
Exam AWS Certified Security - Specialty topic 1 question 217 discussion


A company's security information and event management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object-created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.
Which of the following are possible causes of this issue? (Choose three.)

  • A. The SQS queue does not allow the SQS:SendMessage action from the SNS topic.
  • B. The SNS topic does not allow the SNS:Publish action from Amazon S3.
  • C. The SNS topic is not delivering raw messages to the SQS queue.
  • D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
  • E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
  • F. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.
Suggested Answer: ABD

Comments

DayQuil
Highly Voted 3 years, 9 months ago
A and B. A: The SQS queue is subscribed to the SNS topic, so the topic will need permission to send messages to the queue. B: S3 object creation notifications are sent to the SNS topic, therefore the topic's resource policy must allow S3 to publish messages. D: The bucket policy will need to allow CloudTrail to write logs. This is the first thing that should be checked.
upvoted 25 times
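A worked check of the three resource-policy hops DayQuil lists (D: CloudTrail into S3, B: S3 into SNS, A: SNS into SQS), as an added example that is not part of the original post; the ARNs, account id and policy documents are constructed placeholders, and the evaluator deliberately ignores Deny statements and Condition blocks.

```python
# Added example, not from the original post: an offline check of the three
# resource policies in the CloudTrail -> S3 -> SNS -> SQS chain. The ARNs,
# account id and policy documents below are constructed placeholders.
BUCKET = "arn:aws:s3:::example-cloudtrail-logs"
TOPIC = "arn:aws:sns:us-east-1:111122223333:cloudtrail-events"
QUEUE = "arn:aws:sqs:us-east-1:111122223333:siem-queue"

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def allows(policy, service, action, resource):
    """True if an Allow statement grants `action` on `resource` to the AWS service
    principal `service` (string-or-list fields, trailing '*' in Resource).
    Deny statements and Condition blocks are ignored on purpose."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service") if isinstance(principal, dict) else principal)
        if service not in services and "*" not in services:
            continue
        if action.lower() not in (a.lower() for a in _as_list(st.get("Action"))):
            continue
        if any(r == resource or (r.endswith("*") and resource.startswith(r[:-1]))
               for r in _as_list(st.get("Resource"))):
            return True
    return False

CHAIN = [  # one entry per hop: (answer label, policy key, service principal, action, resource)
    ("D: CloudTrail -> S3", "bucket", "cloudtrail.amazonaws.com", "s3:PutObject",
     f"{BUCKET}/AWSLogs/111122223333/CloudTrail/us-east-1/example.json.gz"),
    ("B: S3 -> SNS", "topic", "s3.amazonaws.com", "SNS:Publish", TOPIC),
    ("A: SNS -> SQS", "queue", "sns.amazonaws.com", "sqs:SendMessage", QUEUE),
]

def broken_links(policies):
    """Labels of the hops whose resource policy no longer allows the delivery."""
    return [label for label, key, svc, act, res in CHAIN
            if not allows(policies.get(key, {}), svc, act, res)]

GOOD = {  # constructed policies that keep every hop working
    "bucket": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
               "Action": "s3:PutObject", "Resource": f"{BUCKET}/AWSLogs/111122223333/*"}]},
    "topic": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
              "Action": "SNS:Publish", "Resource": TOPIC}]},
    "queue": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
              "Action": "sqs:SendMessage", "Resource": QUEUE}]},
}
# After an over-tight review the queue policy lets SNS read attributes but not send.
RESTRICTED = dict(GOOD, queue={"Statement": [{"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
                                              "Action": "sqs:GetQueueAttributes", "Resource": QUEUE}]})
```

Running `broken_links` against each account's real policy documents (fetched with the AWS CLI or SDK) points at the hop to fix first; the SIEM role's own IAM permissions (options E and F) are a separate check on the consumer side.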
DahMac
Highly Voted 3 years, 8 months ago
A. https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html#sns-publish-messages-to-sqs-queue "Action": ["sqs:SendMessage"],
B. https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html "Action": [ "SNS:Publish"
D. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html "Action": "s3:PutObject",
upvoted 7 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: ABD
ABD are correct.
upvoted 1 times
dterefenko
1 year, 8 months ago
The SQS queue does not allow the SQS:SendMessage action from the SNS topic. If the SQS queue does not have the necessary permissions to receive messages from the SNS topic, it will not be able to receive new CloudTrail logs. So, Option A is correct. The SNS topic does not allow the SNS:Publish action from Amazon S3. If the SNS topic does not have the necessary permissions to receive messages from Amazon S3, it will not be able to forward these messages to the SQS queue. So, Option B is correct. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action. After the SIEM tool reads a message from the SQS queue, it needs to delete that message to prevent it from being read again. If the IAM role does not have this permission, the SIEM tool will not be able to delete messages from the SQS queue, which could cause issues. So, Option F is correct. A B F
upvoted 1 times
CirusD
2 years ago
A. The SQS queue does not allow the SQS:SendMessage action from the SNS topic. If the SQS queue's policy does not allow the SQS:SendMessage action from the SNS topic, the messages won't be delivered to the queue. Therefore, the SIEM tool won't have any new messages to fetch. D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action. If the S3 bucket policy does not grant CloudTrail the permission to perform the PutObject action, CloudTrail won't be able to write logs to the S3 bucket. As a result, the S3 bucket cannot send any new object created event notifications to the SNS topic, which in turn would prevent the SQS queue from receiving new messages. F. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.
upvoted 1 times
OCHT
2 years ago
Selected Answer: AEF
BEF focuses on the permissions related to the IAM role used by the SIEM tool and the SNS topic's ability to deliver raw messages to the SQS queue. BAD focuses on the permissions related to the SNS topic, the SQS queue, and the S3 bucket policy. If the issue is related to the IAM role used by the SIEM tool or the delivery of raw messages from the SNS topic to the SQS queue, then BEF would be the better combination. If the issue is related to the permissions of the SNS topic, the SQS queue, or the S3 bucket policy, then BAD would be the better combination. Without more specific information about the nature of the issue, it's difficult to definitively say which combination is better.
upvoted 1 times
Maya77
2 years, 4 months ago
A,E,F Possible causes of this issue are: A. The SQS queue does not allow the SQS:SendMessage action from the SNS topic. E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic. F. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action. Explanation: A. The SQS queue must be configured to allow the SendMessage action from the SNS topic to receive new messages. E. The IAM role used by the SIEM tool must have permission to subscribe to the SNS topic to receive new messages. F. The IAM role used by the SIEM tool must have permission to delete messages from the SQS queue after processing them to avoid receiving duplicate messages. If the DeleteMessage action is not allowed, messages may be repeatedly processed, causing the SIEM tool to stop receiving new logs. The other options are not relevant to the issue described.
upvoted 1 times
jishrajesh
2 years, 6 months ago
ABD is correct
upvoted 1 times
Radhaghosh
3 years, 5 months ago
A. The SQS queue does not allow the SQS:SendMessage action from the SNS topic. B. The SNS topic does not allow the SNS:Publish action from Amazon S3. D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
upvoted 3 times
Samir710413
2 years, 7 months ago
So how were the logs previously delivered to the S3 bucket?
upvoted 1 times
James2022
3 years, 5 months ago
Selected Answer: ABD
The whole flow is like this: CloudTrail -> S3 (object-created event) -> SNS topic -> SQS <- SIEM (polled by the IAM role)
upvoted 3 times
sapien45
2 years, 10 months ago
Indeed, the most difficult part here is to understand the whole flow and how the services depend on each other: SQS must authorize SNS, S3 must authorize CloudTrail, SNS must authorize S3.
upvoted 1 times
IMAHM
3 years, 7 months ago
B, D, E
upvoted 2 times
Hungdv
3 years, 9 months ago
A, B and D
upvoted 1 times
cldy
3 years, 9 months ago
A.B.D.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other