
Answer-first summary for fast verification
Answer: Configure CloudTrail to forward events to Amazon CloudWatch Logs. Establish a metric filter for the corresponding log group with a filter pattern that matches eventName ConsoleLogin and errorMessage "Failed authentication". Set up a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
The correct answer is B. Configure CloudTrail to send events to Amazon CloudWatch Logs, then create a metric filter on the relevant log group with a filter pattern that matches 'eventName' ConsoleLogin and 'errorMessage' "Failed authentication". A CloudWatch alarm on the resulting metric, configured with a threshold of 3 failed attempts within a period of 5 minutes, meets the requirements specified in the question. Option A involves CloudTrail Insights, which doesn't have a built-in alarming mechanism suitable for this scenario. Option C involves a more complex and less efficient workflow using Amazon Athena and SNS. Option D uses AWS Identity and Access Management Access Analyzer, which is not typically used for real-time alerting on failed sign-in attempts.
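Option B written out as a CloudFormation fragment, added here as an illustration and not part of the original answer. The parameter names, resource names, metric namespace and metric name are assumptions; the log group is the one the trail already delivers to.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Alarm on failed AWS Management Console sign-ins (illustrative names)

Parameters:
  CloudTrailLogGroupName:   # assumed: log group the trail forwards events to
    Type: String
  AlertTopicArn:            # assumed: existing SNS topic that receives the alarm
    Type: String

Resources:
  ConsoleLoginFailureFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # JSON filter pattern: both fields must match within the same CloudTrail event
      FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics        # assumed namespace
          MetricName: ConsoleLoginFailures          # assumed metric name
          MetricValue: "1"                          # each matching event adds 1

  ConsoleLoginFailureAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Three or more failed console sign-ins within 5 minutes
      Namespace: CloudTrailMetrics
      MetricName: ConsoleLoginFailures
      # Sum counts every failed console sign-in in the account during the window;
      # it does not distinguish users or require the failures to be consecutive.
      Statistic: Sum
      Period: 300                # 5 minutes, in seconds
      EvaluationPeriods: 1
      Threshold: 3
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # No matching events means no datapoints; treat that as healthy
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopicArn
```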
Author: LeetQuiz Editorial Team
A security engineer needs to set up an alerting mechanism that triggers when there are three or more consecutive failed login attempts to the AWS Management Console within a 5-minute timeframe. To achieve this, the engineer has initiated a trail in AWS CloudTrail. Which of the following solutions would effectively fulfill this requirement?
A
Enable Insights events in CloudTrail and set up an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching "Failed authentication". Set the alarm threshold to 3 and the period to 5 minutes.
B
Configure CloudTrail to forward events to Amazon CloudWatch Logs. Establish a metric filter for the corresponding log group with a filter pattern that matches eventName ConsoleLogin and errorMessage "Failed authentication". Set up a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
C
Generate an Amazon Athena table from the CloudTrail logs. Execute a query to find eventName matching ConsoleLogin and errorMessage "Failed authentication". Implement a notification action from the query results to dispatch an Amazon SNS notification when the count reaches 3 within a 5-minute interval.
D
Initiate a new analyzer in AWS Identity and Access Management Access Analyzer. Configure the analyzer to issue an Amazon SNS notification upon detecting three failed login events for any IAM user within a 5-minute period.