ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 89 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 89
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work.

Which solution will meet these requirements?

  • A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching "Failed authentication''. Configure a threshold of 3 and a period of 5 minutes.
  • B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching "Failed authentication". Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
  • C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching "Failed authentication". Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
  • D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by oioi at Nov. 23, 2023, 9:33 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
IPLogic
3 months ago
Selected Answer: B
The keyword in answer B is threshold for CloudWatch Alarm.
upvoted 2 times
...
cloudbusting
1 year, 1 month ago
Because it says alert the answer is B
upvoted 1 times
...
brpjp
1 year, 2 months ago
C is correct. Because SNS generated using detail information on finding that help security, while only CloudWatch Alarm generated do not have information as with SNS notification.
upvoted 1 times
...
Daniel76
1 year, 2 months ago
Selected Answer: B
This is how it is done: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-signin
upvoted 2 times
Daniel76
1 year, 2 months ago
For option c, you will need Eventbridge, Lambda on top of SNS topic. https://stackoverflow.com/questions/62823521/i-need-to-create-alerts-based-on-the-results-returned-by-queries-in-amazon-athen Option b doesnt include SNS topic, but that is fine because the question ask for "alert" (you can find it in the console) but not "notification".
upvoted 1 times
...
...
rahav
1 year, 2 months ago
Selected Answer: B
B is the answer. need an Alarm here
upvoted 1 times
...
Aamee
1 year, 3 months ago
Selected Answer: B
CW alarm is best suited here for this scenario.
upvoted 1 times
...
[Removed]
1 year, 3 months ago
Selected Answer: B
B it is. Insights does not do alarming
upvoted 2 times
...
oioi
1 year, 3 months ago
Selected Answer: B
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago