Exam AWS Certified Security - Specialty topic 1 question 427 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 427
Topic #: 1

A company is operating an AWS workload that consists of multiple applications that are deployed on Amazon EC2 instances. Recent changes to a security group caused connectivity issues for some application instances that use the security group. The company now needs all changes to security groups to initiate an alert to a specific company email address.

Which solution will meet this requirement in the MOST operationally efficient manner?

  • A. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Notification Service (Amazon SNS) topic.
  • B. Implement AWS Config. Configure an AWS Config managed rule to detect changes to security groups. Configure a manual remediation action for noncompliant resources to forward evaluations to an Amazon Simple Queue Service (Amazon SQS) queue.
  • C. Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
  • D. Implement AWS CloudTrail. Configure forwarding to Amazon S3. Configure an AWS Glue crawler for use with Amazon Athena to query log contents for event patterns that indicate changes to security groups. Publish the query results to an Amazon Simple Queue Service (Amazon SQS) queue.
Suggested Answer: C
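The detection half of answer C (CloudTrail delivered to CloudWatch Logs, a metric filter on the security-group API calls, an alarm that publishes to SNS), modelled offline as an added example. This is not code from the exam page or from AWS; it builds the filter pattern, applies the same matching logic to a few constructed CloudTrail records so the pattern can be sanity-checked before deployment, and assembles the argument sets for the two boto3 calls that would create the filter and the alarm. The log group, namespace, metric and SNS topic names are assumptions, and the sample records are constructed. The six-action event list is the one the CIS AWS Foundations Benchmark uses for this control; `ModifySecurityGroupRules` is added because that older list predates it and the question asks for ALL changes.

```python
"""
Added example, not code from the original question page: an offline model of
the detection chain in answer C (CloudTrail -> CloudWatch Logs -> metric
filter -> alarm -> SNS).

LOG_GROUP, METRIC_NAMESPACE, METRIC_NAME and SNS_TOPIC_ARN are assumed names.
The sample CloudTrail records are constructed for this example.
"""
import json

# EC2 API actions that create, delete or alter a security group or its rules.
# The first six are the set used by the CIS AWS Foundations Benchmark metric
# filter for security group changes; ModifySecurityGroupRules is the newer
# rule-modification action, which that older pattern does not cover.
CIS_SG_EVENTS = (
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
)
SG_CHANGE_EVENTS = CIS_SG_EVENTS + ("ModifySecurityGroupRules",)


def build_filter_pattern(event_names=SG_CHANGE_EVENTS) -> str:
    """CloudWatch Logs JSON filter pattern: one equality clause per action, OR-ed."""
    clauses = " || ".join(f"($.eventName = {name})" for name in event_names)
    return "{ " + clauses + " }"


def matches_filter(record: dict, event_names=SG_CHANGE_EVENTS) -> bool:
    """Offline approximation of the pattern above: a record matches when its
    top-level eventName equals one of the listed actions. Records with no
    eventName, or a different one, are ignored, as CloudWatch Logs would."""
    return record.get("eventName") in event_names


def count_matches(log_lines, event_names=SG_CHANGE_EVENTS) -> int:
    """Number of log events the filter would count toward the metric.
    Non-JSON lines are skipped: a JSON filter pattern never matches them."""
    hits = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_filter(record, event_names):
            hits += 1
    return hits


# Assumed resource names (not from the page).
LOG_GROUP = "CloudTrail/DefaultLogGroup"
METRIC_NAMESPACE = "CloudTrailMetrics"
METRIC_NAME = "SecurityGroupEventCount"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-group-changes"


def metric_filter_params() -> dict:
    """Keyword arguments for boto3 logs.put_metric_filter(**...)."""
    return {
        "logGroupName": LOG_GROUP,
        "filterName": "SecurityGroupChanges",
        "filterPattern": build_filter_pattern(),
        "metricTransformations": [{
            "metricName": METRIC_NAME,
            "metricNamespace": METRIC_NAMESPACE,
            "metricValue": "1",   # each matching event adds 1 to the metric
            "defaultValue": 0.0,  # emit 0 when nothing matches, so the alarm
                                  # returns to OK instead of INSUFFICIENT_DATA
        }],
    }


def alarm_params() -> dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(**...): go to
    ALARM on the first matching event in any 5-minute window and publish to
    the SNS topic whose e-mail subscription delivers the alert."""
    return {
        "AlarmName": "SecurityGroupChangesAlarm",
        "Namespace": METRIC_NAMESPACE,
        "MetricName": METRIC_NAME,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [SNS_TOPIC_ARN],
    }


# Constructed CloudTrail records, one JSON document per CloudWatch Logs event,
# trimmed to the fields the filter looks at.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress",
                "requestParameters": {"groupId": "sg-0123456789abcdef0"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeSecurityGroups"}),   # read-only call
    json.dumps({"eventSource": "ec2.amazonaws.com",
                "eventName": "ModifySecurityGroupRules",
                "requestParameters": {"groupId": "sg-0123456789abcdef0"}}),
    json.dumps({"eventSource": "iam.amazonaws.com",
                "eventName": "CreateUser"}),               # not a security group
    "not json at all",
]

if __name__ == "__main__":
    print(build_filter_pattern())
    print("events counted by the full pattern:", count_matches(SAMPLE_LOG_LINES))
    print("events counted by the six-action CIS pattern:",
          count_matches(SAMPLE_LOG_LINES, CIS_SG_EVENTS))
```

Two caveats a practitioner should keep in mind when deploying this. CloudTrail delivers to CloudWatch Logs within minutes of the API call, so this is near-real-time, not instantaneous. And a CloudWatch alarm notifies on state transitions, not on every datapoint: with the parameters above, several changes inside one 5-minute window produce a single e-mail, and the alarm must drop back to OK (which the `defaultValue` of 0 makes happen in the next period) before the next change notifies again. If one e-mail per change is a hard requirement, an EventBridge rule on the same event names with the SNS topic as its target is the more direct path.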

Comments

Chosen Answer:
margz
Highly Voted 2 years, 4 months ago
Selected Answer: C
Choosing C over A, for quite a few reasons which others already stated, but a big one is that the question states "The company now needs ALL changes to security groups to initiate an alert to a specific company email address." Keyword being "ALL". I believe A would only notify of security group changes that made a SG non-compliant, whereas CloudTrail gives us a wider scope of activity.
upvoted 7 times
tainh
Highly Voted 2 years, 6 months ago
Selected Answer: C
I choose C: https://aws.amazon.com/es/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/ A: focused on compliance management. C: offers a faster way to detect changes to a security group's configuration.
upvoted 5 times
Balki
2 years, 5 months ago
C is faster and operationally efficient
upvoted 1 times
ITGURU51
Most Recent 2 years ago
The question states that we are looking for the most operationally efficient method. Therefore C.
upvoted 1 times
cherry23
1 year, 11 months ago
A is more efficient than C
upvoted 1 times
cherry23
1 year, 11 months ago
But the problem is the managed rule.
upvoted 1 times
awsgugu
2 years, 1 month ago
C: In this post, Method 1 uses AWS Config to monitor changes to a security group’s configuration as part of an organization’s overall compliance auditing program. Method 1 views a change to a VPC security group as a compliance risk. Use this method when you want to bolster your company’s compliance management. Method 2 uses AWS CloudTrail and Amazon CloudWatch Events to identify AWS API calls that could change the configurations of VPC security groups. Method 2 views a change to a VPC security group as a potential security incident that should be identified in near real time. Use this method when you want to support your company’s monitoring of security operations. https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/
upvoted 1 times
Boss_Sivaji
2 years, 3 months ago
Selected Answer: A
Both A and C work; however, for overall compliance A is efficient, and for faster incident detection C is better. Here the company needs all changes to security groups. https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/
upvoted 2 times
luis12345
2 years, 4 months ago
Selected Answer: C
A also includes remediation, and the question does not ask for it.
upvoted 1 times
YellowSky002
2 years, 4 months ago
Another reason for choosing C is the time it takes for the alert to get sent. I think A might take up to 4 hours while C would be nearly immediate.
upvoted 1 times
secdaddy
2 years, 5 months ago
MOST operationally efficient = less manual intervention. A requires manual remediation, so from this standpoint C is better than A. Reference for the CloudWatch Logs metric filter that triggers an alarm on SG changes: https://docs.fugue.co/FG_R00056.html
upvoted 1 times
awsec2
2 years, 5 months ago
I choose A.
upvoted 1 times
landsamboni
2 years, 6 months ago
Selected Answer: C
C. Implement AWS CloudTrail. Configure forwarding to Amazon CloudWatch Logs. Configure a CloudWatch Logs metric filter with a pattern match on all security group changes. Configure an Amazon CloudWatch alarm to publish messages to an Amazon Simple Notification Service (Amazon SNS) topic.
upvoted 2 times
D2
2 years, 6 months ago
A and C are correct. A is more scalable in a multi-account scenario. Though the question doesn't explicitly mention multiple accounts, as a best practice applications should be hosted in their own individual accounts. That implicit requirement points towards A.
upvoted 1 times
tryks
2 years, 6 months ago
A & C are correct, but I choose C.
upvoted 1 times
Isaias
2 years, 6 months ago
Selected Answer: C
A and C are correct. I read this post and I choose C: https://aws.amazon.com/es/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/
upvoted 4 times
landsamboni
2 years, 6 months ago
Thank you! If your concern is more about incident detection, Method 2 offers a faster way to detect changes to a security group’s configuration. Both methods can help you add security to your AWS infrastructure.
upvoted 2 times
Isaias
2 years, 6 months ago
Yes, and the 2nd method is from the perspective of the object being changed, which is what we are looking for; the 1st one is from the perspective of non-compliance.
upvoted 1 times
selim507
2 years, 4 months ago
Yeah, A is correct too, but in this case there is a manual step defined, which does not make it operationally efficient.
upvoted 1 times
AdamWest
2 years, 6 months ago
Selected Answer: A
It's between A and C. Choosing A.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other