AWS Certified Security – Specialty — Question 190

A company's security information events management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages.
After a recent security review that resulted in restricted permissions, the SIEM tool has stopped receiving new CloudTrail logs.
Which of the following are possible causes of this issue? (Choose three.)

Answer options

• A. The SQS queue does not allow the SQS:SendMessage action from the SNS topic.
• B. The SNS topic does not allow the SNS:Publish action from Amazon S3.
• C. The SNS topic is not delivering raw messages to the SQS queue.
• D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action.
• E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic.
• F. The IAM role used by the SIEM tool does not allow the SQS:DeleteMessage action.

Correct answer: A, B, D

Explanation

The correct answers include A, B, and D as these directly relate to permissions that could prevent the SIEM tool from receiving new logs. Specifically, if the SQS queue doesn't allow messages from the SNS topic (A), the SNS topic doesn't permit publishing from S3 (B), or if CloudTrail lacks permission to write to the S3 bucket (D), the flow of logs will be interrupted. The other options do not directly affect the log receipt process.