Exam AWS Certified Security - Specialty topic 1 question 169 discussion

Answer C - - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix

I think this question is messed up... nothing to do with DDoS

Before setting the configuration to new prefix on CloudTrail trail configuration, make sure the prefix already exist (created) in the S3 bucket. Option C is correct.

Option B is incorrect because updating the bucket policy to allow the Security Engineer's Principal to perform PutBucketPolicy does not directly address the issue of updating the log file prefix for the trail. Option D is incorrect because updating the bucket policy to allow the Security Engineer's Principal to perform GetBucketPolicy does not directly address the issue of updating the log file prefix for the trail. Option A is incorrect because creating a new trail with the updated log file prefix and deleting the original trail would not allow the Security Engineer to update the log file prefix for the existing trail.

The question is correct ? May be this : A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company’s AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53. Which solution will meet these requirements?

If you try to add, modify, or remove a log file prefix for an S3 bucket that receives logs from a trail, you might see the error: There is a problem with the bucket policy. A bucket policy with an incorrect prefix can prevent your trail from delivering logs to the bucket. To resolve this issue, use the Amazon S3 console to update the prefix in the bucket policy, and then use the CloudTrail console to specify the same prefix for the bucket in the trail. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#cloudtrail-add-change-or-remove-a-bucket-prefix

Q. What types of attacks can AWS Shield Standard help protect me from? AWS Shield Standard automatically provides protection for web applications running on AWS against the most common, frequently occurring Infrastructure layer attacks like UDP floods, and State exhaustion attacks like TCP SYN floods. Customers can also use AWS WAF to protect against Application layer attacks like HTTP POST or GET floods. Find more details on how to deploy application layer protections in the AWS WAF and AWS Shield Advanced Developer Guide.

There is no answer to the choices. I think you should use the AWS shield, but how about it?

Wrong answers: A. Use AWS Shield Advanced B. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic C. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity D. Use AWS WAF with an upgrade to the AWS Business support plan Answer is C.

Wrong answers for this question. Google says these are the correct answers for this question: A. Use AWS Shield Advanced B. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS and a NACL restricting all Ingress traffic C. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity D. Use AWS WAF with an upgrade to the AWS Business support plan The answer is AWS shield.

C is the only right statement, but not an answer to the question :-)

C seems correct.

Question should be this A Security Engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the Security Engineer receives the following error message: “There is a problem with the bucket policy." What will enable the Security Engineer to save the change ?

I totally agree with those who say none of the solutions in answers do mitigate DDOS.

Can someone explain how any of the options have anything to do with DDOS

C. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console.

I dont understand what this has to do with preventing DDoS,