AWS Certified Security – Specialty (SCS-C02) — Question 203
A company is implementing a customized notification solution to detect repeated unauthorized authentication attempts to bastion hosts. The company’s security engineer needs to implement a solution that will provide notification when 5 failed attempts occur within a 5-minute period. The solution must use native AWS services and must notify only the designated system administrator who is assigned to the specific bastion host.
Which solution will meet these requirements?
Answer options
- A. Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.
- B. Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon EventBridge event based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.
- C. Use the Amazon CloudWatch agent to collect operating system logs. Create a CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.
- D. Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use EC2 instance tags to determine which SNS topics receive notifications.
Correct answer: C
Explanation
Option C is correct. The CloudWatch agent ships the bastion host's operating-system authentication log (for example /var/log/secure or /var/log/auth.log) to CloudWatch Logs. A metric filter on that log group turns each failed-login event into a data point on a custom metric, and a CloudWatch alarm on that metric with Statistic Sum, Period 300 seconds and Threshold 5 encodes "5 failed attempts within a 5-minute period". The alarm action publishes to an SNS topic, and a subscription filter policy on each administrator's subscription ensures that only the administrator assigned to that bastion host receives the notification. Every component is a native AWS service.
Option A is wrong because metric filters and threshold alarms are CloudWatch features; Amazon EventBridge does not create an alarm from a metric filter. EC2 instance tags are also not a notification-routing mechanism: SNS does not consult tags when deciding which topic or subscriber receives a message. Option B is wrong because SSM Agent does not collect operating-system logs into CloudWatch Logs (that is the CloudWatch agent's role), the legacy AWS-ConfigureCloudWatch Run Command document does not create EventBridge events or alarms, and an EventBridge event is not what a metric filter produces. Option D repeats the log-collection mistake of B and the tag-based routing mistake of A.
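The following is an added example, not part of the exam page or any AWS sample, that models the option-C pipeline locally so the threshold and routing logic can be checked before it is deployed: a CloudWatch Logs term pattern run over constructed sshd log lines, the failed-login count bucketed into clock-aligned 5-minute periods exactly as a Sum/300-second alarm would see it, and an SNS subscription filter policy applied to the alarm notification so that only the administrator assigned to that host is selected. The log group name, metric namespace, alarm name, topic and e-mail addresses are hypothetical, the log lines are constructed, and the parameter dictionaries are the arguments you would hand to the CloudWatch Logs, CloudWatch and SNS APIs (no AWS calls are made here). The filter policy is scoped to the message body because the alarm notification arrives as a JSON document; the example assumes that body shape for the fields it keys on.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Hypothetical names used throughout (assumptions for the example, not from the exam page).
ALARM_NAME = "bastion-01-ssh-failed-logins"
METRIC_NAMESPACE = "Bastion/Auth"
METRIC_NAME = "FailedSSHLogins"
PERIOD_SECONDS = 300   # "within a 5-minute period"
THRESHOLD = 5          # "5 failed attempts"

# Constructed sample of /var/log/secure as the CloudWatch agent would ship it (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion-01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:09 bastion-01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:02:30 bastion-01 sshd[2314]: Accepted publickey for ec2-user from 198.51.100.4 port 41000 ssh2
Mar  3 10:03:11 bastion-01 sshd[2320]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:03:50 bastion-01 sshd[2325]: Failed password for root from 203.0.113.7 port 50131 ssh2
Mar  3 10:04:40 bastion-01 sshd[2330]: Failed password for root from 203.0.113.7 port 50133 ssh2
Mar  3 10:09:00 bastion-01 sshd[2341]: Failed password for root from 203.0.113.7 port 50140 ssh2
"""

# Step 1: the metric filter. FILTER_PATTERN is the filterPattern for put_metric_filter();
# filter_pattern_matches() is a local model of a CloudWatch Logs term pattern, where every
# quoted or bare term must appear in the event text. Each match emits metric value 1.
FILTER_PATTERN = '"Failed password" sshd'

def filter_pattern_matches(pattern, event):
    terms = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', pattern)]
    return all(term in event for term in terms)

def parse_syslog_ts(line, year=2024):
    # syslog timestamps carry no year; one is assumed so events can be bucketed into periods
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

def metric_datapoints(log_text, period=PERIOD_SECONDS):
    """Sum of matching events per clock-aligned period, keyed by period start (epoch seconds)."""
    counts = Counter()
    for line in log_text.splitlines():
        if filter_pattern_matches(FILTER_PATTERN, line):
            bucket = int(parse_syslog_ts(line).timestamp()) // period * period
            counts[bucket] += 1
    return dict(counts)

# Step 2: the alarm. These put_metric_alarm() parameters encode "5 failures within 5 minutes";
# evaluate_alarm() applies the same rule to the local data points.
ALARM_PARAMS = {
    "AlarmName": ALARM_NAME, "Namespace": METRIC_NAMESPACE, "MetricName": METRIC_NAME,
    "Statistic": "Sum", "Period": PERIOD_SECONDS, "EvaluationPeriods": 1,
    "Threshold": THRESHOLD, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "TreatMissingData": "notBreaching",  # a quiet period has no data point; it must not alarm
}

def evaluate_alarm(datapoints, params=ALARM_PARAMS):
    return {b: "ALARM" if total >= params["Threshold"] else "OK" for b, total in datapoints.items()}

# Step 3: SNS. One topic, one subscription per administrator. The filter policy keys on the
# AlarmName inside the JSON notification body (FilterPolicyScope "MessageBody" on subscribe()),
# so an administrator only receives alarms for the bastion host assigned to them.
def subscription_filter_policy(alarm_name):
    return {"AlarmName": [alarm_name]}

def alarm_notification_body(alarm_name, state):
    # the alarm notification fields this example relies on (the real body carries more)
    return {"AlarmName": alarm_name, "NewStateValue": state,
            "Trigger": {"MetricName": METRIC_NAME, "Namespace": METRIC_NAMESPACE}}

def filter_policy_matches(policy, body):
    """Local model of SNS exact-string matching only: each policy key must exist in the
    body and hold one of the listed strings. Other SNS policy operators are not modelled."""
    return all(isinstance(body.get(k), str) and body[k] in allowed for k, allowed in policy.items())

def route(body, subscriptions):
    """Endpoints (subscriber, policy) that would receive this notification."""
    return [endpoint for endpoint, policy in subscriptions if filter_policy_matches(policy, body)]

if __name__ == "__main__":
    points = metric_datapoints(SAMPLE_LOG)
    for bucket, state in sorted(evaluate_alarm(points).items()):
        start = datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M")
        print(f"period {start}: {points[bucket]} failed logins -> {state}")
    subs = [("admin-bastion-01@example.com", subscription_filter_policy("bastion-01-ssh-failed-logins")),
            ("admin-bastion-02@example.com", subscription_filter_policy("bastion-02-ssh-failed-logins"))]
    print(json.dumps(route(alarm_notification_body(ALARM_NAME, "ALARM"), subs)))
```

Running it shows the 10:00 to 10:05 period reaching 5 failures and going to ALARM while the 10:05 to 10:10 period with one failure stays OK, and the notification for bastion-01 being routed to its administrator only. Two practical points the exam text leaves implicit: period boundaries are clock-aligned, so five attempts straddling a boundary (three before 10:05, two after) do not alarm with EvaluationPeriods=1, which is acceptable for a brute-force signal but worth knowing; and because the alarm notification is a JSON body rather than a set of message attributes, the subscription policy must be scoped to the message body (or one topic per bastion host used instead) for the per-administrator routing to work.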