CCNA Security Logging Questions

23 of 323 questions · Page 5/5 · Security Logging topic · Answers revealed

301
MCQ · medium

A company uses AWS WAF to protect a web application. The security team needs to analyze blocked requests to identify attack patterns. Which service should be used to query and visualize WAF logs?

A. Amazon CloudWatch Logs Insights
B. Amazon QuickSight
C. Amazon Athena
D. AWS WAF console
Answer: C

Athena can query WAF logs delivered to S3 using standard SQL.

Why this answer

Amazon Athena queries WAF logs stored in S3 directly with SQL (grouping blocked requests by terminating rule, source IP or URI is the usual starting point for pattern analysis), and QuickSight can then visualize Athena's results. CloudWatch Logs Insights queries CloudWatch Logs log groups, not S3; it only applies if the web ACL was configured to log to CloudWatch Logs instead of S3. QuickSight is a visualization layer that sits on top of a data source such as Athena; it is not the query engine.

The WAF console shows only a sample of recent requests and has no query service over the full log set.
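The grouping that the Athena query would do over these logs, as an added example that is not part of the original question set: the script below parses WAF log records (constructed here to follow the JSON shape WAF delivers to S3; the rule names, addresses and web ACL ARN are illustrative) and summarizes blocked requests by terminating rule, client IP, URI and User-Agent, which is the GROUP BY you would run in Athena once the log table exists.

```python
"""Summarize blocked requests from AWS WAF logs delivered to S3 (added example).

WAF writes one JSON record per request. The four records below are
constructed to follow that shape; they are not real log data. Rule IDs,
addresses and the web ACL ARN are illustrative assumptions.
"""
import json
from collections import Counter


def _record(action, rule, ip, uri, user_agent):
    """Build one constructed WAF log record with the fields this script reads."""
    return {
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app/EXAMPLE",
        "action": action,
        "terminatingRuleId": rule,
        "httpRequest": {
            "clientIp": ip,
            "country": "US",
            "uri": uri,
            "httpMethod": "POST",
            "headers": [{"name": "User-Agent", "value": user_agent}],
        },
    }


# Constructed sample log: three blocks (two by the SQLi rule from one client) and one allow.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in [
    _record("BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "198.51.100.7", "/login", "sqlmap/1.7"),
    _record("BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "198.51.100.7", "/search", "sqlmap/1.7"),
    _record("BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "203.0.113.9", "/comment", "Mozilla/5.0"),
    _record("ALLOW", "Default_Action", "192.0.2.44", "/", "Mozilla/5.0"),
])


def parse_waf_log(text):
    """Parse newline-delimited JSON, as delivered to S3, into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def header_value(record, name):
    """Return a request header value by case-insensitive name, or '' if absent."""
    for header in record.get("httpRequest", {}).get("headers", []):
        if header.get("name", "").lower() == name.lower():
            return header.get("value", "")
    return ""


def blocked_summary(records, top=5):
    """Group blocked requests the way an Athena query would (GROUP BY rule, client IP, URI, UA).

    Returns the top-N (value, count) pairs per dimension; these are the
    pivots that surface scanners and attack campaigns fastest.
    """
    blocked = [r for r in records if r.get("action") == "BLOCK"]
    return {
        "rules": Counter(r.get("terminatingRuleId") for r in blocked).most_common(top),
        "client_ips": Counter(r["httpRequest"]["clientIp"] for r in blocked).most_common(top),
        "uris": Counter(r["httpRequest"]["uri"] for r in blocked).most_common(top),
        "user_agents": Counter(header_value(r, "User-Agent") for r in blocked).most_common(top),
    }


if __name__ == "__main__":
    for dimension, rows in blocked_summary(parse_waf_log(SAMPLE_WAF_LOG)).items():
        print(dimension, rows)
```

On real data, run the same script over the objects under the web ACL's log prefix (one gzipped JSON Lines file per delivery); the ALLOW records are kept in the parse so the same records can also be used to check false positives.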

302
MCQ · hard

A security engineer is investigating a potential data exfiltration from an EC2 instance. CloudTrail logs show that an IAM user created a new access key for another existing IAM user and used it to call S3 GetObject from an unfamiliar IP address. What is the MOST likely reason the CloudTrail logs captured this activity?

A. CloudTrail was enabled to capture management events.
B. S3 server access logs were enabled on the bucket containing the objects.
C. VPC Flow Logs were enabled for the EC2 instance's subnet.
D. The security engineer had enabled CloudTrail Insights.
E. AWS Config was enabled to record resource changes.
Answer: A

CloudTrail management events record control plane API calls such as IAM CreateAccessKey, together with the caller identity and source IP address.

Why this answer

Option A is correct because CreateAccessKey is an IAM management event, and management events are recorded by a trail by default. Note that the S3 GetObject call is an object-level data event: it appears in CloudTrail only if the trail also has S3 data event logging enabled for that bucket, so a complete investigation should confirm both are on. Option B is wrong because S3 server access logs record requests to the bucket but never IAM actions such as creating an access key. Option C is wrong because VPC Flow Logs capture only network metadata (addresses, ports, protocol, bytes), not API calls or identities.

Option D is wrong because CloudTrail Insights analyzes the volume and error rate of management events that are already being recorded; it does not capture events itself. Option E is wrong because AWS Config records resource configuration state and changes, not the API calls and caller identities that CloudTrail provides.

303
Multi-Select · hard

A security engineer is investigating a potential security incident. The engineer has enabled CloudTrail and VPC Flow Logs. Which THREE pieces of information can the engineer obtain from CloudTrail logs that are NOT available in VPC Flow Logs? (Choose three.)

Select 3 answers
A. The payload of the API request.
B. The AWS Region where the API call was made.
C. The destination IP address and port of the network traffic.
D. The IAM user or role that performed the API call.
E. The source IP address of the API call.
Answers: B, D, E

CloudTrail records the Region of the API endpoint that served the call; VPC Flow Logs are per network interface and carry no notion of an API endpoint or Region.

Why this answer

Options B, D and E are correct because CloudTrail logs each API call with the awsRegion of the endpoint, the userIdentity that made it (IAM user, assumed-role session, root or an AWS service) and the sourceIPAddress it came from. A flow log also contains IP addresses, but it cannot tie an address to a specific API call or identity; only CloudTrail does that. Option A is wrong because neither service records request payloads: CloudTrail records request parameters and response elements in its own JSON, not the raw body, and VPC Flow Logs never capture packet contents. Option C is wrong because destination IP addresses and ports are exactly what VPC Flow Logs provide and CloudTrail does not.

304
MCQ · medium

Refer to the exhibit. A security engineer has created an S3 bucket policy to allow AWS CloudTrail and VPC Flow Logs to deliver logs to the bucket. However, CloudTrail logs are not being delivered, but VPC Flow Logs are delivered successfully. What is the most likely cause?

A. The principal is set to a service instead of an AWS account.
B. The condition 's3:x-amz-acl' is misspelled.
C. The service principal in the policy is incorrect for CloudTrail.
D. The bucket policy does not grant CloudTrail permission to perform 's3:GetBucketAcl' and 's3:PutBucketAcl'.
Answer: D

CloudTrail checks the bucket ACL before it writes, so the policy must allow it to read the bucket ACL as well as put objects.

Why this answer

Both services deliver logs through an S3 bucket policy that grants a service principal two things: s3:GetBucketAcl on the bucket, and s3:PutObject on the log prefix with the condition s3:x-amz-acl = bucket-owner-full-control. CloudTrail uses the principal cloudtrail.amazonaws.com and VPC Flow Logs uses delivery.logs.amazonaws.com. A policy that grants the flow logs principal both actions but gives CloudTrail only s3:PutObject produces exactly the symptom described: flow logs arrive, CloudTrail fails its bucket ownership check and delivers nothing. Option D names that missing bucket ACL permission, so it is the intended answer (in practice the two required actions are s3:GetBucketAcl and s3:PutObject; CloudTrail does not need s3:PutBucketAcl).

Option A is wrong because a service principal is exactly what log delivery requires. Option B is wrong because a misspelled s3:x-amz-acl condition key would not break CloudTrail while leaving flow logs working, since both statements use the same condition. Option C is wrong because cloudtrail.amazonaws.com is the correct principal.

When a trail stops delivering, the trail status (the GetTrailStatus API) reports the failure in its LatestDeliveryError field, which is the first thing to check before reading the bucket policy.

305
MCQ · medium

A company uses AWS CloudTrail and wants to ensure that all log files are encrypted at rest using a customer-managed AWS KMS key. The CloudTrail trail is configured to use a KMS key, but some log files appear to be encrypted with the default Amazon S3 managed key (SSE-S3). What is the most likely cause?

A. The KMS key policy does not grant CloudTrail permission to use the key.
B. The CloudTrail trail is configured to use SSE-S3 instead of SSE-KMS.
C. The KMS key is in a different AWS region than the S3 bucket.
D. The S3 bucket has default encryption set to SSE-S3.
Answer: A

If CloudTrail cannot use the configured KMS key, the affected log files are not encrypted with it.

Why this answer

Option A is correct. CloudTrail encrypts log files with the trail's KMS key only if the key policy lets the CloudTrail service principal use it (kms:GenerateDataKey* for CloudTrail, and kms:Decrypt for whoever reads the logs); if that grant is missing or was removed after the trail was created, log files end up protected by SSE-S3 instead of the customer managed key. The key policy, not the trail configuration, is where to look first. Option B is wrong because a trail has no SSE-S3 setting; it either references a KMS key or it does not, and the question states that a key is configured. Option C is wrong because CloudTrail requires the key to be usable from the bucket's Region (same Region or a multi-Region key); a mismatch is a trail configuration error, not something that would affect only some files.

Option D is wrong because CloudTrail does not rely on the bucket's default encryption setting when a trail key is configured; bucket default encryption only applies to objects written without their own encryption parameters.

306
MCQ · easy

Refer to the exhibit. A security engineer runs this CloudWatch Logs Insights query on a log group. What is the purpose of this query?

A. Retrieve the 20 most recent log events that contain only 'ERROR'.
B. Retrieve the 20 most recent log events that contain 'ERROR' or 'WARN'.
C. Display all log events grouped by log level.
D. Count the number of ERROR and WARN events in the last hour.
Answer: B

The filter matches either level, and the sort plus limit return the newest 20.

Why this answer

The query filters for log events whose message contains 'ERROR' or 'WARN', sorts them by @timestamp in descending order and limits the result to 20, so it returns the 20 most recent ERROR or WARN events. Option B is correct. Option A is wrong because WARN events are included as well, not only ERROR.

Option C is wrong because the query does not use stats or group by log level. Option D is wrong because it returns the events themselves rather than a count, and the time window comes from the query's time range selector, not from the query text.

307
Multi-Select · medium

A security engineer needs to monitor DNS query logs for malicious domain names. Which THREE services can be used together to collect, analyze, and alert on DNS logs? (Choose THREE.)

Select 3 answers
A. Amazon CloudWatch Logs
B. AWS Lambda
C. Amazon Route 53 Resolver Query Logs
D. Amazon GuardDuty
E. Amazon Athena
Answers: A, B, C

Route 53 Resolver query logging produces the DNS logs, CloudWatch Logs stores and filters them, and Lambda analyzes and alerts.

Why this answer

Option C is correct because Route 53 Resolver query logging is the source of the data: it records the DNS queries made from the VPC and their responses, and can deliver them to CloudWatch Logs, S3 or Kinesis Data Firehose. Option A is correct because CloudWatch Logs ingests that stream and lets you define metric filters and alarms on it, for example on queries for known-bad domains, for near real-time alerting. Option B is correct because a Lambda function attached as a subscription filter target can apply custom logic, such as matching queried names against a threat intelligence list, and send a notification.

Option D is wrong because GuardDuty consumes DNS logs internally as one of its data sources; you cannot feed it your own query logs or write custom alert rules against them. Option E is wrong because Athena queries logs at rest in S3 after the fact and does not alert on its own.

Exam trap

The trap here is confusing GuardDuty's DNS-based findings with the ability to collect and alert on custom DNS query logs. GuardDuty operates on its own internal data sources and does not provide the custom log monitoring and alerting that the combination of Route 53 Resolver query logs, CloudWatch Logs and Lambda does.

308
Multi-Select · easy

A company wants to monitor for unauthorized changes to security group rules in their VPC. Which TWO AWS services can be used together to detect and alert on such changes?

Select 2 answers
A. AWS CloudTrail
B. AWS Config
C. VPC Flow Logs
D. Amazon GuardDuty
E. Amazon Macie
Answers: A, B

CloudTrail records the API calls that modify security groups, and AWS Config records the resulting configuration change.

Why this answer

Options A and B are correct. CloudTrail logs the API calls that change rules (AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress and so on), and an EventBridge rule on those events can notify immediately. AWS Config records each change to the security group as a new configuration item and can evaluate it against a rule such as the managed rule restricted-ssh, flagging the resource as noncompliant and triggering an alert or an automated remediation.

Option C is wrong because VPC Flow Logs capture traffic accepted or rejected by the rules, not changes to the rules themselves. Option D is wrong because GuardDuty is a threat detection service and does not track configuration changes. Option E is wrong because Macie discovers and classifies sensitive data in S3.

309
MCQ · hard

Refer to the exhibit. A security engineer reviews a CloudTrail log entry. What is the MOST concerning security issue?

A. The security group rule allows SSH from 0.0.0.0/0
B. The root user is performing actions
C. The API call failed as indicated by null response elements
D. The request came from an external IP address
Answer: B

The root user should not be used for routine tasks; any root activity in CloudTrail is a security risk worth investigating.

Why this answer

Option B is correct because the root user is performing actions. The root user has unrestricted access to every resource and service in the account, and its use should be limited to the few account-level tasks that require it (for example closing the account or changing the support plan). Routine API calls by the root user violate the principle of least privilege and indicate a serious governance gap: root activity is logged by CloudTrail, but its permissions cannot be restricted by IAM policies (only an SCP can restrict root in a member account), so every root action carries the full blast radius of the account.

CloudTrail logs showing root user activity for non-essential operations are a red flag for potential credential compromise or a lack of proper IAM governance, and are a standard alert in most detection baselines.

Exam trap

The exam often tests the misconception that a failed API call (null response elements) or an external IP address is automatically a security issue, but the real threat is the root user performing any action outside its limited scope, as this violates the foundational principle of least privilege and indicates potential credential misuse.

How to eliminate wrong answers

Option A is wrong because a security group rule allowing SSH from 0.0.0.0/0 is a common misconfiguration but is not the most concerning issue in this context: the question focuses on the CloudTrail log entry, which does not show that the rule was exploited, and the rule can be revoked, whereas root credential use cannot be scoped. Option C is wrong because null response elements are not inherently a security concern; CloudTrail omits response elements for many successful calls as well as failed ones (which carry an errorCode instead), and failures occur for legitimate reasons such as permission errors or a missing resource. Option D is wrong because an external source IP address is not automatically concerning; AWS APIs are routinely called from the internet and from VPNs, and the log entry alone does not show that the address is malicious or the action unauthorized.
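The checks a reviewer would apply to entries like the ones in questions 302 and 309, as an added example that is not part of the original question set: the script below walks a batch of CloudTrail records (constructed here in the shape of entries from a CloudTrail log file; the account ID, user names, key ID, addresses and the assumed trusted network ranges are illustrative) and flags root activity, an access key minted for a different user, a security group opened to the world, and the first use of a newly created key from an untrusted address.

```python
"""Triage CloudTrail records for the patterns in questions 302 and 309 (added example).

The four records are constructed in the shape of entries from a CloudTrail
log file; the account ID, user names, key ID and addresses are illustrative.
"""
import ipaddress

# Assumed trusted source ranges (corporate VPN and the VPC); not from the original page.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

SAMPLE_RECORDS = [
    {   # an IAM user mints a key for a *different* user: a classic persistence step
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.50",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "svc-backup"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000001",
                                           "status": "Active", "userName": "svc-backup"}},
    },
    {   # root opens SSH to the world
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
        "responseElements": None,
    },
    {   # routine read by a role from inside the VPC: no finding
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "10.0.1.5", "readOnly": True,
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000099",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
        "requestParameters": None, "responseElements": None,
    },
    {   # the new key is used from an unfamiliar address (an S3 data event)
        "eventTime": "2024-05-01T10:12:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.50",
        "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                         "accessKeyId": "AKIAEXAMPLE0000001",
                         "arn": "arn:aws:iam::123456789012:user/svc-backup"},
        "requestParameters": {"bucketName": "customer-exports", "key": "2024/q1.csv"},
        "responseElements": None,
    },
]


def is_trusted_ip(addr, networks=TRUSTED_NETWORKS):
    """True for addresses inside the trusted ranges; service-originated calls carry a
    DNS name (e.g. 'cloudtrail.amazonaws.com') in sourceIPAddress and are not flagged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in networks)


def open_to_world_ports(record):
    """Return (fromPort, toPort) pairs an AuthorizeSecurityGroupIngress call opened to 0.0.0.0/0 or ::/0."""
    params = record.get("requestParameters") or {}
    ports = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        ranges = (perm.get("ipRanges") or {}).get("items", []) + (perm.get("ipv6Ranges") or {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            ports.append((perm.get("fromPort"), perm.get("toPort")))
    return ports


def triage(records):
    """Return (severity, rule, eventName, detail) findings in log order.

    Records are processed chronologically so a key created in one event can be
    followed to its first use in a later one; requestParameters and
    responseElements are null in many CloudTrail entries, hence the `or {}`.
    """
    findings = []
    created_keys = {}  # accessKeyId -> user it was created for
    for rec in records:
        ident = rec.get("userIdentity") or {}
        name = rec.get("eventName")
        ip = rec.get("sourceIPAddress", "")
        if ident.get("type") == "Root":
            findings.append(("HIGH", "root-user-activity", name, ip))
        if name == "CreateAccessKey":
            target = (rec.get("requestParameters") or {}).get("userName")
            key_id = ((rec.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            if key_id:
                created_keys[key_id] = target
            if target and target != ident.get("userName"):
                findings.append(("HIGH", "access-key-created-for-another-user", name,
                                 f"{ident.get('userName')} -> {target}"))
        if name == "AuthorizeSecurityGroupIngress":
            for lo, hi in open_to_world_ports(rec):
                findings.append(("MEDIUM", "security-group-open-to-world", name, f"ports {lo}-{hi}"))
        if ident.get("accessKeyId") in created_keys and not is_trusted_ip(ip):
            findings.append(("HIGH", "new-key-used-from-untrusted-ip", name, ip))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(*finding)
```

The last rule only fires if the trail also records S3 data events, which is the caveat from question 302: without them the GetObject entry never exists and the key's use would have to be reconstructed from S3 server access logs instead.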

310
Multi-Select · hard

A company is designing a centralized logging solution for multiple AWS accounts. The logs must be encrypted at rest and in transit, and access must be audited. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A. Configure cross-account CloudWatch Logs subscription to aggregate logs centrally.
B. Enable S3 server access logs on the central bucket for auditing.
C. Configure the S3 bucket policy to restrict PutObject to the CloudTrail service principal with a condition on aws:SourceArn.
D. Use AWS KMS customer managed keys (CMK) to encrypt the central S3 bucket.
E. Use VPC endpoints to ensure logs are transmitted over the AWS network.
Answers: C, D

Scoping the delivery statement with aws:SourceArn ensures only the expected CloudTrail trail can write to the bucket, preventing unauthorized or confused-deputy writes; a KMS customer managed key gives control over, and an audit trail of, the encryption key.

Why this answer

Option D is correct: encrypting the central bucket with a KMS customer managed key gives the security team control over the key policy and rotation, and every use of the key is itself recorded in CloudTrail, which audits access to the logs. Option C is correct: a bucket policy that grants s3:PutObject to the CloudTrail service principal only under a condition on aws:SourceArn (the trail ARN) ensures that only the intended trail can deliver logs, not any trail in any account that learns the bucket name. Option A is wrong because cross-account CloudWatch Logs subscriptions (through a Kinesis destination) move data but address neither encryption of the central store nor auditing of access to it.

Option B is wrong because S3 server access logging is delivered on a best-effort basis and provides neither encryption nor write control; CloudTrail data events are the reliable way to audit reads of the log bucket. Option E is wrong because VPC endpoints keep traffic on the AWS network but are not a substitute for encryption in transit, which the AWS API endpoints already provide with TLS.

311
MCQ · easy

A company wants to centrally collect VPC Flow Logs from multiple accounts into a single S3 bucket in the security account. Which solution is the MOST operationally efficient?

A. Use CloudWatch Logs to stream flow logs to a Lambda function that writes to S3.
B. Log in to each account and configure VPC Flow Logs to deliver to the central S3 bucket.
C. Configure each account's VPC Flow Logs to a local S3 bucket, then use S3 replication to copy to the central bucket.
D. Use AWS Organizations to centrally enable VPC Flow Logs in all accounts and deliver to the central S3 bucket.
Answer: D

With AWS Organizations, a CloudFormation StackSet with service-managed permissions and automatic deployment creates the flow log in every account (including new ones) and points it at the central bucket.

Why this answer

Option D is correct because AWS Organizations lets you deploy the flow log configuration to every member account from one place, using a CloudFormation StackSet with service-managed permissions and automatic deployment for accounts that join later. The central bucket needs a policy that grants delivery.logs.amazonaws.com s3:GetBucketAcl and s3:PutObject, scoped to the organization's accounts with aws:SourceAccount (or aws:SourceOrgID). Option B is wrong because logging in to each account and configuring flow logs by hand works but scales poorly and drifts as accounts are added. Option A is wrong because CloudWatch Logs and a Lambda function are unnecessary when S3 is the destination; flow logs can be delivered to S3 directly.

Option C is wrong because per-account buckets plus S3 replication add cost and complexity and still leave the logging configuration decentralized.

312
MCQ · medium

A DevOps engineer notices that an EC2 instance's CloudWatch agent is not sending custom metrics to CloudWatch. The agent is installed and the configuration file is valid. The instance has an IAM role attached. What is the most likely reason for the failure?

A. The instance does not have internet access to reach CloudWatch endpoints.
B. The CloudWatch agent is not running as root.
C. The CloudWatch agent configuration file has a syntax error.
D. The IAM role attached to the instance does not have the cloudwatch:PutMetricData permission.
Answer: D

The CloudWatch agent needs the CloudWatchAgentServerPolicy managed policy or an equivalent that allows cloudwatch:PutMetricData.

Why this answer

The CloudWatch agent calls cloudwatch:PutMetricData to publish custom metrics. If the instance role lacks that action the calls are rejected with AccessDenied; the metrics simply never appear, and the only evidence is in the agent's own log file (on Linux, /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log). Option A is a possible cause in general, but an attached role with a valid configuration points first to permissions, not connectivity. Option B is wrong because the agent does not need to run as root to publish metrics. Option C is ruled out by the question, which states that the configuration file is valid.

313
MCQ · medium

A company uses AWS CloudTrail to log all API activity. A security analyst notices that some delete operations on S3 buckets are missing from the CloudTrail logs. What is the MOST likely reason?

A. The S3 bucket has server access logging enabled, which overrides CloudTrail.
B. The trail is configured to log only management events, not data events.
C. The delete operations are performed by a cross-account role, which CloudTrail does not log.
D. The root user of the account is excluded from CloudTrail logging.
Answer: B

Object-level S3 operations are data events and must be enabled on the trail separately from management events.

Why this answer

Option B is correct. Management events such as DeleteBucket are logged by default, but object-level operations such as DeleteObject are S3 data events, which a trail records only when data event logging is enabled for the bucket (or for all buckets); data events are also absent from the 90-day event history. Option A is wrong because S3 server access logs are a separate, best-effort log stream and do not affect what CloudTrail records.

Option C is wrong because actions performed in this account through a cross-account role are recorded by this account's trail, with the assumed-role session in userIdentity. Option D is wrong because root user activity is logged like any other identity's; there is no root exclusion.

314
MCQ · medium

A company uses AWS CloudTrail to log management events in all regions. The security team notices that some API calls made by an IAM user are not appearing in the CloudTrail event history. What is the most likely reason?

A. The user used the AWS Management Console, not the CLI
B. The trail is configured for a single region only
C. The API calls were read-only and excluded by default
D. CloudTrail event history only retains events for 90 days; older events are not visible
Answer: D

CloudTrail event history is limited to the last 90 days of management events.

Why this answer

Option D is correct because the CloudTrail event history in the console and the LookupEvents API retain only the last 90 days of management events. If the API calls were made more than 90 days ago they no longer appear there, even though the trail is still delivering log files to S3 for longer-term retention. The security team is likely looking at the event history rather than querying the S3 log files (for example with Athena) for older events.

Exam trap

The trap here is that candidates often assume missing API calls are due to configuration issues (like single-region trails or console-only access) rather than the 90-day retention limit of the event history, which is a fundamental but easily overlooked CloudTrail behavior.

How to eliminate wrong answers

Option A is wrong because CloudTrail logs API calls regardless of whether they are made via the AWS Management Console, CLI or SDK; all management events are captured. Option B is wrong because the question states the trail is configured for all regions, so a single-region trail would not explain the missing events. Option C is wrong because CloudTrail does not exclude read-only API calls by default; management events include both read and write events unless the trail's event selectors are configured to filter them.

315
MCQ · medium

A company uses AWS Organizations with multiple accounts. The security team wants to centralize the collection of VPC Flow Logs and AWS CloudTrail logs from all accounts into a single Amazon S3 bucket in the management account. The S3 bucket policy must allow cross-account log delivery. Which condition in the bucket policy should be used to restrict log delivery to only the organization's accounts?

A. aws:SourceArn
B. aws:SourceOrgId
C. aws:SourceAccount
D. aws:PrincipalOrgID
Answer: B

aws:SourceOrgID (the key is written with a capital ID) restricts service-delivered writes to resources belonging to the whole organization in a single condition.

Why this answer

Option B is correct. When CloudTrail or the flow logs delivery service writes to the bucket, the principal is the service itself, and the condition keys that describe whose resource it is acting for are aws:SourceAccount, aws:SourceArn and aws:SourceOrgID (plus aws:SourceOrgPaths). A single StringEquals condition on aws:SourceOrgID matching the organization ID allows delivery on behalf of every current and future member account and nothing else. Option C is wrong because aws:SourceAccount would require listing each account ID individually, which does not scale and has to be maintained as accounts are added.

Option D is wrong because aws:PrincipalOrgID is a valid key but applies to the IAM principal making the request; a service principal such as cloudtrail.amazonaws.com is not a member of any organization, so the condition would never match for log delivery. Option A is wrong because aws:SourceArn is the most specific scope (one trail or flow log ARN) and would need a pattern or list covering every account's resources.
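A policy check that ties together questions 304, 310 and 315, as an added example that is not part of the original question set: the script below audits an S3 bucket policy for the grants CloudTrail delivery needs (s3:GetBucketAcl on the bucket, s3:PutObject on a log prefix requiring the bucket-owner-full-control ACL, and a scoping condition on aws:SourceArn or aws:SourceOrgID). The two policies are constructed; the bucket name, account ID and organization ID are illustrative, and the broken policy reproduces the symptom from question 304 (flow logs delivered, CloudTrail not).

```python
"""Audit an S3 bucket policy for CloudTrail log delivery (added example).

Covers the failure in question 304 (missing s3:GetBucketAcl for the CloudTrail
principal) and the scoping conditions from questions 310 and 315. The two
policies below are constructed; bucket name, account ID and organization ID
are illustrative assumptions.
"""

CLOUDTRAIL = "cloudtrail.amazonaws.com"
FLOW_LOGS = "delivery.logs.amazonaws.com"
BUCKET = "central-logs-example"
ORG_ID = "o-exampleorgid"
ACL = {"s3:x-amz-acl": "bucket-owner-full-control"}


def _stmt(sid, service, action, resource, conditions=None):
    """Build one Allow statement; conditions become a StringEquals block."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
            "Action": action, "Resource": resource}
    if conditions:
        stmt["Condition"] = {"StringEquals": conditions}
    return stmt


# Flow logs get both actions, CloudTrail only PutObject: flow logs arrive, CloudTrail does not.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("FlowLogsAclCheck", FLOW_LOGS, "s3:GetBucketAcl", f"arn:aws:s3:::{BUCKET}"),
    _stmt("FlowLogsWrite", FLOW_LOGS, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/AWSLogs/*", ACL),
    _stmt("CloudTrailWrite", CLOUDTRAIL, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/AWSLogs/123456789012/*", ACL),
]}

# Both actions granted to both principals and every statement scoped to the organization.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("CloudTrailAclCheck", CLOUDTRAIL, "s3:GetBucketAcl", f"arn:aws:s3:::{BUCKET}",
          {"aws:SourceOrgID": ORG_ID}),
    _stmt("CloudTrailWrite", CLOUDTRAIL, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/AWSLogs/*",
          {**ACL, "aws:SourceOrgID": ORG_ID}),
    _stmt("FlowLogsAclCheck", FLOW_LOGS, "s3:GetBucketAcl", f"arn:aws:s3:::{BUCKET}",
          {"aws:SourceOrgID": ORG_ID}),
    _stmt("FlowLogsWrite", FLOW_LOGS, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/AWSLogs/*",
          {**ACL, "aws:SourceOrgID": ORG_ID}),
]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(stmt, service, action):
    """True if the statement is an Allow for this service principal naming this exact action
    (wildcard actions such as s3:* are deliberately not expanded)."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return stmt.get("Effect") == "Allow" and service in services and action in _as_list(stmt.get("Action"))


def _condition_values(stmt, key):
    """Values for a condition key across all operators, matched case-insensitively."""
    for operator_values in (stmt.get("Condition") or {}).values():
        for cond_key, value in operator_values.items():
            if cond_key.lower() == key.lower():
                return _as_list(value)
    return []


def audit_cloudtrail_delivery(policy, bucket, expected_org_id=None):
    """Return a list of problems with the CloudTrail delivery grants (empty means the policy is sound)."""
    problems = []
    stmts = _as_list(policy.get("Statement"))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    acl_stmts = [s for s in stmts if _allows(s, CLOUDTRAIL, "s3:GetBucketAcl")]
    put_stmts = [s for s in stmts if _allows(s, CLOUDTRAIL, "s3:PutObject")]
    if not any(bucket_arn in _as_list(s.get("Resource")) for s in acl_stmts):
        problems.append(f"{CLOUDTRAIL} lacks s3:GetBucketAcl on the bucket")
    if not any(r.startswith(bucket_arn + "/") for s in put_stmts for r in _as_list(s.get("Resource"))):
        problems.append(f"{CLOUDTRAIL} lacks s3:PutObject on a log prefix under the bucket")
    for s in put_stmts:
        sid = s.get("Sid", "<no Sid>")
        if "bucket-owner-full-control" not in _condition_values(s, "s3:x-amz-acl"):
            problems.append(f"PutObject statement '{sid}' does not require the bucket-owner-full-control ACL")
        org_ids = _condition_values(s, "aws:SourceOrgID")
        if not org_ids and not _condition_values(s, "aws:SourceArn"):
            problems.append(f"PutObject statement '{sid}' is not scoped with aws:SourceArn or aws:SourceOrgID")
        if expected_org_id and org_ids and org_ids != [expected_org_id]:
            problems.append(f"PutObject statement '{sid}' is scoped to a different organization")
    return problems


if __name__ == "__main__":
    print("broken:", audit_cloudtrail_delivery(BROKEN_POLICY, BUCKET))
    print("fixed: ", audit_cloudtrail_delivery(FIXED_POLICY, BUCKET, ORG_ID))
```

The same function can be pointed at the output of GetBucketPolicy on a real bucket; the flow logs principal is checked the same way by passing delivery.logs.amazonaws.com in place of the CloudTrail constant.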

316
Multi-Select · medium

A company needs to ensure that all API calls made to AWS are logged and that the logs are immutable. Which TWO steps should be taken? (Choose TWO.)

Select 2 answers
A. Enable CloudTrail log file validation.
B. Enable AWS CloudTrail in all regions.
C. Store CloudTrail logs in an S3 bucket with Object Lock enabled in Compliance mode.
D. Send CloudTrail logs to CloudWatch Logs with a retention policy.
E. Enable S3 versioning on the destination bucket.
Answers: B, C

A multi-Region trail captures API calls in every Region, and Object Lock in Compliance mode makes the delivered files immutable.

Why this answer

Option B is correct: only a trail that applies to all Regions records every API call, including activity in Regions the company does not normally use. Option C is correct: S3 Object Lock in Compliance mode prevents any principal, including the root user, from deleting or overwriting the log objects until the retention period ends. Option A is wrong because log file validation (signed digest files) lets you detect that a file was modified or deleted after delivery, which is integrity, not immutability; it is still worth enabling alongside Object Lock.

Option D is wrong because CloudWatch Logs retention policies only control how long data is kept, and anyone with permission can delete the log group. Option E is wrong because S3 versioning keeps prior versions but does not prevent their deletion, so an attacker with s3:DeleteObjectVersion can still remove them.
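What log file validation (option A) actually gives you, as an added example that is not part of the original question set: CloudTrail delivers an hourly digest file listing the SHA-256 of every log file it wrote, chained to the previous digest and signed by CloudTrail. The script below performs the hash checks that prove a delivered file is still the file CloudTrail wrote, and shows a tampered file failing them. The log files and digest are constructed in that shape (the account ID and bucket name are illustrative); the RSA signature over the digest itself is not verified here, since that step needs the public key from CloudTrail's ListPublicKeys API.

```python
"""Check CloudTrail log files against a digest file (added example).

The log files and the digest are constructed here in the shape CloudTrail
uses; account ID and bucket name are illustrative. Only the hash checks are
performed; the digest's RSA signature needs CloudTrail's public key.
"""
import gzip
import hashlib
import json

ACCOUNT = "123456789012"
BUCKET = "central-logs-example"
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_log_object(records):
    """CloudTrail stores each log file as gzip-compressed JSON; mtime=0 keeps the bytes reproducible."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def build_example():
    """Return (digest, objects, previous_digest_bytes) for a constructed one-hour window.

    objects maps each S3 key to the bytes as they would be fetched from the bucket.
    """
    objects = {
        PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T1000Z_aaaaaaaa.json.gz":
            make_log_object([{"eventName": "CreateAccessKey", "eventTime": "2024-05-01T10:00:00Z"}]),
        PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T1005Z_bbbbbbbb.json.gz":
            make_log_object([{"eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-05-01T10:05:00Z"}]),
    }
    previous_digest = json.dumps({"digestEndTime": "2024-05-01T10:00:00Z", "logFiles": []}).encode()
    digest = {
        "awsAccountId": ACCOUNT,
        "digestStartTime": "2024-05-01T10:00:00Z",
        "digestEndTime": "2024-05-01T11:00:00Z",
        "digestS3Bucket": BUCKET,
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest),
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in objects.items()
        ],
    }
    return digest, objects, previous_digest


def verify_log_files(digest, objects):
    """Return the S3 keys whose content is missing or does not hash to the digest's value."""
    bad = []
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if entry.get("hashAlgorithm") != "SHA-256" or data is None or sha256_hex(data) != entry["hashValue"]:
            bad.append(entry["s3Object"])
    return bad


def verify_chain(digest, previous_digest_bytes):
    """True if the previous digest file still hashes to the value this digest recorded for it."""
    return sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]


if __name__ == "__main__":
    digest, objects, previous = build_example()
    print("intact:", verify_log_files(digest, objects), verify_chain(digest, previous))
    key = digest["logFiles"][0]["s3Object"]
    objects[key] = make_log_object([])  # an attacker empties the file that recorded the key creation
    print("tampered:", verify_log_files(digest, objects))
```

A deleted log file shows up the same way as a modified one (its key is missing from the objects fetched), which is why the digest chain matters: with Object Lock the file cannot be removed at all, and with validation alone you at least learn that it was.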

317
MCQ · easy

A company wants to receive real-time notifications when specific API calls are made in their AWS account, such as creating a new IAM user. Which AWS service should be used to trigger a notification based on CloudTrail events?

A. AWS Config
B. Amazon EventBridge
C. Amazon Inspector
D. Amazon VPC Flow Logs
Answer: B

EventBridge rules match CloudTrail events as they happen and invoke targets such as SNS for notifications.

Why this answer

Option B is correct because Amazon EventBridge receives management events from CloudTrail (detail-type "AWS API Call via CloudTrail") and a rule can match on fields such as source and detail.eventName, then invoke a target such as an SNS topic or a Lambda function. Because IAM is a global service, its CloudTrail events are delivered to EventBridge in us-east-1, so the rule must be created there. Option D is wrong because VPC Flow Logs contain no API call data.

Option A is wrong because AWS Config tracks resource configuration and compliance, not real-time API notifications. Option C is wrong because Amazon Inspector performs vulnerability assessments.
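The rule pattern for the CreateUser case and a way to test it before deploying, as an added example that is not part of the original question set: the script below implements the subset of EventBridge pattern semantics a logging rule needs (literal value lists, nested objects, and the prefix, anything-but and exists content filters) and runs an IAM-change pattern over events shaped the way EventBridge presents CloudTrail records. The pattern and the five events are constructed; the account ID, user names and the excluded provisioning user are illustrative.

```python
"""Match CloudTrail events against an EventBridge-style pattern (added example).

EventBridge delivers management events with detail-type "AWS API Call via
CloudTrail" and the CloudTrail record under "detail". The matcher below
implements the subset of pattern semantics a logging rule needs so the rule
can be tested offline. The pattern and the five events are constructed;
account ID and user names are illustrative.
"""

_MISSING = object()

# Alert on successful IAM identity creation, excluding the approved provisioning user.
IAM_CHANGE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "CreateAccessKey", "CreateLoginProfile"],
        "errorCode": [{"exists": False}],  # CloudTrail sets errorCode only on failed calls
        "userIdentity": {"arn": [{"anything-but": ["arn:aws:iam::123456789012:user/provisioner"]}]},
    },
}


def _cloudtrail_event(source, event_name, arn, error_code=None):
    """Wrap a minimal CloudTrail record the way EventBridge presents it."""
    detail = {"eventSource": source.replace("aws.", "") + ".amazonaws.com",
              "eventName": event_name, "userIdentity": {"arn": arn}}
    if error_code:
        detail["errorCode"] = error_code
    return {"version": "0", "detail-type": "AWS API Call via CloudTrail", "source": source,
            "account": "123456789012", "region": "us-east-1", "detail": detail}


SAMPLE_EVENTS = [
    _cloudtrail_event("aws.iam", "CreateUser", "arn:aws:iam::123456789012:user/alice"),
    _cloudtrail_event("aws.iam", "CreateUser", "arn:aws:iam::123456789012:user/provisioner"),
    _cloudtrail_event("aws.iam", "CreateAccessKey", "arn:aws:iam::123456789012:user/bob", "AccessDenied"),
    _cloudtrail_event("aws.ec2", "DescribeInstances", "arn:aws:sts::123456789012:assumed-role/app/i-0abc"),
    _cloudtrail_event("aws.iam", "CreateLoginProfile", "arn:aws:iam::123456789012:root"),
]


def _match_one(pattern_value, value):
    """Match one element of a pattern array against one event value."""
    if isinstance(pattern_value, dict):  # content filter
        if "prefix" in pattern_value:
            return isinstance(value, str) and value.startswith(pattern_value["prefix"])
        if "anything-but" in pattern_value:
            excluded = pattern_value["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return value is not _MISSING and value not in excluded
        if "exists" in pattern_value:
            return pattern_value["exists"] == (value is not _MISSING)
        return False
    return value == pattern_value


def matches(pattern, event):
    """True if every field in the pattern matches the event (EventBridge semantics: AND across
    fields, OR within a field's array; an event array matches if any element matches)."""
    for key, expected in pattern.items():
        actual = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        if isinstance(expected, dict):  # nested object pattern
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_match_one(p, c) for p in expected for c in candidates):
                return False
    return True


def matching_event_names(pattern, events):
    """Event names of the events the pattern would route to the rule's target."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(matching_event_names(IAM_CHANGE_PATTERN, SAMPLE_EVENTS))  # ['CreateUser', 'CreateLoginProfile']
```

The exists filter on errorCode is the detail most often missed in practice: without it the rule also fires on every denied attempt, which may be what you want for a separate, noisier rule but not for the notification described in the question.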

318
MCQ · medium

A security engineer needs to ensure that all API calls made to AWS are logged and retained for at least 7 years for compliance. Which AWS service should be enabled to meet this requirement?

A. Amazon GuardDuty
B. AWS Config
C. Amazon Inspector
D. AWS CloudTrail
Answer: D

CloudTrail records API activity and delivers it to S3, where lifecycle rules and Object Lock retain it for as long as required.

Why this answer

Option D is correct because AWS CloudTrail records API activity and delivers log files to an S3 bucket, where an S3 Lifecycle configuration (for example a transition to S3 Glacier Deep Archive) keeps them for seven years at low cost; the 90-day event history alone would not meet the requirement. Option A is wrong because Amazon GuardDuty is a threat detection service, not an API log. Option B is wrong because AWS Config records resource configuration changes, not API calls.

Option C is wrong because Amazon Inspector performs vulnerability assessments.

319
MCQ · hard

A company stores sensitive data in an S3 bucket with SSE-KMS encryption. The security team wants to log all access attempts to the bucket, including successful and denied requests. They have enabled S3 server access logs and are delivering them to a different bucket. However, they notice that some access attempts are not logged. What is the most likely reason?

A. The delivery bucket is in a different AWS account.
B. The access logs only log successful requests.
C. The bucket uses SSE-KMS encryption, which prevents logging.
D. S3 server access logs do not log requests that are denied before reaching S3.
Answer: D

Requests rejected before S3 processes them, and a share of all requests, do not appear in server access logs, which are delivered on a best-effort basis.

Why this answer

Option D is correct. S3 server access logs record requests that S3 processes for the bucket, including ones that fail with an error code such as AccessDenied, but requests that are rejected before they reach the bucket are not recorded, and delivery itself is best-effort, so some records can be missing or late. For a complete audit of reads and writes, including denials, enable CloudTrail data events for the bucket rather than relying on server access logs. Option A is wrong because the target bucket for server access logs must be owned by the same account and be in the same Region as the source bucket; a cross-account target could not have been configured in the first place, so it would not explain missing records. Option B is wrong because the log records include the HTTP status and error code, so denied requests that S3 handled do appear. Option C is wrong because SSE-KMS on the source bucket has no effect on access logging.

320
MCQ · hard

A company is using Amazon CloudWatch Logs to collect logs from its EC2 instances. The security team wants to ensure that logs are encrypted at rest and that access to the logs is controlled. Which solution should the team implement?

A. Enable encryption using AWS KMS customer managed keys (CMK) and apply IAM policies to control access.
B. Use SSE-C with a customer-provided key to encrypt log data.
C. Use SSE-S3 to encrypt the log data in CloudWatch Logs.
D. Enable default encryption on the log group and use S3 bucket policies.
Answer: A

CloudWatch Logs supports a KMS customer managed key for encryption at rest at the log group level, and IAM policies control who can read the logs.

Why this answer

Option A is correct because a log group can be associated with a KMS customer managed key, so log data is encrypted with a key whose policy the team controls (the key policy must let the CloudWatch Logs service principal for the Region use it), and IAM policies scoped to the log group ARN control who can read, filter and export it. Option C is wrong because SSE-S3 is an S3 feature and does not apply to CloudWatch Logs. Option B is wrong because CloudWatch Logs has no SSE-C option; it only accepts a KMS key.

Option D is wrong because S3 bucket policies do not govern access to log groups, and without an associated key the log group uses service-managed encryption rather than a customer managed key the team can audit.

321
Matching · medium

Match each AWS CloudTrail log type to its description.

Descriptions

Control plane operations

Resource operations like S3 object access

Unusual activity detection

Invocation of Lambda function URLs

Why these pairings

CloudTrail captures different categories of events. Management events record control plane operations (creating a trail, modifying a security group, IAM changes) and are logged by default. Data events record operations on resources, such as S3 object access and Lambda function invocations (function URL invocations included); they must be enabled explicitly and are billed separately. Insights events flag unusual activity, such as a spike in the call rate or error rate of a management API relative to the account's baseline.

322
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a central S3 bucket. A new member account is created and the security engineer wants to enforce this configuration automatically. Which approach meets these requirements with the least operational overhead?

A. Use AWS Config rules to detect accounts without CloudTrail and trigger a remediation via Systems Manager Automation.
B. Use AWS CloudFormation StackSets to deploy a CloudTrail template to all accounts in the organization.
C. Use an SCP to deny cloudtrail:StopLogging and cloudtrail:DeleteTrail actions.
D. Create an AWS Lambda function that runs periodically to check and enable CloudTrail in each account.
Answer: B

StackSets with automatic deployment create the trail in every new account as it joins the organization.

Why this answer

Option B is correct because a CloudFormation StackSet with service-managed permissions and automatic deployment enabled deploys the CloudTrail template to every account in the organization (or target OU), including accounts created later, with no per-account action. Outside these options, the lowest-overhead answer is an organization trail created in the management or delegated administrator account, which covers every member account automatically without deploying anything into them; among the choices given, the StackSet approach is the closest. Option A is wrong because AWS Config rules are reactive, require Config itself to be deployed in each account, and only remediate after a gap has existed. Option C is wrong because an SCP can prevent trails from being stopped or deleted but cannot create or enable one.

Option D is wrong because a periodic Lambda function is custom code that must be written, permissioned across accounts and maintained, which is more operational overhead than a StackSet.

323
MCQ · medium

Refer to the exhibit. A security engineer ran this AWS CLI command to find when a specific CreateKeyPair API call was made. The command returns no results, even though the engineer knows the call was made. What is the MOST likely reason?

A. The time range is too narrow.
B. The command did not specify a region, so it defaults to us-east-1, but the call was made in a different region.
C. The event name should be 'CreateKeypair' (lowercase p).
D. The --lookup-attributes parameter has incorrect syntax.
Answer: D

The attribute key and value must be passed as one comma-separated shorthand token; a malformed --lookup-attributes value matches nothing or fails to parse.

Why this answer

Option D is correct. The lookup-events shorthand syntax is 'AttributeKey=EventName,AttributeValue=CreateKeyPair' with no space after the comma and exactly one attribute per call (the LookupEvents API accepts a single lookup attribute); if the value is split, quoted incorrectly or uses a different separator, the filter does not match any events. The equivalent JSON form is a list containing one object with AttributeKey and AttributeValue.

Option A is wrong because the time range shown is valid. Option B is a real-world second check rather than the most likely cause here: lookup-events is Regional and CreateKeyPair is an EC2 call made in a specific Region, so the command must run against the Region where the call happened (or the trail's log files in S3 must be queried instead), but the question points at the command's syntax. Option C is wrong because the event name is case-sensitive and 'CreateKeyPair' is the correct API name.
