Log Analysis PBQs: CompTIA Cloud+ (CV0-004)
Difficulty: easy. Question 1 of 3
You are a cloud security administrator reviewing the weekly audit log report. An automated compliance scan flagged an IAM policy modification that occurred outside the approved change window (weekdays 10:00-16:00 UTC). The modification attached an overpermissive role to a contractor account. Review the cloud audit logs, flag all entries related to the unauthorized IAM change, and classify the incident.
Objectives
- Review cloud audit logs for unauthorized IAM policy changes
- Flag all log entries related to the unauthorized configuration change
- Classify the type of security incident
- Identify the user who made the unauthorized change
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 08:00:00 | INFO | audit-log | API call: DescribeInstances by user cloud-admin from 10.0.0.5 -- routine inventory check |
| 08:15:00 | INFO | audit-log | API call: ListBuckets by user cloud-admin from 10.0.0.5 -- routine inventory check |
| 09:00:00 | INFO | system | Automated backup: daily snapshot of production database completed successfully |
| 09:30:15 | WARN | audit-log | API call: AttachRolePolicy by user dev-contractor -- policy AdministratorAccess attached to role dev-contractor-role -- outside change window |
| 09:30:45 | ALERT | audit-log | Compliance violation: IAM policy change outside approved change window (10:00-16:00 UTC) by dev-contractor |
| 09:31:00 | WARN | audit-log | Overpermissive role detected: dev-contractor-role now has AdministratorAccess -- violates least-privilege policy |
| 09:35:00 | INFO | audit-log | API call: GetCallerIdentity by user dev-contractor from 203.0.113.60 -- identity verification |
| 09:40:00 | INFO | system | Monitoring: cloud resource health check completed -- all services healthy |
| 09:45:00 | INFO | audit-log | API call: ListUsers by user cloud-admin from 10.0.0.5 -- scheduled IAM audit |
| 09:50:00 | ALERT | audit-log | Security finding: dev-contractor accessed production resources using elevated AdministratorAccess role |
| 10:00:00 | INFO | system | Log aggregation: hourly log export to SIEM completed |
| 10:05:00 | INFO | audit-log | API call: DescribeSecurityGroups by user cloud-admin from 10.0.0.5 -- security audit |
12 total entries.
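As an added example (not part of the PBQ or its answer key), the following Python applies the scenario's change-window rule to a constructed copy of the audit-log rows above: it flags IAM permission-granting API calls made outside weekdays 10:00-16:00 UTC and then collects the follow-on entries that name the same actor or that actor's role. The log date is an assumption (the table carries none), and the IAM call names beyond AttachRolePolicy are real AWS IAM actions included for generality.

```python
import re
from datetime import date, datetime, time

# Constructed sample (mirrors the audit-log rows above); fields are pipe-separated.
SAMPLE_LOG = """\
08:00:00|INFO|audit-log|API call: DescribeInstances by user cloud-admin from 10.0.0.5 -- routine inventory check
09:30:15|WARN|audit-log|API call: AttachRolePolicy by user dev-contractor -- policy AdministratorAccess attached to role dev-contractor-role -- outside change window
09:30:45|ALERT|audit-log|Compliance violation: IAM policy change outside approved change window (10:00-16:00 UTC) by dev-contractor
09:31:00|WARN|audit-log|Overpermissive role detected: dev-contractor-role now has AdministratorAccess -- violates least-privilege policy
09:35:00|INFO|audit-log|API call: GetCallerIdentity by user dev-contractor from 203.0.113.60 -- identity verification
09:45:00|INFO|audit-log|API call: ListUsers by user cloud-admin from 10.0.0.5 -- scheduled IAM audit
09:50:00|ALERT|audit-log|Security finding: dev-contractor accessed production resources using elevated AdministratorAccess role
10:05:00|INFO|audit-log|API call: DescribeSecurityGroups by user cloud-admin from 10.0.0.5 -- security audit
"""

# Approved change window from the scenario: weekdays 10:00-16:00 UTC.
WINDOW_START, WINDOW_END = time(10, 0), time(16, 0)
# IAM API calls that grant permissions; AttachRolePolicy is the one seen in the log.
IAM_WRITE_CALLS = {"AttachRolePolicy", "AttachUserPolicy", "PutRolePolicy", "PutUserPolicy"}
API_RE = re.compile(r"API call: (\w+) by user ([\w-]+)")

def parse(line: str) -> dict:
    t, sev, src, msg = line.split("|", 3)
    return {"time": t, "severity": sev, "source": src, "message": msg}

def in_change_window(day: str, clock: str) -> bool:
    """True if the ISO date is Mon-Fri and the HH:MM:SS clock falls inside the window."""
    ts = datetime.combine(date.fromisoformat(day), time.fromisoformat(clock))
    return ts.weekday() < 5 and WINDOW_START <= ts.time() < WINDOW_END

def unauthorized_iam_changes(log_text: str, log_date: str) -> list:
    """Return (time, user, api) for IAM write calls made outside the change window."""
    hits = []
    for e in map(parse, log_text.splitlines()):
        m = API_RE.search(e["message"])
        if m and m.group(1) in IAM_WRITE_CALLS and not in_change_window(log_date, e["time"]):
            hits.append((e["time"], m.group(2), m.group(1)))
    return hits

def related_entries(log_text: str, user: str, since: str) -> list:
    """Times of every entry at or after the change whose message names the actor (or their role)."""
    return [e["time"] for e in map(parse, log_text.splitlines())
            if e["time"] >= since and user in e["message"]]

if __name__ == "__main__":
    for when, who, api in unauthorized_iam_changes(SAMPLE_LOG, "2024-06-05"):  # assumed weekday
        print(f"{when} {api} by {who} outside window; related:", related_entries(SAMPLE_LOG, who, when))
```

The actor-name match deliberately also catches `dev-contractor-role`, so the least-privilege warning for the role is flagged alongside the actor's own calls; cloud-admin's routine audit entries in the same period are left unflagged.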