AWS Certified Security – Specialty — Question 204

A Security Engineer must design a system that can detect whether a file on an Amazon EC2 host has been modified. The system must then alert the Security
Engineer of the modification.
What is the MOST efficient way to meet these requirements?

Answer options

• A. Install antivirus software and ensure that signatures are up-to-date. Configure Amazon CloudWatch alarms to send alerts for security events.
• B. Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting.
• C. Export system log files to Amazon S3. Parse the log files using an AWS Lambda function that will send alerts of any unauthorized system login attempts through Amazon SNS.
• D. Use Amazon CloudWatch Logs to detect file system changes. If a change is detected, automatically terminate and recreate the instance from the most recent AMI. Use Amazon SNS to send notification of the event.

Correct answer: B

Explanation

Option B is the correct answer as installing host-based IDS software specifically focuses on file integrity monitoring, which directly meets the requirement of detecting file changes. The other options either do not specifically address file modification detection (A and C) or propose an overly complex and indirect solution (D) that involves terminating the instance instead of simply alerting about the modifications.