Exam AWS Certified Security - Specialty topic 1 question 168 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 168
Topic #: 1

A company recently performed an annual security assessment of its AWS environment. The assessment showed the audit logs are not available beyond 90 days and that unauthorized changes to IAM policies are made without detection.
How should a Security Engineer resolve these issues?

  • A. Create an Amazon S3 lifecycle policy that archives AWS CloudTrail trail logs to Amazon S3 Glacier after 90 days. Configure Amazon Inspector to provide a notification when a policy change is made to resources.
  • B. Configure AWS Artifact to archive AWS CloudTrail logs. Configure AWS Trusted Advisor to provide a notification when a policy change is made to resources.
  • C. Configure Amazon CloudWatch to export log groups to Amazon S3. Configure AWS CloudTrail to provide a notification when a policy change is made to resources.
  • D. Create an AWS CloudTrail trail that stores audit logs in Amazon S3. Configure an AWS Config rule to provide a notification when a policy change is made to resources.
Suggested Answer: D
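Option D in deployable form, as an added example that is not part of the exam page or of any AWS-provided template. It assumes that an AWS Config configuration recorder is already enabled in the account with global resource types (IAM) included, since IAM entities are only recorded when that setting is on; the bucket name is generated by CloudFormation, the 2555-day retention and the topic subscribers are placeholders to replace with the company's own policy. The first half is the durable audit record (trail to S3), the second half turns recorded IAM changes into a notification and adds a change-triggered Config rule.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the exam page) - CloudTrail trail to S3 plus AWS Config change notification for IAM

Resources:
  # 1. Durable audit log store. The CloudTrail console keeps only 90 days of
  #    event history; a trail writing to S3 is the permanent record.
  TrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: RetainAuditLogs
            Status: Enabled
            ExpirationInDays: 2555   # assumed ~7-year retention; set per company policy

  # CloudTrail needs exactly these two statements to deliver into the bucket.
  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub "${TrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

  AuditTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: TrailBucketPolicy
    Properties:
      S3BucketName: !Ref TrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true   # IAM is global; its API calls arrive as global service events
      EnableLogFileValidation: true      # digest files let an auditor prove the logs were not altered

  # 2. Notification path: Config records the IAM entity change (global resource
  #    types must be enabled on the recorder), EventBridge matches the change
  #    event, SNS delivers it to whoever is subscribed to the topic.
  AlertTopic:
    Type: AWS::SNS::Topic

  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref AlertTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref AlertTopic

  IamChangeRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Notify on any recorded configuration change to an IAM entity or policy
      EventPattern:
        source: [aws.config]
        detail-type: ["Config Configuration Item Change"]
        detail:
          messageType: [ConfigurationItemChangeNotification]
          configurationItem:
            resourceType: [AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::Group]
      Targets:
        - Id: iam-change-alerts
          Arn: !Ref AlertTopic

  # Change-triggered managed Config rule: re-evaluated on every policy change and
  # marks NON_COMPLIANT any customer managed policy that grants "*" on "*".
  AdminPolicyRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-policy-no-statements-with-admin-access
      Scope:
        ComplianceResourceTypes: [AWS::IAM::Policy]
      Source:
        Owner: AWS
        SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
```

Two points worth checking after deployment: confirm the recorder's recording group has global resource types included (otherwise no IAM configuration items are ever produced and the EventBridge rule never fires), and subscribe a mailbox or ticketing endpoint to AlertTopic, since the template deliberately creates the topic without subscribers.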

Comments

Kitty0403
Highly Voted 3 years, 8 months ago
Answer is D
upvoted 37 times
ucsdmiami2020
3 years, 7 months ago
To support answer D, refer to the following... https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/ "AWS Config recently added the ability to record changes to the configuration of your AWS Identity and Access Management (IAM) users, groups, and roles (collectively referred to as IAM entities) and the policies associated with them."
upvoted 3 times
ucsdmiami2020
3 years, 7 months ago
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html "For an ongoing record of events in your AWS account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."
upvoted 2 times
PeppaPig
Highly Voted 3 years, 8 months ago
D is the answer for sure
upvoted 9 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: D
Correct answer is D.
upvoted 1 times
addy_prepare
1 year, 9 months ago
Selected Answer: D
Glacier looks valid for persistence after 90 days, but Inspector can't track changes. D is considered a more suitable option.
upvoted 1 times
ITGURU51
2 years, 1 month ago
D is the only possible answer.
upvoted 1 times
sapien45
2 years, 9 months ago
Selected Answer: D
CloudTrail logs are not persisted after 90 days without an S3 bucket: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html CloudTrail detective security best practices - Create a trail: "For an ongoing record of events in your AWS account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify."
upvoted 1 times
dcasabona
2 years, 10 months ago
Selected Answer: D
D for sure.
upvoted 2 times
jackfei
3 years ago
Answer is D, AWS Config is suited for this case.
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: D
the only right answer
upvoted 2 times
ceros399
3 years, 2 months ago
Selected Answer: D
D is the only possible answer
upvoted 1 times
LaLune
3 years, 5 months ago
Amazon Inspector is a scanning tool that can surely generate notifications about scanning activities (assessment has started, ended, status, ...), but the notifications are not about configuration changes. AWS Config can. You will resolve the condition on saving the logs more than 90 days by channeling the trail to S3, even without an S3 lifecycle (cost effective). So, A is not a solution and D is the solution!
upvoted 2 times
munish3420
3 years, 6 months ago
Ans is D because in A, Inspector is wrong. When you store logs in S3, only logs from the CloudTrail console get deleted after 90 days.
upvoted 1 times
kiev
3 years, 7 months ago
CloudTrail, S3 and Config #D
upvoted 1 times
skipbaylessfor3
3 years, 7 months ago
Lol, even without knowing whether D is correct, you can deduce that it is correct, because all the others are wrong. How? Well, because: A - Inspector doesn't provide notifications upon policy changes; B - Artifact doesn't archive logs; C - CloudTrail doesn't provide notifications upon policy changes. Thus, I believe D is correct. It sounds correct, and I kinda knew it was just by eliminating the other answers.
upvoted 2 times
sanjaym
3 years, 7 months ago
D for sure
upvoted 2 times
kely
3 years, 7 months ago
The correct answer is D.
upvoted 1 times
Banton88
3 years, 7 months ago
Why not A? It's about "behind 90 days"
upvoted 1 times
avland
3 years, 7 months ago
An S3 Lifecycle policy can't pull logs out from CloudTrail. The issue about 90 days is that the logs will disappear from CloudTrail after that much time, so you need to get them out, which you can configure CloudTrail to do. Additionally, Inspector isn't going to help with watching for changes to IAM policies. Config will.
upvoted 3 times