatically archive findings matching certain criteria. You can create a suppression rule based on the finding type and the IAM user's ARN to automatically archive these false positives. Option B is correct because it uses GuardDuty's built-in suppression feature.

Option A is wrong because disabling the finding type would suppress all similar findings for all users, which is too broad. Option D is wrong because modifying the IAM user's permissions does not affect GuardDuty findings. Option C is wrong because a VPC flow log filter does not suppress GuardDuty findings.

96
MCQ · easy

A security engineer needs to monitor AWS account activity for suspicious API calls and receive alerts. Which AWS service should the engineer use to meet this requirement?

A.VPC Flow Logs
B.AWS Config with AWS Config Rules
C.AWS CloudTrail with CloudWatch Alarms
D.Amazon GuardDuty
Answer: C

CloudTrail logs API calls, and CloudWatch Alarms can trigger on metric filters for specific API activity.

Why this answer

Option C is correct because CloudTrail logs API activity and can be integrated with CloudWatch Alarms for alerts. Option D is wrong because GuardDuty focuses on threat detection from various data sources, not specifically API monitoring. Option A is wrong because VPC Flow Logs capture network traffic.

Option B is wrong because AWS Config tracks configuration changes.

97
MCQ · medium

A security engineer is investigating a potential security incident. CloudTrail logs show that an IAM user 'admin' deleted an S3 bucket at 2023-01-15T10:30:00Z. The engineer needs to find the source IP address and user agent of the request. Which CloudTrail log field contains this information?

A.eventID
B.requestParameters
C.userAgent and sourceIPAddress
D.resources
Answer: C

These fields contain the required information.

Why this answer

Option C is correct because the user agent is stored in the userAgent field and the source IP in the sourceIPAddress field. Option A is wrong because eventID is only a unique identifier for the event. Option B is wrong because requestParameters contains the API parameters.

Option D is wrong because resources contains the ARNs of affected resources.

98
MCQ · easy

A security team wants to receive real-time notifications when an IAM user makes a change to a security group. Which AWS service should be used to trigger the notification?

A.AWS Config
B.AWS CloudTrail with Amazon CloudWatch Events
C.Amazon S3 event notifications
D.Amazon GuardDuty
Answer: B

CloudTrail logs the API call and CloudWatch Events can trigger an alert.

Why this answer

Option B is correct because CloudTrail logs the API call, and a CloudWatch Events rule can match the event and send a notification to SNS. Option A is wrong because Config evaluates resource configurations, not real-time API calls. Option C is wrong because S3 event notifications are for S3 objects.

Option D is wrong because GuardDuty is a threat detection service.

99
MCQ · hard

A security engineer is configuring Amazon GuardDuty in a multi-account environment using AWS Organizations. The engineer wants to ensure that all member accounts send findings to the delegated administrator account. However, some member accounts are not sending findings. What is the most likely cause?

A.The GuardDuty service-linked role is missing in the member accounts.
B.AWS CloudTrail is not enabled in the member accounts.
C.GuardDuty is not enabled in the member accounts, or they have not accepted the invitation.
D.VPC Flow Logs are not enabled in the member accounts.
Answer: C

Each member account must enable GuardDuty and accept the invitation.

Why this answer

GuardDuty must be enabled in each member account, and each member must explicitly accept the invitation from the administrator account. Option C is correct. Option D is wrong because GuardDuty does not require VPC Flow Logs to be enabled.

Option A is wrong because the service-linked role is created automatically when GuardDuty is enabled. Option B is wrong because CloudTrail is not required for GuardDuty to send findings.

100
MCQ · medium

A security engineer is reviewing AWS CloudTrail logs and finds that an IAM user 'developer1' deleted an S3 bucket. The engineer needs to determine the source IP address of the delete operation. Which field in the CloudTrail log record contains this information?

A.userIdentity
B.requestParameters
C.eventTime
D.sourceIPAddress
Answer: D

sourceIPAddress contains the IP address from which the call was made.

Why this answer

Option D is correct because the 'sourceIPAddress' field in CloudTrail logs contains the IP address from which the API call was made. Option A is wrong because 'userIdentity' contains details about the IAM user or role, not the IP address. Option C is wrong because 'eventTime' is the timestamp of the event.

Option B is wrong because 'requestParameters' contains the parameters of the request, not the IP address.
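Questions 79, 81, 97 and 100 all come down to reading specific CloudTrail record fields: the ingress rule in requestParameters, the mfaAuthenticated attribute under userIdentity.sessionContext, the CreateAccessKey event name, and sourceIPAddress/userAgent. The triage script below is an added example, not part of the question bank; the log records are constructed samples laid out like CloudTrail's JSON record format, and the finding names are this example's own.

```python
"""Triage CloudTrail records for the situations described in questions 79, 81, 97 and 100."""
import json
from typing import Any

# Constructed sample log file (not real data). Field layout follows the CloudTrail
# record format: EC2 request parameters use the nested "items" lists CloudTrail emits.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2023-01-15T10:30:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "sourceIPAddress": "203.0.113.5",
        "userAgent": "aws-cli/2.11.0 Python/3.11.2",
        "userIdentity": {"type": "IAMUser", "userName": "developer1"},
        "requestParameters": {"bucketName": "example-audit-logs"},
    },
    {
        "eventTime": "2023-01-15T10:31:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.5",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {
        "eventTime": "2023-01-15T10:32:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.11.0",
        "userIdentity": {"type": "IAMUser", "userName": "admin"},
        "requestParameters": {"userName": "svc-batch"},
    },
]})


def sample_records() -> list[dict[str, Any]]:
    """The constructed records above, parsed as a CloudTrail log file would be."""
    return json.loads(SAMPLE_LOG)["Records"]


def request_origin(record: dict[str, Any]) -> tuple[str, str]:
    """Where the call came from: the sourceIPAddress and userAgent fields (Q97, Q100)."""
    return record.get("sourceIPAddress", ""), record.get("userAgent", "")


def mfa_authenticated(record: dict[str, Any]) -> bool:
    """MFA status lives under userIdentity.sessionContext.attributes as the string "true"/"false"."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def world_open_ports(record: dict[str, Any]) -> list[int]:
    """Ports an AuthorizeSecurityGroupIngress call opened to 0.0.0.0/0 or ::/0 (Q79)."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    ports: set[int] = set()
    for perm in record.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            ports.update(range(int(perm.get("fromPort", 0)), int(perm.get("toPort", 0)) + 1))
    return sorted(ports)


def triage(log_text: str) -> list[dict[str, str]]:
    """Walk a CloudTrail log file and emit one finding per condition of interest, in record order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ip, agent = request_origin(rec)
        base = {"time": rec["eventTime"], "ip": ip, "agent": agent}
        if rec["eventName"] == "DeleteBucket":
            findings.append({**base, "finding": "bucket-deleted",
                             "detail": rec["requestParameters"]["bucketName"]})
        if 22 in world_open_ports(rec):
            findings.append({**base, "finding": "ssh-open-to-internet",
                             "detail": rec["requestParameters"]["groupId"]})
        if rec["userIdentity"].get("type") == "AssumedRole" and not mfa_authenticated(rec):
            findings.append({**base, "finding": "assumed-role-without-mfa",
                             "detail": rec["userIdentity"]["arn"]})
        if rec["eventName"] == "CreateAccessKey":  # the Q81 alerting condition
            findings.append({**base, "finding": "access-key-created",
                             "detail": rec["requestParameters"]["userName"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In production the same checks would run on records delivered through the EventBridge or CloudWatch Logs paths the questions describe rather than on a file read from disk.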

101
MCQ · medium

A security engineer needs to monitor for unusual outbound network traffic from an EC2 instance. Which AWS service provides this capability?

A.Amazon CloudWatch Logs agent
B.VPC Flow Logs
C.Amazon Inspector
D.AWS Config
Answer: B

VPC Flow Logs capture network traffic metadata.

Why this answer

Option B is correct because VPC Flow Logs capture network traffic metadata, including source and destination IPs, ports, and protocols. Option A is wrong because the CloudWatch Logs agent collects logs, not network flows. Option D is wrong because AWS Config records configuration changes.

Option C is wrong because Amazon Inspector is for vulnerability assessments.

102
Multi-Select · medium

A company is implementing a security monitoring solution for its AWS environment. Which TWO services can be used to detect and alert on suspicious API activity? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Inspector
D.AWS Config
E.VPC Flow Logs
Answers: A, B

GuardDuty analyzes CloudTrail events and other data sources to detect suspicious API activity.

Why this answer

Options A and B are correct. CloudTrail logs API activity and can trigger CloudWatch Alarms. GuardDuty uses machine learning to detect suspicious API calls.

Option E is wrong because VPC Flow Logs capture network traffic. Option D is wrong because AWS Config evaluates resource configurations. Option C is wrong because Inspector scans for vulnerabilities, not API activity.

103
MCQ · hard

A security engineer needs to ensure that all objects uploaded to an S3 bucket are automatically scanned for malware before being made accessible to users. Which solution is MOST appropriate?

A.Enable VPC Flow Logs to capture all access to the bucket.
B.Enable S3 Object Lock on the bucket.
C.Configure Amazon CloudWatch Logs to monitor S3 access logs.
D.Use S3 event notifications to invoke an AWS Lambda function that runs a malware scanning solution.
Answer: D

Lambda can process each object as it is uploaded.

Why this answer

Option D is correct because S3 event notifications can trigger a Lambda function that runs a third-party malware scanner. Option B is wrong because S3 Object Lock is for write-once-read-many retention, not scanning. Option A is wrong because VPC Flow Logs are network logs.

Option C is wrong because CloudWatch Logs is for log storage, not scanning.

104
MCQ · medium

A company uses AWS Organizations and wants to enable Amazon GuardDuty across all member accounts. The security team wants to centrally manage findings and automate responses. What is the MOST efficient way to achieve this?

A.Designate a Delegated Administrator account for GuardDuty in AWS Organizations and enable GuardDuty for all accounts from that account.
B.Use AWS CloudFormation StackSets to deploy a GuardDuty detector in each account.
C.Enable AWS Security Hub in the management account and configure it to ingest GuardDuty findings from member accounts.
D.Enable GuardDuty in each member account individually and configure cross-account access to a central S3 bucket.
Answer: A

This allows centralized management and automatic enablement of new accounts.

Why this answer

Option A is correct because GuardDuty supports multi-account management through a Delegated Administrator, which can enable GuardDuty in all accounts and aggregate findings. Option D is wrong because it requires manual steps in every account. Option C is wrong because Security Hub aggregates findings but does not enable GuardDuty.

Option B is wrong because CloudFormation StackSets can deploy detectors but are less efficient than the Delegated Administrator for enabling a service across many accounts.

105
MCQ · easy

A security engineer needs to monitor for unauthorized changes to security group rules in an AWS account. Which AWS service can evaluate security group rules against a desired configuration and alert on changes?

A.AWS Security Hub
B.AWS Config
C.Amazon GuardDuty
D.AWS CloudTrail
Answer: B

Evaluates resources against desired configurations and alerts on changes.

Why this answer

AWS Config can monitor security group rules and trigger notifications when they change from the desired configuration. Option B is correct. Option D is wrong because CloudTrail logs API calls but does not evaluate configuration against a desired state.

Option C is wrong because GuardDuty is for threat detection, not configuration monitoring. Option A is wrong because Security Hub aggregates findings but does not directly monitor security groups.

106
MCQ · medium

A company has multiple AWS accounts and wants to centrally aggregate VPC Flow Logs from all accounts into a single S3 bucket in the logging account. What is the MOST secure way to configure cross-account delivery?

A.Use AWS CloudTrail to log flow logs and deliver to the central bucket.
B.Create VPC Flow Logs in each account, specifying the central S3 bucket ARN as the destination, and configure the bucket policy to allow the flow logs service principal to write.
C.Share the central bucket's access key with each account to write directly.
D.Use Amazon Kinesis Data Firehose to stream flow logs from each account to the central S3 bucket.
Answer: B

This is the standard cross-account flow log delivery method.

Why this answer

Option B is correct because VPC Flow Logs can be published to a central S3 bucket by specifying the bucket ARN when the flow log is created, and the bucket policy must grant the flow logs service principal (delivery.logs.amazonaws.com) permission to write objects. Option A is wrong because CloudTrail is for API logging, not VPC Flow Logs. Option D is wrong because Kinesis Data Firehose is not directly supported for VPC Flow Logs delivery.

Option C is wrong because sharing the bucket access key is insecure.

107
MCQhard

A company has a multi-account AWS environment with 50 accounts. The security team uses AWS CloudTrail to log management events in each account and delivers logs to a centralized S3 bucket in the security account. Recently, the team noticed that some CloudTrail logs are missing from the central bucket for a few accounts. The logs appear to be delivered intermittently. The security engineer checks the CloudTrail configuration in one of the affected accounts and sees that the trail is configured to deliver to the central bucket. The bucket policy in the security account allows CloudTrail to write from all accounts. The engineer also checks the CloudTrail console and sees that the trail status is 'Logging'. What is the MOST likely cause of the intermittent log delivery?

A.The S3 bucket has default encryption enabled, which interferes with CloudTrail writes.
B.The S3 bucket has a Lifecycle policy that deletes objects prematurely.
C.The CloudTrail trail is using Kinesis Data Firehose for delivery, which has a throughput limit.
D.The CloudTrail trail in each account is not associated with an SQS queue, causing delivery failures.
AnswerD

Cross-account delivery requires an SQS queue to buffer logs.

Why this answer

Option D is correct. CloudTrail uses SQS to deliver logs from multiple accounts to a central bucket. If the SQS queue is not configured properly or is throttled, logs may be lost.

Option C is wrong because CloudTrail does not use Kinesis. Option B is wrong because S3 Lifecycle policies do not affect delivery. Option A is wrong because the issue is not about encryption.

108
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team has enabled AWS CloudTrail with an organization trail that delivers logs to a centralized S3 bucket in the management account. They have also enabled Amazon GuardDuty in all accounts. Recently, they noticed that some EC2 instances in a member account are exhibiting unusual network behavior, such as outbound traffic to known malicious IP addresses. The security engineer needs to quickly determine the source of the traffic and identify which EC2 instances are affected. The engineer has access to the management account and the member account. Which course of action should the engineer take to most efficiently investigate this incident?

A.Use AWS Config to review the configuration changes of the EC2 instances and identify any anomalies.
B.Use Amazon Detective to investigate the GuardDuty findings and analyze VPC Flow Logs to identify the affected instances.
C.Use Amazon Inspector to scan the EC2 instances for vulnerabilities and correlate with network traffic.
D.Query the VPC Flow Logs stored in the centralized S3 bucket using Amazon Athena to find the source IP and affected instances.
AnswerB

Detective provides a consolidated investigation experience across logs and findings.

Why this answer

Option B is correct because Amazon Detective can automatically analyze VPC Flow Logs, CloudTrail logs, and GuardDuty findings to provide a visual investigation of the incident, including identifying the affected EC2 instances and the source of the traffic. Option D is wrong because manually querying VPC Flow Logs with Athena is time-consuming and less efficient. Option A is wrong because AWS Config does not provide network traffic analysis.

Option C is wrong because Amazon Inspector is for vulnerability assessment, not network traffic analysis.

109
MCQeasy

A company is required to audit all changes to IAM policies. Which AWS service should be used to record these changes?

A.AWS Config
B.Amazon CloudWatch Logs
C.Amazon S3
D.AWS CloudTrail
E.IAM Access Analyzer
AnswerD

CloudTrail records management events including IAM policy changes.

Why this answer

AWS CloudTrail is the correct service because it records API activity in your AWS account, including all IAM policy changes made via the AWS Management Console, SDKs, CLI, or AWS services. Each event is captured as a CloudTrail event with details such as the identity making the request, the time of the request, and the request parameters, enabling a complete audit trail of IAM policy modifications.

Exam trap

The trap here is that candidates often confuse AWS Config's ability to track configuration changes with CloudTrail's ability to record API-level audit trails, but Config only shows the state of resources over time without the identity and context of who made the change.

How to eliminate wrong answers

Option A is wrong because AWS Config is a configuration management service that evaluates resource configurations against desired policies and records configuration changes, but it does not capture the API-level audit trail of who made the change and when. Option B is wrong because Amazon CloudWatch Logs is used for monitoring, storing, and accessing log files from various sources, but it does not natively record IAM policy changes unless CloudTrail logs are sent to it. Option C is wrong because Amazon S3 is an object storage service that can store CloudTrail log files, but it does not itself record or generate audit logs of IAM policy changes.

Option E is wrong because IAM Access Analyzer helps identify resources shared with external entities by analyzing resource-based policies, but it does not record a history of policy changes.

110
MCQhard

A security engineer is configuring Amazon Inspector to assess EC2 instances for software vulnerabilities. The engineer has installed the SSM Agent on all instances and ensured that the instances have internet access. However, Amazon Inspector shows the instances as 'Unmanaged'. What is the MOST likely cause?

A.The IAM role attached to the EC2 instance does not have permissions to publish metrics to CloudWatch.
B.The security group attached to the instance blocks outbound traffic to the Amazon Inspector service.
C.The instance does not have the EC2 instance metadata service enabled.
D.The SSM Agent is not running or is not registered with AWS Systems Manager.
AnswerD

Inspector relies on SSM Agent for inventory and assessment; an unregistered agent results in 'Unmanaged' status.

Why this answer

Option D is correct because Amazon Inspector requires the SSM Agent to communicate with the SSM service; if the agent is not running or not registered, the instance cannot be managed. Option A is wrong because IAM permissions for the agent are not the issue; the agent communicates via SSM. Option B is wrong because security groups control network traffic but not agent registration.

Option C is wrong because the instance metadata service is not required for Inspector.

111
MCQhard

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. They have enabled CloudTrail in the management account with an organization trail that delivers logs to an S3 bucket. However, logs from member accounts are not appearing. The S3 bucket policy includes permissions for CloudTrail to write logs, but it does not explicitly grant access to member accounts. What should the team do to ensure that member account CloudTrail logs are delivered to the central S3 bucket?

A.Ask each member account to create a new trail that delivers logs to the same S3 bucket.
B.Disable the organization trail and recreate it, ensuring that all member accounts are selected.
C.Verify that the organization trail is configured correctly with the 'Include all accounts in my organization' option enabled, and that the S3 bucket policy allows CloudTrail to write from all accounts.
D.Modify the S3 bucket policy to grant write access to the CloudTrail service principal for each member account's AWS account ID.
AnswerC

An organization trail requires proper configuration and bucket policy to allow access from member account CloudTrail services.

Why this answer

The correct answer is C. An organization trail automatically delivers logs from all accounts without needing separate trails in each account. If logs are not appearing, the issue is likely that the organization trail is not properly configured or member accounts are not enabled.

Option A is incorrect because member trails cannot write to a bucket in another account without proper cross-account permissions, and this approach is not recommended. Option B is incorrect because disabling and re-enabling might not fix the underlying issue. Option D is incorrect because the bucket policy must allow CloudTrail from all accounts, but the primary cause is often the organization trail setup.

112
MCQmedium

A security engineer is investigating a potential data exfiltration incident. The engineer needs to determine whether an IAM user in account A accessed an S3 bucket in account B. The engineer has access to both accounts. Which combination of steps should the engineer take to identify the cross-account access?

A.Enable S3 server access logging on the bucket in account B and check the logs.
B.Enable CloudTrail in account B and check the S3 event history for the bucket.
C.Enable CloudTrail in account A and check the S3 event history.
D.Enable CloudWatch Logs in account A and check the S3 access logs.
AnswerB

CloudTrail in the bucket owner account records all S3 API calls, including cross-account access, with the full IAM user ARN.

Why this answer

Option B is correct because CloudTrail logs in the bucket owner account (account B) will record cross-account access with the user ARN. Option C is wrong because the accessing account's CloudTrail does not record cross-account S3 operations. Option A is wrong because S3 server access logs do not include IAM user details.

Option D is wrong because CloudWatch Logs does not store S3 access logs by default.

113
Multi-Selectmedium

Which TWO of the following are valid sources for Amazon CloudWatch Logs? (Select TWO.)

Select 2 answers
A.Amazon RDS for MySQL logs
B.VPC Flow Logs delivered to S3
C.Amazon S3 access logs
D.On-premises servers via the CloudWatch agent
E.AWS CloudTrail log file delivery
AnswersD, E

The CloudWatch agent can send logs from on-premises to CloudWatch Logs.

Why this answer

On-premises servers can send logs to Amazon CloudWatch Logs by installing and configuring the CloudWatch agent. The agent collects system and application logs from the server and forwards them to CloudWatch Logs for centralized monitoring, alerting, and storage. This is a valid and common hybrid monitoring pattern.

Exam trap

The trap here is that candidates often assume all AWS service logs (like RDS logs, S3 access logs, or VPC Flow Logs) are automatically sent to CloudWatch Logs, when in fact many require explicit configuration or are delivered to S3 by default, requiring additional steps to ingest into CloudWatch Logs.

114
MCQmedium

A security engineer is investigating a potential security incident involving an EC2 instance. The engineer needs to capture network traffic to and from the instance for analysis. Which method should be used to capture this traffic without installing any software on the instance?

A.Enable VPC Flow Logs for the subnet.
B.Configure AWS Network Firewall in the VPC.
C.Install the Amazon CloudWatch agent on the instance.
D.Use VPC Traffic Mirroring.
AnswerD

Captures full network packets without installing software.

Why this answer

VPC Traffic Mirroring allows capturing network traffic from an EC2 instance without installing agents. Option D is correct. Option C is wrong because the agent must be installed on the instance.

Option A is wrong because VPC Flow Logs only capture metadata, not the full packet payload. Option B is wrong because AWS Network Firewall does not capture traffic; it filters it.

115
MCQmedium

A company has enabled AWS Config to record resource changes. The security team needs to be notified when a security group is modified to allow inbound SSH from 0.0.0.0/0. Which AWS service should be used to evaluate the Config rules and trigger notifications?

A.AWS Lambda
B.AWS Security Hub
C.Amazon GuardDuty
D.AWS CloudTrail
E.AWS Config with a custom rule that triggers an SNS notification
AnswerE

AWS Config rules evaluate configurations and can invoke SNS.

Why this answer

Option E is correct because AWS Config rules evaluate resource configurations and can trigger SNS notifications. Option D is wrong because CloudTrail logs API calls but does not evaluate rules. Option A is wrong because Lambda can be used as a remediation action but not as the trigger itself.

Option C is wrong because GuardDuty is for threat detection. Option B is wrong because Security Hub centralizes findings but does not directly evaluate Config rules.

116
MCQmedium

A security engineer is troubleshooting an issue where Amazon GuardDuty is not generating findings for a specific EC2 instance that is known to be compromised. The instance is in a VPC with VPC Flow Logs enabled. What could be the reason for the lack of findings?

A.CloudTrail is not enabled in the account.
B.AWS Config is not enabled for the EC2 instance.
C.VPC Flow Logs are only enabled for the subnet, not the instance's ENI.
D.VPC Flow Logs are not being delivered to CloudWatch Logs.
AnswerD

GuardDuty analyzes VPC Flow Logs data from CloudWatch Logs; without delivery, it cannot generate findings.

Why this answer

Option D is correct because GuardDuty requires VPC Flow Logs to be enabled and delivered to CloudWatch Logs to analyze network traffic. Option A is wrong because CloudTrail logs management events, not network traffic. Option C is wrong because subnet-only flow logs are not a distinct concept; flow logs are at the VPC, subnet, or ENI level.

Option B is wrong because GuardDuty does not require AWS Config to be enabled.

117
MCQmedium

Refer to the exhibit. An IAM policy is attached to an IAM user. The user reports that they can upload objects to the S3 bucket but cannot list the contents of the bucket. Which statement explains this behavior?

A.The policy does not include the s3:ListBucket action.
B.The policy includes s3:ListBucket but is missing the bucket ARN.
C.The policy denies the s3:ListBucket action.
D.The policy explicitly denies s3:ListBucket.
AnswerA

The policy only allows PutObject and GetObject, not ListBucket.

Why this answer

Option A is correct because the policy only grants the s3:PutObject and s3:GetObject actions and does not grant s3:ListBucket. The ListBucket action is required to list objects in the bucket. Option C is wrong because the policy allows PutObject and GetObject; it contains no Deny.

Option B is wrong because the policy does not include s3:ListBucket at all. Option D is wrong because the policy does not explicitly deny ListBucket; it simply does not allow it.

118
MCQmedium

A company uses Amazon GuardDuty for threat detection. The security team wants to automatically isolate an EC2 instance that is communicating with a known malicious IP address. Which combination of services should be used?

A.GuardDuty -> AWS Config -> Lambda -> modify security group
B.GuardDuty -> CloudWatch Alarm -> Lambda -> modify security group
C.GuardDuty -> EventBridge -> Lambda -> modify security group
D.GuardDuty -> AWS Shield -> modify security group
E.GuardDuty -> AWS Systems Manager -> modify security group
AnswerC

EventBridge can receive GuardDuty findings and trigger Lambda.

Why this answer

Option C is correct because GuardDuty findings can be sent to EventBridge, which triggers a Lambda function to modify the security group. Option B is wrong because CloudWatch Alarms do not directly process GuardDuty findings. Option A is wrong because AWS Config is for configuration management.

Option E is wrong because Systems Manager is for patch management. Option D is wrong because AWS Shield is for DDoS protection.
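The Lambda step of the GuardDuty -> EventBridge -> Lambda -> security group chain, as an added example (not code from the page or from AWS). It assumes an EventBridge rule, not shown, that forwards events with source `aws.guardduty` and detail-type `GuardDuty Finding`, and a pre-created quarantine security group with no rules; the group ID, instance ID and sample finding are placeholders.

```python
"""Isolate an EC2 instance named in a GuardDuty finding by swapping its ENIs
onto a quarantine security group. Added example; QUARANTINE_SG_ID, the
instance/ENI IDs and SAMPLE_EVENT are constructed placeholders."""
import os

QUARANTINE_SG = os.environ.get('QUARANTINE_SG_ID', 'sg-0123456789abcdef0')  # placeholder id

# Finding families whose EC2 resource is itself talking to known-bad hosts.
ACTIONABLE_PREFIXES = ('Backdoor:EC2/', 'CryptoCurrency:EC2/',
                       'Trojan:EC2/', 'UnauthorizedAccess:EC2/')
MIN_SEVERITY = 4.0  # GuardDuty "Medium" starts at 4


def extract_target(event):
    """Return instance ID, ENI IDs and previous groups for an EC2 finding that
    should be isolated, or None for anything else (other event sources,
    S3/IAM findings, low severity, non-network finding types)."""
    if event.get('source') != 'aws.guardduty' or event.get('detail-type') != 'GuardDuty Finding':
        return None
    detail = event.get('detail', {})
    resource = detail.get('resource', {})
    if resource.get('resourceType') != 'Instance':
        return None
    finding_type = detail.get('type', '')
    if not finding_type.startswith(ACTIONABLE_PREFIXES):
        return None
    if float(detail.get('severity', 0)) < MIN_SEVERITY:
        return None
    inst = resource['instanceDetails']
    enis = inst.get('networkInterfaces', [])
    return {
        'instance_id': inst['instanceId'],
        'eni_ids': [n['networkInterfaceId'] for n in enis],
        # Keep the original groups in the return value so they can be restored later.
        'previous_groups': {n['networkInterfaceId']: [g['groupId'] for g in n.get('securityGroups', [])]
                            for n in enis},
        'finding_type': finding_type,
    }


def quarantine(target, ec2, quarantine_sg=QUARANTINE_SG):
    """Replace (not append to) the security groups on each ENI with the
    quarantine group. `ec2` is a boto3 EC2 client or any object exposing
    modify_network_interface_attribute with the same keyword arguments."""
    for eni in target['eni_ids']:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
    return list(target['eni_ids'])


def lambda_handler(event, context):
    """Entry point wired as the EventBridge rule's target."""
    import boto3  # imported here so the module itself runs offline without boto3
    target = extract_target(event)
    if target is None:
        return {'isolated': False}
    return {'isolated': True, 'instance_id': target['instance_id'],
            'enis': quarantine(target, boto3.client('ec2'))}


class RecordingEC2:
    """Offline stand-in for the boto3 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {}


# Constructed finding in the shape EventBridge delivers (trimmed to the fields used).
SAMPLE_EVENT = {
    'source': 'aws.guardduty',
    'detail-type': 'GuardDuty Finding',
    'detail': {
        'type': 'UnauthorizedAccess:EC2/MaliciousIPCaller.Custom',
        'severity': 5,
        'resource': {
            'resourceType': 'Instance',
            'instanceDetails': {
                'instanceId': 'i-0abc123def456789a',  # placeholder
                'networkInterfaces': [{
                    'networkInterfaceId': 'eni-0aaa111bbb222ccc3',  # placeholder
                    'securityGroups': [{'groupId': 'sg-0web000000000000a', 'groupName': 'web'}],
                }],
            },
        },
    },
}
```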

119
Multi-Selectmedium

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet the following requirements: 1) Logs from all accounts must be stored in a centralized S3 bucket. 2) The logs must be encrypted at rest using AWS KMS. 3) Access to the logs must be logged and monitored. Which TWO services should be used to meet the requirements? (Choose TWO.)

Select 2 answers
A.Amazon GuardDuty
B.AWS CloudTrail
C.Amazon Macie
D.S3 server access logs
E.AWS Config
AnswersB, D

CloudTrail can deliver logs from multiple accounts to a centralized S3 bucket.

Why this answer

Option B is correct because AWS CloudTrail can be configured to deliver logs from multiple accounts to a centralized S3 bucket. Option D is correct because S3 server access logs record requests made to the bucket, providing access logging. Option C is wrong because Amazon Macie is for sensitive data discovery, not centralizing logs.

Option E is wrong because AWS Config tracks resource configurations, not log delivery. Option A is wrong because Amazon GuardDuty provides threat detection, not centralized logging.

120
MCQeasy

A security analyst wants to receive a notification whenever a new security group is created in their AWS account. Which AWS service should they use to trigger an SNS notification based on the CloudTrail event?

A.Amazon GuardDuty
B.AWS Config
C.Amazon EventBridge (CloudWatch Events)
D.AWS Lambda
AnswerC

EventBridge can filter CloudTrail events and invoke SNS topics.

Why this answer

Amazon EventBridge (formerly CloudWatch Events) can match events from CloudTrail (e.g., CreateSecurityGroup) and route them to targets like SNS.

121
MCQeasy

Refer to the exhibit. A security engineer creates this CloudWatch Logs metric filter on a CloudTrail log group to detect root account usage. However, no metrics are generated. What is the most likely issue?

A.The log group does not exist
B.CloudTrail is not enabled for the account
C.The metric namespace is invalid
D.The metric filter pattern is incorrectly formatted
AnswerD

The pattern should not contain backslashes and must use properly matched parentheses.

Why this answer

The filter pattern syntax is incorrect. CloudWatch Logs filter patterns for JSON use a different syntax, e.g., { ($.userIdentity.type = "Root") }. The backslashes are not needed.

122
MCQeasy

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as IAM user creation or S3 bucket policy changes. Which AWS service should be used to trigger notifications based on these API events?

A.Amazon CloudWatch Events (Amazon EventBridge)
B.Amazon GuardDuty
C.Amazon Simple Notification Service (SNS)
D.AWS Config
AnswerA

EventBridge can filter CloudTrail events and trigger actions.

Why this answer

Option A is correct because Amazon CloudWatch Events (now Amazon EventBridge) can match CloudTrail API events and trigger notifications via SNS or Lambda. Option C is wrong because Amazon SNS is a notification service but cannot directly filter API events. Option D is wrong because AWS Config evaluates resource configurations, not API calls.

Option B is wrong because Amazon GuardDuty detects threats but does not provide custom event filtering for API calls.

123
Multi-Selectmedium

A company wants to monitor for suspicious IAM activity, such as a user creating access keys without authorization. Which THREE AWS services can be used together to detect and alert on this activity in real-time? (Choose THREE.)

Select 3 answers
A.Amazon CloudWatch Logs
B.Amazon Inspector
C.AWS CloudTrail
D.AWS Trusted Advisor
E.Amazon Simple Notification Service (SNS)
AnswersA, C, E

CloudWatch Logs can filter CloudTrail events and trigger alarms.

Why this answer

Options A, C, and E are correct. AWS CloudTrail logs the API call (CreateAccessKey). Amazon CloudWatch Logs can receive CloudTrail logs, and a metric filter can detect the specific event.

An alarm can then trigger an SNS notification. Option B is wrong because Amazon Inspector is for vulnerability assessment. Option D is wrong because AWS Trusted Advisor provides recommendations, not real-time alerting.

124
MCQeasy

A company wants to detect and alert on changes to IAM roles and policies in their AWS account. Which combination of AWS services should they use?

A.Amazon GuardDuty and AWS Shield
B.Amazon CloudWatch Logs and AWS Lambda
C.AWS CloudTrail and Amazon EventBridge (CloudWatch Events)
D.AWS Config and Amazon Inspector
AnswerC

CloudTrail records IAM API calls, and EventBridge can create rules to match specific events and send alerts via SNS.

Why this answer

CloudTrail logs all IAM API calls, and CloudWatch Events (now Amazon EventBridge) can filter for specific events (e.g., PutRolePolicy) and trigger an SNS notification or Lambda function.

125
MCQmedium

Refer to the exhibit. A security engineer created this S3 bucket policy to allow CloudTrail to deliver logs. However, log delivery is failing. What is the most likely cause?

A.The bucket is not in the same region as the trail
B.The bucket policy does not specify a condition
C.The bucket is encrypted with SSE-KMS
D.The bucket policy does not allow s3:GetBucketAcl
AnswerD

CloudTrail needs GetBucketAcl to verify bucket ownership.

Why this answer

CloudTrail requires s3:GetBucketAcl to verify bucket ownership, so the bucket policy must grant that action as well as s3:PutObject. None of the other options describes a missing requirement.

126
MCQmedium

A security engineer is configuring VPC Flow Logs for a VPC that hosts a web application. The engineer wants to capture all traffic to and from the internet. Which of the following is the most appropriate configuration?

A.Configure Flow Logs at the VPC level and publish to CloudWatch Logs with a log group name.
B.Configure Flow Logs at the subnet level and set the traffic type to 'Reject'.
C.Configure Flow Logs at the VPC level and set the traffic type to 'All'.
D.Configure Flow Logs at the subnet level and set the traffic type to 'Accepted'.
AnswerA

VPC-level Flow Logs capture all traffic, and CloudWatch Logs is a valid destination.

Why this answer

Option C is correct because VPC Flow Logs can capture all traffic types, including accepted and rejected traffic. Option A is incorrect because Flow Logs can capture both accepted and rejected traffic. Option B is incorrect because Flow Logs can be published to CloudWatch Logs or S3.

Option D is incorrect because Flow Logs are not real-time; they are published periodically.

127
Multi-Selectmedium

Which TWO AWS services can be used to centrally collect and analyze logs from multiple AWS accounts? (Choose two.)

Select 2 answers
A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.Amazon Kinesis Data Firehose
D.Amazon Athena
E.Amazon S3
AnswersA, E

CloudWatch Logs can aggregate logs via cross-account subscriptions.

Why this answer

Option E is correct because Amazon S3 can serve as a central log repository. Option A is correct because Amazon CloudWatch Logs can aggregate logs from multiple accounts using cross-account subscriptions. Option D is wrong because Amazon Athena is a query service, not a collector.

Option B is wrong because AWS CloudTrail is a log generator, not a central collector. Option C is wrong because Amazon Kinesis Data Firehose is a delivery service, not a storage/analysis service.

128
MCQmedium

A company is using AWS Organizations with multiple accounts. The security team needs to centrally monitor all root user API activity across all accounts and receive alerts within minutes. What is the MOST efficient solution?

A.Create an organization trail in CloudTrail that logs all accounts. Use CloudWatch Logs metric filters and alarms to detect root login events.
B.Enable CloudTrail in each account and aggregate logs to a centralized S3 bucket. Use Athena queries to detect root activity and send alerts via SNS.
C.Use AWS Lambda functions in each account to poll CloudTrail logs and send root activity to a central SQS queue.
D.Enable AWS Config rules in each account to detect root user activity and send notifications to a central SNS topic.
AnswerA

An organization trail logs all accounts centrally. CloudWatch Logs metric filters can detect root activity and trigger alarms in near real-time.

Why this answer

Option A is correct because an organization trail in AWS CloudTrail logs API activity for all accounts in AWS Organizations from a single point, eliminating the need to manage per-account trails. By sending these logs to CloudWatch Logs, you can create metric filters to detect root user login events (e.g., the 'RootLogin' event) and configure CloudWatch Alarms to trigger SNS notifications within minutes, meeting the requirement for centralized monitoring and rapid alerts.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing per-account setups (B, C, D) instead of leveraging the native AWS Organizations integration with CloudTrail, which provides a single, centralized trail for all accounts.

How to eliminate wrong answers

Option B is wrong because while aggregating logs to a centralized S3 bucket is possible, using Athena queries to detect root activity is not efficient for real-time alerts within minutes; Athena is designed for ad-hoc querying of historical data, not for streaming or low-latency alerting. Option C is wrong because using Lambda functions in each account to poll CloudTrail logs introduces unnecessary complexity, latency, and cost; CloudTrail can deliver logs directly to CloudWatch Logs without polling, and a centralized solution is more efficient. Option D is wrong because AWS Config rules are designed for evaluating resource configurations against desired policies, not for monitoring API activity like root user logins; Config does not natively capture CloudTrail events and cannot provide real-time alerts for root API activity.

129
MCQhard

A company uses AWS CloudTrail to log all management events and data events for S3. The security team wants to detect any PutObject API calls that upload objects with server-side encryption disabled. Which solution is MOST efficient?

A.Use Amazon GuardDuty to detect unencrypted uploads.
B.Use Amazon Macie to scan S3 objects for missing encryption.
C.Enable S3 server access logs and parse them with Amazon Athena.
D.Enable CloudTrail data events for S3 and create a CloudWatch metric filter to alert on PutObject calls without the x-amz-server-side-encryption header.
AnswerD

CloudTrail logs the encryption header, and CloudWatch alarms can alert.

Why this answer

Option D is correct because CloudTrail data events log S3 PutObject calls, and a CloudWatch Logs metric filter can parse the requestParameters for the x-amz-server-side-encryption header to detect missing encryption. Option C is wrong because S3 server access logs are text-based and not as easy to filter. Option A is wrong because GuardDuty does not check encryption headers.

Option B is wrong because Macie detects sensitive data, not encryption status.

130
MCQeasy

A company needs to monitor for unauthorized S3 bucket deletions. Which CloudWatch Logs metric filter should be used on CloudTrail logs?

A.eventName = GetBucketAcl
B.eventName = DeleteBucket
C.eventName = PutBucketPolicy
D.eventName = ListBuckets
AnswerB

DeleteBucket is the API call for deleting a bucket.

Why this answer

Option B is correct because the CloudTrail event `DeleteBucket` is logged when an S3 bucket is deleted. By creating a CloudWatch Logs metric filter that matches `eventName = DeleteBucket` on the CloudTrail log group, you can trigger an alarm or automated response to detect unauthorized bucket deletions. This directly addresses the monitoring requirement.

Exam trap

The trap here is that candidates may confuse read-only or policy-modifying events (like `GetBucketAcl`, `PutBucketPolicy`, or `ListBuckets`) with the actual deletion event, failing to recognize that only `DeleteBucket` directly corresponds to bucket removal.

How to eliminate wrong answers

Option A is wrong because `GetBucketAcl` retrieves the bucket's access control list, not a deletion event, so it would not detect bucket deletions. Option C is wrong because `PutBucketPolicy` modifies the bucket policy, which could lead to unauthorized access but is not a deletion action. Option D is wrong because `ListBuckets` enumerates all buckets in the account and is a read-only operation, not a deletion.
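An offline evaluator for the subset of CloudWatch Logs JSON filter-pattern syntax used in the root-usage (Q121), CreateAccessKey (Q123), unencrypted PutObject (Q129) and DeleteBucket (Q130) items, as an added example that is not code from the page or from AWS. It supports `$.path = value`, `!=`, `EXISTS` and `NOT EXISTS` joined by `&&` or `||` evaluated left to right (real CloudWatch differs in corners such as wildcards and precedence), and runs the patterns over constructed CloudTrail records.

```python
"""Sanity-check CloudWatch Logs JSON filter patterns against CloudTrail
records before creating the metric filter. Added example; the records and
bucket/user names are constructed."""
import re

# One term: ( $.a.b OP value ); the value is absent for EXISTS / NOT EXISTS.
_TERM = re.compile(r'\(\s*(\$\.[\w.\-]+)\s*(NOT EXISTS|EXISTS|!=|=)\s*("[^"]*"|[\w.\-]+)?\s*\)')
_CONNECTOR = re.compile(r'&&|\|\|')


def _lookup(record, path):
    """Resolve "$.userIdentity.type" in a nested dict -> (found, value)."""
    node = record
    for key in path[2:].split('.'):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def compile_pattern(pattern):
    """Tokenise '{ (term) && (term) }' into [term, '&&', term, ...].
    Anything outside the supported subset (for example the backslash-escaped
    quotes from the Q121 exhibit) raises ValueError, the offline stand-in for
    a filter that silently produces no metrics."""
    body = pattern.strip()
    if not (body.startswith('{') and body.endswith('}')):
        raise ValueError('JSON filter patterns must be wrapped in { }')
    body, pos, tokens = body[1:-1], 0, []
    while pos < len(body):
        if body[pos].isspace():
            pos += 1
            continue
        m = _TERM.match(body, pos) or _CONNECTOR.match(body, pos)
        if m is None:
            raise ValueError('unparseable filter pattern near: ' + body[pos:pos + 20])
        tokens.append(m.group(0) if m.re is _CONNECTOR else m.groups())
        pos = m.end()
    shape_ok = (len(tokens) % 2 == 1 and all(isinstance(t, tuple) for t in tokens[0::2])
                and all(isinstance(t, str) for t in tokens[1::2]))
    if not shape_ok:
        raise ValueError('pattern must be terms separated by && or ||')
    return tokens


def _eval_term(term, record):
    path, op, raw = term
    found, value = _lookup(record, path)
    if op == 'EXISTS':
        return found
    if op == 'NOT EXISTS':
        return not found
    if raw is None:
        raise ValueError(f'{op} needs a value: {path}')
    literal = raw[1:-1] if raw.startswith('"') else raw
    if not found:
        return False  # assumption: a missing field satisfies neither = nor !=
    return (str(value) == literal) == (op == '=')


def matches(pattern, record):
    tokens = compile_pattern(pattern)
    result = _eval_term(tokens[0], record)
    for connector, term in zip(tokens[1::2], tokens[2::2]):
        rhs = _eval_term(term, record)
        result = (result and rhs) if connector == '&&' else (result or rhs)
    return result


def scan(records, patterns):
    """Apply each named pattern to every record -> {name: [eventID, ...]}."""
    hits = {name: [] for name in patterns}
    for record in records:
        for name, pattern in patterns.items():
            if matches(pattern, record):
                hits[name].append(record['eventID'])
    return hits


# The filters these items describe, written in CloudWatch syntax.
PATTERNS = {
    'RootActivity': '{ ($.userIdentity.type = "Root") }',
    'BucketDeleted': '{ ($.eventSource = s3.amazonaws.com) && ($.eventName = DeleteBucket) }',
    'AccessKeyCreated': '{ ($.eventSource = iam.amazonaws.com) && ($.eventName = CreateAccessKey) }',
    'UnencryptedPutObject': '{ ($.eventName = PutObject) && '
                            '($.requestParameters.x-amz-server-side-encryption NOT EXISTS) }',
}

# Constructed CloudTrail records, trimmed to the fields the patterns read.
SAMPLE_RECORDS = [
    {'eventID': 'ev-1', 'eventSource': 'signin.amazonaws.com', 'eventName': 'ConsoleLogin',
     'userIdentity': {'type': 'Root', 'arn': 'arn:aws:iam::111122223333:root'}},
    {'eventID': 'ev-2', 'eventSource': 's3.amazonaws.com', 'eventName': 'DeleteBucket',
     'userIdentity': {'type': 'IAMUser', 'userName': 'alice'},
     'requestParameters': {'bucketName': 'example-audit-logs'}},
    {'eventID': 'ev-3', 'eventSource': 's3.amazonaws.com', 'eventName': 'PutObject',
     'userIdentity': {'type': 'AssumedRole'},
     'requestParameters': {'bucketName': 'example-data', 'key': 'report.csv',
                           'x-amz-server-side-encryption': 'aws:kms'}},
    {'eventID': 'ev-4', 'eventSource': 's3.amazonaws.com', 'eventName': 'PutObject',
     'userIdentity': {'type': 'AssumedRole'},
     'requestParameters': {'bucketName': 'example-data', 'key': 'dump.bin'}},
    {'eventID': 'ev-5', 'eventSource': 'iam.amazonaws.com', 'eventName': 'CreateAccessKey',
     'userIdentity': {'type': 'IAMUser', 'userName': 'bob'},
     'requestParameters': {'userName': 'svc-deploy'}},
]
```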

131
MCQeasy

A security engineer is configuring CloudTrail to log all management events across all regions. The engineer wants to ensure that log files are delivered to an S3 bucket owned by a separate AWS account for centralized auditing. Which additional configuration is required to allow the S3 bucket in the other account to receive these logs?

A.Create an S3 bucket policy on the source account's bucket to allow cross-account access.
B.Enable S3 server-side encryption with KMS on the destination bucket.
C.Create an IAM role in the source account and attach a trust policy for CloudTrail.
D.Add a bucket policy to the destination S3 bucket that allows CloudTrail to write objects.
AnswerD

Required for cross-account delivery.

Why this answer

Option D is correct because cross-account S3 delivery requires a bucket policy on the destination bucket that grants CloudTrail (the service principal) permission to write objects. Option A is wrong because the bucket policy goes on the destination bucket, not the source. Option B is wrong because KMS encryption is not required for cross-account delivery.

Option C is wrong because CloudTrail does not use IAM roles for cross-account delivery.
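A small offline linter for the two grants a CloudTrail delivery bucket policy needs, s3:GetBucketAcl on the bucket (the failure in Q125) and s3:PutObject under each writing account's AWSLogs/<account-id>/ prefix (the cross-account case in Q131), as an added example that is not code from the page or from AWS. Bucket name and account IDs are constructed placeholders, and the resource matching is a simplified IAM glob (`*` and `?` only).

```python
"""Report which CloudTrail delivery grants a bucket policy is missing.
Added example; GOOD_POLICY follows the documented CloudTrail bucket-policy
shape, BROKEN_POLICY reproduces the Q125 failure (no GetBucketAcl)."""
import fnmatch

CLOUDTRAIL = 'cloudtrail.amazonaws.com'


def required_grants(bucket, account_ids):
    """(action, resource) pairs CloudTrail needs before it will deliver. The
    PutObject resource is a representative object key under each account's
    prefix, so a broader policy pattern such as bucket/* still satisfies it."""
    grants = [('s3:GetBucketAcl', f'arn:aws:s3:::{bucket}')]
    for acct in account_ids:
        grants.append(('s3:PutObject',
                       f'arn:aws:s3:::{bucket}/AWSLogs/{acct}/CloudTrail/us-east-1/sample.json.gz'))
    return grants


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, action, resource):
    """True when an Allow statement names the CloudTrail service principal,
    covers the action and covers the resource (IAM-style * / ? globbing)."""
    if stmt.get('Effect') != 'Allow':
        return False
    principal = stmt.get('Principal', {})
    services = _as_list(principal.get('Service', [])) if isinstance(principal, dict) else []
    if CLOUDTRAIL not in services and principal != '*':
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get('Action', []))):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get('Resource', [])))


def missing_grants(policy, bucket, account_ids):
    """Return the required (action, resource) pairs that no statement grants."""
    statements = policy.get('Statement', [])
    return [g for g in required_grants(bucket, account_ids)
            if not any(_statement_allows(s, *g) for s in statements)]


# Constructed: a bucket in the security account receiving trails from two member accounts.
BUCKET = 'example-central-trail-logs'
MEMBER_ACCOUNTS = ['111122223333', '444455556666']

GOOD_POLICY = {
    'Version': '2012-10-17',
    'Statement': [
        {'Sid': 'AWSCloudTrailAclCheck', 'Effect': 'Allow',
         'Principal': {'Service': CLOUDTRAIL},
         'Action': 's3:GetBucketAcl',
         'Resource': f'arn:aws:s3:::{BUCKET}'},
        {'Sid': 'AWSCloudTrailWrite', 'Effect': 'Allow',
         'Principal': {'Service': CLOUDTRAIL},
         'Action': 's3:PutObject',
         'Resource': [f'arn:aws:s3:::{BUCKET}/AWSLogs/{a}/*' for a in MEMBER_ACCOUNTS],
         'Condition': {'StringEquals': {'s3:x-amz-acl': 'bucket-owner-full-control'}}},
    ],
}

# Only the write statement: log delivery fails because ownership cannot be verified.
BROKEN_POLICY = {'Version': '2012-10-17', 'Statement': [GOOD_POLICY['Statement'][1]]}
```

Running `missing_grants(GOOD_POLICY, BUCKET, ['999999999999'])` shows the Q131 case: a new member account's prefix must be added to the write statement before its trail can deliver.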

132
MCQhard

A company uses AWS CloudTrail to log all API activity and delivers logs to an S3 bucket with server-side encryption (SSE-S3). The security team needs to ensure that only authorized personnel can access the logs and that any unauthorized access attempts are logged and alerted. Additionally, the team wants to prevent the logs from being deleted for at least one year. Which combination of actions should be taken?

A.Enable S3 Object Lock with a retention period of one year; enable S3 server access logs; use a bucket policy with a condition that allows access only from authorized IAM roles or users.
B.Enable S3 default encryption (SSE-S3) on the bucket; enable S3 server access logs; attach an IAM policy that allows only authorized users to access the bucket.
C.Enable MFA Delete on the bucket; enable CloudTrail log file validation; use bucket ACLs to restrict access.
D.Enable S3 Inventory to track objects; enable CloudTrail to log S3 API calls; use a bucket policy with a deny effect for unauthorized users.
AnswerA

Object Lock prevents deletion; server access logs record all requests; bucket policy with conditions restricts access.

Why this answer

Option A is correct because enabling S3 Object Lock with a retention period prevents deletion, S3 server access logs record all requests, and bucket policies with conditions restrict access to authorized users. Option B is wrong because S3 default encryption (SSE-S3) does not prevent deletion; S3 server access logs record requests, not access attempts; and IAM policies alone are not sufficient to restrict access if bucket policies are permissive. Option C is wrong because MFA Delete prevents deletion but requires additional setup; CloudTrail logs already record API calls; and bucket ACLs are not recommended for access control.

Option D is wrong because S3 Inventory lists objects but does not prevent deletion; CloudWatch Logs can monitor, but S3 Object Lock is the more direct way to prevent deletion.

133
Multi-Selecteasy

A company wants to receive notifications when AWS CloudTrail logs are delivered to an S3 bucket. Which TWO AWS services can be used together to achieve this? (Choose TWO.)

Select 2 answers
A.Amazon S3 Event Notifications
B.AWS CloudTrail
C.AWS Lambda
D.Amazon Simple Queue Service (SQS)
E.Amazon Simple Notification Service (SNS)
AnswersA, E

S3 can send event notifications when objects are created.

Why this answer

S3 Event Notifications can be sent to SNS, which can then send notifications. SQS is for queueing, not direct notifications. CloudWatch Events (now Amazon EventBridge) can also trigger on S3 events.

CloudTrail does not send notifications directly.

134
MCQ (easy)

A security team needs to detect unauthorized attempts to access an S3 bucket that contains sensitive data. Which AWS service can automatically analyze S3 access logs and generate findings for suspicious activity?

A. Amazon Macie
B. Amazon GuardDuty
C. AWS Trusted Advisor
D. Amazon Detective
Answer: B

GuardDuty analyzes S3 data events for suspicious activity.

Why this answer

Option B is correct because Amazon GuardDuty can analyze S3 data events (via CloudTrail) and generate findings for suspicious access patterns. Option A is wrong because Amazon Macie is for discovering sensitive data, not analyzing access logs. Option C is wrong because AWS Trusted Advisor provides cost and performance recommendations.

Option D is wrong because Amazon Detective investigates security incidents but does not automatically analyze S3 access logs for suspicious activity.

135
MCQ (hard)

A security engineer is investigating a potential data exfiltration incident. They suspect that an EC2 instance was compromised and used to transfer large amounts of data from an S3 bucket to an external IP address. The engineer has enabled VPC Flow Logs for the subnet where the EC2 instance resides, but the logs are not capturing traffic to the external IP. What is the most likely reason?

A. The EC2 instance's security group is blocking the traffic.
B. VPC Flow Logs only capture rejected traffic.
C. VPC Flow Logs only capture traffic to and from other VPC resources.
D. The traffic is routed through a NAT gateway, and flow logs are not enabled on the NAT gateway's subnet.
Answer: D

Flow Logs need to be enabled on the subnet where the NAT gateway resides to capture its traffic.

Why this answer

Option D is correct because VPC Flow Logs do not capture traffic to external IPs that is routed through a NAT gateway if the flow log is configured only for the subnet where the EC2 instance is located; the NAT gateway's traffic is captured by flow logs on the subnet where the NAT gateway is. Option A is wrong because Flow Logs capture traffic even when security groups are present. Option B is wrong because Flow Logs can capture accepted traffic as well as rejected traffic.

Option C is wrong because Flow Logs capture all IP traffic, not just intra-VPC traffic.

136
MCQ (easy)

A security analyst wants to monitor unsuccessful login attempts to the AWS Management Console. Which AWS service and log combination should be used?

A. Amazon S3 server access logs.
B. VPC Flow Logs.
C. Amazon CloudWatch Logs.
D. AWS CloudTrail.
Answer: D

CloudTrail records API calls, including ConsoleLogin events.

Why this answer

AWS CloudTrail logs console sign-in events, including failed attempts. The ConsoleLogin event with a failure status is logged. Option A is wrong because S3 access logs track object-level access.

Option B is wrong because VPC Flow Logs track network traffic. Option C is wrong because CloudWatch Logs is a destination, not a source of login events.

137
MCQ (hard)

A company uses AWS Organizations to manage multiple accounts. The security team needs to implement a centralized logging solution where all VPC Flow Logs from all accounts are sent to a central S3 bucket in the security account. The flow logs must be encrypted with a customer-managed KMS key (CMK) that is owned by the security account. The security engineer has enabled VPC Flow Logs in each account and configured the destination to be the central S3 bucket. However, the flow logs are not being delivered. The engineer checks the S3 bucket policy and confirms that it grants the required permissions to the Flow Logs service principal. What is the MOST likely cause of the failure?

A. The VPC Flow Logs service does not support cross-account delivery.
B. The KMS key policy does not grant the Flow Logs service principal permission to use the key.
C. CloudTrail must be enabled in the source account for Flow Logs to work.
D. The S3 bucket policy is missing a condition for source account.
Answer: B

The key policy must allow the service principal to encrypt.

Why this answer

Option B is correct because the KMS key policy must grant the Flow Logs service principal permission to use the key for encryption. Option A is wrong because VPC Flow Logs can write to cross-account buckets. Option D is wrong because the bucket policy is already set and confirmed to grant the required permissions.

Option C is wrong because CloudTrail is not involved in Flow Logs delivery.

138
Drag & Drop (medium)

Drag and drop the steps to respond to a suspected AWS IAM credential compromise in the correct order.


Why this order

Credential compromise response starts with rotation, log review, disabling user, revoking temp creds, and notification.

139
MCQ (medium)

A security engineer notices that an IAM user in the company's AWS account is making API calls from an IP address outside the allowed corporate network. The engineer needs to be alerted immediately when such activity occurs. Which solution meets these requirements with the least operational overhead?

A. Create an Amazon CloudWatch Events rule that matches the IAM user's API calls from the unauthorized IP and sends an SNS notification.
B. Enable AWS Trusted Advisor and configure email notifications for security checks.
C. Enable VPC Flow Logs and analyze them with Amazon Athena to detect suspicious IPs.
D. Configure S3 server access logs on the IAM users' bucket and use Amazon Macie to detect anomalies.
Answer: A

CloudWatch Events can filter CloudTrail events and trigger alerts in real time.

Why this answer

Option A is correct because CloudWatch Events (now Amazon EventBridge) can capture API calls from CloudTrail and trigger an SNS notification based on a rule matching the source IP address. Option B is wrong because Trusted Advisor does not monitor IAM user API calls in real time. Option C is wrong because VPC Flow Logs capture network traffic but not API-level details.

Option D is wrong because S3 server access logs are for S3 operations only.

140
MCQ (easy)

A security engineer needs to centralize logs from multiple AWS accounts into a single S3 bucket. Which solution is most secure?

A. Deliver logs to separate buckets per account and use S3 replication to copy them to a central bucket.
B. Use a single S3 bucket in the management account and have each account write logs directly without additional permissions.
C. Configure each account's CloudTrail to deliver to a centralized S3 bucket in a logging account, with a bucket policy allowing CloudTrail from source accounts.
D. Stream logs to Amazon Kinesis Data Firehose in each account and consolidate into a single S3 bucket via cross-account delivery.
Answer: C

This uses cross-account bucket policies, a best practice for centralized logging.

Why this answer

Option C is correct because using a centralized S3 bucket with a bucket policy that grants cross-account permissions from each source account's CloudTrail is a standard secure approach. Option B is incorrect because writing from one account to another requires explicit permissions; it is not automatic. Option A is incorrect because delivering to separate buckets and then copying adds complexity and potential security gaps.

Option D is incorrect because Kinesis Firehose can be used but is not required; S3 bucket policy is simpler and secure.

141
MCQ (hard)

Refer to the exhibit. A security engineer is reviewing an IAM policy attached to a user. The policy is intended to allow the user to get and put objects in the S3 bucket 'example-bucket' only from the IP range 203.0.113.0/24. However, the user reports that they are unable to put objects from an IP within that range. What is the most likely cause of this issue?

A. The condition key should be 'aws:sourceIp' (lowercase 's').
B. The policy should use the 'NotIpAddress' condition operator instead of 'IpAddress'.
C. The resource ARN should be 'arn:aws:s3:::example-bucket' without the '/*' suffix.
D. The policy lacks a separate statement to allow 's3:ListBucket' on the bucket resource.
Answer: D

For console access, ListBucket is required; without it, the user cannot see the bucket but can still perform PutObject via API. However, the question implies inability to put objects, which could be due to missing ListBucket in some SDK scenarios.

Why this answer

Option D is correct because the policy only grants s3:GetObject and s3:PutObject actions on the bucket's objects (arn:aws:s3:::example-bucket/*), but does not include a separate statement allowing s3:ListBucket on the bucket resource (arn:aws:s3:::example-bucket). Without s3:ListBucket, the user cannot list the bucket's contents, which is often required by the AWS CLI or SDK to resolve object keys before performing put operations. The IP condition is correctly applied, so the issue is the missing list permission.

Exam trap

The trap here is that candidates focus on the IP condition syntax or resource ARN format and overlook the common requirement for an explicit s3:ListBucket permission when performing object operations via the AWS CLI or SDK.

How to eliminate wrong answers

Option A is wrong because 'aws:sourceIp' is the correct case-sensitive condition key; AWS condition keys are case-sensitive and 'aws:sourceIp' is valid. Option B is wrong because using 'NotIpAddress' would deny access from the specified range and allow all others, which is the opposite of the intended effect. Option C is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' is correct for object-level actions (GetObject, PutObject); the bucket-level ARN without '/*' is used for bucket-level actions like ListBucket, not for object operations.

142
MCQ (easy)

A security engineer needs to be alerted when an IAM user attempts to modify an S3 bucket policy. Which method is the MOST efficient?

A. Enable VPC Flow Logs and analyze for S3 API traffic
B. Configure an AWS Config rule to detect changes and invoke a Lambda function
C. Create an Amazon CloudWatch Events rule that matches the PutBucketPolicy API call and triggers an SNS notification
D. Enable S3 server access logs and parse them for PutBucketPolicy entries
Answer: C

CloudWatch Events can match API calls from CloudTrail.

Why this answer

Option C is correct because Amazon CloudWatch Events (now Amazon EventBridge) can directly capture the PutBucketPolicy API call as a real-time event and trigger an SNS notification without any additional compute or polling. This is the most efficient method as it requires no log parsing, no custom code, and no additional infrastructure, providing immediate alerting with minimal overhead.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing log-based methods (A or D) or evaluation-based methods (B), missing that CloudWatch Events provides the simplest and most direct real-time alerting for specific API calls without additional overhead.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not log API-level operations like PutBucketPolicy; they cannot identify the specific S3 API call being made. Option B is wrong because an AWS Config rule detects configuration changes after they occur via periodic evaluations or configuration item changes, which introduces latency and requires a Lambda function for notification, making it less efficient than a direct event-driven approach. Option D is wrong because S3 server access logs are delivered on a best-effort basis with delays (often hours), require parsing to extract PutBucketPolicy entries, and are not designed for real-time alerting.

143
MCQ (hard)

A company uses AWS Config to track resource changes. They notice that a weekly compliance report shows an S3 bucket as non-compliant with a rule that checks for server-side encryption. However, the bucket has default encryption enabled. What is the MOST likely reason for this discrepancy?

A. The Config rule checks for SSE on objects, not default bucket encryption.
B. The Config rule was deleted and recreated without re-evaluating existing resources.
C. The Config rule is only evaluating resources in a single AWS Region.
D. The S3 bucket is not tagged with a required tag for the Config rule.
Answer: A

The rule 's3-bucket-server-side-encryption-enabled' checks if the bucket policy requires encryption, not default encryption. Default encryption does not enforce encryption on uploads.

Why this answer

Option A is correct because AWS Config rules evaluate the bucket configuration at the time of the change; default encryption is a bucket-level setting, but the rule checks for encryption on objects rather than that bucket-level default. Option C is wrong because AWS Config evaluates all regions by default but can be scoped. Option B is wrong because the rule exists.

Option D is wrong because Config does not require a resource to be tagged to evaluate it.

144
MCQ (medium)

A company uses AWS Organizations with multiple accounts. The security team wants to centralize security logs (CloudTrail, VPC Flow Logs, AWS Config) from all accounts into a single S3 bucket for analysis. What is the MOST secure way to set up this centralized logging?

A. Create a dedicated S3 bucket in the management account, enable S3 default encryption, and configure service delivery for each account.
B. Create a dedicated S3 bucket in the security account with a bucket policy that grants write access to the logging services of all accounts and enforces encryption in transit and at rest.
C. Configure each account to deliver logs to the same S3 bucket used for other data.
D. Create an S3 bucket in each account and use S3 replication to copy logs to a central bucket.
Answer: B

This approach uses a centralized bucket with proper cross-account bucket policy and encryption, ensuring secure and auditable logging.

Why this answer

Option B is correct because using a centralized S3 bucket with a bucket policy that grants cross-account access and enforces encryption is secure and auditable. Option C is wrong because using the same bucket used for other purposes may break the principle of least privilege and increase risk. Option D is wrong because creating individual buckets for each account defeats centralization.

Option A is wrong because enabling S3 default encryption on a bucket that receives logs from other accounts is not sufficient on its own; the bucket policy must explicitly grant the cross-account permissions.

145
Multi-Select (easy)

A security engineer is designing a monitoring solution for a multi-account AWS environment using AWS Organizations. The solution must provide a centralized view of all API activities and send alerts for suspicious events. Which TWO services together can achieve this? (Choose TWO.)

Select 2 answers
A. Amazon GuardDuty
B. AWS Lambda
C. AWS CloudTrail
D. Amazon CloudWatch Logs
E. AWS Config
Answers: C, D

CloudTrail logs API calls across accounts and can be set up as an organization trail.

Why this answer

AWS CloudTrail is correct because it records all API activity across an AWS environment, and when integrated with AWS Organizations, it can deliver a centralized view of API calls from all accounts into a single CloudTrail trail. Amazon CloudWatch Logs is correct because it can ingest CloudTrail logs from a centralized logging account, allowing the security engineer to create metric filters and alarms that trigger alerts for suspicious events based on specific API patterns.

Exam trap

The trap here is that candidates often pick GuardDuty (A) because it is a security service, but they overlook that GuardDuty does not provide a centralized view of all API activities or allow custom alerting on specific API events, which requires CloudTrail and CloudWatch Logs.

146
Multi-Select (easy)

Which TWO AWS services can be used to monitor and detect unauthorized changes to Amazon S3 bucket policies? (Choose two.)

Select 2 answers
A. AWS CloudTrail
B. Amazon GuardDuty
C. Amazon CloudWatch Logs
D. AWS Config
E. Amazon VPC Flow Logs
Answers: A, D

CloudTrail logs PutBucketPolicy API calls.

Why this answer

Option D is correct because AWS Config can track changes to S3 bucket policies and trigger notifications. Option A is correct because CloudTrail logs the API calls that modify S3 bucket policies. Option C is incorrect because CloudWatch Logs is for storing logs, not detecting changes.

Option E is incorrect because VPC Flow Logs do not track S3 policy changes. Option B is incorrect because GuardDuty does not monitor S3 policy changes.

147
Multi-Select (medium)

Which TWO actions are valid ways to send application logs from an EC2 instance to Amazon CloudWatch Logs? (Select TWO.)

Select 2 answers
A. Configure the EC2 instance to stream syslog to AWS CloudTrail.
B. Write logs to an S3 bucket and use S3 event notifications to send to CloudWatch Logs.
C. Install and configure the unified CloudWatch agent on the EC2 instance.
D. Enable VPC Flow Logs to capture application traffic.
E. Install and configure the legacy CloudWatch Logs agent.
Answers: C, E

The unified agent can collect logs and metrics.

Why this answer

Options C and E are correct. Option C: the unified CloudWatch agent can collect logs and send them to CloudWatch Logs. Option E: the older CloudWatch Logs agent (awslogs) can also send logs.

Option A is wrong because CloudTrail is for API logging, not application logs. Option B is wrong because S3 does not directly send to CloudWatch Logs. Option D is wrong because VPC Flow Logs are for network traffic.

148
MCQ (medium)

A company has a requirement to retain AWS CloudTrail logs for 7 years for compliance. The logs are stored in an S3 bucket. The company wants to reduce storage costs by automatically moving older logs to a cheaper storage class. Which solution should the company implement?

A. Use S3 Intelligent-Tiering to automatically move logs to the most cost-effective access tier.
B. Configure an S3 Lifecycle policy to transition objects from S3 Standard to S3 Glacier after a specified number of days.
C. Move logs to S3 Standard-IA after 30 days.
D. Use S3 Batch Operations to manually copy logs to S3 Glacier.
Answer: B

S3 Lifecycle policies can automatically transition objects to lower-cost storage classes like Glacier for archival.

Why this answer

Option B is correct because S3 Lifecycle policies can transition objects to Glacier after a specified period. Option A is wrong because S3 Intelligent-Tiering is for unknown access patterns, whereas the goal is to reduce costs for logs that are rarely accessed. Option C is wrong because S3 Standard-IA is for infrequently accessed data but is not the cheapest class for archival.

Option D is wrong because S3 Batch Operations is for bulk actions, not automatic transitions.

149
Multi-Select (medium)

A security engineer needs to capture all network traffic between EC2 instances in a VPC for forensic analysis. Which TWO services should be used together? (Choose TWO.)

Select 2 answers
A. Amazon VPC Flow Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon Athena
E. Amazon GuardDuty
Answers: A, D

Captures network traffic metadata.

Why this answer

Amazon VPC Flow Logs capture IP traffic information for network interfaces in a VPC, including metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions. To perform forensic analysis on this raw flow log data, you can use Amazon Athena to query the logs directly from S3 using standard SQL, enabling efficient filtering and pattern detection across large volumes of network traffic.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (network metadata) with AWS CloudTrail (API activity) or GuardDuty (threat detection), failing to recognize that forensic analysis of raw traffic requires both a capture mechanism and a query engine like Athena.

150
MCQ (hard)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to centralize all CloudTrail logs from all accounts into a single S3 bucket in the management account. The bucket policy allows cross-account access. However, logs from member accounts are not being delivered. What is the most likely cause?

A. CloudTrail cannot deliver logs to a bucket in a different account.
B. The S3 bucket is not configured with a CloudTrail prefix.
C. CloudTrail is not enabled in the member accounts.
D. The S3 bucket policy does not grant `s3:PutObject` permission to the member accounts.
Answer: D

Without this permission, CloudTrail cannot write logs to the bucket.

Why this answer

Option D is correct because CloudTrail in member accounts must be granted the `s3:PutObject` action through the bucket policy. Option C is incorrect because CloudTrail event history is enabled by default for the last 90 days, but that is not related to delivery. Option A is incorrect because CloudTrail supports delivering logs to another account's S3 bucket.

Option B is incorrect because CloudTrail logs are delivered to a prefix within the bucket, not to a separate bucket, and the prefix is not what blocks delivery.
