AWS Certified Security – Specialty — Question 372
A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work.
Which solution will meet these requirements?
Answer options
- A. In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.
- B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
- C. Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
- D. In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
Correct answer: B
Explanation
Delivering the trail to a CloudWatch Logs log group lets you attach a metric filter to that group with a pattern such as `{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }`, publish a custom metric (value 1 per matching record), and alarm on the metric with statistic Sum, period 300 seconds, and threshold >= 3. CloudTrail Insights only flags anomalous rates of write management API calls or API error rates; it does not evaluate a user-defined field match or a custom count threshold. Amazon Athena queries the S3 copy of the trail on demand and has no built-in threshold-based notification. IAM Access Analyzer reports resources shared with external principals (and unused access); it does not monitor sign-in events. Practical notes: make the trail multi-region so ConsoleLogin events recorded against any sign-in endpoint reach the same log group, and set the alarm to treat missing data as not breaching so quiet periods do not fire it.
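The following is an added example, not part of the original question or AWS documentation. It reproduces the metric-filter predicate and the 5-minute/threshold-3 alarm logic from option B in plain Python and runs it over a handful of constructed CloudTrail records, so the alerting rule can be sanity-checked offline before the real filter and alarm are created. The sample records, timestamps and account IDs are made up; `FILTER_PATTERN` is the real CloudWatch Logs filter-pattern syntax you would pass to `aws logs put-metric-filter`, and the alarm parameters mirror `aws cloudwatch put-metric-alarm`.

```python
"""Offline simulation of a CloudTrail -> CloudWatch Logs metric filter -> alarm rule.

The real deployment (not executed here) would be roughly:
  aws logs put-metric-filter --log-group-name <trail-log-group> \
      --filter-name ConsoleLoginFailures --metric-transformations \
      metricName=ConsoleLoginFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1 \
      --filter-pattern "$FILTER_PATTERN"
  aws cloudwatch put-metric-alarm --alarm-name ConsoleLoginFailures ... (see ALARM below)
"""
import json
from collections import Counter
from datetime import datetime, timezone

# CloudWatch Logs JSON filter-pattern syntax for the predicate from option B.
FILTER_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'

# Alarm settings that implement "3 or more failures within a 5-minute period".
ALARM = {
    "MetricName": "ConsoleLoginFailureCount",
    "Namespace": "CloudTrailMetrics",
    "Statistic": "Sum",
    "Period": 300,
    "EvaluationPeriods": 1,
    "Threshold": 3,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "TreatMissingData": "notBreaching",
}


def matches_filter(record: dict) -> bool:
    """Same test the metric filter applies to each CloudTrail record."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def period_bucket(event_time: str, period: int = ALARM["Period"]) -> int:
    """Map a CloudTrail eventTime (ISO-8601 UTC) to a fixed period bucket index."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // period


def evaluate(records, threshold: int = ALARM["Threshold"], period: int = ALARM["Period"]) -> dict:
    """Return {bucket_start_epoch: failure_count} for every period that would breach the alarm."""
    counts = Counter()
    for rec in records:
        if matches_filter(rec):
            counts[period_bucket(rec["eventTime"], period)] += 1
    return {bucket * period: n for bucket, n in counts.items() if n >= threshold}


def _login(event_time: str, user: str, ok: bool) -> dict:
    """Build a minimal constructed ConsoleLogin record in CloudTrail's field layout."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user, "accountId": "111111111111"},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
    }
    if not ok:
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample: three failures in 10:00-10:05, one success, one failure in the next
# period, and an unrelated API call that must not count.
SAMPLE_RECORDS = [
    _login("2024-01-15T10:01:10Z", "alice", ok=False),
    _login("2024-01-15T10:02:05Z", "alice", ok=False),
    _login("2024-01-15T10:03:30Z", "bob", ok=True),
    _login("2024-01-15T10:04:45Z", "alice", ok=False),
    _login("2024-01-15T10:07:00Z", "alice", ok=False),
    {"eventTime": "2024-01-15T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorMessage": "Failed authentication"},
]


if __name__ == "__main__":
    # Records arrive as one JSON document per line in CloudWatch Logs; round-trip to mimic that.
    lines = [json.dumps(r) for r in SAMPLE_RECORDS]
    breaches = evaluate(json.loads(l) for l in lines)
    for start, n in sorted(breaches.items()):
        print(f"ALARM: {n} failed console sign-ins in period starting "
              f"{datetime.fromtimestamp(start, timezone.utc).isoformat()}")
```

Note that the simulation uses fixed, aligned 300-second buckets; CloudWatch aggregates the metric the same way, so a burst straddling a period boundary (two failures at 10:04 and two at 10:06) does not trip a threshold of 3 in either period. If that matters, raise `EvaluationPeriods` with a shorter `Period`, or lower the threshold, rather than expecting the alarm to behave like a sliding window.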