AWS Certified Security – Specialty — Question 508

A Security Analyst attempted to troubleshoot the monitoring of suspicious security group changes. The Analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The Analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.
Which of the following troubleshooting steps should the Analyst perform?

Answer options

• A. Ensure that CloudTrail and S3 bucket access logging is enabled for the Analyst's AWS account. B. Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.
• B. Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.
• C. Verify that the Analyst's account is mapped to an IAM policy that includes permissions for cloudwatch: GetMetricStatistics and Cloudwatch: ListMetrics.

Correct answer: B

Explanation

To trigger an Amazon CloudWatch alarm from AWS CloudTrail logs, a metric filter must first extract the relevant events from the logs and map them to a CloudWatch metric, which the alarm then monitors. If the alarm fails to fire, the analyst must ensure this metric filter is correctly configured and that the alarm's notification actions (like an SNS topic) are properly set up. Other options, such as checking dashboard configurations, S3 access logs, or the analyst's personal IAM permissions, do not address the root cause of the automated alarm failing to trigger.