Logging and Monitoring — AWS Certified Security Specialty Practice Questions

Learning

Loading practice session...

Loading certificate…

Ready to learn

Sample questions — Logging and Monitoring

1. A security engineer wants to automatically trigger an AWS Lambda function whenever an IAM policy is changed, to audit configuration drift in real time. Which AWS service combination is the MOST appropriate solution?

A.Use Amazon CloudWatch Events (EventBridge) with an IAM API event rule targeting a Lambda function to invoke it on policy changes.✓ Correct
B.Use Amazon CloudWatch Alarms with a custom metric filter to invoke Lambda when policy change count exceeds a threshold.
C.Use AWS CloudTrail alone to stream IAM events directly to a Lambda function without any intermediary service.
D.Use Amazon CloudWatch Logs Insights queries scheduled hourly to detect IAM policy changes and trigger Lambda manually.

Explanation

CloudWatch Events (EventBridge) rules can match IAM API calls recorded by CloudTrail in near-real time and route them to Lambda targets immediately. Alarms require metric thresholds, CloudTrail alone cannot invoke Lambda, and Insights queries are not event-driven.

2. A team sets up a CloudWatch Alarm to detect brute-force login attempts by monitoring a metric filter on failed SSH login log entries. The alarm triggers an SNS notification. After deployment, no alerts are received despite verified failed logins. What is the MOST likely cause?

A.The CloudWatch Alarm evaluation period and datapoints-to-alarm settings may not match the frequency of log ingestion, causing missed breaches.
B.CloudWatch Alarms cannot monitor log-based metric filters; only native CloudWatch service metrics are supported by alarms.
C.The metric filter namespace is set incorrectly, so the custom metric data never reaches the alarm's monitored metric.✓ Correct
D.SNS topics require explicit CloudWatch service principal permissions in the topic's access policy to publish alarm notifications.

Explanation

If the metric filter publishes to a different namespace or metric name than the alarm monitors, the alarm receives no data and never triggers. Options A and D are secondary concerns; Option B is false—alarms do support custom log-based metrics.

3. A compliance team must receive an immediate alert whenever the AWS root account is used for any API call. Which CloudWatch configuration achieves this MOST directly?

A.Create a CloudWatch Logs metric filter using the RootAccountUsage filter pattern on the CloudTrail log group, then attach an alarm and SNS topic to that metric.✓ Correct
B.Enable AWS Config with a managed rule for root account usage and configure an SNS notification on Config rule non-compliance events.
C.Create a CloudWatch Events rule matching all IAM events and filter for root user in the Lambda function that receives the events.
D.Use AWS GuardDuty's RootCredentialUsage finding and configure a GuardDuty SNS notification for immediate alerting.

Explanation

The RootAccountUsage filter pattern on a CloudTrail-backed CloudWatch Logs metric filter is the AWS-documented approach to detect root API usage and trigger alarms. Config and GuardDuty work but are indirect; a broad IAM rule with Lambda filtering adds unnecessary complexity.

4. Which CloudWatch metric filter pattern correctly identifies root account API activity from CloudTrail logs delivered to a CloudWatch Logs log group?

A.{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } is the correct RootAccountUsage filter pattern.✓ Correct
B.{ $.userIdentity.arn = "arn:aws:iam::*:root" } is sufficient to capture all root account activities including service-invoked events.
C.{ $.eventSource = "iam.amazonaws.com" && $.userIdentity.type = "Root" } limits detection to IAM API calls only and misses other services.
D.{ $.userIdentity.type = "Root" } alone captures all root usage but will also generate false positives from AWS service-initiated root events.

Explanation

The AWS-recommended RootAccountUsage pattern excludes service-initiated events (invokedBy NOT EXISTS, eventType != AwsServiceEvent) to reduce noise while capturing real root user actions. Option B matches on ARN which is less reliable; C only catches IAM events; D causes false positives.

5. A developer's IAM role has a policy granting 'cloudwatch:PutMetricData' but they cannot publish metrics to a custom namespace. A security review reveals the CloudWatch namespace has no resource-based policy. What is the MOST accurate explanation?

A.CloudWatch does not support resource-based policies on namespaces; access is controlled entirely by identity-based IAM policies attached to principals.✓ Correct
B.CloudWatch requires both an identity-based policy on the IAM role and a resource-based policy on the namespace to allow PutMetricData.
C.The developer must use a service-linked role for CloudWatch because PutMetricData is restricted to AWS-managed roles only.
D.Resource-based policies on CloudWatch namespaces override identity-based policies, so the absence of a namespace policy denies all access by default.

