AWS Certified Security - Specialty · Domain 2 · 18% of exam

Security Logging and Monitoring

Drill 20 practice questions focused entirely on Security Logging and Monitoring for the AWS SCS-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A security engineer stores several years of CloudTrail logs in an S3 bucket organized by the standard prefix pattern (AWSLogs/<account>/CloudTrail/<region>/<year>/<month>/<day>/). Analysts run frequent Athena queries filtered to a specific account, region, and date range, but queries are slow and scan far more data than expected, driving up cost. The engineer wants to reduce data scanned and query time without running a crawler or manually adding partitions each day. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 20

A security engineer configured a CloudTrail trail to deliver events to a CloudWatch Logs log group so that metric filters and alarms can be created. Events are successfully delivered to the S3 bucket, but no log streams or events are appearing in the CloudWatch Logs log group. The trail shows no obvious errors in the console. What is the MOST likely cause?

Reviewed for accuracy · Report an issue
Question 3 of 20

A security engineer configured an organization trail in CloudTrail to log all management events to a central S3 bucket. During an investigation, the team notices that API calls made in the us-west-2 region for a member account are appearing in the logs, but Amazon S3 object-level GetObject and PutObject calls made against buckets in that account are completely absent from the delivered log files. The trail is confirmed to be logging and delivering files successfully. What is the MOST likely reason the S3 object-level activity is missing?

Reviewed for accuracy · Report an issue
Question 4 of 20

A security team must be alerted within seconds whenever any IAM policy is attached to a user, group, or role across a single account. They already have an organization CloudTrail delivering management events to an S3 bucket and to a CloudWatch Logs log group. The team wants the lowest-latency, most operationally efficient way to trigger an SNS notification when these specific API calls occur. Which approach best meets the requirement?

Reviewed for accuracy · Report an issue
Question 5 of 20

A security team wants to detect unusual patterns in API call volume and error rates across their AWS account, such as a sudden spike in IAM policy modifications or an unusual burst of TerminateInstances calls that could indicate compromised credentials. They already have a management events trail enabled but no automated way to surface anomalous behavior. They do not want to build and maintain custom baselining logic or manually tune CloudWatch metric filters for every API. Which approach best meets this requirement with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 6 of 20

A security team must run ad hoc SQL queries against 18 months of CloudTrail management events to investigate historical API activity. Currently, CloudTrail delivers logs to an S3 bucket, and the team queries them using Athena. However, they find that maintaining Athena table partitions and re-running the AWS Glue crawler as new log prefixes arrive is error-prone, and some queries return incomplete results because partitions were not updated. The team wants a managed solution that requires no partition management and lets them query events with SQL for up to 7 years. Which approach best meets these requirements with the least ongoing maintenance?

Reviewed for accuracy · Report an issue
Question 7 of 20

A security analyst configured a multi-Region CloudTrail trail delivering management events to an S3 bucket. During an incident investigation, they notice that an API call known to have occurred at 14:02 UTC does not appear in the S3 bucket when they check at 14:08 UTC. The trail is enabled, the S3 bucket policy is correct, and log file validation shows no gaps once files arrive. What is the MOST likely explanation, and what should the analyst do?

Reviewed for accuracy · Report an issue
Question 8 of 20

A security engineer must prove to auditors that CloudTrail log files stored in an S3 bucket have not been modified or deleted since delivery. The organization already has a multi-Region trail delivering logs to a dedicated central logging account. During a compliance review, the auditors ask for a mechanism that can cryptographically verify whether any log file was altered or removed after CloudTrail wrote it. Which approach satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 20

A company has 40 accounts in AWS Organizations. The security team wants to guarantee that management events from every existing and future member account are captured in a single, tamper-evident location, without requiring administrators in each account to create or maintain their own trails. Which approach BEST meets these requirements with the least ongoing operational overhead?

Reviewed for accuracy · Report an issue
Question 10 of 20

A security engineer configures a new CloudTrail trail to deliver logs to a centralized S3 bucket in a dedicated logging account. The trail is created successfully in the source account, but no log files ever appear in the destination bucket. CloudTrail shows no delivery errors in the console for the first few hours. The bucket has default SSE-S3 encryption enabled and a bucket policy that was recently modified to add a condition requiring the aws:SecureTransport key. What is the MOST likely cause of the missing log files?

