ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 456 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 456
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A security team has received an alert from Amazon GuardDuty that AWS CloudTrail logging has been disabled. The security team’s account has AWS Config, Amazon Inspector, Amazon Detective, and AWS Security Hub enabled. The security team wants to identify who disabled CloudTrail and what actions were performed while CloudTrail was disabled.

What should the security team do to obtain this information?

  • A. Use AWS Config to search for the CLOUD_TRAIL_ENABLED event. Use the configuration recorder to find all activity that occurred when CloudTrail was disabled.
  • B. Use Amazon Inspector to find the details of the CloudTrailLoggingDisabled event from GuardDuly, including the user name and all activity that occurred when CloudTrail was disabled.
  • C. Use Detective to find the details of the CloudTrailLoggingDisabled event from GuardDuty, including the user name and all activity that occurred when CloudTrail was disabled.
  • D. Use GuardDuty to find which user generated the CloudTrailLoggingDisabled event. Use Security Hub to find the trace of activity related to the event.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Singhh at Nov. 30, 2022, 2:28 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Phongsanth
Highly Voted 2 years, 4 months ago
Selected Answer: C
C Findings detected by GuardDuty GuardDuty uses your log data to uncover suspected instances of malicious or high-risk activity. Detective provides resources that help you investigate these findings. For each finding, Detective provides the associated finding details. Detective also shows the entities, such as IP addresses and AWS accounts, that are connected to the finding. You can then explore the activity for the involved entities to determine whether the detected activity from the finding is a genuine cause for concern. https://docs.aws.amazon.com/detective/latest/userguide/investigation-phases-starts.html
upvoted 12 times
AzureDP900
2 years, 2 months ago
thx for sharing link, C is right
upvoted 1 times
...
...
Singhh
Highly Voted 2 years, 5 months ago
Selected Answer: D
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled GuardDuty IAM finding types Stealth:IAMUser/CloudTrailLoggingDisabled
upvoted 5 times
Teknoklutz
2 years, 4 months ago
it does not answer "what actions were performed while CloudTrail was disabled."
upvoted 2 times
AgboolaKun
1 year, 5 months ago
The question was "What should the security team do to obtain this information?". In fact when you use Detective to investigate action for this CloudTrailLoggingDisabled finding in GuardDuty opens the finding’s profile page, you will to see what other actions they performed after disabling logging. Please see this link - https://aws.amazon.com/blogs/security/analyze-and-understand-iam-role-usage-with-amazon-detective/. The correct answer is C.
upvoted 1 times
...
...
...
sam15
Most Recent 2 years, 2 months ago
Answer is C. Please check the link below for details: https://aws.amazon.com/blogs/security/analyze-and-understand-iam-role-usage-with-amazon-detective/
upvoted 5 times
cherry23
1 year, 10 months ago
Since Detective receives a copy of CloudTrail traffic directly from the AWS infrastructure, Detective will continue to receive API calls that are made after CloudTrail logging is disabled.
upvoted 1 times
...
...
Teknoklutz
2 years, 4 months ago
Selected Answer: C
Detective
upvoted 2 times
...
maddyr
2 years, 4 months ago
Selected Answer: C
C is correct
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago