
Amazon Exam SCS-C02 Topic 1 Question 10 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 10
Topic #: 1

A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work.

Which solution will meet these requirements?

Suggested Answer: B

The correct answer is B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching "Failed authentication". Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.

This answer is correct because it meets the requirements of sending an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. By configuring CloudTrail to send events to CloudWatch Logs, the security engineer can create a metric filter that matches the desired pattern of failed sign-in events. Then, by creating a CloudWatch alarm based on the metric filter, the security engineer can set a threshold of 3 and a period of 5 minutes, and choose an action such as sending an email or an Amazon Simple Notification Service (Amazon SNS) message when the alarm is triggered [1][2].
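To check that the filter pattern from the suggested answer matches the intended events before deploying it, the following added example (not part of the original page) replays constructed CloudTrail ConsoleLogin records through a local equivalent of the metric filter and the alarm's 5-minute, threshold-3 evaluation. The sample events, user names and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# CloudWatch Logs metric filter pattern from the suggested answer. The value
# "Failed authentication" contains a space, so it must be quoted in the pattern.
FILTER_PATTERN = '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'

# Constructed sample CloudTrail records (not real account data): five ConsoleLogin
# events, four failures and one success, spread over two 5-minute periods.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:10Z", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-01T10:01:20Z", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-01T10:02:05Z", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}, "userIdentity": {"userName": "bob"}},
    {"eventTime": "2024-01-01T10:03:40Z", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "userIdentity": {"userName": "carol"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "userIdentity": {"userName": "alice"}},
]


def matches_filter(event: dict) -> bool:
    """Local equivalent of FILTER_PATTERN: a ConsoleLogin event whose errorMessage
    reports a failed sign-in. Successful logins carry no errorMessage field."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def failures_per_period(events, period_seconds=300):
    """Count matching events per fixed period, mirroring a metric filter that emits
    value 1 per match and is aggregated with the Sum statistic over the period."""
    counts = {}
    for ev in events:
        if not matches_filter(ev):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // period_seconds * period_seconds
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def alarm_periods(events, threshold=3, period_seconds=300):
    """Return period start times (epoch seconds) in which Sum >= threshold, i.e. the
    periods in which the CloudWatch alarm would enter the ALARM state."""
    return sorted(b for b, n in failures_per_period(events, period_seconds).items() if n >= threshold)


if __name__ == "__main__":
    for start in alarm_periods(SAMPLE_EVENTS):
        print("alarm for period starting", datetime.fromtimestamp(start, timezone.utc).isoformat())
```

The first 5-minute period holds three failures (across two different users, since the filter is account-wide) and trips the alarm; the single failure in the next period does not.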

The other options are incorrect because:

A) Turning on Insights events on the trail and configuring an alarm on the insight is not a solution, because Insights events are used to analyze unusual activity in management events, such as spikes in API call volume or error rates. Insights events do not capture failed sign-in attempts to the AWS Management Console [3].

C) Creating an Amazon Athena table from the CloudTrail events and running a query for failed sign-in events is not a solution, because it does not provide a mechanism to send an alert based on the query results. Amazon Athena is an interactive query service that allows analyzing data in Amazon S3 using standard SQL, but it does not support creating notifications or alarms from queries [4].

D) Creating an analyzer in AWS Identity and Access Management Access Analyzer and configuring it to send an Amazon SNS notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes is not a solution, because IAM Access Analyzer is not a service that monitors sign-in events, but a service that helps identify resources that are shared with external entities. IAM Access Analyzer does not generate findings for failed sign-in attempts to the AWS Management Console [5].


References:

1. Sending CloudTrail Events to CloudWatch Logs - AWS CloudTrail
2. Creating Alarms Based on Metric Filters - Amazon CloudWatch
3. Analyzing unusual activity in management events - AWS CloudTrail
4. What is Amazon Athena? - Amazon Athena
5. Using AWS Identity and Access Management Access Analyzer - AWS Identity and Access Management

Contribute your Thoughts:

Justa
9 days ago
Option B does seem like the most straightforward solution. Although, I'm curious about option C with Athena and SNS. That could be a cool way to do some more advanced analysis on the login events. Might be overkill for this specific requirement, but it's an interesting approach.
upvoted 0 times
Aleta
10 days ago
Yeah, I'm leaning towards B as well. The other options seem a bit more complex, and I'm not sure they'd be as reliable or easy to manage in the long run. Plus, with CloudWatch, we get a lot of other monitoring and alerting capabilities that could come in handy down the line.
upvoted 0 times
Mable
11 days ago
I agree, option B seems like the way to go. Setting up the CloudWatch alarm with the right threshold and time period is pretty simple, and it should give us the alerts we need when those login failures happen.
upvoted 0 times
Lon
12 days ago
Hmm, this is an interesting question. I think option B looks like the best solution here. Sending the CloudTrail events to CloudWatch Logs and creating a metric filter to monitor for the specific login failure conditions seems like a straightforward way to meet the requirements.
upvoted 0 times