Exam AWS Certified Security - Specialty topic 1 question 118 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 118
Topic #: 1

A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents.
A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and confirm that any policy change is in accordance with the bucket's data classification. If any change is out of compliance, the Security team must be notified quickly.
Which combination of actions would build the required solution? (Choose three.)

  • A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus.
  • B. Enable Amazon GuardDuty in the security account, and join the production accounts as members.
  • C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events.
  • D. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact.
  • E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team.
  • F. Configure event notifications on S3 buckets for PUT, POST, and DELETE events.
Suggested Answer: ACE
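One way to realise the suggested A + C + E combination in the security account, written here as an added example (not from the exam page or any AWS sample): an EventBridge (CloudWatch Events) rule in the security account matching CloudTrail S3 control-plane calls forwarded from the production account event buses triggers this Lambda, which compares the new bucket policy with the bucket's classification tag and publishes a finding to SNS. The tag key `DataClassification` and its values, the rule that a non-Public bucket must never grant an Allow to a wildcard principal, the shape of `requestParameters.bucketPolicy` in the CloudTrail record, the `ALERT_TOPIC_ARN` environment variable and the sample event are all assumptions.

```python
import json
import os
TAG_KEY = "DataClassification"  # assumed tag key; values Public / Internal / Confidential

def _principals(stmt):
    """Flatten a statement's Principal ("*" or {"AWS": [...]}) into a list of strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return [x for v in p.values() for x in (v if isinstance(v, list) else [v])]

def find_violations(policy, classification):
    """Findings for Allow statements that open a non-Public bucket to any principal."""
    if classification.lower() == "public":
        return []
    return [f"statement {i} ({s.get('Sid', 'no Sid')}) allows any principal on a "
            f"{classification} bucket"
            for i, s in enumerate(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and "*" in _principals(s)]

def evaluate_event(event, tags):
    """Evaluate one CloudTrail-sourced S3 event; tags is the bucket's {key: value} map."""
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    bucket = params.get("bucketName")
    classification = tags.get(TAG_KEY)
    if classification is None:  # untagged bucket: compliance cannot be proven
        return {"bucket": bucket, "compliant": False,
                "findings": [f"bucket has no {TAG_KEY} tag"]}
    policy = params.get("bucketPolicy") or {}  # absent for CreateBucket / DeleteBucketPolicy
    findings = find_violations(policy, classification)
    return {"bucket": bucket, "compliant": not findings, "findings": findings}

def lambda_handler(event, context):
    """Entry point in the security account: read the tag, evaluate, alert via SNS."""
    import boto3  # imported lazily so evaluate_event stays testable offline
    bucket = event["detail"]["requestParameters"]["bucketName"]
    tagset = boto3.client("s3").get_bucket_tagging(Bucket=bucket)["TagSet"]
    result = evaluate_event(event, {t["Key"]: t["Value"] for t in tagset})
    if not result["compliant"]:
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],
                                    Subject=f"S3 policy non-compliance: {bucket}",
                                    Message=json.dumps(result, indent=2))
    return result

# Constructed sample: a PutBucketPolicy call forwarded from a production account.
SAMPLE_EVENT = {"detail": {"eventName": "PutBucketPolicy", "requestParameters": {
    "bucketName": "prod-finance-reports", "bucketPolicy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::prod-finance-reports/*"}]}}}}
SAMPLE_TAGS = {TAG_KEY: "Confidential"}
```

The security-account execution role is assumed to be allowed to call `GetBucketTagging` on the production buckets, as the question states it has privileges to all resources in every account.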

Comments

Raj1510
Highly Voted 3 years, 7 months ago
Events, rules and target, ACE - should be correct
upvoted 25 times
bukkanni
Most Recent 8 months, 4 weeks ago
Lambda has a strict 15 minute time limit and is not likely to be appropriate for evaluating all the S3 buckets across all the production accounts. It could time out.
upvoted 1 times
Raphaello
1 year, 2 months ago
Selected Answer: ACE
Correct answers are ACE. GuardDuty is not quite useful in this case. Rather, creating EventBridge (formerly CW Events) events in the Prod accounts and driving them into the Sec account event bus, and using a Lambda function to analyze the events and provide notification, seems to be the right solution here.
upvoted 2 times
abdelrhman
1 year, 11 months ago
Option C (Configure a CloudWatch Events rule in the security account to detect S3 bucket creation or modification events) can be useful for monitoring bucket creation or modification events, but it doesn't specifically address the requirement of enforcing bucket policy compliance based on the bucket's data classification.
upvoted 1 times
abdelrhman
1 year, 11 months ago
Selected Answer: ABE
https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html ABE
upvoted 2 times
Nikhil0222
2 years ago
ACE
A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus: This will allow the security account to monitor the S3 bucket events in all production accounts.
C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events: This will allow the security account to detect when a new bucket is created or when an existing bucket is modified.
E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team: This will allow the security account to analyze the bucket policy changes in accordance with the data classification of the bucket and send notifications to the security team if any policy change is out of compliance.
upvoted 2 times
ITGURU51
2 years ago
The obvious wrong answers would leave you with ACE. Trusted Advisor, GuardDuty have nothing to do with maintaining the overall compliance requirements. Invoking the Lambda function would help us send the non-compliance notifications.
upvoted 2 times
MrTricky
2 years, 3 months ago
ACE
A: To receive events in the security account you have to allow S3 events to be sent to the event bus of the security account. If not, the S3 events can be recorded in the production account but they will not be sent to the security account. https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html
C: Not much to be said, you have to detect somehow; CloudWatch Events rules do this and can invoke a Lambda function.
E: After detection you need to analyze the event and send a notification.
upvoted 1 times
boooliyooo
2 years, 4 months ago
Selected Answer: ACE
To build the required solution, the security engineer should take the following actions:
A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus. This will allow the security account to receive notifications of all S3 events that occur in the production accounts, such as bucket creation, modification, or deletion.
C. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events. This will allow the security account to monitor for changes to the S3 bucket policies and detect any non-compliant changes.
E. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team. The Lambda function can be triggered by the CloudWatch Events rule to analyze the S3 bucket settings and determine if they are in compliance with the bucket's data classification. If any changes are detected that are out of compliance, the Lambda function can send a notification to the Security team.
upvoted 3 times
MoreOps
3 years ago
Selected Answer: ACE
A C E, send bucket events to sec acc -> analyze them, and notify via a Lambda that checks validity
upvoted 2 times
sam_live
3 years, 3 months ago
A - get events; C - rule to detect; E - notification
upvoted 1 times
pmjcr
3 years, 6 months ago
Both A and F are not really needed. There is no requirement to log all data events, only configuration changes.
upvoted 4 times
DerekKey
3 years, 6 months ago
A & C are correlated: you send everything that you monitor, but you monitor only bucket creation and modification.
upvoted 1 times
Larsson
3 years, 6 months ago
ACE I say. (PUT, POST and DELETE events do not change the policy of the bucket)
upvoted 3 times
dishu2511
3 years, 6 months ago
ACE makes sense.
upvoted 2 times
Bemi
3 years, 6 months ago
CEF - The question states "All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents", so what would be the essence of monitoring read and list operation events? We are to ensure the right data is pushed to the required buckets, which would suffice with the following operations - PUT, POST & DELETE.
upvoted 3 times
Gustava6272
3 years, 6 months ago
The 'All' part is only possible with 'A'. Hence ACE is the better answer.
upvoted 1 times
Ayusef
3 years, 6 months ago
So in this situation we have to configure CloudWatch twice? I first assumed C, E, F, but after reading the posts it could be A, C, E. I just need to understand why we are configuring CloudWatch twice, but given that it is a prod to central sec account it's possible.
upvoted 2 times
DanMuniz
3 years, 6 months ago
Very weird question. I will go with you guys but I am unsure about this one.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other