Exam AWS Certified Security - Specialty topic 1 question 428 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 428
Topic #: 1

A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work.

Which solution will meet these requirements?

  • A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.
  • B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
  • C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
  • D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
Suggested Answer: B
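
Option B written out as a CloudFormation template. This is an added example, not part of the original question or of any comment; the parameter names, resource names, metric namespace and metric name are assumptions, and it also assumes the trail already delivers to a CloudWatch Logs log group.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Alert on 3 or more failed console sign-ins in 5 minutes (added example)

Parameters:
  CloudTrailLogGroupName:   # assumption: the log group the trail delivers to
    Type: String
  AlertEmail:               # assumption: address that receives the alert
    Type: String

Resources:
  # Alert channel: the alarm publishes here when it goes into ALARM state.
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # Metric filter: emits 1 for every CloudTrail record that is a failed console sign-in.
  FailedConsoleLoginFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics          # assumed namespace
          MetricName: ConsoleSigninFailureCount       # assumed metric name
          MetricValue: "1"

  # Alarm: sum of matches over one 300-second period, alarm at 3 or more.
  FailedConsoleLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Three or more failed console sign-ins within 5 minutes
      Namespace: CloudTrailMetrics
      MetricName: ConsoleSigninFailureCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 3
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching   # no failed sign-ins means no data points, not a breach
      AlarmActions:
        - !Ref AlertTopic
```

The alarm sums fixed 5-minute periods, so three failures that straddle a period boundary are counted in two separate periods and do not trigger it.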

Comments

AdamWest
Highly Voted 2 years, 5 months ago
Selected Answer: B
B - Correct Answer https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
A - Insights today cannot alarm
C - So much work when A has it built in.
D - Why? "The security engineer creates a trail in AWS CloudTrail to assist in this work."
upvoted 11 times
isokalau
Most Recent 2 years, 1 month ago
Selected Answer: B
D is incorrect because IAM Access Analyzer is used to identify the resources that an IAM principal (user or role) can access, and it doesn't provide the capability to create an alarm for failed sign-in attempts.
upvoted 2 times
Baksallas
2 years, 3 months ago
Selected Answer: D
A - lacks mechanism to send an alert...
B - lacks mechanism to send an alert...
C - Athena query is manual.
D - Meets all requirements.
The only reason why I'm not choosing B as the answer is because there is no sending of the alert requirement that is met here. Everything else on B looks good though. My answer - according to the question to meet all of the requirements - is D.
upvoted 1 times
secdaddy
2 years, 4 months ago
For B would be something like this https://asecure.cloud/a/failed_console_logins/ but with these values: Period: "60" EvaluationPeriods: "5" Threshold: "3"
upvoted 1 times
vyktors
2 years, 5 months ago
Selected Answer: B
B - as per AdamWest link
upvoted 2 times
D2
2 years, 5 months ago
Answer B
upvoted 3 times