Which of the following troubleshooting steps should the Analyst perform?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes.The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events.The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.

Which of the following troubleshooting steps should the Analyst perform?

Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst’s AWS account. B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.

Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.

Verify that the Analyst’s account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

Explanations:

Enabling CloudTrail and S3 bucket access logging ensures logs are recorded, but it does not directly address the issue of CloudWatch alarm configuration or metric filtering.

The Analyst needs to verify that a metric filter was created for CloudTrail logs and that it is linked to an alarm with appropriate notification actions. This step directly addresses the lack of alerting.

While the permissions mentioned are useful for accessing CloudWatch metrics, the issue is related to how CloudWatch is monitoring and alerting, not the permissions for retrieving metrics.

Leave a Reply

Your email address will not be published. Required fields are marked *

six − 5 =