Question 7
Domain 2: Security Logging and Monitoring
A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work. Which solution will meet these requirements?
Correct answer: B
Explanation
CloudTrail records console sign-in activity, and sending the trail to CloudWatch Logs lets you search for failed logins. A metric filter on `eventName` = `ConsoleLogin` and `errorMessage` = `Failed authentication` turns those events into a metric, and a CloudWatch alarm can trigger when the count reaches 3 within a 5-minute period.
Why each option is right or wrong
A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching `Failed authentication`. Configure a threshold of 3 and a period of 5 minutes.
CloudTrail Insights detects unusual API activity, not console-login failure counting.
B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching `Failed authentication`. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
CloudTrail can deliver management events to Amazon CloudWatch Logs, and the AWS CloudTrail event for a console sign-in is `ConsoleLogin` with a failure indicated by `errorMessage = Failed authentication`; those fields are what the metric filter must match. CloudWatch alarms evaluate a metric over a defined period, so setting the alarm threshold to 3 with a 5-minute period is the correct way to trigger on three or more failed sign-ins within 300 seconds.
C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching `Failed authentication`. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
Athena queries analyze stored data; they do not create real-time alarm thresholds on CloudTrail events.
D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
IAM Access Analyzer evaluates access and permissions, not failed sign-in event monitoring.