Explanation

CloudWatch namespaces do not support resource-based policies; access is governed solely by identity-based IAM policies on the calling principal. If the identity policy grants PutMetricData, the issue lies elsewhere (e.g., condition keys or permission boundaries), not a missing resource-based policy.

Practice all 56+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Security Specialty practice questions are there for Logging and Monitoring?↓

AnyCert has 56 AWS Certified Security Specialty practice questions specifically for the Logging and Monitoring domain, each with a detailed AI-tutored explanation.

Is Logging and Monitoring heavily tested on the AWS Certified Security Specialty exam?↓

Logging and Monitoring is one of the core domains in the AWS Certified Security Specialty exam blueprint. Mastering this domain is essential for passing. AnyCert's practice questions cover the full scope of testable topics in this domain.

How should I study the Logging and Monitoring domain for AWS Certified Security Specialty?↓

Practice all 56 Logging and Monitoring questions in AnyCert, review every explanation for missed answers, and use the AI tutor to clarify any concept. Focus on understanding the reasoning behind each answer, not just memorizing the correct choice.

Sample questions — Logging and Monitoring

A.Use Amazon CloudWatch Events (EventBridge) with an IAM API event rule targeting a Lambda function to invoke it on policy changes.✓ Correct
B.Use Amazon CloudWatch Alarms with a custom metric filter to invoke Lambda when policy change count exceeds a threshold.
C.Use AWS CloudTrail alone to stream IAM events directly to a Lambda function without any intermediary service.
D.Use Amazon CloudWatch Logs Insights queries scheduled hourly to detect IAM policy changes and trigger Lambda manually.

Explanation

A.The CloudWatch Alarm evaluation period and datapoints-to-alarm settings may not match the frequency of log ingestion, causing missed breaches.
B.CloudWatch Alarms cannot monitor log-based metric filters; only native CloudWatch service metrics are supported by alarms.
C.The metric filter namespace is set incorrectly, so the custom metric data never reaches the alarm's monitored metric.✓ Correct
D.SNS topics require explicit CloudWatch service principal permissions in the topic's access policy to publish alarm notifications.

Explanation

3. A compliance team must receive an immediate alert whenever the AWS root account is used for any API call. Which CloudWatch configuration achieves this MOST directly?

A.Create a CloudWatch Logs metric filter using the RootAccountUsage filter pattern on the CloudTrail log group, then attach an alarm and SNS topic to that metric.✓ Correct
B.Enable AWS Config with a managed rule for root account usage and configure an SNS notification on Config rule non-compliance events.
C.Create a CloudWatch Events rule matching all IAM events and filter for root user in the Lambda function that receives the events.
D.Use AWS GuardDuty's RootCredentialUsage finding and configure a GuardDuty SNS notification for immediate alerting.

Explanation

4. Which CloudWatch metric filter pattern correctly identifies root account API activity from CloudTrail logs delivered to a CloudWatch Logs log group?

A.{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } is the correct RootAccountUsage filter pattern.✓ Correct
B.{ $.userIdentity.arn = "arn:aws:iam::*:root" } is sufficient to capture all root account activities including service-invoked events.
C.{ $.eventSource = "iam.amazonaws.com" && $.userIdentity.type = "Root" } limits detection to IAM API calls only and misses other services.
D.{ $.userIdentity.type = "Root" } alone captures all root usage but will also generate false positives from AWS service-initiated root events.

Explanation

A.CloudWatch does not support resource-based policies on namespaces; access is controlled entirely by identity-based IAM policies attached to principals.✓ Correct
B.CloudWatch requires both an identity-based policy on the IAM role and a resource-based policy on the namespace to allow PutMetricData.
C.The developer must use a service-linked role for CloudWatch because PutMetricData is restricted to AWS-managed roles only.
D.Resource-based policies on CloudWatch namespaces override identity-based policies, so the absence of a namespace policy denies all access by default.

Explanation

Practice all 56+ questions in this domain

Start free practice →

Frequently asked questions

How many AWS Certified Security Specialty practice questions are there for Logging and Monitoring?↓

AnyCert has 56 AWS Certified Security Specialty practice questions specifically for the Logging and Monitoring domain, each with a detailed AI-tutored explanation.

Is Logging and Monitoring heavily tested on the AWS Certified Security Specialty exam?↓

How should I study the Logging and Monitoring domain for AWS Certified Security Specialty?↓