Reviewed for accuracy · Report an issue
Question 11 of 20

A security engineer needs to prove which IAM principals read individual objects from a highly sensitive S3 bucket named 'legal-contracts'. After enabling a multi-region CloudTrail trail, the engineer notices that GetObject and PutObject API calls for the bucket do not appear in the CloudTrail logs, although CreateBucket and PutBucketPolicy calls are present. What is the correct action to capture the required object-level activity?

Reviewed for accuracy · Report an issue
Question 12 of 20

A security engineer configured a multi-Region CloudTrail trail to deliver logs to an S3 bucket and created an Athena table pointing to the bucket prefix. After several days, queries against the Athena table return zero rows even though the S3 bucket contains many CloudTrail log object files under the correct prefix. The engineer confirms the trail is active and logs are being written. What is the MOST likely cause of the empty query results?

Reviewed for accuracy · Report an issue
Question 13 of 20

A security engineer must centralize application logs from a fleet of Amazon Linux 2 EC2 instances into CloudWatch Logs so that a metric filter can trigger alarms on repeated authentication failures. After installing and starting the unified CloudWatch agent on the instances, the engineer confirms the agent process is running, but no log groups or log events appear in CloudWatch Logs. The agent configuration file correctly references the application log file path. What is the MOST likely cause of the missing logs?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security operations team receives dozens of CloudWatch alarm notifications each night for a fleet of EC2 instances. Individual metric alarms fire for high CPU, high memory, and low disk space, but the team only wants to be paged when an instance shows signs of genuine distress — specifically when CPU is high AND disk space is low at the same time. They want to reduce noise without deleting the existing metric alarms, which feed other dashboards. What is the MOST appropriate approach?

Reviewed for accuracy · Report an issue
Question 15 of 20

A security team operates a centralized logging account. They need application VPC Flow Logs and CloudWatch Logs from 40 member accounts to be continuously streamed in near real time to a central Amazon OpenSearch Service domain in the logging account for correlation and dashboards. The solution must scale to high log volume, require minimal per-account maintenance, and avoid custom polling code. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security analyst uses CloudWatch Logs Insights to investigate a suspected credential-stuffing attack against an application. The application writes JSON-formatted logs to a log group that contains 90 days of data across dozens of streams. The analyst runs a query filtering for failed authentication events over the last 24 hours, but the queries consistently time out or return very slowly, and the team is concerned about the cost of repeatedly scanning the full dataset. Which change will MOST effectively reduce query latency and cost while preserving the ability to investigate this incident?

Reviewed for accuracy · Report an issue
Question 17 of 20

A security team monitors an application that writes structured JSON logs to a CloudWatch Logs group. Application error volume fluctuates significantly by time of day and day of week, so a static threshold alarm on the error count either fires constantly during peak hours or misses spikes during off-peak hours. The team wants an alerting approach that automatically adapts to the normal daily and weekly patterns of the error metric and only alarms on statistically unusual deviations, with minimal ongoing tuning. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 18 of 20

A security team must be alerted within minutes whenever the AWS account root user signs in to the Management Console. CloudTrail is already delivering management events to a CloudWatch Logs log group in the same account. The team wants a solution that uses only native AWS logging and monitoring services, with no custom code to maintain. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company centralizes application logs in a CloudWatch Logs log group configured with a 30-day retention period. A new compliance requirement mandates that these logs be retained for 7 years for potential audit, but they will rarely be queried after 90 days. The security team wants to meet the retention requirement while minimizing storage cost. Which approach best satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security team wants application logs from a CloudWatch Logs log group delivered continuously to an S3 bucket in near real time so that a downstream SIEM can pull and parse them within seconds of generation. They also want the ability to transform each record (adding a source field) before it lands in S3, without managing servers. Which approach meets these requirements?

Reviewed for accuracy · Report an issue

More SCS-C02 practice

Keep going with the other AWS Certified Security - Specialty domains, or take a full timed mock exam.

← Back to SCS-C02 overview