AWS Certified Security – Specialty (SCS-C02) — Question 236
A security engineer needs to analyze Apache web server access logs that are stored in an Amazon S3 bucket. Amazon EC2 instance web servers generated the logs. The EC2 instances have the Amazon CloudWatch agent installed and configured to report their access logs.
The security engineer needs to use a query in Amazon Athena to analyze the logs. The query must identify IP addresses that have attempted and failed to access restricted web server content held at the /admin URL path. The query also must identify the URLs that the IP addresses attempted to access.
Which query will meet these requirements?
Answer options
- A. SELECT client_ip, client_request FROM logs WHERE client_request LIKE '%/admin%' AND server_status = '403'
- B. SELECT client_ip FROM logs WHERE client_request CONTAINS '%/admin%' AND server_status = '401' GROUP BY client_ip
- C. SELECT DISTINCT (client_ip), client_request, client_id FROM logs WHERE server status = '403' LIMIT 1000
- D. SELECT DISTINCT (client_ip), client_request FROM logs WHERE user_id <> 'admin' AND server_status = '401'
Correct answer: A
Explanation
Option A is correct because it filters for log entries whose client_request contains the /admin path (LIKE '%/admin%') and whose server_status is 403 (Forbidden), which is the status the web server returns when a client requests restricted content and is refused; it also returns both columns the requirement asks for, the client IP and the URL that was requested. Option B uses CONTAINS, which is not a valid SQL operator in Athena (LIKE is the pattern-matching operator), and it checks for a 401 status, which signals missing or invalid authentication rather than a forbidden request; it also omits client_request. Option C adds DISTINCT and an irrelevant client_id column, and although it filters on a 403 status it never restricts the results to the /admin path. Option D filters on user_id and a 401 status, which does not identify failed access to the /admin path at all.
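For context on where the column names in the answer options come from, the following is an added example (not part of the original question or its explanation) of how such an Athena table is typically defined over Apache access logs in S3, followed by the correct query and a variant that aggregates attempts per IP. The bucket path is a placeholder, and the RegexSerDe pattern is an assumption adapted for the Apache common log format; adjust it if the servers write the combined format with referer and user-agent fields.

```sql
-- Added example: external table over Apache access logs in S3.
-- Column names match those used in the question (client_ip, client_id,
-- user_id, client_request, server_status); the regex is an assumption
-- for the common log format and the LOCATION is a placeholder.
CREATE EXTERNAL TABLE IF NOT EXISTS logs (
  client_ip             string,
  client_id             string,
  user_id               string,
  request_received_time string,
  client_request        string,
  server_status         string,
  returned_obj_size     string
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
WITH SERDEPROPERTIES (
  "input.regex" = "^([^ ]*) ([^ ]*) ([^ ]*) (-|\\[[^\\]]*\\]) ([^ \"]*|\"[^\"]*\") (-|[0-9]*) (-|[0-9]*)$"
)
STORED AS INPUTFORMAT 'org.apache.hadoop.mapred.TextInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://PLACEHOLDER-BUCKET/apache-access-logs/';

-- The query from option A: IPs that were refused (403) on /admin,
-- together with the exact request line they sent.
SELECT client_ip, client_request
FROM logs
WHERE client_request LIKE '%/admin%'
  AND server_status = '403';

-- Defender-oriented variant: rank source IPs by number of refused
-- /admin requests so repeated probing stands out for triage.
SELECT client_ip,
       COUNT(*) AS forbidden_admin_requests,
       MIN(request_received_time) AS first_seen,
       MAX(request_received_time) AS last_seen
FROM logs
WHERE client_request LIKE '%/admin%'
  AND server_status = '403'
GROUP BY client_ip
ORDER BY forbidden_admin_requests DESC;
```

Because server_status is declared as a string in this schema, the comparison must use the quoted literal '403'; comparing to the unquoted number 403 would force a cast on every row. If the application protects /admin with HTTP authentication rather than an access rule, failed attempts will appear as 401 instead, so confirm which status the server actually emits before relying on a single code.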