Exam AWS Certified Security - Specialty topic 1 question 181 discussion

A company's web application is hosted on Amazon EC2 instances running behind an Application Load Balancer (ALB) in an Auto Scaling group. An AWS WAF web ACL is associated with the ALB. AWS CloudTrail is enabled and stores its logs in Amazon S3 and Amazon CloudWatch Logs.
The Operations team has observed some EC2 instances reboot at random. After rebooting, all access logs on the instances have been deleted. During an investigation, the Operations team found that each reboot happened just after a PHP error occurred on the new-user-creation.php file. The Operations team needs to view log information to determine if the company is being attacked.
Which set of actions will identify the suspect attacker's IP address for future occurrences?

  • A. Configure VPC Flow Logs on the subnet where the ALB is located, and stream the data to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
  • B. Configure the CloudWatch agent on the ALB. Configure the agent to send application logs to CloudWatch. Update the instance role to allow CloudWatch Logs access. Export the logs to CloudWatch. Search for the new-user-creation.php occurrences in CloudWatch.
  • C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences.
  • D. Configure the web ACL to send logs to Amazon Kinesis Data Firehose, which delivers the logs to an S3 bucket. Use Amazon Athena to query the logs and find the new-user-creation.php occurrences.
Suggested Answer: D
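As an added example (not from the exam, this site, or AWS), here is the search that option D ends in, done offline: once Kinesis Data Firehose has written the web ACL logs to S3, each object is newline-delimited JSON in the AWS WAF log format, and the client IPs hitting new-user-creation.php can be pulled from httpRequest.clientIp. The records below are constructed samples using only the documented field names; the same filter and grouping is what an Athena query over the delivered objects would express in SQL.

```python
import json
from collections import Counter

# Constructed sample records in the AWS WAF web ACL log format (one JSON object
# per line, as Kinesis Data Firehose writes them to S3). Only the fields used
# here are kept; IPs and timestamps are made up.
SAMPLE_RECORDS = [
    {"timestamp": 1700000000000, "action": "ALLOW", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "203.0.113.7", "uri": "/new-user-creation.php", "httpMethod": "POST"}},
    {"timestamp": 1700000001000, "action": "ALLOW", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "198.51.100.2", "uri": "/index.php", "httpMethod": "GET"}},
    {"timestamp": 1700000002000, "action": "ALLOW", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "203.0.113.7", "uri": "/new-user-creation.php", "httpMethod": "POST"}},
    {"timestamp": 1700000003000, "action": "BLOCK", "httpSourceName": "ALB",
     "httpRequest": {"clientIp": "192.0.2.9", "uri": "/New-User-Creation.PHP", "httpMethod": "GET"}},
]
# Newline-delimited JSON as delivered; a deliberately broken last line (constructed)
# shows that the parser skips what it cannot decode instead of aborting the search.
SAMPLE_WAF_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + '\n{"timestamp":17'


def parse_waf_log(text):
    """Return one dict per valid JSON line, skipping blank or undecodable lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def client_ips_for_uri(text, needle):
    """Count requests per client IP whose URI contains `needle`, case-insensitively.
    The IP is httpRequest.clientIp, the source address of the request as AWS WAF
    saw it at the ALB, so no X-Forwarded-For parsing is needed here."""
    hits = Counter()
    for rec in parse_waf_log(text):
        req = rec.get("httpRequest", {})
        if needle.lower() in req.get("uri", "").lower():
            hits[req.get("clientIp", "unknown")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in client_ips_for_uri(SAMPLE_WAF_LOG, "new-user-creation.php").most_common():
        print(f"{ip}\t{n}")
```

Note that this only covers requests the web ACL inspected; anything that reached the instances without passing through the ALB would not appear, which is also why the per-instance access logs being wiped on reboot matters.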

Comments

[Removed]
Highly Voted 3 years, 7 months ago
Answer is D. You send logs from your web ACL to an Amazon Kinesis Data Firehose with a configured storage destination. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose. https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
upvoted 27 times
[Removed]
Highly Voted 3 years, 8 months ago
I think A - Flow Logs to get IP Address
upvoted 5 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: D
ELB Access Logs destination is S3 only. WAF logging destinations are either: CW Logs, S3, or Kinesis Data Firehose. Both ALB and WAF logs should contain the client IP, however since the WAF is at frontline and option D contains a valid destination for WAF logging, I'd go with D.
upvoted 1 times
OCHT
1 year, 11 months ago
Selected Answer: C
Therefore, the best option among the given choices is: C. Configure the ALB to export access logs to an Amazon Elasticsearch Service cluster, and use the service to search for the new-user-creation.php occurrences. This approach allows you to analyze the access logs in real-time using Elasticsearch's powerful search capabilities. It also provides scalability and ease of use, as you can leverage Kibana, a visualization tool that comes with Amazon Elasticsearch Service, to create dashboards and visualize the data. Please note that while option D also provides a viable solution, it involves more steps and services, making it less efficient than option C.
upvoted 1 times
ITGURU51
2 years, 1 month ago
The question insinuates that the organization is under attack. D is the best answer because it provides a real time response to the cyber security incident.
upvoted 1 times
boooliyooo
2 years, 4 months ago
Selected Answer: D
Option C is not correct because it does not specify how to identify the IP address of the suspect attacker. In order to identify the IP address, the access logs should be exported to a location where they can be searched for specific occurrences, such as new-user-creation.php in this case. Option D is correct because it specifies using Amazon Kinesis Data Firehose to deliver the logs to an S3 bucket and then using Amazon Athena to query the logs and find the occurrences.
upvoted 1 times
sapien45
2 years, 9 months ago
Selected Answer: D
https://docs.aws.amazon.com/waf/latest/developerguide/logging.html You can enable logging to get detailed information about traffic that is analyzed by your web ACL. Logged information includes the time that AWS WAF received a web request from your AWS resource, detailed information about the request, and details about the rules that the request matched. You can send your logs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose.
upvoted 1 times
MoreOps
3 years, 1 month ago
I would love it if you guys could explain why it is not C.
upvoted 2 times
TigerInTheCloud
3 years, 1 month ago
Selected Answer: D
A - VPC flow logs do not capture packages.
B - The CloudWatch agent cannot be configured on the ALB, only on instances.
C - ALB exports logs to S3. This could be an answer if there is no better one, as the log can be relayed from S3 to ES.
D - Good answer: https://aws.amazon.com/premiumsupport/knowledge-center/waf-configure-comprehensive-logging/
upvoted 2 times
sapien45
2 years, 10 months ago
Thank you so much Tiger. I appreciate the fact that you prove your points with AWS links related to the question.
upvoted 2 times
f4bi4n
3 years, 1 month ago
As far as I understood, WAF logs per web ACL, so we would create an ACL that reacts to the request. Even if D is not directly possible, it could be a possible answer.
upvoted 1 times
Radhaghosh
3 years, 4 months ago
Answer is D
upvoted 1 times
siddhu__33
3 years, 6 months ago
Selected Answer: D
D is the answer for sure. Web ACL supports logging, and this option is the best among the others.
upvoted 1 times
skipbaylessfor3
3 years, 7 months ago
It's probably D.
A - The wording seems wrong here: it says "on the subnet where the ALB is located", but ALBs have to span a minimum of 2 subnets, so I think this is testing that knowledge, and that's wrong.
B - ALBs don't have CloudWatch agents on them.
C - I'm pretty sure ALB access logs can only be sent to S3. In the console, I don't see an option to send them anywhere else, including Elasticsearch.
upvoted 2 times
Hungdv
3 years, 7 months ago
D is the answer. Option A is wrong because ALBs span multiple subnets and flow logs cannot log the request path, so you cannot retrieve the new-user-creation.php log. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields
upvoted 5 times
Marcis
3 years, 7 months ago
D: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
upvoted 3 times
cldy
3 years, 8 months ago
C. ALB natively publishes logs to CW; doesn’t need agent.
upvoted 4 times
eskimolander
3 years, 7 months ago
Yes, but you don't export it from ELB or configure it from ELB. You need to import CloudWatch logs from Elasticsearch, so this can't be the answer. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-aws-integrations.html#es-aws-integrations-cloudwatch-es
upvoted 1 times
Ayusef
3 years, 8 months ago
I think it's B... or D... I do see we are looking for application logs but am debating if Kinesis is better at doing it. But I think B... is more for sure.
upvoted 2 times
Ayusef
3 years, 7 months ago
The guys have a point about the CloudWatch agent on ALB, so it's ...D...
upvoted 1 times
ChinkSantana
3 years, 7 months ago
How is this B? You can't configure CloudWatch agents on ALB, only on EC2 instances. Correct me if I am wrong. A looks like the only doable thing.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other