
AWS Certified Security – Specialty forum – Reply To: Cloud Trail and "Write-Only" setting

  • Jon-Bonso

    May 15, 2020 at 10:23 am

    Hi Oren,

    Thank you for posting your question. This scenario is actually based on this AWS article:


    “You must have a trail enabled to send notifications to an SNS topic or SQS queue. Your trail’s management events must be configured as Write-only or All.”

    The scenario says that security alerts are still not being sent. There is a possibility that the access key is heavily used for write operations such as the “RunInstances” or “TerminateInstances” API operations that modify your resources, and not read operations. If the trail is only set to track Read-only events, then these write operations would obviously not be recorded. On this premise, the proposed solution was to configure the Management Events of the trail to either the “Write-only” or the “All” setting.

    I understand your point: If a particular access key is simply used to list all EC2 instances (DescribeInstances), show the list of S3 buckets, or perform any other Read-only operations using the AWS CLI, then there will be no trace in the trail since it is only set to log “Write-only” events. However, I deliberately didn’t include the complete information in the scenario to make it on par with the style of the official AWS exam. The real test is quite concise and doesn’t divulge the whole information. It will truly test the depth of your security knowledge in AWS and your troubleshooting skills as well.

    Again, the idea in this scenario is that the access key is presumably used to invoke write operations in your AWS account, but the trail is only set to track Read-only events. If this scenario said that the “access key is invoking write events such as TerminateInstances, RunInstances, et cetera” upfront, then it would be easily answered since there is already a “write-only” keyword in one of the options. In the actual AWS exam, you will rarely see a scenario where the root cause is quite apparent.

    The AWS Security Specialty exam has a lot of troubleshooting scenarios similar to this one. You can see it in the official AWS Exam Guide -> Domain 2: Logging and Monitoring -> 2.2 Troubleshoot security monitoring and alerting.



    Jon Bonso @ Tutorials Dojo
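The filtering that the reply describes, as an added example (not code from the original post, from Tutorials Dojo, or from AWS): a trail whose management events are set to Read-only, Write-only, or All keeps only the matching records, and any SNS/SQS notification or alert built on the trail can only ever see what the trail recorded. The CloudTrail records below are constructed, with only the fields this check needs (`eventName`, `eventSource`, `readOnly`, `userIdentity.accessKeyId`); the access key IDs are placeholders, not real keys. The `event_selector` helper returns the management-event selector shape you would pass to boto3's `cloudtrail.put_event_selectors` to switch the trail to Write-only or All.

```python
"""Which CloudTrail management events does a trail record under each setting?

Added example: models the Read-only / Write-only / All management-event
setting of a trail and shows which events an access key's activity would
leave in the trail. All input records are constructed, not real log data.
"""
from typing import Dict, Iterable, List, Optional

VALID_READ_WRITE_TYPES = ("ReadOnly", "WriteOnly", "All")

# Constructed CloudTrail-style records. A real record carries many more
# fields; the access key IDs are placeholders (assumption, not real keys).
SAMPLE_EVENTS: List[Dict] = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "readOnly": True, "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY1"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "readOnly": True, "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY1"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "readOnly": False, "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY1"}},
    {"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com",
     "readOnly": False, "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY1"}},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "readOnly": True, "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY2"}},
]


def event_selector(read_write_type: str) -> Dict:
    """Management-event selector in the shape used by
    cloudtrail.put_event_selectors(TrailName=..., EventSelectors=[selector])."""
    if read_write_type not in VALID_READ_WRITE_TYPES:
        raise ValueError(f"unknown ReadWriteType {read_write_type!r}")
    return {"ReadWriteType": read_write_type, "IncludeManagementEvents": True}


def _matches(event: Dict, read_write_type: str) -> bool:
    """Does the trail keep this record under the given setting?
    CloudTrail marks each management event with a boolean readOnly field."""
    if read_write_type == "All":
        return True
    is_read = bool(event.get("readOnly", False))
    return is_read if read_write_type == "ReadOnly" else not is_read


def _from_key(event: Dict, access_key_id: Optional[str]) -> bool:
    if access_key_id is None:
        return True
    return event.get("userIdentity", {}).get("accessKeyId") == access_key_id


def recorded_by_trail(events: Iterable[Dict], read_write_type: str,
                      access_key_id: Optional[str] = None) -> List[str]:
    """Event names the trail would record, optionally for one access key."""
    event_selector(read_write_type)  # validates the setting
    return [ev["eventName"] for ev in events
            if _from_key(ev, access_key_id) and _matches(ev, read_write_type)]


def missed_write_events(events: Iterable[Dict], read_write_type: str,
                        access_key_id: Optional[str] = None) -> List[str]:
    """Write events the trail drops under this setting: the check to run
    when 'alerts are not firing' for a key that modifies resources."""
    event_selector(read_write_type)
    return [ev["eventName"] for ev in events
            if _from_key(ev, access_key_id)
            and not ev.get("readOnly", False)
            and not _matches(ev, read_write_type)]


if __name__ == "__main__":
    key = "AKIAEXAMPLEKEY1"
    for setting in VALID_READ_WRITE_TYPES:
        print(f"{setting:>9}: {recorded_by_trail(SAMPLE_EVENTS, setting, key)}")
    print("dropped under ReadOnly:", missed_write_events(SAMPLE_EVENTS, "ReadOnly", key))
    print("selector to fix it:", event_selector("WriteOnly"))
```

With the trail on ReadOnly, the key's RunInstances and TerminateInstances calls are dropped before any notification can be generated, which is the troubleshooting point of the scenario; switching the selector to WriteOnly records exactly those two, and All records everything.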