Exam AWS Certified Security - Specialty topic 1 question 30 discussion

C is the correct answer since it asks how to search the logs most efficiently and the only way to search and analyze huge logs is using Athena queries on S3. A is wrong because you can create a trail with write-only managment and data events upon creation of the trail and this has nothing to do with searching exisitng huge number of logs in an efficient way.

I had this question on my exam today. Correct answer is C

. Correct answer is C

Saw a similar question in TJ that makes this one look like an incomplete copy; Essentially the same situation except they specify KMS is used and that the sec engineer needs to track certain events (Disable, Delete, ScheduleKey) and is overwhelmed when 99% of the events are Encrypt, Decrypt, and GenerateDataKey API calls, essentially calling for a solution to search through audit logs for the events they need to see. Disable / Delete / ScheduleKey actions are write events while Encrypt / Decrypt / GenerateDataKey are read events. Long story short, this feels like an incomplete question

A is the best answer. After a compromise incident, it is more efficient to filter out "write-only" event in CloudTrail event history. Option C does not give any edge in relation to this context.

The most efficient way to analyze AWS CloudTrail logs is to **configure Amazon Athena** to read from the CloudTrail S3 bucket and query the logs to examine account activities¹. Using Athena, you can easily write SQL queries to filter and analyze CloudTrail log events. C

Note "search through the logs" - search = Athena

A is the correct one. MOST efficiently! https://aws.amazon.com/blogs/mt/streamline-aws-cloudtrail-logs-using-event-filters/

I have done this practically with the Logs generated by a Firewall Manager. They were analyzed with Athena and worked perfectly!

I'm going to go with C - Key concept "search data/logs" - Athena is useful for scanning VPC flow logs and similar, so would be a similar scenario for Cloudtrail. This also improves management, rather than needing to create new (or modify) existing cloudtrails. Example: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html https://aws.amazon.com/premiumsupport/knowledge-center/athena-tables-search-cloudtrail-logs/

C because we can use Athena to query the s3 which will filter out lots of things.

but is overwhelmed by the volume of audit logs being generated" is the keyword here. So, option A is the correct solution

I also agree on C.

C, Athena https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

The reason why A is not correct because THERE IS NO WRITE-ONLY option in the drop down list, hence I will go with C

Answer is A according to Tutorial Dojo

answer is C