ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 19 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 19
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company used a lift-and-shift approach to migrate from its on-premises data centers to the AWS Cloud. The company migrated on-premises VMs to Amazon EC2 instances. Now the company wants to replace some of components that are running on the EC2 instances with managed AWS services that provide similar functionality.
Initially, the company will transition from load balancer software that runs on EC2 instances to AWS Elastic Load Balancers. A security engineer must ensure that after this transition, all the load balancer logs are centralized and searchable for auditing. The security engineer must also ensure that metrics are generated to show which ciphers are in use.
Which solution will meet these requirements?

  • A. Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the CloudWatch Logs console to search the logs. Create CloudWatch Logs filters on the logs for the required metrics.
  • B. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Amazon CloudWatch filters on the S3 log files for the required metrics.
  • C. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.
  • D. Create an Amazon CloudWatch Logs log group. Configure the load balancers to send logs to the log group. Use the AWS Management Console to search the logs. Create Amazon Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Sumi81 at Oct. 23, 2023, 4:24 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Ghe
Highly Voted 1 year, 3 months ago
Selected Answer: C
You can't send ELB access logs into CloudWatch Logs, but to S3 only: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html Regarding the alarm, natively there is no way to use query result as a metric.We could use a Lambda Function for this. C remains the most valid option.
upvoted 14 times
khuman_12
1 year, 1 month ago
There is nothing about "access logs" in the question.
upvoted 1 times
...
hro
1 year, 3 months ago
I think this is the key to the question - save ELB access logs To save ELB access logs, you can: Create an S3 bucket Attach a policy to the S3 bucket that allows Elastic Load Balancing to write the logs to the bucket Configure access logs to capture and deliver log files to the S3 bucket Verify bucket permissions
upvoted 1 times
...
...
Daniel76
Highly Voted 1 year, 7 months ago
Selected Answer: A
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html#view-metric-data s3 buckets and athena are not needed.
upvoted 12 times
Aamee
1 year, 7 months ago
No, if you look at the reqs. of this question, it specifically asks for this query: "All the load balancer logs are centralized and searchable for auditing".. So if you select A for CloudWatch Log groups, it has the default retention policy set. After which it will clear off all the saved logs!... so how would you be able to do the audit on the logs after 14 days lets say?? That's why I'm going with Option C here..
upvoted 3 times
Daniel76
1 year, 6 months ago
By default, cloudWatch log retention is indefinite unless you set it to limited duration due to audit requirement. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention
upvoted 4 times
...
Daniel76
1 year, 6 months ago
However i tend to agree it is C after reviewing this qn: enable access log can keep logs in s3 where you can search for ssl_cipher string using SQL like query: https://docs.aws.amazon.com/athena/latest/ug/application-load-balancer-logs.html you can indeed publish athena query metrics to cloudwatch by enabling the option. https://docs.aws.amazon.com/athena/latest/ug/query-metrics-viewing.html
upvoted 3 times
03beafc
1 year, 4 months ago
The article you posted is about the metrics behind the athena query, nothing there about generating metrics from an athena query. Answer is A
upvoted 3 times
...
...
...
...
Sat897
Most Recent 1 week, 6 days ago
Selected Answer: C
Load balancer logs only to S3
upvoted 1 times
...
hb0011
10 months, 1 week ago
Selected Answer: C
The requirement for ciphers eliminates option A because you need ELB access logs which requires s3.
upvoted 2 times
...
FunkyFresco
10 months, 3 weeks ago
Selected Answer: C
C fits with the requirements.
upvoted 1 times
...
shailvardhan
1 year, 1 month ago
Selected Answer: C
C because elb access logs can not be sent directly to CloudWatch
upvoted 1 times
...
Just_Ninja
1 year, 1 month ago
Selected Answer: C
Amazon Application Load Balancers (ALBs) cannot send logs directly to Amazon CloudWatch Logs. ALB access logs can be sent to Amazon S3 buckets for storage and analysis. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
upvoted 1 times
...
liuyomz
1 year, 2 months ago
Selected Answer: A
Im between A and C, because probably A is less efficiente because searching through Athena is better? But i dont know, A still seems more correct.
upvoted 1 times
shailvardhan
1 year, 1 month ago
but ELB access logs can not be sent directly to CloudWarch.
upvoted 1 times
...
...
CloudHell
1 year, 2 months ago
Selected Answer: C
C for sure.
upvoted 2 times
...
Sodev
1 year, 3 months ago
C. ALB only push directly to S3 + Amazon CloudWatch filters only for log on CW log stream not on S3
upvoted 1 times
...
PareshBPatel
1 year, 5 months ago
B is not correct choice Option B involves using S3 for storage and Athena for searching, but it suggests creating CloudWatch filters on S3 log files, which isn't directly possible as CloudWatch filters work on logs stored in CloudWatch Logs, not on S3.
upvoted 2 times
...
PareshBPatel
1 year, 5 months ago
C For ensuring centralized and searchable logging for auditing purposes after transitioning to AWS Elastic Load Balancers, and for generating metrics to show which ciphers are in use, the most effective solution among the provided options is: C. Create an Amazon S3 bucket. Configure the load balancers to send logs to the S3 bucket. Use Amazon Athena to search the logs that are in the S3 bucket. Create Athena queries for the required metrics. Publish the metrics to Amazon CloudWatch.
upvoted 1 times
...
Raphaello
1 year, 5 months ago
Selected Answer: B
Weird set of answers. Mixing between access logs and performance metrics. Check out this https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-monitoring.html CloudWatch is responsible about collecting performance metrics. Whereas, access logs are captured and sent to S3. You can use these logs to analyze traffic patterns, but NOT TO QUERY METRICS using Athena (it does not make sense even). Therefore, the closest answer to correctness is B!
upvoted 2 times
Raphaello
1 year, 4 months ago
Correct answer is C. Athena is in fact capable of query metrics and publish them to CloudWatch. https://docs.aws.amazon.com/athena/latest/ug/athena-cloudwatch-metrics-enable.html
upvoted 1 times
...
...
smanzana
1 year, 5 months ago
A or C?? I choose C because I think that AWS ELB cant send logs to CloudWatch
upvoted 1 times
...
Gafa255
1 year, 5 months ago
Selected Answer: C
ELB cant send log to CloudWatch.
upvoted 1 times
...
trashbox
1 year, 6 months ago
Exam on 2023-12-18
upvoted 1 times
...
Raphaello
1 year, 7 months ago
Correct Answer is B. We're talking about ELB access logs, not metrics, which always get forwarded to S3 bucket. From there one can use Athena for SQL querying.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel