Misleading statement about CloudTrail and CloudWatch Logs
For the question: “A Security Administrator has discovered an unauthorized access to AWS resources sometime in the past 3 months using an access key pair. The Administrator needs to determine the actions or activities done using this credential within AWS. The investigation should be done quickly and shouldn’t entail an additional cost.”
One of the incorrect answers is listed as: The option that says: Filter the CloudTrail data using the Amazon CloudWatch Logs console to track the user activity is incorrect because you can only use CloudWatch queries to search API history beyond the last 90 days.
That seems to indicate that you can’t view anything in CloudWatch Logs that is less than 90 days old, which is definitely not true. That’s a really bad explanation for why that answer is incorrect. It should probably say something like “While you could search CloudWatch Logs, it is much easier and more efficient to search CloudTrail directly since 90 days of data are retained in CloudTrail”
Honestly, searching the CloudTrail logs via CloudWatch Logs seems to be a perfectly valid answer to that question. I get that the question is trying to test if you know CloudTrail is directly searchable for the last 90 days, but I would say there are 2 perfectly valid answers presented in the question and one is only very slightly “more correct” than the other.
- This discussion was modified 4 years, 5 months ago by mark-baird.
Hi Mark,
Thank you so much for bringing this to our attention. I stand corrected; the rationale should say that CloudWatch can satisfy the requirement, but entails an additional cost (which is explicitly prohibited in the scenario).
I have updated the explanation as follows:
The option that says: Filter the CloudTrail data using the Amazon CloudWatch Logs console to track the user activity is incorrect because although you can use CloudWatch to view and search the API history of the access key within 90 days, this option entails an additional cost and extra steps to associate CloudWatch Logs to CloudTrail. Remember that the scenario mandates that the investigation should be done quickly and shouldn’t entail an additional cost.
The change will be reflected in our practice tests soon. I appreciate your time sharing this constructive feedback. Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
- This reply was modified 4 years, 5 months ago by Jon-Bonso.
I get what you are saying, but if they already have CloudWatch Logs enabled with CloudTrail, the cost is going to be a few pennies at the most. If they don’t already have it enabled then they wouldn’t be able to use CloudWatch Logs for this at all.
- This reply was modified 4 years, 5 months ago by mark-baird.
Thanks for the reply, Mark. I understand your point. When I took, and passed, the official Security Specialty exam just a month ago, I encountered a similar question as well.
The actual exam has over 150 items in its question bank, so you may or may not encounter this question, but it would be great to know that you can directly use AWS CloudTrail to track the API history for the last 90 days without an additional cost. By default, a new trail is not automatically associated with CloudWatch.
Cheers,
Jon Bonso
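The filtering the thread describes (activity by one access key within the 90-day window) is what CloudTrail's Event history does in the console. As an added example, not from the thread or from Tutorials Dojo, the script below applies the same triage to a delivered CloudTrail log file (the `{"Records": [...]}` shape a trail writes to S3), which is the route when the investigation has to run over trail output rather than the console; the key ids, addresses and timestamps are constructed placeholders.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a delivered CloudTrail log file; the
# key ids and addresses are placeholders, not real indicators.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2024-05-20T03:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2024-02-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0002"}},
]})

def parse_time(s):
    """CloudTrail eventTime is UTC in the form 2024-05-01T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def events_for_key(log_text, key_id, now_str, window_days=90):
    """Records made with key_id inside the last window_days, oldest first."""
    cutoff = parse_time(now_str) - timedelta(days=window_days)
    hits = [r for r in json.loads(log_text)["Records"]
            if r.get("userIdentity", {}).get("accessKeyId") == key_id
            and parse_time(r["eventTime"]) >= cutoff]
    return sorted(hits, key=lambda r: r["eventTime"])

def summarize(events):
    """Condense the hits into what an investigator reads first."""
    return {
        "count": len(events),
        "calls": Counter(f'{e["eventSource"]}:{e["eventName"]}' for e in events),
        "source_ips": sorted({e["sourceIPAddress"] for e in events}),
        "denied": sum(1 for e in events if e.get("errorCode") == "AccessDenied"),
        "first": events[0]["eventTime"] if events else None,
        "last": events[-1]["eventTime"] if events else None,
    }

if __name__ == "__main__":
    hits = events_for_key(SAMPLE_LOG, "AKIAPLACEHOLDER0001", "2024-06-01T00:00:00Z")
    print(summarize(hits))
```

Denied calls are kept rather than dropped, since a run of AccessDenied events from one key is often the earliest sign of probing with a stolen credential.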