
  • How do I get feedback on wrong question/answers?

  • NickTheSecurityDude

    Member
    April 26, 2026 at 5:01 pm

    Example:

    8. Question (1 point(s))

    Category: SEC – Data Protection

    A security engineer plans to set up AWS CloudTrail in order to record and monitor all AWS API operations across multiple AWS accounts. The log files must be stored in a central repository, secured against unauthorized modifications, and made available for ingestion by a central SIEM platform.

    Which of the following options will satisfy this requirement? (Select TWO.)

    One of the correct answers was:
    “Enable AWS Organizations across all AWS accounts and log file validation for CloudTrail. Configure the organization trail to write logs directly to the Amazon S3 bucket.”

    Log file validation is just a hash, it doesn’t “secured [the logs] against unauthorized modifications”.

    There are several other questions like this, I would recommend having a feedback option by each question.

  • Irene-TutorialsDojo

    Administrator
    May 4, 2026 at 2:23 pm

    Hi Nick,

    Thank you for the feedback. You raised a valid point, and we appreciate the attention to detail.

    You are correct that log file integrity validation does not prevent unauthorized modifications. Per AWS documentation, it uses SHA-256 hashing and RSA digital signing to generate hourly digest files, which allow you to verify whether log files were modified or deleted after CloudTrail delivered them. This is tamper detection, not tamper prevention.

    Tamper prevention in this architecture is enforced by two controls:

    • The central S3 bucket in the dedicated logging account has a bucket policy that restricts member accounts from modifying or deleting log objects.

    • Member accounts cannot modify or delete the organization trail. Only the management account or a delegated administrator account can do so.

    Log file integrity validation serves as an additional layer, providing cryptographic proof that logs were not altered after delivery, which is a standard requirement for compliance and SIEM ingestion.

    We have updated the explanation to clearly distinguish tamper detection from tamper prevention to avoid any confusion for future learners.

    We have also noted your suggestion on adding a per-question feedback option and passed it along to our team.

    Best regards,

    Irene @ Tutorials Dojo Support
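
The detection-versus-prevention distinction discussed in this thread, as an added example that is not part of either post and is not AWS or Tutorials Dojo code. It models a bucket as a Python dict and a digest as JSON using the CloudTrail digest field names `logFiles`, `s3Object`, `hashValue`, `hashAlgorithm` and `previousDigestHashValue`; the RSA signature over the digest is left out as a simplifying assumption, and the object keys and events are constructed.

```python
import hashlib
import json

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_digest(store, previous_digest=None):
    """Simplified digest: one SHA-256 per delivered log object, plus a link
    to the previous digest. The RSA signature is omitted (assumption)."""
    return json.dumps({
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(v)} for k, v in sorted(store.items())],
        "previousDigestHashValue":
            sha256_hex(previous_digest) if previous_digest else None,
    }).encode()

def validate(store, digest_bytes, previous_digest=None):
    """Compare the bucket's current contents with what the digest recorded."""
    digest = json.loads(digest_bytes)
    report = {}
    for entry in digest["logFiles"]:
        body = store.get(entry["s3Object"])
        if body is None:
            report[entry["s3Object"]] = "deleted"
        elif sha256_hex(body) != entry["hashValue"]:
            report[entry["s3Object"]] = "modified"
        else:
            report[entry["s3Object"]] = "valid"
    linked = digest["previousDigestHashValue"]
    if linked is not None:
        intact = previous_digest is not None and sha256_hex(previous_digest) == linked
        report["previous digest"] = "valid" if intact else "chain broken"
    return report

def demo():
    # Constructed sample objects standing in for delivered log files.
    store = {"logs/0100.json.gz": b'{"eventName":"CreateUser"}',
             "logs/0105.json.gz": b'{"eventName":"StopLogging"}'}
    first = build_digest(store)
    second = build_digest(store, previous_digest=first)
    before = validate(store, second, previous_digest=first)
    # No bucket policy in this model, so both writes simply succeed.
    store["logs/0100.json.gz"] = b'{"eventName":"ListUsers"}'
    del store["logs/0105.json.gz"]
    after = validate(store, second, previous_digest=first)
    return before, after, store

if __name__ == "__main__":
    for result in demo()[:2]:
        print(result)
```

The overwrite and the delete both go through; validation only reports them afterwards, which is why the bucket policy and the organization trail restrictions carry the prevention requirement.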
